CodeExecutionGuard – language allowlist, dangerous-module detection, network gating, and execution-time bounds for sandboxed interpreter actions.
Roadmap phase 8.1. The guard applies to `ToolAction::CodeExecution` derived from tool calls like `python`, `eval`, `run_code`, `jupyter`, etc. See `crate::action::extract_action` for the full list of tool names that map to code execution.
§Enforcement surface
| Policy | Behavior |
|---|---|
| `language_allowlist` | Languages outside the set are denied |
| `dangerous_modules` | Imports/uses of named modules (e.g. `subprocess`) are denied |
| `network_access` | When `false`, calls requesting network are denied |
| `max_execution_time_ms` | When the arguments exceed this bound, the call is denied |
Network access is considered requested when either:
- the arguments carry `network_access = true` / `allow_network = true`;
- or the code contains an obvious network module import (`socket`, `requests`, `urllib`, `http`, `httpx`, `aiohttp`, `fetch()`).

The module-detection regexes target Python, JavaScript, and the common shell-style `import X` / `require('X')` / `from X import` forms. The detection is intentionally conservative: regex matches are denial signals, never permit signals.
§Fail-closed behavior
- `ToolAction::CodeExecution` with no `language` value is denied when a `CodeExecutionConfig::language_allowlist` is set;
- malformed configuration (invalid regex patterns in `CodeExecutionConfig::module_denylist`) causes `CodeExecutionGuard::with_config` to return `CodeExecutionError::InvalidPattern`;
- non-code-execution actions pass through with `Verdict::Allow`.
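The following is an added, self-contained illustration of the enforcement surface and fail-closed rules described above (language allowlist, dangerous-module detection with whole-name matching, network gating on both the argument flag and obvious network imports, and the execution-time bound). It is not the crate's own `CodeExecutionGuard`; the type and function names (`Config`, `CodeExecRequest`, `evaluate`, `referenced_modules`) are assumptions, it uses a hand-written import tokenizer rather than the crate's regexes (so the `InvalidPattern` configuration error is not modelled), and the sample tool calls in `main` and the notes are constructed.

```rust
// Added example, not the crate's code: a fail-closed guard for code-execution tool calls.
use std::collections::HashSet;

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Deny(String),
}

/// Policy knobs mirroring the enforcement table (names are assumptions).
#[derive(Debug, Default)]
pub struct Config {
    pub language_allowlist: Option<HashSet<String>>,
    pub dangerous_modules: Vec<String>,
    pub network_access: bool,
    pub max_execution_time_ms: Option<u64>,
}

/// The parts of a code-execution tool call the guard inspects.
pub struct CodeExecRequest<'a> {
    pub language: Option<&'a str>,
    pub code: &'a str,
    /// `network_access = true` / `allow_network = true` in the call arguments.
    pub network_flag: bool,
    pub requested_timeout_ms: Option<u64>,
}

pub enum ToolAction<'a> {
    CodeExecution(CodeExecRequest<'a>),
    Other,
}

/// Modules whose import counts as a network request.
const NETWORK_MODULES: &[&str] = &["socket", "requests", "urllib", "http", "httpx", "aiohttp"];

/// Keep only the root of a module path: `os.path` -> `os`, `./lib/x` -> `lib`.
fn push_root(set: &mut HashSet<String>, name: &str) {
    if let Some(root) = name.split(|c| c == '.' || c == '/').find(|s| !s.is_empty()) {
        set.insert(root.to_string());
    }
}

/// The string inside `'...'` or `"..."` at the start of `s`, if any.
fn quoted(s: &str) -> Option<&str> {
    let s = s.trim_start();
    let q = s.chars().next().filter(|c| *c == '\'' || *c == '"')?;
    let inner = &s[1..];
    inner.find(q).map(|end| &inner[..end])
}

/// Modules named by `import X`, `from X import ...`, `require('X')` and `import ... from 'X'`.
/// Matching is case sensitive on whole names, so `subprocess_runner` never matches `subprocess`.
pub fn referenced_modules(code: &str) -> HashSet<String> {
    let mut found = HashSet::new();
    for line in code.lines().map(str::trim) {
        // A valid Python import line carries no quotes; a quoted line is a JS-style import.
        let js_style = line.contains('\'') || line.contains('"');
        if let Some(rest) = line.strip_prefix("import ").filter(|_| !js_style) {
            for name in rest.split(',') {
                push_root(&mut found, name.split_whitespace().next().unwrap_or(""));
            }
        } else if let Some(rest) = line.strip_prefix("from ").filter(|_| !js_style) {
            push_root(&mut found, rest.split_whitespace().next().unwrap_or(""));
        }
        for marker in ["require(", " from "] {
            let mut rest = line;
            while let Some(idx) = rest.find(marker) {
                rest = &rest[idx + marker.len()..];
                if let Some(name) = quoted(rest) {
                    push_root(&mut found, name);
                }
            }
        }
    }
    found
}

/// `fetch(` at a word boundary, so `prefetch(` is not a network signal.
fn calls_fetch(code: &str) -> bool {
    code.match_indices("fetch(").any(|(i, _)| {
        !code[..i].chars().next_back().map_or(false, |c| c.is_alphanumeric() || c == '_')
    })
}

/// Apply the policies in order; every check is a denial signal, none is a permit signal.
pub fn evaluate(cfg: &Config, action: &ToolAction) -> Verdict {
    let req = match action {
        ToolAction::CodeExecution(r) => r,
        ToolAction::Other => return Verdict::Allow, // non-code actions pass through
    };
    if let Some(allow) = &cfg.language_allowlist {
        match req.language {
            None => return Verdict::Deny("language missing while allowlist is set".into()),
            Some(l) if !allow.contains(&l.to_ascii_lowercase()) => {
                return Verdict::Deny(format!("language `{l}` not in allowlist"))
            }
            Some(_) => {}
        }
    }
    let modules = referenced_modules(req.code);
    if let Some(m) = cfg.dangerous_modules.iter().find(|m| modules.contains(*m)) {
        return Verdict::Deny(format!("dangerous module `{m}`"));
    }
    if !cfg.network_access {
        let net_import = NETWORK_MODULES.iter().any(|m| modules.contains(*m));
        if req.network_flag || net_import || calls_fetch(req.code) {
            return Verdict::Deny("network access requested but not permitted".into());
        }
    }
    if let (Some(max), Some(t)) = (cfg.max_execution_time_ms, req.requested_timeout_ms) {
        if t > max {
            return Verdict::Deny(format!("timeout {t}ms exceeds bound {max}ms"));
        }
    }
    Verdict::Allow
}

fn main() {
    // Constructed policy and tool call for a stand-alone run.
    let cfg = Config {
        language_allowlist: Some(HashSet::from(["python".to_string()])),
        dangerous_modules: vec!["subprocess".into()],
        network_access: false,
        max_execution_time_ms: Some(5_000),
    };
    let call = CodeExecRequest { language: Some("python"), code: "import subprocess", network_flag: false, requested_timeout_ms: Some(100) };
    println!("{:?}", evaluate(&cfg, &ToolAction::CodeExecution(call)));
}
```

The checks run in the same order as the table so that the first failing policy names the reason in the verdict; the tokenizer takes only the root of a dotted or slashed module path, which is what makes `import os.path` trip a denylist entry for `os` while `import subprocess_runner` does not trip one for `subprocess`.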
Structs§
- CodeExecutionConfig - Configuration for `CodeExecutionGuard`.
- CodeExecutionGuard - Guard that enforces `CodeExecutionConfig` policies against `ToolAction::CodeExecution` calls.
Enums§
- CodeExecutionError - Errors produced when building a `CodeExecutionGuard` or parsing its configuration.
Functions§
- default_dangerous_modules - Default dangerous module names (Python-focused; matches are case sensitive and use word boundaries).