Skip to content

README.md

Latest commit

 

History

History
225 lines (166 loc) · 6.39 KB

README.md

File metadata and controls

225 lines (166 loc) · 6.39 KB

Zerobox Python SDK

Zerobox PyPI version Zerobox license

Python SDK for zerobox. Sandbox any command with file, network, and credential controls.

pip install zerobox

Installing the wheel drops the zerobox CLI into your environment's bin/ and exposes a Python SDK.

For CLI usage, secrets concepts, the full flag reference, performance numbers, and platform support see the main README.

Quick start

from zerobox import Sandbox

sandbox = Sandbox.create({"allow_write": ["/tmp"]})
print(sandbox.sh("echo hello").text())

Commands

Three ways to run a command. Each returns a ShellCommand you terminate with .text(), .json(), or .output().

Shell

name = "world"
sandbox.sh(f"echo hello {name}").text()

Inline Python

data = sandbox.py("import json; print(json.dumps({'sum': 1 + 2}))").json()

Explicit command + args

sandbox.exec("python3", ["-c", "print('hi')"]).text()

Results

Method On success On non-zero exit
.text() Returns stdout as a string Raises SandboxCommandError
.json() Parses stdout as JSON Raises SandboxCommandError
.output() Returns CommandOutput(code, stdout, stderr) Returns the same shape, never raises 
data = sandbox.sh("cat data.json").json()
result = sandbox.sh("exit 42").output()
# CommandOutput(code=42, stdout='', stderr='')

Async API

Use AsyncSandbox in async applications so waiting for the sandboxed subprocess does not block the event loop. The command shape is the same as Sandbox, but creation and terminators are awaited.

from zerobox import AsyncSandbox

sandbox = await AsyncSandbox.create({"allow_write": ["/tmp"]})

text = await sandbox.sh("echo hello").text()
data = await sandbox.sh("printf '{\"ok\": true}'").json()
result = await sandbox.exec("python3", ["-c", "print('hi')"]).output()

Async commands accept the same timeout option:

import subprocess

try:
    await sandbox.sh("sleep 60").text(timeout=1.0)
except subprocess.TimeoutExpired:
    print("cancelled")

Error handling

Non-zero exit raises SandboxCommandError:

from zerobox import Sandbox, SandboxCommandError

sandbox = Sandbox.create()
try:
    sandbox.sh("exit 1").text()
except SandboxCommandError as e:
    print(e.code, e.stderr)

Secrets

Pass API keys that the sandboxed process never sees. The proxy substitutes the real value only for approved hosts.

import os
from zerobox import Sandbox

sandbox = Sandbox.create({
    "secrets": {
        "OPENAI_API_KEY": {
            "value": os.environ["OPENAI_API_KEY"],
            "hosts": ["api.openai.com"],
        },
        "GITHUB_TOKEN": {
            "value": os.environ["GITHUB_TOKEN"],
            "hosts": ["api.github.com"],
        },
    },
})

sandbox.sh('curl -H "Authorization: Bearer $OPENAI_API_KEY" https://api.openai.com/v1/models').text()

See the main README for how placeholder substitution works.

Snapshots

Record filesystem changes and roll them back automatically:

sandbox = Sandbox.create({
    "allow_write": ["."],
    "restore": True,
})
sandbox.sh("npm install").text()

Record without rolling back:

sandbox = Sandbox.create({
    "allow_write": ["."],
    "snapshot": True,
    "snapshot_exclude": ["node_modules"],
})
sandbox.sh("npm install").text()

Cancellation

Pass a timeout (seconds) to any terminator:

import subprocess
try:
    sandbox.sh("sleep 60").text(timeout=1.0)
except subprocess.TimeoutExpired:
    print("cancelled")

Environment variables

sandbox = Sandbox.create({
    "env": {"NODE_ENV": "production"},
    "allow_env": ["PATH", "HOME"],
    "deny_env": ["AWS_SECRET_ACCESS_KEY"],
})

See the main README for what's inherited by default and the CLI equivalents.

Options

Sandbox.create(options) accepts a SandboxOptions dataclass or a plain dict. All fields are optional.

Field Type Description
profile str | list[str] Named profile(s). A list merges left-to-right. Default "workspace".
allow_read / deny_read list[str] Readable / blocked paths.
allow_write / deny_write list[str] Writable / blocked paths.
allow_net bool | list[str] True allows all. A list restricts to those domains.
deny_net list[str] Blocked domains.
allow_all bool Full filesystem + network access.
no_sandbox bool Disable the sandbox entirely.
strict_sandbox bool Fail instead of falling back to weaker isolation.
cwd str Working directory.
env dict[str, str] Explicit env vars.
allow_env bool | list[str] Inherit parent env vars.
deny_env list[str] Blocked env vars.
snapshot bool Record filesystem changes.
restore bool Record and roll back after exit. Implies snapshot.
snapshot_paths / snapshot_exclude list[str] Tracked paths / excluded patterns.
secrets dict[str, SecretConfig] Secrets with per-host scopes.
debug bool Print sandbox config to stderr.

Unknown dict keys (e.g. accidental allowWrite instead of allow_write) raise TypeError at construction time.

Caveats

Sandbox.py(code) runs whichever python3 is on PATH inside the sandbox. If your active interpreter lives outside the sandbox's readable roots (for example uv-managed Pythons under ~/.local/share/uv/), fall back to:

import sys
sandbox = Sandbox.create({"allow_read": [sys.prefix]})
sandbox.exec(sys.executable, ["-c", "print('hi')"]).text()

Other SDKs

License

Apache-2.0