feat(ie-shell): implement IPC navigator for multi-process architecture #14

IpcNavigator sends fetch requests to sandboxed network child process
via IPC instead of making HTTP calls in-process:
- Writer task forwards messages to IPC channel
- Reader task dispatches FetchResponse/FetchError to pending requests
- Request ID correlation for concurrent navigations
- 30s timeout per navigation with pending cleanup
- Response validation: status range, URL parsing, body size
- HTTPS-only enforcement in browser process

Multi-process is now the default mode:
- --single-process flag falls back to InProcessNavigator
- GUI mode spawns network child, stores ChildHandle for cleanup
- Headless mode supports both modes for dump-source/dump-status/interactive
- IpcChannel gains into_halves() -> (IpcSender, IpcReceiver)
- ChildHandle gains take_channel() for IpcNavigator ownership transfer

All 200+ tests pass in multi-process mode (default).

Author: thomasnemer

crates/ie-sandbox/src/channel.rs

@@ -23,6 +23,14 @@ pub struct IpcChannel {
     writer: WriteHalf,
 }
 
+pub struct IpcSender {
+    writer: WriteHalf,
+}
+
+pub struct IpcReceiver {
+    reader: BufReader<ReadHalf>,
+}
+
 impl IpcChannel {
     /// Create a connected pair of IPC channels.
     #[cfg(unix)]
@@ -78,6 +86,18 @@ impl IpcChannel {
         })
     }
 
+    /// Split into separate sender and receiver halves.
+    pub fn into_halves(self) -> (IpcSender, IpcReceiver) {
+        (
+            IpcSender {
+                writer: self.writer,
+            },
+            IpcReceiver {
+                reader: self.reader,
+            },
+        )
+    }
+
     /// Send a serializable message with length prefix.
     pub async fn send<T: Serialize>(&mut self, msg: &T) -> Result<(), IpcError> {
         let payload =
@@ -138,6 +158,48 @@ impl IpcChannel {
     }
 }
 
+impl IpcSender {
+    pub async fn send<T: Serialize>(&mut self, msg: &T) -> Result<(), IpcError> {
+        let payload =
+            serde_json::to_vec(msg).map_err(|e| IpcError::SerializationError(e.to_string()))?;
+        if payload.len() > MAX_MESSAGE_SIZE {
+            return Err(IpcError::MessageTooLarge(payload.len(), MAX_MESSAGE_SIZE));
+        }
+        self.writer
+            .write_all(&(payload.len() as u32).to_be_bytes())
+            .await?;
+        self.writer.write_all(&payload).await?;
+        self.writer.flush().await?;
+        Ok(())
+    }
+}
+
+impl IpcReceiver {
+    pub async fn recv<T: DeserializeOwned>(&mut self) -> Result<T, IpcError> {
+        let mut len_buf = [0u8; LENGTH_PREFIX_SIZE];
+        match self.reader.read_exact(&mut len_buf).await {
+            Ok(_) => {}
+            Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => {
+                return Err(IpcError::ConnectionClosed);
+            }
+            Err(e) => return Err(IpcError::Io(e)),
+        }
+        let size = u32::from_be_bytes(len_buf) as usize;
+        if size > MAX_MESSAGE_SIZE {
+            return Err(IpcError::MessageTooLarge(size, MAX_MESSAGE_SIZE));
+        }
+        let mut buf = vec![0u8; size];
+        match self.reader.read_exact(&mut buf).await {
+            Ok(_) => {}
+            Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => {
+                return Err(IpcError::ConnectionClosed);
+            }
+            Err(e) => return Err(IpcError::Io(e)),
+        }
+        serde_json::from_slice(&buf).map_err(|e| IpcError::DeserializationError(e.to_string()))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use std::collections::HashMap;

crates/ie-sandbox/src/lib.rs

@@ -21,7 +21,7 @@ pub mod sandbox_linux;
 #[cfg(target_os = "macos")]
 pub mod sandbox_macos;
 
-pub use channel::IpcChannel;
+pub use channel::{IpcChannel, IpcReceiver, IpcSender};
 pub use error::IpcError;
 pub use message::IpcMessage;
 pub use process::{ChildHandle, ProcessKind, spawn_child, spawn_child_with_exe};

crates/ie-sandbox/src/process.rs

@@ -34,15 +34,20 @@ impl ProcessKind {
 
 pub struct ChildHandle {
     process: tokio::process::Child,
-    channel: IpcChannel,
+    channel: Option<IpcChannel>,
     kind: ProcessKind,
 }
 
 const SHUTDOWN_TIMEOUT: Duration = Duration::from_secs(5);
 
 impl ChildHandle {
     pub fn channel(&mut self) -> &mut IpcChannel {
-        &mut self.channel
+        self.channel.as_mut().expect("channel already taken")
+    }
+
+    /// Take ownership of the IPC channel (for IpcNavigator).
+    pub fn take_channel(&mut self) -> IpcChannel {
+        self.channel.take().expect("channel already taken")
     }
 
