Skip to content

docs: document safer execution patterns#1393

Open
akihikokuroda wants to merge 3 commits into
generative-computing:mainfrom
akihikokuroda:issue1310
Open

docs: document safer execution patterns#1393
akihikokuroda wants to merge 3 commits into
generative-computing:mainfrom
akihikokuroda:issue1310

Conversation

@akihikokuroda

@akihikokuroda akihikokuroda commented Jul 14, 2026

Copy link
Copy Markdown
Member

Pull Request

Issue

Fix: #1310

Description

Testing

  • Tests added to the respective file if code was changed
  • New code has 100% coverage if code was added
  • Ensure existing tests and github automation passes (a maintainer will kick off the github automation when the rest of the PR is populated)

Attribution

  • AI coding assistants used

Adding a new component, requirement, sampling strategy, or tool?

If your PR adds or modifies one of the types below, check the matching box. A checklist of type-specific review items will be posted as a comment.

  • Component
  • Requirement
  • Sampling Strategy
  • Tool

NOTE: Please ensure you have an issue that has been acknowledged by a core contributor and routed you to open a pull request against this repository. Otherwise, please open an issue before continuing with this pull request.

Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
@akihikokuroda akihikokuroda requested a review from a team as a code owner July 14, 2026 20:27
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jul 14, 2026
Comment on lines +209 to +213
policy=CapabilityPolicy(
timeout=30, # Kill after 30 seconds
network_access=False, # No network access
package_installation=False, # No pip install
),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked at the docstring for CapabilityPolicy; I see:

    The enforcement gap — the difference between what is *declared* and what is
    *actively enforced at runtime* — is made explicit through per-field
    `ENFORCED_*` class attributes.  Callers and UX layers can read these to
    decide whether to prompt the user ("allow once / allow always") or display
    a warning.

    .. warning::
        **Most fields are declarative only and are not enforced at runtime.**
        Setting `network_access=False`, `package_installation=False`,
        `subprocess_execution=False`, or `env_var_access=False` does *not*
        block those capabilities in the current implementation — the declared
        value is informational only.  Check the `ENFORCED_*` class attributes
        to see what is actively enforced.  For stronger isolation use a
        `"docker"` execution tier.

        `filesystem_read_roots` and `filesystem_write_roots` emit a
        :class:`UserWarning` at construction time when set to a non-`None`
        value, because those restrictions are also unenforced.

If this is true and these things aren't enforced, then I don't think we should advertise them as such in these examples / code snippets. If these things are enforced, please change the CapabilityPolicy docstring.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code snippet is updated.

  1. Added a clarifying comment explaining that most policy fields are declared only, not enforced
  2. Updated inline comments to explicitly distinguish between enforced fields (timeout, max_output_chars) and declared-only fields (network_access, package_installation)
  3. Referenced the escape hatch (CapabilityPolicy.ENFORCED_* class attributes) so readers know how to check what's enforced

Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Comment thread docs/examples/requirements/README.md Outdated
|------|-----------|-------|----------|
| `"static"` | Analysis only (no execution) | Fastest | Fast validation before execution |
| `"local_unsafe"` | None (direct subprocess) | Fast | Trusted code only, max performance |
| `"local"` | None (policy control only) | Fast | Trusted code with resource limits (timeout, memory) |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likely should be (timeout, sdtoutput limits) - I don't think we restrict memory anywhere via policy even in the docker tier.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! it is corrected.

Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Document safer execution patterns with execution_tier="docker" for untrusted code

3 participants