19 - Exec Security

import os
from polos import (
    Agent, max_steps, MaxStepsConfig,
    sandbox_tools, SandboxToolsConfig, DockerEnvironmentConfig, ExecToolConfig,
    create_ask_user_tool,
)

workspace_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), "workspace")

# Sandbox tools with exec security -- only allowlisted commands run
# without approval. Everything else suspends for the user to decide.
tools = sandbox_tools(
    SandboxToolsConfig(
        env="docker",
        docker=DockerEnvironmentConfig(
            image="node:20-slim",
            workspace_dir=workspace_dir,
            network="bridge",
        ),
        exec=ExecToolConfig(
            security="allowlist",
            allowlist=[
                "node *",   # allow running node scripts
                "cat *",    # allow reading files
                "echo *",   # allow echo
                "ls *",     # allow listing
                "ls",       # allow bare ls
            ],
        ),
    )
)

# Ask-user tool -- lets the agent ask the user questions during execution
ask_user = create_ask_user_tool()

coding_agent = Agent(
    id="secure_coding_agent",
    provider="anthropic",
    model="claude-sonnet-4-5",
    system_prompt=(
        "You are a coding agent with access to a sandbox environment. "
        "You can create files, edit code, run shell commands, and search the codebase. "
        "The workspace is at /workspace inside the container. "
        "Some commands may need user approval before running. If a command is rejected, "
        "read the user feedback in the error output and adjust your approach accordingly. "
        "Always verify your work by running the code after writing it. "
        "If you need clarification or a decision from the user, use the ask_user tool."
    ),
    tools=[*tools, ask_user],
    stop_conditions=[max_steps(MaxStepsConfig(count=30))],
    conversation_history=50,
)

async for suspend in stream_events(client, handle):
    if suspend["step_key"].startswith("approve_exec"):
        # Show command and ask for approval
        form = suspend["data"].get("_form", {})
        context = form.get("context", {})
        command = context.get("command", "unknown")

        print(f"  Command: {command}")
        approved = input("  Approve? (y/n): ").strip().lower() == "y"

        feedback = None
        if not approved:
            feedback = input("  Feedback: ").strip() or None

        resume_data = {"approved": approved, "allow_always": False}
        if feedback:
            resume_data["feedback"] = feedback

        await client.resume(
            suspend_workflow_id=handle.root_workflow_id,
            suspend_execution_id=handle.id,
            suspend_step_key=suspend["step_key"],
            data=resume_data,
        )

git clone https://github.com/polos-dev/polos.git
cd polos/python-examples/19-exec-security
cp .env.example .env
uv sync
python worker.py      # Terminal 1
python main.py        # Terminal 2