
Conversation

@0xCUB3 0xCUB3 commented Oct 25, 2025

Flexible Python code execution validation system with three execution modes:

  • Safe mode (default): Syntax validation only
  • Unsafe execution: Direct subprocess execution with warnings
  • Sandbox execution: Secure Docker-based execution via llm-sandbox

Elements

  • Abstract backend architecture with pluggable execution strategies
  • Import restrictions as an additional security layer (AST-based analysis)
  • Configurable timeouts for both unsafe and sandbox execution
  • Safety warnings when using unsafe execution mode
  • Fallbacks when llm-sandbox is not available

API

# Safe mode (default) - validation only
req = PythonExecutesWithoutError()

# Unsafe execution with warning
req = PythonExecutesWithoutError(allow_unsafe_execution=True, timeout=10)

# Secure sandbox execution
req = PythonExecutesWithoutError(use_sandbox=True, timeout=10)

# With import restrictions
req = PythonExecutesWithoutError(
    use_sandbox=True,
    allowed_imports=["os", "sys", "json"],
    timeout=10
)

Dependencies

  • Adds llm-sandbox[docker]
  • Requires Docker for sandbox functionality

Testing

# Run core tests (no Docker required)
python -m pytest test/stdlib_basics/test_reqlib_python.py -k "not sandbox"

# Run all tests including sandbox (requires Docker)
python -m pytest test/stdlib_basics/test_reqlib_python.py

No breaking changes. Existing code using PythonExecutesWithoutError() continues to work with safe validation mode.

TODO: Documentation, perhaps more rigorous testing on larger code chunks

- Add PythonExecutesWithoutError requirement with three execution backends:
  - SafeBackend: Validates syntax and imports without execution (default)
  - UnsafeBackend: Direct subprocess execution with warnings
  - LLMSandboxBackend: Docker-based execution using llm-sandbox
- Implement allow_unsafe_execution flag with explicit opt-in and warnings
- Add import restriction support for defense-in-depth security
- Support use_sandbox flag for secure Docker-based execution
- Include comprehensive test suite with 21 test cases
- Maintain backward compatibility while defaulting to safe mode
- Add llm-sandbox[docker] dependency for optional sandbox functionality

Improves code formatting and readability in python.py by splitting long lines, adding whitespace, and updating argument formatting. Also updates test import order in test_reqlib_python.py for consistency.
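The description above lists three backends, an AST-based import allowlist, a timeout and an explicit opt-in flag for direct subprocess execution. The sketch below is an added illustration of that design, not code from this PR or from the llm-sandbox project: the function and class names (check_python, find_imports, validate, ImportViolation) are hypothetical, and only the flag names allowed_imports, allow_unsafe_execution and timeout are borrowed from the PR's API. It shows the one detail an AST allowlist must not miss, namely that `__import__(...)` and relative imports never appear as an `import` statement and have to be flagged separately, and it runs the "unsafe" mode with `python -I` so the child ignores PYTHON* environment variables and the current directory on sys.path.

```python
"""Hypothetical validate-then-execute checker (added example, not the PR's code)."""
import ast
import subprocess
import sys
import warnings


class ImportViolation(Exception):
    """Raised when the AST references a module outside the allowlist."""


def find_imports(source: str) -> set[str]:
    """Return the top-level module names that `source` imports.

    Raises SyntaxError if the code does not parse, which is the whole of
    "safe mode".  Besides `import x` / `from x import y` it records two
    spellings an allowlist must also cover: relative imports (as ".") and
    the `__import__` builtin, which is never an import statement itself.
    `importlib` is caught as an ordinary import and is denied unless listed.
    """
    tree = ast.parse(source)
    found: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            # level > 0 is a relative import; record it as "." so it can never be allowlisted
            found.add(node.module.split(".")[0] if node.module and node.level == 0 else ".")
        elif isinstance(node, ast.Name) and node.id == "__import__":
            found.add("__import__")
    return found


def validate(source: str, allowed_imports=None) -> set[str]:
    """Safe mode: parse and enforce the allowlist without executing anything."""
    mods = find_imports(source)
    if allowed_imports is not None:
        denied = sorted(mods - set(allowed_imports))
        if denied:
            raise ImportViolation(f"imports not in allowlist: {denied}")
    return mods


def check_python(source: str, allowed_imports=None,
                 allow_unsafe_execution: bool = False, timeout: int = 10):
    """Validate first; execute only on explicit opt-in.  Returns (ok, message)."""
    try:
        validate(source, allowed_imports)
    except SyntaxError as e:
        return False, f"syntax error: {e.msg} (line {e.lineno})"
    except ImportViolation as e:
        return False, str(e)
    if not allow_unsafe_execution:
        return True, "validated only, not executed"

    # Unsafe mode: a plain subprocess.  -I (isolated mode) ignores PYTHON* env
    # vars and keeps the cwd off sys.path, but it is NOT a sandbox: the child
    # still has the caller's filesystem, network and credentials.
    warnings.warn("executing untrusted code directly in a subprocess",
                  RuntimeWarning, stacklevel=2)
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() kills the child before re-raising, so nothing is left behind
        return False, f"timed out after {timeout}s"
    if proc.returncode != 0:
        err = proc.stderr.strip()
        return False, err.splitlines()[-1] if err else f"exit code {proc.returncode}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: an allowed script, a denied dynamic import, and a hang.
    print(check_python("import json\nprint(json.dumps([1]))", allowed_imports=["json"]))
    print(check_python("m = __import__('subprocess')", allowed_imports=["json"]))
    print(check_python("import time\ntime.sleep(30)", allow_unsafe_execution=True, timeout=1))
```

The allowlist is a defence-in-depth measure only: a syntax tree says nothing about what an allowed module does (`os` alone is enough to read files), and code can still reach other modules through attribute walks on objects it already has. That is the gap the Docker-backed sandbox mode is meant to close; the subprocess mode above should be read as "not sandboxed", exactly as the PR's warning says.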
mergify bot commented Oct 25, 2025

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:
