Security Architecture: Hardening Docker-less Code Execution with Deterministic AST Boundaries

[kwdoug63]

The Local Execution Problem
Currently, the framework relies heavily on Docker for safe agent code execution. When users run agents locally without Docker (which is common for rapid prototyping), they are essentially opening themselves up to Remote Code Execution (RCE) via agent hallucinations or prompt injection.
The Proposed Solution: VAREK
I propose integrating a deterministic, lightweight circuit breaker using Abstract Syntax Tree (AST) static analysis, functioning as a “Hardened Local Executor.”
Instead of relying on heavy containerization, the VAREK boundary:
Compiles the agent’s proposed Python payload into an AST before it reaches the kernel.
Scans for destructive structural patterns (e.g., unauthorized os, subprocess, or shutil calls).
Physically snaps the execution natively, returning an error to the agent to course-correct.
Proof of Concept
I built a lightweight bare-metal multi-agent simulation using the OpenAI API to demonstrate this. When the agent attempted to execute an os.remove() script to wipe log files, the VAREK AST engine intercepted and quarantined the payload natively—even running on a mobile ARM processor without Docker.
Proof of Intercept: https://github.com/kwdoug63/varek/blob/main/07-bare-metal-mobile-intercept.py
Would the engineering team be open to discussing a native AST security layer for the LocalCommandLineCodeExecutor?

[kwdoug63]

Update: VAREK PyPI Release
To follow up on this architecture proposal, I have formalized the VAREK engine into a standalone Python package. Furthermore, to address potential blind spots in static analysis (like obfuscated dynamic imports via import), I have upgraded the architecture into a true defense-in-depth system by pairing the AST static gate with PEP 578 CPython runtime audit hooks.

If the AutoGen engineering team—or any developers building locally—want to test this security boundary against the LocalCommandLineCodeExecutor, it can now be provisioned directly via:

pip install varek-guardrails

PyPI Registry: https://pypi.org/project/varek-guardrails/
Documentation: https://github.com/kwdoug63/varek

I am actively stress-testing this module against agent hallucination edge-cases. Let me know if there is interest in a PR to add native support for this guardrail layer.