Module sandbox

The runtime arm of the permission primitive: pluggable sandbox backends that enforce a declared policy rather than merely gating tool dispatch.

A sandbox is the runtime answer to a permission policy. The authoritative policy model lives in harn-serve’s permissions module (the policy { read, write, exec, net } block); this module is where that policy becomes true at execution time. harn-serve lowers a PermissionPolicy into a SandboxSpec and a backend makes the spec real:

  • filesystem — mounts scope what the spawned process can touch; reads and writes outside the declared roots are rejected by the underlying OS sandbox.
  • process — every command runs through harn-vm’s process sandbox, which maps the policy onto Landlock/seccomp (Linux), sandbox-exec (macOS), Job Objects (Windows), and pledge/unveil (OpenBSD).
  • network — egress is governed by NetworkPolicy; a backend advertises whether it can honour a per-host allowlist via SandboxCapabilities::network_policy.

The LocalSandbox backend ships here because the process/fs enforcement it relies on already lives in harn-vm; remote backends (Fly Machines, Modal, E2B, …) implement the same SandboxBackend contract from wherever they run.
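
An added example (not harn's own code) of the capability check described in the network bullet above: when a backend cannot honour a per-host allowlist, the caller either refuses to provision or narrows egress to deny-all, and never widens it. `Egress`, `Caps`, `LowerError` and `lower_egress` are hypothetical stand-ins defined here; this page does not show the real fields of `NetworkPolicy` or `SandboxCapabilities`, and the capability is assumed to be a boolean.

```rust
// Added illustration: stand-in types defined here, NOT harn's real definitions.
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq)]
enum Egress {
    DenyAll,
    AllowHosts(BTreeSet<String>),
    AllowAll,
}

/// Stand-in for the capability a backend advertises (assumed to be a boolean).
#[derive(Debug, Clone, Copy)]
struct Caps {
    per_host_allowlist: bool,
}

#[derive(Debug, PartialEq)]
enum LowerError {
    AllowlistUnsupported,
}

/// Pick the egress policy to hand to a backend. The result is never broader
/// than what was declared: an unsupported allowlist narrows to DenyAll (when
/// the caller opted in) or is refused, and never becomes AllowAll.
fn lower_egress(declared: &Egress, caps: Caps, degrade_to_deny: bool) -> Result<Egress, LowerError> {
    match declared {
        Egress::DenyAll => Ok(Egress::DenyAll),
        Egress::AllowAll => Ok(Egress::AllowAll),
        Egress::AllowHosts(hosts) => {
            // Normalise so "API.Example.test." and "api.example.test" compare equal.
            let hosts: BTreeSet<String> = hosts
                .iter()
                .map(|h| h.trim().trim_end_matches('.').to_ascii_lowercase())
                .filter(|h| !h.is_empty())
                .collect();
            if hosts.is_empty() {
                Ok(Egress::DenyAll) // an empty allowlist permits nothing
            } else if caps.per_host_allowlist {
                Ok(Egress::AllowHosts(hosts))
            } else if degrade_to_deny {
                Ok(Egress::DenyAll)
            } else {
                Err(LowerError::AllowlistUnsupported)
            }
        }
    }
}

fn main() {
    // Constructed sample input.
    let declared = Egress::AllowHosts(BTreeSet::from(["API.Example.test.".to_string()]));
    println!("{:?}", lower_egress(&declared, Caps { per_host_allowlist: false }, false));
}
```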

Structs

ExecRequest
A command to run inside a session.
ExecResult
The outcome of an ExecRequest.
FilesystemMount
A requested mount: a host source exposed to the guest at target.
LocalSandbox
Local SandboxBackend that confines commands with harn-vm’s process sandbox.
LocalSandboxConfig
Configuration for a LocalSandbox.
ResolvedMount
A mount resolved to concrete host/guest paths.
ResourceLimits
Resource ceilings applied to a session.
SandboxCapabilities
What a backend can do, so callers can degrade gracefully.
SandboxSession
A provisioned session as seen by callers.
SandboxSessionId
Stable identifier for a provisioned sandbox session.
SandboxSnapshot
A point-in-time snapshot handle for a session.
SandboxSpec
The full request to provision a session: the runtime lowering of a declared permission policy.

Enums

FilesystemAccess
Whether a mount is writable by the guest.
NetworkPolicy
Egress policy for a sandbox session. The wire shape matches the Anthropic sandbox network-policy contract so cloud backends can forward it verbatim.
SandboxError
Errors surfaced by a SandboxBackend.
SandboxState
Lifecycle state of a session.

Constants

MEMORY_MOUNT
Canonical guest mount for durable agent memory, read-only by default. Backends expose its host path through the HARN_MEMORY_DIR environment variable.
OUTPUTS_MOUNT
Canonical guest mount for a session’s writable scratch/output directory. Backends expose its host path through the HARN_OUTPUTS_DIR environment variable.

Traits

SandboxBackend
Pluggable enforcement backend. Implementations make a SandboxSpec (the runtime lowering of a permission policy) real and run commands under it.

Type Aliases

SandboxResult
Result alias for sandbox operations.