Runtime Supervisor

Runtime Supervisor is the policy layer for teams that need request-time approvals before high-risk operations execute.

Status: Preview design. For production controls today, use Network Filtering, Endpoint Rules, and Audit Trail.

Proposed sandbox config

from isorun import Sandbox

with Sandbox("python", supervisor={
    "webhook": "https://your-app.com/approve",
    "events": ["network_request", "file_write", "exec"],
    "decision_timeout_ms": 3000,
    "default_action": "deny",
}) as sb:
    sb.exec("python3 task.py")

Proposed webhook payload

{
  "event_id": "evt_01J9...",
  "event": "network_request",
  "sandbox_id": "run78cbccbab85efc28",
  "timestamp": "2026-04-10T12:03:20Z",
  "details": {
    "host": "api.openai.com",
    "method": "POST",
    "path": "/v1/chat/completions"
  }
}

Proposed webhook response

{ "approved": true, "reason": "policy matched: allow-openai-chat" }

{ "approved": false, "reason": "write operation blocked by policy" }

Design goals

• Deterministic timeout behavior (default_action on webhook timeout).
• Low-latency approval path.
• Full auditability of allow/deny decisions.
• Composable with host/method/path policy controls.