Sandbox any command with file, network, and credential controls.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for afshinm from gravatar.com afshinm

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Afshin Mehrabani
  • Tags ai-agents , cli , code-execution , credential-injection , llm , mcp , network-filtering , process-isolation , sandbox , secret-management , security , security-tools , vault
  • Requires: Python >=3.9
Classifiers
Report project as malware

Project description

Zerobox Python SDK

Zerobox PyPI version Zerobox license

Python SDK for zerobox. Sandbox any command with file, network, and credential controls.

pip install zerobox

Installing the wheel drops the zerobox CLI into your environment's bin/ and exposes a Python SDK.

For CLI usage, secrets concepts, the full flag reference, performance numbers, and platform support see the main README.

Quick start

from zerobox import Sandbox

sandbox = Sandbox.create({"allow_write": ["/tmp"]})
print(sandbox.sh("echo hello").text())

Commands

Three ways to run a command. Each returns a ShellCommand you terminate with .text(), .json(), or .output().

Shell

name = "world"
sandbox.sh(f"echo hello {name}").text()

Inline Python

data = sandbox.py("import json; print(json.dumps({'sum': 1 + 2}))").json()

Explicit command + args

sandbox.exec("python3", ["-c", "print('hi')"]).text()

Results

Method On success On non-zero exit
.text() Returns stdout as a string Raises SandboxCommandError
.json() Parses stdout as JSON Raises SandboxCommandError
.output() Returns CommandOutput(code, stdout, stderr) Returns the same shape, never raises 
data = sandbox.sh("cat data.json").json()
result = sandbox.sh("exit 42").output()
# CommandOutput(code=42, stdout='', stderr='')

Error handling

Non-zero exit raises SandboxCommandError:

from zerobox import Sandbox, SandboxCommandError

sandbox = Sandbox.create()
try:
    sandbox.sh("exit 1").text()
except SandboxCommandError as e:
    print(e.code, e.stderr)

Secrets

Pass API keys that the sandboxed process never sees. The proxy substitutes the real value only for approved hosts.

import os
from zerobox import Sandbox

sandbox = Sandbox.create({
    "secrets": {
        "OPENAI_API_KEY": {
            "value": os.environ["OPENAI_API_KEY"],
            "hosts": ["api.openai.com"],
        },
        "GITHUB_TOKEN": {
            "value": os.environ["GITHUB_TOKEN"],
            "hosts": ["api.github.com"],
        },
    },
})

sandbox.sh('curl -H "Authorization: Bearer $OPENAI_API_KEY" https://api.openai.com/v1/models').text()

See the main README for how placeholder substitution works.

Snapshots

Record filesystem changes and roll them back automatically:

sandbox = Sandbox.create({
    "allow_write": ["."],
    "restore": True,
})
sandbox.sh("npm install").text()

Record without rolling back:

sandbox = Sandbox.create({
    "allow_write": ["."],
    "snapshot": True,
    "snapshot_exclude": ["node_modules"],
})
sandbox.sh("npm install").text()

Cancellation

Pass a timeout (seconds) to any terminator:

import subprocess
try:
    sandbox.sh("sleep 60").text(timeout=1.0)
except subprocess.TimeoutExpired:
    print("cancelled")

Environment variables

sandbox = Sandbox.create({
    "env": {"NODE_ENV": "production"},
    "allow_env": ["PATH", "HOME"],
    "deny_env": ["AWS_SECRET_ACCESS_KEY"],
})

See the main README for what's inherited by default and the CLI equivalents.

Options

Sandbox.create(options) accepts a SandboxOptions dataclass or a plain dict. All fields are optional.

Field Type Description
profile str | list[str] Named profile(s). A list merges left-to-right. Default "workspace".
allow_read / deny_read list[str] Readable / blocked paths.
allow_write / deny_write list[str] Writable / blocked paths.
allow_net bool | list[str] True allows all. A list restricts to those domains.
deny_net list[str] Blocked domains.
allow_all bool Full filesystem + network access.
no_sandbox bool Disable the sandbox entirely.
strict_sandbox bool Fail instead of falling back to weaker isolation.
cwd str Working directory.
env dict[str, str] Explicit env vars.
allow_env bool | list[str] Inherit parent env vars.
deny_env list[str] Blocked env vars.
snapshot bool Record filesystem changes.
restore bool Record and roll back after exit. Implies snapshot.
snapshot_paths / snapshot_exclude list[str] Tracked paths / excluded patterns.
secrets dict[str, SecretConfig] Secrets with per-host scopes.
debug bool Print sandbox config to stderr.

Unknown dict keys (e.g. accidental allowWrite instead of allow_write) raise TypeError at construction time.

