heel 0.1.1

Cross-platform native sandboxing library for running untrusted code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299

//! Security configuration for sandbox profiles
//!
//! The sandbox profile is static (generated at creation time), so security
//! is configured via a builder with toggles for each protection category.
//!
//! # Presets
//!
//! - `SecurityConfig::privacy_first()` - Maximum privacy protection (default)
//! - `SecurityConfig::permissive()` - Minimal restrictions, only logging
//!
//! # Custom Configuration
//!
//! ```rust,ignore
//! use heel::SecurityConfig;
//!
//! let config = SecurityConfig::builder()
//!     .protect_credentials(true)
//!     .protect_browser_data(true)
//!     .protect_user_home(false)  // Allow access to home directory
//!     .build();
//! ```

/// Static security configuration for sandbox profile generation
#[derive(Debug, Clone)]
pub struct SecurityConfig {
    /// Protect user home directories (/Users, /home)
    pub protect_user_home: bool,
    /// Allow macOS TCC prompts for protected folders (Desktop, Documents, Downloads, etc.)
    /// When true, TCC-protected folders are not blocked at sandbox level, letting macOS prompt.
    /// When false (strict mode), these folders are blocked at sandbox level without prompts.
    pub allow_tcc_prompts: bool,
    /// Protect SSH/GPG credentials (.ssh, .gnupg)
    pub protect_credentials: bool,
    /// Protect cloud provider config (.aws, .kube, .docker)
    pub protect_cloud_config: bool,
    /// Protect browser data (cookies, history, passwords)
    pub protect_browser_data: bool,
    /// Protect system keychain
    pub protect_keychain: bool,
    /// Protect shell history (.bash_history, .zsh_history, etc.)
    pub protect_shell_history: bool,
    /// Protect package manager credentials (.npmrc, .pypirc, .netrc)
    pub protect_package_credentials: bool,
    /// Allow GPU access (Metal, CUDA, OpenCL, etc.)
    /// Enabled by default - essential for graphics and compute workloads
    pub allow_gpu: bool,
    /// Allow NPU/Neural Engine access (CoreML, ANE on Apple Silicon)
    /// Enabled by default - essential for ML/AI workloads
    pub allow_npu: bool,
    /// Allow general hardware access (USB, Bluetooth, cameras, etc.)
    /// Disabled by default in strict mode
    pub allow_hardware: bool,
}

impl Default for SecurityConfig {
    fn default() -> Self {
        Self::strict()
    }
}

impl SecurityConfig {
    /// Strict preset - maximum protection (default)
    ///
    /// All sensitive data protection is enabled.
    /// TCC prompts are disabled (sandbox blocks TCC-protected folders).
    /// GPU and NPU access allowed (essential for ML workloads).
    /// General hardware access is disabled.
    pub fn strict() -> Self {
        Self {
            protect_user_home: true,
            allow_tcc_prompts: false,
            protect_credentials: true,
            protect_cloud_config: true,
            protect_browser_data: true,
            protect_keychain: true,
            protect_shell_history: true,
            protect_package_credentials: true,
            allow_gpu: true,
            allow_npu: true,
            allow_hardware: false,
        }
    }

    /// Permissive preset - minimal restrictions
    ///
    /// Use when you fully trust the sandboxed code.
    /// TCC prompts are enabled (macOS will prompt for protected folders).
    /// Logging still works for audit purposes.
    /// All hardware access is allowed.
    pub fn permissive() -> Self {
        Self {
            protect_user_home: false,
            allow_tcc_prompts: true,
            protect_credentials: false,
            protect_cloud_config: false,
            protect_browser_data: false,
            protect_keychain: false,
            protect_shell_history: false,
            protect_package_credentials: false,
            allow_gpu: true,
            allow_npu: true,
            allow_hardware: true,
        }
    }

    /// Interactive preset - suitable for CLI tools with user interaction
    ///
    /// Protects sensitive credentials but allows TCC prompts for user folders.
    /// User can approve/deny access to Desktop, Documents, Downloads, etc. via macOS dialogs.
    pub fn interactive() -> Self {
        Self {
            protect_user_home: true,
            allow_tcc_prompts: true,
            protect_credentials: true,
            protect_cloud_config: true,
            protect_browser_data: true,
            protect_keychain: true,
            protect_shell_history: true,
            protect_package_credentials: true,
            allow_gpu: true,
            allow_npu: true,
            allow_hardware: false,
        }
    }

    /// Create a builder for custom configuration
    pub fn builder() -> SecurityConfigBuilder {
        SecurityConfigBuilder::default()
    }
}

/// Builder for SecurityConfig
#[derive(Debug, Clone, Default)]
pub struct SecurityConfigBuilder {
    config: SecurityConfig,
}

impl SecurityConfigBuilder {
    /// Start from permissive config
    pub fn from_permissive() -> Self {
        Self {
            config: SecurityConfig::permissive(),
        }
    }

