jeevesagent.security.sandbox.filesystem

Path-aware sandbox.

Wraps a ToolHost and rejects tool calls whose path-typed arguments resolve outside a configured set of allowed roots. Detection is configurable:

  • Pass path_args=("path", "destination", ...) to validate exactly those argument names.

  • Otherwise the sandbox auto-detects: any string argument whose name is in DEFAULT_PATH_ARG_NAMES or whose value contains a path separator (/ or \) is treated as a path.

Symlinks are resolved before the containment check so an attacker can’t bypass the sandbox by symlinking /etc/passwd into the allowed root.
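The containment rule above, shown as an added, stand-alone illustration (not jeevesagent's own code): `is_path_arg`, `is_contained` and `rejected_args` are assumed names, the contents of `DEFAULT_PATH_ARG_NAMES` are assumed, relative paths resolve against the current working directory, and the demo builds a temporary root with a constructed symlink escape to show that it is rejected.

```python
from __future__ import annotations
from pathlib import Path
import tempfile

# Assumed contents; the real frozenset lives in the module and is not shown on this page.
DEFAULT_PATH_ARG_NAMES = frozenset({"path", "file", "filename", "directory", "destination", "source"})

def is_path_arg(name: str, value: object, path_args: frozenset[str] | None = None) -> bool:
    """Explicit path_args wins; otherwise auto-detect by name or by a '/' or '\\' in the value."""
    if not isinstance(value, str):
        return False
    if path_args is not None:
        return name in path_args
    return name in DEFAULT_PATH_ARG_NAMES or "/" in value or "\\" in value

def is_contained(value: str, roots: list[Path]) -> bool:
    """Resolve symlinks and '..' first, then test containment lexically against resolved roots."""
    target = Path(value).resolve()
    return any(target == root or root in target.parents for root in roots)

def rejected_args(args: dict, roots, path_args: frozenset[str] | None = None) -> list[str]:
    """Names of path-typed arguments that escape every root; an empty list means the call may proceed."""
    resolved_roots = [Path(r).resolve() for r in roots]
    return [n for n, v in args.items()
            if is_path_arg(n, v, path_args) and not is_contained(v, resolved_roots)]

def demo() -> dict[str, list[str]]:
    """Constructed scenario: a workspace root, a file outside it, and a symlink into that file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "workspace"); root.mkdir()
        secret = Path(tmp, "secret.txt"); secret.write_text("outside the sandbox")
        (root / "notes.txt").write_text("inside")
        (root / "link").symlink_to(secret)  # the escape attempt the symlink resolution defeats
        return {
            "inside":     rejected_args({"path": str(root / "notes.txt")}, [root]),
            "dotdot":     rejected_args({"path": str(root / ".." / "secret.txt")}, [root]),
            "symlink":    rejected_args({"path": str(root / "link")}, [root]),
            "explicit":   rejected_args({"note": "a/b", "dest": str(secret)}, [root],
                                        path_args=frozenset({"dest"})),
            "autodetect": rejected_args({"note": "a/b", "count": 3}, [root]),
        }
```

With explicit `path_args`, `note` is never inspected even though it contains a separator; in auto-detect mode it is, and the non-string `count` is ignored.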

Attributes

Classes

FilesystemSandbox

Restrict a tool host's path-typed arguments to declared roots.

Module Contents

class jeevesagent.security.sandbox.filesystem.FilesystemSandbox(inner: jeevesagent.core.protocols.ToolHost, *, roots: collections.abc.Iterable[str | pathlib.Path], path_args: collections.abc.Iterable[str] | None = None, auto_detect: bool = True)

Restrict a tool host's path-typed arguments to declared roots.

async call(tool: str, args: collections.abc.Mapping[str, Any], *, call_id: str = '') → jeevesagent.core.types.ToolResult
async list_tools(*, query: str | None = None) → list[jeevesagent.core.types.ToolDef]
async watch() → collections.abc.AsyncIterator[jeevesagent.core.types.ToolEvent]
property inner: jeevesagent.core.protocols.ToolHost
property roots: tuple[pathlib.Path, ...]
jeevesagent.security.sandbox.filesystem.DEFAULT_PATH_ARG_NAMES: frozenset[str]