Trait Sandbox 

pub trait Sandbox: Send + Sync {
    // Required methods
    fn availability(&self) -> &'static str;
    fn enforces(&self) -> bool;
}

Sandbox boundary: wrap an MCP server child process so that any tool invocation can only access an explicitly granted set of paths and syscalls.

Required Methods

fn availability(&self) -> &'static str

Returns a tag like "seccomp+landlock", "unsupported(macos)".

fn enforces(&self) -> bool

Whether the current platform can actually enforce a policy.

Implementors