llmbox

module v0.0.36
Published: Jun 24, 2026 License: Apache-2.0

README

llmbox


An MCP server for spinning up sandboxed Claude instances ("llmboxes") on demand. From a chatbot you say "create an llmbox"; you get back a URL; you open it, sign in with your own Claude account, and the sandbox activates — driveable from claude.ai/code or the mobile app via Claude's Remote Control.

Each box is a container running Claude Code in remote-control mode, authenticated by the end user. Built with the official Go SDK.

"create an llmbox"  ──▶  auth URL  ──▶  you sign in with Claude  ──▶  session URL

Because the OAuth code exchanges for a full-scope account token, it is kept out of the model's context entirely: the chatbot only ever sees the box ID and the auth-page URL, while the code travels browser → server → container out of band. See Architecture for the full design.

Quick start

docker build -t llmbox .

# Copy the example config and edit it (at least set public_url).
cp llmbox.example.yaml llmbox.yaml

docker run -d --name llmbox \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$PWD/llmbox.yaml:/etc/llmbox/llmbox.yaml:ro" \
  --group-add "$(stat -c '%g' /var/run/docker.sock)" \
  -p 8080:8080 \
  llmbox --config /etc/llmbox/llmbox.yaml

Then add the server's root URL (https://boxes.example.com/, streamable HTTP) as a remote MCP server in your client. Full details — Docker socket permissions, docker compose, TLS — are in Running & configuration.

MCP tools

create_llmbox, get_llmbox, list_llmboxes, destroy_llmbox, get_llmbox_logs, exec_llmbox. See MCP tools for arguments and return values.

Documentation

| Doc | What's in it |
|---|---|
| Architecture | The auth-secret split, the activation flow, the activation page, and the code components. |
| MCP tools | Full reference for every tool's arguments and results. |
| Running & configuration | Running the server, connecting a chatbot, and the YAML config reference. |
| Authenticating activation | Gating activation behind a sign-in provider (OIDC) so a leaked token can't hijack a box. |
| Box lifecycle hooks | Injecting per-box secrets/files via box.create/box.destroy hooks, plus box networking and isolation. |
| Operations | Session persistence, box credentials across restarts, and orphan cleanup. |
| Development | Building, CI, and the unit / integration / end-to-end test suites. |

Status & caveats

  • The create → authorize-URL → auth-page path is verified end-to-end (including a real container and the live HTTP/MCP stack). The final code → session URL exchange needs a human to authorize in a browser; the wrapper that runs claude auth login then claude remote-control is in internal/docker/manager.go and is easy to tweak if your Claude version's prompts differ.
  • Each box consumes a session on the end user's Claude subscription. That is the intended model; be deliberate about who you let create boxes.
  • Activation auth gates box activation (closing the leaked-token hijack), but box creation over MCP is still unauthenticated, so any caller that can reach the MCP endpoint can create boxes (a DoS bounded by the reaper TTL for unauthenticated boxes). Authenticating MCP clients per user, and binding a box to the specific initiator, are the natural follow-ups.
  • The box wrapper pre-accepts the workspace-trust dialog (writes projects[cwd].hasTrustDialogAccepted to ~/.claude.json after login), since claude remote-control otherwise aborts with "Workspace not trusted" in a fresh box. If a SubmitCode fails, the box's actual message (invalid code, trust, eligibility, …) is surfaced on the auth page instead of a bare EOF.
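As an added illustration of the auth-secret split described under Architecture and of the SubmitCode caveat above (this is example code, not the llmbox project's own): the model-facing BoxView carries only the box ID and auth URL, while SubmitCode, called from the auth-page handler, forwards the code to a deliver callback standing in for the container's stdin and retains it nowhere. All type and function names, the deliver callback, and the URL are assumptions made for the example.

```go
package main

import "fmt"

// BoxView is all the MCP side (and so the model) may see: no field for the OAuth code.
type BoxView struct {
	ID, AuthURL, State string // State is "awaiting-auth" or "active"
}

// Registry is a hypothetical single-goroutine stand-in for the box manager; deliver stands in for the container's stdin.
type Registry struct {
	publicURL string
	deliver   func(boxID, code string) error
	boxes     map[string]*BoxView
}

func NewRegistry(publicURL string, deliver func(boxID, code string) error) *Registry {
	return &Registry{publicURL: publicURL, deliver: deliver, boxes: map[string]*BoxView{}}
}

// Create is all create_llmbox hands back to the chatbot: a box ID and the auth URL.
func (r *Registry) Create() BoxView {
	id := fmt.Sprintf("box-%d", len(r.boxes)+1)
	v := &BoxView{ID: id, AuthURL: r.publicURL + "/auth/" + id, State: "awaiting-auth"}
	r.boxes[id] = v
	return *v
}

// SubmitCode is what the auth-page handler calls with the code the browser posted.
// The code is forwarded to the container and retained nowhere, so no later tool call
// (get_llmbox, list_llmboxes) can surface it; on a delivery error the box stays "awaiting-auth" so the user can retry.
func (r *Registry) SubmitCode(id, code string) (BoxView, error) {
	v, ok := r.boxes[id]
	if !ok {
		return BoxView{}, fmt.Errorf("unknown box %q", id)
	}
	if v.State != "awaiting-auth" {
		return *v, fmt.Errorf("box %q already activated", id)
	}
	if err := r.deliver(id, code); err != nil {
		return *v, fmt.Errorf("box %q: %w", id, err) // shown on the auth page, not to the model
	}
	v.State = "active"
	return *v, nil
}

func main() {
	r := NewRegistry("https://boxes.example.com", func(id, code string) error { return nil })
	fmt.Println(r.Create().AuthURL) // the chatbot sees this URL and the box ID, never the code
}
```

The delivery-failure path returns the container's own error text to the auth-page caller and leaves the box re-activatable, which is the behaviour the caveat above describes.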

Directories

| Path | Synopsis |
|---|---|
| cmd | |
| llmbox (command) | Command llmbox runs a server that manages sandboxed Claude containers ("llmboxes") and lets an end user authenticate each one via OAuth in their browser — never routing the OAuth secret through the chatbot. |
| hookproto | Package hookproto defines the JSON wire protocol spoken between llmbox and the external hook executables it runs at box lifecycle events. |
| internal | |
| cluster | Package cluster implements llmbox's hub-and-spoke model: a single hub (the MCP front-end the chatbot talks to) drives box operations on one or more spokes, each of which owns a local Docker daemon. |
| config | Package config loads llmbox's YAML configuration file. |
| docker | Package docker wraps the Docker Engine API to manage the lifecycle of "llmboxes": containers that run Claude Code in remote-control mode, each authenticated by an end user via OAuth. |
| hooks | Package hooks runs external hook executables at box lifecycle events. |
| server | Package server ties the Docker box manager to two front-ends that share one process: |
