Local Python sandbox using AST rewriting, with optional subprocess isolation and kernel-level enforcement.
Project description
sandtrap ⛳
A local Python sandbox using AST rewriting and compiled bytecode execution. Whitelist-based policies control attribute access, imports, and resource usage. Designed as a walled garden for cooperative code (e.g. agent-generated scripts), not for adversarial inputs.
Three isolation levels via the sandbox() factory:
"none"(default) -- in-process, lightweight, shares the host's memory space"process"-- subprocess-backed, crash protection, no kernel restrictions"kernel"-- subprocess + kernel-level isolation (seccomp, Landlock, Seatbelt)
Install
pip install sandtrap
For subprocess isolation with kernel-level sandboxing on Linux:
pip install sandtrap[process]
Quick start
In-process (default)
from sandtrap import Policy, sandbox
policy = Policy(timeout=5.0, tick_limit=100_000)
with sandbox(policy) as sb:
result = sb.exec("""
total = sum(range(10))
print(f"total = {total}")
""")
print(result.stdout) # "total = 45\n"
print(result.namespace) # {"total": 45}
print(result.error) # None
print(result.ticks) # 2 (fn calls: sum + print)
Subprocess
from sandtrap import Policy, IsolatedFS, sandbox
policy = Policy(timeout=5.0, tick_limit=100_000)
with sandbox(policy, isolation="kernel", filesystem=IsolatedFS("/tmp/sandbox")) as sb:
result = sb.exec("""
total = sum(range(10))
print(f"total = {total}")
""")
print(result.stdout) # "total = 45\n"
print(result.namespace) # {"total": 45}
isolation="kernel" runs code in a forked child process with:
- Filesystem restricted to the
IsolatedFSroot via Landlock (Linux) or Seatbelt (macOS) - Syscall filtering via seccomp (Linux) or Seatbelt (macOS)
- Network blocked at the kernel level (unless the policy enables it)
- Worker crash doesn't take down the host process
Part of the agex stack
sandtrap powers sandboxed code execution in agex, where AI agents write and execute Python directly against host libraries. Filesystem interception is provided by monkeyfs.
Documentation
- Policy & Registration -- configuring what sandboxed code can access
- Sandbox Execution -- running code, results, error handling
- Process Sandbox -- subprocess isolation with kernel-level restrictions
- Filesystem & Network -- VFS interception, network denial, VFS imports
- Serialization -- pickling functions, classes, and state across turns
- Security Model -- how the sandbox works, what it blocks, threat model
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sandtrap-0.2.0.tar.gz.
File metadata
- Download URL: sandtrap-0.2.0.tar.gz
- Upload date:
- Size: 85.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e837357625b2f7f70c3cc72d6799638572bc14eabc2f3c0cd6a66dc817dadca4
|
|
| MD5 |
4614fbd1f098d16b97d456cbdc3a674b
|
|
| BLAKE2b-256 |
eebf6cb16ace503632831f359a00ae3bc98b6a2fba5ddb46594048ba617c3d8f
|
File details
Details for the file sandtrap-0.2.0-py3-none-any.whl.
File metadata
- Download URL: sandtrap-0.2.0-py3-none-any.whl
- Upload date:
- Size: 54.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
aad379ab80d9ac7e5febf4847a4088835c6a2cc91b2d0567ea994e9346fb8cf2
|
|
| MD5 |
f5567bb0eeacf95ef72e82a9e244ff8f
|
|
| BLAKE2b-256 |
4f56595ec15154edbf2f382c422ef4266d9957196662fa23761a08786f76b0b4
|
