Crate forge_sandbox 

forge-sandbox

V8 sandbox for the Forgemax Code Mode Gateway.

Executes LLM-generated JavaScript in a deno_core isolate with no filesystem, network, or environment access. The only bridge to the host is through explicitly registered ops that dispatch to a ToolDispatcher.

Security model

• V8 isolate: Same process-level isolation as Chrome tabs
• No ambient capabilities: No fs, net, env, or child_process access
• Fresh runtime per call: No state leakage between executions
• Pre-execution validation: Banned patterns caught before reaching V8
• Timeout enforcement: Execution killed after configurable deadline
• Output size limits: Prevents exfiltration of large data sets
• Opaque bindings: Credentials never exposed to sandbox code

Re-exports

pub use error::SandboxError;

pub use executor::ExecutionMode;

pub use executor::SandboxConfig;

pub use executor::SandboxExecutor;

Modules

ast_validator

AST-based code validator for the Forge sandbox.

audit

Audit logging for sandbox executions.

error

Error types for the Forge sandbox.

executor

Sandbox executor — creates fresh V8 isolates and runs LLM-generated code.

groups

Server group enforcement for cross-server data flow policies.

host

SandboxHost — parent-side management of isolated worker child processes.

ipc

IPC protocol for parent ↔ worker communication.

metrics

Prometheus metrics for the Forge sandbox.

ops

deno_core op definitions for the Forge sandbox.

pool

Worker pool for reusing sandbox child processes across executions.

redact

Error redaction for preventing information leakage to LLMs.

stash

Session stash — a per-session key/value store with TTL and group isolation.

validator

Pre-execution code validator for the Forge sandbox.

Traits

ResourceDispatcher

Trait for dispatching resource reads from the sandbox to downstream MCP servers.

StashDispatcher

Trait for dispatching stash operations from the sandbox.

ToolDispatcher

Trait for dispatching tool calls from the sandbox to downstream MCP servers.