Introduction
Most MCP CodeMode implementations today still execute generated code inside local processes, shared-kernel containers, or userspace sandboxes that ultimately rely on the host Linux kernel as the primary security boundary. In the previous post, OpenSandbox already demonstrated how production-grade sandbox orchestration can significantly improve safety compared to running generated Python directly on the host machine. But once agents start executing untrusted code, third-party tools, long-running workflows, or multi-tenant workloads, the challenge shifts from simple execution isolation to containment and blast-radius reduction.
Platforms like OpenSandbox solve a large part of this operational problem extremely well. OpenSandbox provides orchestration, sandbox lifecycle management, SDK abstraction, browser/code execution, and production-ready runtime operations for agent systems. In practice, however, the execution layer still typically depends on Docker containers and external sandbox orchestration. That introduces additional runtime layers, container lifecycle overhead, and more boundary transitions between the MCP runtime and the isolated execution environment.
This is where Hyperlight Sandbox becomes interesting. Instead of treating sandboxing primarily as infrastructure orchestration, Hyperlight pushes isolation directly into the runtime layer itself: hypervisor-backed microVM execution, no full Linux guest OS, reduced attack surface, fast startup, and WASI-friendly capability boundaries. Combined with MCP CodeMode, this creates a very different execution model for AI agents — one that moves closer to microVM-grade isolation without the operational and resource overhead of traditional virtual machines.
I submitted a feature request at Hyperlight Sandbox Issue #13. Just a couple of days later, the Hyperlight team added .NET SDK support in Hyperlight Sandbox PR #46.
I then spent a weekend experimenting with this approach, and in this blog post. I will walk through step by step what I have done so far.
Let's get started...
The MCP CodeMode approach with Hyperlight sandbox
Ref: Mermaid
As you can see, the Hyperlight sandbox is an in-process call, meaning it runs inside a hypervisor-backed runtime embedded in the host application (look at the left box in the picture above). As a result, the execution experience feels like a native function call.
Step by step to set up the code
First of all, you have to reference some NuGet package for the Hyperlight sandbox at https://www.nuget.org/packages?q=HyperlightSandbox
<PackageReference Include="Hyperlight.HyperlightSandbox.Api" Version="0.4.0" />
<PackageReference Include="Hyperlight.HyperlightSandbox.Extensions.AI" Version="0.4.0" />
<PackageReference Include="Hyperlight.HyperlightSandbox.Guest.Python" Version="0.4.0" />
In the previous part, we have already had the ISandboxRunner interface:
public interface ISandboxRunner
{
string SyntaxGuide { get; }
Task<RunnerResult> RunAsync(string code, CancellationToken ct);
}
Now I just implemented this interface for the Hyperlight sandbox as below
public sealed class HyperlightSandboxRunner : ISandboxRunner, IDisposable
{
private static readonly Regex AbsoluteHttpUrlRegex = new(
"https?://[^\\s\"'\\)\\]]+",
RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.CultureInvariant);
private static readonly ActivitySource ActivitySource = new("McpServer.CodeMode.HyperlightSandboxRunner");
private readonly TimeSpan timeout;
private readonly int maxToolCalls;
private readonly ILogger<HyperlightSandboxRunner> logger;
private readonly IReadOnlyList<Uri> allowedBaseUris;
private readonly Sandbox sandbox;
private bool disposed;
public HyperlightSandboxRunner(
TimeSpan timeout,
int maxToolCalls,
ILogger<HyperlightSandboxRunner> logger,
IReadOnlyList<string>? allowedBaseUrls = null)
{
this.timeout = timeout;
this.maxToolCalls = maxToolCalls;
this.logger = logger;
allowedBaseUris = NormalizeAllowedBaseUris(allowedBaseUrls);
SandboxBuilder builder = new SandboxBuilder()
.WithPythonModule()
.WithTempOutput();
sandbox = builder.Build();
foreach (Uri allowedBaseUri in allowedBaseUris)
{
sandbox.AllowDomain(allowedBaseUri.AbsoluteUri.TrimEnd('/'));
}
}
public string SyntaxGuide
{
get
{
string defaultBaseUrl = allowedBaseUris.Count > 0
? allowedBaseUris[0].AbsoluteUri.TrimEnd('/')
: string.Empty;
string baseUrlSection = defaultBaseUrl.Length > 0
? $"Use the injected `BASE_URL` variable for API calls. Default `BASE_URL` is \"{defaultBaseUrl}\"."
