brainwires-sandbox 0.11.0

Container-based sandboxing (Docker/Podman/host) for tool execution in the Brainwires framework
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

//! Error types for the sandbox crate.

use thiserror::Error;

/// Errors returned by sandbox operations.
#[derive(Debug, Error)]
pub enum SandboxError {
    /// Underlying I/O failure (process spawn, socket, filesystem).
    #[error("io error: {0}")]
    Io(#[from] std::io::Error),

    /// Docker / Podman daemon returned an error.
    #[cfg(feature = "docker")]
    #[error("docker error: {0}")]
    Docker(String),

    /// The sandboxed process exceeded its wall-clock budget.
    #[error("sandbox execution timed out")]
    Timeout,

    /// A `SandboxPolicy` rule rejected the requested operation.
    #[error("policy violation: {0}")]
    PolicyViolation(String),

    /// The sandboxed process exited with a non-zero status.
    #[error("sandbox process exited with code {code}: {stderr}")]
    ExitFailure {
        /// Exit code reported by the container/process.
        code: i32,
        /// Captured stderr (UTF-8 lossy) at the time of failure.
        stderr: String,
    },

    /// A requested runtime or feature is not available in this build/environment.
    #[error("not available: {0}")]
    NotAvailable(String),
}

#[cfg(feature = "docker")]
impl From<bollard::errors::Error> for SandboxError {
    fn from(e: bollard::errors::Error) -> Self {
        SandboxError::Docker(e.to_string())
    }
}

/// Result alias used throughout the crate.
pub type Result<T> = std::result::Result<T, SandboxError>;