--- Self-Hosted Code Interpreter for LibreChat Overview This is a

1. ---
2. Self-Hosted Code Interpreter for LibreChat
3.  
4. Overview
5.  
6. This is a drop-in replacement for LibreChat's hosted code interpreter (code.librechat.ai). Instead of sending code to an external service, you run a local FastAPI server that executes Python code in secure Docker containers.
7.  
8. Architecture
9.  
10. ┌─────────────────────────────────────────────────────────────────────┐
11. │ LibreChat │
12. │ (Agents use @librechat/agents which calls your code interpreter) │
13. └───────────────────────────────┬─────────────────────────────────────┘
14. │ HTTP API
15. ▼
16. ┌─────────────────────────────────────────────────────────────────────┐
17. │ qwen_code_api.py (FastAPI) │
18. │ Running on port 8095 │
19. │ │
20. │ • Receives code execution requests │
21. │ • Manages sessions & user isolation │
22. │ • Spawns Docker containers for each execution │
23. │ • Returns stdout, stderr, and output files │
24. └───────────────────────────────┬─────────────────────────────────────┘
25. │ Docker API
26. ▼
27. ┌─────────────────────────────────────────────────────────────────────┐
28. │ Docker Container (qwen-sandbox:latest) │
29. │ │
30. │ ┌───────────────────────────────────────────────────────────────┐ │
31. │ │ SECURITY CONSTRAINTS: │ │
32. │ │ • network_mode="none" (no internet access) │ │
33. │ │ • mem_limit="256m" (memory cap) │ │
34. │ │ • pids_limit=50 (prevent fork bombs) │ │
35. │ │ • read_only=True (immutable root filesystem) │ │
36. │ │ • no-new-privileges (no privilege escalation) │ │
37. │ │ • 120 second timeout (execution time limit) │ │
38. │ └───────────────────────────────────────────────────────────────┘ │
39. │ │
40. │ /workspace (read-write mount) ←→ Host session directory │
41. │ │
42. │ Pre-installed: numpy, pandas, matplotlib, seaborn, scipy, │
43. │ scikit-learn, python-pptx, graphviz, pillow, etc. │
44. └─────────────────────────────────────────────────────────────────────┘
45.  
46. Why Build This?
47.  
48. 1. Privacy: Code never leaves your infrastructure
49. 2. Customization: Add any Python packages you need
50. 3. No rate limits: Execute as much as you want
51. 4. Cost: No per-execution fees
52. 5. Control: Full visibility into what's running
53.  
54. ---
55. API Endpoints (LibreChat Compatible)
56.  
57. The API matches LibreChat's @librechat/agents expectations exactly:
58.  
59. | Endpoint | Method | Description |
60. |--------------------------------------|--------|------------------------------------------|
61. | /exec | POST | Execute code, return stdout/stderr/files |
62. | /upload | POST | Upload file to session |
63. | /files/{session_id} | GET | List files in session |
64. | /download/{session_id}/{file_id} | GET | Download file (browser) |
65. | /file/{session_id}/{file_id}/content | GET | Get file as base64 (for MCP) |
66. | /sessions/{session_id} | DELETE | Clean up session |
67. | /health | GET | Health check |
68.  
69. Execute Code Request
70.  
71. POST /exec
72. {
73. "code": "import pandas as pd\ndf = pd.DataFrame({'a': [1,2,3]})\nprint(df)",
74. "lang": "python",
75. "session_id": "optional-session-id",
76. "entity_id": "user-123"
77. }
78.  
79. Execute Code Response
80.  
81. {
82. "stdout": " a\n0 1\n1 2\n2 3\n",
83. "stderr": "",
84. "files": [
85. {"name": "output.png", "id": "uuid-here"}
86. ],
87. "session_id": "generated-or-provided-session-id"
88. }
89.  
90. ---
91. Security Model
92.  
93. Container Isolation
94.  
95. Every code execution runs in a fresh Docker container with strict constraints:
96.  
97. container = client.containers.run(
98. image="qwen-sandbox:latest",
99. command=["python", "/workspace/_exec.py"],
100.  
