docs: add sandboxing API proposal

[tiran]

Pull Request Description

What

Proposal for a pluggable sandboxing API that lets users configure custom sandboxing solutions for build process confinement.

Why

#1019

• PR follows CONTRIBUTING.md guidelines

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2343a26e-7520-4e9a-bd71-284849bcd8f1

📥 Commits

Reviewing files that changed from the base of the PR and between 159b672 and d6d1171.

📒 Files selected for processing (3)

• docs/proposals/sandboxing-api.md
• docs/proposals/sandboxing_api.py
• docs/spelling_wordlist.txt

✅ Files skipped from review due to trivial changes (2)

• docs/spelling_wordlist.txt
• docs/proposals/sandboxing-api.md

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/proposals/sandboxing_api.py

---

📝 Walkthrough

Walkthrough

This PR adds a design proposal for a pluggable sandboxing API (docs/proposals/sandboxing-api.md), a typed Python API contract module with sandbox lifecycle and execution hooks (docs/proposals/sandboxing_api.py), and updates the spelling wordlist with sandboxing-related terms.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a sandboxing API proposal document.
Description check	✅ Passed	The description is directly related to the changeset, explaining the proposal's purpose and providing context via issue reference.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tiran]

@pavank63 Here is is my proposal. I have listed you as a co-author. Part of the document are based on your previous proposal and research.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/proposals/sandboxing_api.py (1)

12-73: ⚡ Quick win

Add Sphinx version directives to the new public hook docstrings.

These are user-facing API additions, so include .. versionadded:: (or .. versionchanged:: where applicable) in each public function docstring.

Suggested pattern

 def setup_sandbox(
@@
 ) -> None:
     """Set up sandboxing
+
+    .. versionadded:: <release>
 
     Executed after `prepare_source` hook. Can be used to set up sandbox or chown/chmod the sdist_root_dir.
     """

As per coding guidelines **/*.{rst,py}: Use Sphinx versionadded, versionremoved, versionchanged directives for user-facing changes.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/proposals/sandboxing_api.py` around lines 12 - 73, Add Sphinx version
directive lines to each public hook docstring: update setup_sandbox,
teardown_sandbox, run_sandboxed, and run_unconfined to include a "..
versionadded:: <release>" (or ".. versionchanged:: <release>" if appropriate)
entry immediately after the short description/summary in each docstring; use the
correct release version token for this change and keep the directive formatting
consistent with other public API docstrings in the repo.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/proposals/sandboxing_api.py`:
- Line 47: The cwd parameter in run_sandboxed and run_unconfined is currently
typed as os.PathLike[str] | os.PathLike[bytes] | None which excludes plain str
and bytes accepted by subprocess.run; update the type annotation for cwd in both
functions to include str and bytes (e.g., os.PathLike[str] | os.PathLike[bytes]
| str | bytes | None) so it matches subprocess.run’s signature and adjust any
imports/typing as needed.

---

Nitpick comments:
In `@docs/proposals/sandboxing_api.py`:
- Around line 12-73: Add Sphinx version directive lines to each public hook
docstring: update setup_sandbox, teardown_sandbox, run_sandboxed, and
run_unconfined to include a ".. versionadded:: <release>" (or "..
versionchanged:: <release>" if appropriate) entry immediately after the short
description/summary in each docstring; use the correct release version token for
this change and keep the directive formatting consistent with other public API
docstrings in the repo.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fc037f41-cfbf-4ae6-a79b-9cba905dc67b

📥 Commits

Reviewing files that changed from the base of the PR and between b10d2e4 and cf3fcdb.

📒 Files selected for processing (3)

• docs/proposals/sandboxing-api.md
• docs/proposals/sandboxing_api.py
• docs/spelling_wordlist.txt

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/proposals/sandboxing-api.md`:
- Around line 58-60: The proposal currently contradicts itself about the
run_unconfined hook by describing it for monitoring/policy but only adding
WorkContext.run_unconfined and omitting BuildEnvironment.run_unconfined; clarify
the API contract by either (A) adding run_unconfined to BuildEnvironment as well
(or documenting a clear delegation from BuildEnvironment to WorkContext) so
build-step code has a defined call path, or (B) explicitly state that unconfined
execution is only permitted via WorkContext.run_unconfined (and remove any
mentions implying BuildEnvironment exposure); update the rationale text and any
instances around the run_unconfined mentions (including the other affected
paragraphs) to match the chosen design and ensure there is a single unambiguous
call-site for unconfined execution.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 45703514-441f-438b-8c55-b868dd5f9d7e

📥 Commits

Reviewing files that changed from the base of the PR and between cf3fcdb and 159b672.

📒 Files selected for processing (3)

• docs/proposals/sandboxing-api.md
• docs/proposals/sandboxing_api.py
• docs/spelling_wordlist.txt

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/proposals/sandboxing_api.py

[mergify]

This pull request has merge conflicts that must be resolved before it can be merged.
@tiran please rebase your branch.