
Module process_sandbox

Process-sandbox backend slot (shape only).

This module defines the interface a future shared saorsa-sandbox crate will implement. It mirrors the contract designed in x0x-symphony’s XSY-0027 (wrap(argv) + probe()), with four shape refinements (C1–C4) fed back to the symphony team:

  • C1: wrap returns a WrappedCommand (argv and env additions), not bare argv — the runner’s env_clear() would otherwise drop a backend’s proxy/CA vars.
  • C2: the backend is stateful (ProcessSandbox::prepare / ProcessSandbox::shutdown) — fluers spawns dozens of short-lived commands per turn; per-exec boot (e.g. srt’s Node) is too expensive.
  • C3: ProcessSandbox::probe is async — it spawns children, and all fluers/runtime consumers are tokio.
  • C4: ExecSandboxContext carries an optional per-call cwd — a parent’s current_dir does not survive a mount-namespace pivot (e.g. bubblewrap --chdir).

No backends are implemented here. When the shared saorsa-sandbox crate publishes (WP-5/4e), this slot is replaced by, re-exported from, or adapted to that crate’s final API. NOTE: as of 2026-07, symphony’s runner-shell Sandbox trait (XSY-0027 M2) and this trait are semantically aligned on C1–C4 (env-returning wrap, stateful lifecycle, async probe, per-call cwd) but differ concretely — notably lifecycle scope (fluers prepares once per session + cheap per-command wrap; symphony prepares per command). The shared-crate reconciliation is tracked for WP-5/4e; until then this local trait preserves the C1–C4 semantics fluers needs.
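As an added illustration of the C1, C2 and C4 shape (example code, not fluers or saorsa-sandbox code): a hypothetical toy backend whose prepare starts a proxy once per session, whose cheap per-command wrap returns a WrappedCommand carrying the proxy variable and a --chdir argument, and a runner-side build_command that applies env_clear() and then re-adds only the env the backend returned. The wrapper binary name, the proxy address and the --chdir flag are constructed; probe is omitted because it is async and no tokio runtime is assumed.

```rust
use std::collections::BTreeMap;
use std::path::PathBuf;
use std::process::Command;

/// C4: per-call context with an optional cwd, applied by the backend itself
/// because a parent's current_dir does not survive a mount-namespace pivot.
#[derive(Default)]
pub struct ExecSandboxContext { pub cwd: Option<PathBuf> }

/// C1: wrap returns argv plus env additions, not bare argv.
pub struct WrappedCommand { pub argv: Vec<String>, pub env: BTreeMap<String, String> }

/// C2: stateful lifecycle. `probe` (async on the page) is left out here.
pub trait ProcessSandbox {
    fn prepare(&mut self) -> Result<(), String>;
    fn wrap(&self, argv: Vec<String>, ctx: &ExecSandboxContext) -> WrappedCommand;
    fn shutdown(&mut self);
}

/// Hypothetical toy backend: `prepare` "starts" a proxy once per session and
/// every cheap `wrap` exports its address to the child (constructed value).
#[derive(Default)]
pub struct ToyProxyBackend { pub proxy: Option<String> }

impl ProcessSandbox for ToyProxyBackend {
    fn prepare(&mut self) -> Result<(), String> {
        self.proxy = Some("http://127.0.0.1:3128".to_string());
        Ok(())
    }
    fn wrap(&self, argv: Vec<String>, ctx: &ExecSandboxContext) -> WrappedCommand {
        let mut out = vec!["toy-wrap".to_string()]; // hypothetical wrapper binary
        if let Some(cwd) = &ctx.cwd { out.push(format!("--chdir={}", cwd.display())); }
        out.extend(argv);
        let mut env = BTreeMap::new();
        if let Some(p) = &self.proxy { env.insert("HTTPS_PROXY".to_string(), p.clone()); }
        WrappedCommand { argv: out, env }
    }
    fn shutdown(&mut self) { self.proxy = None; }
}

/// Runner side: env_clear() for least privilege, then re-add only what the
/// backend returned. With bare argv the proxy variable would be lost here.
pub fn build_command(w: &WrappedCommand, ctx: &ExecSandboxContext) -> Command {
    let mut cmd = Command::new(&w.argv[0]);
    cmd.args(&w.argv[1..]).env_clear().envs(&w.env);
    if let Some(cwd) = &ctx.cwd { cmd.current_dir(cwd); }
    cmd
}
```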

Structs§

  • ExecSandboxContext: Per-session/per-call context handed to a ProcessSandbox.
  • SandboxPolicy: A caller’s sandbox requirements, paired with a fallback policy.
  • WrappedCommand: The result of ProcessSandbox::wrap: the (possibly rewritten) argv plus any environment the backend needs present in the child.

Enums§

  • Enforcement: How strongly a backend enforces a given SandboxProfile.
  • OnUnavailable: What to do when a requested profile cannot be fully enforced.
  • SandboxProfile: A coarse capability profile a caller may request of the sandbox.

Traits§

  • ProcessSandbox: A process-sandbox backend. Shape only — no implementations ship in fluers; this is the slot saorsa-sandbox will replace/re-export/adapt to (WP-5/4e).