Code execution: sandboxes

Maps to: Code execution: sandboxes.

Scope

Isolated environments for arbitrary shell or code execution initiated by the agent, with clear boundaries for filesystem, network, and secrets.

Design questions

  • When is an execute tool exposed to the agent, versus only filesystem tools (read, write, list) with no shell?
  • Provider selection, warm pools, and sandbox lifecycle (one sandbox per thread, per assistant, or per run).
  • Credential proxy (secrets stay on the host and are attached to outbound calls there) versus secrets mounted inside the sandbox, where any code the agent runs can read them.
  • Prompt-injection threat model: the host stays protected, but everything inside the sandbox (data, files, the agent's own outbound requests) is assumed compromisable by injected instructions.
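The credential-proxy design question above, worked as an added example. This is illustrative code written for this page, not the runtime's own implementation: the allowlist, the credential values, and the sample requests are all constructed. The sandbox never holds a secret; it only knows the proxy's address. The proxy enforces an exact-host allowlist, rejects plain HTTP, strips any credential headers the sandboxed code tried to supply, and injects the host-held credential itself. The sample attempts include the kinds of URL tricks prompt-injected code might use to slip past a naive host check (userinfo before the real host, an allowlisted host used as a subdomain of an attacker's domain).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed policy for this example. The credentials live only in the proxy
# process on the host; the sandbox is told the proxy address and nothing else.
UPSTREAM_CREDENTIALS = {
    "api.example.com": ("Authorization", "Bearer sk-live-host-only"),
    "hooks.example.net": ("X-Api-Key", "hook-key-host-only"),
}

# Headers the sandbox is never allowed to set on an outbound request. If
# injected code could supply its own Authorization, it could replay a token it
# found elsewhere, or smuggle a credential to a host the proxy does allow.
STRIPPED_REQUEST_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}


class ProxyDenied(Exception):
    """Raised when a sandbox-originated request must not leave the proxy."""


@dataclass
class OutboundRequest:
    method: str
    url: str
    headers: dict


def forward(method: str, url: str, sandbox_headers: dict) -> OutboundRequest:
    """Validate a sandbox-originated request and attach the upstream credential."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ProxyDenied(f"scheme {parts.scheme!r} not allowed")
    # urlsplit().hostname already discards userinfo and the port, so
    # "https://api.example.com@evil.example.org/" resolves to evil.example.org.
    host = parts.hostname
    if host not in UPSTREAM_CREDENTIALS:          # exact match, never a suffix match
        raise ProxyDenied(f"host {host!r} not in allowlist")
    if parts.port not in (None, 443):
        raise ProxyDenied(f"port {parts.port} not allowed")
    headers = {k: v for k, v in sandbox_headers.items()
               if k.lower() not in STRIPPED_REQUEST_HEADERS}
    name, value = UPSTREAM_CREDENTIALS[host]     # credential is added here, on the host
    headers[name] = value
    return OutboundRequest(method.upper(), url, headers)


def audit(attempts):
    """Run a batch of sandbox-originated requests through the proxy and return verdicts.

    Each verdict is ("allowed", url, sorted header names) or ("denied", url, reason);
    this list is what an evaluation harness would assert on and what the proxy logs.
    """
    verdicts = []
    for method, url, headers in attempts:
        try:
            out = forward(method, url, headers)
            verdicts.append(("allowed", out.url, sorted(out.headers)))
        except ProxyDenied as exc:
            verdicts.append(("denied", url, str(exc)))
    return verdicts


# Constructed attempts: what prompt-injected code inside the sandbox might try.
SAMPLE_ATTEMPTS = [
    ("GET", "https://api.example.com/v1/items", {"Accept": "application/json"}),     # legitimate
    ("POST", "https://evil.example.org/collect", {"Content-Type": "text/plain"}),    # exfil target
    ("GET", "https://api.example.com@evil.example.org/", {}),                        # userinfo trick
    ("GET", "https://api.example.com.evil.example.org/v1/items", {}),                # suffix trick
    ("GET", "https://api.example.com/v1/items", {"Authorization": "Bearer stolen"}), # replayed token
    ("GET", "http://api.example.com/v1/items", {}),                                  # downgrade
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_ATTEMPTS):
        print(*verdict)
```

The sandbox side of this design is deliberately boring: the only network route out is the proxy, and the only secret-shaped thing the sandbox ever sees is the proxy's address. The allowed legitimate request comes out carrying `Authorization: Bearer sk-live-host-only` even though the sandbox sent none, and the request that tried to bring its own bearer token has it replaced rather than passed through.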

Tradeoffs

  • Sandboxes unlock general-purpose agents but expand attack surface and cost.
  • Warm pools reduce start-up latency, at the cost of steady-state spend on idle sandboxes.
  • Disabling execute simplifies the security story but caps what the agent can do.

Evaluation hooks

  • Breakout probes run from inside the sandbox by the test harness cannot read host files or host environment variables.
  • Outbound API calls obtain credentials only via the approved proxy path; no credential material is present inside the sandbox.
  • A runaway command is killed when it exceeds its CPU or wall-clock limit.

Reference notes

See LangChain runtime article (sandbox auth proxy figure).