heel 0.1.1

Cross-platform native sandboxing library for running untrusted code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

//! Native Sandbox - Cross-platform native sandboxing library
//!
//! This library provides a simple API for running untrusted code in a secure sandbox.
//! It uses platform-native sandboxing mechanisms:
//! - macOS: `sandbox-exec` with SBPL profiles
//! - Linux: Landlock + Seccomp (planned)
//! - Windows: AppContainer (planned)
//!
//! # Example
//!
//! ```rust,ignore
//! use heel::Sandbox;
//!
//! async fn run_sandboxed() -> heel::Result<()> {
//!     // Create a sandbox with default configuration (network denied)
//!     let sandbox = Sandbox::new()?;
//!
//!     // Run a command in the sandbox
//!     let output = sandbox.command("echo")
//!         .arg("Hello from sandbox!")
//!         .output()
//!         .await?;
//!
//!     println!("Output: {}", String::from_utf8_lossy(&output.stdout));
//!     Ok(())
//! }
//! ```
//!
//! # Network Policies
//!
//! By default, all network access is denied. You can configure network access
//! using different policies:
//!
//! - [`DenyAll`] - Deny all network access (default)
//! - [`AllowAll`] - Allow all network access
//! - [`AllowList`] - Allow access to specific domains
//! - [`CustomPolicy`] - Custom async handler for network decisions
//!
//! # Python Support
//!
//! The library has built-in support for Python virtual environments:
//!
//! ```rust,ignore
//! use heel::{Sandbox, SandboxConfig, PythonConfig, VenvConfig};
//!
//! async fn run_python() -> heel::Result<()> {
//!     let venv_config = VenvConfig::builder()
//!         .packages(["requests", "numpy"])
//!         .build();
//!
//!     let config = SandboxConfig::builder()
//!         .python(PythonConfig::builder().venv(venv_config).build())
//!         .build()?;
//!
//!     let sandbox = Sandbox::with_config(config)?;
//!     let output = sandbox.run_python("import requests; print(requests.__version__)").await?;
//!     Ok(())
//! }
//! ```

mod command;
mod config;
mod error;
pub mod ipc;
mod network;
mod platform;
#[cfg(target_os = "macos")]
pub mod pty;
mod python;
mod sandbox;
mod security;
mod workdir;

// Re-export public types
pub use command::{Command, StdioConfig};
pub use config::{
    PythonConfig, PythonConfigBuilder, ResourceLimits, ResourceLimitsBuilder, SandboxConfig,
    SandboxConfigBuilder, VenvConfig, VenvConfigBuilder, python_data_science_preset,
    python_dev_preset, strict_preset,
};
pub use error::{Error, Result};
pub use ipc::{IpcCommand, IpcError, IpcRouter};
pub use network::{
    AllowAll, AllowList, ConnectionDirection, CustomPolicy, DenyAll, DomainRequest, NetworkPolicy,
};
pub use platform::Child;
pub use python::VenvManager;
/// Re-export rmp_serde for IpcCommand::apply_args implementations.
pub use rmp_serde;
pub use sandbox::Sandbox;
pub use security::{SecurityConfig, SecurityConfigBuilder};
pub use workdir::WorkingDir;

// PTY support (macOS only for now)
#[cfg(target_os = "macos")]
pub use pty::PtyExitStatus;