Skip to content

ShellAdapter

autogen.beta.tools.sandbox.adapter.shell.ShellAdapter #

ShellAdapter(sandbox, *, allowed=None, blocked=None, ignore=None, readonly=False, env=None, timeout=None)

Shell surface (run) over any :class:Sandbox.

Implements the command policy once and works on every backend — local subprocess, Docker container, Daytona sandbox, or any custom one.

Filtering (allowed / blocked / ignore / readonly) lives here once. Execution delegates to the wrapped :class:Sandbox or :class:SandboxFactory; the adapter never duplicates backend logic.

PARAMETER DESCRIPTION
sandbox

Either a long-lived :class:Sandbox (used as-is) or a :class:SandboxFactory (opened per :meth:run so :class:~autogen.beta.annotations.Variable parameters get resolved against the active Context).

TYPE: Sandbox | SandboxFactory

allowed / blocked / ignore / readonly

command filter set. blocked is best-effort: it only matches the head command's prefix, so chaining (; / | / && / $(...)) can bypass it. It is not a security boundary — use allowed / readonly or an isolated container for that.
env

Extra environment variables passed into each command.

TYPE: dict[str, str] | None DEFAULT: None

timeout

Per-command timeout in seconds. None lets the backend pick its default.

TYPE: float | None DEFAULT: None

Source code in autogen/beta/tools/sandbox/adapter/shell.py 
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
def __init__(
    self,
    sandbox: "Sandbox | SandboxFactory",
    *,
    allowed: list[str] | None = None,
    blocked: list[str] | None = None,
    ignore: list[str] | None = None,
    readonly: bool = False,
    env: dict[str, str] | None = None,
    timeout: float | None = None,
) -> None:
    self._factory: SandboxFactory = sandbox if isinstance(sandbox, SandboxFactory) else SingletonFactory(sandbox)
    self._allowed: list[str] | None = list(READONLY_COMMANDS) if readonly and allowed is None else allowed
    self._blocked = blocked
    self._ignore = ignore
    self._env = env
    self._timeout = timeout

workdir property #

workdir

Working directory exposed to callers.

For a host-backed sandbox (local subprocess, incl. a :class:~autogen.beta.tools.sandbox.LocalEnvironment / :class:SingletonFactory wrapping one) this is the real host :class:~pathlib.Path (so .exists() etc. work); for a remote / container backend it is the sandbox-side :class:PurePosixPath. A not-yet-opened remote :class:SandboxFactory reports the conventional /workspace since no sandbox is bound yet.

run async #

run(command, *, context=None)
Source code in autogen/beta/tools/sandbox/adapter/shell.py 
101
102
103
104
105
106
107
108
109
110
111
112
async def run(
    self,
    command: str,
    *,
    context: "ConversationContext | None" = None,
) -> str:
    denied = self._filter(command)
    if denied is not None:
        return denied

    result = await self._exec_async(command, context)
    return _format(result)