feat: Add self-hosted code executor with policy enforcement (OpenShell) #5791

@pixelsoccupied

Is your feature request related to a specific problem?

ADK's current self-hosted code execution options are limited:

  • UnsafeLocalCodeExecutor runs code directly on the host — not suitable for production
  • ContainerCodeExecutor uses Docker but provides no security controls (unrestricted network, filesystem, syscalls)

The remaining executors (VertexAiCodeExecutor, GkeCodeExecutor, AgentEngineSandboxCodeExecutor, BuiltInCodeExecutor) all require Google Cloud. Teams that can't send agent-generated code to external cloud services (compliance, air-gapped environments, on-prem requirements) don't have a self-hosted code executor with security controls.

Describe the Solution You'd Like

Add an OpenShellCodeExecutor that extends BaseCodeExecutor and runs code inside OpenShell sandboxes — self-hosted on your own infrastructure with security policy enforcement.

OpenShell provides:

  • Self-hosted: runs on your infra — no cloud dependency
  • Multiple compute backends: Docker containers, Kubernetes pods, or microVMs (libkrun) through a single interface
  • Declarative security policies: network egress control (per-binary, per-endpoint), filesystem restrictions (Landlock), and seccomp filtering — all via YAML

The executor follows the exact same pattern as ContainerCodeExecutor — create a sandbox, execute Python code, return stdout/stderr.

Impact on your work

I'm building agents that execute code in environments where data cannot leave my infrastructure. The cloud-based executors aren't an option, and the existing self-hosted options lack the security controls needed. OpenShell fills this gap.

Willingness to contribute

Yes — I have a working implementation and am ready to submit a PR.


🟡 Recommended Information

Describe Alternatives You've Considered

  • ContainerCodeExecutor: Self-hosted but no security policies — the container has unrestricted network access and no filesystem enforcement.
  • Wrapping OpenShell as custom ADK tools: Works but bypasses the code execution flow — the LLM wouldn't generate Python code blocks naturally through the code_executor interface.

Proposed API / Implementation

from google.adk.agents import Agent
from openshell_code_executor import OpenShellCodeExecutor

agent = Agent(
    name="secure_coder",
    model="gemini-2.0-flash",
    instruction="Execute Python code in a secure sandbox.",
    code_executor=OpenShellCodeExecutor(),
)

The implementation extends BaseCodeExecutor (~80 lines), following the same pattern as ContainerCodeExecutor:

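from google.adk.agents.invocation_context import InvocationContext
from google.adk.code_executors.base_code_executor import BaseCodeExecutor
from google.adk.code_executors.code_execution_utils import CodeExecutionInput, CodeExecutionResult
from openshell import SandboxClient as OpenShellClient

class OpenShellCodeExecutor(BaseCodeExecutor):
    # Excerpt: self._os_client and self._sandbox_id are set up in the part of
    # the implementation that is not shown here.

    def execute_code(
        self,
        invocation_context: InvocationContext,
        code_execution_input: CodeExecutionInput,
    ) -> CodeExecutionResult:
        # Pipe the generated code to python3 on stdin inside the sandbox.
        result = self._os_client.exec(
            self._sandbox_id,
            ["python3"],
            stdin=code_execution_input.code.encode(),
        )
        # Normalise missing streams to empty strings; no output files are collected.
        return CodeExecutionResult(
            stdout=result.stdout or "",
            stderr=result.stderr or "",
            output_files=[],
        )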

Additional Context

  • NVIDIA OpenShell — open-source sandboxed runtime for AI agents
  • Tested end-to-end: ADK + LiteLLM (OpenAI model) + OpenShell Docker driver — agent generates Python, executor runs it in the sandbox, result returns correctly
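
An added example, not part of the original issue and not ADK or OpenShell code: a check over docker inspect output for the three control classes the issue names (network, filesystem, syscalls), plus privilege settings. The sample HostConfig documents and the function name audit_host_config are constructed for illustration, and treating any network mode other than "none" as open egress is a simplifying assumption.

```python
# Constructed HostConfig excerpts in the shape `docker inspect` returns.
DEFAULT_RUN = {"HostConfig": {
    "NetworkMode": "bridge", "ReadonlyRootfs": False, "Privileged": False,
    "SecurityOpt": None, "CapDrop": None, "Binds": None}}
HARDENED_RUN = {"HostConfig": {
    "NetworkMode": "none", "ReadonlyRootfs": True, "Privileged": False,
    "SecurityOpt": ["no-new-privileges", "seccomp=<custom profile JSON>"],
    "CapDrop": ["ALL"], "Binds": ["/srv/agent/work:/work:rw"]}}


def audit_host_config(inspect_doc):
    """Return findings for a container that will run agent-generated code."""
    hc = inspect_doc.get("HostConfig") or {}
    sec_opts = hc.get("SecurityOpt") or []   # Docker reports null when unset
    binds = hc.get("Binds") or []
    findings = []

    # Network: simplification, anything but "none" counts as open egress.
    mode = hc.get("NetworkMode") or "default"
    if mode != "none":
        findings.append(f"network: attached to '{mode}', egress not blocked")

    # Filesystem: writable rootfs, or the Docker socket mounted into the sandbox.
    if not hc.get("ReadonlyRootfs"):
        findings.append("filesystem: root filesystem is writable")
    if any(b.split(":")[0].endswith("docker.sock") for b in binds):
        findings.append("filesystem: Docker socket is bind-mounted")

    # Syscalls: privileged mode and seccomp=unconfined both remove the filter.
    seccomp = [o for o in sec_opts if o.startswith("seccomp")]
    if hc.get("Privileged") or any(o.endswith("unconfined") for o in seccomp):
        findings.append("syscalls: seccomp filtering is disabled")
    elif not seccomp:
        findings.append("syscalls: only Docker's default seccomp profile applies")

    # Privilege: default capability set kept, or setuid escalation still possible.
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        findings.append("privilege: default capabilities not dropped")
    if not any(o.startswith("no-new-privileges") for o in sec_opts):
        findings.append("privilege: no-new-privileges not set")
    return findings


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_RUN), ("hardened", HARDENED_RUN)):
        print(name, audit_host_config(doc) or "no findings")
```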

Labels: tools ([Component] This issue is related to tools)