Platform-specific sandbox backends for synwire agents.
This crate provides process isolation, resource accounting, and LLM-accessible process management tools. Namespace isolation is provided by an OCI runtime (runc/crun) — no custom init binary needed.
## Safety

This crate uses `#![deny(unsafe_code)]` with a single scoped exception: receiving a PTY controller fd from the OCI runtime via `SCM_RIGHTS` requires converting a kernel-provided raw fd into an `OwnedFd`.
## Platform support
| Platform | Light isolation | Strong isolation |
|---|---|---|
| Linux | cgroup v2 + AppArmor | Namespace container |
| macOS | sandbox-exec Seatbelt | Podman / Lima |
| Other | None (fallback) | None |
## Re-exports

- `pub use error::SandboxError;`
- `pub use output::CapturedOutput;`
- `pub use output::OutputMode;`
- `pub use output::ProcessCapture;`
- `pub use process_registry::ProcessRecord;`
- `pub use process_registry::ProcessRegistry;`
- `pub use process_registry::ProcessStatus;`
- `pub use visibility::ProcessVisibilityScope;`
## Modules

- `error`: Sandbox error type.
- `output`: Output capture for non-interactive sandbox processes.
- `platform`: Platform-specific sandbox backend selection.
- `plugin`: Process tracking plugin, command execution tools, and shell session tools.
- `process_registry`: In-memory registry of processes spawned by sandbox backends.
- `visibility`: Parent-child process visibility scoping.