runjs

RunJS is an MCP server that securely executes JavaScript inside a sandbox powered by the Jint .NET library. It provides a safe execution environment with configurable memory limits, runtime constraints, and recursion depth to prevent abuse. The server includes a built-in secrets manager to securely store API keys, a fetch-like mechanism for outbound HTTP requests (with secret injection), and jsonpath-plus support for convenient JSON processing. You can invoke the MCP via a client (for example, the Vercel AI SDK or other MCP clients) to generate and run JavaScript against your input data, returning transformed results or HTTP-driven outputs. The workflow typically involves obtaining a tool from the MCP (the RunJS execution tool), passing in your JavaScript, and letting the sandboxed runtime return a result to your application. This enables you to process JSON, transform payloads, or call external REST APIs safely within your own private network.

Prerequisites:

• Docker installed on your host
• Basic familiarity with running containers

Installation steps:

1. Install Docker on your machine (Desktop or Engine) from https://www.docker.com/get-started
2. Pull or prepare the RunJS MCP server image (example image used in docs): docker pull cdigs/runjs-mcp-server
3. Run the MCP server using Docker with the recommended environment configuration: docker run -i -p 5000:8080
   -e RunJSConfig__Jint__LimitMemory=10000000
   -e RunJSConfig__Jint__TimeoutIntervalSeconds=30
   cdigs/runjs-mcp-server
4. Verify the server is reachable at http://localhost:5000/ (or your mapped host URL) and the SSE endpoint is exposed as /sse if used by your MCP client.

Optional: For persistence of secrets, configure a database (Postgres) as described in the project docs and set the appropriate environment variables in your docker run command or docker-compose file.

Tips and common considerations:

• The default RunJS sandbox uses Jint with memory and runtime limits to avoid runaway scripts. Adjust RunJSConfig__Jint__LimitMemory and RunJSConfig__Jint__TimeoutIntervalSeconds to fit your workload.
• Secrets storage is secure by design (encrypted at rest); by default, secrets may be ephemeral. For persistence, wire up a database backend (e.g., Postgres) as described in the docs and update the environment accordingly.
• The server exposes an HTTP API for the MCP client. If exposing to the public internet, consider using a reverse proxy and TLS termination.
• Local testing can use port 5000; when deploying in private networks, ensure proper network routing and firewall rules for the /sse or HTTP endpoints used by your MCP client.
• If using the provided Docker image, keep the image up to date to receive security and feature updates.