: "Use the injected `BASE_URL` variable for API calls. No default URL was discovered from OpenAPI sources.";
string allowedSection = allowedBaseUris.Count > 0
? $"Only call API URLs under configured OpenAPI bases via `BASE_URL`: {string.Join(", ", allowedBaseUris.Select(static u => $"\"{u.AbsoluteUri.TrimEnd('/')}\""))}."
: "No API base allowlist is currently configured, so URL host restrictions are not enforced.";
return $$"""
Runner: hyperlight (Python sandbox)
Write pure Python code.
For HTTP calls in this sandbox, prefer built-in `http_get(url)` and `http_post(url, body="")`.
A lightweight `requests` compatibility shim object is preloaded as `requests` for fallback compatibility.
Do not import `requests` in generated code.
Do NOT rely on `urllib`, `http.client`, or other stdlib HTTP modules in guest code.
Prefer assigning the final value to `result`.
If `result` is not set, stdout fallback is returned when available.
{{baseUrlSection}}
{{allowedSection}}
Code mode is isolated from tool-Search tools.
Do NOT use: SearchTools, CallTool, Search, GetSchema, or Execute in this code.
Example:
resp = http_get(f"{BASE_URL}/pet/findByStatus?status=sold")
if resp["status"] >= 400:
raise Exception(f"HTTP {resp['status']}")
result = resp["body"]
The final `result` value (or stdout fallback) is returned as tool output.
""";
}
}
public async Task<RunnerResult> RunAsync(string code, CancellationToken ct)
{
ThrowIfDisposed();
ArgumentException.ThrowIfNullOrWhiteSpace(code);
logger.LogInformation(
"Hyperlight constrained execution requested. Timeout: {Timeout}, MaxToolCalls: {MaxToolCalls}.",
timeout,
maxToolCalls);
using Activity? activity = ActivitySource.StartActivity("codemode.run", ActivityKind.Internal);
activity?.SetTag("mcp.code.length", code.Length);
activity?.SetTag("mcp.Execute.timeout.ms", timeout.TotalMilliseconds);
activity?.SetTag("mcp.Execute.maxToolCalls", maxToolCalls);
if (SandboxCodeGuard.ContainsForbiddenMetaToolUsage(code))
{
throw new InvalidOperationException(
"Code mode is isolated from tool-Search tools. " +
"Do not call SearchTools, CallTool, Search, GetSchema, or Execute inside code mode; use pure Python compute only. " +
"If you need an MCP tool, call it outside Execute. If you stay in Execute, rewrite the task as direct Python logic or HTTP requests with http_get/http_post.");
}
if (ContainsForbiddenHardcodedApiUsage(code))
{
throw new InvalidOperationException(
"Code mode HTTP calls must stay within configured OpenAPI data sources. " +
"Use BASE_URL (or ALLOWED_BASE_URLS) instead of hardcoded external URLs.");
}
logger.LogInformation("Generated Python code for Hyperlight Execute:\n{Code}", code);
using CancellationTokenSource timeoutCts = new(timeout);
using CancellationTokenSource linkedCts = CancellationTokenSource.CreateLinkedTokenSource(ct, timeoutCts.Token);
ExecutionResult executionResult = await Task.Run(() => ExecuteInSandbox(code), linkedCts.Token);
activity?.SetTag("mcp.Execute.callCount", 0);
activity?.SetTag("mcp.Execute.hasFinalValue", executionResult.Success);
object? finalValue = ExtractFinalValue(executionResult);
return new RunnerResult(finalValue, 0);
}
private ExecutionResult ExecuteInSandbox(string code)
{
string serializedCode = JsonSerializer.Serialize(code);
string serializedDefaultBaseUrl = JsonSerializer.Serialize(
allowedBaseUris.Count > 0 ? allowedBaseUris[0].AbsoluteUri.TrimEnd('/') : string.Empty);
string wrapper = $$"""
code = {{serializedCode}}
BASE_URL = {{serializedDefaultBaseUrl}}
try:
import sys
except Exception:
sys = None
_native_http_get = None
_native_http_post = None
try:
_native_http_get = http_get
except Exception:
_native_http_get = None
try:
_native_http_post = http_post
except Exception:
_native_http_post = None
if _native_http_get is None or _native_http_post is None:
try:
from hyperlight import http_get as _hl_http_get, http_post as _hl_http_post
if _native_http_get is None:
_native_http_get = _hl_http_get
if _native_http_post is None:
_native_http_post = _hl_http_post
except Exception:
pass
def http_get(url):
if _native_http_get is None:
raise Exception("http_get is unavailable in this Hyperlight guest runtime")
return _native_http_get(url)
def http_post(url, body=""):
if _native_http_post is None:
raise Exception("http_post is unavailable in this Hyperlight guest runtime")
return _native_http_post(url, body)
def _encode_query(params):
if params is None:
return ""
if isinstance(params, dict):
parts = []
for key, value in params.items():
if isinstance(value, (list, tuple)):
for item in value:
parts.append(str(key) + "=" + str(item))
else:
parts.append(str(key) + "=" + str(value))
return "&".join(parts)
return str(params)
def _append_query(url, params):
query = _encode_query(params)
if not query:
return url
return url + ("&" if "?" in url else "?") + query
class _RequestsHttpError(Exception):
pass
class _RequestsResponse:
def __init__(self, status_code, text):
self.status_code = int(status_code) if status_code is not None else 0
self.text = text if text is not None else ""
self.content = self.text.encode("utf-8") if hasattr(self.text, "encode") else self.text
def json(self):
try:
import json as _json
return _json.loads(self.text)
except Exception:
return self.text
def raise_for_status(self):
if self.status_code >= 400:
raise _RequestsHttpError("HTTP " + str(self.status_code))
def _requests_request(method, url, params=None, data=None, json=None, headers=None, timeout=None):
del headers, timeout
method_upper = str(method).upper()
target = _append_query(str(url), params)
if method_upper == "GET":
raw = http_get(target)
elif method_upper == "POST":
body = data
if json is not None:
try:
import json as _json
body = _json.dumps(json)
except Exception:
body = str(json)
if body is None:
body = ""
raw = http_post(target, str(body))
else:
raise Exception("Method not supported in hyperlight requests shim: " + method_upper)
if isinstance(raw, dict):
return _RequestsResponse(raw.get("status", 0), raw.get("body", ""))
return _RequestsResponse(0, str(raw))
class _RequestsModule:
RequestException = Exception
HTTPError = _RequestsHttpError
def request(self, method, url, **kwargs):
return _requests_request(method, url, **kwargs)
def get(self, url, **kwargs):
return _requests_request("GET", url, **kwargs)
def post(self, url, **kwargs):
return _requests_request("POST", url, **kwargs)
requests = _RequestsModule()
if sys is not None:
try:
sys.modules["requests"] = requests
except Exception:
pass
scope = {"BASE_URL": BASE_URL}
scope["requests"] = requests
scope["http_get"] = http_get
scope["http_post"] = http_post
try:
exec(code, scope, scope)
_result = scope.get("result")
if _result is None:
print("__MCP_RESULT__")
else:
try:
import json as _json
print("__MCP_RESULT_JSON__" + _json.dumps(_result, ensure_ascii=False, default=str))
except Exception:
print("__MCP_RESULT__" + str(_result))
except Exception as ex:
print("__MCP_ERROR__" + str(ex))
raise
""";
ExecutionResult result = sandbox.Run(wrapper);
if (!result.Success)
{
throw new InvalidOperationException(
$"Hyperlight Python execution failed with exit code {result.ExitCode}: {result.Stderr}");
}
return result;
}
private object? ExtractFinalValue(ExecutionResult result)
{
string lastLine = result.Stdout
.Split('\n', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
.LastOrDefault() ?? string.Empty;
if (lastLine.StartsWith("__MCP_RESULT__", StringComparison.Ordinal))
{
string value = lastLine["__MCP_RESULT__".Length..];
return string.IsNullOrEmpty(value) ? null : value;
}
if (lastLine.StartsWith("__MCP_RESULT_JSON__", StringComparison.Ordinal))
{
string value = lastLine["__MCP_RESULT_JSON__".Length..];
if (string.IsNullOrWhiteSpace(value))
{
return null;
}
try
{
return JsonSerializer.Deserialize<object>(value);
}
catch
{
return value;
}
}
if (lastLine.StartsWith("__MCP_ERROR__", StringComparison.Ordinal))
{
return lastLine;
}
return result.Stdout.TrimEnd();
}
private bool ContainsForbiddenHardcodedApiUsage(string code)
{
if (allowedBaseUris.Count == 0)
{
return false;
}
MatchCollection matches = AbsoluteHttpUrlRegex.Matches(code);
foreach (Match match in matches)
