llmbox

module
v0.1.17 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 12, 2026 License: Apache-2.0

README

llmbox

CI coverage ui coverage

An MCP server for spinning up sandboxed boxes ("llmboxes") on demand. From a chatbot you say "create an llmbox" and get back a box you can exec into, dial ports on, and expose over HTTP. llmbox is pure box infrastructure: it provides the sandbox lifecycle (create/destroy/pause/resume/exec/dial) plus an HTTP proxy for a box's ports. Built with the official Go SDK.

Each box is a container (or Firecracker microVM) on its own isolated network. The box's workload is installed and started by the spoke's init script (--init-script), not by llmbox — llmbox only provides the sandbox and, optionally, exposes the box's ports to a browser via the proxy (--publish-port or the *_llmbox_proxy tools). See Architecture for the full design.

Quick start

docker build -t llmbox .

# Copy the example config and edit it (at least set public_url).
cp llmbox.example.yaml llmbox.yaml

docker run -d --name llmbox \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$PWD/llmbox.yaml:/etc/llmbox/llmbox.yaml:ro" \
  --group-add "$(stat -c '%g' /var/run/docker.sock)" \
  -p 8080:8080 \
  llmbox --config /etc/llmbox/llmbox.yaml

One port (8080) serves everything: the box-control JSON API (under /api/v1/) and the UI (admin dashboard, sign-in, health). The MCP protocol itself is served by a separate binary, llmbox-mcp, which forwards every tool call to that box-control API:

docker run -d --name llmbox-mcp -p 8082:8082 \
  llmbox-mcp --upstream http://llmbox:8080 --addr :8082

Then add llmbox-mcp's URL (streamable HTTP) — or run it with --stdio as a child process — as a remote MCP server in your client. The box-control API is authenticated with API keys (llmbox-server apikey add) or an admin login session; still run llmbox behind an authenticating proxy. Full details — Docker socket permissions, docker compose, TLS — are in Running & configuration.

Prebuilt binaries

Each v* tag publishes static, dependency-free binaries to the GitHub Releases page (built by GoReleaser). This lets a box host run a spoke without Docker or a Go toolchain — for example to host Firecracker microVM boxes on a KVM machine:

# Download and unpack the spoke for your platform (linux amd64/arm64).
VERSION=vX.Y.Z
curl -fsSL -o llmbox-spoke.tar.gz \
  "https://github.com/clems4ever/llmbox/releases/download/${VERSION}/llmbox-spoke_${VERSION#v}_linux_amd64.tar.gz"
tar xzf llmbox-spoke.tar.gz llmbox-spoke

# Connect it to a hub and serve Firecracker boxes (see docs/firecracker.md).
./llmbox-spoke firecracker --hub wss://hub.example.com/spoke/connect --token <join-token>

Archives are also published for llmbox-server, llmbox-mcp, and the in-box llmbox-guest init.

MCP tools

create_llmbox, get_llmbox, list_llmboxes, list_spokes, destroy_llmbox, exec_llmbox, plus create_llmbox_proxy / delete_llmbox_proxy / list_llmbox_proxies for exposing a box's HTTP ports. See MCP tools for arguments and return values.

Documentation

Doc What's in it
Architecture How the pieces fit together: the box-control API, the spoke init script, and the code components.
MCP tools Full reference for every tool's arguments and results.
Running & configuration Running the server, connecting a chatbot, and the YAML config reference.
Authentication Admin OIDC sign-in gating the admin UI and the per-box HTTP proxies, plus API keys and the single-tenant trust model.
Box lifecycle hooks Injecting per-box secrets/files via box.create/box.destroy hooks, plus box networking and isolation.
Firecracker backend Running each box as a Firecracker microVM instead of a Docker container: vsock control, TAP/NAT egress, and building a guest rootfs.
Operations State persistence, pausing boxes, and orphan cleanup.
Development Building, CI, and the unit / integration / end-to-end test suites.

Status & caveats

  • A box's workload is provisioned by the spoke's --init-script, which runs once at creation. A box whose init script fails is surfaced with phase broken and the captured script output, so a bad provisioning step is loud rather than silent.
  • The only human sign-in is admin OIDC (auth.admin.emails). It gates the admin dashboard/API and the per-box HTTP proxies. Every box-control API call (creation included) requires an API key or an admin session.
  • The box-control API is single-tenant by design: it authenticates the caller but does not authorize per box, so any valid API key or admin can exec/destroy any box. This is safe only when a single trusted tenant sits behind the API (typically an authenticating proxy in front of llmbox-mcp); do not share one hub across mutually-distrusting users. See the trust model. Per-user MCP clients and binding a box to its initiator are the natural follow-ups for multi-tenant use.

