Module sandbox


Plugin sandboxing and code-signing for tool execution.

Every tool invocation is mediated through a sandbox that:

  1. Validates the tool manifest signature before execution.
  2. Runs external/plugin tools in an isolated subprocess with restricted environment, working directory, and resource limits.
  3. Records execution results in the audit trail.

Built-in tools (those compiled into the binary) are trusted but still audit-logged. Third-party plugin tools must have a valid manifest signature to execute.
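
The three mediation steps above, sketched as an added example using only the Rust standard library; it is not this crate's code. `Policy`, `Outcome`, `run_mediated` and the `sig_ok` flag are hypothetical names, manifest signature verification is assumed to happen before the call, and a wall-clock timeout stands in for resource limits.

```rust
use std::{io, path::PathBuf, process::{Command, Stdio}, thread, time::{Duration, Instant}};
// Hypothetical stand-ins: the crate's real SandboxPolicy / SandboxResult fields are not shown here.
pub struct Policy {
    pub workdir: PathBuf,
    pub timeout: Duration,
    pub env: Vec<(String, String)>, // the only variables the child may see
}

#[derive(Debug, PartialEq)]
pub enum Outcome { Denied, Exited(i32), TimedOut }

/// `sig_ok` is the result of manifest signature verification, performed elsewhere (assumption).
pub fn run_mediated(tool: &str, args: &[&str], builtin: bool, sig_ok: bool,
                    policy: &Policy, audit: &mut Vec<String>) -> io::Result<Outcome> {
    // Step 1: fail closed. An unverified third-party tool never reaches spawn().
    if !builtin && !sig_ok {
        audit.push(format!("tool={tool} outcome=Denied"));
        return Ok(Outcome::Denied);
    }
    // Step 2: empty environment plus allow-list, pinned working directory, no inherited stdio.
    let mut child = Command::new(tool).args(args)
        .env_clear()
        .envs(policy.env.iter().map(|(k, v)| (k.as_str(), v.as_str())))
        .current_dir(&policy.workdir)
        .stdin(Stdio::null()).stdout(Stdio::null()).stderr(Stdio::null())
        .spawn()?;
    let deadline = Instant::now() + policy.timeout;
    let outcome = loop {
        if let Some(status) = child.try_wait()? {
            break Outcome::Exited(status.code().unwrap_or(-1));
        }
        if Instant::now() >= deadline {
            child.kill()?;
            child.wait()?; // reap the killed child
            break Outcome::TimedOut;
        }
        thread::sleep(Duration::from_millis(10));
    };
    // Step 3: every mediated run leaves an audit record, whatever the outcome.
    audit.push(format!("tool={tool} outcome={outcome:?}"));
    Ok(outcome)
}

fn main() {
    let policy = Policy { workdir: std::env::temp_dir(), timeout: Duration::from_secs(2), env: vec![] };
    let mut audit = Vec::new();
    let out = run_mediated("/bin/sh", &["-c", "exit 0"], false, true, &policy, &mut audit);
    println!("{out:?} {audit:?}");
}
```

The denial path is audited as well, so a rejected plugin leaves the same kind of record as a completed run.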

Structs

PluginManifest
Manifest describing a plugin tool.
PluginRegistry
Plugin registry — tracks registered and verified plugins.
SandboxPolicy
Sandbox execution policy for a tool invocation.
SandboxResult
Result of a sandboxed tool execution.
SigningKey
The signing key used to verify plugin manifests.

Functions

execute_sandboxed
Execute a tool in a sandboxed subprocess.
hash_bytes
Compute SHA-256 hash of byte content.
hash_file
Compute SHA-256 hash of file contents.