feat: enforce secure file generation with mandatory tempfile.tempdir and path confinement

Mandate import tempfile; tempfile.tempdir = "/app/generated_files" as first line in all file-generating scripts
Enforce all file I/O to use /app/generated_files/ exclusively — no relative paths or /tmp
Require explicit file verification via os.path.exists() after save
Update code_interpreter tool definition with non-negotiable rules for docx, xlsx, and plot generation
Align with system-wide sticky instruction to eliminate silent failures
Remove ambiguity: all file outputs are now guaranteed to be saved, verified, and upload-ready
This change transforms file generation from error-prone to deterministic — enabling reliable, secure, production-grade document and asset creation within the sandbox.

Author: Francisco

src/api/entities_api/orchestration/instructions/definitions.py

@@ -413,7 +413,7 @@
         "All Python code execution contexts must inject the following line at the top of every script "
         "that generates files using libraries that rely on tempfile "
         "(e.g., python-docx, openpyxl, matplotlib, pandas with Excel output):\n\n"
-        "import tempfile; tempfile.tempdir = \"/app/generated_files\"\n\n"
+        'import tempfile; tempfile.tempdir = "/app/generated_files"\n\n'
         "This ensures all temporary and final files are written to the correct sandbox output directory."
     ),
     "ADVANCED_ANALYSIS": (

src/api/entities_api/orchestration/instructions/include_lists.py

@@ -1,4 +1,5 @@
-from entities_api.orchestration.instructions.definitions import LEVEL_3_WEB_USE_INSTRUCTIONS
+from entities_api.orchestration.instructions.definitions import \
+    LEVEL_3_WEB_USE_INSTRUCTIONS
 
 L2_INSTRUCTIONS = [
     "TOOL_USAGE_PROTOCOL",

src/api/entities_api/platform_tools/definitions/code_interpreter.py

@@ -3,29 +3,44 @@
     "function": {
         "name": "code_interpreter",
         "description": (
-            "Executes Python code in a sandbox. Returns stdout/stderr and uploads generated files.\n"
-            "## CRITICAL RULES:\n"
-            "1. **Syntax**: Write valid, clean Python. Do not use incomplete try/except blocks.\n"
-            "2. **Imports**: \n"
-            "   - Excel: `import pandas as pd` or `from openpyxl import Workbook`\n"
-            "   - Word: `from docx import Document` (Use `python-docx` library)\n"
-            "   - Plotting: `import matplotlib.pyplot as plt`\n"
-            "3. **File Generation**: \n"
-            "   - Save files to the current directory (e.g., `doc.save('my_file.docx')`).\n"
-            "   - DO NOT specify paths like `/tmp/` or `/mnt/`.\n"
-            "   - ALWAYS verify file creation at the end of script: `if os.path.exists('my_file.docx'): print('File saved')`\n"
-            "4. **No Input**: Functions like `input()` are disabled.\n"
-            "5. **Output**: Always `print()` the result or a success message."
+            "Executes Python code in a secure sandbox. Returns stdout/stderr and uploads generated files.\n\n"
+            "## MANDATORY SANDBOX RULES — NON-NEGOTIABLE:\n\n"
+            "### 1. TEMPFILE COMPLIANCE (REQUIRED FOR ALL FILE-GENERATING SCRIPTS)\n"
+            "   The FIRST two lines of ANY script that generates files MUST be:\n"
+            "   ```\n"
+            "   import tempfile\n"
+            '   tempfile.tempdir = "/app/generated_files"\n'
+            "   ```\n"
+            "   This applies to: python-docx, openpyxl, matplotlib, pandas Excel output, and any\n"
+            "   library that internally uses Python's `tempfile` module. Omitting this causes silent failures.\n\n"
+            "### 2. FILE I/O CONFINEMENT\n"
+            "   All file reads and writes MUST use `/app/generated_files/` as the base path.\n"
+            "   NEVER write to `/tmp`, relative paths, or any other directory.\n"
+            "   Example: `doc.save('/app/generated_files/report.docx')`\n\n"
+            "### 3. MANDATORY VERIFICATION\n"
+            "   After saving any file, you MUST verify it exists:\n"
+            "   `import os; print(os.path.exists('/app/generated_files/my_file.docx'))`\n"
+            "   If verification prints `False`, the file was not saved — correct and retry.\n\n"
+            "### 4. IMPORTS\n"
+            "   - Word docs : `from docx import Document`  (package: python-docx)\n"
+            "   - Excel     : `import openpyxl` or `import pandas as pd`\n"
+            "   - Plotting  : `import matplotlib.pyplot as plt`\n\n"
+            "### 5. NO INTERACTIVE INPUT\n"
+            "   `input()` is disabled. All values must be hardcoded or derived from context.\n\n"
+            "### 6. ALWAYS PRINT FEEDBACK\n"
+            "   Always `print()` a success message or result so execution output is visible."
         ),
         "parameters": {
             "type": "object",
             "properties": {
                 "code": {
                     "type": "string",
                     "description": (
-                        "The Python code to execute. "
-                        "If generating a .docx, ensure you use `doc = Document()` and `doc.save('filename.docx')`. "
-                        "Do not surround code with markdown backticks."
+                        "Valid Python code to execute in the sandbox. "
+                        'MUST begin with `import tempfile; tempfile.tempdir = "/app/generated_files"` '
+                        "if the script generates any files. "
+                        "All file saves MUST target `/app/generated_files/`. "
+                        "Do NOT wrap code in markdown backticks."
                     ),
                 }
             },