feat: integrate Sandbox with Agent

Author: gsird

strands-ts/package.json

@@ -6,6 +6,10 @@
   "module": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
   "type": "module",
+  "sideEffects": [
+    "./dist/src/index.node.js",
+    "./src/index.node.ts"
+  ],
   "files": [
     "dist",
     "README.md",
@@ -14,6 +18,7 @@
   "exports": {
     ".": {
       "types": "./dist/src/index.d.ts",
+      "node": "./dist/src/index.node.js",
       "default": "./dist/src/index.js"
     },
     "./models/anthropic": {

strands-ts/src/__fixtures__/register-node-defaults.ts

@@ -0,0 +1,6 @@
+import { defaultSandbox } from '../sandbox/default.js'
+import { NotASandboxLocalEnvironment } from '../sandbox/not-a-sandbox-local-environment.js'
+
+// In production, index.node.ts registers this on import. Tests don't go through that entry
+// point, so this setup file does it instead.
+defaultSandbox.set(new NotASandboxLocalEnvironment())

strands-ts/src/agent/agent.ts

@@ -89,6 +89,8 @@ import { isInterruptResponseContent, type InterruptResponseContent } from '../ty
 import { takeSnapshot as takeSnapshotInternal, loadSnapshot as loadSnapshotInternal } from './snapshot.js'
 import type { TakeSnapshotOptions } from './snapshot.js'
 import type { Snapshot } from '../types/snapshot.js'
+import type { Sandbox } from '../sandbox/base.js'
+import { defaultSandbox } from '../sandbox/default.js'
 
 /**
  * Recursive type definition for nested tool arrays.
@@ -222,6 +224,20 @@ export type AgentConfig = {
    * Defaults to `'concurrent'`. See {@link ToolExecutorStrategy} for details.
    */
   toolExecutor?: ToolExecutorStrategy
+  /**
+   * Execution environment for running commands, code, and file operations.
+   * When provided, sandbox-aware tools route operations through it.
+   *
+   * Two distinct intents, even though they resolve to the same host execution
+   * in Node today:
+   * - Omitted: use the environment's default sandbox (host execution in Node).
+   *   This default is the slot reserved for richer behavior later.
+   * - `false`: explicitly opt out of a managed sandbox and run on the host.
+   *
+   * Keep `false` distinct from omitting so the opt-out stays stable even if the
+   * default changes.
+   */
+  sandbox?: Sandbox | false
 }
 
 /** Default name assigned to agents when none is provided. */
@@ -289,6 +305,18 @@ export class Agent implements LocalAgent, InvokableAgent {
    */
   public readonly sessionManager?: SessionManager | undefined
 
+  private readonly _sandbox: Sandbox | false | undefined
+
+  /**
+   * Execution environment for running commands, code, and file operations.
+   *
+   * @throws DefaultNotConfiguredError if no sandbox is configured for this
+   * environment (e.g. browsers, where no host default is registered).
+   */
+  get sandbox(): Sandbox {
+    return this._sandbox || defaultSandbox.get()
+  }
+
   private readonly _hooksRegistry: HookRegistryImplementation
   private readonly _pluginRegistry: PluginRegistry
   private readonly _interventionRegistry: InterventionRegistry
@@ -324,6 +352,7 @@ export class Agent implements LocalAgent, InvokableAgent {
     this.id = config?.id ?? DEFAULT_AGENT_ID
     if (config?.description !== undefined) this.description = config.description
     this.sessionManager = config?.sessionManager
+    this._sandbox = config?.sandbox
 
     if (typeof config?.model === 'string') {
       this.model = new BedrockModel({ modelId: config.model })

strands-ts/src/default-slot.ts

@@ -0,0 +1,24 @@
+export class DefaultNotConfiguredError extends Error {
+  constructor(message: string) {
+    super(message)
+    this.name = 'DefaultNotConfiguredError'
+  }
+}
+
+export interface DefaultSlot<T> {
+  set(value: T): void
+  get(): T
+}
+
+export function createDefaultSlot<T>(errorMessage: string): DefaultSlot<T> {
+  let value: T | undefined
+  return {
+    set(v): void {
+      value = v
+    },
+    get(): T {
+      if (value !== undefined) return value
+      throw new DefaultNotConfiguredError(errorMessage)
+    },
+  }
+}

