Code Execution Tools
This page covers configuration for the built-in server-side code execution environment.
Use this together with Built-in Tools for request examples and runtime usage.
Supported code execution tools
The code execution subsystem provides:
Standalone endpoints are not provided for code execution tools. Use them through /v1/messages.
present_files_v1 is a server-only metadata tool that surfaces created files to API consumers. It is enabled automatically when code_execution_v1 is used and does not require explicit configuration.
How it works
When the model submits a code_execution_v1 tool call, the server expands it into its constituent tools, creates or reuses a per-session sandbox, and executes the requested operations:
- Tool expansion —
code_execution_v1expands intobash_v1,text_editor_v1, and optionallypresent_files_v1 - Session management — each chat session gets an isolated workspace on the host filesystem
- Path translation — canonical LLM-visible paths (
/home/agent/workspace/) are transparently mapped to real host paths - Subprocess isolation — bash commands run as child processes with OS-level resource limits (
setrlimit) - Output scrubbing — real host paths are removed from output before returning to the LLM
Code execution requires no external containers or Docker-in-Docker. The entire sandbox runs in the same process as the PrivateGPT server, using OS-level isolation primitives.
How to install
Code execution is part of the core PrivateGPT package. No additional extras are required:
No OS-level libraries or external runtimes are needed for code execution.
Workspace layout
Each code execution session has a defined filesystem layout visible to the LLM:
All canonical paths are translated to host filesystem paths automatically. The LLM only sees and uses canonical paths.
Attempting to write to /mnt/user-data/uploads/ or access paths outside the workspace layout will be rejected.
Settings reference
code_execution settings
Code execution does not have a global enabled flag. The server always supports code execution when the tool is present in a request.
bash settings
Resource limits applied to each isolated bash subprocess via OS-level setrlimit:
Prompt configuration
Per-request, you can control whether code execution environment instructions are injected into the system prompt:
When true and a code execution tool is present, the prompt includes filesystem layout instructions and available paths. This flag only affects the system prompt — it does not enable or disable the tool itself.
Resource limits and sandboxing
Code execution applies two layers of output size control:
- Raw subprocess cap (
bash.output_cap_bytes, default 1 MiB) — hard truncation at the subprocess level - Tool output truncation (
code_execution.max_output_bytes, default 1 MiB) — applied before returning results to the LLM
On Unix systems, each bash subprocess is isolated with:
- Process group isolation —
os.setsid()prevents orphaned child processes - CPU limit —
RLIMIT_CPUcaps CPU time - Memory limit —
RLIMIT_AScaps virtual memory - File size limit —
RLIMIT_FSIZEprevents runaway file creation - Process count limit —
RLIMIT_NPROClimits fork bombs - Timeout enforcement —
SIGKILLsent to the entire process group
On Windows, resource isolation is gracefully skipped.
Output scrubbing
All host filesystem paths are automatically removed from command output before being returned to the LLM. The LLM only sees canonical paths.
Session lifecycle
Code execution sessions are managed automatically:
- Creation — a new sandbox is created on the first code execution tool call in a chat session
- Reuse — subsequent code execution calls in the same chat session reuse the existing sandbox
- File persistence — workspace files survive across
bash_v1restart operations - Idle expiry — sessions idle for longer than
session_ttl_seconds(default 30 minutes) are destroyed by a background reaper - Stale detection — if the sandbox process dies, it is transparently recreated on the next tool call
Platform compatibility
All platforms support the same canonical path translation, output scrubbing, and session lifecycle management.

