Files
privateGPT/fern/docs/pages/tools/code-execution.mdx
Javier Martinez 21d42fd97a feat: code execution v4 (#2295)
* feat: add bundle to remove

* fix: spaces

* feat: add xml render as skill spec

* feat: add skill volume root to cache

* fix: deduplicate values

* fix: change the mount path to skill_id

* fix: use different paths

* feat: add principal

(cherry picked from commit 5db64fe721d5706440ce9f342b1388ffe742bc16)

# Conflicts:
#	private_gpt/components/code_execution/base.py
#	private_gpt/components/code_execution/code_execution_component.py
#	private_gpt/components/code_execution/local.py
#	private_gpt/components/environment/manager.py
#	private_gpt/components/tools/builders/bash_tool_builder.py
#	private_gpt/components/tools/builders/text_editor_tool_builder.py
#	private_gpt/components/tools/processors/bash_processor.py

* fix: mypy

...

* fix: config

* fix: sandbox config

* feat: add forward cookies

* fix: loop

* feat: add present server

* feat: add feature flag for tools

* refactor: move principal to another better place

* feat: add api key principal

* docs: fix docs

* docs: add present server

* fix: principal

* fix: mypy

* fix: avoid to block the loop

* fix: blocks in expansion

* fix: remove maximum concurrent users

...

* fix: multiplexer

* fix: readers

* fix: more fixes

...

* fix: impl

* feat: tool scheduler

* feat: add adaptative

* feat: add chat worker

* fix: config

* fix: max

* feat: add chat/tools workers

* fix: mypy

* feat: add generic scheduler

* fix: get result

* feat: do serializable the tool executor

* fix: tools

* fix: config

* fix: config

* fix: args

* fix: config

* fix: serializer

* Revert "fix: blocks in expansion"

This reverts commit a2110f94a8.

* fix: unify all logic

* feat: add ingestion scheduler

* fix: settings

* fix: config

* feat: add arq worker to chat

* fix: arq worker

* fix: add nest

* fix: mypy

* fix: await

* fix: script stress

* fix: tokenizer

* fix: chat scheduler

* fix: mypy

* fix: add async tokenizer

* fix: improve condense

* fix: tool scheduler

* feat: add initial real async chat worker

* fix: mypy

* fix: do resumable local executor

...

...

...

fix: revert usleess changes

fix: remove parent chat job

fix: refactor

fix: loop

ref: rename models

fix: chat engine

fix: mypy

...

...

...

fix: fix deps

* fix: tests

* fix: tests

* ...

* fix: stream

* fix: config

* fix: scheduler

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Handle PGPT_WORKER_MODE=celery in health check worker status

* fix: cancel

* fix: arch

* fix: test ingestion

* fix: deserialization of chat messages

* fix: broken results

* fix: mypy

* fix: test

* fix: config

* fix: remove arq tool worker

* fix: output cls

* fix: preserve early resumable tool callbacks

* fix: preserve async tool result order

* refactor: address worker PR review comments

* fix: mypy

* test: colocate ARQ chat enqueue coverage

* fix: remove redis from tests

* fix: mypy

* fix: tests

* test: isolate chat mocks and cancellation timing

* fix: tests

* fix: tests

* fix: test

(cherry picked from commit f8ee460af2)

* fix: worker config

* test: remove flaky chat cancellation assertion

(cherry picked from commit 1115ff2349)

# Conflicts:
#	tests/server/chat/test_chat_routes.py

* fix: emit chat pings from stream listeners

* fix: don't duplciate the output

* fix: rss memory

...