Caveats

Sandbox.py(code) runs whichever python3 is on PATH inside the sandbox. If your active interpreter lives outside the sandbox's readable roots (for example uv-managed Pythons under ~/.local/share/uv/), fall back to:

import sys
sandbox = Sandbox.create({"allow_read": [sys.prefix]})
sandbox.exec(sys.executable, ["-c", "print('hi')"]).text()

Other SDKs

License

Apache-2.0

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for afshinm from gravatar.com afshinm

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Afshin Mehrabani
  • Tags ai-agents , cli , code-execution , credential-injection , llm , mcp , network-filtering , process-isolation , sandbox , secret-management , security , security-tools , vault
  • Requires: Python >=3.9
Classifiers

Release history Release notifications | RSS feed

This version

0.2.6

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

zerobox-0.2.6.tar.gz (13.5 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

zerobox-0.2.6-py3-none-musllinux_1_1_x86_64.whl (8.3 MB view details)

Uploaded Python 3musllinux: musl 1.1+ x86-64

zerobox-0.2.6-py3-none-musllinux_1_1_aarch64.whl (7.9 MB view details)

Uploaded Python 3musllinux: musl 1.1+ ARM64

zerobox-0.2.6-py3-none-manylinux_2_17_x86_64.whl (7.0 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ x86-64

zerobox-0.2.6-py3-none-manylinux_2_17_aarch64.whl (6.5 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARM64

zerobox-0.2.6-py3-none-macosx_11_0_arm64.whl (7.1 MB view details)

Uploaded Python 3macOS 11.0+ ARM64

zerobox-0.2.6-py3-none-macosx_10_12_x86_64.whl (7.5 MB view details)

Uploaded Python 3macOS 10.12+ x86-64

File details

Details for the file zerobox-0.2.6.tar.gz.

File metadata

  • Download URL: zerobox-0.2.6.tar.gz
  • Upload date:
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for zerobox-0.2.6.tar.gz
Algorithm Hash digest
SHA256 d5386f8804620f9ac75ab29436106be4d111ee9186b46b6d05d18e1295320a8f
MD5 d86126eacd1048e7508b0e454d3b7aa7
BLAKE2b-256 507411b855893d762d2701c0bc97f9e84962b607a6123c504a63b6a757cbb742

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6.tar.gz:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zerobox-0.2.6-py3-none-musllinux_1_1_x86_64.whl.

File metadata

File hashes

Hashes for zerobox-0.2.6-py3-none-musllinux_1_1_x86_64.whl
Algorithm Hash digest
SHA256 9f76be6b906904ba2c4621f5d0c5dc19b1888c83a0dbe47bdf254cc75334eb5a
MD5 0c90675ee52cdbf303e7955eda525b54
BLAKE2b-256 2efa564a5f4de7bde9fbc374c8153cf88e80d31dfc102530000635faac8e889c

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6-py3-none-musllinux_1_1_x86_64.whl:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zerobox-0.2.6-py3-none-musllinux_1_1_aarch64.whl.

File metadata

File hashes

Hashes for zerobox-0.2.6-py3-none-musllinux_1_1_aarch64.whl
Algorithm Hash digest
SHA256 9a2c5e4465bc6d8b596e9d92e22586705b3af04d7e0d86b82905c505b56f4f2e
MD5 6881d63e2c9b6b6f026ef47673f899ec
BLAKE2b-256 47d27fb0d246a8156a403502204c6365110c34358866b8fc44daf50919491c7f

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6-py3-none-musllinux_1_1_aarch64.whl:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zerobox-0.2.6-py3-none-manylinux_2_17_x86_64.whl.

File metadata

File hashes

Hashes for zerobox-0.2.6-py3-none-manylinux_2_17_x86_64.whl
Algorithm Hash digest
SHA256 a9dfad70ad9ead38e86f41f90024136251e27cd117ef54e4f7c2e1b725e44f8c
MD5 33ae4bfad4ba2fb78990fcbe5b7c0990
BLAKE2b-256 98a12ec12b3e3b5ae8f4f4de36afaa32327a31f6620448a8eaef4df189cba980

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6-py3-none-manylinux_2_17_x86_64.whl:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zerobox-0.2.6-py3-none-manylinux_2_17_aarch64.whl.

File metadata

File hashes

Hashes for zerobox-0.2.6-py3-none-manylinux_2_17_aarch64.whl
Algorithm Hash digest
SHA256 61ed5a40f4922cfdf61d7c55f013149cc32213411477216b627e9350ee5d5612
MD5 0e36d6fee9a3ffdd261bdb2f32452c0c
BLAKE2b-256 ab13640ca0de324e71df220528da9368e16aa246aea1ac16690cc876c3f2926f

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6-py3-none-manylinux_2_17_aarch64.whl:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zerobox-0.2.6-py3-none-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for zerobox-0.2.6-py3-none-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 4c26fcbf1852d024d3b91af649373f565012e9b202058c6389689c709d7afc01
MD5 9ec9eabc798160369a40399d9aee5a7b
BLAKE2b-256 55e1e2869c419ba9039427c0454a3be64f1fd4a206ddf4ef6f42f91c7eb03290

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6-py3-none-macosx_11_0_arm64.whl:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file zerobox-0.2.6-py3-none-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for zerobox-0.2.6-py3-none-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 cb1ad367551f1207e0b87b36fae74a6e14d5021887c675bd03a11fa12a29bc76
MD5 d55cb1aad91a7931b8f99694c1dffa26
BLAKE2b-256 45eb8c019dfbd6d701efad57244a8bfb5e94b1b624927a59af9099f0253daa1d

See more details on using hashes here.

Provenance

The following attestation bundles were made for zerobox-0.2.6-py3-none-macosx_10_12_x86_64.whl:

Publisher: release.yml on afshinm/zerobox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page