agent-leash 0.3.0__py3-none-any.whl

agent_leash-0.3.0.dist-info/METADATA

@@ -0,0 +1,18 @@
+Metadata-Version: 2.4
+Name: agent-leash
+Version: 0.3.0
+Summary: Isolated sandbox for AI coding agents
+Project-URL: Repository, https://github.com/mathieu-lacage/agent-leash.git
+Project-URL: Issues, https://github.com/mathieu-lacage/agent-leash/issues
+Author-email: Mathieu Lacage <mathieu.lacage@cutebugs.net>
+Maintainer-email: Mathieu Lacage <mathieu.lacage@cutebugs.net>
+License-Expression: MIT
+License-File: LICENSE
+Requires-Python: >=3.11
+Requires-Dist: aiosqlite>=0.20
+Requires-Dist: click>=8.1
+Requires-Dist: fastapi>=0.111
+Requires-Dist: httpx>=0.27
+Requires-Dist: mitmproxy>=10.3
+Requires-Dist: uvicorn[standard]>=0.29
+Provides-Extra: dev

agent_leash-0.3.0.dist-info/RECORD

@@ -0,0 +1,17 @@
+aleash/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+aleash/bwrap.py,sha256=9U5SyPF1fYgYkpabajoeZEzWQPOYXNI7kY5cUBvPPWo,5953
+aleash/cli.py,sha256=Eh-gZfCYECanyQ-UFawlFeckOFRcdSs1DVoG6HMYuKo,5666
+aleash/db.py,sha256=uC8GKvNpZ6CalfQE4AHhv5TKC-8VddKVa4RX6Wzo6jg,7189
+aleash/profiles.py,sha256=qos28gB5ENG_NskzHi-Hb2dllpQm3OnT4Yt_pBT7264,1695
+aleash/proxy_addon.py,sha256=sYaCWzHI0eQlg9exUjKhYnO9nEkLcEIkA4ZwHXM4JL8,1617
+aleash/runner.py,sha256=9LjjXtGV09BFSV9Mpuvn6zXSrIWA7g9MKkg5ZW1-48I,17333
+aleash/server.py,sha256=seXOrBNY5JQZnUTgdOpjla5Qktndtc-Mf3qtcFzpCJc,20061
+aleash/services.py,sha256=jkrLMfxaSujhbyN9Y4yPmphBxsLxiBO9_W_4M6dx2DI,3910
+aleash/static/index.html,sha256=x36JhTRMoots4Q-rbxYCsGf5-WBSSc0SNd4VzLO0Tl4,371
+aleash/static/assets/index-DZWOxijS.css,sha256=vfJ5yOABrOLquigwEjeWQGWNHqTahGv1ISCYFEuVmw8,10985
+aleash/static/assets/index-gPIKKcCv.js,sha256=LDpUiEBOlfQqThu54BQMFOvX0suTpoFYi5rBA1Fs71A,374291
+agent_leash-0.3.0.dist-info/METADATA,sha256=Yw1kS13v8UEhIqiMYiEYuchDr-xkQQ7G4vnRueS9ddY,647
+agent_leash-0.3.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+agent_leash-0.3.0.dist-info/entry_points.txt,sha256=doBYgl7_2fdgFoWYPvnrMycQvk0Un4QTYjlTOA4E4PY,43
+agent_leash-0.3.0.dist-info/licenses/LICENSE,sha256=zbOaTPxyhqlr08nomI4PGYiGhr4reJUD-WyR4lSUBn4,1071
+agent_leash-0.3.0.dist-info/RECORD,,

agent_leash-0.3.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

agent_leash-0.3.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+aleash = aleash.cli:main

agent_leash-0.3.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mathieu Lacage
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aleash/bwrap.py

