Skip to main content

Architecture

SuperBox backend has three main components:

Go API Server

RESTful API with Gin framework

Python CLI

Command-line tool for developers

AWS Lambda

Sandboxed MCP execution

Go API Server

Technology:
  • Go 1.21+
  • Gin web framework
  • Firebase Auth (Google/GitHub OAuth)
  • S3 for storage via Python helper
Endpoints:
  • /api/v1/servers - List, get, create, update, delete servers
  • /api/v1/auth - Register, login, OAuth, device flow, profile
Key Features:
  • Calls Python helper scripts for S3 operations
  • Device authorization flow for CLI
  • Multi-stage Docker build (Go binary + Python runtime)
  • CORS enabled for web clients

Python CLI

Technology:
  • Python 3.11+
  • Click framework
  • boto3 for AWS S3
  • requests for HTTP calls
Commands:
  • init - Create superbox.json config
  • auth - Device flow OAuth login
  • push - Security scan + upload to S3
  • pull - Configure AI clients (VSCode, Cursor, etc)
  • run - Interactive test session
  • search - Find servers in registry
  • inspect - View server details
  • test - Test servers locally
  • logs - View CloudWatch logs
Security Scanners:
  • SonarCloud - Code quality and security
  • Bandit - Python vulnerabilities
  • GitGuardian - Secret detection
  • Tool Discovery - Extract MCP tools from code

AWS Lambda Executor

Function: lambda.lambda_handler
  • Runtime: Python 3.11
  • Memory: 512 MB (configurable)
  • Timeout: 60 seconds
  • Trigger: Lambda Function URL (HTTPS)
Execution Flow:
  1. Receive HTTP request with server name
  2. Fetch {server}.json metadata from S3
  3. Download GitHub repo as ZIP
  4. Extract to /tmp
  5. Install dependencies (pip/npm)
  6. Execute entrypoint with JSON-RPC request
  7. Return response
  8. Log to CloudWatch
Test Mode: 
POST https://lambda-url/test?test_mode=true&repo_url=https://github.com/user/repo&entrypoint=main.py

Data Flow

Storage Structure

S3 Bucket (flat files): superbox-mcp-registry Each MCP server is a single JSON object stored at the bucket root:
  • <name>.json (e.g., weather-server.json)
Fields (from superbox.cli.commands.push):
  • name
  • repository { "type": "git", "url": "<repo-url>" }
  • description
  • entrypoint (defaults to main.py)
  • lang (defaults to python)
  • tools (array of discovered tool names)
  • tool_count
  • security_report (SonarCloud, Bandit, GitGuardian results; may be null)
  • meta.created_at, meta.updated_at (timestamps added on upsert)

Core Services

Coordinates Lambda execution pipeline.
type ExecutionService struct {
    lambda     *lambda.Client
    s3         *s3.Client
    maxTimeout time.Duration
}

func (s *ExecutionService) ExecuteTool(serverID, toolName string, params map[string]interface{}) (interface{}, error)
func (s *ExecutionService) GetExecutionLogs(executionID string) ([]LogEntry, error)
Orchestrates multi-tool security scanning:
  • SonarQube for code quality
  • Bandit for Python security issues
  • GitGuardian for secret detection
  • Semgrep for pattern matching
  • OWASP Dependency-Check
type SecurityService struct {
    sonarqube   *sonarqube.Client
    bandit      *exec.Cmd
    gitguardian *gitguardian.Client
}

func (s *SecurityService) ScanServer(serverPath string) (*ScanReport, error)
func (s *SecurityService) GetScanStatus(scanID string) (*ScanStatus, error)

CLI Tool (Python)

1

Initialization

superbox init creates project structure:
my-mcp-server/
- mcp_server.py
- tools/
- example_tool.py
- config.yaml
- requirements.txt
- README.md
2

Authentication

superbox auth performs device flow: 1. Generates device code 2. Opens browser for authorization 3. Polls for token 4. Stores credentials securely
3

Security Scan

superbox push runs 5-step pipeline: 1. SonarQube code quality 2. Bandit security issues 3. GitGuardian secrets 4. Semgrep vulnerabilities 5. OWASP dependencies
4

Publish

Uploads server to SuperBox:
  1. Validates configuration
  2. Packages server code
  3. Uploads to S3
  4. Registers in database
  5. Triggers Lambda deployment

API Endpoints

Authentication

  • POST /auth/register - POST /auth/login - GET /auth/oauth/:provider - POST /auth/device-flow

Servers

  • GET /servers - GET /servers/:id - POST /servers - PUT /servers/:id - DELETE /servers/:id

Execution

  • POST /execute/:serverId - GET /execution/:id/logs - GET /execution/:id/status

Performance Metrics

SuperBox is designed for high performance with the following targets:
MetricTargetActual
Average Response Time< 100ms85ms
P95 Response Time< 200ms175ms
P99 Response Time< 500ms425ms
Throughput> 10k req/s12k req/s
Error Rate< 0.1%0.05%

Scaling Strategy

API servers scale automatically based on CPU/memory:
  • Auto Scaling Groups with min 2, max 10 instances
  • Scale up at 70% CPU utilization
  • Scale down at 30% CPU utilization
  • Health checks every 30 seconds
PostgreSQL RDS with read replicas: - Primary instance for writes - 2 read replicas for queries - Automatic failover - Daily backups with 7-day retention
Redis ElastiCache for performance: - Server metadata cached for 1 hour - User sessions cached for 7 days - Search results cached for 15 minutes - Cache invalidation on updates
AWS Lambda auto-scales execution:
  • Reserved concurrency: 1000
  • Burst concurrency: 3000
  • Cold start optimization with provisioned concurrency
  • Dead letter queue for failed executions

Security Features

End-to-End Encryption - All data encrypted in transit (TLS 1.3) and at rest (AES-256)
WAF Protection - AWS WAF rules for DDoS and common attacks
Rate Limiting - Redis-based rate limiting per user and IP
Input Validation - Strict validation and sanitization of all inputs
Sandbox Isolation - Lambda functions run in isolated containers
Secrets Management - AWS Secrets Manager for sensitive data

Monitoring & Observability

Logs

CloudWatch Logs Centralized logging with structured JSON format

Metrics

CloudWatch Metrics Custom metrics for API, Lambda, and database

Traces

X-Ray Tracing Distributed tracing across services

Next Steps

Backend Setup

Set up local development environment

Architecture Deep Dive

Detailed architecture documentation

Deploy to AWS

Production deployment guide

API Reference

Explore API endpoints