    /// Protect user home directories
    pub fn protect_user_home(mut self, enabled: bool) -> Self {
        self.config.protect_user_home = enabled;
        self
    }

    /// Allow macOS TCC prompts for protected folders
    ///
    /// When enabled, TCC-protected folders (Desktop, Documents, Downloads, etc.)
    /// are not blocked at sandbox level, letting macOS prompt the user.
    pub fn allow_tcc_prompts(mut self, enabled: bool) -> Self {
        self.config.allow_tcc_prompts = enabled;
        self
    }

    /// Protect SSH/GPG credentials
    pub fn protect_credentials(mut self, enabled: bool) -> Self {
        self.config.protect_credentials = enabled;
        self
    }

    /// Protect cloud provider config
    pub fn protect_cloud_config(mut self, enabled: bool) -> Self {
        self.config.protect_cloud_config = enabled;
        self
    }

    /// Protect browser data
    pub fn protect_browser_data(mut self, enabled: bool) -> Self {
        self.config.protect_browser_data = enabled;
        self
    }

    /// Protect system keychain
    pub fn protect_keychain(mut self, enabled: bool) -> Self {
        self.config.protect_keychain = enabled;
        self
    }

    /// Protect shell history
    pub fn protect_shell_history(mut self, enabled: bool) -> Self {
        self.config.protect_shell_history = enabled;
        self
    }

    /// Protect package manager credentials
    pub fn protect_package_credentials(mut self, enabled: bool) -> Self {
        self.config.protect_package_credentials = enabled;
        self
    }

    /// Allow GPU access (Metal, CUDA, OpenCL)
    pub fn allow_gpu(mut self, enabled: bool) -> Self {
        self.config.allow_gpu = enabled;
        self
    }

    /// Allow NPU/Neural Engine access (CoreML, ANE)
    pub fn allow_npu(mut self, enabled: bool) -> Self {
        self.config.allow_npu = enabled;
        self
    }

    /// Allow general hardware access (USB, Bluetooth, cameras, etc.)
    pub fn allow_hardware(mut self, enabled: bool) -> Self {
        self.config.allow_hardware = enabled;
        self
    }

    /// Build the configuration
    pub fn build(self) -> SecurityConfig {
        self.config
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_strict_has_all_protections() {
        let config = SecurityConfig::strict();

        assert!(config.protect_user_home);
        assert!(!config.allow_tcc_prompts); // Strict blocks TCC folders
        assert!(config.protect_credentials);
        assert!(config.protect_cloud_config);
        assert!(config.protect_browser_data);
        assert!(config.protect_keychain);
        assert!(config.protect_shell_history);
        assert!(config.protect_package_credentials);
        assert!(config.allow_gpu);
        assert!(config.allow_npu);
        assert!(!config.allow_hardware);
    }

    #[test]
    fn test_permissive_has_no_protections() {
        let config = SecurityConfig::permissive();

        assert!(!config.protect_user_home);
        assert!(config.allow_tcc_prompts); // Permissive allows TCC prompts
        assert!(!config.protect_credentials);
        assert!(!config.protect_cloud_config);
        assert!(!config.protect_browser_data);
        assert!(!config.protect_keychain);
        assert!(!config.protect_shell_history);
        assert!(!config.protect_package_credentials);
        assert!(config.allow_gpu);
        assert!(config.allow_npu);
        assert!(config.allow_hardware);
    }

    #[test]
    fn test_interactive_allows_tcc_prompts() {
        let config = SecurityConfig::interactive();

        assert!(config.protect_user_home);
        assert!(config.allow_tcc_prompts); // Interactive allows TCC prompts
        assert!(config.protect_credentials);
        assert!(config.protect_cloud_config);
        assert!(config.protect_browser_data);
        assert!(config.protect_keychain);
        assert!(config.protect_shell_history);
        assert!(config.protect_package_credentials);
        assert!(config.allow_gpu);
        assert!(config.allow_npu);
        assert!(!config.allow_hardware);
    }

    #[test]
    fn test_builder_custom() {
        let config = SecurityConfig::builder()
            .protect_user_home(false)
            .protect_credentials(true)
            .protect_browser_data(false)
            .build();

        assert!(!config.protect_user_home);
        assert!(config.protect_credentials);
        assert!(!config.protect_browser_data);
    }

    #[test]
    fn test_builder_from_permissive() {
        let config = SecurityConfigBuilder::from_permissive()
            .protect_credentials(true)
            .build();

        assert!(config.protect_credentials);
        assert!(!config.protect_user_home);
        assert!(!config.protect_browser_data);
    }
}