adk-sandbox 1.0.0

Isolated code execution runtime for ADK agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

//! Error types for sandbox execution.

use std::time::Duration;
use thiserror::Error;

/// Errors that can occur during sandbox execution.
///
/// All variants include actionable context to help callers diagnose issues.
///
/// # Example
///
/// ```rust
/// use adk_sandbox::SandboxError;
/// use std::time::Duration;
///
/// let err = SandboxError::Timeout { timeout: Duration::from_secs(30) };
/// assert!(err.to_string().contains("30s"));
/// ```
#[derive(Debug, Clone, Error)]
pub enum SandboxError {
    /// Execution exceeded the configured timeout.
    #[error("execution timed out after {timeout:?}")]
    Timeout {
        /// The timeout duration that was exceeded.
        timeout: Duration,
    },

    /// Execution exceeded the configured memory limit (Wasm only).
    #[error("memory limit exceeded: {limit_mb} MB")]
    MemoryExceeded {
        /// The memory limit in megabytes that was exceeded.
        limit_mb: u32,
    },

    /// Execution failed due to an internal error (e.g., subprocess I/O failure).
    #[error("execution failed: {0}")]
    ExecutionFailed(String),

    /// The request is invalid (e.g., unsupported language for this backend).
    #[error("invalid request: {0}")]
    InvalidRequest(String),

    /// The backend is not available (e.g., missing runtime or feature not enabled).
    #[error("backend unavailable: {0}")]
    BackendUnavailable(String),

    /// The sandbox enforcer failed to apply the profile.
    #[error("enforcer '{enforcer}' failed: {message}")]
    EnforcerFailed {
        /// The enforcer name (e.g., "seatbelt", "bubblewrap", "appcontainer").
        enforcer: String,
        /// A descriptive message explaining what failed.
        message: String,
    },

    /// The sandbox enforcer is not available on this system.
    #[error("enforcer '{enforcer}' unavailable: {message}")]
    EnforcerUnavailable {
        /// The enforcer name.
        enforcer: String,
        /// A message explaining why the enforcer is not functional.
        message: String,
    },

    /// A policy path or resource could not be resolved.
    #[error("policy violation: {0}")]
    PolicyViolation(String),

    // ── Workspace lifecycle variants (behind `workspace` feature) ──────────
    /// Workspace provisioning failed.
    #[cfg(feature = "workspace")]
    #[error("provisioning failed for '{resource}': {reason}. {suggestion}")]
    ProvisionFailed {
        /// The resource that failed to provision (e.g., manifest entry path).
        resource: String,
        /// A description of why provisioning failed.
        reason: String,
        /// An actionable suggestion for resolution.
        suggestion: String,
    },

    /// Referenced session does not exist or has been stopped.
    #[cfg(feature = "workspace")]
    #[error("session '{handle}' not found. It may have been stopped or expired.")]
    SessionNotFound {
        /// The session handle that was not found.
        handle: String,
    },

    /// Referenced snapshot does not exist.
    #[cfg(feature = "workspace")]
    #[error("snapshot '{id}' not found. It may have been deleted or expired.")]
    SnapshotNotFound {
        /// The snapshot ID that was not found.
        id: String,
    },

    /// Path traversal attempt detected.
    #[cfg(feature = "workspace")]
    #[error("path traversal rejected: '{path}' escapes workspace root. Use relative paths only.")]
    PathTraversal {
        /// The offending path that attempted to escape the workspace root.
        path: String,
    },

    /// Docker is not available on this host.
    #[cfg(feature = "workspace")]
    #[error("Docker unavailable: {reason}. Ensure Docker daemon is running and accessible.")]
    DockerUnavailable {
        /// A description of why Docker is unavailable.
        reason: String,
    },

    /// Session exceeded its configured timeout.
    #[cfg(feature = "workspace")]
    #[error(
        "session timed out after {timeout:?}. Consider increasing session_timeout in SandboxConfig."
    )]
    SessionTimeout {
        /// The timeout duration that was exceeded.
        timeout: Duration,
    },
}

impl From<std::io::Error> for SandboxError {
    fn from(err: std::io::Error) -> Self {
        SandboxError::ExecutionFailed(format!("I/O error: {err}"))
    }
}

impl From<SandboxError> for adk_core::AdkError {
    fn from(err: SandboxError) -> Self {
        use adk_core::{ErrorCategory, ErrorComponent};
        let (category, code) = match &err {
            SandboxError::Timeout { .. } => (ErrorCategory::Timeout, "code.sandbox_timeout"),
            SandboxError::MemoryExceeded { .. } => (ErrorCategory::Internal, "code.sandbox_memory"),
            SandboxError::ExecutionFailed(_) => (ErrorCategory::Internal, "code.sandbox_execution"),
            SandboxError::InvalidRequest(_) => {
                (ErrorCategory::InvalidInput, "code.sandbox_invalid_request")
            }
            SandboxError::BackendUnavailable(_) => {
                (ErrorCategory::Unavailable, "code.sandbox_unavailable")
            }
            SandboxError::EnforcerFailed { .. } => {
                (ErrorCategory::Internal, "code.sandbox_enforcer_failed")
            }
            SandboxError::EnforcerUnavailable { .. } => {
                (ErrorCategory::Unavailable, "code.sandbox_enforcer_unavailable")
            }
            SandboxError::PolicyViolation(_) => {
                (ErrorCategory::InvalidInput, "code.sandbox_policy_violation")
            }
            #[cfg(feature = "workspace")]
            SandboxError::ProvisionFailed { .. } => {
                (ErrorCategory::Internal, "code.sandbox_provision_failed")
            }
            #[cfg(feature = "workspace")]
            SandboxError::SessionNotFound { .. } => {
                (ErrorCategory::NotFound, "code.sandbox_session_not_found")
            }
            #[cfg(feature = "workspace")]
            SandboxError::SnapshotNotFound { .. } => {
                (ErrorCategory::NotFound, "code.sandbox_snapshot_not_found")
            }
            #[cfg(feature = "workspace")]
            SandboxError::PathTraversal { .. } => {
                (ErrorCategory::InvalidInput, "code.sandbox_path_traversal")
            }
            #[cfg(feature = "workspace")]
            SandboxError::DockerUnavailable { .. } => {
                (ErrorCategory::Unavailable, "code.sandbox_docker_unavailable")
            }
            #[cfg(feature = "workspace")]
            SandboxError::SessionTimeout { .. } => {
                (ErrorCategory::Timeout, "code.sandbox_session_timeout")
            }
        };
        adk_core::AdkError::new(ErrorComponent::Code, category, code, err.to_string())
            .with_source(err)
    }
}