Local Safe Code Executor with docker and output file capturing support #3075
Description
** Please make sure you read the contribution guide and file the issues in the right place. **
Contribution guide.
Is your feature request related to a problem? Please describe.
As someone using ADK in corporate environments, I am surprised to see the UnSafeLocalCodeExecutor is only a exec tool, I think it is possible to make it more robust for a lot of usecases.
Describe the solution you'd like
I'd like to the current implementation more robust so that gives us a secure and isolated space to run our code. Here are my 2 ideas for how making it work:
Better Process Handling:
Running in a Sub-process: It could run code in a separate child process. That way, it's isolated from the main ADK tool process, and we can cleanly capture all the output (stdout, stderr) and exit codes without worrying about it interfering with anything else.
Docker Integration: For total isolation, it would be amazing if it could run code inside a Docker container. We could point it to a Dockerfile or a pre-built image, ensuring the environment is always clean and consistent, just like in our CI/CD pipelines.
Capturing Generated Files:
It would also be super helpful if the executor could grab files created during a run, like logs or reports. Maybe we could tell it which files or folders to look for, and it would pull them out of the execution environment for us to inspect.
Describe alternatives you've considered
Adding security checks to current execs just seems more like a band-aid, this could be something that over time may be developed or repurposed for other use cases. I also considered a VM but that is definitely an overkill