bun-runner-mcp
An MCP server that executes TypeScript/JavaScript code in a sandboxed Bun environment with permission-based security controls, code snippets, and a web management UI.
README
bun-runner-mcp
An MCP (Model Context Protocol) server that executes TypeScript/JavaScript code in a sandboxed Bun environment with permission-based security controls.
Features
- Sandboxed Execution: Run TypeScript/JavaScript code in an isolated environment
- Permission System: Fine-grained control over HTTP requests, file access, and environment variables
- Code Snippets: Save and reuse code snippets across sessions with dependency resolution
- Web Management UI: Browser-based interface for managing environment variables and viewing snippets
- Two Execution Modes:
- Preload (default): Uses Bun's preload feature for runtime sandboxing
- Container: Uses Apple Containers for VM-level isolation (macOS 26+)
- HTTP Proxy: All network requests are routed through a permission-checking proxy
Quick Start
Installation
git clone https://github.com/timoconnellaus/bun-runner-mcp.git
cd bun-runner-mcp
bun install
Claude Desktop Configuration
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
Standard Mode (Preload Sandbox):
{
"mcpServers": {
"bun-runner": {
"command": "bun",
"args": ["run", "/path/to/bun-runner-mcp/src/mcp/server.ts"]
}
}
}
Container Mode (Apple Containers - Recommended for untrusted code):
{
"mcpServers": {
"bun-runner": {
"command": "bun",
"args": ["run", "/path/to/bun-runner-mcp/src/mcp/server.ts"],
"env": {
"EXECUTION_MODE": "container"
}
}
}
}
Note: Container mode requires macOS 26 (Tahoe) or later with Apple Containers installed.
Running Manually
# Standard mode
bun run start
# Container mode
EXECUTION_MODE=container bun run start
# Development with watch
bun run dev
MCP Tools
run_code
Execute TypeScript/JavaScript code in the sandbox.
{
"code": "console.log('Hello, world!')",
"timeout": 30000
}
grant_permission
Grant a permission for the current session.
HTTP Permission:
{
"permission": {
"type": "http",
"host": "api.example.com",
"description": "Access example API"
}
}
File Permission:
{
"permission": {
"type": "file",
"path": "/tmp/data/*",
"operations": ["read", "write"],
"description": "Access temp files"
}
}
Environment Variable Permission:
{
"permission": {
"type": "env",
"variables": ["API_KEY", "SECRET_*"],
"description": "Access API keys"
}
}
list_permissions
List all currently granted permissions.
revoke_permission
Revoke a previously granted permission.
save_snippet
Save a reusable code snippet. Snippets must include a JSDoc @description tag.
{
"name": "fetch-json",
"code": "/** @description Fetches JSON from a URL */\nexport async function fetchJson(url: string) {\n const res = await fetch(url);\n return res.json();\n}"
}
list_snippets
List all saved snippets with their names and descriptions.
get_snippet
Get the full code and metadata for a saved snippet.
delete_snippet
Delete a saved snippet.
list_env_vars
List available environment variable names (values are hidden for security).
get_web_ui_url
Get the URL for the web management interface. The AI can use this to direct users to the browser UI.
Code Snippets
Snippets are reusable code blocks that persist across sessions. They're stored in ~/.bun-runner-mcp/snippets/.
Using Snippets in Code
Reference snippets in your code using the @use-snippet directive:
// @use-snippet: fetch-json
// @use-snippet: format-date
const data = await fetchJson('https://api.example.com/data');
console.log(formatDate(data.timestamp));
The snippet code is automatically inlined before execution. Snippets can depend on other snippets, and circular dependencies are detected.
Snippet Requirements
- Must include a JSDoc comment with
@descriptiontag - Name must be alphanumeric with hyphens/underscores
- Should export functions for reuse
Environment Variables
Environment variables can be configured for use in executed code:
Configuration Sources
-
MCP Config: Pass variables with
BUN_prefix in your MCP config:{ "env": { "BUN_API_KEY": "your-api-key", "BUN_DEBUG": "true" } }The
BUN_prefix is stripped when accessed in code (e.g.,process.env.API_KEY). -
Env File: Create
~/.bun-runner-mcp/.bun-runner-env:API_KEY=your-api-key DATABASE_URL=postgres://localhost/db
File variables take precedence over MCP config variables.
Hot Reload
The env file is watched for changes. When modified, variables are automatically reloaded (and containers restarted if in container mode).
Web Management UI
A browser-based interface is available at http://localhost:9999 for:
- Environment Variables: Add, edit, and delete environment variables
- Code Snippets: View saved snippets and their code
The web UI is built automatically when the server starts using Bun's native bundler.
Execution Modes
Preload Mode (Default)
Uses Bun's preload feature to intercept and sandbox network requests. All HTTP requests are routed through a local proxy server (port 9999) that enforces permissions.
Container Mode (Apple Containers)
For stronger isolation, use Apple Containers which provides VM-level isolation. This is the recommended mode for untrusted code execution.
Requirements
- macOS 26 (Tahoe) or later
- Apple Containers CLI (
containercommand) installed - Internet connection for initial image pull
How It Works
- Lazy Initialization: The container is created on first code execution, not at startup
- Session Persistence: The same container is reused for all executions within a session
- Auto-Cleanup: Container is automatically stopped when the MCP server exits
- Image Management: Uses
oven/bun:alpinefrom Docker Hub, automatically pulled on first use
Container Specifications
| Resource | Limit |
|---|---|
| CPUs | 2 |
| Memory | 512 MB |
| Base Image | oven/bun:alpine |
| Timeout | 30 seconds (default) |
Features
- VM-Level Isolation: Code runs in a fully isolated virtual machine
- Isolated Filesystem: No access to host filesystem
- Network Isolation: Network access is controlled by the container runtime
- Package Support: npm packages are automatically installed via Bun
- TypeScript Support: Full TypeScript execution with type checking via tsserver
Verifying Container CLI
Check if Apple Containers is available:
container --version
List available images:
container image list
Troubleshooting
Container CLI not found:
- Ensure you're running macOS 26 (Tahoe) or later
- The
containerCLI should be available at/usr/bin/container
Image pull fails:
- Check your internet connection
- Verify Docker Hub is accessible
- Try manually:
container image pull docker.io/oven/bun:alpine
Container won't start:
- Check system resources (memory, disk space)
- Look for error messages in stderr output
- Ensure no conflicting containers are running
Architecture
┌─────────────────┐ ┌──────────────────┐
│ MCP Client │────▶│ MCP Server │
│ (Claude, etc) │ │ (stdio transport)│
└─────────────────┘ └────────┬─────────┘
│
┌────────────┴────────────┐
│ │
┌─────▼─────┐ ┌───────▼───────┐
│ Preload │ │ Container │
│ Sandbox │ │ (Apple) │
└─────┬─────┘ └───────────────┘
│
┌─────▼─────┐
│HTTP Proxy │
│ (port 9999)│
└───────────┘
License
MIT
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
mcp-server-qdrant
这个仓库展示了如何为向量搜索引擎 Qdrant 创建一个 MCP (Managed Control Plane) 服务器的示例。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器