Directories

Path Synopsis
cmd
llmbox-guest command
Command llmbox-guest is the in-box guest.
Command llmbox-guest is the in-box guest.
llmbox-mcp command
Command llmbox-mcp is a stand-alone MCP server that exposes the llmbox tools and forwards every call to an upstream llmbox server's box-control API over HTTP.
Command llmbox-mcp is a stand-alone MCP server that exposes the llmbox tools and forwards every call to an upstream llmbox server's box-control API over HTTP.
llmbox-server command
Command llmbox-server runs the llmbox server that manages sandboxed boxes ("llmboxes") — the box infrastructure; each box's workload is installed by the spoke's init script.
Command llmbox-server runs the llmbox server that manages sandboxed boxes ("llmboxes") — the box infrastructure; each box's workload is installed by the spoke's init script.
llmbox-spoke command
Command llmbox-spoke runs a hub-and-spoke spoke: it connects to a hub over a WebSocket and serves box operations against the local Docker daemon, so boxes can be placed on this host from a central hub.
Command llmbox-spoke runs a hub-and-spoke spoke: it connects to a hub over a WebSocket and serves box operations against the local Docker daemon, so boxes can be placed on this host from a central hub.
Package hookproto defines the JSON wire protocol spoken between llmbox and the external hook executables it runs at box lifecycle events.
Package hookproto defines the JSON wire protocol spoken between llmbox and the external hook executables it runs at box lifecycle events.
internal
guest
Package guest implements the in-box guest and its host-side client.
Package guest implements the in-box guest and its host-side client.
hub
Package server ties the box manager to the HTTP front-ends that share one process and one port:
Package server ties the box manager to the HTTP front-ends that share one process and one port:
hub/apikey
Package apikey mints and verifies the API keys that authenticate callers of the llmbox box-control API.
Package apikey mints and verifies the API keys that authenticate callers of the llmbox box-control API.
hub/auth
Package auth gates the admin UI and the per-box HTTP proxies behind OIDC provider sign-in.
Package auth gates the admin UI and the per-box HTTP proxies behind OIDC provider sign-in.
hub/config
Package config loads llmbox's YAML configuration file for the hub (the llmbox-server).
Package config loads llmbox's YAML configuration file for the hub (the llmbox-server).
hub/hooks
Package hooks runs external hook executables at box lifecycle events.
Package hooks runs external hook executables at box lifecycle events.
hub/store
Package store persists llmbox's durable state — the box registry, the admin sign-in (identity) state, the cluster enrollment records, API keys, and hub-wide settings — behind a small set of interfaces.
Package store persists llmbox's durable state — the box registry, the admin sign-in (identity) state, the cluster enrollment records, API keys, and hub-wide settings — behind a small set of interfaces.
hub/token
Package token implements the llmbox-server `token` command tree — creating, listing, and revoking the one-time join tokens a hub issues to enroll spokes.
Package token implements the llmbox-server `token` command tree — creating, listing, and revoking the one-time join tokens a hub issues to enroll spokes.
mcpserver
Package mcpserver exposes the llmbox box operations as MCP tools.
Package mcpserver exposes the llmbox box operations as MCP tools.
shared/api
Package api is the llmbox HTTP box-control API: the JSON surface the server exposes for box operations (create/get/list/destroy/logs/exec, proxies, spokes) and a Client that speaks it.
Package api is the llmbox HTTP box-control API: the JSON surface the server exposes for box operations (create/get/list/destroy/logs/exec, proxies, spokes) and a Client that speaks it.
shared/boxconfig
Package boxconfig holds the box-provisioning configuration shared by the hub (which fills these from its YAML config) and the spoke (which fills them from command-line flags): the per-box resource caps and the registry credentials, their built-in defaults, and the conversion into the Docker registry auth map the box layer consumes.
Package boxconfig holds the box-provisioning configuration shared by the hub (which fills these from its YAML config) and the spoke (which fills them from command-line flags): the per-box resource caps and the registry credentials, their built-in defaults, and the conversion into the Docker registry auth map the box layer consumes.
shared/cluster
Package cluster implements llmbox's hub-and-spoke model: a single hub (the MCP front-end the chatbot talks to) drives box operations on one or more spokes, each of which owns a local Docker daemon.
Package cluster implements llmbox's hub-and-spoke model: a single hub (the MCP front-end the chatbot talks to) drives box operations on one or more spokes, each of which owns a local Docker daemon.
shared/sandbox
Package sandbox holds the backend-neutral box lifecycle types shared across llmbox: the inputs and views that cross the hub/spoke boundary and the box-id validation rule.
Package sandbox holds the backend-neutral box lifecycle types shared across llmbox: the inputs and views that cross the hub/spoke boundary and the box-id validation rule.
spoke
Package spoke implements the llmbox-spoke command tree: running a spoke that joins a hub and serves boxes against the local Docker daemon.
Package spoke implements the llmbox-spoke command tree: running a spoke that joins a hub and serves boxes against the local Docker daemon.
spoke/box
Package box holds the backend-neutral box manager.
Package box holds the backend-neutral box manager.
spoke/box/backend
Package backend is the registry that decouples box-backend selection from the composition roots.
Package backend is the registry that decouples box-backend selection from the composition roots.
spoke/box/conformance
Package conformance provides the backend-neutral behavioural contract for box provisioners (Run) and an in-process Fake provisioner that satisfies it without Docker.
Package conformance provides the backend-neutral behavioural contract for box provisioners (Run) and an in-process Fake provisioner that satisfies it without Docker.
spoke/boxapi
Package boxapi serves the box-facing port-publishing API: a small HTTP/JSON API on a per-box unix socket that lets the workload inside a box open, close, and list public URLs for ports of ITS OWN box only.
Package boxapi serves the box-facing port-publishing API: a small HTTP/JSON API on a per-box unix socket that lets the workload inside a box open, close, and list public URLs for ports of ITS OWN box only.
spoke/docker
Package docker implements a box.Provisioner backed by the Docker Engine API.
Package docker implements a box.Provisioner backed by the Docker Engine API.
spoke/firecracker
Package firecracker implements a box.Provisioner backed by Firecracker microVMs.
Package firecracker implements a box.Provisioner backed by Firecracker microVMs.
Package testutils holds test doubles shared across the llmbox test suites.
Package testutils holds test doubles shared across the llmbox test suites.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL