adk-code 0.6.0

Code execution substrate for ADK-Rust — typed executor abstraction, sandbox policy model, and built-in execution backends
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

//! Async executor trait and shared request validation helpers.
//!
//! [`CodeExecutor`] is the backend interface that all execution backends implement.
//! The module also provides [`validate_policy`] and [`validate_request`] helpers
//! that enforce fail-closed semantics: if a backend cannot enforce a requested
//! sandbox control, execution is rejected before user code runs.
//!
//! # Example
//!
//! ```rust
//! use adk_code::{
//!     BackendCapabilities, ExecutionIsolation, SandboxPolicy, validate_policy,
//! };
//!
//! let caps = BackendCapabilities {
//!     isolation: ExecutionIsolation::ContainerEphemeral,
//!     enforce_network_policy: true,
//!     enforce_filesystem_policy: true,
//!     enforce_environment_policy: true,
//!     enforce_timeout: true,
//!     supports_structured_output: true,
//!     supports_process_execution: false,
//!     supports_persistent_workspace: false,
//!     supports_interactive_sessions: false,
//! };
//!
//! let policy = SandboxPolicy::strict_rust();
//! assert!(validate_policy(&caps, &policy).is_ok());
//! ```

use async_trait::async_trait;

use crate::{
    BackendCapabilities, EnvironmentPolicy, ExecutionError, ExecutionLanguage, ExecutionPayload,
    ExecutionRequest, ExecutionResult, FilesystemPolicy, GuestModuleFormat, NetworkPolicy,
    SandboxPolicy,
};

/// Async trait for code execution backends.
///
/// Backends may optionally implement lifecycle methods ([`start`](Self::start),
/// [`stop`](Self::stop), [`restart`](Self::restart)) for persistent execution
/// environments like containers. The default implementations are no-ops, so
/// simple backends (e.g., host-local `rustc`) work without lifecycle management.
///
/// Backends that support persistent environments should override these methods
/// and report `supports_persistent_workspace: true` in their capabilities.
#[async_trait]
pub trait CodeExecutor: Send + Sync {
    /// Human-readable backend name.
    fn name(&self) -> &str;
    /// The capabilities this backend can enforce.
    fn capabilities(&self) -> BackendCapabilities;
    /// Whether this backend supports the given language.
    fn supports_language(&self, lang: &ExecutionLanguage) -> bool;
    /// Execute a request and return a structured result.
    async fn execute(&self, request: ExecutionRequest) -> Result<ExecutionResult, ExecutionError>;

    /// Start the execution environment (e.g., create and start a container).
    ///
    /// For persistent backends, this creates the underlying environment and
    /// makes it ready for [`execute`](Self::execute) calls. Calling `execute`
    /// on a started backend reuses the same environment.
    ///
    /// The default implementation is a no-op for backends that don't need
    /// lifecycle management (e.g., host-local compilation).
    async fn start(&self) -> Result<(), ExecutionError> {
        Ok(())
    }

    /// Stop the execution environment and release resources.
    ///
    /// For persistent backends, this stops and removes the underlying
    /// environment (e.g., stops and removes a Docker container). After
    /// `stop`, the backend can be restarted with [`start`](Self::start).
    ///
    /// The default implementation is a no-op.
    async fn stop(&self) -> Result<(), ExecutionError> {
        Ok(())
    }

    /// Restart the execution environment.
    ///
    /// Equivalent to [`stop`](Self::stop) followed by [`start`](Self::start),
    /// but backends may implement this more efficiently (e.g., `docker restart`).
    ///
    /// The default implementation calls `stop` then `start`.
    async fn restart(&self) -> Result<(), ExecutionError> {
        self.stop().await?;
        self.start().await
    }

    /// Whether the execution environment is currently running.
    ///
    /// Returns `true` if [`start`](Self::start) has been called and
    /// [`stop`](Self::stop) has not. For backends without lifecycle
    /// management, this always returns `true`.
    async fn is_running(&self) -> bool {
        true
    }
}

/// Validates that the backend can enforce the requested sandbox policy.
///
/// Returns `Err(ExecutionError::UnsupportedPolicy(...))` if any requested
/// control cannot be enforced by the backend. This implements fail-closed
/// semantics: execution is rejected before user code runs.
///
/// # Checks
///
/// - Network policy: if disabled, backend must be able to enforce it
/// - Filesystem policy: if any access is requested, backend must enforce it
/// - Environment policy: if any variables are exposed, backend must enforce it
/// - Timeout: backend must always be able to enforce timeouts
pub fn validate_policy(
    capabilities: &BackendCapabilities,
    policy: &SandboxPolicy,
) -> Result<(), ExecutionError> {
    if matches!(policy.network, NetworkPolicy::Disabled) && !capabilities.enforce_network_policy {
        return Err(ExecutionError::UnsupportedPolicy(
            "backend cannot enforce network restrictions".to_string(),
        ));
    }
    if !matches!(policy.filesystem, FilesystemPolicy::None)
        && !capabilities.enforce_filesystem_policy
    {
        return Err(ExecutionError::UnsupportedPolicy(
            "backend cannot enforce filesystem restrictions".to_string(),
        ));
    }
    if !matches!(policy.environment, EnvironmentPolicy::None)
        && !capabilities.enforce_environment_policy
    {
        return Err(ExecutionError::UnsupportedPolicy(
            "backend cannot enforce environment variable restrictions".to_string(),
        ));
    }
    if !capabilities.enforce_timeout {
        return Err(ExecutionError::UnsupportedPolicy(
            "backend cannot enforce execution timeouts".to_string(),
        ));
    }
    Ok(())
}

/// Validates a full execution request against a backend's capabilities.
///
/// Checks that:
/// 1. The backend supports the requested language
/// 2. The payload type matches the language (e.g., `GuestModule` only for Wasm)
/// 3. The sandbox policy is enforceable by the backend
///
/// Call this before [`CodeExecutor::execute`] for clear, early errors.
///
/// # Example
///
/// ```rust
/// use adk_code::{
///     BackendCapabilities, ExecutionIsolation, ExecutionLanguage,
///     ExecutionPayload, ExecutionRequest, SandboxPolicy,
///     validate_request,
/// };
///
/// let caps = BackendCapabilities {
///     isolation: ExecutionIsolation::ContainerEphemeral,
///     enforce_network_policy: true,
///     enforce_filesystem_policy: true,
///     enforce_environment_policy: true,
///     enforce_timeout: true,
///     supports_structured_output: true,
///     supports_process_execution: false,
///     supports_persistent_workspace: false,
///     supports_interactive_sessions: false,
/// };
///
/// let request = ExecutionRequest {
///     language: ExecutionLanguage::Rust,
///     payload: ExecutionPayload::Source {
///         code: "fn run(input: serde_json::Value) -> serde_json::Value { input }".to_string(),
///     },
///     argv: vec![],
///     stdin: None,
///     input: None,
///     sandbox: SandboxPolicy::strict_rust(),
///     identity: None,
/// };
///
/// let supported = [ExecutionLanguage::Rust];
/// assert!(validate_request(&caps, &supported, &request).is_ok());
/// ```
pub fn validate_request(
    capabilities: &BackendCapabilities,
    supported_languages: &[ExecutionLanguage],
    request: &ExecutionRequest,
) -> Result<(), ExecutionError> {
    // 1. Language support check
    if !supported_languages.contains(&request.language) {
        return Err(ExecutionError::UnsupportedLanguage(format!("{}", request.language)));
    }

    // 2. Payload-language compatibility check
    match (&request.language, &request.payload) {
        // GuestModule payloads are only valid for Wasm
        (lang, ExecutionPayload::GuestModule { format, .. }) => match format {
            GuestModuleFormat::Wasm if *lang != ExecutionLanguage::Wasm => {
                return Err(ExecutionError::InvalidRequest(format!(
                    "GuestModule(Wasm) payload requires Wasm language, got {lang}"
                )));
            }
            _ => {}
        },
        // Wasm language requires a GuestModule payload
        (ExecutionLanguage::Wasm, ExecutionPayload::Source { .. }) => {
            return Err(ExecutionError::InvalidRequest(
                "Wasm language requires a GuestModule payload, not Source".to_string(),
            ));
        }
        _ => {}
    }

    // 3. Policy enforcement check
    validate_policy(capabilities, &request.sandbox)?;

    Ok(())
}