Expand description
Re-export of the noether_isolation crate.
The isolation primitives used to live here. They were extracted
into their own crate in v0.7.1 so downstream consumers that want
the sandbox primitive without pulling in all of noether-engine
(agentspec’s trust-enforcement path, the standalone
noether-sandbox binary, future language bindings) can depend on
noether-isolation directly.
Existing callers that reach through noether_engine::executor::isolation
keep working via this re-export — nothing here is new API, only a
new location. See the noether_isolation crate docs for the
authoritative source.
Structs§
- Isolation
Policy - What the sandbox does and doesn’t let a stage reach.
- RoBind
- A single read-only bind mount. Named-struct rather than a tuple
so the JSON wire format stays readable for non-Rust consumers:
{"host": "/nix/store", "sandbox": "/nix/store"}instead of the earlier["/nix/store", "/nix/store"]. The latter was terser but gave external language bindings no schema hint about which path was which.
Enums§
- Isolation
Backend - Which isolation backend to use for a stage execution.
- Isolation
Error - Error from the isolation layer itself — policy misconfiguration or backend unavailable. Stage-body errors come back as the usual execution error on the inner command.
Constants§
- NOBODY_
GID - NOBODY_
UID - Conventional “nobody” UID/GID on Linux. bwrap maps the invoking user to this identity inside the sandbox so the stage cannot observe the real UID of the caller.
- TRUSTED_
BWRAP_ PATHS - Root-owned locations where
bwraplives on a correctly-provisioned Linux host. Order matters: NixOS system profile first (nix hosts almost always have this), then the Determinate / single-user nix profile, then distro-packaged/usr/bin, then manual installs.
Functions§
- build_
bwrap_ command - Build a
bwrapinvocation that runscmdinside a sandbox. - find_
bwrap - Locate the
bwrapbinary.