PromptForge
AI Development · Secure Code Execution Sandbox Architecture Design for AI Agents

AI Agent Secure Sandbox Code Execution Plan Designer

Design a secure code execution sandbox for an AI agent, covering interpreter selection, permission isolation, resource limits, and a snapshot/restore strategy.

6 views · 4/24/2026

You are an expert in designing secure sandboxed code execution environments for AI agents.

Given the following context:

  • Agent type: {agent_type} (e.g., coding assistant, data analyst, autonomous researcher)
  • Target language: {target_language} (e.g., Python, JavaScript, shell)
  • Deployment environment: {deployment_env} (e.g., cloud, edge, embedded)
  • Security requirements: {security_level} (e.g., strict isolation, controlled I/O, full lockdown)

Design a complete sandbox execution plan that includes:

  1. Interpreter/Runtime Selection: Compare options (e.g., Pydantic Monty, MicroVM, Wasm, container-based) with tradeoffs for startup latency, security guarantees, and language coverage.

  2. Permission Model: Define what the sandboxed code can and cannot access:

    • Filesystem (none / read-only / scoped write)
    • Network (none / allowlisted endpoints)
    • Environment variables (none / filtered)
    • Host function calls (explicit allowlist)

  3. Resource Limits: CPU time, memory cap, wall-clock execution timeout (distinct from the CPU-time cap), output size limits, and where each is enforced (kernel rlimits/cgroups, hypervisor, or the runtime's own meters).

  4. State Management: Snapshot/restore strategy for long-running agent sessions. How to serialize interpreter state for resumption.

  5. Error Handling & Escape Prevention: How to detect and handle sandbox escape attempts, infinite loops, and resource exhaustion, and what the host does when a limit trips (kill, log, and what is surfaced back to the agent).

  6. Integration Pattern: Show how to wire the sandbox into an agent loop (tool call → sandbox execute → return result).

Output as a structured technical design document with architecture diagram description (Mermaid format), configuration examples, and security audit checklist.
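As an added worked example (not code from the original page, and not output of this prompt), the runner below makes items 3, 5 and 6 concrete for the Python case on Linux: kernel rlimits for CPU time, address space, output size and fork, a filtered environment and a scratch working directory, classification of which limit tripped, and the tool call → sandbox execute → return result wrapper an agent loop would call. The policy values, ENV_ALLOWLIST and the run_python tool name are assumptions. rlimits bound resources; they are not an isolation boundary, so in a real deployment this same wrapper sits inside a MicroVM, gVisor, or at least a namespace/seccomp sandbox (bubblewrap, nsjail).

```python
"""Host-side sandbox runner: resource limits, filtered env, scoped cwd,
and the tool-call -> execute -> result glue for an agent loop.

Added example, not from the original page. Assumes Linux: RLIMIT_AS and
RLIMIT_NPROC are not enforced on macOS. rlimits bound resources but are
NOT an isolation boundary; wrap the child in a MicroVM, gVisor, or a
namespace/seccomp sandbox (bubblewrap, nsjail) before trusting it.
"""
import os
import resource
import signal
import subprocess
import sys
import tempfile

# Hypothetical policy; tune per agent type and security level.
LIMITS = {
    "timeout_s": 10,         # wall clock, enforced by the parent (kills the process group)
    "cpu_s": 1,              # RLIMIT_CPU soft limit; child gets SIGXCPU when exceeded
    "mem_bytes": 512 << 20,  # RLIMIT_AS: address-space cap, big allocations fail with ENOMEM
    "max_output": 4096,      # RLIMIT_FSIZE on the captured stdout/stderr files
}
ENV_ALLOWLIST = ("PATH", "LANG", "LC_ALL")  # "filtered" environment: nothing else reaches the child


def _apply_limits(limits):
    """Runs in the child between fork() and exec(); installs the kernel-enforced caps."""
    cpu = limits["cpu_s"]
    resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu + 1))            # SIGXCPU at soft, SIGKILL at hard
    resource.setrlimit(resource.RLIMIT_FSIZE, (limits["max_output"],) * 2)
    resource.setrlimit(resource.RLIMIT_NOFILE, (64, 64))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))                   # no core dumps into the scratch dir
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))                  # fork() fails (ignored for root)
    resource.setrlimit(resource.RLIMIT_AS, (limits["mem_bytes"],) * 2)  # last: nothing else to allocate before exec


def run_sandboxed(code, limits=LIMITS):
    """Execute untrusted Python in a fresh scratch dir and return a classified result."""
    with tempfile.TemporaryDirectory() as scratch:
        out_path, err_path = os.path.join(scratch, "stdout"), os.path.join(scratch, "stderr")
        env = {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}
        with open(out_path, "wb") as out, open(err_path, "wb") as err:
            proc = subprocess.Popen(
                # -I: isolated mode (ignore PYTHON* env vars, user site, cwd on sys.path); -B: no .pyc writes
                [sys.executable, "-I", "-B", "-c", code],
                cwd=scratch, env=env, stdin=subprocess.DEVNULL, stdout=out, stderr=err,
                start_new_session=True,                    # own process group, so killpg reaches children
                preexec_fn=lambda: _apply_limits(limits),
            )
            try:
                rc = proc.wait(timeout=limits["timeout_s"])
                timed_out = False
            except subprocess.TimeoutExpired:
                try:
                    os.killpg(proc.pid, signal.SIGKILL)
                except ProcessLookupError:
                    pass
                proc.wait()
                rc, timed_out = None, True
        cap = limits["max_output"]
        with open(out_path, "rb") as f:
            stdout = f.read(cap)
        with open(err_path, "rb") as f:
            stderr = f.read(cap)
        truncated = os.path.getsize(out_path) >= cap  # RLIMIT_FSIZE stopped the writer at the cap

    if timed_out:
        status = "timeout"
    elif rc == -signal.SIGXCPU:
        status = "cpu_limit"
    elif rc == -signal.SIGKILL:
        status = "killed"            # hard CPU limit or the OOM killer
    elif rc != 0 and truncated:
        status = "output_limit"      # write past RLIMIT_FSIZE raised EFBIG inside the child
    elif rc == 0:
        status = "ok"
    else:
        status = "error"             # ordinary exception, e.g. MemoryError under RLIMIT_AS
    return {"status": status, "returncode": rc, "stdout": stdout, "stderr": stderr, "truncated": truncated}


def handle_tool_call(call):
    """Agent-loop glue: validate the model's tool call, run it, return a model-facing result."""
    if call.get("name") != "run_python":
        return {"status": "rejected", "error": f"unknown tool {call.get('name')!r}"}
    code = (call.get("arguments") or {}).get("code")
    if not isinstance(code, str) or not code:
        return {"status": "rejected", "error": "run_python requires a non-empty string 'code'"}
    r = run_sandboxed(code)
    return {
        "status": r["status"],
        "stdout": r["stdout"].decode("utf-8", "replace"),
        "stderr": r["stderr"].decode("utf-8", "replace")[-1000:],
        "truncated": r["truncated"],
    }


if __name__ == "__main__":
    for snippet in ("print(2 + 2)", "while True: pass", 'print("A" * 100000)'):
        print(snippet, "->", run_sandboxed(snippet)["status"])
```

Two design choices worth noting. Output is captured in files capped by RLIMIT_FSIZE rather than read from pipes, so the host never buffers unbounded output and the child, not the parent, is the one that fails when it writes past the cap. The status string is what the agent sees: a "cpu_limit" or "output_limit" result tells the model which limit its code hit, instead of the host silently killing the run and returning an empty string.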