Sandbox
SandboxSettings restricts what the agent can do at the filesystem and network level.
Sandbox modes
from agentix import AgentixAgentOptions, SandboxSettings

# Advisory mode (default when enabled):
# path checks enforced at the Python layer only.
# Bash subprocesses can still escape the workspace.
# Use for development / light restrictions.
options = AgentixAgentOptions(
    cwd="/home/user/project",
    sandbox=SandboxSettings(enabled=True, sandbox_mode="advisory"),
)

# Strict mode:
# Bash shell execution (action=bash) is disabled entirely.
# File-operation actions (view/create/str_replace) still work.
# Recommended for production when container-level isolation is unavailable.
options = AgentixAgentOptions(
    cwd="/home/user/project",
    sandbox=SandboxSettings(enabled=True, sandbox_mode="strict"),
)
For full OS-level isolation, run inside a container with a read-only filesystem and a restrictive seccomp/AppArmor profile.
sandbox_mode="strict" is not a substitute for container-level isolation.
SandboxSettings fields
SandboxSettings(
    enabled=True,
    sandbox_mode="advisory",  # "advisory" | "strict"
    network=None,             # SandboxNetworkConfig for SSRF rules
    workspace_root=None,      # explicit workspace root (defaults to cwd)
)
Network restrictions (SSRF protection)
WebFetch blocks requests to private/internal IPs by default (RFC-1918, link-local, loopback).
To allow specific internal ranges:
from agentix import AgentixAgentOptions, SandboxSettings, SandboxNetworkConfig

options = AgentixAgentOptions(
    sandbox=SandboxSettings(
        enabled=True,
        network=SandboxNetworkConfig(
            allow_network_ranges=["10.100.0.0/16"],  # explicit allow-list
        ),
    ),
)
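The policy described above (block RFC 1918, link-local and loopback destinations unless a range is explicitly allow-listed), written out as an added example that is not Agentix's own code. The names DEFAULT_BLOCKED, normalize and is_fetch_allowed are hypothetical, the IPv6 ranges are an assumption of this sketch, and the sample addresses are constructed.

```python
import ipaddress

# Ranges the page names as blocked by default. The IPv6 entries are an
# assumption of this sketch, not something the page states.
DEFAULT_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # link-local
    "127.0.0.0/8",                                    # loopback
    "::1/128", "fe80::/10", "fc00::/7",               # IPv6 (assumed)
)]


def normalize(ip_text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_fetch_allowed(resolved_ips, allow_network_ranges=()):
    """Return True only if every resolved address passes the policy.

    resolved_ips holds all addresses a hostname resolved to; checking
    only the first record would miss a name with mixed public/internal
    answers. Anything unparseable, or an empty answer, fails closed.
    """
    # strict=True rejects CIDRs with host bits set, so a mistyped
    # allow-list entry raises at configuration time instead of widening.
    allowed = [ipaddress.ip_network(r, strict=True)
               for r in allow_network_ranges]
    if not resolved_ips:
        return False
    for text in resolved_ips:
        try:
            ip = normalize(text)
        except ValueError:
            return False
        blocked = any(ip in net for net in DEFAULT_BLOCKED)
        if blocked and not any(ip in net for net in allowed):
            return False
    return True
```

The check has to run on the address the connection is actually made to, and again on each redirect hop; validating a hostname once and resolving it a second time for the request reopens the gap.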
Secure subprocess environment
The Bash tool spawns subprocesses with a minimal environment (safe PATH only) by default.
from agentix import AgentixAgentOptions

options = AgentixAgentOptions(
    strict_env=True,                    # minimal platform-safe environment
    env_pass_through=["DATABASE_URL"],  # opt-in specific extra vars
    env={"MY_APP_ENV": "production"},   # explicit extra vars
)
When strict_env=False (default), subprocesses inherit the full parent environment minus internal Agentix vars.