Self-hosted secure runtime for AI agents.

Let agents execute code, query databases, call cloud APIs, and manage files — inside isolated Docker sandboxes on your infrastructure. No external SaaS. No telemetry. No data leaving your network.

license apache-2.0 core lang go 1.25 mcp tools 53 auth api-key / oidc / saml mode self-hosted

quickstart

Up and running in five commands.

 sh — vaultrun
$ git clone https://github.com/nickvd7/vaultrun && cd vaultrun
$ cp .env.example .env        # set MASTER_API_KEY to something strong
$ make up                     # API + Postgres + Redis + dashboard
$ make bootstrap-key          # prints your first vr_... API key
$ curl http://localhost:8080/health
{"status":"ok"}
# dashboard → http://localhost:3000

Prerequisites: Docker, Docker Compose, Go 1.25+.

how it works

One API between your agent and the blast radius.

┌──────────────────────────────────────────────────────────────┐
│  Your AI agent  (Claude, GPT, custom, …)                     │
│                                                              │
│  result = client.run(session_id,                             │
│      command="python", args=["analyze.py"])                  │
└────────────────────────┬─────────────────────────────────────┘
                         │ API key
                         ▼
┌──────────────────────────────────────────────────────────────┐
│  VaultRun API  (your server, your infra)                     │
│                                                              │
│  • isolated Docker container per session                     │
│  • exec API only — no shell injection                        │
│  • path traversal prevention in workspace                    │
│  • HMAC-signed audit trail                                   │
│  • CPU / memory / timeout limits per session                 │
│  • network disabled by default                               │
└──────────────────────────────────────────────────────────────┘

what's in the box

Seven components, one repo.

01 / cmd/api

API server

Gin-based REST API — sessions, runs, files, audit logs, key management.

02 / sdk/mcp

MCP server

53 tools over stdio and HTTP. Claude, OpenAI, OpenRouter, custom agents.

03 / cmd/cli

CLI

The vaultrun command-line tool for sessions, files, runs and logs.

04 / cmd/ci-runner

CI runner

GitHub webhook → sandboxed CI with Slack / Teams notifications.

05 / apps/frontend

Dashboard

Next.js management UI with a server-side API proxy — keys never reach the browser.

06 / sdk/go + sdk/python

SDKs

Typed Go client and a Python client. Same API, your language.

07 / enterprise

Enterprise SSO

OIDC (PKCE) + SAML 2.0 with org-aware RBAC. Okta, Azure AD, Google, Keycloak. VaultRun Enterprise.

08 / internal/audit

Audit trail

Every action HMAC-signed and queryable. Tamper-evident by design.

09 / internal/policy

Policy hook

Pluggable policy layer, OPA-ready. Decide what agents may run, centrally.

mcp server

53 tools. Two transports. Any agent.

stdio — claude desktop / claude code

{
  "mcpServers": {
    "vaultrun": {
      "command": "/path/to/vaultrun-mcp",
      "env": {
        "VAULTRUN_BASE_URL": "http://localhost:8080",
        "VAULTRUN_API_KEY": "vr_your_key"
      }
    }
  }
}

http — openai / openrouter / custom

$ MCP_TRANSPORT=http \
  MCP_AUTH_TOKEN=your-secret-token \
  VAULTRUN_BASE_URL=http://localhost:8080 \
  VAULTRUN_API_KEY=vr_your_key \
  ./vaultrun-mcp
# POST /mcp — JSON-RPC 2.0
# Authorization: Bearer your-secret-token
sandbox ×13
create_session · run_command · upload_file · read_file · list_files · get_session_logs · …
databases ×13
sqlite_query · pg_query · pg_schema · mongo_find · mongo_aggregate · …
aws ×14
s3_get_object · ssm_get_parameter · sm_get_secret · lambda_invoke · … (explicit opt-in)
filesystem ×4
fs_read_file · fs_write_file · fs_list_dir · fs_delete_file
github ×2
run_github_repo · github_post_comment
ops ×7
list_images · pull_image · create_snapshot · create_artifact · list_audit_logs · …

sdks

Five lines to a sandboxed run.

python

# pip install ./sdk/python
from sandbox_sdk import Client

client = Client("http://localhost:8080",
                api_key="vr_...")
s = client.create_session(
        image="python:3.12-slim")
client.upload_file(s.id, "script.py",
        open("script.py", "rb"))
r = client.run(s.id, command="python",
        args=["script.py"])
print(r.stdout)

go

import vaultrun "github.com/nickvd7/vaultrun/sdk/go"

client := vaultrun.New(
    "http://localhost:8080", "vr_...")
s, _ := client.CreateSession(ctx,
    vaultrun.CreateSessionOptions{
        Image: "python:3.12-slim"})
client.UploadFile(ctx, s.ID,
    "script.py", scriptContent)
run, _ := client.Run(ctx, s.ID,
    vaultrun.RunOptions{Command: "python",
        Args: []string{"script.py"}})
fmt.Println(*run.Stdout)

security model

Paranoid by default. On purpose.

Full write-up: docs/security.md

open core

Apache 2.0 core. Fork it, ship it, embed it.

The core — API server, sandbox runtime, CLI, MCP server (53 tools), CI runner, dashboard, and both SDKs — is Apache 2.0: run it commercially, modify it, or vendor the Go SDK straight into your agent. Enterprise SSO (OIDC + SAML) ships separately under a commercial license — mail@030.dev. Issues and pull requests welcome.

contact

Questions, enterprise use, security reports?

Drop a message — it lands straight in our inbox. Prefer mail? mail@030.dev. Bugs and feature requests go to GitHub issues.

 new-message — vaultrun.dev