kavach 0.25.3

Sandbox execution framework — backend abstraction, strength scoring, policy engine, credential proxy, and audit hooks
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234

# kavach

**Sandbox execution framework for Rust.**

Backend abstraction, strength scoring, policy engine, credential proxy, and lifecycle management — in a single crate. Execute untrusted code across 8 isolation backends with quantitative security guarantees.

> **Name**: Kavach (कवच, Sanskrit) — armor, shield. Protects both what's inside and what's outside.
> Extracted from [SecureYeoman](https://github.com/MacCracken/SecureYeoman)'s production sandbox framework.

[![Crates.io](https://img.shields.io/crates/v/kavach.svg)](https://crates.io/crates/kavach)
[![CI](https://github.com/MacCracken/kavach/actions/workflows/ci.yml/badge.svg)](https://github.com/MacCracken/kavach/actions/workflows/ci.yml)
[![License: AGPL-3.0](https://img.shields.io/badge/license-AGPL--3.0-blue.svg)](LICENSE)

---

## What it does

kavach is the **execution sandbox** — it wraps untrusted code in isolation and gives you a number (0–100) that tells you how protected you are. Applications build their agent execution on top of kavach.

| Capability | Details |
|------------|---------|
| **8 backends** | Process, gVisor, Firecracker, WASM, OCI, SGX, SEV, Noop |
| **Strength scoring** | Quantitative 0–100 score per sandbox (not "secure"/"insecure") |
| **Policy engine** | Seccomp, Landlock, network allowlists, resource limits, presets |
| **Credential proxy** | Inject secrets via env/pipe — never touches sandbox filesystem |
| **Lifecycle FSM** | Created → Running → Paused → Stopped → Destroyed with audit hooks |
| **Externalization gate** | Nothing leaves the sandbox without policy approval |
| **Builder pattern** | Fluent config: `.backend(GVisor).policy_seccomp("strict").network(false)` |

---

## Architecture

```
Consumer (SY, daimon, AgnosAI)
Sandbox::create(config) → exec("command") → destroy()
    ├── Policy Engine (seccomp, Landlock, network, resources)
    ├── Strength Scoring (0-100 per backend + modifiers)
    ├── Credential Proxy (secrets injection)
Backend Dispatch
    ├── Process (50)      — seccomp + namespaces + cgroups
    ├── OCI (55)          — runc/crun container
    ├── WASM (65)         — wasmtime + WASI
    ├── gVisor (70)       — user-space kernel (runsc)
    ├── SGX (80)          — Intel hardware enclave
    ├── SEV (82)          — AMD encrypted VM
    └── Firecracker (90)  — lightweight microVM
```

See [docs/architecture/overview.md](docs/architecture/overview.md) for the full architecture.

---

## Quick start

```toml
[dependencies]
kavach = "0.21"
```

```rust
use kavach::{Sandbox, SandboxConfig, Backend, SandboxState};

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    // Build a sandboxed execution environment
    let config = SandboxConfig::builder()
        .backend(Backend::Process)
        .policy_seccomp("basic")
        .network(false)
        .timeout_ms(30_000)
        .agent_id("agent-123")
        .build();

    // Create and start
    let mut sandbox = Sandbox::create(config).await?;
    sandbox.transition(SandboxState::Running)?;

    // Execute
    let result = sandbox.exec("echo hello world").await?;
    println!("exit: {}, stdout: {}", result.exit_code, result.stdout);

    // Cleanup
    sandbox.destroy().await?;
    Ok(())
}
```

### Strength scoring

```rust
use kavach::{Backend, SandboxPolicy, scoring};

// Base score per backend
let process_score = scoring::base_score(Backend::Process);    // 50
let gvisor_score = scoring::base_score(Backend::GVisor);      // 70
let firecracker_score = scoring::base_score(Backend::Firecracker); // 90

// Policy modifiers raise the score
let strict = SandboxPolicy::strict();
let score = scoring::score_backend(Backend::Process, &strict);
println!("{}", score); // "63 (standard)" — seccomp + ro rootfs + limits
```