* fix: pass the args

* fix: threads

* fix: websearch

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-07-15 13:05:23 +02:00

213 lines
9.8 KiB
Plaintext

---
title: "Code Execution Tools"
description: "Configure the built-in server-side code execution sandbox — bash commands, file operations, resource limits, and workspace layout."
---
This page covers configuration for the built-in server-side code execution environment.
Use this together with [Built-in Tools](/api-guide/tools) for request examples and runtime usage.
---
## Supported code execution tools
The code execution subsystem provides:
| Type identifier | Role |
|---|---|
| `code_execution_v1` | Top-level wrapper — expands into `bash_v1`, `text_editor_v1`, and optionally `present_files_v1` and `present_server_v1` |
| `bash_v1` | Run arbitrary bash commands in a sandboxed subprocess |
| `text_editor_v1` | View, create, and edit files in the workspace |
| `view_v1` | View file or directory contents |
| `str_replace_v1` | Replace one exact string in a file |
| `create_v1` | Create a new file |
| `insert_v1` | Insert text after a given line |
| `present_files_v1` | Expose generated files to the caller |
| `present_server_v1` | Expose an HTTP service running in the sandbox to the caller |
Standalone endpoints are not provided for code execution tools. Use them through `/v1/messages`.
<Note>
`present_files_v1` and `present_server_v1` are server-only metadata tools that surface generated artifacts and running services to API consumers. They are enabled automatically when `code_execution_v1` is used and do not require explicit configuration.
</Note>
---
## How it works
When the model submits a `code_execution_v1` tool call, the server expands it into its constituent tools, creates or reuses a per-session sandbox, and executes the requested operations:
1. **Tool expansion** — `code_execution_v1` expands into `bash_v1`, `text_editor_v1`, and optionally `present_files_v1` and `present_server_v1`
2. **Session management** — each chat session gets an isolated workspace on the host filesystem
3. **Path translation** — canonical LLM-visible paths (`/home/agent/workspace/`) are transparently mapped to real host paths
4. **Subprocess isolation** — bash commands run as child processes with OS-level resource limits (`setrlimit`)
5. **Output scrubbing** — real host paths are removed from output before returning to the LLM
Code execution requires no external containers or Docker-in-Docker. The entire sandbox runs in the same process as the PrivateGPT server, using OS-level isolation primitives.
---
## How to install
Code execution is part of the core PrivateGPT package. No additional extras are required:
```bash
uv sync --extra core
```
No OS-level libraries or external runtimes are needed for code execution.
---
## Workspace layout
Each code execution session has a defined filesystem layout visible to the LLM:
| Directory | Canonical path | Writable | Purpose |
|---|---|---|---|
| Workspace | `/home/agent/workspace/` | Yes | Working directory — create all new files here |
| Uploads | `/mnt/user-data/uploads/` | No | Files uploaded by the user (read-only) |
| Outputs | `/mnt/user-data/outputs/` | Yes | Deliverables the user can download |
| Skills | `/skills/` | Yes | Loaded skill bundles (when skills are active) |
All canonical paths are translated to host filesystem paths automatically. The LLM only sees and uses canonical paths.
<Warning>
Attempting to write to `/mnt/user-data/uploads/` or access paths outside the workspace layout will be rejected.
</Warning>
---
## Settings reference
### `code_execution` settings
Code execution does not have a global `enabled` flag. The server always supports code execution when the tool is present in a request.
```yaml
code_execution:
provider: ${PGPT_CODE_EXECUTION_PROVIDER:local}
workspace_path: ${PGPT_CODE_EXECUTION_WORKSPACE_PATH:}
timeout: ${PGPT_CODE_EXECUTION_TIMEOUT:60}
max_output_bytes: ${PGPT_CODE_EXECUTION_MAX_OUTPUT_BYTES:1048576}
volume_root: ${PGPT_CODE_EXECUTION_VOLUME_ROOT:./local_data/private_gpt/volumes}
```
| Setting | Type | Default | Description |
|---|---|---|---|
| `code_execution.provider` | `str` | `"local"` | Code execution provider. Only `"local"` is supported by default. |
| `code_execution.workspace_path` | `str \| null` | `null` | Filesystem path for persistent workspaces. Falls back to `{local_data_folder}/code_execution_workspaces` when unset. |
| `code_execution.timeout` | `int` | `60` | Default bash execution timeout in seconds. |
| `code_execution.max_output_bytes` | `int` | `1048576` | Maximum output size returned to the LLM from code execution tools (1 MiB). Output is truncated at this limit after `output_cap_bytes`. |
| `code_execution.volume_root` | `str \| null` | `null` | Host filesystem root for session volumes. Required for Files API integration when `storage_provider` is `"local"`. |
| `code_execution.session_ttl_seconds` | `int` | `1800` | Idle TTL in seconds before a session kernel is destroyed (30 min). Workspace files are preserved. |
| `code_execution.vfs_sessions_prefix` | `str` | `"sessions"` | Path prefix inside the storage bucket for session workspace data. |
| `code_execution.storage_provider` | `"local"` or `"s3"` | `"local"` | Storage backend for session files (Files API). Use `"local"` with `volume_root` set, or `"s3"` with `s3.durable_bucket_name` set. |
### `bash` settings
Resource limits applied to each isolated bash subprocess via OS-level `setrlimit`:
```yaml
bash:
cpu_limit_seconds: ${PGPT_BASH_CPU_LIMIT_SECONDS:30}
memory_limit_mb: ${PGPT_BASH_MEMORY_LIMIT_MB:512}
fsize_limit_mb: ${PGPT_BASH_FSIZE_LIMIT_MB:10}
nproc_limit: ${PGPT_BASH_NPROC_LIMIT:50}
output_cap_bytes: ${PGPT_BASH_OUTPUT_CAP_BYTES:1048576}
```
| Setting | Type | Default | Description |
|---|---|---|---|
| `bash.cpu_limit_seconds` | `int` | `30` | CPU time limit per subprocess (`RLIMIT_CPU`). |
| `bash.memory_limit_mb` | `int` | `512` | Virtual memory limit per subprocess in MB (`RLIMIT_AS`). |
| `bash.fsize_limit_mb` | `int` | `50` | Maximum file size a subprocess can create in MB (`RLIMIT_FSIZE`). |
| `bash.nproc_limit` | `int` | `50` | Maximum number of child processes per subprocess (`RLIMIT_NPROC`). |
| `bash.output_cap_bytes` | `int` | `1048576` | Hard cap on raw stdout+stderr before the second `max_output_bytes` truncation (1 MiB). |
### Prompt configuration
Per-request, you can control whether code execution environment instructions are injected into the system prompt:
```json
{
"prompt_config": {
"code_execution": true
}
}
```
When `true` and a code execution tool is present, the prompt includes filesystem layout instructions and available paths. This flag only affects the system prompt — it does not enable or disable the tool itself.
| Field | Type | Default | Description |
|---|---|---|---|
| `prompt_config.code_execution` | `bool` | `false` | Enables code execution environment instructions in the system prompt. |
---
## Resource limits and sandboxing
Code execution applies **two layers** of output size control:
1. **Raw subprocess cap** (`bash.output_cap_bytes`, default 1 MiB) — hard truncation at the subprocess level
2. **Tool output truncation** (`code_execution.max_output_bytes`, default 1 MiB) — applied before returning results to the LLM
On Unix systems, each bash subprocess is isolated with:
- **Process group isolation** — `os.setsid()` prevents orphaned child processes
- **CPU limit** — `RLIMIT_CPU` caps CPU time
- **Memory limit** — `RLIMIT_AS` caps virtual memory
- **File size limit** — `RLIMIT_FSIZE` prevents runaway file creation
- **Process count limit** — `RLIMIT_NPROC` limits fork bombs
- **Timeout enforcement** — `SIGKILL` sent to the entire process group
On Windows, resource isolation is gracefully skipped.
### Output scrubbing
All host filesystem paths are automatically removed from command output before being returned to the LLM. The LLM only sees canonical paths.
---
## Session lifecycle
Code execution sessions are managed automatically:
- **Creation** — a new sandbox is created on the first code execution tool call in a chat session
- **Reuse** — subsequent code execution calls in the same chat session reuse the existing sandbox
- **File persistence** — workspace files survive across `bash_v1` restart operations
- **Idle expiry** — sessions idle for longer than `session_ttl_seconds` (default 30 minutes) are destroyed by a background reaper
- **Stale detection** — if the sandbox process dies, it is transparently recreated on the next tool call
---
## Platform compatibility
| Platform | Subprocess isolation | Resource limits | Notes |
|---|---|---|---|
| Linux | Full | Full | All `setrlimit` and `setsid` isolation active |
| macOS | Full | Full | All `setrlimit` and `setsid` isolation active |
| Windows | None | None | Subprocesses run without resource limits |
All platforms support the same canonical path translation, output scrubbing, and session lifecycle management.
---
## `present_server` tool
`present_server_v1` exposes an HTTP service running inside the sandbox to the caller. Call it after starting a server (for example a web app, Jupyter, or Streamlit) so the user can open or interact with it.
The model invokes it with:
| Field | Type | Required | Description |
|---|---|---|---|
| `port` | `int` | Yes | Port the service is listening on inside the sandbox. |
| `service_name` | `str` | No | Human-readable name for the service (defaults to `"App"`). |
| `initial_path` | `str \| null` | No | Optional path appended to the URL to deep-link to a specific route. |
The tool result contains a `resource_link` block whose `uri` is the publicly reachable URL of the tunneled service, plus a `text` block describing the service. If the sandbox backend does not support HTTP ingress, the tool returns a `text` block explaining that no endpoint is available.
<Note>
HTTP ingress support depends on the configured `code_execution.provider`. Only sandbox backends that support per-session endpoint tunneling can fulfill `present_server_v1` calls.
</Note>