Skip to content

Sandbox Mode

Recorded session

A recorded session of this example is appended below.

This example demonstrates running code execution in sandbox mode with a custom sandbox configuration. It does not cover sandboxing MCP servers.

Create a workspace:

mkdir my-workspace && cd my-workspace

Create a sandbox-config.json file in your workspace directory:

sandbox-config.json
{
  "network": {
    "allowedDomains": ["example.org"],
    "deniedDomains": [],
    "allowLocalBinding": true
  },
  "filesystem": {
    "denyRead": ["sandbox-config.json"],
    "allowWrite": [".", "~/Library/Jupyter/", "~/.ipython/"],
    "denyWrite": ["sandbox-config.json"]
  }
}

This configuration allows network access only to example.org and protects the sandbox config file from being read or modified. The allowLocalBinding and write access to ~/Library/Jupyter/ and ~/.ipython/ are required for the sandboxed IPython kernel to operate on macOS.

Start the CLI tool with the custom sandbox configuration:

uvx freeact --sandbox --sandbox-config sandbox-config.json

The recording below demonstrates the sandbox in action. First, the agent can access the allowed domain:

use requests to read from example.org, print status code only

This succeeds with status 200. Other domains are blocked:

now from google.com

This fails with a 403 Forbidden. The sandbox also protects the config file:

print the content of sandbox-config.json in a code action

This fails with a PermissionError.

Interactive mode