Sandbox & Security
Anvil can verify generated code in a sandbox environment before saving it, protecting against malicious or dangerous code.
Verified Mode
Section titled “Verified Mode”Enable sandbox verification:
from anvil import Anvil
anvil = Anvil(verified_mode=True)
# Generated code is now verified before savingtool = anvil.use_tool(name="risky_tool", intent="Do something risky")When verified mode is enabled:
- Code is generated as usual
- Static analysis checks for dangerous patterns
- Code is executed in a sandbox
- Only if verification passes is the code saved
Sandbox Drivers
Section titled “Sandbox Drivers”Anvil supports two sandbox drivers:
Docker Sandbox (Recommended)
Section titled “Docker Sandbox (Recommended)”Full isolation using Docker containers:
# Automatically used if Docker is availableanvil = Anvil(verified_mode=True)
# Check sandbox statusstatus = anvil.get_sandbox_status()print(status["active_driver"]) # "docker" or "local"Requires Docker to be installed and running.
Local Sandbox (Fallback)
Section titled “Local Sandbox (Fallback)”Restricted execution environment without Docker:
- Uses static analysis to block dangerous code
- Less secure than Docker
- Always available
Security Policies
Section titled “Security Policies”Customize what generated code can do:
from anvil import Anvilfrom anvil.sandbox import SecurityPolicy
policy = SecurityPolicy( # Network access allow_network=True, allowed_hosts=["api.example.com", "*.github.com"],
# Filesystem access allow_filesystem_read=True, allow_filesystem_write=False, allowed_paths=["/tmp", "./data"],
# System access allow_subprocess=False, allow_env_access=True,
# Resource limits max_memory_mb=256, max_cpu_seconds=30.0, max_output_size_kb=1024,)
anvil = Anvil( verified_mode=True, security_policy=policy,)Policy Options
Section titled “Policy Options”| Option | Default | Description |
|---|---|---|
allow_network | False | Allow network requests |
allowed_hosts | None | Whitelist of allowed hosts |
allow_filesystem_read | True | Allow reading files |
allow_filesystem_write | False | Allow writing files |
allowed_paths | None | Whitelist of filesystem paths |
allow_subprocess | False | Allow subprocess execution |
allow_env_access | True | Allow reading environment variables |
max_memory_mb | 256 | Maximum memory usage |
max_cpu_seconds | 30.0 | Maximum CPU time |
max_output_size_kb | 1024 | Maximum output size |
Blocked Patterns
Section titled “Blocked Patterns”Static analysis blocks dangerous code patterns:
Blocked Imports
Section titled “Blocked Imports”# These imports are blocked by default:import subprocess # System command executionimport multiprocessing # Process spawningimport ctypes # Low-level memory accessimport socket # Raw network accessimport paramiko # SSH accessimport fabric # Remote executionimport shutil # File operations (if filesystem write disabled)Blocked Functions
Section titled “Blocked Functions”# These functions are blocked:eval("...") # Dynamic code executionexec("...") # Dynamic code executioncompile("...") # Code compilation__import__("...") # Dynamic importsgetattr(obj, "...") # Reflectionsetattr(obj, "...") # Reflectiondelattr(obj, "...") # Reflectionglobals() # Global namespace accesslocals() # Local namespace accessDangerous OS Calls
Section titled “Dangerous OS Calls”# These os module calls are blocked:os.system("...") # Shell executionos.popen("...") # Process creationos.spawn*() # Process spawningos.exec*() # Process replacementManual Verification
Section titled “Manual Verification”Verify a tool’s code manually:
anvil verify my_toolOutput:
🔍 Verifying: my_tool
Sandbox: docker
✓ Code passed verification! Duration: 45.2msOr via API:
result = anvil.sandbox.verify_code("""import requests
def run(url): return requests.get(url).json()""")
if result.success: print("Code is safe")else: print(f"Violations: {result.security_violations}")Verification Results
Section titled “Verification Results”The SandboxResult object contains:
result = anvil.sandbox.verify_code(code)
print(result.success) # True/Falseprint(result.output) # Execution outputprint(result.error) # Error message if failedprint(result.duration_ms) # Execution timeprint(result.security_violations) # List of violationsDocker Configuration
Section titled “Docker Configuration”When using Docker sandbox:
# Docker sandbox configuration is automatic# It uses the python:3.11-slim image
# Check if Docker is availablefrom anvil.sandbox import DockerSandboxdocker = DockerSandbox()print(docker.is_available()) # True/FalseSandbox Status
Section titled “Sandbox Status”Check the current sandbox configuration:
status = anvil.get_sandbox_status()print(status)# {# "enabled": True,# "active_driver": "docker",# "docker_available": True,# "policy": {...}# }When to Use Verified Mode
Section titled “When to Use Verified Mode”Enable for:
- Production environments
- Multi-tenant systems
- Untrusted intents or documentation URLs
- Compliance requirements
Skip for:
- Development/testing
- Trusted internal tools
- Performance-critical applications (adds latency)
Security Considerations
Section titled “Security Considerations”1. Defense in Depth
Section titled “1. Defense in Depth”Sandbox verification is one layer. Also use:
- API key rotation
- Network segmentation
- Least-privilege access
2. Review Generated Code
Section titled “2. Review Generated Code”Even with verification, review critical tools:
code = anvil.get_tool_code("critical_tool")print(code) # Manual review3. Eject Verified Tools
Section titled “3. Eject Verified Tools”For production, eject and lock down critical tools:
# Generate and verifytool = anvil.use_tool(name="production_tool", intent="...")
# Review the codeprint(anvil.get_tool_code("production_tool"))
# Eject to prevent changes# Edit ANVIL-MANAGED: false in the file