aleph

The server features a 'best-effort' Python REPL sandbox with robust AST validation, import whitelisting, and blocking of dangerous builtins/dunder access to mitigate code execution risks. Action tools (file I/O, command execution, etc.) are explicitly opt-in via the '--enable-actions' flag and can be further restricted with workspace scoping ('--workspace-root', '--workspace-mode') and confirmation requirements ('--require-confirmation'). However, the inherent nature of running arbitrary Python code and spawning CLI sub-processes (even with precautions like command sanitization and output limits) means it is not a formally hardened sandbox; strong isolation (e.g., containers) is recommended for untrusted input. No obvious hardcoded secrets or malicious patterns were identified.