{
if (!Uri.TryCreate(match.Value, UriKind.Absolute, out Uri? discoveredUrl))
{
continue;
}
bool isAllowed = allowedBaseUris.Any(baseUri =>
discoveredUrl.Scheme.Equals(baseUri.Scheme, StringComparison.OrdinalIgnoreCase) &&
discoveredUrl.Host.Equals(baseUri.Host, StringComparison.OrdinalIgnoreCase) &&
discoveredUrl.Port == baseUri.Port &&
discoveredUrl.AbsoluteUri.StartsWith(baseUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase));
if (!isAllowed)
{
return true;
}
}
return false;
}
private static IReadOnlyList<Uri> NormalizeAllowedBaseUris(IReadOnlyList<string>? input)
{
if (input is null || input.Count == 0)
{
return [];
}
HashSet<string> seen = new(StringComparer.OrdinalIgnoreCase);
List<Uri> normalized = [];
foreach (string value in input)
{
if (!Uri.TryCreate(value, UriKind.Absolute, out Uri? uri))
{
continue;
}
if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
{
continue;
}
Uri withSlash = EnsureTrailingSlash(uri);
if (!seen.Add(withSlash.AbsoluteUri))
{
continue;
}
normalized.Add(withSlash);
}
return normalized;
}
private static Uri EnsureTrailingSlash(Uri uri)
{
if (uri.AbsoluteUri.EndsWith("/", StringComparison.Ordinal))
{
return uri;
}
return new Uri(uri.AbsoluteUri + "/", UriKind.Absolute);
}
private void ThrowIfDisposed()
{
if (disposed)
{
throw new ObjectDisposedException(nameof(HyperlightSandboxRunner));
}
}
public void Dispose()
{
if (disposed)
{
return;
}
disposed = true;
sandbox.Dispose();
}
}
And finally, we need to register it with the SandboxRunnerFactory:
public static class SandboxRunnerFactory
{
public static ISandboxRunner Create(
IConfiguration configuration,
ILoggerFactory loggerFactory,
IReadOnlyList<string>? allowedBaseUrls = null)
{
ArgumentNullException.ThrowIfNull(configuration);
ArgumentNullException.ThrowIfNull(loggerFactory);
string runnerName = configuration["CodeMode:Runner"]?.Trim() ?? "auto";
int timeoutMs = configuration.GetValue<int>("CodeMode:TimeoutMs", 5000);
int maxToolCalls = configuration.GetValue<int>("CodeMode:MaxToolCalls", 10);
if (string.Equals(runnerName, "opensandbox", StringComparison.OrdinalIgnoreCase))
{
string? domain = configuration["OpenSandbox:Domain"] ?? "localhost:8080";
OpenSandboxRunnerOptions options = new()
{
Domain = domain,
ApiKey = configuration["OpenSandbox:ApiKey"],
Image = configuration["OpenSandbox:Image"] ?? "python:3.12-slim",
TimeoutSeconds = configuration.GetValue<int>("OpenSandbox:TimeoutSeconds", 5 * 60),
ReadyTimeoutSeconds = configuration.GetValue<int>("OpenSandbox:ReadyTimeoutSeconds", 30),
RequestTimeoutSeconds = configuration.GetValue<int>("OpenSandbox:RequestTimeoutSeconds", 30),
UseServerProxy = configuration.GetValue<bool>("OpenSandbox:UseServerProxy", true),
Timeout = TimeSpan.FromMilliseconds(timeoutMs),
MaxToolCalls = maxToolCalls,
AllowedBaseUrls = allowedBaseUrls,
};
return new OpenSandboxRunner(options, loggerFactory, allowedBaseUrls);
}
if (string.Equals(runnerName, "local", StringComparison.OrdinalIgnoreCase))
{
return new LocalConstrainedRunner(
timeout: TimeSpan.FromMilliseconds(timeoutMs),
maxToolCalls: maxToolCalls,
loggerFactory.CreateLogger<LocalConstrainedRunner>(),
allowedBaseUrls);
}
try
{
return new HyperlightSandboxRunner(
timeout: TimeSpan.FromMilliseconds(timeoutMs),
maxToolCalls: maxToolCalls,
loggerFactory.CreateLogger<HyperlightSandboxRunner>(),
allowedBaseUrls);
}
catch (Exception ex)
{
loggerFactory.CreateLogger("McpServer.CodeMode.SandboxRunnerFactory")
.LogWarning(ex, "Falling back to local sandbox runner because Hyperlight runner could not be created.");
return new LocalConstrainedRunner(
timeout: TimeSpan.FromMilliseconds(timeoutMs),
maxToolCalls: maxToolCalls,
loggerFactory.CreateLogger<LocalConstrainedRunner>(),
allowedBaseUrls);
}
}
}
Test it all
In the root of the project, run:
aspire run
Then access to https://localhost:17294, and click on mcp-server, you should see:
Open up the web, then type use codemode to get random brewery
Back to the mcp-server logs:
And the web:
Try with the complex scenario:
The prompt:
Write Python code for execute mode.
