synwire_sandbox/lib.rs
1//! Platform-specific sandbox backends for synwire agents.
2//!
3//! This crate provides process isolation, resource accounting, and
4//! LLM-accessible process management tools. Namespace isolation is provided
5//! by an OCI runtime (runc/crun) — no custom init binary needed.
6//!
7//! # Safety
8//!
9//! This crate uses `#![deny(unsafe_code)]` with a single scoped exception:
10//! receiving a PTY controller fd from the OCI runtime via `SCM_RIGHTS`
11//! requires converting a kernel-provided raw fd to an `OwnedFd`.
12//!
13//! # Platform support
14//!
15//! | Platform | Light isolation | Strong isolation |
16//! |----------|----------------|-----------------|
17//! | Linux | cgroup v2 + AppArmor | Namespace container |
18//! | macOS | `sandbox-exec` Seatbelt | Podman / Lima |
19//! | Other | None (fallback) | None |
20
// Forbid `unsafe` for the whole crate. The module docs above record the one
// scoped exception (receiving a PTY controller fd via `SCM_RIGHTS`); that
// site is not in this file — presumably it opts back in locally with
// `#[allow(unsafe_code)]`, confirm in `platform`.
#![deny(unsafe_code)]

// Public modules of the crate. What each one contains is only partly visible
// from here; the trailing comments name the items re-exported below.
pub mod error; // `SandboxError`
pub mod output; // `CapturedOutput`, `OutputMode`, `ProcessCapture`
pub mod platform; // NOTE(review): presumably the per-OS backends from the platform table above — confirm
pub mod plugin; // NOTE(review): presumably the LLM-accessible process tools mentioned above — confirm
pub mod process_registry; // `ProcessRecord`, `ProcessRegistry`, `ProcessStatus`
pub mod visibility; // `ProcessVisibilityScope`

// Crate-root re-exports so callers can name the main types without the
// module path. `platform` and `plugin` have no crate-root re-exports here and
// are reached through their module paths.
pub use error::SandboxError;
pub use output::{CapturedOutput, OutputMode, ProcessCapture};
pub use process_registry::{ProcessRecord, ProcessRegistry, ProcessStatus};
pub use visibility::ProcessVisibilityScope;