Code Generation & Sandboxing

Guardrails decide what an agent is allowed to do. Code-generation agents make that boundary concrete: they write programs, run commands, inspect logs, and retry. This chapter turns the previous safety lesson into an execution pattern, showing how sandboxes, tests, logs, and retry loops turn generated code from plausible text into a tested candidate change.

Imagine a developer who writes code but never runs it. They type out a solution, submit it, and hope for the best. A bare language-model generation has the same limitation: without tools, it predicts plausible-looking syntax but cannot execute a test. A code agent takes a different approach. It plans a solution, writes code, runs it in a sandboxed environment, reads failure evidence, and proposes a repair. Building this generate-execute-debug loop safely and reliably is a core challenge in applied AI.

To make this concrete, imagine you manage a warehouse system. You ask an agent to write a Python function that calculates shipping costs from a rate-card CSV. The agent generates a script that looks correct, but when you feed it a 5-kilogram package going to zone 3, it returns the wrong price. A single-pass completion leaves that error for downstream review. A code agent can catch it before approval when it runs relevant tests inside a sandbox, sees the mismatch, and proposes a fix.

The trust problem: code that looks right but isn't

Model-generated code is untrusted by default. Even strong frontier models can produce code with security vulnerabilities or be manipulated through prompt injection (malicious instructions hidden in files, tool output, or webpages) to write unsafe scripts. When AI moves from merely generating code to executing it autonomously, the security boundary shifts entirely to the infrastructure layer.

Without proper isolation, executed code inherits access exposed by the account, workspace, environment, and network where it runs. We delegate coding tasks to AI because we want automation, yet that automation needs strict containment so an injected instruction cannot directly read secrets or mutate production resources.

Code generation is a critical application for LLMs, but moving from simple completion to autonomous agents requires a fundamental shift in architecture. A completion model predicts the next token. A code agent must plan, execute, and self-correct.

This creates three core challenges:

1. Safety: Executing untrusted code can expose files, secrets, compute, or network access.
2. Correctness: LLMs hallucinate library functions and APIs.
3. State Management: Code depends on files, environment variables, and external services.

Understanding how to build a controlled generate-execute-debug loop inside an isolated, bounded runtime is essential for anyone working on AI-assisted development tools.

Building the loop: plan, run, fix

The key differentiator of a code agent is the feedback loop. Instead of a single generation pass, the agent uses the execution output (stdout/stderr) as a signal to refine its solution.

In production, this means the difference between shipping a broken migration script and catching the bug before it touches the database. A human developer writes code, runs it, reads the traceback, and edits. A code agent automates that exact rhythm, but only if the infrastructure can execute the code safely and return the result fast enough to stay inside the model's context window.

A concrete walkthrough

Let's walk through the shipping-cost task in detail. The agent receives this request:

Write a function calculate_shipping(weight_kg, zone) that reads rate_card.csv and returns the correct cost in USD. The CSV has columns weight_kg, zone, and cost_usd.

On its first attempt, the agent produces code like this:

The agent runs two hidden tests inside the sandbox:

Both fail. The sandbox captures the traceback:

Why? The actual CSV uses weight as the column name, not weight_kg. The agent sees this error, feeds it back into the LLM, and regenerates.

The corrected example below includes a tiny CSV fixture and assertions, so the function can be run as written.

This time the tests pass. The loop turned a hallucinated column name into a candidate fix backed by evidence for the two tested rows.

Architecture

The system consists of an Orchestrator (the LLM) and an Environment (the Sandbox). The Orchestrator emits code and shell commands. The Environment executes them and returns the result.

Planning before coding

Before generating code, the agent must formulate a plan. In our shipping example, this means three concrete steps.

Context gathering. The agent reads rate_card.csv and confirms the column names, data types, and row count. It can't write correct code if it doesn't know the schema.

Task decomposition. The agent breaks the request into atomic actions: open the file, parse the header, match the weight and zone columns, return the cost, and handle the case where no row matches.

Dependency analysis. The agent checks which libraries are available. csv is in the standard library, so it's safe to import. If the agent assumed pandas was installed but it isn't, the first execution would fail with an ImportError, and the agent would need to either switch to csv or request installation.

The architecture figure above shows where planning sits in the larger loop: the agent plans before writing, executes only inside the sandbox, and sends failures back into the next generation attempt.

The agent control loop

This loop manages the state and decides when to stop, implementing the core retry logic. The solve function takes a task description and a list of test cases as input, then iteratively generates code, executes it in the sandbox, and feeds any errors back into the next generation attempt. It returns the final code string if all tests pass, or raises an exception if the maximum iterations are exhausted.

