feat: 新增 stardomain 沙箱子项目脚手架(Docker + Rust 过滤层)

提供统一沙箱运行时,支持 local/sandbox 两种模式切换。Rust 层负责命令和代码的策略过滤,
Docker 层负责实际的进程隔离。包含三种预设策略:agent_exec / tool_run / untrusted。

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-04 10:07:30 +00:00
parent 6932294ddd
commit 32bdbe77ff
13 changed files with 2021 additions and 0 deletions
@@ -0,0 +1,44 @@
/*
* Copyright 2026 zhaoxi826
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
/// Docker integration layer.
/// Uses bollard to manage container lifecycle for sandbox execution.
pub struct DockerBackend {
pub image: String,
pub network_disabled: bool,
pub memory_limit: u64,
pub cpu_period: u64,
pub cpu_quota: u64,
}
impl Default for DockerBackend {
fn default() -> Self {
DockerBackend {
image: "stardomain-runtime:latest".to_string(),
network_disabled: false,
memory_limit: 512 * 1024 * 1024, // 512MB
cpu_period: 100_000,
cpu_quota: 50_000, // 50% of one core
}
}
}
impl DockerBackend {
pub fn with_policy(policy_name: &str) -> Self {
let mut backend = Self::default();
if policy_name == "untrusted" {
backend.network_disabled = true;
backend.memory_limit = 128 * 1024 * 1024;
backend.cpu_quota = 25_000;
}
backend
}
}
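Review bot: `with_policy` fails open: any policy name other than `"untrusted"` — including a typo or a name that is not one of the three presets the commit message lists (`agent_exec`, `tool_run`, `untrusted`) — silently returns the `Default` configuration, which is the most permissive one (network enabled, 512MB, 50% CPU). A sandbox policy selector should fall closed, so I would match the known names explicitly and route unknown names to the restricted profile (or return an error, if changing the signature is acceptable), and document that in the doc comment: `/// Unknown policy names are treated as "untrusted" so a misspelled name cannot widen the sandbox.`. Separately, the struct doc says "Uses bollard to manage container lifecycle", but no bollard type or call appears anywhere in the hunk; the comment should describe only what this file does until that integration lands. Replacing the `&str` policy name with a small enum would remove the stringly-typed lookup altogether, but the fail-closed default matters more.
```rust
pub fn with_policy(policy_name: &str) -> Self {
    let mut backend = Self::default();
    match policy_name {
        // Known permissive presets keep the defaults.
        "agent_exec" | "tool_run" => {}
        // "untrusted" and any unrecognised name get the restricted profile
        // so a typo cannot widen the sandbox.
        _ => {
            backend.network_disabled = true;
            backend.memory_limit = 128 * 1024 * 1024;
            backend.cpu_quota = 25_000;
        }
    }
    backend
}
```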