feat: add sandlock as lightweight OS-level sandboxing backend for CodeInterpreterTool #5151

Open
devin-ai-integration[bot] wants to merge 7 commits into main from devin/1774648947-sandlock-sandbox


@devin-ai-integration devin-ai-integration bot commented Mar 27, 2026

Summary

Implements #5150 — adds sandlock as a new lightweight execution backend for CodeInterpreterTool. Sandlock uses Linux kernel features (Landlock + seccomp-bpf) to provide process-level isolation without requiring Docker.

Key changes:

  • New execution_backend parameter on CodeInterpreterTool: "auto" (default), "docker", "sandlock", "unsafe"
  • New sandbox configuration fields: sandbox_fs_read, sandbox_fs_write, sandbox_max_memory_mb, sandbox_max_processes, sandbox_timeout
  • run_code_in_sandlock() method with library installation, policy building, and error handling
  • Auto mode fallback order: Docker → Sandlock → RuntimeError
  • sandlock>=0.2.0 added as an optional dependency group in pyproject.toml
  • 18 new tests covering routing, availability checks, policy building, error handling, timeouts, and fallback behavior

Review & Testing Checklist for Human

  • Verify sandlock API contract matches implementation. All tests mock Sandbox and Policy — the real sandlock API (Sandbox(policy).run(cmd, timeout=...) returning an object with .stdout, .stderr, .returncode) has not been integration-tested. The hasattr() guards on lines 530-532 suggest uncertainty about the return type. Confirm the actual sandlock>=0.2.0 package exposes this interface.
  • Review security of library installation outside sandbox. run_code_in_sandlock installs pip packages on the host filesystem (via subprocess.run) before entering the sandbox. Compare with Docker backend which installs inside the container. Untrusted library names get passed to pip install --target.
  • Review _build_sandlock_policy filesystem permissions. The policy adds all sys.path entries as readable paths and uses exec(open('{code_file}').read()) for execution. Verify this doesn't expose more of the host filesystem than intended.
  • Confirm sandlock package maturity/trust. sandlock v0.2.0 is a relatively new/small package. Evaluate whether it meets the bar for a crewAI dependency (even as optional).
  • Test plan: Install sandlock on a Linux machine, run CodeInterpreterTool(execution_backend="sandlock") with real code, and verify isolation (e.g., confirm filesystem writes outside allowed paths are blocked, memory limits enforced).

Notes

  • The existing test_docker_unavailable_raises_error was renamed to test_docker_and_sandlock_unavailable_raises_error and its assertions updated to reflect the new fallback chain.
  • sandlock is Linux-only (requires kernel 5.13+). The implementation gracefully rejects non-Linux platforms with a helpful error message.
  • The unsafe_mode=True flag continues to work as before for backward compatibility.

Updates since last revision

  • Fixed mypy type-checker errors across all Python versions (3.10–3.13): the Policy import uses # type: ignore[import-untyped] (matching the existing docker import pattern), and the Sandbox import needs no annotation since mypy caches the module after the first import.

Link to Devin session: https://app.devin.ai/sessions/cd127bbc88684d649b90b1272c9a520b
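
The checklist item on library installation notes that untrusted library names reach `pip install --target` on the host. As an added example (not code from this PR or from crewAI), here is one way to constrain those names before the command is built. The function names, `RejectedRequirement` and the sample inputs are constructed for illustration.

```python
import re

# PEP 508 distribution name: starts and ends with a letter or digit.
_NAME = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
# Only a bare name or an exact pin ("name==version") is accepted.
_REQUIREMENT = re.compile(rf"({_NAME})(?:==([A-Za-z0-9][A-Za-z0-9.!+_-]*))?")


class RejectedRequirement(ValueError):
    """Raised when a requested library is not a plain name or name==version."""


def validate_requirement(raw: str) -> str:
    """Return a normalized 'name' or 'name==version', or raise."""
    match = _REQUIREMENT.fullmatch(raw.strip())
    if match is None:
        raise RejectedRequirement(f"not a plain package requirement: {raw!r}")
    name, version = match.groups()
    # PEP 503 normalization, so "Foo_Bar" and "foo-bar" compare equal.
    name = re.sub(r"[-_.]+", "-", name).lower()
    return f"{name}=={version}" if version else name


def build_pip_argv(python: str, target_dir: str, libraries: list[str]) -> list[str]:
    """Build the install command as an argv list (no shell); all-or-nothing."""
    requirements = [validate_requirement(lib) for lib in libraries]
    return [python, "-m", "pip", "install", "--target", target_dir, *requirements]


def triage(libraries: list[str]) -> tuple[list[str], list[str]]:
    """Split requested libraries into (accepted, rejected) for logging/review."""
    accepted, rejected = [], []
    for lib in libraries:
        try:
            accepted.append(validate_requirement(lib))
        except RejectedRequirement:
            rejected.append(lib)
    return accepted, rejected


# Constructed sample inputs: two plain requirements and several that are not.
SAMPLES = [
    "numpy",
    "Requests==2.32.3",
    "--index-url=https://mirror.example/simple",  # option, not a name
    "git+https://example.invalid/repo.git",       # direct URL
    "../local_pkg",                                # filesystem path
    "-r requirements.txt",                         # requirements-file flag
]
```

Validation like this constrains only the shape of the arguments; the install itself still runs on the host before the sandbox is entered, which is the concern the checklist raises.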

…e execution

Addresses #5150 - adds sandlock (Landlock + seccomp-bpf) as a new execution
backend for CodeInterpreterTool, providing kernel-level process isolation
without requiring Docker.

Changes:
- Add 'execution_backend' parameter to CodeInterpreterTool with options:
  'auto' (default), 'docker', 'sandlock', 'unsafe'
- Add sandbox configuration options: sandbox_fs_read, sandbox_fs_write,
  sandbox_max_memory_mb, sandbox_max_processes, sandbox_timeout
- Add run_code_in_sandlock() method using sandlock's Sandbox/Policy API
- Add _check_sandlock_available() to verify Linux + sandlock installation
- Add _build_sandlock_policy() to construct sandlock Policy from config
- Update run_code_safety() to fall back to sandlock when Docker unavailable
- Update error messages to mention sandlock as an alternative
- Add 'sandlock' optional dependency in pyproject.toml
- Add 18 new tests covering all sandlock integration paths

Co-Authored-By: João <joao@crewai.com>
@devin-ai-integration
Contributor Author

Prompt hidden (unlisted session)

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

github-actions bot and others added 6 commits March 27, 2026 22:14
@theCyberTech
Member

How will this affect Windows-based deployments?
