Skip to main content
A coding agent with sandbox tools that run directly on your machine — no Docker required. Since there’s no container isolation, exec security defaults to approval-always and file operations use path_restriction to confine access to the workspace directory.

Create local sandbox tools

import os
from polos import (
    Agent, max_steps, MaxStepsConfig,
    sandbox_tools, SandboxToolsConfig, LocalEnvironmentConfig,
)

workspace_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), "workspace")

# Create sandbox tools that run locally on the host
tools = sandbox_tools(
    SandboxToolsConfig(
        env="local",
        local=LocalEnvironmentConfig(
            cwd=workspace_dir,
            path_restriction=workspace_dir,  # prevent file access outside workspace
        ),
        # Exec defaults to 'approval-always' for local mode.
        # Write and edit also require approval (file_approval defaults to 'always').
        # You can override these defaults:
        #
        # exec=ExecToolConfig(
        #     security="allowlist",
        #     allowlist=["node *", "cat *", "ls *", "ls", "echo *"],
        # ),
        # file_approval="none",  # disable write/edit approval
    )
)

Define the agent

coding_agent = Agent(
    id="local_coding_agent",
    provider="anthropic",
    model="claude-sonnet-4-5",
    system_prompt=(
        f"You are a coding agent with access to the local filesystem. "
        f"You can create files, edit code, run shell commands, and search the codebase. "
        f"Your workspace is at {workspace_dir}. "
        f"Use the tools to complete the task, then summarize what you did and show the output. "
        f"Always verify your work by running the code after writing it. "
        f"In your final response, include the actual output from running the code."
    ),
    tools=tools,
    stop_conditions=[max_steps(MaxStepsConfig(count=30))],
)

Security model

OperationBehavior
exec (shell commands)Always requires approval
write, edit (file modifications)Always requires approval
read, glob, grep within workspaceRuns freely
read, glob, grep outside workspaceRequires approval
Symlink traversal is blocked when path_restriction is set, preventing the agent from escaping the workspace via symlinks.

Comparison with Docker sandbox

FeatureDocker (env: 'docker')Local (env: 'local')
IsolationContainerNone (host machine)
Exec security defaultNo check (sandbox provides isolation)approval-always
File accessVia bind mountDirect filesystem
Path restrictionContainer boundarypathRestriction config
Requires DockerYesNo
PerformanceContainer overheadNative speed

Run it

git clone https://github.com/polos-dev/polos.git
cd polos/python-examples/21-local-sandbox
cp .env.example .env
uv sync
python worker.py      # Terminal 1
python main.py        # Terminal 2
Every shell command the agent tries to run will pause and ask for your approval in the terminal. File write/edit operations also require approval. Read-only operations run freely within the workspace. Open http://localhost:5173 to view your agents and workflows, run them from the UI, and see execution traces. Python example on GitHub | TypeScript example on GitHub