kavach 1.0.1

Sandbox execution framework — backend abstraction, strength scoring, policy engine, credential proxy, and audit hooks
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

//! # Kavach — Sandbox Execution Framework
//!
//! Kavach (कवच, Sanskrit: armor/shield) provides a unified sandbox abstraction
//! for executing untrusted code across multiple isolation backends. Extracted
//! from [SecureYeoman](https://github.com/MacCracken/SecureYeoman)'s production
//! sandbox framework.
//!
//! ## Modules
//!
//! - [`backend`] — Sandbox backend trait and implementations (process, gVisor, Firecracker, WASM, OCI, SGX, SEV)
//! - [`scoring`] — Quantitative security strength scoring (0–100)
//! - [`policy`] — Seccomp profiles, Landlock rules, network allowlists, resource limits
//! - [`credential`] — Secrets injection without exposing to sandboxed processes
//! - [`lifecycle`] — Create, start, checkpoint, migrate, destroy with audit hooks
//! - [`scanning`] — Multi-stage output scanning (secrets, code violations, PII/compliance)
//!
//! ## Quick start
//!
//! ```rust,no_run
//! use kavach::{Sandbox, SandboxConfig, Backend};
//!
//! # async fn example() -> anyhow::Result<()> {
//! let config = SandboxConfig::builder()
//!     .backend(Backend::Process)
//!     .policy_seccomp("basic")
//!     .network(false)
//!     .build();
//!
//! let sandbox = Sandbox::create(config).await?;
//! let result = sandbox.exec("echo hello").await?;
//! println!("exit: {}, stdout: {}", result.exit_code, result.stdout);
//! sandbox.destroy().await?;
//! # Ok(())
//! # }
//! ```

pub mod backend;
pub mod credential;
pub mod lifecycle;
pub mod policy;
pub mod scanning;
pub mod scoring;

mod error;
pub use error::KavachError;

pub use backend::exec_util::SpawnedProcess;
pub use backend::health::HealthStatus;
pub use backend::metrics::SandboxMetrics;
pub use backend::{Backend, SandboxBackend};
pub use credential::{CredentialProxy, FileInjection, SecretRef};
pub use lifecycle::{ExecResult, Sandbox, SandboxConfig, SandboxPool, SandboxState};
pub use policy::{LandlockRule, NetworkPolicy, SandboxPolicy, SeccompProfile};
#[cfg(feature = "process")]
pub use scanning::ExternalizationGate;
#[cfg(feature = "process")]
pub use scanning::{CodeScanner, DataScanner};
pub use scanning::{ExternalizationPolicy, ScanVerdict, Severity};
pub use scoring::{StrengthScore, score_backend};

/// Result type alias for kavach operations.
pub type Result<T> = std::result::Result<T, KavachError>;

#[cfg(test)]
mod tests;