Skip to main content

Local Python sandbox using AST rewriting, with optional subprocess isolation and kernel-level enforcement.

Project description

sandtrap ⛳

A local Python sandbox using AST rewriting and compiled bytecode execution. Whitelist-based policies control attribute access, imports, and resource usage. Designed as a walled garden for cooperative code (e.g. agent-generated scripts), not for adversarial inputs.

Three isolation levels via the sandbox() factory:

  • "none" (default) -- in-process, lightweight, shares the host's memory space
  • "process" -- subprocess-backed, crash protection, no kernel restrictions
  • "kernel" -- subprocess + kernel-level isolation (seccomp, Landlock, Seatbelt)

Install

pip install sandtrap

For subprocess isolation with kernel-level sandboxing on Linux:

pip install sandtrap[process]

Quick start

In-process (default)

from sandtrap import Policy, sandbox

policy = Policy(timeout=5.0, tick_limit=100_000)

with sandbox(policy) as sb:
    result = sb.exec("""
total = sum(range(10))
print(f"total = {total}")
""")

print(result.stdout)       # "total = 45\n"
print(result.namespace)    # {"total": 45}
print(result.error)        # None
print(result.ticks)        # 2 (fn calls: sum + print)

Subprocess

from sandtrap import Policy, IsolatedFS, sandbox

policy = Policy(timeout=5.0, tick_limit=100_000)

with sandbox(policy, isolation="kernel", filesystem=IsolatedFS("/tmp/sandbox")) as sb:
    result = sb.exec("""
total = sum(range(10))
print(f"total = {total}")
""")

print(result.stdout)       # "total = 45\n"
print(result.namespace)    # {"total": 45}

isolation="kernel" runs code in a forked child process with:

  • Filesystem restricted to the IsolatedFS root via Landlock (Linux) or Seatbelt (macOS)
  • Syscall filtering via seccomp (Linux) or Seatbelt (macOS)
  • Network blocked at the kernel level (unless the policy enables it)
  • Worker crash doesn't take down the host process

Part of the agex stack

sandtrap powers sandboxed code execution in agex, where AI agents write and execute Python directly against host libraries. Filesystem interception is provided by monkeyfs.

Documentation

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sandtrap-0.2.2.tar.gz (94.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sandtrap-0.2.2-py3-none-any.whl (59.6 kB view details)

Uploaded Python 3

File details

Details for the file sandtrap-0.2.2.tar.gz.

File metadata

  • Download URL: sandtrap-0.2.2.tar.gz
  • Upload date:
  • Size: 94.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for sandtrap-0.2.2.tar.gz
Algorithm Hash digest
SHA256 b01f790b65eb28f507fd27f631ecb45c3a752bad381d80c465a050db7a7ff879
MD5 5a54320256dc2e16e4358917d1c63c9b
BLAKE2b-256 6b0808797d790a3bfd5625f88bea510c50daa82a433f6f06fabfc6a5fa93993d

See more details on using hashes here.

File details

Details for the file sandtrap-0.2.2-py3-none-any.whl.

File metadata

  • Download URL: sandtrap-0.2.2-py3-none-any.whl
  • Upload date:
  • Size: 59.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for sandtrap-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 74d4455924ec5339ec28d081154e3fcd55878078dd1af631199256f64955ca92
MD5 0838cc83d14ef09b05b8185713d26f92
BLAKE2b-256 c376990ed80393ff4e2166634036ccd0db7ada05fa7b78113fca36ba5997ba66

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page