feat(ie-sandbox): implement process spawning with IPC fd inheritance #12

- ChildHandle: wraps tokio::process::Child + IpcChannel with graceful
  shutdown (5s timeout → kill), is_alive check, Drop cleanup
- spawn_child/spawn_child_with_exe: re-executes binary with
  --subprocess-kind arg and IE_IPC_FD env var, fd inheritance via
  CLOEXEC clearing
- ProcessKind: as_str/parse for string conversion
- child_network.rs: network process event loop handling FetchRequest,
  Ping, Shutdown via IPC
- child_renderer.rs: renderer process stub (Ping/Shutdown only)
- CLI: hidden --subprocess-kind arg, Mode::Subprocess variant
- main.rs: subprocess entry point reconstructing IPC channel from fd
- 9 integration tests: ping/pong, alive/shutdown, drop cleanup,
  fetch via IPC, error handling, sequential requests

Author: thomasnemer

Cargo.lock

@@ -57,3 +57,4 @@ async-trait = "0.1"
 chrono = { version = "0.4", features = ["serde"] }
 tempfile = "3"
 base64 = "0.22"
+libc = "0.2"

Cargo.toml

@@ -15,3 +15,4 @@ tokio.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 base64.workspace = true
+libc.workspace = true

crates/ie-sandbox/Cargo.toml

@@ -42,6 +42,28 @@ impl IpcChannel {
         ))
     }
 
+    /// Create a pair suitable for process spawning: returns (parent_channel, child_raw_fd).
+    /// The child fd is kept open (not CLOEXEC) so it survives fork+exec.
+    #[cfg(unix)]
+    pub fn pair_for_spawn() -> Result<(IpcChannel, std::os::unix::io::RawFd), IpcError> {
+        use std::os::unix::io::IntoRawFd;
+        let (std_a, std_b) = std::os::unix::net::UnixStream::pair()?;
+        let child_fd = std_b.into_raw_fd();
+        // Clear CLOEXEC on child fd so it survives exec
+        unsafe {
+            let flags = libc::fcntl(child_fd, libc::F_GETFD);
+            libc::fcntl(child_fd, libc::F_SETFD, flags & !libc::FD_CLOEXEC);
+        }
+        std_a.set_nonblocking(true)?;
+        let tok_a = tokio::net::UnixStream::from_std(std_a)?;
+        let (a_read, a_write) = tok_a.into_split();
+        let parent_channel = IpcChannel {
+            reader: BufReader::new(a_read),
+            writer: a_write,
+        };
+        Ok((parent_channel, child_fd))
+    }
+
     /// Reconstruct a channel from a raw file descriptor (for child processes).
     #[cfg(unix)]
     pub fn from_raw_fd(fd: std::os::unix::io::RawFd) -> Result<Self, IpcError> {

crates/ie-sandbox/src/channel.rs

@@ -19,4 +19,4 @@ pub mod process;
 pub use channel::IpcChannel;
 pub use error::IpcError;
 pub use message::IpcMessage;
-pub use process::{ProcessKind, spawn_child};
+pub use process::{ChildHandle, ProcessKind, spawn_child, spawn_child_with_exe};

crates/ie-sandbox/src/lib.rs

@@ -1,4 +1,10 @@
-use anyhow::Result;
+use std::time::Duration;
+
+use tokio::process::Command;
+use tokio::time::timeout;
+
+use crate::channel::IpcChannel;
+use crate::message::IpcMessage;
 
 #[derive(Debug, Clone, Copy, PartialEq)]
 pub enum ProcessKind {
@@ -7,6 +13,149 @@ pub enum ProcessKind {
     Network,
 }
 