     pub fn kind(&self) -> ProcessKind {
@@ -59,7 +64,9 @@ impl ChildHandle {
 
     /// Graceful shutdown: send Shutdown, wait, kill if timeout.
     pub async fn shutdown(&mut self) -> anyhow::Result<()> {
-        let _ = self.channel.send(&IpcMessage::Shutdown).await;
+        if let Some(channel) = &mut self.channel {
+            let _ = channel.send(&IpcMessage::Shutdown).await;
+        }
         match timeout(SHUTDOWN_TIMEOUT, self.process.wait()).await {
             Ok(Ok(status)) => {
                 tracing::info!("{:?} process exited with status: {}", self.kind, status);
@@ -135,7 +142,7 @@ pub async fn spawn_child_with_exe(
 
     Ok(ChildHandle {
         process,
-        channel: parent_channel,
+        channel: Some(parent_channel),
         kind,
     })
 }

crates/ie-shell/src/app.rs

@@ -30,30 +30,57 @@ pub struct Browser {
     overlay: OverlayState,
     navigator: Arc<dyn NavigationService + Send + Sync>,
     tokio_runtime: tokio::runtime::Runtime,
+    _network_child: Option<ie_sandbox::ChildHandle>,
     modifiers: ModifiersState,
     event_loop_proxy: EventLoopProxy<UserEvent>,
 }
 
 impl Browser {
-    pub fn new(url: Option<Url>, allow_http: bool, proxy: EventLoopProxy<UserEvent>) -> Self {
-        let navigator = InProcessNavigator::new()
-            .expect("failed to create navigator")
-            .with_https_only(!allow_http);
+    pub fn new(
+        url: Option<Url>,
+        allow_http: bool,
+        single_process: bool,
+        proxy: EventLoopProxy<UserEvent>,
+    ) -> Self {
+        let tokio_runtime = tokio::runtime::Runtime::new().expect("failed to create tokio runtime");
+
+        let (navigator, network_child): (
+            Arc<dyn NavigationService + Send + Sync>,
+            Option<ie_sandbox::ChildHandle>,
+        ) = if single_process {
+            let nav = InProcessNavigator::new()
+                .expect("failed to create navigator")
+                .with_https_only(!allow_http);
+            (Arc::new(nav), None)
+        } else {
+            let (nav, child) = tokio_runtime.block_on(async {
+                let mut child = ie_sandbox::spawn_child(ie_sandbox::ProcessKind::Network)
+                    .await
+                    .expect("failed to spawn network process");
+                let channel = child.take_channel();
+                (
+                    crate::ipc_navigator::IpcNavigator::new(channel, !allow_http),
+                    child,
+                )
+            });
+            (Arc::new(nav), Some(child))
+        };
+
         let data_dir = dirs_data_dir().unwrap_or_else(|| PathBuf::from("."));
         let bookmark_store = BookmarkStore::new(&data_dir).unwrap_or_else(|e| {
             tracing::warn!("failed to load bookmarks: {e}");
             BookmarkStore::new(&std::env::temp_dir()).expect("failed to create bookmark store")
         });
-        let tokio_runtime = tokio::runtime::Runtime::new().expect("failed to create tokio runtime");
 
         let mut browser = Self {
             window: None,
             surface: None,
             tab_manager: TabManager::new(),
             bookmark_store,
             overlay: OverlayState::None,
-            navigator: Arc::new(navigator),
+            navigator,
             tokio_runtime,
+            _network_child: network_child,
             modifiers: ModifiersState::empty(),
             event_loop_proxy: proxy,
         };

crates/ie-shell/src/cli.rs

@@ -32,6 +32,10 @@ pub struct Cli {
     #[arg(long)]
     pub data_dir: Option<String>,
 
+    /// Run everything in a single process (no sandboxing, no IPC)
+    #[arg(long)]
+    pub single_process: bool,
+
     /// Internal: subprocess kind (not shown in help)
     #[arg(long, hide = true)]
     pub subprocess_kind: Option<String>,

crates/ie-shell/src/headless.rs

@@ -1,4 +1,5 @@
 use std::path::PathBuf;
+use std::sync::Arc;
 
 use anyhow::Result;
 use serde::{Deserialize, Serialize};
@@ -7,6 +8,7 @@ use url::Url;
 
 use crate::bookmarks::BookmarkStore;
 use crate::cli::HeadlessAction;
+use crate::ipc_navigator::IpcNavigator;
 use crate::navigation::{InProcessNavigator, NavigationService};
 use crate::tab::{TabId, TabManager, TabState};
 
