Secure runtime for AI agents with built-in guardrails -- PII scanning, prompt injection defense, network isolation, and egress filtering.
Project description
declaw
Secure runtime for AI agents. Spin up isolated sandboxes in milliseconds with built-in guardrails — PII scanning, prompt injection defense, network isolation, and egress filtering.
Install
pip install declaw
Quick Start
from declaw import Sandbox
sandbox = Sandbox.create(api_key='your-api-key', template='base', timeout=60)
# Run commands
result = sandbox.commands.run('echo "Hello from a secure sandbox"')
print(result.stdout)
# Read/write files
sandbox.files.write('/tmp/hello.txt', 'Hello World')
content = sandbox.files.read('/tmp/hello.txt')
# Clean up
sandbox.kill()
Async
from declaw import AsyncSandbox
sandbox = await AsyncSandbox.create(api_key='your-api-key', template='python', timeout=60)
result = await sandbox.commands.run('python3 -c "print(1+1)"')
await sandbox.kill()
Why Declaw?
AI agents need to execute code, call APIs, and interact with the world. Declaw gives them a secure sandbox to do it — with built-in guardrails that protect your users and infrastructure.
- Sub-10ms sandbox creation — pre-warmed VM pool, no cold starts
- Network isolation — per-sandbox firewall with domain and CIDR rules
- Full file system — read, write, upload, download files in the sandbox
Security & Guardrails
Every outbound request from the sandbox passes through a configurable security pipeline.
PII Scanning
Detect and redact sensitive data before it leaves the sandbox.
from declaw import Sandbox, SecurityPolicy, PIIConfig
sandbox = Sandbox.create(
security=SecurityPolicy(
pii=PIIConfig(
enabled=True,
types=['ssn', 'credit_card', 'email', 'phone', 'api_key'],
action='redact',
),
),
)
Prompt Injection Defense
Block prompt injection attempts in agent outputs.
from declaw import SecurityPolicy, InjectionDefenseConfig
sandbox = Sandbox.create(
security=SecurityPolicy(
injection_defense=InjectionDefenseConfig(
enabled=True,
action='block',
threshold=0.85,
),
),
)
Toxicity, Code Security & Invisible Text
sandbox = Sandbox.create(
security=SecurityPolicy(
toxicity=ToxicityConfig(enabled=True, action='block', threshold=0.7),
code_security=CodeSecurityConfig(enabled=True, action='log'),
invisible_text=InvisibleTextConfig(enabled=True, action='block'),
),
)
Network Policies
from declaw import Sandbox, NetworkPolicy
# Allow only specific domains
sandbox = Sandbox.create(
network=NetworkPolicy(allow_out=['api.openai.com', 'huggingface.co']),
)
# Block all egress
isolated = Sandbox.create(
network=NetworkPolicy(deny_out=['ALL_TRAFFIC']),
)
Data Transformation
Transform sensitive values in-flight.
from declaw import SecurityPolicy, TransformationRule
sandbox = Sandbox.create(
security=SecurityPolicy(
transformations=[
TransformationRule(
pattern=r'sk-[a-zA-Z0-9]+',
replacement='[API_KEY]',
direction='egress',
),
],
),
)
Combining Guardrails
All guardrails compose — enable multiple and they run in sequence:
sandbox = Sandbox.create(
api_key='your-api-key',
template='ai-agent',
timeout=300,
network=NetworkPolicy(allow_out=['api.openai.com', 'api.anthropic.com']),
security=SecurityPolicy(
pii=PIIConfig(enabled=True, action='redact', types=['ssn', 'credit_card']),
injection_defense=InjectionDefenseConfig(enabled=True, action='block'),
toxicity=ToxicityConfig(enabled=True, action='log'),
invisible_text=InvisibleTextConfig(enabled=True, action='block'),
),
)
Templates
| Template | Description |
|---|---|
base |
Minimal Linux |
python |
Python 3.12 with pip |
node |
Node.js 22 LTS with npm |
code-interpreter |
Python with data science libraries |
ai-agent |
Python + Node.js + AI/ML tools |
mcp-server |
MCP server runtime |
web-dev |
Node.js + browser testing |
devops |
Docker, Terraform, kubectl |
API
# Create sandbox
sandbox = Sandbox.create(template, api_key, timeout, network, security)
# Commands
result = sandbox.commands.run('ls -la')
for chunk in sandbox.commands.stream('python script.py'):
print(chunk)
# Files — `path` is the literal absolute path inside the sandbox.
# Files appear at exactly that path — no remapping, no bridge directory.
sandbox.files.write(path, content)
data = sandbox.files.read(path)
entries = sandbox.files.list('/')
# PTY (interactive terminal)
pty = sandbox.pty.create(cols=80, rows=24)
# Lifecycle
sandbox.kill()
License
Apache-2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file declaw-1.1.9.tar.gz.
File metadata
- Download URL: declaw-1.1.9.tar.gz
- Upload date:
- Size: 56.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.2 CPython/3.11.14 Darwin/24.6.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
36ad50daae43f0bdd5cc717b9fd363078818e182e3a7427a4e5bda0e94493374
|
|
| MD5 |
b91fa81d3018d0d0604f1fef1950c61c
|
|
| BLAKE2b-256 |
1b43bcba6011d9316f3345e92021e3b4d078122b116f9e1ef9bdd15559fea89b
|
File details
Details for the file declaw-1.1.9-py3-none-any.whl.
File metadata
- Download URL: declaw-1.1.9-py3-none-any.whl
- Upload date:
- Size: 82.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.2 CPython/3.11.14 Darwin/24.6.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e3c5c7aa59edf43d0592538292156119941666489a532e025a676c9e1cd3f7e1
|
|
| MD5 |
af173da541baf2bdabb4dd4eb917ef29
|
|
| BLAKE2b-256 |
c91f673373ac69a202ca984fdb027e731b7592f27bfb1bceb80f6766a8f7e634
|
