Pydantic's new Monty project implements a secure Python subset in Rust, enabling microsecond-fast sandboxing of LLM-generated code. Developer Simon Willison demonstrates WebAssembly implementations running both natively and via Pyodide.
Pydantic has released Monty, a Rust-implemented subset of Python designed for secure execution of LLM-generated code. Unlike container-based solutions that incur hundreds of milliseconds of startup overhead, Monty achieves execution times in single-digit microseconds while maintaining strict security boundaries.
Technical Implementation
Monty's architecture provides:
- Controlled environment: Blocks all filesystem, network, and environment variable access by default
- External function API: Developers explicitly expose permitted host functions
- Memory/CPU constraints: Hard limits prevent resource exhaustion attacks
- Python compatibility: Supports enough syntax (variables, functions, arithmetic) for basic agent operations
Notably absent are class definitions and more advanced Python features - limitations that LLMs can work around through error-driven iteration. As Willison notes: "A coding agent can run some Python code, get an error message telling it that classes aren't supported and then try again with a different approach."
WebAssembly Deployment
Willison demonstrated two browser-based implementations:
- Native WASM Demo: Directly loads compiled Rust WebAssembly with JavaScript bindings
- Pyodide Integration: Uses Python's WebAssembly runtime to load Monty as a PyPI-compatible wheel
The dual approach shows Monty's flexibility - developers can choose between JavaScript-first or Python-first integration depending on their stack.
Practical Considerations
While promising, Monty currently faces several constraints:
- Limited standard library: No
importsystem beyond explicitly exposed functions - Syntax restrictions: Lacks classes, decorators, and other Python features
- Early stage: Current version (0.0.3) remains experimental
However, its Rust foundation provides memory safety guarantees lacking in CPython-based sandboxes, and the WebAssembly compilation path demonstrated by Willison offers deployment flexibility missing in alternatives like Google's Sandboxed API.
Broader Context
Monty enters a crowded field of code sandboxing solutions including:
- WebAssembly runtimes like Wasmtime
- Pyodide's Python-in-browser approach
- Firecracker microVMs for container-level isolation
Its niche appears tailored for AI-assisted coding tools where:
- Startup latency matters (sub-10μs vs 100+ms for containers)
- Code complexity remains limited
- Security boundaries must prevent LLM-induced mayhem
As Willison concludes: "It's small, fast, widely available (thanks to Rust and WebAssembly) and provides strict limits on memory usage, CPU time and access to disk and network." The complete implementation serves as a practical reference for Rust/WebAssembly/Python integration patterns.
Comments
Please log in or register to join the discussion