
mcp-server-jupyter

Verified Safe

by davidwarshawsky

Overview

Transforms Jupyter notebooks into a reliable, stateful, and secure backend API for AI agents, facilitating data analysis, scientific computing, and visualization through controlled execution and inspection.

Installation

Run Command
mcp-jupyter --transport websocket --port 3000 --idle-timeout 600

Environment Variables

  • MCP_SESSION_TOKEN
  • MCP_PACKAGE_ALLOWLIST
  • MCP_STRICT_MODE
  • MCP_ALLOWED_ROOT
  • MCP_MAX_KERNELS
  • MCP_MEMORY_LIMIT_BYTES
  • MCP_DATA_DIR
  • OTEL_EXPORTER_OTLP_ENDPOINT
  • LOG_LEVEL
  • MCP_PORT
  • MCP_HOST

Security Notes

The server implements comprehensive security measures including Pydantic-validated input, robust Docker sandboxing (seccomp, capability dropping, read-only rootfs, network isolation), entropy-based secret redaction, structured audit logging, atomic notebook writes, and backpressure for DoS prevention. It also features UUID-based zombie kernel reaping and explicitly removed insecure checkpointing mechanisms. Token-based authentication (MCP_SESSION_TOKEN generated at runtime) is enforced, and a configurable package allowlist (MCP_PACKAGE_ALLOWLIST) prevents supply chain attacks. Path traversal is strictly prevented for both notebook and asset access. While highly hardened, the 'auto_analyst' prompt example, if executed literally by an agent, might bypass the server's package allowlist by directly using `subprocess.check_call` for `pip install`, though the dedicated `install_package` tool is secure.

Stats

  • Interest Score: 33
  • Security Score: 9
  • Cost Class: Medium
  • Avg Tokens: 500
  • Stars: 1
  • Forks: 0
  • Last Update: 2026-01-19

Tags

Jupyter, AI Agents, Data Science, API, Python, Stateful, Secure, Observability