1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
//! Docker execution sandbox for secure command execution.
//!
//! This module provides a complete sandboxing solution for running untrusted commands:
//! - **Container isolation**: Commands run in ephemeral Docker containers
//! - **Network proxy**: All network traffic goes through a validating proxy
//! - **Credential injection**: Secrets are injected by the proxy, never exposed in containers
//! - **Resource limits**: Memory, CPU, and timeout enforcement
//!
//! # Architecture
//!
//! ```text
//! ┌─────────────────────────────────────────────────────────────────────────────┐
//! │ Sandbox System │
//! │ │
//! │ ┌─────────────────────────────────────────────────────────────────────┐ │
//! │ │ SandboxManager │ │
//! │ │ │ │
//! │ │ • Coordinates container creation and execution │ │
//! │ │ • Manages proxy lifecycle │ │
//! │ │ • Enforces resource limits │ │
//! │ └─────────────────────────────────────────────────────────────────────┘ │
//! │ │ │ │
//! │ ▼ ▼ │
//! │ ┌──────────────────┐ ┌───────────────────┐ │
//! │ │ Container │ │ Network Proxy │ │
//! │ │ Runner │ │ │ │
//! │ │ │ │ • Allowlist │ │
//! │ │ • Create │◀────────▶│ • Credentials │ │
//! │ │ • Execute │ │ • Logging │ │
//! │ │ • Cleanup │ │ │ │
//! │ └──────────────────┘ └───────────────────┘ │
//! │ │ │ │
//! │ ▼ ▼ │
//! │ ┌──────────────────┐ ┌───────────────────┐ │
//! │ │ Docker │ │ Internet │ │
//! │ │ │ │ (allowed hosts) │ │
//! │ └──────────────────┘ └───────────────────┘ │
//! └─────────────────────────────────────────────────────────────────────────────┘
//! ```
//!
//! # Sandbox Policies
//!
//! | Policy | Filesystem | Network | Use Case |
//! |--------|------------|---------|----------|
//! | `ReadOnly` | Read workspace | Proxied | Explore code, fetch docs |
//! | `WorkspaceWrite` | Read/write workspace | Proxied | Build software, run tests |
//! | `FullAccess` | Full host | Full | Direct execution (no sandbox) |
//!
//! # Example
//!
//! ```rust,no_run
//! use ironclaw::sandbox::{SandboxManager, SandboxManagerBuilder, SandboxPolicy};
//! use std::collections::HashMap;
//! use std::path::Path;
//!
//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
//! let manager = SandboxManagerBuilder::new()
//! .enabled(true)
//! .policy(SandboxPolicy::WorkspaceWrite)
//! .build();
//!
//! manager.initialize().await?;
//!
//! let result = manager.execute(
//! "cargo build --release",
//! Path::new("/workspace/my-project"),
//! HashMap::new(),
//! ).await?;
//!
//! println!("Exit code: {}", result.exit_code);
//! println!("Output: {}", result.output);
//!
//! manager.shutdown().await;
//! # Ok(())
//! # }
//! ```
//!
//! # Security Properties
//!
//! - **No credentials in containers**: Environment variables with secrets never enter containers
//! - **Network isolation**: All traffic routes through the proxy (validated domains only)
//! - **Non-root execution**: Containers run as UID 1000
//! - **Read-only root**: Container filesystem is read-only (except workspace mount)
//! - **Capability dropping**: All Linux capabilities dropped, only essential ones added back
//! - **Auto-cleanup**: Containers are removed after execution (--rm + explicit cleanup)
//! - **Timeout enforcement**: Commands are killed after the timeout
pub use ;
pub use ;
pub use ;
pub use ;
pub use ;
/// Default allowlist getter (re-export for convenience).
/// Default credential mappings getter (re-export for convenience).