This class is an adapter-shaped scaffold: llm.generate, llm.generate_code, sandbox.execute, and sandbox.run_tests are interfaces supplied by your application.

Notice how solve never runs tests on the host. The sandbox boundary contains everything, including the test runner. A correctly configured sandbox reduces the code's access to host files, secrets, and networks; its configuration and runtime still require security review and patching.

The interface-shaped example above depends on a real model and runtime, so it is not a copy-runnable lab. The next miniature controller uses prerecorded sandbox evidence to expose the acceptance rule: a patch is not accepted just because it ran; its validation must pass before the budget expires.

The controller produces a candidate for review, not an automatic deployment. More tests, code review, and authorization may still be required before changing a live fulfillment service.

Where the danger lives

The loop we built is powerful, but it assumes the sandbox contains the threat. What happens when it doesn't?

Think of a sandbox like a sealed fulfillment test bay. The test bay has fake labels, fake carriers, and fake payment credentials, so automation behaves naturally without touching real orders. Its controls should terminate work that exceeds its limits and deny access to unapproved host or network resources.

Static analysis, allowlists, and prompt rules help, but they're not the security boundary. Assume the code will reach execution and design the runtime so a malicious or broken program still can't damage the host.

If an attacker tricks the agent into generating os.system("rm -rf /"), destruction must be limited to a disposable sandbox filesystem rather than the host or a persistent repository. If the agent writes an infinite loop, the supervisor must terminate it at its resource or time budget. If the agent tries to open a reverse shell to an external server, an offline sandbox must deny that connection.

Containers: useful execution packaging, not a complete policy

Containers are convenient for development, CI, and controlled workloads, but a standard container shares the host kernel. For hostile multi-tenant generated code, evaluate an additional isolation boundary such as gVisor, Kata Containers, or a microVM, along with the controls shown below.^[1]

This example shows the shape of a constrained Docker launch through the Python SDK. It takes an untrusted code string as input and executes it inside a container with disabled networking, a read-only filesystem, and resource limits. Notice one subtle but important detail: Docker's wait(timeout=...) is an API request timeout, not the workload's total execution deadline, so the supervisor still needs its own wall-clock kill timer.

This snippet is reference code, not a complete sandbox service. It requires the Docker Python SDK, a reachable Docker daemon, and the ExecutionResult dataclass from the control-loop example above. A production service also needs image provenance, admission policy, monitoring, patching, and isolation appropriate to its threat model.

For a real code agent, don't stop at python -c. Give each run a scratch workspace, mount only that directory as writable, and reset it between attempts. The same pattern applies if you execute tests or let the agent edit files inside the sandbox.

Treat sandbox configuration as reviewable policy, not scattered SDK options. This small admission check rejects a job that requests outbound networking, a host repository mount, or an ambient credential.

Hardened containers and microVMs: gVisor vs. Firecracker

For hostile multi-tenant execution, a standard container still depends on the host kernel boundary. Two stronger isolation designs are to interpose a userspace application kernel, as gVisor does, or run each workload inside a microVM, as Firecracker does.

gVisor (Google). gVisor is not a microVM. Its OCI-compatible runsc runtime uses the Sentry userspace application kernel between the application and host kernel. gVisor's documentation describes Sentry as intercepting application system calls and implementing necessary kernel behavior in Go; its paper reports that Sentry needs at most 68 host system calls. This design reduces direct host-kernel exposure while retaining a container-oriented workflow, with compatibility and performance trade-offs to measure for each workload.^[2][3]

Firecracker (AWS). Firecracker is a Virtual Machine Monitor (VMM) that uses KVM (Kernel-based Virtual Machine) to create microVMs. Unlike gVisor, Firecracker places the workload behind a guest kernel and virtual-machine boundary. The original paper reports starting guest userspace in under 125 ms for its minimal configuration and memory overhead below 5 MiB per microVM, and reports Firecracker use in AWS Lambda and AWS Fargate.^[4]

The figure below shows the key difference in the isolation path: gVisor intercepts Linux syscalls in a userspace kernel, while Firecracker runs the workload with a guest kernel inside a microVM.

