backend

Module: backend

Contents

Structs

• EnforcementProof - Network enforcement proof returned by backend.
• LaunchSpec - Launch payload for wrapped command.
• PrepareRequest - Request payload for backend prepare stage.
• SandboxHandle - Handle produced by backend prepare stage.

Enums

• BackendKind - Supported runtime backend choices.

Functions

• build_backend - Construct backend implementation for a kind.

Traits

• SandboxBackend - Backend interface for sandbox runtime implementations.

Constants

• DEFAULT_SENSITIVE_HOME_SUFFIXES - Shared default home-relative paths considered sensitive across agent CLIs.

---

firma_run::backend::BackendKind

Enum

Supported runtime backend choices.

Variants:

• Bwrap
• Vz
• Wsl2
• Firecracker

Methods:

• fn default_for_current_host() -> Self - Default backend for current host platform.

Traits: Copy, Eq

Trait Implementations:

• PartialEq
  • fn eq(self: &Self, other: &BackendKind) -> bool
• Display
  • fn fmt(self: &Self, f: & mut fmt::Formatter) -> fmt::Result
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Clone
  • fn clone(self: &Self) -> BackendKind
• Deserialize
  • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::backend::DEFAULT_SENSITIVE_HOME_SUFFIXES

Constant: &[&str]

Shared default home-relative paths considered sensitive across agent CLIs.

firma_run::backend::EnforcementProof

Struct

Network enforcement proof returned by backend.

Fields:

• backend: BackendKind
• structural: bool
• fail_closed: bool
• detail: String

Trait Implementations:

• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Clone
  • fn clone(self: &Self) -> EnforcementProof

firma_run::backend::LaunchSpec

Struct

Launch payload for wrapped command.

Fields:

• executable: String
• args: Vec<String>
• cwd: std::path::PathBuf
• env: std::collections::BTreeMap<String, String>
• seccomp_filter_path: Option<std::path::PathBuf> - Optional static seccomp cBPF artifact path resolved by runtime.
• identity_mode: crate::config::SandboxIdentityMode

Trait Implementations:

• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Clone
  • fn clone(self: &Self) -> LaunchSpec

firma_run::backend::PrepareRequest

Struct

Request payload for backend prepare stage.

Fields:

• identity: crate::identity::RunIdentity
• profile: crate::config::ResolvedProfile
• working_dir: std::path::PathBuf

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> PrepareRequest
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::backend::SandboxBackend

Trait

Backend interface for sandbox runtime implementations.

Methods:

• kind: Returns the concrete backend kind.
• prepare: Prepare host/sandbox state before launching an agent.
• enforce_network: Install structural network routing and return proof metadata.
• verify_fail_closed: Verify fail-closed invariants after network policy application.
• start_agent: Launch the wrapped command inside the prepared sandbox.
• teardown: Tear down backend runtime state after execution.

firma_run::backend::SandboxHandle

Struct

Handle produced by backend prepare stage.

Fields:

• backend: BackendKind
• runtime_dir: std::path::PathBuf
• identity: crate::identity::RunIdentity
• mounts: Vec<crate::config::MountSpec>
• network_policy: crate::config::NetworkPolicy

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> SandboxHandle
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::backend::build_backend

Function

Construct backend implementation for a kind.

fn build_backend(kind: BackendKind) -> Box<dyn SandboxBackend>