Struct SandboxConfig 

pub struct SandboxConfig {
    pub enabled: bool,
    pub image: Option<String>,
    pub workspace: Option<String>,
    pub network: NetworkConfig,
    pub resources: ResourceConfig,
    pub env: Vec<String>,
    pub volumes: Vec<String>,
    pub exclude: Vec<String>,
    pub dns: Vec<String>,
}

Full sandbox configuration (parsed from workflow config or CLI flags)

Fields

enabled: bool

image: Option<String>

Docker image to use (default: “minion-sandbox:latest”)

workspace: Option<String>

Host path to mount as workspace inside container

network: NetworkConfig

resources: ResourceConfig

env: Vec<String>

Host environment variables to forward into the container. Each entry is a variable name (e.g. “GH_TOKEN”); the value is read from the host environment at container-creation time.

volumes: Vec<String>

Extra read-only volume mounts (host_path:container_path or host_path:container_path:mode). Tilde (~) is expanded to $HOME on the host.

exclude: Vec<String>

Glob patterns of files/dirs to exclude when copying workspace into the container (e.g. “node_modules”, “target”).

dns: Vec<String>

DNS servers to use inside the container (e.g. “8.8.8.8”). Ensures name resolution works even with restricted networks.

Implementations

impl SandboxConfig

pub const DEFAULT_IMAGE: &'static str = "minion-sandbox:latest"

Default image used when none is specified

pub const AUTO_ENV: &'static [&'static str]

Well-known env vars that are auto-forwarded when the user does NOT specify an explicit env: list. This covers the most common credentials needed by workflows.

pub const AUTO_EXCLUDE: &'static [&'static str]

Well-known directories to exclude when copying workspace into the sandbox container. These are typically large build/cache directories that would make the copy prohibitively slow and are not needed for workflow execution.

pub const AUTO_VOLUMES: &'static [&'static str]

Well-known host directories that are auto-mounted when the user does NOT specify an explicit volumes: list. Note: ~/.claude needs read-write access because Claude CLI writes session data. Note: ~/.gitconfig is NOT mounted because the host gitconfig often contains macOS-specific paths (e.g. credential helpers pointing to /usr/local/bin/gh) and missing safe.directory entries. The sandbox configures its own gitconfig after workspace copy.

pub const PROXIED_SECRETS: &'static [&'static str]

Secrets that are proxied and should NOT be passed as env vars into the container.

pub fn image(&self) -> &str

pub fn effective_env(&self) -> Vec<String>

Return the effective env-var list: explicit config overrides auto-env.

pub fn effective_env_with_proxy(&self) -> Vec<String>

Return env vars to forward when the API proxy is active. Excludes secrets that are handled by the proxy (e.g. ANTHROPIC_API_KEY).

pub fn effective_volumes(&self) -> Vec<String>

Return the effective volume list: explicit config overrides auto-volumes. Tilde (~) is expanded to $HOME on the host.

pub fn effective_exclude(&self) -> Vec<String>

Return the effective exclude list: explicit config overrides auto-exclude.

pub fn from_global_config(config: &HashMap<String, Value>) -> Self

Parse SandboxConfig from a global config map (Devbox mode)

Trait Implementations

impl Clone for SandboxConfig

fn clone(&self) -> SandboxConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SandboxConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SandboxConfig

fn default() -> SandboxConfig

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for SandboxConfig

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for SandboxConfig

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.