strands-ts/src/index.node.ts

@@ -0,0 +1,10 @@
+// Node entry point (selected by the "node" export condition in package.json).
+// Registers Node-specific defaults, then re-exports the full public API.
+// This is a load-bearing side effect -- do NOT mark this module side-effect-free
+// or bundlers will tree-shake the registrations.
+import { defaultSandbox } from './sandbox/default.js'
+import { NotASandboxLocalEnvironment } from './sandbox/not-a-sandbox-local-environment.js'
+
+defaultSandbox.set(new NotASandboxLocalEnvironment())
+
+export * from './index.js'

strands-ts/src/sandbox/__tests__/default.test.browser.ts

@@ -0,0 +1,11 @@
+import { describe, it, expect } from 'vitest'
+import { Agent } from '../../agent/agent.js'
+import { MockMessageModel } from '../../__fixtures__/mock-message-model.js'
+
+// The unit-browser project has no setupFiles registering a default sandbox,
+// mirroring a real browser where index.node.ts never loads.
+describe('Agent.sandbox getter (browser)', () => {
+  it('throws when unconfigured because no default sandbox is registered', () => {
+    expect(() => new Agent({ model: new MockMessageModel() }).sandbox).toThrow('No Sandbox configured')
+  })
+})

strands-ts/src/sandbox/__tests__/default.test.node.ts

@@ -0,0 +1,28 @@
+import { describe, it, expect } from 'vitest'
+import { Agent } from '../../agent/agent.js'
+import { MockMessageModel } from '../../__fixtures__/mock-message-model.js'
+import { NotASandboxLocalEnvironment } from '../not-a-sandbox-local-environment.js'
+import { defaultSandbox } from '../default.js'
+
+describe('default sandbox registry', () => {
+  it('returns the instance registered by the setup file', () => {
+    expect(defaultSandbox.get()).toBeInstanceOf(NotASandboxLocalEnvironment)
+  })
+})
+
+describe('Agent.sandbox getter', () => {
+  it('returns the configured sandbox when one is provided', () => {
+    const sandbox = new NotASandboxLocalEnvironment()
+    expect(new Agent({ model: new MockMessageModel(), sandbox }).sandbox).toBe(sandbox)
+  })
+
+  it('falls back to the registered default when unconfigured', () => {
+    expect(new Agent({ model: new MockMessageModel() }).sandbox).toBeInstanceOf(NotASandboxLocalEnvironment)
+  })
+
+  it('treats sandbox: false the same as unconfigured', () => {
+    expect(new Agent({ model: new MockMessageModel(), sandbox: false }).sandbox).toBeInstanceOf(
+      NotASandboxLocalEnvironment
+    )
+  })
+})

