Process-sandbox backend slot (shape only).
This module defines the interface a future shared saorsa-sandbox crate
will implement. It mirrors the contract designed in x0x-symphony’s
XSY-0027 (wrap(argv) + probe()), with four shape refinements (C1–C4)
fed back to the symphony team:
- C1: `wrap` returns a `WrappedCommand` (argv and env additions), not bare argv — the runner’s `env_clear()` would otherwise drop a backend’s proxy/CA vars.
- C2: the backend is stateful (`ProcessSandbox::prepare`/`ProcessSandbox::shutdown`) — fluers spawns dozens of short-lived commands per turn; per-exec boot (e.g. srt’s Node) is too expensive.
- C3: `ProcessSandbox::probe` is `async` — it spawns children, and all fluers/runtime consumers are tokio.
- C4: `ExecSandboxContext` carries an optional per-call `cwd` — a parent’s `current_dir` does not survive a mount-namespace pivot (e.g. bubblewrap `--chdir`).
No backends are implemented here. When the shared saorsa-sandbox crate
publishes (WP-5/4e), this slot is replaced by, re-exported from, or adapted
to that crate’s final API. NOTE: as of 2026-07, symphony’s runner-shell
Sandbox trait (XSY-0027 M2) and this trait are semantically aligned on
C1–C4 (env-returning wrap, stateful lifecycle, async probe, per-call cwd)
but differ concretely — notably lifecycle scope (fluers prepares once per
session + cheap per-command wrap; symphony prepares per command). The
shared-crate reconciliation is tracked for WP-5/4e; until then this local
trait preserves the C1–C4 semantics fluers needs.
Structs
- `ExecSandboxContext`: per-session/per-call context handed to a `ProcessSandbox`.
- `SandboxPolicy`: a caller’s sandbox requirements, paired with a fallback policy.
- `WrappedCommand`: the result of `ProcessSandbox::wrap`: the (possibly rewritten) argv plus any environment the backend needs present in the child.
Enums
- `Enforcement`: how strongly a backend enforces a given `SandboxProfile`.
- `OnUnavailable`: what to do when a requested profile cannot be fully enforced.
- `SandboxProfile`: a coarse capability profile a caller may request of the sandbox.
Traits
- `ProcessSandbox`: a process-sandbox backend. Shape only — no implementations ship in fluers; this is the slot `saorsa-sandbox` will replace/re-export/adapt to (WP-5/4e).
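An added illustration of the C1, C2 and C4 points on the runner side; this is not fluers code and the signatures are hypothetical stand-ins, since this page does not show the real trait. A toy backend's `wrap` returns env additions that the runner re-applies after `env_clear()`, so the proxy variable reaches the child; `probe` is omitted because the real one is async (C3).

```rust
use std::collections::BTreeMap;
use std::ffi::OsString;
use std::process::Command;

/// Stand-in for the page's `WrappedCommand` (C1): rewritten argv plus env the child must see.
pub struct WrappedCommand {
    pub argv: Vec<String>,
    pub env: BTreeMap<String, String>,
}

/// Stand-in for `ExecSandboxContext` (C4): cwd is passed per call, not inherited.
pub struct ExecSandboxContext { pub cwd: Option<String> }

/// Hypothetical trait with the page's shape; `probe` is left out (the real one is async).
pub trait ProcessSandbox {
    fn prepare(&mut self) -> Result<(), String>; // once per session (C2)
    fn wrap(&self, argv: &[String], ctx: &ExecSandboxContext) -> WrappedCommand;
    fn shutdown(&mut self);
}

/// Constructed toy backend: prefixes argv with a wrapper and needs a proxy var in the child.
pub struct ToyBackend { pub prepared: bool }

impl ProcessSandbox for ToyBackend {
    fn prepare(&mut self) -> Result<(), String> { self.prepared = true; Ok(()) }
    fn wrap(&self, argv: &[String], ctx: &ExecSandboxContext) -> WrappedCommand {
        assert!(self.prepared, "wrap() called before prepare()"); // C2 lifecycle check
        let mut out = vec!["toy-wrap".to_string()];
        if let Some(cwd) = &ctx.cwd { out.push(format!("--chdir={cwd}")); } // C4: explicit cwd
        out.extend(argv.iter().cloned());
        let mut env = BTreeMap::new();
        env.insert("HTTPS_PROXY".to_string(), "http://127.0.0.1:3128".to_string()); // constructed
        WrappedCommand { argv: out, env }
    }
    fn shutdown(&mut self) { self.prepared = false; }
}

/// Runner side: env_clear() first, then the allow-listed vars, then the backend's additions (C1).
pub fn build_command(w: &WrappedCommand, allow: &[(&str, &str)]) -> Command {
    let mut cmd = Command::new(&w.argv[0]);
    cmd.args(&w.argv[1..]).env_clear();
    for (k, v) in allow { cmd.env(k, v); }
    for (k, v) in &w.env { cmd.env(k, v); }
    cmd
}

/// Environment the built Command will hand to the child (entries still set after env_clear()).
pub fn child_env(cmd: &Command) -> BTreeMap<OsString, OsString> {
    cmd.get_envs()
        .filter_map(|(k, v)| v.map(|v| (k.to_os_string(), v.to_os_string())))
        .collect()
}
```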