@@ -15,20 +17,50 @@ pub fn run_headless(
     action: HeadlessAction,
     allow_http: bool,
     data_dir: Option<String>,
+    single_process: bool,
 ) -> Result<()> {
     let rt = tokio::runtime::Runtime::new()?;
     rt.block_on(async {
         match action {
-            HeadlessAction::DumpSource => run_dump_source(url.unwrap(), allow_http).await,
-            HeadlessAction::DumpStatus => run_dump_status(url.unwrap(), allow_http).await,
-            HeadlessAction::Interactive => run_interactive(allow_http, data_dir).await,
+            HeadlessAction::DumpSource => {
+                run_dump_source(url.unwrap(), allow_http, single_process).await
+            }
+            HeadlessAction::DumpStatus => {
+                run_dump_status(url.unwrap(), allow_http, single_process).await
+            }
+            HeadlessAction::Interactive => {
+                run_interactive(allow_http, data_dir, single_process).await
+            }
         }
     })
 }
 
-async fn run_dump_source(url: Url, allow_http: bool) -> Result<()> {
-    let navigator = InProcessNavigator::new()?.with_https_only(!allow_http);
-    match navigator.navigate(&url).await {
+struct NavigatorHandle {
+    navigator: Arc<dyn NavigationService + Send + Sync>,
+    _child: Option<ie_sandbox::ChildHandle>,
+}
+
+async fn create_navigator(allow_http: bool, single_process: bool) -> Result<NavigatorHandle> {
+    if single_process {
+        let nav = InProcessNavigator::new()?.with_https_only(!allow_http);
+        Ok(NavigatorHandle {
+            navigator: Arc::new(nav),
+            _child: None,
+        })
+    } else {
+        let mut child = ie_sandbox::spawn_child(ie_sandbox::ProcessKind::Network).await?;
+        let channel = child.take_channel();
+        let nav = IpcNavigator::new(channel, !allow_http);
+        Ok(NavigatorHandle {
+            navigator: Arc::new(nav),
+            _child: Some(child),
+        })
+    }
+}
+
+async fn run_dump_source(url: Url, allow_http: bool, single_process: bool) -> Result<()> {
+    let handle = create_navigator(allow_http, single_process).await?;
+    match handle.navigator.navigate(&url).await {
         Ok(result) => {
             let text = String::from_utf8_lossy(&result.body);
             print!("{text}");
@@ -41,9 +73,9 @@ async fn run_dump_source(url: Url, allow_http: bool) -> Result<()> {
     }
 }
 
-async fn run_dump_status(url: Url, allow_http: bool) -> Result<()> {
-    let navigator = InProcessNavigator::new()?.with_https_only(!allow_http);
-    match navigator.navigate(&url).await {
+async fn run_dump_status(url: Url, allow_http: bool, single_process: bool) -> Result<()> {
+    let handle = create_navigator(allow_http, single_process).await?;
+    match handle.navigator.navigate(&url).await {
         Ok(result) => {
             println!("{}", result.status);
             Ok(())
@@ -122,20 +154,22 @@ impl Response {
 struct HeadlessSession {
     tab_manager: TabManager,
     bookmark_store: BookmarkStore,
-    navigator: InProcessNavigator,
+    navigator: Arc<dyn NavigationService + Send + Sync>,
+    _child: Option<ie_sandbox::ChildHandle>,
 }
 
 impl HeadlessSession {
-    fn new(allow_http: bool, data_dir: Option<String>) -> Result<Self> {
-        let navigator = InProcessNavigator::new()?.with_https_only(!allow_http);
+    async fn new(allow_http: bool, data_dir: Option<String>, single_process: bool) -> Result<Self> {
+        let handle = create_navigator(allow_http, single_process).await?;
         let bookmark_path = data_dir
             .map(PathBuf::from)
             .unwrap_or_else(|| std::env::temp_dir().join("ie-headless"));
         let bookmark_store = BookmarkStore::new(&bookmark_path)?;
         Ok(Self {
             tab_manager: TabManager::new(),
             bookmark_store,
-            navigator,
+            navigator: handle.navigator,
+            _child: handle._child,
         })
     }
 
@@ -169,7 +203,6 @@ impl HeadlessSession {
             tab.url = Some(url.clone());
         }
 
-        // Sequential: navigate blocks until complete
         match self.navigator.navigate(&url).await {
             Ok(result) => {
                 let source = String::from_utf8(result.body).ok();
@@ -303,10 +336,14 @@ impl HeadlessSession {
     }
 }
 
-async fn run_interactive(allow_http: bool, data_dir: Option<String>) -> Result<()> {
+async fn run_interactive(
+    allow_http: bool,
+    data_dir: Option<String>,
+    single_process: bool,
+) -> Result<()> {
     let stdin = BufReader::new(tokio::io::stdin());
     let mut stdout = tokio::io::stdout();
-    let mut session = HeadlessSession::new(allow_http, data_dir)?;
+    let mut session = HeadlessSession::new(allow_http, data_dir, single_process).await?;
 
     let mut lines = stdin.lines();
     while let Ok(Some(line)) = lines.next_line().await {