added restricted python again

kiranandcode · kiranandcode · commit 3f1aa656b92e · 2026-01-30T20:15:17.000-05:00
diff --git a/effectful/handlers/llm/evaluation.py b/effectful/handlers/llm/evaluation.py
@@ -5,6 +5,13 @@
 from types import CodeType
 from typing import Any
 
+from RestrictedPython import (
+    Eval,
+    Guards,
+    compile_restricted,
+    safe_globals,
+)
+
 from effectful.ops.syntax import ObjectInterpretation, defop, implements
 
 
@@ -86,3 +93,61 @@ def exec(
 
         # Execute module-style so top-level defs land in `env`.
         builtins.exec(bytecode, env, env)
+
+
+class RestrictedEvalProvider(ObjectInterpretation):
+    """
+    Safer provider using RestrictedPython.
+
+    RestrictedPython is not a complete sandbox, but it enforces a restricted
+    language subset and expects you to provide a constrained exec environment.
+    """
+
+    config: dict[str, Any]
+
+    def __init__(self, **kwargs):
+        self.config = kwargs
+
+    @implements(parse)
+    def parse(self, source: str, filename: str) -> ast.Module:
+        # Keep inspect.getsource() working for dynamically-defined objects.
+        linecache.cache[filename] = (
+            len(source),
+            None,
+            source.splitlines(True),
+            filename,
+        )
+        return ast.parse(source, filename=filename, mode="exec")
+
+    @implements(compile)
+    def compile(self, module: ast.Module, filename: str) -> CodeType:
+        # RestrictedPython can compile from an AST directly.
+        return compile_restricted(module, filename=filename, mode="exec", **self.config)
+
+    @implements(exec)
+    def exec(
+        self,
+        bytecode: CodeType,
+        env: dict[str, Any],
+    ) -> None:
+        # Build restricted globals from RestrictedPython's defaults
+        rglobals: dict[str, Any] = safe_globals.copy()
+
+        # Enable class definitions (required for Python 3)
+        rglobals["__metaclass__"] = type
+        rglobals["__name__"] = "restricted"
+
+        # Layer `env` on top (without letting callers replace the restricted builtins).
+        rglobals.update({k: v for k, v in env.items() if k != "__builtins__"})
+
+        # Enable for loops and comprehensions
+        rglobals["_getiter_"] = Eval.default_guarded_getiter
+
+        # Enable sequence unpacking in comprehensions and for loops
+        rglobals["_iter_unpack_sequence_"] = Guards.guarded_iter_unpack_sequence
+        rglobals["getattr"] = Guards.safer_getattr
+        rglobals["setattr"] = Guards.guarded_setattr
+        rglobals["_write_"] = lambda x: x
+
+        # Execute with locals=env so top-level defs land in `env`.
+        builtins.exec(bytecode, rglobals, env)
diff --git a/pyproject.toml b/pyproject.toml
@@ -28,7 +28,9 @@ classifiers = [
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
 ]
-dependencies = []
+dependencies = [
+    "restrictedpython>=8.1",
+]
 
 [project.urls]
 Homepage = "https://www.basis.ai/"
diff --git a/tests/test_handlers_llm_encoding.py b/tests/test_handlers_llm_encoding.py
