Hyperlight sandbox provider for Agent governance Toolkit (#1806)

* Adding Hyperlight provider

Signed-off-by: Imran Siddique <imran.siddique@microsoft.com>

* Code review comments

Signed-off-by: Imran Siddique <imran.siddique@microsoft.com>

* Fix dependency confusion

Signed-off-by: Imran Siddique <imran.siddique@microsoft.com>

* fix(ci): add cspell terms and fix broken Azure design doc link

Add Hyperlight-specific terms (Nanvix, microkernel, hypercall,
flatbuffer, uncallable, reqwest, bursty, kwarg) to cspell dictionary.
Replace broken link to non-existent AZURE-SANDBOX-ISOLATION-DESIGN.md
with 'planned' placeholder.

Signed-off-by: Imran Siddique <45405841+imran-siddique@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: Imran Siddique <imran.siddique@microsoft.com>
Co-authored-by: Amol Ravande <amolr@microsoft.com>
Co-authored-by: Imran Siddique <imran.siddique@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 4 people

.cspell-repo-terms.txt

@@ -143,4 +143,12 @@ cref
 nameof
 aspnet
 appsettings
+bursty
+flatbuffer
+hypercall
+kwarg
+microkernel
+Nanvix
+reqwest
 requireapproval
+uncallable

agent-governance-python/agent-sandbox/pyproject.toml

@@ -39,11 +39,14 @@ dependencies = []
 docker = [
     "docker>=7.0.0,<8.0",
 ]
+hyperlight = [
+    "hyperlight-sandbox>=0.4.0,<0.5",
+]
 policy = [
     "agent-os-kernel>=3.2.0,<4.0",
 ]
 full = [
-    "agent-sandbox[docker,policy]",
+    "agent-sandbox[docker,hyperlight,policy]",
 ]
 dev = [
     "pytest>=8.0.0,<10.0",

agent-governance-python/agent-sandbox/src/agent_sandbox/__init__.py

@@ -1,11 +1,17 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
-"""Agent Sandbox — Docker-based execution isolation for AI agents.
+"""Agent Sandbox — execution isolation for AI agents.
 
 Provides ``SandboxProvider``, the abstract base class for all sandbox
-backends, and ``DockerSandboxProvider``, a hardened Docker implementation
-with policy-driven resource limits, tool/network proxies, and filesystem
-checkpointing via ``docker commit``.
+backends, plus two built-in implementations:
+
+* :class:`DockerSandboxProvider` — hardened Docker containers with
+  policy-driven resource limits, tool/network proxies, and filesystem
+  checkpointing via ``docker commit``.
+* :class:`HyperLightSandboxProvider` — micro-VM isolation backed by the
+  upstream `hyperlight-sandbox <https://github.com/hyperlight-dev/hyperlight-sandbox>`_
+  project (CNCF Sandbox). Capability-bound tools and domains, with
+  in-memory snapshots.
 """
 
 from importlib.metadata import PackageNotFoundError, version
@@ -20,14 +26,35 @@
     SessionStatus,
 )
 from agent_sandbox.isolation_runtime import IsolationRuntime
-from agent_sandbox.state import SandboxCheckpoint, SandboxStateManager
+from agent_sandbox.docker_provider.state import SandboxCheckpoint, SandboxStateManager
 
 # Lazy import: DockerSandboxProvider requires the optional ``docker`` SDK.
 try:
-    from agent_sandbox.docker_sandbox_provider import DockerSandboxProvider
+    from agent_sandbox.docker_provider import DockerSandboxProvider
 except ImportError:
     DockerSandboxProvider = None  # type: ignore[assignment,misc]
 
