File storage and sandbox backends for AI agents
Project description
Pydantic AI Backend
Sandboxed execution & file tools for agents.
A ready-made console toolset over State / Local / Docker / Daytona backends.
Docs · PyPI · Install · Ecosystem · Deep Agents
Console toolset • State / Local / Docker / Daytona • Permission system • Session manager • Image support
Part of Pydantic Deep Agents — the open-source Claude Code alternative & Python agent framework. Use this library standalone, or get everything wired together in one
create_deep_agent()call.
Pydantic AI Backend gives your Pydantic AI agent everything it needs to read, write, and run code safely — a ready-made console toolset over in-memory, local-filesystem, or Docker-isolated backends, with a fine-grained permission system.
Use Cases
| What You Want to Build | How This Library Helps |
|---|---|
| AI Coding Assistant | Console toolset with file ops + code execution |
| Multi-User Web App | Docker sandboxes with session isolation |
| Code Review Bot | Read-only backend with grep/glob search |
| Secure Execution | Permission system blocks dangerous operations |
| Testing/CI | In-memory StateBackend for fast, isolated tests |
Installation
pip install pydantic-ai-backend
Or with uv:
uv add pydantic-ai-backend
Optional extras:
# Console toolset (requires pydantic-ai)
pip install pydantic-ai-backend[console]
# Docker sandbox support
pip install pydantic-ai-backend[docker]
# Everything
pip install pydantic-ai-backend[console,docker]
Quick Start — ConsoleCapability (Recommended)
The simplest way to give your agent filesystem tools:
from pydantic_ai import Agent
from pydantic_ai_backends import ConsoleCapability
agent = Agent("openai:gpt-4.1", capabilities=[ConsoleCapability()])
With Permissions
from pydantic_ai_backends import ConsoleCapability
from pydantic_ai_backends.permissions import READONLY_RULESET
# Read-only agent — write/edit/execute tools are hidden from the model
agent = Agent("openai:gpt-4.1", capabilities=[ConsoleCapability(permissions=READONLY_RULESET)])
Alternative: Toolset API
from dataclasses import dataclass
from pydantic_ai import Agent
from pydantic_ai_backends import LocalBackend, create_console_toolset
@dataclass
class Deps:
backend: LocalBackend
agent = Agent(
"openai:gpt-4.1",
deps_type=Deps,
toolsets=[create_console_toolset()],
)
backend = LocalBackend(root_dir="./workspace")
result = agent.run_sync(
"Create a Python script that calculates fibonacci and run it",
deps=Deps(backend=backend),
)
print(result.output)
That's it. Your agent can now:
- List files and directories (
ls) - Read and write files (
read_file,write_file) - Edit files with string replacement (
edit_file) - Search with glob patterns and regex (
glob,grep) - Execute shell commands (
execute)
Available Backends
| Backend | Storage | Execution | Use Case |
|---|---|---|---|
StateBackend |
In-memory | No | Testing, ephemeral sessions |
LocalBackend |
Filesystem | Yes | Local development, CLI tools |
DockerSandbox |
Container | Yes | Multi-user, untrusted code |
CompositeBackend |
Routed | Varies | Complex multi-source setups |
In-Memory (StateBackend)
from pydantic_ai_backends import StateBackend
backend = StateBackend()
# Files stored in memory, perfect for tests
Local Filesystem (LocalBackend)
from pydantic_ai_backends import LocalBackend
backend = LocalBackend(
root_dir="/workspace",
allowed_directories=["/workspace", "/shared"],
enable_execute=True,
)
Docker Sandbox (DockerSandbox)
from pydantic_ai_backends import DockerSandbox
sandbox = DockerSandbox(runtime="python-datascience")
sandbox.start()
# Fully isolated container environment
sandbox.stop()
Reusable Named Container
from pydantic_ai_backends import DockerSandbox
