2 changes: 2 additions & 0 deletions Cargo.lock

10 changes: 7 additions & 3 deletions README.md
@@ -136,11 +136,11 @@ amber run /tmp/amber-direct
Direct output only supports components that use `program.path`.

`amber run` for direct output requires a local sandbox backend:
- Linux: `bwrap` and `slirp4netns`
- Linux: `bwrap`, `slirp4netns`, and a Landlock-enabled kernel
- macOS: `/usr/bin/sandbox-exec`

Current enforcement notes:
- Direct/native on Linux has the strongest capability mediation today: Amber runs each component behind a sidecar/router, isolates sidecar networking, joins the component into that namespace, shapes the filesystem with curated read-only mounts plus explicit writable storage, and drops all Linux capabilities for Amber-owned sidecars.
- Direct/native on Linux has the strongest capability mediation today: Amber runs each component behind a sidecar/router, isolates sidecar networking, joins the component into that namespace, shapes the filesystem with curated read-only mounts plus explicit writable storage, launches component programs through `amber-helper`, applies fixed seccomp and Landlock hardening inside that shaped view, and drops all Linux capabilities for Amber-owned sidecars.
- Docker Compose and Kubernetes now default generated containers to non-escalating privilege settings, run Amber-owned internal routers/provisioners non-root where their images already guarantee it, make those internal root filesystems read-only where possible, and reject external slot targets that resolve to loopback or link-local IPs.
- Docker Compose and Kubernetes do not yet transparently redirect all arbitrary container egress through the router. Amber strongly mediates declared capability paths, but shared pod/service networking still means generic outbound traffic is not yet fully non-bypassable on those backends.
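Review bot: the new "Landlock-enabled kernel" requirement in the Linux backend line is not paired with a statement of what happens when the kernel lacks Landlock, or exposes an older Landlock ABI than the helper expects: does `amber run` refuse to start direct output, or does it silently fall back to seccomp-only? Since the enforcement note below calls the hardening "fixed", the failure mode and the minimum kernel/ABI version belong next to the requirement, e.g. "On kernels without Landlock, `amber run` fails closed rather than degrading." if that is the behaviour. Consider also writing "fixed (non-configurable) seccomp and Landlock hardening" so "fixed" is not read as "repaired".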

@@ -266,7 +266,11 @@ amber run /tmp/direct-out
```

Direct output requires `program.path` with an explicit absolute path or a manifest-relative path
like `./bin/server`; it does not search `PATH`.
like `./bin/server`; it does not search `PATH`. By default, direct mode preserves the same ambient
read-only access to the component's local source tree that it historically exposed. Add
`program.reads` to replace that legacy source-tree read access with explicit manifest-relative or
absolute read-only paths instead. Amber still keeps the executable support path and platform
runtime defaults readable so the process can start.

### Compile + run VM

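Review bot: the `program.reads` paragraph does not say what an empty `program.reads` list does: whether it drops the legacy source-tree read access entirely, or is treated as absent and keeps the historical default. That is the first thing a user hardening a `program.path` component will try, so state it explicitly. Since absolute read-only paths are accepted, also say whether an over-broad path such as `/` is rejected or merely accepted, because that would re-expose far more than the source tree the option is meant to replace. A one-line manifest example next to the existing `./bin/server` example would make the manifest-relative form concrete.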
1 change: 1 addition & 0 deletions cli/Cargo.toml
@@ -9,6 +9,7 @@ path = "src/main.rs"
[dependencies]
amber-compiler = { workspace = true }
amber-config = { workspace = true }
amber-helper = { path = "../runtime/helper" }
amber-manifest = { workspace = true }
amber-mesh = { workspace = true }
amber-proxy = { workspace = true }
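Review bot: `amber-helper` is pulled in with a direct `path = "../runtime/helper"` while every neighbouring crate in this `[dependencies]` table uses `{ workspace = true }`; declare it once under the workspace's `[workspace.dependencies]` and reference it here as `amber-helper = { workspace = true }` so its version and feature set are resolved in the same place as `amber-compiler`, `amber-config` and the rest, rather than drifting on its own.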
4 changes: 3 additions & 1 deletion cli/README.md
@@ -12,8 +12,10 @@ Command-line front-end for the compiler. It resolves a root manifest, runs compi
- Emit bundle directories via `--bundle` when the input is a manifest or bundle; Scenario IR
inputs do not carry manifest source bytes, so `--bundle` is not available there.
- Run compiled direct and VM artifacts via `amber run <output-dir>`.
- Direct mode requires a local sandbox backend: `bwrap` plus `slirp4netns` on Linux, or `/usr/bin/sandbox-exec` on macOS.
- Direct mode requires a local sandbox backend: `bwrap`, `slirp4netns`, and a Landlock-enabled kernel on Linux, or `/usr/bin/sandbox-exec` on macOS.
- Direct mode only supports explicit `program.path` executables; it does not resolve bare program names through `PATH`.
- Linux direct mode launches component programs through `amber-helper`, which applies fixed seccomp and Landlock hardening inside Amber's shaped filesystem view.
- `program.reads` replaces the legacy source-tree read access for `program.path` components with explicit manifest-relative or absolute read-only paths. Amber still keeps the executable support path and platform runtime defaults readable so the process can start.
- VM mode also accepts `vm-plan.json` and depends on local QEMU tooling.
- Surface the manifest README via `amber docs manifest`.
- Surface embedded project docs via `amber docs readme`, `amber docs manifest`, and
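Review bot: the new `amber-helper` bullet scopes the seccomp and Landlock hardening to Linux direct mode, but the backend bullet above it lists `/usr/bin/sandbox-exec` for macOS without saying what that backend does or does not provide, so a reader can easily assume parity between the two. Add a sentence stating that macOS direct mode relies on `sandbox-exec` alone and gets no seccomp/Landlock equivalent, if that is the case. The three new bullets also repeat the top-level README wording nearly verbatim; pointing one at the other would keep them from drifting apart on the next change.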