feat(cloud): implement secure agent execution engine with VM2 sandboxing #158

jeevanpillay · 2025-09-08T16:22:35Z

Summary

This PR implements a complete cloud-native agent execution system for apps/cloud that safely runs external user code with proper security isolation.

🎯 Key Features

AST-Based Bundle Parsing: Safely extracts agent configurations without executing code
VM2 Sandboxing: Secure tool execution with network/filesystem isolation
Lightfast Integration: Native streaming via fetchRequestHandler
Vercel-Only: No external services, full Node.js capabilities

🔧 Implementation Details

1. Bundle Parser (`src/lib/bundle-parser.ts`)

Uses @babel/parser for AST analysis of JavaScript bundles
Extracts agent configs, tools, and metadata safely
Supports createAgent() and createLightfast() patterns
Zero code execution during parsing

2. Secure Tool Execution (`src/app/api/tool/route.ts`)

VM2 sandbox with 30-second timeout limits
Blocks filesystem (fs), network (http/https), and child processes
Console output capture and detailed error reporting
Node.js runtime for VM2 compatibility

3. Tool Proxying (`src/lib/tool-proxy.ts`)

Creates proper Lightfast ToolFactory functions
Converts JSON Schema → Zod validation
Runtime context injection (sessionId, resourceId)
Proxies tool calls to secure /api/tool endpoint

4. Agent Execution (`src/app/api/execute/route.ts`)

Fetches agent bundles via HTTP
AST parsing → Lightfast agent creation
fetchRequestHandler for native AI SDK streaming
Comprehensive error handling

🔒 Security Architecture

User Bundle → AST Parser → Agent Config
                            ↓
Agent Creation → Tool Proxies → VM2 Sandbox
                    ↓              ↓
             fetchRequestHandler → Secure Execution
                    ↓
                Streaming UI

✅ No code execution during bundle analysis
✅ All tools run in isolated VM2 environment
✅ Network and filesystem access blocked
✅ Resource limits with execution timeouts
✅ Vercel-native with full Node.js capabilities

🧪 Testing

Tested end-to-end with sample weather agent including:

Safe tools (weather simulation)
Potentially unsafe tools (filesystem access)
All security restrictions verified working

📦 Dependencies

@babel/parser ^7.28.4 - AST parsing
@babel/traverse ^7.28.4 - AST traversal
@babel/types ^7.28.4 - AST types
vm2 ^3.9.19 - Secure sandbox

🚀 Next Steps

Add authentication/authorization for agent ownership
Implement rate limiting per organization
Add metrics and monitoring
Support for more bundle formats

Test plan

Bundle parsing works with sample agents
Tool execution properly sandboxed
Agent creation and streaming functional
Security restrictions enforced
Error handling comprehensive
Integration with existing Lightfast framework

🤖 Generated with Claude Code

This commit implements a complete cloud-native agent execution system for apps/cloud that safely runs external user code with proper security isolation. ## Key Components ### 1. AST-Based Bundle Parser (`src/lib/bundle-parser.ts`) - Safely parses Lightfast agent bundles without code execution - Uses @babel/parser and @babel/traverse for AST analysis - Extracts agent configurations, tools, and metadata - Supports both createAgent() and createLightfast() patterns ### 2. Secure Tool Execution (`src/app/api/tool/route.ts`) - VM2-based sandboxing for tool execution with 30s timeout limits - Blocks filesystem, network, and child process access - Captures console output and provides detailed error reporting - Forces Node.js runtime for VM2 compatibility ### 3. Tool Proxying System (`src/lib/tool-proxy.ts`) - Creates Lightfast ToolFactory functions that proxy to secure execution - Converts JSON Schema parameters to Zod validation - Injects runtime context (sessionId, resourceId) properly - Handles tool execution errors with helpful messages ### 4. Agent Execution Engine (`src/app/api/execute/route.ts`) - Fetches and parses agent bundles via HTTP - Creates real Lightfast agents with proxied tools - Uses fetchRequestHandler for native AI SDK streaming - Implements proper error handling and logging ## Security Features - ✅ Zero code execution during bundle parsing (AST-only analysis) - ✅ Sandboxed tool execution in isolated VM2 environment - ✅ Network and filesystem access restrictions - ✅ Resource limits with execution timeouts - ✅ Vercel-only deployment with full Node.js capabilities - ✅ No external services required ## Dependencies Added - @babel/parser: ^7.28.4 - JavaScript AST parsing - @babel/traverse: ^7.28.4 - AST traversal - @babel/types: ^7.28.4 - AST node types - vm2: ^3.9.19 - Secure JavaScript sandbox - isolated-vm: ^6.0.1 - Alternative sandbox (kept for future use) ## Testing The system has been tested end-to-end with a sample weather agent bundle that includes tools with both safe and potentially unsafe operations. All security restrictions work as expected. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>

vercel · 2025-09-08T16:22:41Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
lightfast-auth	Ready	Preview	Comment	Sep 8, 2025 4:28pm
lightfast-chat	Ready	Preview	Comment	Sep 8, 2025 4:28pm
lightfast-cloud	Error			Sep 8, 2025 4:28pm
lightfast-docs	Ready	Preview	Comment	Sep 8, 2025 4:28pm
lightfast-playground	Error			Sep 8, 2025 4:28pm
lightfast-www	Ready	Preview	Comment	Sep 8, 2025 4:28pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
lightfast-experimental	Ignored			Sep 8, 2025 4:28pm

vercel bot deployed to Preview – lightfast-auth September 8, 2025 16:24 View deployment

vercel bot deployed to Preview – lightfast-chat September 8, 2025 16:25 View deployment

vercel bot had a problem deploying to Preview – lightfast-playground September 8, 2025 16:25 Failure

vercel bot had a problem deploying to Preview – lightfast-cloud September 8, 2025 16:25 Failure

vercel bot deployed to Preview – lightfast-docs September 8, 2025 16:25 View deployment

vercel bot deployed to Preview – lightfast-www September 8, 2025 16:28 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(cloud): implement secure agent execution engine with VM2 sandboxing #158

feat(cloud): implement secure agent execution engine with VM2 sandboxing #158

Uh oh!

jeevanpillay commented Sep 8, 2025

Uh oh!

vercel bot commented Sep 8, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

feat(cloud): implement secure agent execution engine with VM2 sandboxing #158

Are you sure you want to change the base?

feat(cloud): implement secure agent execution engine with VM2 sandboxing #158

Uh oh!

Conversation

jeevanpillay commented Sep 8, 2025

Summary

🎯 Key Features

🔧 Implementation Details

1. Bundle Parser (src/lib/bundle-parser.ts)

2. Secure Tool Execution (src/app/api/tool/route.ts)

3. Tool Proxying (src/lib/tool-proxy.ts)

4. Agent Execution (src/app/api/execute/route.ts)

🔒 Security Architecture

🧪 Testing

📦 Dependencies

🚀 Next Steps

Test plan

Uh oh!

vercel bot commented Sep 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

1. Bundle Parser (`src/lib/bundle-parser.ts`)

2. Secure Tool Execution (`src/app/api/tool/route.ts`)

3. Tool Proxying (`src/lib/tool-proxy.ts`)

4. Agent Execution (`src/app/api/execute/route.ts`)

vercel bot commented Sep 8, 2025 •

edited

Loading