Sandbox
sandbox
¶
Adapter for the terok_sandbox wheel.
Re-export catalog: every from terok_sandbox … import in
terok_executor lives here. The contract is enforced by
.importlinter (terok_sandbox is a protected module with
terok_executor.integrations.sandbox as the sole allowed importer).
Cross-cutting helpers that originate in terok_util (the
CommandDef /
ArgDef /
CommandTree family,
namespace_state_dir /
namespace_config_dir /
namespace_runtime_dir,
ensure_dir /
ensure_dir_writable /
write_sensitive_file,
ConfigStack /
deep_merge,
sanitize_tty,
podman_userns_args) are
imported directly from terok_util at every call site — they don't
flow through this adapter even when the same symbol also happens to
exist on terok_sandbox. This adapter owns the sandbox-specific
surface only.
When a sibling release renames, splits, or relocates a symbol, only
this file needs to change — the rest of terok-executor keeps reading
the same terok_executor.integrations.sandbox.X name. Convention
shared with terok-sandbox (which adapts terok-shield and
terok-clearance the same way) and terok-main (where the same pattern
lives at terok.lib.integrations.*).