Security

Sandbox levels (ADR-0010)

Side-effect declarations + tiered isolation.

Tools declare what they do. Sandboxes choose isolation accordingly.

Side-effect declarations

Every tool registers its side effects:

network — outbound HTTP / sockets
filesystem — read / write
shell — process exec
db — database mutation
payment — money movement
pii — touches personal data

The runtime uses these to:

Pick an appropriate sandbox tier.
Enforce capability checks before the call.
Annotate audit events with the actual side effects observed.

Sandbox tiers

Tier	Provided by	Use
`none`	core	dev only
`process`	`os-sandbox`	most tools
`container`	plugin	risky / community tools
`vm`	plugin (e2b, firecracker)	full code-execution sandboxes

Source: ADR-0010.

Previous

Audit log signing (ADR-0008)

Next

Egress default-deny (ADR-0011)

On this page

Side-effect declarations Sandbox tiers