WebAssembly (WASM) (edge and serverless)

WebAssembly (WASM) offers a capability-oriented execution model. It is a strong fit when you can compile the workload to WASM or restrict the runtime to a small WASI (WebAssembly System Interface) surface. The trade-off is compatibility: arbitrary Linux programs, native extensions, and system packages usually will not run unchanged. A host can avoid granting filesystem, environment, or network capabilities unless the module needs them. In practice, this makes WASM a better fit for constrained plugin-style jobs than for arbitrary repo-wide Python execution.

This example uses wasmtime, a server-side WASM runtime, to run a precompiled module outside the browser. The execute method takes a compiled WebAssembly binary and an integer input value. It limits linear memory inside the Wasmtime store and uses fuel metering to trap work that consumes its allotted fuel, returning the integer result of the WASM function.

This example expects a precompiled WASM module that exports run(i32) -> i32; it demonstrates the host-side execution wrapper, not compilation from Python source to WASM.^[5]

Comparison of sandboxing approaches

Managed sandbox services

Many teams do not build sandbox infrastructure from scratch. They rent ephemeral runtimes from a managed service and call them over an SDK. The hosted choice is still the same architecture decision: what isolation tier do you need, how much Linux compatibility do you need, and how much operational work do you want to own?

• E2B documents Linux VM sandboxes created on demand for agents, and its product material says those sandboxes are powered by Firecracker.^[6]
• Modal documents isolated sandboxes for AI-generated code, and its image guide states containers run on gVisor.^[7]
• Daytona documents isolated sandboxes with a dedicated kernel, filesystem, network stack, and per-sandbox firewall rules.^[8]

Their documentation illustrates a common hosted pattern: provision an isolated environment, run code through an SDK, and read back stdout or stderr. Features, limits, pricing, and implementation details change quickly, so verify current provider documentation before hard-coding platform assumptions.

Layering defenses: five controls that reinforce each other

A single control can fail. A firewall rule might have an unintended exception. A runtime can later require security patches. Production sandbox designs should not rely on one mechanism.

A sandbox is more than a "box." It is a layered defense system where controls reduce different failure paths. If one layer fails, other layers can still reduce exposure. Use the following five controls as a baseline review for an untrusted-code execution environment.

Network isolation

Start untrusted-code sandboxes with zero egress. Tasks such as sorting fixture data, running local unit tests, and formatting files do not need internet access. If the agent needs a dependency, use a pinned pre-built image or a controlled internal mirror rather than general outbound access. This removes a direct exfiltration and callback path for jobs that do not need a network.

Resource limits

Prevent resource exhaustion by setting hard caps on:

• CPU: Quota selected for the workload class
• Wall-clock time: TTL or supervisor deadline so sleep(10**9) cannot sit idle forever
• Memory: Hard limit with OOM handling
• Disk I/O: Quotas to prevent filling the host's storage
• Process count: pids.max cgroup setting to prevent fork bombs

CPU quotas and elapsed-time limits solve different problems. A busy loop burns CPU and hits quotas quickly, but a blocked process can sit until the orchestrator enforces a wall-clock deadline and terminates the job.

Filesystem masking

The code should only see its task workspace and required fixtures. Do not mount sensitive host paths such as ~/.ssh, /etc/shadow, or Docker sockets into an untrusted-code job. Limit writable mounts to disposable scratch paths so the job has no direct filesystem route to host secrets or persistent repositories.

Even inside a scratch workspace, the candidate patch should stay inside task scope. A shipping-rate task has no reason to edit deployment credentials or workflow configuration.

Syscall filtering (seccomp)

Use seccomp-bpf (Secure Computing Mode) to restrict which system calls the code can make. Block operations like ptrace (debugging other processes), mount (filesystem manipulation), raw kernel interfaces, and other capabilities your workload doesn't need. Be careful with blanket bans on execve: many code agents need to spawn compilers, test runners, or shells, so the safer pattern is to permit a minimal known subprocess surface inside the sandbox rather than assuming no process creation is ever needed.

Ephemerality

For untrusted generated code, the environment should be disposable. Once the task completes, destroy it or restore a clean snapshot before reuse. This prevents files written by one attempt from becoming input or executable state for another. Warm pools require an equivalent reset boundary.

Cleanup belongs on every result path, including failed tests and successful candidate creation.

Teaching the model to debug itself

The generate-execute-debug loop is only useful if the model learns from the debug step. A naive implementation might feed the error back to the model but get an equally broken second attempt. The quality of the fix depends on how you format the error, how much previous context you preserve, and whether you force the model to explain the bug before rewriting the code.