-pub fn spawn_child(_kind: ProcessKind) -> Result<()> {
-    todo!("Spawn sandboxed child process")
+impl ProcessKind {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            ProcessKind::Browser => "browser",
+            ProcessKind::Renderer => "renderer",
+            ProcessKind::Network => "network",
+        }
+    }
+
+    pub fn parse(s: &str) -> Option<Self> {
+        match s {
+            "browser" => Some(Self::Browser),
+            "renderer" => Some(Self::Renderer),
+            "network" => Some(Self::Network),
+            _ => None,
+        }
+    }
+}
+
+pub struct ChildHandle {
+    process: tokio::process::Child,
+    channel: IpcChannel,
+    kind: ProcessKind,
+}
+
+const SHUTDOWN_TIMEOUT: Duration = Duration::from_secs(5);
+
+impl ChildHandle {
+    pub fn channel(&mut self) -> &mut IpcChannel {
+        &mut self.channel
+    }
+
+    pub fn kind(&self) -> ProcessKind {
+        self.kind
+    }
+
+    pub fn process_id(&self) -> u32 {
+        self.process.id().unwrap_or(0)
+    }
+
+    pub fn is_alive(&mut self) -> bool {
+        matches!(self.process.try_wait(), Ok(None))
+    }
+
+    /// Graceful shutdown: send Shutdown, wait, kill if timeout.
+    pub async fn shutdown(&mut self) -> anyhow::Result<()> {
+        let _ = self.channel.send(&IpcMessage::Shutdown).await;
+        match timeout(SHUTDOWN_TIMEOUT, self.process.wait()).await {
+            Ok(Ok(status)) => {
+                tracing::info!("{:?} process exited with status: {}", self.kind, status);
+                Ok(())
+            }
+            Ok(Err(e)) => {
+                tracing::error!("{:?} process wait error: {e}", self.kind);
+                Err(e.into())
+            }
+            Err(_) => {
+                tracing::warn!(
+                    "{:?} process did not exit within {:?}, killing",
+                    self.kind,
+                    SHUTDOWN_TIMEOUT
+                );
+                self.process.kill().await?;
+                Ok(())
+            }
+        }
+    }
+
+    pub async fn kill(&mut self) -> anyhow::Result<()> {
+        self.process.kill().await?;
+        Ok(())
+    }
+}
+
+impl Drop for ChildHandle {
+    fn drop(&mut self) {
+        // Best-effort kill to avoid zombies
+        let _ = self.process.start_kill();
+    }
+}
+
+/// Spawn a child process that communicates via IPC.
+/// Uses the current executable by default.
+#[cfg(unix)]
+pub async fn spawn_child(kind: ProcessKind) -> anyhow::Result<ChildHandle> {
+    spawn_child_with_exe(kind, std::env::current_exe()?).await
+}
+
+/// Spawn a child process using a specific executable path.
+#[cfg(unix)]
+pub async fn spawn_child_with_exe(
+    kind: ProcessKind,
+    exe_path: std::path::PathBuf,
+) -> anyhow::Result<ChildHandle> {
+    let (parent_channel, child_fd) = IpcChannel::pair_for_spawn()?;
+
+    let mut cmd = Command::new(exe_path);
+    cmd.arg("--subprocess-kind").arg(kind.as_str());
+    cmd.env("IE_IPC_FD", child_fd.to_string());
+    // Inherit stderr for child tracing output, null stdin/stdout
+    cmd.stdin(std::process::Stdio::null());
+    cmd.stdout(std::process::Stdio::null());
+    cmd.stderr(std::process::Stdio::inherit());
+
+    // Ensure child fd survives exec (clear CLOEXEC was done in pair_for_spawn)
+    // After spawn, close child fd in parent
+    unsafe {
+        cmd.pre_exec(move || {
+            // The fd is already non-CLOEXEC from pair_for_spawn, nothing more needed
+            Ok(())
+        });
+    }
+
+    let process = cmd.spawn()?;
+
+    // Close the child fd in the parent process
+    unsafe {
+        libc::close(child_fd);
+    }
+
+    Ok(ChildHandle {
+        process,
+        channel: parent_channel,
+        kind,
+    })
+}
+
+// Spawn tests live in crates/ie-shell/tests/subprocess.rs because
+// spawn_child re-executes the binary which needs --subprocess-kind CLI support.
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn process_kind_round_trip() {
+        for kind in [
+            ProcessKind::Browser,
+            ProcessKind::Renderer,
+            ProcessKind::Network,
+        ] {
+            assert_eq!(ProcessKind::parse(kind.as_str()), Some(kind));
+        }
+        assert_eq!(ProcessKind::parse("invalid"), None);
+    }
 }