101. # === SECURITY ===
102. network_mode="none", # No network access AT ALL
103. mem_limit="256m", # Max 256MB RAM
104. memswap_limit="256m", # No swap
105. pids_limit=50, # Prevent fork bombs
106. read_only=True, # Read-only root filesystem
107. security_opt=["no-new-privileges"],
108.  
109. # Only /workspace is writable (for output files)
110. volumes={workspace: {"bind": "/workspace", "mode": "rw"}}
111. )
112.  
113. What This Prevents
114.  
115. | Attack | Protection |
116. |-------------------|-----------------------------------------------|
117. | Data exfiltration | network_mode="none" - no outbound connections |
118. | Crypto mining | No network + memory limits |
119. | Fork bombs | pids_limit=50 |
120. | Disk filling | Read-only root, limited workspace |
121. | Container escape | no-new-privileges, non-root user |
122. | Infinite loops | 120 second timeout |
123. | Memory exhaustion | 256MB hard limit |
124.  
125. User Isolation
126.  
127. Each user (identified by entity_id) gets isolated file storage:
128.  
129. /tmp/qwen_code/
130. ├── shared_uploads/
131. │ ├── user-123/ # User 123's persistent files
132. │ │ ├── template.pptx
133. │ │ └── data.csv
134. │ └── user-456/ # User 456's files (isolated)
135. │ └── report.xlsx
136. ├── {session-uuid-1}/ # Temporary session workspace
137. ├── {session-uuid-2}/ # Another session
138. └── ...
139.  
140. - Users cannot see each other's files
141. - Files persist across sessions for the same user
142. - Automatic cleanup removes old sessions (default: 24 hours)
143.  
144. ---
145. The Docker Sandbox Image
146.  
147. Dockerfile
148.  
149. FROM python:3.11-slim
150.  
151. # Environment variables to prevent sandbox errors
152. ENV MPLCONFIGDIR=/workspace
153. ENV MPLBACKEND=Agg
154. ENV XDG_CACHE_HOME=/workspace/.cache
155. ENV OPENBLAS_NUM_THREADS=1
156. ENV OMP_NUM_THREADS=1
157. ENV PYTHONUNBUFFERED=1
158.  
159. # Install system dependencies
160. RUN apt-get update && apt-get install -y --no-install-recommends \
161. graphviz \
162. fonts-dejavu \
163. fonts-liberation \
164. fontconfig \
165. && rm -rf /var/lib/apt/lists/* \
166. && fc-cache -f
167.  
168. # Install Python packages
169. RUN pip install --no-cache-dir \
170. numpy \
171. pandas \
172. matplotlib \
173. seaborn \
174. scipy \
175. scikit-learn \
176. openpyxl \
177. xlrd \
178. requests \
179. beautifulsoup4 \
180. lxml \
181. pillow \
182. sympy \
183. python-pptx \
184. graphviz
185.  
186. # Create /mnt/data symlink for LibreChat compatibility
187. RUN mkdir -p /mnt && ln -s /workspace /mnt/data
188.  
189. # Create non-root user for extra security
190. RUN useradd -m -s /bin/bash sandbox
191. USER sandbox
192.  
193. WORKDIR /workspace
194.  
195. Key Design Decisions
196.  
197. 1. Non-root user: Container runs as sandbox user, not root
198. 2. Professional fonts: Liberation Sans/DejaVu for clean charts and diagrams
199. 3. Graphviz: Enables mind maps, flowcharts, org charts
200. 4. python-pptx: PowerPoint generation with corporate templates
201. 5. No network packages active: requests/beautifulsoup4 are installed but can't reach the internet due to network_mode="none"
202.  
203. ---
204. How to Connect to LibreChat
205.  
206. 1. Build the Docker Image
207.  
208. cd services/qwen-code-interpreter
209. docker build -t qwen-sandbox:latest .
210.  
211. 2. Start the API Server
212.  
213. pip install fastapi uvicorn docker pydantic
214. python qwen_code_api.py --port 8095
215.  
216. 3. Configure LibreChat
217.  
218. In your LibreChat .env or configuration:
219.  
220. # Point to your self-hosted code interpreter
221. LIBRECHAT_CODE_API_URL=http://localhost:8095
222. LIBRECHAT_CODE_API_KEY=your-secret-key
223.  
