Sandbox

Typed declarative sandbox profile. The profile is the single source of truth; four enforcement backends — bubblewrap, Landlock, seccomp BPF, and systemd hardening — consume the same declaration and produce backend-specific configuration.

Three-layer defense:

  1. bwrap: mount namespace, PID namespace, seccomp stage-1.

  2. Landlock: path-based filesystem access (applied from inside the process post-init).

  3. seccomp stage-2: self-applied filter blocking execve post-init when the profile is sealed.

  • Smart constructor sandbox.define { readOnlyPaths?; readWritePaths?; tmpfs?; listenTcp?; connectTcp?; display?; stdio?; unixSockets?; allowExecve?; allowFork?; lifecycle?; daemonMode?; dns?; sourceAccess?; sourceWritePaths?; coordinationWritePaths?; storeAccess?; } proxies to mb.operations.sandboxProfile (eager structural validation against SandboxProfile.T).

  • Built-in profiles as typed SandboxProfile values: profiles.sealed (the empty default), profiles.effectful (sealed + execve + fork). Anything host- or workload-specific composes downstream.

  • Eliminators:

      • toBwrap : SandboxProfile → [String] — bubblewrap argument list. DNS handling routes through profile.dns when present.

      • toLandlock : SandboxProfile → LandlockProfile — path-list + port-list view.

      • toSeccomp : SandboxProfile → SeccompStage → Thunk Derivation — BPF filter. The Bwrap stage always includes the processExec syscall set (bwrap still has to exec the sandboxed command); the Self stage includes it only when the profile sets allowExecve, which is what makes a sealed profile block execve post-init.

      • toSystemd : SandboxProfile → SystemdHardening — directives suitable for systemd.services.<name>.serviceConfig.

  • Closed-sum re-exports: SeccompStage = Bwrap | Self, Lifecycle = LongRunning | OneShot.

  • Combinators in sandbox.combinators: compose, base profiles (sealed/effectful), network (listen/connectTo), filesystem (readonly/readwrite), execution (allowExec/allowFork), lifecycle (daemon), and a defer meta-combinator for two-pass composition. Each carries { sig; doc; impl } metadata.

  • Seccomp compiler: syscallSets exposes 12 generic syscall categories. mkFilter/mkAllowlist/flattenPolicy compose them into BPF filters via the bundled gen-seccomp-bpf tool. The compiler is a standalone C program (single source file) that reads a newline-separated allowlist and emits a BPF blob.