Requirements:
1) Get breweries in San Diego.
2) Return the total number of breweries found for San Diego.
3) Search for breweries matching "moon" and return top 5 with only:
- name
- city
4) Also compute a San Diego summary:
- count by brewery_type
- top 3 cities by number of breweries (if city is missing, use "Unknown")
5) Deduplicate breweries by id before counting.
6) Sort outputs deterministically:
- type summary: count desc, then type asc
- top cities: count desc, then city asc
- moon top 5: name asc
7) Return one JSON object in `result` with this exact shape:
{
"san_diego_total": number,
"san_diego_type_summary": [{"brewery_type": string, "count": number}],
"san_diego_top_cities": [{"city": string, "count": number}],
"moon_top_5": [{"name": string, "city": string}]
}
8) If any tool call fails, set a top-level "errors" array with readable messages but still return partial data.
The logs are more complex, see:
info: McpServer.CodeMode.CodeModeHandlers[0]
[codemode] Execute executing code (2707 chars).
info: McpServer.CodeMode.Hyperlight.HyperlightSandboxRunner[0]
Hyperlight constrained execution requested. Timeout: 00:01:30, MaxToolCalls: 10.
info: McpServer.CodeMode.Hyperlight.HyperlightSandboxRunner[0]
Generated Python code for Hyperlight Execute:
import json
from collections import Counter, defaultdict
errors = []
def fetch_json(url):
resp = http_get(url)
if resp["status"] >= 400:
raise Exception(f"HTTP {resp['status']} for {url}")
return resp["body"]
def as_list(body):
if isinstance(body, list):
return body
if isinstance(body, dict) and "items" in body and isinstance(body["items"], list):
return body["items"]
return []
def dedupe_by_id(items):
seen = set()
out = []
for item in items:
brewery_id = item.get("id")
key = brewery_id if brewery_id is not None else json.dumps(item, sort_keys=True, default=str)
if key in seen:
continue
seen.add(key)
out.append(item)
return out
san_diego_items = []
moon_items = []
try:
page = 1
per_page = 200
while True:
body = fetch_json(f"{BASE_URL}/breweries?by_city=San_Diego&page={page}&per_page={per_page}")
items = as_list(body)
if not items:
break
san_diego_items.extend(items)
if len(items) < per_page:
break
page += 1
except Exception as e:
errors.append(f"San Diego breweries fetch failed: {e}")
try:
page = 1
per_page = 200
while True:
body = fetch_json(f"{BASE_URL}/breweries/search?query=moon&page={page}&per_page={per_page}")
items = as_list(body)
if not items:
break
moon_items.extend(items)
if len(items) < per_page:
break
page += 1
except Exception as e:
errors.append(f"Moon search failed: {e}")
san_diego_items = dedupe_by_id(san_diego_items)
moon_items = dedupe_by_id(moon_items)
sd_type_counts = Counter()
sd_city_counts = Counter()
for item in san_diego_items:
brewery_type = item.get("brewery_type") or "Unknown"
city = item.get("city") or "Unknown"
sd_type_counts[brewery_type] += 1
sd_city_counts[city] += 1
san_diego_type_summary = [
{"brewery_type": brewery_type, "count": count}
for brewery_type, count in sorted(sd_type_counts.items(), key=lambda kv: (-kv[1], kv[0]))
]
san_diego_top_cities = [
{"city": city, "count": count}
for city, count in sorted(sd_city_counts.items(), key=lambda kv: (-kv[1], kv[0]))[:3]
]
moon_top_5 = [
{"name": item.get("name") or "", "city": item.get("city") or ""}
for item in sorted(moon_items, key=lambda item: ((item.get("name") or ""), (item.get("city") or "")))[:5]
]
result = {
"san_diego_total": len(san_diego_items),
"san_diego_type_summary": san_diego_type_summary,
"san_diego_top_cities": san_diego_top_cities,
"moon_top_5": moon_top_5,
}
if errors:
result["errors"] = errors
info: McpServer.CodeMode.CodeModeHandlers[0]
[codemode] Execute completed successfully. HasResult: True.
