deck_sandbox/lib.rs
1//! deck-sandbox — the ICE.
2//!
3//! Wraps a child process (an MCP server) with a seccomp BPF filter and a
4//! landlock filesystem ruleset. On non-Linux targets, this crate degrades
5//! to a no-op stub so the workspace still builds, but [`enforces`] reports
6//! `false` and `--sandbox-strict` will refuse to launch untrusted servers.
7//!
//! This is the *one* feature that distinguishes ono-sendai from every
//! other LLM TUI on GitHub: on a host where [`enforces`] returns `true`,
//! you can run an untrusted MCP server and trust that, at worst, it can
//! only touch the paths you whitelisted.
11
12use deck_core::Sandbox;
13
14pub mod profile;
15pub use profile::SandboxProfile;
16
17#[cfg(target_os = "linux")]
18mod linux;
19#[cfg(not(target_os = "linux"))]
20mod stub;
21
22#[cfg(target_os = "linux")]
23pub use linux::LinuxSandbox as PlatformSandbox;
24#[cfg(not(target_os = "linux"))]
25pub use stub::StubSandbox as PlatformSandbox;
26
/// Returns a short, human-readable tag describing the platform sandbox
/// backend, intended for diagnostics such as the `doctor` subcommand.
///
/// The value is whatever a default-constructed [`PlatformSandbox`] reports.
/// It is meant for display; gate launch decisions on [`enforces`] rather
/// than on the contents of this string.
#[must_use]
pub fn availability() -> &'static str {
    // A fresh default sandbox is built on every call; nothing is cached here.
    let sandbox = PlatformSandbox::default();
    sandbox.availability()
}
32
/// Reports whether the platform sandbox backend actually enforces a policy
/// when one is applied.
///
/// The answer is whatever a default-constructed [`PlatformSandbox`] reports.
/// Per the crate-level docs, non-Linux targets build a no-op stub for which
/// this is `false`. Treat `false` as "no confinement at all": a caller about
/// to launch an untrusted server should fail closed instead of proceeding
/// unsandboxed.
#[must_use]
pub fn enforces() -> bool {
    // NOTE(review): whether the Linux backend probes seccomp/landlock support
    // on the running kernel is decided inside `linux`, which is not visible
    // from this file. Confirm before relying on `true` as a runtime guarantee.
    let sandbox = PlatformSandbox::default();
    sandbox.enforces()
}