crates/ie-sandbox/src/process.rs

@@ -32,3 +32,4 @@ http-body-util.workspace = true
 hyper.workspace = true
 hyper-util.workspace = true
 serde_json.workspace = true
+libc.workspace = true

crates/ie-shell/Cargo.toml

@@ -0,0 +1,57 @@
+use anyhow::Result;
+use ie_sandbox::IpcChannel;
+use ie_sandbox::message::IpcMessage;
+use url::Url;
+
+pub async fn run_network_process(mut channel: IpcChannel) -> Result<()> {
+    let client = ie_net::Client::new()?.with_https_only(false);
+    tracing::info!("network process started");
+
+    loop {
+        let msg: IpcMessage = channel.recv().await?;
+        match msg {
+            IpcMessage::FetchRequest { id, url } => match Url::parse(&url) {
+                Ok(parsed_url) => match client.get(&parsed_url).await {
+                    Ok(response) => {
+                        channel
+                            .send(&IpcMessage::FetchResponse {
+                                id,
+                                status: response.status,
+                                headers: response.headers,
+                                body: response.body,
+                                final_url: response.url.to_string(),
+                            })
+                            .await?;
+                    }
+                    Err(e) => {
+                        channel
+                            .send(&IpcMessage::FetchError {
+                                id,
+                                error: e.to_string(),
+                            })
+                            .await?;
+                    }
+                },
+                Err(e) => {
+                    channel
+                        .send(&IpcMessage::FetchError {
+                            id,
+                            error: format!("invalid URL: {e}"),
+                        })
+                        .await?;
+                }
+            },
+            IpcMessage::Ping => {
+                channel.send(&IpcMessage::Pong).await?;
+            }
+            IpcMessage::Shutdown => {
+                tracing::info!("network process shutting down");
+                break;
+            }
+            other => {
+                tracing::warn!("network process received unexpected message: {other:?}");
+            }
+        }
+    }
+    Ok(())
+}

crates/ie-shell/src/child_network.rs

@@ -0,0 +1,19 @@
+use anyhow::Result;
+use ie_sandbox::IpcChannel;
+use ie_sandbox::message::IpcMessage;
+
+pub async fn run_renderer_process(mut channel: IpcChannel) -> Result<()> {
+    tracing::info!("renderer process started (stub)");
+    loop {
+        let msg: IpcMessage = channel.recv().await?;
+        match msg {
+            IpcMessage::Ping => channel.send(&IpcMessage::Pong).await?,
+            IpcMessage::Shutdown => {
+                tracing::info!("renderer process shutting down");
+                break;
+            }
+            other => tracing::warn!("renderer received unhandled message: {other:?}"),
+        }
+    }
+    Ok(())
+}

crates/ie-shell/src/child_renderer.rs

@@ -31,6 +31,10 @@ pub struct Cli {
     /// Override data directory (bookmarks, etc.)
     #[arg(long)]
     pub data_dir: Option<String>,
+
+    /// Internal: subprocess kind (not shown in help)
+    #[arg(long, hide = true)]
+    pub subprocess_kind: Option<String>,
 }
 
 #[derive(Debug, PartialEq)]
@@ -42,6 +46,9 @@ pub enum Mode {
         url: Option<Url>,
         action: HeadlessAction,
     },
+    Subprocess {
+        kind: ie_sandbox::ProcessKind,
+    },
 }
 
 #[derive(Debug, PartialEq)]
@@ -53,6 +60,12 @@ pub enum HeadlessAction {
 
 impl Cli {
     pub fn mode(&self) -> Result<Mode> {
+        if let Some(kind_str) = &self.subprocess_kind {
+            let kind = ie_sandbox::ProcessKind::parse(kind_str)
+                .ok_or_else(|| anyhow::anyhow!("invalid subprocess kind: {kind_str}"))?;
+            return Ok(Mode::Subprocess { kind });
+        }
+
         let url = self
             .url
             .as_deref()