Architecture summary

SuperBox execution runs entirely on Cloudflare’s developer platform (Worker + Durable Objects + R2). The Go API origin is a separate self-hosted service managed via Docker. Cloudflare resources are provisioned with Terraform (config in /infra).

Cloudflare Worker

Edge compute that routes MCP requests to the correct Durable Object

McpSession Durable Object

Stateful session runtime - one instance per client session

Cloudflare R2

Object storage for server metadata (S3-compatible API)

Firebase Auth

JWT-based authentication for the Go API and the Worker

Component map

Cloudflare Worker

The Worker (superbox-executor) is the MCP execution endpoint. All AI client traffic goes through it.

| Property | Value |
| --- | --- |
| Name | superbox-executor |
| URL | https://superbox-executor.<your-subdomain>.workers.dev/mcp |
| Protocol | MCP Streamable HTTP (rev 2025-11-25) |
| Methods | POST (invoke), DELETE (teardown) |
| Auth | Firebase JWT in Authorization: Bearer header |

Durable Objects

McpSession is the stateful session class. One instance per Mcp-Session-Id.

| Property | Value |
| --- | --- |
| Class | McpSession |
| Session key | Mcp-Session-Id request header |
| Idle eviction | 30-minute alarm |
| Storage | In-memory only (no DO storage API used) |
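
The request checks implied by the Worker and McpSession properties above, as an added JavaScript example rather than SuperBox's own Worker code. The `gateMcpRequest` function, the `verifyJwt` callback, the request shape, the status codes and the session-id character rule are assumptions; Firebase signature and claim verification is left to the callback.

```javascript
// Added example, not SuperBox code. Status codes, the session-id character rule
// and the request shape are assumptions of this sketch.
const SESSION_ID = /^[\x21-\x7E]{1,128}$/;          // visible ASCII; length cap assumed
const BEARER = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/; // three base64url JWT segments

// req: { method, path, headers } with lower-cased header names.
// verifyJwt: caller-supplied; checks the Firebase signature and claims and
// returns the claims object or null. It is only reached for well-formed tokens.
function gateMcpRequest(req, verifyJwt) {
  if (req.path !== "/mcp") return { status: 404 };
  if (req.method !== "POST" && req.method !== "DELETE") {
    return { status: 405, allow: "POST, DELETE" };
  }
  const match = BEARER.exec(req.headers["authorization"] || "");
  const claims = match ? verifyJwt(match[1]) : null;
  if (!claims) return { status: 401 };

  const sid = req.headers["mcp-session-id"];
  if (sid === undefined) {
    // A POST without a session id opens a session; DELETE has nothing to tear down.
    return req.method === "POST"
      ? { status: 200, action: "new-session", uid: claims.sub }
      : { status: 400 };
  }
  if (!SESSION_ID.test(sid)) return { status: 400 };
  // The session id selects the McpSession instance; uid travels with it so the
  // instance can compare it with the user that opened the session.
  return {
    status: 200,
    action: req.method === "POST" ? "invoke" : "teardown",
    sessionId: sid,
    uid: claims.sub,
  };
}

// Constructed demo: a stand-in verifier that accepts one fixed token.
const demoVerify = (t) => (t === "aaa.bbb.ccc" ? { sub: "user-1" } : null);
console.log(gateMcpRequest({
  method: "DELETE", path: "/mcp",
  headers: { authorization: "Bearer aaa.bbb.ccc", "mcp-session-id": "s-123" },
}, demoVerify));
```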

Cloudflare R2

R2 stores server metadata. The Go API writes to it via a Python subprocess (s3_helper.py) that uses boto3 against R2's S3-compatible endpoint.

| Property | Value |
| --- | --- |
| Bucket name | superbox-mcp-registry |
| Object key | {server-name}.json |
| Access | S3-compatible (CLOUDFLARE_R2_ENDPOINT, CLOUDFLARE_R2_ACCESS_KEY_ID, CLOUDFLARE_R2_SECRET_ACCESS_KEY) |

Go API (backend)

The Go API (Gin, Go 1.26) handles server CRUD and security scanning. It runs as a Docker container.

| Property | Value |
| --- | --- |
| Framework | Gin |
| Go version | 1.26 |
| Auth | Firebase JWT middleware |
| R2 access | Python subprocess (s3_helper.py) |
| Security scan | Python subprocess (security_helper.py) |

Deployment summary

| Component | Deploy command |
| --- | --- |
| Cloudflare Worker + DO | npx wrangler deploy (from cloudflare/) |
| Go API | docker build && docker run |
| R2 bucket (one-time) | wrangler r2 bucket create superbox-mcp-registry |