I posted this elsewhere in the thread, and don't want to spam it everywhere (or take away from Amla!), but you might be interested in eryx [1] - the Python bindings [2] get you a similar Python-in-Python sandbox based on a WASI build of CPython (props to the componentize-py [3] people)!
reply[1]: https://github.com/sd2k/eryx/
That's really cool.
replyAny chance you could add SQLite?
% uv run --with pyeryx python
Installed 1 package in 1ms
Python 3.14.0 (main, Oct 7 2025, 16:07:00) [Clang 20.1.4 ] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import eryx
>>> sandbox = eryx.Sandbox()
>>> result = sandbox.execute('''
... print("Hello from the sandbox!")
... x = 2 + 2
... print(f"2 + 2 = {x}")
... ''')
>>> result
ExecuteResult(stdout="Hello from the sandbox!\n2 + 2 = 4", duration_ms=6.83, callback_invocations=0, peak_memory_bytes=Some(16384000))
>>> sandbox.execute('''
... import sqlite3
... print(sqlite3.connect(":memory:").execute("select sqlite_version()").fetchall())
... ''').stdout
Traceback (most recent call last):
File "<python-input-6>", line 1, in <module>
sandbox.execute('''
~~~~~~~~~~~~~~~^^^^
import sqlite3
^^^^^^^^^^^^^^
print(sqlite3.connect(":memory:").execute("select sqlite_version()").fetchall())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
''').stdout
^^^^
eryx.ExecutionError: Traceback (most recent call last):
File "<string>", line 1, in <module>
File "<string>", line 125, in _eryx_exec
File "<user>", line 2, in <module>
File "/python-stdlib/sqlite3/__init__.py", line 57, in <module>
from sqlite3.dbapi2 import *
File "/python-stdlib/sqlite3/dbapi2.py", line 27, in <module>
from _sqlite3 import *
ModuleNotFoundError: No module named '_sqlite3'
It looks like there's not mechanism yet in the Python bindings for exposing callback functions to the sandboxed code - it exists in the Rust library and Python has a ExecuteRusult.callback_invocations counter so presumably this is coming soon?
replyGood call, yes, I'll get that added soon!
replyHow does this all compare to using pyodide?
replyI'm not super familiar with how pyodide works but I think it uses CPython compiled with Emscripten then needs to be run from a Javascript environment, and uses the browser's (or Node's) Wasm engine.
replyThis uses CPython compiled to WASI and can (in theory) be run from any WASI-compatible Wasm runtime, in this case wasmtime, which has bindings in lots of languages. WASI uses capability based security rather than browser sandboxing and lets the host intercept any syscalls which is pretty cool. Wasmtime also lets you do things like epoch-based interruption, 'gas' for limiting instruction count, memory limits, and a bunch of other things that give you tons of control over the sandbox.
Pyodide/Emscripten might offer something similar but I'm not sure!
Thanks for the explanation, need to dive in deeper into wasm / wasi - I didn't realize there was a difference.
replyA lot of it IS using Pyodide, but wrapping it in a way that's convenient to use not-in-a-browser.
replyThanks Simon! Denobox looks very cool: Deno's permissions model is a natural fit for this.
replyOn the licensing: totally fair point. Our intention is to open source the WASM too. The binary is closed for now only because we need to clean up the source code before releasing it as open-source. The Python SDK and capability layer are MIT. We wanted to ship something usable now rather than wait. Since the wasm binary runs in wasmtime within an open source harness, it is possible to audit everything going in and out of the wasm blob for security.
Genuinely open to feedback on this. If the split license is a blocker for your use cases, that's useful signal for us.
That's great to hear. The split license is a blocker for me because I build open source tools for other people to use, so I need to be sure that all of my dependencies are things I can freely redistribute to others.
replyMakes total sense. We'll prioritize getting the WASM source out. This is good signal that it matters. Will ping you when it's up!
replySmall suggestion: push an alpha to PyPI ASAP mainly to preserve your name there but also to make it more convenient for people to try out with `uv`.
replyYep, we got that sorted. Thanks for the suggestion!
https://pypi.org/project/amla-sandbox/
replySimon - would love if you could take a look at Localsandbox (https://github.com/coplane/localsandbox) - it was partly inspired by your Pyodide post!
replyI tried it (really like the API design) but ran into a blocker:
reply uv run --with localsandbox python -c '
from localsandbox import LocalSandbox
with LocalSandbox() as sandbox:
result = sandbox.bash("echo hi")
print(result.stdout)
'
Traceback (most recent call last):
File "<string>", line 5, in <module>
result = sandbox.bash("echo hi")
File "/Users/simon/.cache/uv/archive-v0/spFCEHagkq3VTpTyStT-Z/lib/python3.14/site-packages/localsandbox/core.py", line 492, in bash
raise SubprocessCrashed(
...<2 lines>...
)
localsandbox.exceptions.SubprocessCrashed: Node subprocess crashed: error: Failed reading lockfile at '/Users/simon/.cache/uv/archive-v0/spFCEHagkq3VTpTyStT-Z/lib/python3.14/site-packages/localsandbox/shim/deno.lock'
Caused by:
Unsupported lockfile version '5'. Try upgrading Deno or recreating the lockfile
It looks like it currently defaults to allowing networking so it can load Pyodide from npm. My preference is a sandbox with no network access at all and access only to specific files that I can configure.
replyThanks for taking a look and the feedback! We run the shim with internet access (https://github.com/coplane/localsandbox/blob/main/localsandb...) but the pyodide sandbox itself doesn't run with internet access : https://github.com/coplane/localsandbox/blob/main/localsandb...
replyOh neat, thanks - I'd missed that.
replyhttps://github.com/bytecodealliance/ComponentizeJS is a Bytecode Alliance project which can run JS in a SpiderMonkey-based runtime as a Wasm component
reply