Execution feedback can make a repair attempt more grounded than a blind rewrite. When code fails, the next request can include a bounded traceback, failing assertion, and relevant file context. That evidence identifies what failed, but it does not prove the next patch is correct; the runtime must execute validation again.

Error-driven iteration

Feeding a relevant traceback to the model can expose the line number and error type. This works well for syntax errors or runtime exceptions, but raw logs are still untrusted data: they can include secrets, huge output, or injected instructions. The adapter-shaped function below omits those preprocessing details to focus on the repair call; the executable example after it shows the missing input hygiene.

Before a retry, minimize and label the evidence that crosses back into the model. Redaction is not a full prompt-injection defense, so the repaired program still runs only inside the sandbox and still requires tests.

Explaining before fixing

For logical errors where the code runs but produces incorrect output, asking the model to "fix it" provides little inspectable direction. Request a short bug hypothesis or failing invariant before it edits the code. That gives you a concrete debugging artifact without depending on hidden chain-of-thought logs. This function takes the problematic code and the original task description as inputs. It performs a two-step generation: first producing a short analysis, and then using that analysis to return a fixed code string.

Measuring real-world skill

Pass@k, the probability that at least one of k generated samples passes all test cases, is useful on self-contained problems such as HumanEval^[9] or MBPP (Mostly Basic Python Problems)^[10]. It does not cover repository navigation, environment setup, multi-file changes, or regression risk.

SWE-bench^[11] is a repository-level benchmark for agentic coding. It packages real GitHub issue-fix pairs from Python repositories such as Django, scikit-learn, and Flask.

Other benchmarks like InterCode^[12] focus on interactive coding environments, with the original paper instantiating Bash, SQL, and Python settings where the agent receives execution feedback.

To solve a SWE-bench task, an agent must:

1. Explore: Search through a large codebase to find the relevant files using tools like ripgrep or file tree traversal.
2. Reproduce: Write a reproduction script or test case that fails, confirming the bug exists.
3. Fix: Edit the code to make the test pass without breaking existing tests (regression testing).

SWE-bench Lite is a curated subset of 300 tasks selected for faster, more cost-effective evaluation ^[13]. SWE-bench Verified is a human-validated subset of 500 instances and is usually a cleaner comparison set than the raw benchmark ^[14]. For frontier-model evaluation, treat it with caution: OpenAI argued in 2026 that SWE-bench Verified had become increasingly contaminated and recommended SWE-bench Pro for measuring frontier coding capability ^[15].

Leaderboards and benchmark suitability change, so treat a benchmark as a versioned harness with stated tools and budgets rather than a timeless absolute.

Production tip: Compare coding-agent results only under similar harnesses, budgets, tool permissions, and repository snapshots. Then evaluate the tasks and security policies that matter for your product.

A deployment workflow needs more than a green candidate test. This miniature review gate captures three independent signals: task tests, regression tests, and a security-policy scan.

Running this in production

A prototype agent that solves ten shipping-cost tasks in a Jupyter notebook is a long way from a production system that handles hundreds of concurrent jobs across different repositories, languages, and dependency versions. The sandbox, the orchestrator, and the model all face scaling pressures that don't show up in demos.

Building a reliable code agent requires more than a good prompt loop. You need to handle the messiness of real-world software development. At scale, several architectural constraints become apparent, particularly around cost, context limits, and security. Engineering teams need infrastructure that prevents runaway execution and keeps sandboxes isolated.

Context window management

Do not default to placing an entire repository in the context window. Longer prompts increase input cost, leave less room for execution feedback, and can make relevant evidence harder to retrieve; the "lost in the middle" study demonstrates failures to use relevant information placed within long contexts.^[16] Use two main techniques. First, Retrieval-Augmented Generation (RAG), which searches the codebase to find and provide the most relevant code snippets as context for the LLM. Second, use code-aware parsing with tools like Tree-sitter to build an Abstract Syntax Tree (AST). This tree representation shows the hierarchy of functions, classes, and their relationships, letting the agent extract only the relevant definitions instead of entire files. A "map" of the codebase (file tree + high-level signatures) helps the agent decide where to look.

Summarize files to save tokens. Create "skeleton" files that contain only class and function signatures, removing implementations. This gives the model a global view without the token weight.

Cost and loop control

Repair loops need explicit stop conditions. A stuck agent can spend model tokens and sandbox runtime without creating new evidence.

Token budget: Set a hard limit per task based on product cost and latency requirements.

Step limit: Set a maximum number of iterations appropriate to the task class.

Circuit breakers: Detect repetitive failures. If the agent makes the same edit or encounters the same error three times in a row, halt execution.

