Skip to main content

Secure runtime for AI agents with built-in guardrails -- PII scanning, prompt injection defense, network isolation, and egress filtering.

Project description

declaw

Secure runtime for AI agents. Spin up isolated sandboxes in milliseconds with built-in guardrails — PII scanning, prompt injection defense, network isolation, and egress filtering.

Install

pip install declaw

Quick Start

from declaw import Sandbox

sandbox = Sandbox.create(api_key='your-api-key', template='base', timeout=60)

# Run commands
result = sandbox.commands.run('echo "Hello from a secure sandbox"')
print(result.stdout)

# Read/write files
sandbox.files.write('/tmp/hello.txt', 'Hello World')
content = sandbox.files.read('/tmp/hello.txt')

# Clean up
sandbox.kill()

Async

from declaw import AsyncSandbox

sandbox = await AsyncSandbox.create(api_key='your-api-key', template='python', timeout=60)
result = await sandbox.commands.run('python3 -c "print(1+1)"')
await sandbox.kill()

Why Declaw?

AI agents need to execute code, call APIs, and interact with the world. Declaw gives them a secure sandbox to do it — with built-in guardrails that protect your users and infrastructure.

  • Sub-10ms sandbox creation — pre-warmed VM pool, no cold starts
  • Network isolation — per-sandbox firewall with domain and CIDR rules
  • Full file system — read, write, upload, download files in the sandbox

Security & Guardrails

Every outbound request from the sandbox passes through a configurable security pipeline.

PII Scanning

Detect and redact sensitive data before it leaves the sandbox.

from declaw import Sandbox, SecurityPolicy, PIIConfig

sandbox = Sandbox.create(
    security=SecurityPolicy(
        pii=PIIConfig(
            enabled=True,
            types=['ssn', 'credit_card', 'email', 'phone', 'api_key'],
            action='redact',
        ),
    ),
)

Prompt Injection Defense

Block prompt injection attempts in agent outputs.

from declaw import SecurityPolicy, InjectionDefenseConfig

sandbox = Sandbox.create(
    security=SecurityPolicy(
        injection_defense=InjectionDefenseConfig(
            enabled=True,
            action='block',
            threshold=0.85,
        ),
    ),
)

Toxicity, Code Security & Invisible Text

sandbox = Sandbox.create(
    security=SecurityPolicy(
        toxicity=ToxicityConfig(enabled=True, action='block', threshold=0.7),
        code_security=CodeSecurityConfig(enabled=True, action='log'),
        invisible_text=InvisibleTextConfig(enabled=True, action='block'),
    ),
)

Network Policies

from declaw import Sandbox, NetworkPolicy

# Allow only specific domains
sandbox = Sandbox.create(
    network=NetworkPolicy(allow_out=['api.openai.com', 'huggingface.co']),
)

# Block all egress
isolated = Sandbox.create(
    network=NetworkPolicy(deny_out=['ALL_TRAFFIC']),
)

Data Transformation

Transform sensitive values in-flight.

from declaw import SecurityPolicy, TransformationRule

sandbox = Sandbox.create(
    security=SecurityPolicy(
        transformations=[
            TransformationRule(
                pattern=r'sk-[a-zA-Z0-9]+',
                replacement='[API_KEY]',
                direction='egress',
            ),
        ],
    ),
)

Combining Guardrails

All guardrails compose — enable multiple and they run in sequence:

sandbox = Sandbox.create(
    api_key='your-api-key',
    template='ai-agent',
    timeout=300,
    network=NetworkPolicy(allow_out=['api.openai.com', 'api.anthropic.com']),
    security=SecurityPolicy(
        pii=PIIConfig(enabled=True, action='redact', types=['ssn', 'credit_card']),
        injection_defense=InjectionDefenseConfig(enabled=True, action='block'),
        toxicity=ToxicityConfig(enabled=True, action='log'),
        invisible_text=InvisibleTextConfig(enabled=True, action='block'),
    ),
)

Templates

Template Description
base Minimal Linux
python Python 3.12 with pip
node Node.js 22 LTS with npm
code-interpreter Python with data science libraries
ai-agent Python + Node.js + AI/ML tools
mcp-server MCP server runtime
web-dev Node.js + browser testing
devops Docker, Terraform, kubectl

API

# Create sandbox
sandbox = Sandbox.create(template, api_key, timeout, network, security)

# Commands
result = sandbox.commands.run('ls -la')
for chunk in sandbox.commands.stream('python script.py'):
    print(chunk)

# Files — `path` is the literal absolute path inside the sandbox.
# Files appear at exactly that path — no remapping, no bridge directory.
sandbox.files.write(path, content)
data = sandbox.files.read(path)
entries = sandbox.files.list('/')

# PTY (interactive terminal)
pty = sandbox.pty.create(cols=80, rows=24)

# Lifecycle
sandbox.kill()

License

Apache-2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

declaw-1.4.0.tar.gz (71.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

declaw-1.4.0-py3-none-any.whl (107.1 kB view details)

Uploaded Python 3

File details

Details for the file declaw-1.4.0.tar.gz.

File metadata

  • Download URL: declaw-1.4.0.tar.gz
  • Upload date:
  • Size: 71.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for declaw-1.4.0.tar.gz
Algorithm Hash digest
SHA256 3ffd05531c1f8e21c6ae0cb3ab94a6c02e51f61c6294c0b2899678011e7bbf4f
MD5 040465953e76e5f5345ec74fe83f26f7
BLAKE2b-256 66e6938c04eafddd2f18e7751a65a84739d72152ca74f6952a7131419fdaabf4

See more details on using hashes here.

Provenance

The following attestation bundles were made for declaw-1.4.0.tar.gz:

Publisher: publish.yml on declaw-ai/declaw-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file declaw-1.4.0-py3-none-any.whl.

File metadata

  • Download URL: declaw-1.4.0-py3-none-any.whl
  • Upload date:
  • Size: 107.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for declaw-1.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 00e6e4acd789e2929e78b3404dd0c0e3a7d5e08acdf03765b778064be34f364a
MD5 51e42f0fb4bbedaf3b710802a8c4f867
BLAKE2b-256 c8cb7f2130ac2191e54ba6b97b5c07d666f6783a26f0a22e19936a6f293e4088

See more details on using hashes here.

Provenance

The following attestation bundles were made for declaw-1.4.0-py3-none-any.whl:

Publisher: publish.yml on declaw-ai/declaw-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page