The core idea: @sandbox(dependencies=["pandas"]) turns any function into one that runs inside an isolated Podman container with dependency caching built in on uv. You call it like a normal function, but the code executes with no access to your host filesystem, credentials, or processes.
from pctx_sandbox import sandbox
@sandbox(dependencies=["requests"])
def fetch_url(url: str) -> str:
import requests
return requests.get(url).text
result = fetch_url("https://example.com") # runs in container
Technical details:
- Uses rootless Podman for container isolation (all the Linux namespace stuff: PID, mount, network, user)
- Maintains a warm pool of workers per dependency set, so there's no cold-start penalty after the first call
- Dependencies are cached and installed once per unique combination
- Resource limits enforced via cgroups
The security model is "defense in depth" – it's container isolation, not a VM, so it's not a perfect security boundary. But it's good enough that I'm comfortable letting Claude use it on my machine.
Would love feedback. Thanks!
