mcp
An MCP server that provides isolated sandbox environments for executing code in multiple programming languages. Built for AI assistants and developers who need secure, containerized code execution.
claude mcp add --transport stdio sandboxrunner-mcp-server -- docker run -i sandboxrunner-mcp-server
How to use
SandboxRunner is a multi-language MCP (Model Context Protocol) server that executes code in isolated runc/OCI containers. It supports multiple languages through language-specific handlers and exposes an MCP interface over stdio, HTTP, or WebSocket for controlling sandbox lifecycles, feeding code, and reading outputs. Typical usage involves starting the MCP server, then sending MCP messages to request sandbox creation, code execution, or state queries.
The server provides resource isolation (CPU, memory, disk), persistence via SQLite for sandbox state, and configurable security policies and audit logging to monitor and restrict actions within sandboxes. Tools and capabilities include per-language handlers, sandbox lifecycle management, and policy-driven access control to ensure secure execution of untrusted code. You can interact with it using the provided CLI or by integrating your own MCP client over one of the supported transports (stdio, HTTP, or WebSocket).
To use the server, first start it with its runtime, then generate and adjust the configuration as needed. Use the built-in tooling to create or update the MCP configuration, and leverage the language-specific toolchains to submit code in Python, JavaScript/TypeScript, Go, Rust, Java, C++, C#, or Shell. The server’s persistence layer keeps track of sandbox state, so you can query past executions and audit logs as needed. For production deployments, you’ll typically run the server behind a container runtime or orchestration layer, applying your security policies and resource limits per sandbox run.
How to install
Prerequisites:
- Go 1.24+ (or the language runtime used for building from source)
- Docker with runc/OCI support (for containerized sandboxing)
- Git
- Make (optional but recommended for build/install workflow)
Install and run (local development):
- Clone the repository:
  git clone https://github.com/your-org/sandboxrunner-mcp-server.git
  cd sandboxrunner-mcp-server
- Install dependencies and build:
  make build
- Generate initial configuration (optional but recommended):
  make config
- Run the server:
  make run
Alternative containerized run:
- Build the Docker image if provided by the repository, or pull a prebuilt image
- Run the container to start the MCP server. For the stdio transport, keep stdin open (docker run -i); for HTTP or WebSocket, expose the necessary ports as defined by your environment
Configuration notes:
- Ensure Go 1.24+ is installed if building from source
- Ensure Docker is installed and the user has permissions to run containers
- Review and set server configuration in config/mcp-sandboxd.yaml before starting in production
If you prefer a direct binary or language-specific runtime, follow the project’s docs to install the appropriate runtime and use the corresponding make targets to build and run.
Additional notes
Tips and common considerations:
- Security policies: customize sandbox policies to restrict file system access, network egress, and resource usage per sandbox.
- Audit logging: enable and rotate logs to track sandbox executions for compliance.
- Persistence: the SQLite-based state store allows querying sandbox history; ensure the storage directory is writable by the server.
- Transport options: MCP can run over stdio or HTTP/WebSocket; configure the transport in your client and server settings.
- Resource limits: tune CPU, memory, and disk quotas to prevent abuse and ensure fair usage across sandboxes.
- Language handlers: verify that all supported languages (Python, JavaScript/TypeScript, Go, Rust, Java, C++, C#, Shell) have their runtime dependencies installed on the host or in the container image used for sandbox execution.
Related MCP Servers
trpc-agent-go
trpc-agent-go is a powerful Go framework for building intelligent agent systems using large language models (LLMs) and tools.
station
Station is our open-source runtime that lets teams deploy agents on their own infrastructure with full control.
tiger-cli
Tiger CLI is the command-line interface for Tiger Cloud. It includes an MCP server for helping coding agents write production-level Postgres code.
gopls
MCP server for golang projects development: Expand AI Code Agent ability boundary to have a semantic understanding and deterministic information for golang projects.
kubernetes
A Model Context Protocol (MCP) server for the Kubernetes API.
gcp-cost
💰 An MCP server that enables AI assistants to estimate Google Cloud costs, powered by Cloud Billing Catalog API and built with Genkit for Go