Code Execution Tools

This page covers configuration for the built-in server-side code execution environment.

Use this together with Built-in Tools for request examples and runtime usage.


Supported code execution tools

The code execution subsystem provides:

Type identifierRole
code_execution_v1Top-level wrapper — expands into bash_v1, text_editor_v1, and optionally present_files_v1
bash_v1Run arbitrary bash commands in a sandboxed subprocess
text_editor_v1View, create, and edit files in the workspace
view_v1View file or directory contents
str_replace_v1Replace one exact string in a file
create_v1Create a new file
insert_v1Insert text after a given line
present_files_v1Expose generated files to the caller

Standalone endpoints are not provided for code execution tools. Use them through /v1/messages.

present_files_v1 is a server-only metadata tool that surfaces created files to API consumers. It is enabled automatically when code_execution_v1 is used and does not require explicit configuration.


How it works

When the model submits a code_execution_v1 tool call, the server expands it into its constituent tools, creates or reuses a per-session sandbox, and executes the requested operations:

  1. Tool expansioncode_execution_v1 expands into bash_v1, text_editor_v1, and optionally present_files_v1
  2. Session management — each chat session gets an isolated workspace on the host filesystem
  3. Path translation — canonical LLM-visible paths (/home/agent/workspace/) are transparently mapped to real host paths
  4. Subprocess isolation — bash commands run as child processes with OS-level resource limits (setrlimit)
  5. Output scrubbing — real host paths are removed from output before returning to the LLM

Code execution requires no external containers or Docker-in-Docker. The entire sandbox runs in the same process as the PrivateGPT server, using OS-level isolation primitives.


How to install

Code execution is part of the core PrivateGPT package. No additional extras are required:

$uv sync --extra core

No OS-level libraries or external runtimes are needed for code execution.


Workspace layout

Each code execution session has a defined filesystem layout visible to the LLM:

DirectoryCanonical pathWritablePurpose
Workspace/home/agent/workspace/YesWorking directory — create all new files here
Uploads/mnt/user-data/uploads/NoFiles uploaded by the user (read-only)
Outputs/mnt/user-data/outputs/YesDeliverables the user can download
Skills/skills/YesLoaded skill bundles (when skills are active)

All canonical paths are translated to host filesystem paths automatically. The LLM only sees and uses canonical paths.

Attempting to write to /mnt/user-data/uploads/ or access paths outside the workspace layout will be rejected.


Settings reference

code_execution settings

Code execution does not have a global enabled flag. The server always supports code execution when the tool is present in a request.

1code_execution:
2 provider: ${PGPT_CODE_EXECUTION_PROVIDER:local}
3 workspace_path: ${PGPT_CODE_EXECUTION_WORKSPACE_PATH:}
4 timeout: ${PGPT_CODE_EXECUTION_TIMEOUT:60}
5 max_output_bytes: ${PGPT_CODE_EXECUTION_MAX_OUTPUT_BYTES:1048576}
6 volume_root: ${PGPT_CODE_EXECUTION_VOLUME_ROOT:./local_data/private_gpt/volumes}
SettingTypeDefaultDescription
code_execution.providerstr"local"Code execution provider. Only "local" is supported by default.
code_execution.workspace_pathstr | nullnullFilesystem path for persistent workspaces. Falls back to {local_data_folder}/code_execution_workspaces when unset.
code_execution.timeoutint60Default bash execution timeout in seconds.
code_execution.max_output_bytesint1048576Maximum output size returned to the LLM from code execution tools (1 MiB). Output is truncated at this limit after output_cap_bytes.
code_execution.volume_rootstr | nullnullHost filesystem root for session volumes. Required for Files API integration when storage_provider is "local".
code_execution.session_ttl_secondsint1800Idle TTL in seconds before a session kernel is destroyed (30 min). Workspace files are preserved.
code_execution.vfs_sessions_prefixstr"sessions"Path prefix inside the storage bucket for session workspace data.
code_execution.storage_provider"local" or "s3""local"Storage backend for session files (Files API). Use "local" with volume_root set, or "s3" with s3.durable_bucket_name set.

bash settings

Resource limits applied to each isolated bash subprocess via OS-level setrlimit:

1bash:
2 cpu_limit_seconds: ${PGPT_BASH_CPU_LIMIT_SECONDS:30}
3 memory_limit_mb: ${PGPT_BASH_MEMORY_LIMIT_MB:512}
4 fsize_limit_mb: ${PGPT_BASH_FSIZE_LIMIT_MB:10}
5 nproc_limit: ${PGPT_BASH_NPROC_LIMIT:50}
6 output_cap_bytes: ${PGPT_BASH_OUTPUT_CAP_BYTES:1048576}
SettingTypeDefaultDescription
bash.cpu_limit_secondsint30CPU time limit per subprocess (RLIMIT_CPU).
bash.memory_limit_mbint512Virtual memory limit per subprocess in MB (RLIMIT_AS).
bash.fsize_limit_mbint50Maximum file size a subprocess can create in MB (RLIMIT_FSIZE).
bash.nproc_limitint50Maximum number of child processes per subprocess (RLIMIT_NPROC).
bash.output_cap_bytesint1048576Hard cap on raw stdout+stderr before the second max_output_bytes truncation (1 MiB).

Prompt configuration

Per-request, you can control whether code execution environment instructions are injected into the system prompt:

1{
2 "prompt_config": {
3 "code_execution": true
4 }
5}

When true and a code execution tool is present, the prompt includes filesystem layout instructions and available paths. This flag only affects the system prompt — it does not enable or disable the tool itself.

FieldTypeDefaultDescription
prompt_config.code_executionboolfalseEnables code execution environment instructions in the system prompt.

Resource limits and sandboxing

Code execution applies two layers of output size control:

  1. Raw subprocess cap (bash.output_cap_bytes, default 1 MiB) — hard truncation at the subprocess level
  2. Tool output truncation (code_execution.max_output_bytes, default 1 MiB) — applied before returning results to the LLM

On Unix systems, each bash subprocess is isolated with:

  • Process group isolationos.setsid() prevents orphaned child processes
  • CPU limitRLIMIT_CPU caps CPU time
  • Memory limitRLIMIT_AS caps virtual memory
  • File size limitRLIMIT_FSIZE prevents runaway file creation
  • Process count limitRLIMIT_NPROC limits fork bombs
  • Timeout enforcementSIGKILL sent to the entire process group

On Windows, resource isolation is gracefully skipped.

Output scrubbing

All host filesystem paths are automatically removed from command output before being returned to the LLM. The LLM only sees canonical paths.


Session lifecycle

Code execution sessions are managed automatically:

  • Creation — a new sandbox is created on the first code execution tool call in a chat session
  • Reuse — subsequent code execution calls in the same chat session reuse the existing sandbox
  • File persistence — workspace files survive across bash_v1 restart operations
  • Idle expiry — sessions idle for longer than session_ttl_seconds (default 30 minutes) are destroyed by a background reaper
  • Stale detection — if the sandbox process dies, it is transparently recreated on the next tool call

Platform compatibility

PlatformSubprocess isolationResource limitsNotes
LinuxFullFullAll setrlimit and setsid isolation active
macOSFullFullAll setrlimit and setsid isolation active
WindowsNoneNoneSubprocesses run without resource limits

All platforms support the same canonical path translation, output scrubbing, and session lifecycle management.