Code Genesis supports shell script execution within a sandbox

Author: vinci-grape

projects/code_genesis/README.md

@@ -19,25 +19,15 @@ This project needs to be used together with ms-agent.
   cd ms-agent
   ```
 
-2. Prepare python environment (python>=3.10) with conda:
+2. Build the Docker sandbox image (requires Docker):
 
   ```shell
-  conda create -n code_genesis python==3.11
-  conda activate code_genesis
-  pip install -r ./requirements.txt
+  bash projects/code_genesis/tools/build_sandbox_image.sh
   ```
 
-3. Prepare npm environment, following https://nodejs.org/en/download. If you are using Mac, using Homebrew is recommended: https://formulae.brew.sh/formula/node
+  This builds a `code-genesis-sandbox:version1` image containing Python 3.12, Node.js 20, npm, git and curl. All shell commands from the agents run inside this container for security isolation.
 
-Make sure your installation is successful:
-
-```shell
-npm --version
-```
-
-Make sure the npm installation is successful, or the npm install/build/dev will fail and cause an infinite loop.
-
-4. Run:
+3. Run:
 
 ```shell
 PYTHONPATH=. openai_api_key=your-api-key openai_base_url=your-api-url python ms_agent/cli/cli.py run --config projects/code_genesis --query 'make a demo website' --trust_remote_code true

projects/code_genesis/coding.yaml

@@ -103,11 +103,10 @@ prompt:
     8. When fixing issues and updating files:
     Call the `edit_file` tool or `write_file` tool, after fixing issues there's no need to check by yourself, the lsp tool will check and report issues.
 
-    9. You can use the shell to debug problems:
+    9. You can use the shell_executor to debug problems:
 
     Example:
-    # Find all fields of a class
-    execute_single(command='python -c "from module import MyClass; print(vars(MyClass))"')
+    shell_executor(command='python -c "from module import MyClass; print(vars(MyClass))"')
 
     Your optimization goals:
     1. [Priority] Output the most accurate code implementation at once, without hallucinations or incorrect references.
@@ -128,8 +127,25 @@ tools:
       base_url: https://api.morphllm.com/v1
   plugins:
     - workflow/api_search
-  shell:
+  code_executor:
     mcp: false
+    sandbox:
+      mode: local
+      type: docker_notebook
+      image: code-genesis-sandbox:version1
+      working_dir: /data
+      timeout: 180
+      memory_limit: "2g"
+      cpu_limit: 2.0
+      network_enabled: true
+      tools_config:
+        shell_executor: {}
+    exclude:
+      - notebook_executor
+      - python_executor
+      - file_operation
+      - reset_executor
+      - get_executor_info
 
 pre_import_check: true
 post_import_check: true

projects/code_genesis/install.yaml

@@ -34,7 +34,7 @@ prompt:
       - Avoid installing development tools (like eslint, prettier) unless they are essential for the project to function
       - If the framework description states "No Framework" or "No external dependencies", do NOT create or install unnecessary dependencies
 
-    2. After writing dependency files (if needed), you should proactively call shell tools to install dependencies ONLY if:
+    2. After writing dependency files (if needed), you should proactively call the shell_executor tool to install dependencies ONLY if:
       - The project has runtime dependencies that are required for execution
       - The project explicitly requires build tools or package managers
       - Do NOT install dependencies for simple vanilla web projects that can run without them
@@ -47,16 +47,30 @@ prompt:
 max_chat_round: 20
 
 tools:
-  shell:
+  code_executor:
     mcp: false
-    timeout: 180
+    sandbox:
+      mode: local
+      type: docker_notebook
+      image: code-genesis-sandbox:version1
+      working_dir: /data
+      timeout: 180
+      memory_limit: "2g"
+      cpu_limit: 2.0
+      network_enabled: true
+      tools_config:
+        shell_executor: {}
+    exclude:
+      - notebook_executor
+      - python_executor
+      - file_operation
+      - reset_executor
+      - get_executor_info
 
   file_system:
     mcp: false
     include:
       - read_file
       - write_file
 