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
Executed endpoint 'MCP Streamable HTTP | HTTP: POST /mcp/'
dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[9]
Connection id "0HNLELGG9J670" completed keep alive response.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/1.1 POST http://localhost:5100/mcp - 200 - text/event-stream 1759.5000ms
You can see the LLM model write the Python code, based on the prompt above:
import json
from collections import Counter, defaultdict
errors = []
def fetch_json(url):
resp = http_get(url)
if resp["status"] >= 400:
raise Exception(f"HTTP {resp['status']} for {url}")
return resp["body"]
def as_list(body):
if isinstance(body, list):
return body
if isinstance(body, dict) and "items" in body and isinstance(body["items"], list):
return body["items"]
return []
def dedupe_by_id(items):
seen = set()
out = []
for item in items:
brewery_id = item.get("id")
key = brewery_id if brewery_id is not None else json.dumps(item, sort_keys=True, default=str)
if key in seen:
continue
seen.add(key)
out.append(item)
return out
san_diego_items = []
moon_items = []
try:
page = 1
per_page = 200
while True:
body = fetch_json(f"{BASE_URL}/breweries?by_city=San_Diego&page={page}&per_page={per_page}")
items = as_list(body)
if not items:
break
san_diego_items.extend(items)
if len(items) < per_page:
break
page += 1
except Exception as e:
errors.append(f"San Diego breweries fetch failed: {e}")
try:
page = 1
per_page = 200
while True:
body = fetch_json(f"{BASE_URL}/breweries/search?query=moon&page={page}&per_page={per_page}")
items = as_list(body)
if not items:
break
moon_items.extend(items)
if len(items) < per_page:
break
page += 1
except Exception as e:
errors.append(f"Moon search failed: {e}")
san_diego_items = dedupe_by_id(san_diego_items)
moon_items = dedupe_by_id(moon_items)
sd_type_counts = Counter()
sd_city_counts = Counter()
for item in san_diego_items:
brewery_type = item.get("brewery_type") or "Unknown"
city = item.get("city") or "Unknown"
sd_type_counts[brewery_type] += 1
sd_city_counts[city] += 1
san_diego_type_summary = [
{"brewery_type": brewery_type, "count": count}
for brewery_type, count in sorted(sd_type_counts.items(), key=lambda kv: (-kv[1], kv[0]))
]
san_diego_top_cities = [
{"city": city, "count": count}
for city, count in sorted(sd_city_counts.items(), key=lambda kv: (-kv[1], kv[0]))[:3]
]
moon_top_5 = [
{"name": item.get("name") or "", "city": item.get("city") or ""}
for item in sorted(moon_items, key=lambda item: ((item.get("name") or ""), (item.get("city") or "")))[:5]
]
result = {
"san_diego_total": len(san_diego_items),
"san_diego_type_summary": san_diego_type_summary,
"san_diego_top_cities": san_diego_top_cities,
"moon_top_5": moon_top_5,
}
if errors:
result["errors"] = errors
And when you're back to the web:
Conclusion
Hyperlight changes the execution model from infrastructure-driven sandboxing to runtime-embedded isolation. Instead of delegating code execution to external container services over network boundaries, MCP CodeMode can invoke Hyperlight directly inside the host process while still enforcing hypervisor-backed isolation.
This collapses latency, reduces operational complexity, and removes an entire class of distributed failure modes, while preserving strong containment for untrusted agent workloads. It is not a replacement for container platforms like OpenSandbox, but a different execution primitive — optimised for fast, secure, function-level agent execution inside the application runtime itself.
The source code can be found at mcp-experiments
The code runs well on Linux and Windows, but on macOS, the Hyperlight team is still working on support.
Happy hacking!
Top comments (0)