feat: 新增 stardomain 沙箱子项目脚手架(Docker + Rust 过滤层)

提供统一沙箱运行时,支持 local/sandbox 两种模式切换。Rust 层负责命令和代码的策略过滤,
Docker 层负责实际的进程隔离。包含三种预设策略:agent_exec / tool_run / untrusted。

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-06-04 10:07:30 +00:00
parent 6932294ddd
commit 32bdbe77ff
13 changed files with 2021 additions and 0 deletions
@@ -0,0 +1,34 @@
/*
* Copyright 2026 zhaoxi826
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
pub struct SandboxConfig {
pub mode: SandboxMode,
pub workspace: String,
pub timeout_secs: u64,
pub memory_limit_mb: u64,
pub policy_name: String,
}
pub enum SandboxMode {
Local,
Sandbox,
}
impl Default for SandboxConfig {
fn default() -> Self {
SandboxConfig {
mode: SandboxMode::Sandbox,
workspace: "/tmp/stardomain_ws".to_string(),
timeout_secs: 30,
memory_limit_mb: 512,
policy_name: "agent_exec".to_string(),
}
}
}
@@ -0,0 +1,23 @@
/*
* Copyright 2026 zhaoxi826
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
/// Executor: responsible for running commands either locally or in Docker.
/// This is a stub — actual Docker execution will be implemented later.
pub struct Executor;
impl Executor {
pub fn run_local(_command: &str) -> (String, String, i32) {
("".to_string(), "".to_string(), 0)
}
pub fn run_docker(_command: &str) -> (String, String, i32) {
("".to_string(), "[stardomain] Docker execution not yet implemented".to_string(), 1)
}
}
+38
View File
@@ -0,0 +1,38 @@
/*
* Copyright 2026 zhaoxi826
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
pub mod config;
pub mod executor;
use pyo3::prelude::*;
#[pyclass]
#[derive(Clone)]
pub struct SandboxResult {
#[pyo3(get)]
pub stdout: String,
#[pyo3(get)]
pub stderr: String,
#[pyo3(get)]
pub exit_code: i32,
#[pyo3(get)]
pub killed_by_timeout: bool,
}
impl SandboxResult {
pub fn stub(input: &str) -> Self {
SandboxResult {
stdout: format!("[stardomain stub] would execute: {}", input),
stderr: String::new(),
exit_code: 0,
killed_by_timeout: false,
}
}
}