@@ -0,0 +1,218 @@
+import os
+from pathlib import Path
+
+from .profiles import Profile
+
+# Prefixes already mounted inside the sandbox — binary paths under these need no extra bind.
+_MOUNTED_PREFIXES = (
+    "/usr",
+    "/etc",
+    "/lib",
+    "/lib64",
+    "/lib32",
+    "/sys",
+    "/run",
+    "/dev",
+    "/proc",
+    str(Path.home() / ".local" / "bin"),
+)
+
+# Real host-path bind mounts from the fixed section of build_bwrap_argv.
+# Excludes --tmpfs, --proc, --symlink, and internal sockets/certs.
+# Used by the server to display system mounts without duplicating this list.
+SYSTEM_BIND_DISPLAY: list[tuple[str, str, str]] = [
+    ("/dev", "/dev", "rw"),
+    ("/usr", "/usr", "ro"),
+    ("/etc", "/etc", "ro"),
+    ("/lib", "/lib", "ro"),
+    ("/lib64", "/lib64", "ro"),
+    ("/lib32", "/lib32", "ro"),
+    ("/sys", "/sys", "ro"),
+]
+
+
+def _outside_mounts(path: str) -> bool:
+    return not any(path == p or path.startswith(p + "/") for p in _MOUNTED_PREFIXES)
+
+
+FLATPAK_INFO_CONTENT = """\
+[Application]
+name=fake.app.Id
+
+[Instance]
+app-id=fake.app.Id
+"""
+
+
+def _uid() -> str:
+    return str(os.getuid())
+
+
+def build_bwrap_argv(
+    profile: Profile,
+    cwd: str,
+    proxy_port: int,
+    xdg_proxy_sock: str,
+    ca_cert_path: str,
+    fake_flatpak_info: str,
+    cmd: list[str],
+    user_binds: list[tuple[str, str, str]] | None = None,
+    service_binds: list[tuple[str, str, str]] | None = None,
+    service_env: dict[str, str] | None = None,
+) -> list[str]:
+    uid = _uid()
+    ca_dest = "/tmp/aleash-ca.pem"
+    proxy_url = f"http://127.0.0.1:{proxy_port}"
+
+    args = [
+        "bwrap",
+        "--unshare-pid",
+        "--unshare-uts",
+        "--unshare-ipc",
+        "--share-net",
+        "--die-with-parent",
+        "--dev-bind",
+        "/dev",
+        "/dev",
+        "--ro-bind",
+        "/usr",
+        "/usr",
+        "--ro-bind",
+        "/etc",
+        "/etc",
+        "--ro-bind",
+        "/lib",
+        "/lib",
+        "--ro-bind-try",
+        "/lib64",
+        "/lib64",
+        "--ro-bind-try",
+        "/lib32",
+        "/lib32",
+        "--symlink",
+        "usr/bin",
+        "/bin",
+        "--symlink",
+        "usr/sbin",
+        "/sbin",
+        "--ro-bind",
+        "/sys",
+        "/sys",
+        "--tmpfs",
+        "/sys/fs/cgroup",
+        "--proc",
+        "/proc",
+        "--tmpfs",
+        f"/run/user/{uid}",
+        "--tmpfs",
+        "/tmp",
+        # CA cert: bind into /tmp (writable tmpfs, must come after --tmpfs /tmp above)
+        "--ro-bind",
+        ca_cert_path,
+        ca_dest,
+        # flatpak-info for portal auth
+        "--ro-bind",
+        fake_flatpak_info,
+        f"/run/user/{uid}/flatpak-info",
+        # xdg-dbus-proxy socket
+        "--bind",
+        xdg_proxy_sock,
+        xdg_proxy_sock,
+        # environment
+        "--setenv",
+        "http_proxy",
+        proxy_url,
+        "--setenv",
+        "HTTP_PROXY",
+        proxy_url,
+        "--setenv",
+        "https_proxy",
+        proxy_url,
