Skip to main content

Local Python sandbox using AST rewriting, with optional subprocess isolation and kernel-level enforcement.

Project description

sandtrap ⛳

A local Python sandbox using AST rewriting and compiled bytecode execution. Whitelist-based policies control attribute access, imports, and resource usage. Designed as a walled garden for cooperative code (e.g. agent-generated scripts), not for adversarial inputs.

Three isolation levels via the sandbox() factory:

  • "none" (default) -- in-process, lightweight, shares the host's memory space
  • "process" -- subprocess-backed, crash protection, no kernel restrictions
  • "kernel" -- subprocess + kernel-level isolation (seccomp, Landlock, Seatbelt)

Install

pip install sandtrap

For subprocess isolation with kernel-level sandboxing on Linux:

pip install sandtrap[process]

Quick start

In-process (default)

from sandtrap import Policy, sandbox

policy = Policy(timeout=5.0, tick_limit=100_000)

with sandbox(policy) as sb:
    result = sb.exec("""
total = sum(range(10))
print(f"total = {total}")
""")

print(result.stdout)       # "total = 45\n"
print(result.namespace)    # {"total": 45}
print(result.error)        # None
print(result.ticks)        # 2 (fn calls: sum + print)

Subprocess

from sandtrap import Policy, IsolatedFS, sandbox

policy = Policy(timeout=5.0, tick_limit=100_000)

with sandbox(policy, isolation="kernel", filesystem=IsolatedFS("/tmp/sandbox")) as sb:
    result = sb.exec("""
total = sum(range(10))
print(f"total = {total}")
""")

print(result.stdout)       # "total = 45\n"
print(result.namespace)    # {"total": 45}

isolation="kernel" runs code in a forked child process with:

  • Filesystem restricted to the IsolatedFS root via Landlock (Linux) or Seatbelt (macOS)
  • Syscall filtering via seccomp (Linux) or Seatbelt (macOS)
  • Network blocked at the kernel level (unless the policy enables it)
  • Worker crash doesn't take down the host process

Part of the agex stack

sandtrap powers sandboxed code execution in agex, where AI agents write and execute Python directly against host libraries. Filesystem interception is provided by monkeyfs.

Documentation

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sandtrap-0.2.3.tar.gz (97.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sandtrap-0.2.3-py3-none-any.whl (61.2 kB view details)

Uploaded Python 3

File details

Details for the file sandtrap-0.2.3.tar.gz.

File metadata

  • Download URL: sandtrap-0.2.3.tar.gz
  • Upload date:
  • Size: 97.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for sandtrap-0.2.3.tar.gz
Algorithm Hash digest
SHA256 5a94cdb739780d9b8d801d1866b6557d6e26474cf98fd0e65af91bb523ec62c6
MD5 fee91a62ffcd247b10c008c08a57be59
BLAKE2b-256 b3ae3d4364c122a170f7595e83b3651bc131050a9c62f95b149441c70bb7945c

See more details on using hashes here.

File details

Details for the file sandtrap-0.2.3-py3-none-any.whl.

File metadata

  • Download URL: sandtrap-0.2.3-py3-none-any.whl
  • Upload date:
  • Size: 61.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for sandtrap-0.2.3-py3-none-any.whl
Algorithm Hash digest
SHA256 3f11b91bf2276dd94a294c4585979c466eb00ed853c65b0bff6eec8d53d1657b
MD5 966f69c6c3af8c2fefab9efac6179be3
BLAKE2b-256 29000680f5579029259bc3a980670477b1c022128773eba29c74743c4e91a9a5

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page