deskcloud-mcp

Verified Safe

by puntorigen

Overview

An open-source Model Context Protocol (MCP) server that provides AI-controlled virtual desktops with real-time streaming and VNC access.

Installation

Run Command
docker-compose up --build

Environment Variables

  • ANTHROPIC_API_KEY

Security Notes

The project's core functionality is to let AI agents execute commands on an isolated virtual desktop, so its security measures focus on isolation. Each session receives its own X11 display (Xvfb), a dedicated VNC server with token-based routing, and a separate filesystem via OverlayFS. The OverlayFS setup requires the `CAP_SYS_ADMIN` capability and the `apparmor:unconfined` security option on the Docker container, both of which relax the container's default confinement.

Anthropic API keys follow a 'Bring Your Own Key' (BYOK) model: the key is supplied in an HTTP header (`X-Anthropic-API-Key`) and held in request-scoped memory (`ContextVar`). It is not persisted and not directly exposed to the LLM. All tool subprocess calls are configured with session-specific environments, preventing unintended access to the host's global environment.

However, the default `CORS_ORIGINS: "*"` setting, as seen in the `render.yaml` for cloud deployment, is a security risk in production and should be restricted. Because the server allows arbitrary command execution by an AI, any compromise of the API or failure of the isolation mechanisms could lead to control over the isolated desktop, and potentially the host system. The project's `entrypoint.sh` includes a critical check for OverlayFS permissions.

Stats

  • Interest Score: 0
  • Security Score: 7
  • Cost Class: High
  • Avg Tokens: 10000
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-12-14

Tags

mcp, ai-agents, computer-use, fastapi, vnc, automation, virtual desktop