Expand description
Process-level sandboxing for subprocess-spawning tools.
Sandboxing wraps tokio::process::Command with an OS-level isolation
mechanism before the child is spawned. The current permission system is
policy enforced inside the agent process — a compromised tool or a
prompt-injection attack gets the agent’s full privileges. Sandboxing
adds a second layer of defense so that even a compromised subprocess
cannot write outside the project directory or read credentials.
§Platform support
- macOS:
sandbox-exec(Seatbelt) viaseatbelt::SeatbeltStrategy - Linux:
bwrap(bubblewrap) viabwrap::BwrapStrategy - Windows: deferred to a follow-up PR; falls back to
NoopStrategy
§Wiring
A SandboxExecutor is built once per session from
[crate::config::schema::SandboxConfig] and threaded into
crate::tools::ToolContext. Subprocess-spawning tools (currently:
Bash) call SandboxExecutor::wrap on their
Command before .spawn(). When sandboxing is disabled or the
platform has no strategy, wrap returns the command unchanged.
Re-exports§
pub use policy::SandboxPolicy;
Modules§
- bwrap
- Linux sandbox strategy using
bwrap(bubblewrap). - policy
- Resolved sandbox policy used at spawn time.
- seatbelt
- macOS sandbox strategy using
sandbox-exec(Seatbelt).
Structs§
- Noop
Strategy - No-op strategy used when sandboxing is disabled or unavailable.
- Sandbox
Executor - Owns the active strategy and resolved policy for a session.
Traits§
- Sandbox
Strategy - Strategy trait for wrapping a subprocess command with OS-level isolation.