harn_vm/process_sandbox.rs
1//! Public re-exports of the platform-specific process sandbox primitives.
2//!
3//! Embedders that spawn subprocesses on behalf of Harn scripts (today: the
4//! `harn-hostlib` deterministic-tool builtins) must funnel every spawn
5//! through these helpers so the active orchestration capability policy is
6//! enforced — Linux seccomp/landlock filters via `pre_exec`, macOS
7//! `sandbox-exec` wrapping, Windows AppContainer + Job Object launches
8//! through `command_output`, plus workspace-root cwd enforcement.
9//!
10//! The same surface also exposes [`check_fs_path_scope`] so embedders that
11//! resolve host *paths* on behalf of Harn scripts (the `harn-hostlib`
12//! `fs/*`, `tools/*`, and `ast/*` builtins) can enforce the active policy's
13//! workspace-root scope without depending on `VmError`.
14//!
15//! The helpers themselves live next to the rest of the sandbox state in
16//! [`crate::stdlib::sandbox`]. This module exists so external crates have a
17//! stable, documented surface to depend on without reaching into
18//! `stdlib::*` plumbing.
19
20pub use crate::stdlib::sandbox::{
21 active_backend_available, active_backend_name, active_workspace_tmpdir_env,
22 check_fs_path_scope, command_output, deterministic_message_locale_env, enforce_process_cwd,
23 process_spawn_error, process_violation_error, push_process_sandbox_scope, std_command_for,
24 tokio_command_for, FsAccess, ProcessCommandConfig, ProcessSandboxScope,
25 ProcessSandboxScopeGuard, SandboxViolation, MESSAGE_LOCALE_OVERRIDE_ENV,
26};