-tool_call_timeout: 120
-
 help: |

projects/code_genesis/refine.yaml

@@ -61,7 +61,7 @@ prompt:
       * Compress the workspace subdirectory into a zip file and name it workspace.zip in the workspace_dir
       * Once the project is working, use the EdgeOne Pages MCP tools to deploy it
       * Follow the deployment documentation provided in the user message
-      * When calling the deployment tool, first use the shell command `pwd` to get the current working directory path, then use "<current_path>/workspace.zip" as the builtFolderPath parameter
+      * When calling the deployment tool, first use the shell_executor with command `pwd` to get the current working directory path, then use "<current_path>/workspace.zip" as the builtFolderPath parameter
 
     5. If everything is OK, you may exit
       * Ignore warnings like unused variables; they don't affect runtime behavior
@@ -72,9 +72,25 @@ prompt:
     2. [Secondary] Use as few tokens as possible
 
 tools:
-  shell:
+  code_executor:
     mcp: false
-    timeout: 10
+    sandbox:
+      mode: local
+      type: docker_notebook
+      image: code-genesis-sandbox:version1
+      working_dir: /data
+      timeout: 180
+      memory_limit: "2g"
+      cpu_limit: 2.0
+      network_enabled: true
+      tools_config:
+        shell_executor: {}
+    exclude:
+      - notebook_executor
+      - python_executor
+      - file_operation
+      - reset_executor
+      - get_executor_info
   file_system:
     mcp: false
     include:

projects/code_genesis/tools/build_sandbox_image.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Build Docker sandbox image for code_genesis
+# Includes Python + Node.js for full-stack project support
+
+set -e
+
+IMAGE_NAME="code-genesis-sandbox"
+IMAGE_TAG="version1"
+
+echo "Building code-genesis sandbox Docker image..."
+
+docker pull python:3.12-slim
+
+cat > Dockerfile.sandbox << 'EOF'
+FROM python:3.12-slim
+
+# Install system dependencies and Node.js
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    git \
+    build-essential \
+    && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install Jupyter kernel gateway (required by sandbox)
+RUN pip install --no-cache-dir \
+    jupyter_kernel_gateway \
+    jupyter_client \
+    ipykernel
+
+# Install Python kernel
+RUN python -m ipykernel install --sys-prefix --name python3 --display-name "Python 3"
+
+WORKDIR /data
+
+EXPOSE 8888
+CMD ["jupyter", "kernelgateway", "--KernelGatewayApp.ip=0.0.0.0", "--KernelGatewayApp.port=8888", "--KernelGatewayApp.allow_origin=*"]
+EOF
+
+echo "Building Docker image: ${IMAGE_NAME}:${IMAGE_TAG}"
+docker build -f Dockerfile.sandbox -t "${IMAGE_NAME}:${IMAGE_TAG}" .
+
+rm Dockerfile.sandbox
+
+echo "Done: ${IMAGE_NAME}:${IMAGE_TAG}"
+echo "Contains: Python 3.12, Node.js 20, npm, git, curl"

projects/code_genesis/workflow/refine.py

@@ -107,10 +107,10 @@ async def run(self, messages, **kwargs):
                 f'Tech stack (framework.txt): {framework}\n'
                 f'Communication protocol (protocol.txt): {protocol}\n'
                 f'File list:\n{file_info}\n'
-                # f'Your shell tool workspace_dir is {self.output_dir}; '
-                f'all tools should use this directory as the current working directory.\n'
+                f'The shell_executor runs inside a Docker sandbox. '
+                f'Project files are at the current working directory (/data). '
+                f'All relative paths work directly.\n'
                 f'When creating the deployment zip file, name it workspace.zip.\n'
-                f'Python executable: {sys.executable}\n'
                 f'Please refine the project and deploy it to EdgeOne Pages:'),
         ]
         return await super().run(messages, **kwargs)