Expand description
Process-level sandboxing for subprocess-spawning tools.
Sandboxing wraps tokio::process::Command with an OS-level isolation
mechanism before the child is spawned. The current permission system is
policy enforced inside the agent process — a compromised tool or a
prompt-injection attack gets the agent’s full privileges. Sandboxing
adds a second layer of defense so that even a compromised subprocess
cannot write outside the project directory or read credentials.
§Platform support
This first slice ships macOS only using sandbox-exec (Seatbelt).
Linux bwrap and Windows Low Integrity strategies will land as
follow-up PRs behind the same SandboxStrategy trait.
§Wiring
A SandboxExecutor is built once per session from
[crate::config::schema::SandboxConfig] and threaded into
crate::tools::ToolContext. Subprocess-spawning tools (currently:
Bash) call SandboxExecutor::wrap on their
Command before .spawn(). When sandboxing is disabled or the
platform has no strategy, wrap returns the command unchanged.
Re-exports§
pub use policy::SandboxPolicy;
Modules§
- policy
- Resolved sandbox policy used at spawn time.
- seatbelt
- macOS sandbox strategy using
sandbox-exec(Seatbelt).
Structs§
- Noop
Strategy - No-op strategy used when sandboxing is disabled or unavailable.
- Sandbox
Executor - Owns the active strategy and resolved policy for a session.
Traits§
- Sandbox
Strategy - Strategy trait for wrapping a subprocess command with OS-level isolation.