strands-ts/src/sandbox/__tests__/not-a-sandbox-local-environment.test.node.ts

@@ -0,0 +1,128 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import fs from 'fs'
+import path from 'path'
+import { NotASandboxLocalEnvironment } from '../not-a-sandbox-local-environment.js'
+
+const TEST_DIR = '/tmp/strands-test-not-a-sandbox'
+// Written relative (resolved against process.cwd()) to exercise _resolvePath; cleaned up below.
+const REL_NAME = 'strands-not-a-sandbox-rel-probe.txt'
+const REL_ABS = path.join(process.cwd(), REL_NAME)
+
+describe.skipIf(process.platform === 'win32')('NotASandboxLocalEnvironment', () => {
+  let sandbox: NotASandboxLocalEnvironment
+
+  beforeEach(() => {
+    fs.rmSync(TEST_DIR, { recursive: true, force: true })
+    fs.mkdirSync(TEST_DIR, { recursive: true })
+    sandbox = new NotASandboxLocalEnvironment()
+  })
+
+  afterEach(() => {
+    fs.rmSync(TEST_DIR, { recursive: true, force: true })
+    fs.rmSync(REL_ABS, { force: true })
+  })
+
+  describe('execute', () => {
+    it('runs a command on the host', async () => {
+      const result = await sandbox.execute('echo hello')
+      expect(result.exitCode).toBe(0)
+      expect(result.stdout).toBe('hello\n')
+    })
+
+    it('respects the cwd option', async () => {
+      const result = await sandbox.execute('pwd', { cwd: TEST_DIR })
+      expect(result.stdout.trim()).toBe(TEST_DIR)
+    })
+
+    it('reports a non-zero exit code and stderr from a failing command', async () => {
+      const result = await sandbox.execute('echo oops >&2; exit 3')
+      expect(result.exitCode).toBe(3)
+      expect(result.stderr).toBe('oops\n')
+    })
+  })
+
+  describe('executeCode', () => {
+    it('runs code through the named interpreter', async () => {
+      const result = await sandbox.executeCode('print(2 + 2)', 'python3', { cwd: TEST_DIR })
+      expect(result.exitCode).toBe(0)
+      expect(result.stdout).toBe('4\n')
+    })
+
+    it('rejects a language with invalid characters', async () => {
+      await expect(sandbox.executeCode('x', '../../bin/sh')).rejects.toThrow('invalid characters')
+    })
+  })
+
+  describe('read/write (native fs)', () => {
+    it('text file roundtrip via absolute path', async () => {
+      const file = path.join(TEST_DIR, 'note.txt')
+      await sandbox.writeText(file, 'hello host')
+      expect(await sandbox.readText(file)).toBe('hello host')
+    })
+
+    it('binary roundtrip preserves all byte values', async () => {
+      const file = path.join(TEST_DIR, 'all-bytes.bin')
+      const bytes = new Uint8Array(256)
+      for (let i = 0; i < 256; i++) bytes[i] = i
+      await sandbox.writeFile(file, bytes)
+      expect(Array.from(await sandbox.readFile(file))).toStrictEqual(Array.from(bytes))
+    })
+
+    it('creates missing parent directories on write', async () => {
+      const file = path.join(TEST_DIR, 'deep/nested/file.txt')
+      await sandbox.writeText(file, 'deep')
+      expect(await sandbox.readText(file)).toBe('deep')
+    })
+
+    it('throws when reading a nonexistent file', async () => {
+      await expect(sandbox.readFile(path.join(TEST_DIR, 'nope.txt'))).rejects.toThrow()
+    })
+  })
+
+  describe('removeFile', () => {
+    it('removes a file', async () => {
+      const file = path.join(TEST_DIR, 'delete-me.txt')
+      await sandbox.writeText(file, 'bye')
+      await sandbox.removeFile(file)
+      await expect(sandbox.readFile(file)).rejects.toThrow()
+    })
+
+    it('throws on a nonexistent file', async () => {
+      await expect(sandbox.removeFile(path.join(TEST_DIR, 'nope.txt'))).rejects.toThrow()
+    })
+  })
+
+  describe('listFiles', () => {
+    it('returns entries sorted by name with isDir and size metadata', async () => {
+      await sandbox.writeText(path.join(TEST_DIR, 'c.txt'), 'cc')
+      await sandbox.writeText(path.join(TEST_DIR, 'a.txt'), 'a')
+      await sandbox.writeText(path.join(TEST_DIR, 'b.txt'), 'bbb')
+      fs.mkdirSync(path.join(TEST_DIR, 'sub'))
+
+      const files = await sandbox.listFiles(TEST_DIR)
+      expect(files.map((f) => f.name)).toStrictEqual(['a.txt', 'b.txt', 'c.txt', 'sub'])
+
+      const a = files.find((f) => f.name === 'a.txt')
+      expect(a?.isDir).toBe(false)
+      expect(a?.size).toBe(1)
+      expect(files.find((f) => f.name === 'sub')?.isDir).toBe(true)
+    })
+
+    it('throws on a nonexistent directory', async () => {
+      await expect(sandbox.listFiles(path.join(TEST_DIR, 'no-such-dir'))).rejects.toThrow()
+    })
+  })
+
+  describe('_resolvePath (relative vs absolute)', () => {
+    it('writes absolute paths as-is', async () => {
+      const file = path.join(TEST_DIR, 'abs.txt')
+      await sandbox.writeText(file, 'absolute')
+      expect(fs.readFileSync(file, 'utf8')).toBe('absolute')
+    })
+
+    it('resolves relative paths against process.cwd()', async () => {
+      await sandbox.writeText(REL_NAME, 'relative')
+      expect(fs.readFileSync(REL_ABS, 'utf8')).toBe('relative')
+    })
+  })
+})