+        "--setenv",
+        "HTTPS_PROXY",
+        proxy_url,
+        "--setenv",
+        "SSL_CERT_FILE",
+        ca_dest,
+        "--setenv",
+        "REQUESTS_CA_BUNDLE",
+        ca_dest,
+        "--setenv",
+        "NODE_EXTRA_CA_CERTS",
+        ca_dest,
+        "--setenv",
+        "DBUS_SESSION_BUS_ADDRESS",
+        f"unix:path={xdg_proxy_sock}",
+    ]
+
+    # Collect content binds then sort shortest-dest-first so parent RO mounts
+    # are always applied before child RW mounts. bwrap's --ro-bind uses
+    # MS_RDONLY|MS_REC which would retroactively RO any child mount that
+    # already existed — sorting prevents that.
+    content: list[tuple[str, str, str]] = []  # (flag, host, dest)
+
+    # ~/.local/bin — user-installed binaries (pipx, npm, cargo, etc.)
+    local_bin = Path.home() / ".local" / "bin"
+    if local_bin.is_dir():
+        content.append(("--ro-bind", str(local_bin), str(local_bin)))
+
+    # working directory (writable)
+    content.append(("--bind", cwd, cwd))
+
+    # profile extra binds
+    for host, dest in profile.extra_binds:
+        if Path(host).exists():
+            content.append(("--bind", host, dest))
+    for host, dest in profile.extra_ro_binds:
+        if Path(host).exists():
+            content.append(("--ro-bind", host, dest))
+
+    # profile ensure_home_dirs: bind real dirs (create if needed) into cwd/subpath
+    for rel in profile.ensure_home_dirs:
+        host_path = Path.home() / rel
+        host_path.mkdir(parents=True, exist_ok=True)
+        content.append(("--bind", str(host_path), str(Path(cwd) / rel)))
+
+    # user-configured extra binds (from .aleash-fs-binds.json)
+    for host, dest, mode in user_binds or []:
+        if Path(host).exists():
+            content.append(("--bind" if mode == "rw" else "--ro-bind", host, dest))
+
+    # service binds (from .aleash-services.json)
+    for host, dest, mode in service_binds or []:
+        if Path(host).exists():
+            content.append(("--bind" if mode == "rw" else "--ro-bind", host, dest))
+
+    content.sort(key=lambda b: len(b[2]))
+    for flag, host, dest in content:
+        args += [flag, host, dest]
+
+    args += ["--chdir", cwd]
+
+    # extra env from profile
+    for k, v in profile.extra_env.items():
+        args += ["--setenv", k, v]
+
+    # service env vars
+    for k, v in (service_env or {}).items():
+        args += ["--setenv", k, v]
+
+    # auto-bind the command binary if it lives outside already-mounted paths
+    # (e.g. ~/.local/bin/claude installed via pipx/npm)
+    binary = cmd[0]
+    if os.path.isabs(binary):
+        for p in dict.fromkeys(
+            [binary, os.path.realpath(binary)]
+        ):  # dedup, preserve order
+            if _outside_mounts(p) and os.path.exists(p):
+                args += ["--ro-bind", p, p]
+
+    args += ["--", *cmd]
+    return args
+
+
+def write_fake_flatpak_info(tmp_dir: str) -> str:
+    p = Path(tmp_dir) / "flatpak-info"
+    p.parent.mkdir(parents=True, exist_ok=True)
+    p.write_text(FLATPAK_INFO_CONTENT)
+    return str(p)

