# `Agentic.Sandbox.Platform`

OS-level sandbox capability detection.

Decisions are based on the operating system (`:os.type/0`), not on the
presence of specific binaries in `$PATH`. This prevents silent failures
where a sandbox tool is installed but does not provide meaningful
isolation on the host platform (e.g. `bwrap` on macOS).

# `backend`

```elixir
@type backend() :: :bubblewrap | :macos_sandbox | :wsl2_bwrap | :windows_restricted
```

# `backend`

```elixir
@spec backend() :: backend()
```

Returns the effective sandbox backend for the current operating system.

# `backend_name`

```elixir
@spec backend_name() :: String.t()
```

Returns a human-readable description of the current sandbox backend.

# `log_status`

```elixir
@spec log_status() :: :ok
```

Logs the platform backend at application startup.

# `strong_isolation?`

```elixir
@spec strong_isolation?() :: boolean()
```

Returns true if the current platform provides strong filesystem isolation.
Windows without WSL2 is considered weak and will return false.

# `warning`

```elixir
@spec warning() :: String.t() | nil
```

Returns a warning string if the current platform has weak sandboxing.
Returns `nil` when isolation is strong.

---

*Consult [api-reference.md](api-reference.md) for complete listing*