car-sandbox 0.13.0

Sandboxed execution surface for CAR — process isolation primitives for untrusted agent steps

car-sandbox

Sandboxed execution environment for Common Agent Runtime agents.

What it does

SandboxExecutor is a ToolExecutor implementation that runs tool commands inside an isolated Docker container. The container has:

  • Full filesystem access to a mounted working directory
  • No safety policy restrictions — the isolation IS the safety
  • Ability to run tests, install deps, and iterate freely
  • Automatic cleanup on drop

Usage

use std::sync::Arc;
// Tool commands issued through this runtime execute inside the container.
let sandbox = SandboxExecutor::new(working_dir, image).await?;
let runtime = Runtime::new().with_executor(Arc::new(sandbox));

Where it fits

Used by Tokhn (the agent that drives CAR for autonomous work) when it wants to give an agent permission to run arbitrary shell without putting the host filesystem at risk. CAR's normal car-policy rules (deny_tool, deny_tool_param) are appropriate when tools touch the user's machine; the sandbox is appropriate when you want to remove guardrails entirely inside a contained environment.
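Since the container has full access to the mounted working directory, the path given as working_dir decides how much of the host the sandbox can touch. The sketch below is an added example, not code from car-sandbox: it assumes the working directory is a bind mount of a host path, and the helper name sandbox_args, the /workspace target and the choice of docker run flags are hypothetical. It shows checks a caller could apply to that path and to the image name before starting a container.

```rust
use std::path::{Component, Path};

/// Hypothetical helper, not part of car-sandbox: build `docker run` arguments
/// that expose exactly one host directory to the container.
fn sandbox_args(working_dir: &Path, image: &str) -> Result<Vec<String>, String> {
    // An image name starting with '-' would be parsed by docker as a flag.
    if image.is_empty() || image.starts_with('-') {
        return Err("invalid image name".into());
    }
    // Callers should canonicalize first; only clean absolute paths are accepted here.
    if !working_dir.is_absolute() {
        return Err("working_dir must be absolute".into());
    }
    if working_dir.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err("working_dir must not contain `..`".into());
    }
    // "/" has depth 0 and "/home" depth 1: both expose far more than one project.
    let depth = working_dir
        .components()
        .filter(|c| matches!(c, Component::Normal(_)))
        .count();
    if depth < 2 {
        return Err("refusing to mount a top-level directory".into());
    }
    // Mounting the Docker socket hands the container control of the host daemon.
    if working_dir.ends_with("docker.sock") {
        return Err("refusing to mount the Docker socket".into());
    }
    let dir = working_dir.to_str().ok_or("working_dir is not valid UTF-8")?;
    // ':' separates fields in `-v src:dst[:opts]`, so it must not appear in src.
    if dir.contains(':') {
        return Err("working_dir must not contain ':'".into());
    }
    let mount = format!("{}:/workspace", dir);
    // `--rm` removes the container when it exits; only one directory is mounted.
    let args = ["run", "--rm", "-v", mount.as_str(), "--workdir", "/workspace", image];
    Ok(args.iter().map(|s| s.to_string()).collect())
}

fn main() {
    // Constructed sample input.
    println!("{:?}", sandbox_args(Path::new("/home/agent/project"), "rust:latest"));
}
```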