1 unstable release
| 0.15.15-alpha.3 | Apr 16, 2026 |
|---|
#2925 in Development tools
205KB
4.5K
SLoC
ta-sandbox
Allowlisted command execution for Trusted Autonomy.
Provides a controlled execution environment where agents can run pre-approved commands (search, format, test) without access to a real shell or host filesystem outside the staging workspace.
Architecture
The sandbox has three enforcement layers:
- Command allowlist: Only pre-approved binaries can execute
- CWD enforcement: All execution is confined to the staging workspace
- Network policy: Per-domain allow/deny for outbound connections
Usage
use ta_sandbox::{SandboxConfig, SandboxRunner, CommandPolicy};
let config = SandboxConfig::default();
let mut runner = SandboxRunner::new(config, "/path/to/workspace");
// Execute an allowed command
let result = runner.execute("rg", &["TODO", "src/"]).unwrap();
Dependencies
~8–12MB
~150K SLoC