lens-sandbox-core

mcp
Security Audit
Warn
Health Warn
  • License — License: Apache-2.0
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Pass
  • Code scan — Scanned 4 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested


SUMMARY

Core Rust library for Lens sandbox policy enforcement, networking, DNS, proxying, and boundary credential exchange.

README.md

lens-sandbox-core

Rust 1.85+

lens-sandbox-core is the Rust library used by Lens Sandbox and Lens Agents to enforce governed network, DNS, proxy, credential, and policy behavior inside sandboxed execution environments.

It is core runtime plumbing, not an end-user product. Applications embed it to give sandboxed workloads controlled access to external systems: DNS requests, outbound network traffic, HTTP CONNECT proxying, TLS interception paths, boundary credential exchange, policy lifecycle, and activity reporting.

What This Crate Provides

  • Policy-controlled outbound network access
  • DNS filtering and allowlist behavior
  • HTTP CONNECT proxy support
  • Transparent proxy routing support
  • TLS interception support for governed traffic
  • Boundary credential exchange and request signing
  • nftables-based network lockdown helpers
  • WebSocket-driven policy lifecycle integration
  • Activity and audit event primitives

What This Crate Is Not

lens-sandbox-core is not a complete sandbox product by itself. It does not create the desktop app, enterprise platform, UI, packaging, distribution, or microVM lifecycle.

The effective security boundary depends on the caller's deployment model: container, microVM, Linux capabilities, filesystem mounts, process model, and policy source.

Relationship to Lens Sandbox and Lens Agents

Lens Sandbox uses this crate as the local enforcement core for sandboxed workloads on a developer machine.

Lens Agents uses the same core enforcement model in organizational deployments where central IT manages policies, credentials, connections, and audit across many agents.

The shared crate keeps low-level runtime behavior consistent across both products.

Open Source

This project is licensed under Apache 2.0. See:

Local Setup

git config core.hooksPath .githooks

Building

cargo build -p lens-sandbox-core
cargo test -p lens-sandbox-core

Integration tests requiring Linux + nftables + CAP_NET_ADMIN are #[ignore]-gated. Run them with:

cargo test -p lens-sandbox-core -- --ignored

Policy Schema

The canonical policy schema lives in schemas/policy.schema.json. Regenerate it with:

cargo run --bin generate-policy-schema > schemas/policy.schema.json

License

Apache 2.0 — see LICENSE.