+# Lazy import: HyperLightSandboxProvider requires the optional
+# ``hyperlight-sandbox`` SDK. The class itself does not import the
+# SDK at module load — the dependency is resolved at session-creation
+# time — but we still wrap the import in ``try/except ImportError`` for
+# symmetry with ``DockerSandboxProvider`` and to remain robust against
+# future refactors that might pull the SDK in eagerly.
+try:
+    from agent_sandbox.hyperlight_provider import (
+        HyperlightBackend,
+        HyperlightConfig,
+        HyperLightSandboxProvider,
+        SnapshotHandle,
+        hyperlight_config_from_policy,
+    )
+except ImportError:
+    HyperlightBackend = None  # type: ignore[assignment,misc]
+    HyperlightConfig = None  # type: ignore[assignment,misc]
+    HyperLightSandboxProvider = None  # type: ignore[assignment,misc]
+    SnapshotHandle = None  # type: ignore[assignment,misc]
+    hyperlight_config_from_policy = None  # type: ignore[assignment]
+
 try:
     __version__ = version("agent-sandbox")
 except PackageNotFoundError:
@@ -38,6 +65,9 @@
     "DockerSandboxProvider",
     "ExecutionHandle",
     "ExecutionStatus",
+    "HyperLightSandboxProvider",
+    "HyperlightBackend",
+    "HyperlightConfig",
     "IsolationRuntime",
     "SandboxCheckpoint",
     "SandboxConfig",
@@ -46,4 +76,6 @@
     "SandboxStateManager",
     "SessionHandle",
     "SessionStatus",
+    "SnapshotHandle",
+    "hyperlight_config_from_policy",
 ]

agent-governance-python/agent-sandbox/src/agent_sandbox/docker_provider/__init__.py

@@ -0,0 +1,29 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+"""Docker-backed sandbox provider for ``agent-sandbox``.
+
+Implements :class:`agent_sandbox.SandboxProvider` on top of hardened
+Docker containers with policy-driven resource limits, tool/network
+proxies, and filesystem checkpointing via ``docker commit``.
+
+Importing :class:`DockerSandboxProvider` requires the optional
+``docker`` SDK to be installed.
+"""
+
+from agent_sandbox.docker_provider.provider import (
+    DockerSandboxProvider,
+    docker_config_from_policy,
+    has_iptables,
+)
+from agent_sandbox.docker_provider.state import (
+    SandboxCheckpoint,
+    SandboxStateManager,
+)
+
+__all__ = [
+    "DockerSandboxProvider",
+    "SandboxCheckpoint",
+    "SandboxStateManager",
+    "docker_config_from_policy",
+    "has_iptables",
+]

…agent_sandbox/docker_sandbox_provider.py …gent_sandbox/docker_provider/provider.pyagent-governance-python/agent-sandbox/src/agent_sandbox/docker_sandbox_provider.py renamed to agent-governance-python/agent-sandbox/src/agent_sandbox/docker_provider/provider.py agent-governance-python/agent-sandbox/src/agent_sandbox/docker_sandbox_provider.py renamed to agent-governance-python/agent-sandbox/src/agent_sandbox/docker_provider/provider.py

@@ -32,7 +32,7 @@
     SessionHandle,
     SessionStatus,
 )
-from agent_sandbox.state import SandboxCheckpoint, SandboxStateManager
+from agent_sandbox.docker_provider.state import SandboxCheckpoint, SandboxStateManager
 
 logger = logging.getLogger(__name__)
 

…agent-sandbox/src/agent_sandbox/state.py …c/agent_sandbox/docker_provider/state.pyagent-governance-python/agent-sandbox/src/agent_sandbox/state.py renamed to agent-governance-python/agent-sandbox/src/agent_sandbox/docker_provider/state.py agent-governance-python/agent-sandbox/src/agent_sandbox/state.py renamed to agent-governance-python/agent-sandbox/src/agent_sandbox/docker_provider/state.py

@@ -10,7 +10,7 @@
 from typing import TYPE_CHECKING, Any
 
 if TYPE_CHECKING:
-    from agent_sandbox.docker_sandbox_provider import DockerSandboxProvider
+    from agent_sandbox.docker_provider.provider import DockerSandboxProvider
 
 logger = logging.getLogger(__name__)
 

agent-governance-python/agent-sandbox/src/agent_sandbox/hyperlight_provider/__init__.py

@@ -0,0 +1,33 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+"""Hyperlight-backed sandbox provider for ``agent-sandbox``.
+
+Implements :class:`agent_sandbox.SandboxProvider` on top of the upstream
+`hyperlight-sandbox <https://github.com/hyperlight-dev/hyperlight-sandbox>`_
+project (CNCF Sandbox, Apache-2.0).
+
+See ``docs/proposals/HYPERLIGHT-SANDBOX-ISOLATION-DESIGN.md`` for the
+design rationale.
+
+Importing :class:`HyperLightSandboxProvider` does not require
+``hyperlight-sandbox`` to be installed; the dependency is only resolved
+when the provider is constructed and ``is_available()`` is queried.
+"""
+
+from agent_sandbox.hyperlight_provider.config import (
+    HyperlightConfig,
+    hyperlight_config_from_policy,
+)
+from agent_sandbox.hyperlight_provider.provider import (
+    HyperlightBackend,
+    HyperLightSandboxProvider,
+    SnapshotHandle,
+)
+
+__all__ = [
+    "HyperlightBackend",
+    "HyperlightConfig",
+    "HyperLightSandboxProvider",
+    "SnapshotHandle",
+    "hyperlight_config_from_policy",
+]

agent-governance-python/agent-sandbox/src/agent_sandbox/hyperlight_provider/config.py

