API server
Gin-based REST API — sessions, runs, files, audit logs, key management.
Self-hosted secure runtime for AI agents.
Let agents execute code, query databases, call cloud APIs, and manage files — inside isolated Docker sandboxes on your infrastructure. No external SaaS. No telemetry. No data leaving your network.
Up and running in five commands.
$ git clone https://github.com/nickvd7/vaultrun && cd vaultrun $ cp .env.example .env # set MASTER_API_KEY to something strong $ make up # API + Postgres + Redis + dashboard $ make bootstrap-key # prints your first vr_... API key $ curl http://localhost:8080/health {"status":"ok"} # dashboard → http://localhost:3000
Prerequisites: Docker, Docker Compose, Go 1.25+.
One API between your agent and the blast radius.
┌──────────────────────────────────────────────────────────────┐
│ Your AI agent (Claude, GPT, custom, …) │
│ │
│ result = client.run(session_id, │
│ command="python", args=["analyze.py"]) │
└────────────────────────┬─────────────────────────────────────┘
│ API key
▼
┌──────────────────────────────────────────────────────────────┐
│ VaultRun API (your server, your infra) │
│ │
│ • isolated Docker container per session │
│ • exec API only — no shell injection │
│ • path traversal prevention in workspace │
│ • HMAC-signed audit trail │
│ • CPU / memory / timeout limits per session │
│ • network disabled by default │
└──────────────────────────────────────────────────────────────┘
Seven components, one repo.
Gin-based REST API — sessions, runs, files, audit logs, key management.
53 tools over stdio and HTTP. Claude, OpenAI, OpenRouter, custom agents.
The vaultrun command-line tool for sessions, files, runs and logs.
GitHub webhook → sandboxed CI with Slack / Teams notifications.
Next.js management UI with a server-side API proxy — keys never reach the browser.
Typed Go client and a Python client. Same API, your language.
OIDC (PKCE) + SAML 2.0 with org-aware RBAC. Okta, Azure AD, Google, Keycloak. VaultRun Enterprise.
Every action HMAC-signed and queryable. Tamper-evident by design.
Pluggable policy layer, OPA-ready. Decide what agents may run, centrally.
53 tools. Two transports. Any agent.
stdio — claude desktop / claude code
{
"mcpServers": {
"vaultrun": {
"command": "/path/to/vaultrun-mcp",
"env": {
"VAULTRUN_BASE_URL": "http://localhost:8080",
"VAULTRUN_API_KEY": "vr_your_key"
}
}
}
}http — openai / openrouter / custom
$ MCP_TRANSPORT=http \ MCP_AUTH_TOKEN=your-secret-token \ VAULTRUN_BASE_URL=http://localhost:8080 \ VAULTRUN_API_KEY=vr_your_key \ ./vaultrun-mcp # POST /mcp — JSON-RPC 2.0 # Authorization: Bearer your-secret-token
Five lines to a sandboxed run.
python
# pip install ./sdk/python
from sandbox_sdk import Client
client = Client("http://localhost:8080",
api_key="vr_...")
s = client.create_session(
image="python:3.12-slim")
client.upload_file(s.id, "script.py",
open("script.py", "rb"))
r = client.run(s.id, command="python",
args=["script.py"])
print(r.stdout)go
import vaultrun "github.com/nickvd7/vaultrun/sdk/go"
client := vaultrun.New(
"http://localhost:8080", "vr_...")
s, _ := client.CreateSession(ctx,
vaultrun.CreateSessionOptions{
Image: "python:3.12-slim"})
client.UploadFile(ctx, s.ID,
"script.py", scriptContent)
run, _ := client.Run(ctx, s.ID,
vaultrun.RunOptions{Command: "python",
Args: []string{"script.py"}})
fmt.Println(*run.Stdout)Paranoid by default. On purpose.
Full write-up: docs/security.md
Apache 2.0 core. Fork it, ship it, embed it.
The core — API server, sandbox runtime, CLI, MCP server (53 tools), CI runner, dashboard, and both SDKs — is Apache 2.0: run it commercially, modify it, or vendor the Go SDK straight into your agent. Enterprise SSO (OIDC + SAML) ships separately under a commercial license — mail@030.dev. Issues and pull requests welcome.
Questions, enterprise use, security reports?
Drop a message — it lands straight in our inbox. Prefer mail? mail@030.dev. Bugs and feature requests go to GitHub issues.