@jeevanpillay
Collaborator

Summary

Implements a complete cloud-native agent execution system for apps/cloud that safely runs external user code with proper security isolation.

This PR preserves important foundational work from the feat/cloud-agent-execution-engine branch that was developed earlier but never merged to main.

Key Components

1. AST-Based Bundle Parser (src/lib/bundle-parser.ts)

  • Safely parses Lightfast agent bundles without code execution
  • Uses @babel/parser and @babel/traverse for AST analysis
  • Extracts agent configurations, tools, and metadata
  • Supports both createAgent() and createLightfast() patterns

2. Secure Tool Execution (src/app/api/tool/route.ts)

  • VM2-based sandboxing for tool execution with 30s timeout limits
  • Blocks filesystem, network, and child process access
  • Captures console output and provides detailed error reporting
  • Forces Node.js runtime for VM2 compatibility

3. Tool Proxying System (src/lib/tool-proxy.ts)

  • Creates Lightfast ToolFactory functions that proxy to secure execution
  • Converts JSON Schema parameters to Zod validation
  • Injects runtime context (sessionId, resourceId) properly
  • Handles tool execution errors with helpful messages

4. Agent Execution Engine (src/app/api/execute/route.ts)

  • Fetches and parses agent bundles via HTTP
  • Creates real Lightfast agents with proxied tools
  • Uses fetchRequestHandler for native AI SDK streaming
  • Implements proper error handling and logging

5. Test Interface (test-executor/page.tsx)

  • Full-featured UI for testing agent execution (434 lines)
  • Interactive testing environment

Security Features

  • ✅ Zero code execution during bundle parsing (AST-only analysis)
  • ✅ Sandboxed tool execution in isolated VM2 environment
  • ✅ Network and filesystem access restrictions
  • ✅ Resource limits with execution timeouts
  • ✅ Vercel-only deployment with full Node.js capabilities
  • ✅ No external services required

Documentation

This PR includes comprehensive architecture documentation:

  • EXECUTION_ARCHITECTURE.md - Problem statement, architecture overview, decision matrix
  • REVISED_ARCHITECTURE.md - Updated architecture plans
  • execution-service-plan.md - Detailed implementation roadmap (298 lines)

Dependencies Added

{
  "@babel/parser": "^7.28.4",
  "@babel/traverse": "^7.28.4", 
  "@babel/types": "^7.28.4",
  "vm2": "^3.9.19",
  "isolated-vm": "^6.0.1",
  "lightfast": "workspace:^"
}

Testing

The system has been tested end-to-end with sample weather agent bundles that include tools with both safe and potentially unsafe operations. All security restrictions work as expected.

Future Work

This implementation provides a foundation for:

  • Migration to containerized execution service (see execution-service-plan.md)
  • Enhanced security with additional isolation layers
  • Support for more complex agent workflows
  • Performance optimization and scaling

Related

  • Original branch: feat/cloud-agent-execution-engine
  • Related to cloud platform execution requirements

🤖 Generated with Claude Code

This commit implements a complete cloud-native agent execution system for apps/cloud
that safely runs external user code with proper security isolation.

- Safely parses Lightfast agent bundles without code execution
- Uses @babel/parser and @babel/traverse for AST analysis
- Extracts agent configurations, tools, and metadata
- Supports both createAgent() and createLightfast() patterns

- VM2-based sandboxing for tool execution with 30s timeout limits
- Blocks filesystem, network, and child process access
- Captures console output and provides detailed error reporting
- Forces Node.js runtime for VM2 compatibility

- Creates Lightfast ToolFactory functions that proxy to secure execution
- Converts JSON Schema parameters to Zod validation
- Injects runtime context (sessionId, resourceId) properly
- Handles tool execution errors with helpful messages

- Fetches and parses agent bundles via HTTP
- Creates real Lightfast agents with proxied tools
- Uses fetchRequestHandler for native AI SDK streaming
- Implements proper error handling and logging

- ✅ Zero code execution during bundle parsing (AST-only analysis)
- ✅ Sandboxed tool execution in isolated VM2 environment
- ✅ Network and filesystem access restrictions
- ✅ Resource limits with execution timeouts
- ✅ Vercel-only deployment with full Node.js capabilities
- ✅ No external services required

- @babel/parser: ^7.28.4 - JavaScript AST parsing
- @babel/traverse: ^7.28.4 - AST traversal
- @babel/types: ^7.28.4 - AST node types
- vm2: ^3.9.19 - Secure JavaScript sandbox
- isolated-vm: ^6.0.1 - Alternative sandbox (kept for future use)

The system has been tested end-to-end with a sample weather agent bundle
that includes tools with both safe and potentially unsafe operations.
All security restrictions work as expected.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
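
The tool-proxy step listed in the PR description and commit message above (validate tool parameters against their JSON Schema, then inject sessionId and resourceId), as an added example that is not code from this PR or from Lightfast. A hand-written validator for a small JSON Schema subset stands in for the Zod conversion the PR describes; `validateArgs`, `buildToolCall`, the payload shape and the sample `weatherTool` are assumptions.

```javascript
// Added example, not code from the PR. validateArgs, buildToolCall and the
// payload shape are hypothetical; only a small JSON Schema subset is handled.
const TYPE_CHECKS = new Map([
  ["string", (v) => typeof v === "string"],
  ["number", (v) => typeof v === "number" && Number.isFinite(v)],
  ["integer", (v) => Number.isInteger(v)],
  ["boolean", (v) => typeof v === "boolean"],
]);

function validateArgs(schema, args) {
  if (typeof args !== "object" || args === null || Array.isArray(args)) {
    return ["arguments must be a JSON object"];
  }
  const errors = [];
  const props = schema.properties || {};
  for (const key of schema.required || []) {
    if (!Object.hasOwn(args, key)) errors.push(`missing required "${key}"`);
  }
  for (const [key, value] of Object.entries(args)) {
    // Own-property lookup: undeclared keys such as "__proto__" are rejected.
    if (!Object.hasOwn(props, key)) {
      errors.push(`unexpected property "${key}"`);
      continue;
    }
    const rule = props[key] || {};
    const check = TYPE_CHECKS.get(rule.type);
    if (!check || !check(value)) errors.push(`"${key}" must be ${rule.type}`);
    else if (Array.isArray(rule.enum) && !rule.enum.includes(value)) {
      errors.push(`"${key}" is not an allowed value`);
    }
  }
  return errors;
}

// Context is taken only from the authenticated request, never from args.
function buildToolCall(tool, args, runtimeContext) {
  const errors = validateArgs(tool.parameters, args);
  if (errors.length > 0) return { ok: false, errors };
  const { sessionId, resourceId } = runtimeContext;
  return { ok: true, payload: { tool: tool.name, args: { ...args }, context: { sessionId, resourceId } } };
}

// Constructed sample tool definition (not taken from a real bundle).
const weatherTool = {
  name: "getWeather",
  parameters: {
    type: "object",
    properties: { city: { type: "string" }, units: { type: "string", enum: ["metric", "imperial"] } },
    required: ["city"],
  },
};
```

Rejecting undeclared properties means a caller cannot pass its own `sessionId` inside the arguments and have it mistaken for the server-side context.
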
@vercel

vercel bot commented Nov 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
lightfast-auth | Ready | Preview | Comment | Nov 5, 2025 8:46am
lightfast-chat | Ready | Preview | Comment | Nov 5, 2025 8:46am
lightfast-cloud | Error | | | Nov 5, 2025 8:46am
lightfast-deus | Error | | | Nov 5, 2025 8:46am
lightfast-www-search | Ready | Preview | Comment | Nov 5, 2025 8:46am

4 Skipped Deployments

Project | Deployment | Preview | Comments | Updated (UTC)
lightfast-experimental | Ignored | | | Nov 5, 2025 8:46am
lightfast-docs | Skipped | | | Nov 5, 2025 8:46am
lightfast-playground | Skipped | | | Nov 5, 2025 8:46am
lightfast-www | Skipped | | | Nov 5, 2025 8:46am

@coderabbitai

coderabbitai bot commented Nov 5, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