strands-ts/src/sandbox/default.ts

@@ -0,0 +1,6 @@
+import type { Sandbox } from './base.js'
+import { createDefaultSlot } from '../default-slot.js'
+
+export const defaultSandbox = createDefaultSlot<Sandbox>(
+  'No Sandbox configured. Pass a `sandbox` to the Agent to use sandbox features in this environment.'
+)

strands-ts/src/sandbox/not-a-sandbox-local-environment.ts

@@ -0,0 +1,81 @@
+import { readFile, writeFile, unlink, mkdir, readdir, stat } from 'fs/promises'
+import { dirname, isAbsolute, join } from 'path'
+import { Sandbox } from './base.js'
+import type { ExecuteOptions } from './base.js'
+import { LANGUAGE_PATTERN } from './constants.js'
+import { streamProcess } from './stream-process.js'
+import type { ExecutionResult, FileInfo, StreamChunk } from './types.js'
+import { shellQuote } from './posix-shell.js'
+
+/**
+ * Runs on the host with no isolation. Used as the default when no sandbox is configured.
+ */
+export class NotASandboxLocalEnvironment extends Sandbox {
+  private _resolvePath(path: string): string {
+    return isAbsolute(path) ? path : join(process.cwd(), path)
+  }
+
+  async *executeStreaming(
+    command: string,
+    options?: ExecuteOptions
+  ): AsyncGenerator<StreamChunk | ExecutionResult, void, undefined> {
+    const cwd = options?.cwd ?? process.cwd()
+    yield* streamProcess('sh', ['-c', `cd ${shellQuote(cwd)} && ${command}`], {
+      timeout: options?.timeout,
+      signal: options?.signal,
+    })
+  }
+
+  async *executeCodeStreaming(
+    code: string,
+    language: string,
+    options?: ExecuteOptions
+  ): AsyncGenerator<StreamChunk | ExecutionResult, void, undefined> {
+    if (!LANGUAGE_PATTERN.test(language)) {
+      throw new Error(`language parameter contains invalid characters: ${language}`)
+    }
+    const cwd = options?.cwd ?? process.cwd()
+    const encoded = btoa(Array.from(new TextEncoder().encode(code), (b) => String.fromCharCode(b)).join(''))
+    const eof = `STRANDS_EOF_${crypto.randomUUID().slice(0, 16)}`
+    yield* streamProcess(
+      'sh',
+      ['-c', `cd ${shellQuote(cwd)} && base64 -d << '${eof}' | ${language}\n${encoded}\n${eof}`],
+      {
+        timeout: options?.timeout,
+        signal: options?.signal,
+        enoentMessage: `Language interpreter not found: ${language}`,
+      }
+    )
+  }
+
+  async readFile(path: string): Promise<Uint8Array> {
+    return readFile(this._resolvePath(path))
+  }
+
+  async writeFile(path: string, content: Uint8Array): Promise<void> {
+    const fullPath = this._resolvePath(path)
+    await mkdir(dirname(fullPath), { recursive: true })
+    await writeFile(fullPath, content)
+  }
+
+  async removeFile(path: string): Promise<void> {
+    await unlink(this._resolvePath(path))
+  }
+
+  async listFiles(path: string): Promise<FileInfo[]> {
+    const fullPath = this._resolvePath(path)
+    const entries = await readdir(fullPath, { withFileTypes: true })
+    const results: FileInfo[] = []
+
+    for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
+      try {
+        const entryStat = await stat(join(fullPath, entry.name))
+        results.push({ name: entry.name, isDir: entryStat.isDirectory(), size: entryStat.size })
+      } catch {
+        results.push({ name: entry.name })
+      }
+    }
+
+    return results
+  }
+}