### Credential proxy

```rust
use kavach::credential::{CredentialProxy, SecretRef, InjectionMethod};

let mut proxy = CredentialProxy::new();
proxy.register("API_KEY", "sk-secret-12345");

let refs = vec![SecretRef {
    name: "API_KEY".into(),
    inject_via: InjectionMethod::EnvVar { var_name: "OPENAI_API_KEY".into() },
}];

let env_vars = proxy.env_vars(&refs);
// env_vars = [("OPENAI_API_KEY", "sk-secret-12345")]
// The secret never touches the sandbox filesystem
```

### Policy presets

```rust
use kavach::SandboxPolicy;

let minimal = SandboxPolicy::minimal();  // No restrictions
let basic = SandboxPolicy::basic();      // Seccomp + no network
let strict = SandboxPolicy::strict();    // Everything locked down
```

---

## Features

| Flag | Backend | Default |
|------|---------|---------|
| `process` | Process isolation (seccomp, Landlock, namespaces) | yes |
| `gvisor` | gVisor user-space kernel | no |
| `firecracker` | Firecracker microVM | no |
| `wasm` | WebAssembly (wasmtime + WASI) | no |
| `oci` | OCI container (runc/crun) | no |
| `sgx` | Intel SGX enclave | no |
| `sev` | AMD SEV encrypted VM | no |
| `full` | All backends | no |

```toml
# Just process + WASM sandboxing
kavach = { version = "0.21", features = ["wasm"] }

# Everything
kavach = { version = "0.21", features = ["full"] }
```

---

## Strength scoring scale

| Score | Label | Example |
|-------|-------|---------|
| 0–29 | minimal | Noop (testing only) |
| 30–49 | basic | Process without seccomp |
| 50–69 | standard | Process + seccomp, OCI, WASM |
| 70–84 | hardened | gVisor, SGX, SEV, sy-agnos |
| 85–100 | fortress | Firecracker + full policy |

---

## Who uses this

| Project | Usage |
|---------|-------|
| **[SecureYeoman](https://github.com/MacCracken/SecureYeoman)** | All agent execution — 279 MCP tools sandboxed |
| **[AGNOS](https://github.com/MacCracken/agnosticos)** (daimon) | Agent sandbox lifecycle, 7 backend dispatch |
| **[AgnosAI](https://github.com/MacCracken/agnosai)** | Sandboxed crew execution (WASM/OCI agents) |
| **[aethersafta](https://github.com/MacCracken/aethersafta)** | Sandboxed compositor plugin execution |
| **[sutra](https://github.com/MacCracken/sutra)** | Sandboxed remote command execution on fleet |

---

## Roadmap

| Version | Milestone | Key features |
|---------|-----------|--------------|
| **0.21.3** | Foundation | Backend trait, scoring, policy, credentials, lifecycle FSM |
| **0.22.3** | Process backend | seccomp-bpf, Landlock, namespaces, cgroups, externalization gate |
| **0.23.3** | gVisor + OCI | runsc integration, OCI spec generation, container lifecycle |
| **0.24.3** | Firecracker + WASM | microVM, wasmtime + WASI, checkpoint/restore |
| **0.25.3** | Hardware enclaves | Intel SGX, AMD SEV-SNP, attestation |
| **0.26.3** | Consumer adoption | SY, daimon, AgnosAI integration |
| **0.27.3** | Stiva integration | `Sandbox::spawn()` (long-running), rootfs passthrough, graceful stop (SIGTERM→SIGKILL), stdout/stderr streaming |
| **1.0.0** | Stable API | All 8 backends, 90%+ coverage, formally verified FSM |

Full details: [docs/development/roadmap.md](docs/development/roadmap.md)

---

## Building from source

```bash
git clone https://github.com/MacCracken/kavach.git
cd kavach

# Build (process backend only — no system deps)
cargo build

# Build with WASM support
cargo build --features wasm

# Run tests
cargo test

# Run all CI checks
make check
```

---

## Versioning

Pre-1.0 releases use `0.D.M` SemVer — e.g. `0.21.3` = March 21st.
Post-1.0 follows standard SemVer.

---

## License

AGPL-3.0-only. See [LICENSE](LICENSE) for details.