Skip to content
mvm

Code interpreter pattern

A code interpreter accepts source text, runs it, and returns output. The important rule is that user code runs in the guest, not in the host process.

One-shot interpreter

Section titled “One-shot interpreter”
Terminal window
mvmctl run --timeout 10 -- python - <<'PY'
print("hello from inside the sandbox")
PY

Use this shape for stateless calls where every invocation should start clean.

Persistent interpreter

Section titled “Persistent interpreter”
Terminal window
mvmctl init ./interpreter --preset python
mvmctl build ./interpreter
mvmctl up ./interpreter --name interpreter
mvmctl exec interpreter -- python /work/run_cell.py

Use a named VM when you intentionally want cached packages, files, or session state across cells.

Security checklist

Section titled “Security checklist”
  • Enforce input size limits before invoking the sandbox.
  • Set a timeout.
  • Bound stdout/stderr returned to the caller.
  • Disable network unless the interpreter needs named endpoints.
  • Never pass host credentials through argv.
  • Delete or snapshot state intentionally.