aleash/cli.py

@@ -0,0 +1,209 @@
+import asyncio
+import os
+import socket
+import sys
+from pathlib import Path
+
+import click
+
+DAEMON_DIR = Path.home() / ".aleash"
+
+
+def _free_port(preferred: int = 7612) -> int:
+    with socket.socket() as s:
+        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        try:
+            s.bind(("127.0.0.1", preferred))
+            return preferred
+        except OSError:
+            pass
+    with socket.socket() as s:
+        s.bind(("127.0.0.1", 0))
+        return s.getsockname()[1]
+
+
+def _start_server_background(port: int):
+    import threading
+    import uvicorn
+    from .server import app as _app
+
+    ready = threading.Event()
+    config = uvicorn.Config(_app, host="127.0.0.1", port=port, log_level="warning")
+    server = uvicorn.Server(config)
+
+    orig_startup = server.startup
+
+    async def _patched_startup(sockets=None):
+        await orig_startup(sockets)
+        ready.set()
+
+    server.startup = _patched_startup
+    threading.Thread(target=lambda: asyncio.run(server.serve()), daemon=True).start()
+    ready.wait(timeout=5.0)
+    return server
+
+
+@click.group()
+@click.option(
+    "--profile", default=None, metavar="PROFILE", help="Override sandbox profile."
+)
+@click.option(
+    "--browser-master",
+    is_flag=True,
+    default=False,
+    help="Let the browser control terminal size.",
+)
+@click.pass_context
+def main(ctx, profile, browser_master):
+    """Sandbox runner for AI coding agents."""
+    from . import db as _db
+
+    _db.DB_PATH = Path.cwd() / ".aleash" / "data.db"
+    ctx.ensure_object(dict)
+    ctx.obj["profile"] = profile
+    ctx.obj["browser_master"] = browser_master
+
+
+@main.command(name="list")
+def list_sandboxes():
+    """List sandboxes."""
+    import sqlite3
+    from .db import DB_PATH
+
+    if not DB_PATH.exists():
+        click.echo("No sandboxes yet.")
+        return
+    with sqlite3.connect(str(DB_PATH)) as conn:
+        conn.row_factory = sqlite3.Row
+        rows = conn.execute(
+            "SELECT * FROM sandboxes ORDER BY started_at DESC"
+        ).fetchall()
+    if not rows:
+        click.echo("No sandboxes yet.")
+        return
+    for s in rows:
+        status = "running" if s["ended_at"] is None else f"exited({s['exit_code']})"
+        click.echo(f"{s['id'][:8]}  {status:12}  {s['profile']:10}  {s['cwd']}")
+
+
+def _run_agent(
+    profile_name: str,
+    extra_args: tuple,
+    profile_override: str | None,
+    browser_master: bool = False,
+):
+    from .profiles import PROFILES
+    from .runner import run_sandbox
+
+    profile_key = profile_override or profile_name
+    if profile_key not in PROFILES:
+        click.echo(
+            f"Unknown profile '{profile_key}'. Available: {', '.join(PROFILES)}",
+            err=True,
+        )
+        sys.exit(1)
+    profile = PROFILES[profile_key]
+
+    import shutil
+
+    binary = shutil.which(profile_name)
+    if not binary:
+        click.echo(f"'{profile_name}' not found on PATH", err=True)
+        sys.exit(1)
+
+    port = _free_port()
+    server = _start_server_background(port)
+    click.echo(f"Sandbox UI available on http://localhost:{port}/")
+    import subprocess
+
+    subprocess.Popen(
+        ["xdg-open", f"http://localhost:{port}/"],
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL,
+    )
+    try:
+        exit_code = asyncio.run(
+            run_sandbox(
+                profile=profile,
+                cwd=os.getcwd(),
+                cmd=[binary, *extra_args],
+                browser_master=browser_master,
+                server_url=f"http://localhost:{port}",
+            )
+        )
+    finally:
+        server.should_exit = True
+    sys.exit(exit_code)
+
+
+@main.command(
+    context_settings={"ignore_unknown_options": True, "allow_extra_args": True}
+)
+@click.argument("extra_args", nargs=-1, type=click.UNPROCESSED)
+@click.pass_context
+def claude(ctx, extra_args):
+    """Run claude in a sandbox."""
+    _run_agent(
+        "claude",
+        extra_args,
+        ctx.obj.get("profile"),
+        ctx.obj.get("browser_master", False),
+    )
+
+
+@main.command(
+    context_settings={"ignore_unknown_options": True, "allow_extra_args": True}
+)
+@click.argument("extra_args", nargs=-1, type=click.UNPROCESSED)
+@click.pass_context
+def opencode(ctx, extra_args):
+    """Run opencode in a sandbox."""
+    _run_agent(
+        "opencode",
+        extra_args,
+        ctx.obj.get("profile"),
+        ctx.obj.get("browser_master", False),
+    )
+
+
+@main.command(
+    name="run",
+    context_settings={"ignore_unknown_options": True, "allow_extra_args": True},
+)
+@click.argument("cmd", nargs=-1, type=click.UNPROCESSED, required=True)
+@click.pass_context
+def run_cmd(ctx, cmd):
+    """Run an arbitrary command in a sandbox."""
+    from .profiles import PROFILES
+    from .runner import run_sandbox
+
+    profile = ctx.obj.get("profile") or "generic"
+    if profile not in PROFILES:
+        click.echo(
+            f"Unknown profile '{profile}'. Available: {', '.join(PROFILES)}", err=True
+        )
+        sys.exit(1)
+
+    port = _free_port()
+    server = _start_server_background(port)
+    click.echo(f"Sandbox UI available on http://localhost:{port}/")
+    import subprocess
+
+    subprocess.Popen(
+        ["xdg-open", f"http://localhost:{port}/"],
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL,
+    )
+    try:
+        exit_code = asyncio.run(
+            run_sandbox(
+                profile=PROFILES[profile],
+                cwd=os.getcwd(),
+                cmd=list(cmd),
+                browser_master=ctx.obj.get("browser_master", False),
+                server_url=f"http://localhost:{port}",
+            )
+        )
+    finally:
+        server.should_exit = True
+    sys.exit(exit_code)