@@ -0,0 +1,160 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+"""Configuration helpers for :class:`HyperLightSandboxProvider`.
+
+The configuration mirrors the design doc's ``HyperlightConfig`` surface:
+
+* ``backend`` and ``module`` select which upstream backend / guest the
+  session runs on.
+* ``heap_size_bytes`` / ``stack_size_bytes`` / ``max_execution_time_ms``
+  map to upstream's ``SandboxConfiguration`` knobs.
+* ``input_dir`` / ``output_dir`` are mounted in the guest as read-only
+  ``/input`` and writable ``/output``.
+
+``hyperlight_config_from_policy`` performs the same kind of policy →
+config translation as ``docker_config_from_policy`` so a single
+``PolicyDocument`` (or duck-typed equivalent) can drive either backend.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Any
+
+from agent_sandbox.sandbox_provider import SandboxConfig
+
+# Upstream backend identifiers. Kept as plain strings (not an Enum) to
+# avoid forcing callers to import a hyperlight-specific symbol just to
+# pass ``backend="wasm"``.
+_VALID_BACKENDS: frozenset[str] = frozenset({"wasm", "hyperlightjs", "nanvix"})
+
+# Default heap / stack sizes follow upstream's ``SandboxConfiguration``
+# defaults at hyperlight-sandbox v0.4.0.
+_DEFAULT_HEAP_BYTES = 64 * 1024 * 1024
+_DEFAULT_STACK_BYTES = 2 * 1024 * 1024
+_DEFAULT_MAX_EXEC_MS = 60_000
+
+
+@dataclass
+class HyperlightConfig:
+    """Provider-specific configuration for a Hyperlight session.
+
+    Attributes
+    ----------
+    backend:
+        Upstream backend selector — ``"wasm"`` (default; supports the
+        packaged Python and JS guests), ``"hyperlightjs"`` (JS-only,
+        smaller footprint), or ``"nanvix"`` (preview microkernel; no
+        tools, FS, network, or snapshots).
+    module:
+        Guest module identifier passed to upstream when ``backend ==
+        "wasm"``. ``"python_guest"`` runs real Python source via
+        ``Sandbox.run("…")``; ``"javascript_guest"`` runs JS source.
+        Ignored for ``hyperlightjs`` and ``nanvix``.
+    heap_size_bytes / stack_size_bytes / max_execution_time_ms:
+        Upstream ``SandboxConfiguration`` knobs.
+    input_dir / output_dir:
+        Optional host paths mounted in the guest as ``/input``
+        (read-only) and ``/output`` (writable, per-session).
+    env_vars:
+        Optional host-side environment exposed to the guest where the
+        backend supports it. Ignored on backends that have no env model.
+    """
+
+    backend: str = "wasm"
+    module: str | None = "python_guest"
+    heap_size_bytes: int = _DEFAULT_HEAP_BYTES
+    stack_size_bytes: int = _DEFAULT_STACK_BYTES
+    max_execution_time_ms: int = _DEFAULT_MAX_EXEC_MS
+    input_dir: str | None = None
+    output_dir: str | None = None
+    env_vars: dict[str, str] = field(default_factory=dict)
+
+    def __post_init__(self) -> None:
+        if self.backend not in _VALID_BACKENDS:
+            raise ValueError(
+                f"Unknown Hyperlight backend '{self.backend}'. "
+                f"Expected one of: {sorted(_VALID_BACKENDS)}"
+            )
+        if self.heap_size_bytes <= 0:
+            raise ValueError("heap_size_bytes must be positive")
+        if self.stack_size_bytes <= 0:
+            raise ValueError("stack_size_bytes must be positive")
+        if self.max_execution_time_ms <= 0:
+            raise ValueError("max_execution_time_ms must be positive")
+        # ``module`` is upstream-validated when the Sandbox is built; we
+        # don't enforce a hardcoded list here so future packaged guests
+        # work without an SDK release.
+
+    @classmethod
+    def from_sandbox_config(
+        cls,
+        cfg: SandboxConfig,
+        *,
+        backend: str = "wasm",
+        module: str | None = "python_guest",
+    ) -> HyperlightConfig:
+        """Translate the generic :class:`SandboxConfig` into a
+        :class:`HyperlightConfig`.
+
+        Resource limits (``memory_mb``, ``timeout_seconds``) become
+        upstream heap / max-execution-time. ``cpu_limit`` is dropped
+        because Hyperlight pins one vCPU per micro-VM.
+        """
+        return cls(
+            backend=backend,
+            module=module,
+            heap_size_bytes=int(cfg.memory_mb) * 1024 * 1024,
+            stack_size_bytes=_DEFAULT_STACK_BYTES,
+            max_execution_time_ms=int(cfg.timeout_seconds * 1000),
+            input_dir=cfg.input_dir,
+            output_dir=cfg.output_dir,
+            env_vars=dict(cfg.env_vars),
+        )
+
+
+def hyperlight_config_from_policy(
+    policy: Any,
+    base: HyperlightConfig | None = None,
+) -> HyperlightConfig:
+    """Extract Hyperlight-relevant fields from a policy.
+
+    Reads well-known attributes (``defaults.max_memory_mb``,
+    ``defaults.timeout_seconds``, ``sandbox_mounts.input_dir`` /
+    ``output_dir``) when present; missing attributes leave *base*
+    unchanged. Tool and network allowlists are *not* merged here —
+    those are applied by :class:`HyperLightSandboxProvider` directly
+    via ``register_tool`` / ``allow_domain``.
+    """
+    cfg = HyperlightConfig(
+        backend=base.backend if base else "wasm",
+        module=base.module if base else "python_guest",
+        heap_size_bytes=base.heap_size_bytes if base else _DEFAULT_HEAP_BYTES,
+        stack_size_bytes=base.stack_size_bytes if base else _DEFAULT_STACK_BYTES,
+        max_execution_time_ms=(
+            base.max_execution_time_ms if base else _DEFAULT_MAX_EXEC_MS
+        ),
+        input_dir=base.input_dir if base else None,
+        output_dir=base.output_dir if base else None,
+        env_vars=dict(base.env_vars) if base else {},
+    )
+
+    defaults = getattr(policy, "defaults", None)
+    if defaults is not None:
+        max_mem_mb = getattr(defaults, "max_memory_mb", None)
+        if isinstance(max_mem_mb, (int, float)) and max_mem_mb > 0:
+            cfg.heap_size_bytes = int(max_mem_mb) * 1024 * 1024
+        timeout_s = getattr(defaults, "timeout_seconds", None)
+        if isinstance(timeout_s, (int, float)) and timeout_s > 0:
+            cfg.max_execution_time_ms = int(timeout_s * 1000)
+
+    mounts = getattr(policy, "sandbox_mounts", None)
+    if mounts is not None:
+        in_dir = getattr(mounts, "input_dir", None)
+        if in_dir:
+            cfg.input_dir = str(in_dir)
+        out_dir = getattr(mounts, "output_dir", None)
+        if out_dir:
+            cfg.output_dir = str(out_dir)
+
+    return cfg