The Atlas AnyLegal OSS — documentation bound to its code

Run it locally: services, sandbox, knowledge

From `docker compose up` to the hardened code sandbox and the optional knowledge sidecar — what boots, what to lock down, and what is opt-in.

Optional — build the Python sandbox

The run_code tool runs LLM-generated Python or Node inside a separate anylegal-sandbox:latest Docker image. To enable it, build the sandbox image once on the host that runs the compose stack:

docker build -t anylegal-sandbox:latest backend/sandbox/

The backend container ships with the docker CLI. docker-compose.yml mounts two host paths into it so the run_code tool can launch sandbox containers on the host's docker daemon:

  • /var/run/docker.sock — lets the backend talk to the host's docker daemon
  • /tmp (host) → /tmp (backend) — per-call scratch dirs need to live at the same path on both sides, because the docker daemon resolves bind-source paths against the host filesystem

The sandbox itself runs with --network=none, non-root user, capability drop, no-new-privileges, pids/memory/cpu limits, and a 120s timeout — see backend/sandbox/Dockerfile.
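As an added example (not the project's own launcher), the following script assembles the `docker run` line for one run_code call from the controls listed above and the /tmp path rule; the image name and the 120s timeout are the page's, while the uid, the concrete pids/memory/cpu values and the /work mount point are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the project's own code: build the hardened `docker run` line for
# one run_code call. Image name and timeout come from the docs; uid, limit values and
# the /work mount point are assumptions for illustration.
SANDBOX_IMAGE="${SANDBOX_IMAGE:-anylegal-sandbox:latest}"
SANDBOX_TIMEOUT="${SANDBOX_TIMEOUT:-120}"   # seconds, as documented
# Scratch dirs must sit under /tmp: the backend sees host /tmp at the same path,
# and the host daemon resolves the bind source on the host side.
scratch_dir_ok() {
  case "$1" in /tmp/?*) return 0 ;; *) return 1 ;; esac
}
# sandbox_run SCRATCH_DIR python|node
# With DRY_RUN=1 the command is printed one argument per line instead of being
# executed, so the hardening can be reviewed or tested without a docker daemon.
sandbox_run() {
  dir="$1"; interp="$2"
  scratch_dir_ok "$dir" || { echo "scratch dir must be under /tmp: $dir" >&2; return 1; }
  case "$interp" in
    python) entry="python3 /work/main.py" ;;
    node)   entry="node /work/main.js" ;;
    *) echo "unsupported interpreter: $interp" >&2; return 1 ;;
  esac
  name="anylegal-run-$$-$(date +%s)"
  set -- timeout "$SANDBOX_TIMEOUT" docker run --rm --name "$name" \
    --network=none \
    --user 65534:65534 \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --pids-limit=64 --memory=256m --cpus=1 \
    -v "$dir:/work:ro" \
    "$SANDBOX_IMAGE" $entry
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; return 0; fi
  "$@" && rc=0 || rc=$?
  # `timeout` kills the docker client, not the container: remove it explicitly so a
  # runaway snippet does not keep consuming the memory/cpu budget after exit 124.
  [ "$rc" -eq 124 ] && docker rm -f "$name" >/dev/null 2>&1
  return "$rc"
}
# run_in_sandbox python|node CODE: write CODE into a fresh /tmp scratch dir,
# run it in the sandbox, and clean up regardless of outcome.
run_in_sandbox() {
  interp="$1"; code="$2"
  dir=$(mktemp -d /tmp/anylegal-run.XXXXXX) || return 1
  case "$interp" in python) f=main.py ;; node) f=main.js ;; *) rm -rf "$dir"; return 1 ;; esac
  printf '%s\n' "$code" > "$dir/$f"
  sandbox_run "$dir" "$interp" && rc=0 || rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

Source the file and call `run_in_sandbox python 'print("hi")'` on a host with the sandbox image built; set `DRY_RUN=1` to inspect the exact flags without running anything.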

Security framing for the docker.sock mount. Mounting /var/run/docker.sock into the backend gives the backend container the same privileges as the host's docker daemon — i.e., effectively root on the host. For OSS this is the right trade-off because:

  • OSS is single-tenant. The threat model is the same as installing any other desktop dev tool on your machine.
  • Without the socket mount, run_code cannot work at all — there is no in-container sandboxing primitive that is both properly isolated and independent of host docker access.
  • Production-grade isolation (seccomp profiles, gVisor / Firecracker, separate worker hosts) is part of the hosted product. Self-hosters running untrusted LLM-generated code on a shared box should either disable run_code (comment out the socket + /tmp mounts in docker-compose.yml) or replace the sandbox layer with their own.

To disable the sandbox path entirely (e.g., when running on a multi-user host or a CI runner you don't fully trust), comment out the /var/run/docker.sock and /tmp:/tmp lines in docker-compose.yml's backend service. The agent loop still works for everything except run_code — chat, document drafting, web research, redlining all go through other tools.