# Named container persists between sessions (packages survive restarts)
sandbox = DockerSandbox(
image="python:3.12-slim",
container_name="my-dev-env", # implies auto_remove=False
volumes={"/my/project": "/workspace"},
)
# Next time: finds existing container and reattaches
Console Toolset
Ready-to-use tools for pydantic-ai agents:
from pydantic_ai_backends import create_console_toolset
# All tools enabled
toolset = create_console_toolset()
# Without shell execution
toolset = create_console_toolset(include_execute=False)
# With approval requirements
toolset = create_console_toolset(
require_write_approval=True,
require_execute_approval=True,
)
# With custom tool descriptions
toolset = create_console_toolset(
descriptions={
"execute": "Run shell commands in the workspace",
"read_file": "Read file contents from the workspace",
}
)
Available tools: ls, read_file, write_file, edit_file, glob, grep, execute
Image Support
For multimodal models, enable image file handling:
toolset = create_console_toolset(image_support=True)
# Now read_file on .png/.jpg/.gif/.webp returns BinaryContent
# that multimodal models (GPT-4o, Claude, etc.) can see directly
Permission System
Fine-grained access control:
from pydantic_ai_backends import LocalBackend
from pydantic_ai_backends.permissions import DEFAULT_RULESET, READONLY_RULESET
# Safe defaults (allow reads, ask for writes)
backend = LocalBackend(root_dir="/workspace", permissions=DEFAULT_RULESET)
# Read-only mode
backend = LocalBackend(root_dir="/workspace", permissions=READONLY_RULESET)
| Preset | Description |
|---|---|
DEFAULT_RULESET |
Allow reads (except secrets), ask for writes/executes |
PERMISSIVE_RULESET |
Allow most operations, deny dangerous commands |
READONLY_RULESET |
Allow reads only, deny all writes and executes |
STRICT_RULESET |
Everything requires approval |
Docker Runtimes
Pre-configured environments:
| Runtime | Base Image | Packages |
|---|---|---|
python-minimal |
python:3.12-slim | (none) |
python-datascience |
python:3.12-slim | pandas, numpy, matplotlib, scikit-learn |
python-web |
python:3.12-slim | fastapi, uvicorn, sqlalchemy, httpx |
node-minimal |
node:20-slim | (none) |
node-react |
node:20-slim | typescript, vite, react |
Custom runtime:
from pydantic_ai_backends import DockerSandbox, RuntimeConfig
runtime = RuntimeConfig(
name="ml-env",
base_image="python:3.12-slim",
packages=["torch", "transformers"],
)
sandbox = DockerSandbox(runtime=runtime)
Session Manager
Multi-user web applications:
from pydantic_ai_backends import SessionManager
# Docker (default)
manager = SessionManager(
default_runtime="python-datascience",
workspace_root="/app/workspaces",
)
# Each user gets isolated sandbox
sandbox = await manager.get_or_create("user-123")
Custom Sandbox Factory
Use any sandbox backend (Daytona, custom, etc.):
from pydantic_ai_backends import SessionManager, DaytonaSandbox
def daytona_factory(session_id: str) -> DaytonaSandbox:
return DaytonaSandbox(sandbox_id=session_id)
manager = SessionManager(sandbox_factory=daytona_factory)
sandbox = await manager.get_or_create("user-123")
Why Choose This Library?
| Feature | Description |
|---|---|
| Multiple Backends | In-memory, filesystem, Docker — same interface |
| Console Toolset | Ready-to-use tools for pydantic-ai agents |
| Permission System | Pattern-based access control with presets |
| Docker Isolation | Safe execution of untrusted code |
| Session Management | Multi-user support with workspace persistence |
| Image Support | Multimodal models can see images via BinaryContent |
| Pre-built Runtimes | Python and Node.js environments ready to go |
Vstorm OSS Ecosystem
This library is one piece of a broader open-source toolkit for production AI agents — all built on Pydantic AI.
