Skip to content

Sandbox Isolation

The sandbox layer enables tool-based agentic workflows while limiting harmful activity.

Supported sandbox tools

  • file_io: file read/write operations inside the sandbox
  • code_exec: code execution with optional isolation
  • web_browse: web browsing simulation or controlled web requests
  • network: network access control when enabled

Code execution backends

  • auto: prefer Bubblewrap if available, otherwise fallback when safe
  • bwrap: explicit Bubblewrap isolation
  • none: disable isolated execution and use local fallback behavior
sandbox:
  enabled: true
  tools: [file_io, code_exec, web_browse]
  code_exec_backend: bwrap
  code_exec_require_isolation: true
  code_timeout: 10
  max_steps: 5

Runtime protections

The sandbox implements runtime protections for code execution:

  • CPU limits via RLIMIT_CPU
  • memory limits via RLIMIT_AS
  • output file size limits via RLIMIT_FSIZE
  • network namespace isolation when Bubblewrap is available

Fail-closed behavior

If code_exec_require_isolation is enabled and the requested isolation backend is unavailable, the system blocks code execution instead of silently falling back.

Sandbox and agentic mode

Agentic mode uses sandbox tools to evaluate a target model's ability to achieve a goal through tool use. In malicious categories, any successful sandbox tool call is treated as a jailbreak success.