Network security and dependencies

Code agents often try to install packages (pip install) or fetch external data. This creates a supply chain risk.

No internet default: Run sandboxes offline by default.

Controlled fetches: If installation is needed, route it through an internal mirror or proxy that allows pinned artifacts and records what entered the sandbox. A broad domain allowlist still permits mutable or malicious dependencies.

Pre-baked images: Avoid runtime installation. Use Docker images with the common libraries your tasks need (pandas, numpy, requests) to reduce latency and failure points.

Secret scrubbing: Start from an empty environment and pass only explicit allow-listed variables into the sandbox. Never forward the host's full environment wholesale.

An installation request should be checked against an approved, immutable dependency manifest before any sandbox obtains access to a mirror.

Mastery check

Key concepts

• Code agents turn code generation into a loop: plan, execute, validate, repair.
• Runtime isolation is the real security boundary. Prompt rules and static analysis are only upstream filters.
• Docker, gVisor, Firecracker, and WASM trade compatibility for stronger isolation in different ways.
• Defense in depth means independent controls for network, resources, filesystem, syscalls, and ephemerality.
• Context windows are scarce. ASTs, file maps, retrieval, and skeletons beat dumping whole repositories.
• Real evaluation measures search, reproduction, editing, regression safety, and tool use, not only pass or fail on toy tasks.

Evaluation rubric

• Strong: explains why generated code and generated tests must run inside same sandbox boundary.
• Strong: distinguishes plain containers from userspace-kernel runtimes, microVMs, and WASM by isolation path and compatibility.
• Strong: names concrete controls for loop safety: wall-clock timeout, CPU, memory, process count, no egress, empty env.
• Strong: evaluates code agents with repository search, reproduction, regression checks, and review acceptance, not only HumanEval-style pass rates.
• Weak: treats Docker alone as enough for hostile multi-tenant execution.
• Weak: assumes bigger context windows remove need for retrieval and code-aware filtering.

Follow-up questions

How do you handle infinite loops in generated code?

Use separate budgets for elapsed time and resource consumption. The supervisor should enforce a wall-clock deadline, such as killing the sandbox after 30 seconds. Cgroups should cap CPU, memory, and process count with controls such as pids.max. That covers both busy loops and idle hangs. In container sandboxes, combine those limits with subprocess timeouts and OOM handling so the host can terminate the workload cleanly.

What is the right context-window strategy for code agents?

Budget context by priority: current file, imported files, related tests, type definitions, and broader repository context such as README files and file trees. Use AST analysis and code-aware search to identify dependencies instead of dumping raw files. Keep context below the full window so there is room for tool output, failing tests, reasoning summaries, and patches.

How do you evaluate code-generation quality beyond pass or fail?

Measure functional correctness on holdout tasks, regression-test pass rate, lint and type-check results, security findings, patch size, and review acceptance. In production, track acceptance rate, human time-to-first-edit, retry count, downstream bug rate, and whether the agent created a minimal reproducible failure before editing.

How do you securely manage dependencies and package installation?

Avoid arbitrary runtime package installation. Prefer pre-built images with pinned package versions. When installation is necessary, restrict it to an internal mirror or narrow allowlist, pin versions, block general internet access, and verify provenance where your ecosystem supports it. High-security environments should disable runtime installation entirely.

Why is self-correction stronger than single-shot generation?

Models often make small syntax, schema, or logic errors that compilers, interpreters, and tests can detect. Feeding that concrete failure back into the next attempt gives the model a grounded target to repair. The loop works because it couples generation with runtime evidence instead of relying on a perfect first draft.

Common pitfalls

• Host gets exposed to generated code. Cause: running code or tests outside sandbox boundary. Fix: execute both generated program and validation inside same isolated runtime.
• Agent keeps burning tokens without improving. Cause: no retry budget or circuit breaker on repeated failures. Fix: cap iterations, cap tokens, and halt after repeated identical errors.
• Sandbox looks isolated but still leaks data. Cause: default egress, ambient environment variables, or writable host mounts. Fix: zero-egress default, empty environment, and scratch-only writable filesystem.
• Production eval looks great, real repos still fail. Cause: benchmark measured isolated snippets instead of repository search, reproduction, and regression work. Fix: test on SWE-bench-style tasks and track patch acceptance and downstream breakage.

Sandbox runtime comparison at a glance

Choose the boundary only after writing down the threat model, required workload compatibility, and the controls enforced outside the model.