| Project | Description | Stars |
|---|---|---|
| Pydantic Deep Agents | The full agent framework and terminal assistant — bundles every library below into one create_deep_agent() call. |
|
| 👉 pydantic-ai-backend | Sandboxed execution & file tools — State / Local / Docker / Daytona backends + console toolset. | |
| subagents-pydantic-ai | Declarative multi-agent orchestration — sync / async / auto, with token tracking. | |
| summarization-pydantic-ai | Unlimited context for long-running agents — summarization or sliding window. | |
| pydantic-ai-shields | Drop-in guardrails — cost caps, prompt-injection defense, PII & secret redaction, tool blocking. | |
| pydantic-ai-todo | Task planning with subtasks, dependencies, and cycle detection. | |
| full-stack-ai-agent-template | Zero to production AI app in 30 minutes — FastAPI + Next.js 15, RAG, 6 AI frameworks. |
Want it all wired together? Pydantic Deep Agents ships every library above integrated — planning, filesystem, subagents, memory, context management, and guardrails — behind a single function call. Browse everything at oss.vstorm.co.
Contributing
git clone https://github.com/vstorm-co/pydantic-ai-backend.git
cd pydantic-ai-backend
make install
make test # 100% coverage required
Star History
If this library saved you from wiring an agent harness by hand — give it a ⭐. It's the single biggest thing that helps the project grow.
License
MIT — see LICENSE
Need help shipping AI agents in production?
We're Vstorm — an Applied Agentic AI Engineering Consultancy
with 30+ production agent implementations. Pydantic Deep Agents is what we build them with.
Made with care by Vstorm
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pydantic_ai_backend-0.2.16.tar.gz.
File metadata
- Download URL: pydantic_ai_backend-0.2.16.tar.gz
- Upload date:
- Size: 14.2 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0b226c9278a3c6ac7463fdfa49ac09dfe687d732d9aaab57f24fdf2dcb72b9d8
|
|
| MD5 |
22ae18b6c551872390f5081711366826
|
|
| BLAKE2b-256 |
c00d5a710c345a2704be4d338c59b1e334385c30757118060ab0738204fce4a1
|
Provenance
The following attestation bundles were made for pydantic_ai_backend-0.2.16.tar.gz:
Publisher:
publish.yml on vstorm-co/pydantic-ai-backend
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pydantic_ai_backend-0.2.16.tar.gz -
Subject digest:
0b226c9278a3c6ac7463fdfa49ac09dfe687d732d9aaab57f24fdf2dcb72b9d8 - Sigstore transparency entry: 2192244935
- Sigstore integration time:
-
Permalink:
vstorm-co/pydantic-ai-backend@c8b0af1079e03d3706bb520e5351017f46ba4054 -
Branch / Tag:
refs/tags/0.2.16 - Owner: https://github.com/vstorm-co
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c8b0af1079e03d3706bb520e5351017f46ba4054 -
Trigger Event:
release
-
Statement type:
File details
Details for the file pydantic_ai_backend-0.2.16-py3-none-any.whl.
File metadata
- Download URL: pydantic_ai_backend-0.2.16-py3-none-any.whl
- Upload date:
- Size: 83.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b8c3d17df558d4f97944f801abfedff28f6ad7325baba445b9961c1c6729b53c
|
|
| MD5 |
43d988eb3b615c34626bdcf04f3da0c6
|
|
| BLAKE2b-256 |
49c5964d68a2ad2736ff6d472e8bbc88a9d1bec80847d0a05bbe713ebf45b10b
|
Provenance
The following attestation bundles were made for pydantic_ai_backend-0.2.16-py3-none-any.whl:
Publisher:
publish.yml on vstorm-co/pydantic-ai-backend
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pydantic_ai_backend-0.2.16-py3-none-any.whl -
Subject digest:
b8c3d17df558d4f97944f801abfedff28f6ad7325baba445b9961c1c6729b53c - Sigstore transparency entry: 2192244943
- Sigstore integration time:
-
Permalink:
vstorm-co/pydantic-ai-backend@c8b0af1079e03d3706bb520e5351017f46ba4054 -
Branch / Tag:
refs/tags/0.2.16 - Owner: https://github.com/vstorm-co
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c8b0af1079e03d3706bb520e5351017f46ba4054 -
Trigger Event:
release
-
Statement type: