wardstone

Crate: wardstone (lib.rs)
Version: 0.1.0
Created: 2025-12-14 20:26:51 UTC
Updated: 2025-12-14 20:26:51 UTC
Description: Sandboxing system for secure tool execution (Seatbelt/Landlock) - magical containment
Repository: https://github.com/moltenlabs/molten
Size: 65,490 bytes
Author: Chris Mathew (chriscmathew-dorsia)

README

🛡️ Wardstone

Sandboxing system for secure tool execution - magical containment.

Overview

Wardstone provides platform-specific sandboxing for AI agent tool execution:

  • macOS: Seatbelt (sandbox-exec) with auto-generated .sbpl policies
  • Linux: Landlock LSM for filesystem isolation
  • Windows: Windows Sandbox (planned)

Features

  • 🔒 Filesystem isolation (read/write/execute permissions)
  • 🌐 Network access control
  • ⏱️ Execution timeouts
  • 🎯 Path-based permissions
  • 🔧 Easy policy builder API

Installation

[dependencies]
wardstone = "0.1"

Usage

use wardstone::{SandboxPolicy, create_sandbox, NetworkPolicy};
use std::process::Command;

// `?` needs a Result-returning context; Box<dyn Error> assumes wardstone's
// error type implements std::error::Error.
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create a restrictive policy: read-only system dirs, one writable
    // output dir, no network at all, hard 60 s limit
    let policy = SandboxPolicy::new()
        .allow_read("/usr")
        .allow_read("/lib")
        .allow_write("./output")
        .with_network(NetworkPolicy::None)
        .with_timeout(std::time::Duration::from_secs(60));

    // Create platform-specific sandbox (Seatbelt on macOS, Landlock on Linux)
    let sandbox = create_sandbox(policy)?;

    // Wrap a command with sandbox restrictions
    let cmd = Command::new("./my-script.sh");
    let _sandboxed_cmd = sandbox.wrap_command(cmd)?;
    Ok(())
}
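On macOS the builder calls above end up as a Seatbelt profile. As an added illustration (not the file wardstone itself generates, whose exact output is not shown here), this is a hand-written SBPL profile equivalent to the policy in the Usage snippet; the /ABSOLUTE/PATH/TO paths are placeholders:

```scheme
; Constructed example: a hand-written Seatbelt profile equivalent to the
; SandboxPolicy built in the Usage section. It is NOT the file wardstone
; generates; it shows what each builder call maps to in SBPL.
(version 1)

; Deny-by-default: every operation not explicitly allowed below is refused.
(deny default)

; .allow_read("/usr") / .allow_read("/lib"): read-only access, recursively.
(allow file-read* (subpath "/usr"))
(allow file-read* (subpath "/lib"))

; .allow_write("./output"): Seatbelt path filters must be absolute, so a
; generator has to resolve the relative path first. Writing also needs
; read access on the same directory for most tools.
(allow file-read* file-write* (subpath "/ABSOLUTE/PATH/TO/output"))

; .with_network(NetworkPolicy::None): no inbound or outbound sockets at all.
(deny network*)

; .with_timeout(...) has no Seatbelt equivalent: the 60 s limit is enforced
; by the wrapper process that spawns the command, not by the kernel.

; A shell script still has to exec an interpreter and load dyld/libSystem,
; which the builder calls above do not cover; a generator has to add at
; least this (a real profile usually also needs /System and /dev).
(allow process-exec (literal "/bin/sh") (literal "/ABSOLUTE/PATH/TO/my-script.sh"))
(allow file-read* (literal "/bin/sh"))
(allow file-read-metadata)
(allow sysctl-read)
```

Apply it by hand with `sandbox-exec -f example.sb ./my-script.sh` and confirm that writes outside the output directory fail with EPERM.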

Policy Builder

use wardstone::{SandboxPolicy, NetworkPolicy};
use std::path::PathBuf;

fn main() {
    // Start from the crate's defaults for a tool working in a project
    // directory, then widen the policy selectively
    let project: PathBuf = "/home/user/project".into();
    let policy = SandboxPolicy::default_for_tools(project)
        .allow_read("/tmp")
        .allow_localhost()  // Allow localhost network only
        .allow_spawn(true); // Allow spawning subprocesses
}

Platform Support

Platform   Implementation     Status
macOS      Seatbelt           ✅ Complete
Linux      Landlock           ✅ Complete
Windows    Windows Sandbox    🚧 Planned

Part of the Goblin Family

License

MIT OR Apache-2.0