224. Or in librechat.yaml for agents:
225.  
226. endpoints:
227. agents:
228. codeInterpreter:
229. url: "http://localhost:8095"
230. apiKey: "${LIBRECHAT_CODE_API_KEY}"
231.  
232. ---
233. Configuration Options
234.  
235. All configurable via environment variables:
236.  
237. | Variable | Default | Description |
238. |--------------------------|---------------------------------------------|---------------------------------------|
239. | LIBRECHAT_CODE_API_KEY | qwen-sandbox-dev-key | API authentication key |
240. | QWEN_CODE_WORK_DIR | /tmp/qwen_code | Base directory for sessions |
241. | CODE_EXEC_TIMEOUT | 120 | Execution timeout in seconds |
242. | SESSION_MAX_AGE_HOURS | 24 | Auto-cleanup sessions older than this |
243. | CLEANUP_INTERVAL_MINUTES | 60 | How often cleanup runs |
244. | MAX_UPLOAD_SIZE | 52428800 (50MB) | Max file upload size |
245. | MAX_BASE64_SIZE | 26214400 (25MB) | Max file size for base64 endpoint |
246. | CORS_ORIGINS | http://localhost:3080,http://localhost:3000 | Allowed CORS origins |
247.  
248. ---
249. Advanced: MCP Integration for Email/OneDrive
250.  
251. The /file/{session_id}/{file_id}/content endpoint returns base64-encoded files, enabling this workflow:
252.  
253. 1. Agent executes code → creates PowerPoint
254. 2. Agent calls /file/.../content → gets base64
255. 3. Agent calls M365 MCP → uploads to user's OneDrive
256. 4. Agent calls M365 MCP → sends email with share link
257.  
258. This lets each user authenticate with their own Microsoft 365 account.
259.  
260. ---
261. Example Capabilities
262.  
263. Create Charts
264.  
265. import matplotlib.pyplot as plt
266. import pandas as pd
267.  
268. df = pd.DataFrame({'Month': ['Jan','Feb','Mar'], 'Sales': [100, 150, 200]})
269. plt.bar(df['Month'], df['Sales'])
270. plt.savefig('sales_chart.png', dpi=150)
271.  
272. Generate PowerPoints
273.  
274. from pptx import Presentation
275. from pptx.util import Inches
276.  
277. prs = Presentation('corporate_template.pptx') # User uploads template
278. slide = prs.slides.add_slide(prs.slide_layouts[1])
279. slide.shapes.title.text = "Q4 Results"
280. prs.save('quarterly_report.pptx')
281.  
282. Create Mind Maps
283.  
284. from graphviz import Digraph
285.  
286. mind_map = Digraph('MindMap', format='png')
287. mind_map.attr('node', shape='box', style='rounded,filled',
288. fontname='Liberation Sans')
289. mind_map.node('center', 'Main Topic', fillcolor='gold')
290. mind_map.node('a', 'Subtopic A')
291. mind_map.edge('center', 'a')
292. mind_map.render('/workspace/mindmap', cleanup=True)
293.  
294. Data Analysis
295.  
296. import pandas as pd
297. from sklearn.linear_model import LinearRegression
298.  
299. df = pd.read_csv('sales_data.csv') # User uploads CSV
300. model = LinearRegression().fit(df[['marketing_spend']], df['revenue'])
301. print(f"Revenue per $1 marketing: ${model.coef_[0]:.2f}")
302.  
303. ---
304. File Structure
305.  
306. services/qwen-code-interpreter/
307. ├── qwen_code_api.py # FastAPI server (680 lines)
308. ├── Dockerfile # Sandbox image definition
309. └── README.md # This documentation
310.  
311. ---
312. Summary
313.  
314. This self-hosted code interpreter gives you:
315.  
316. - Full LibreChat compatibility - drop-in replacement
317. - Maximum security - air-gapped containers, non-root, resource limits
318. - User isolation - multi-tenant safe
319. - Rich capabilities - data science, visualization, document generation
320. - MCP integration - bridge to external services like Office 365
321. - Zero external dependencies - runs entirely on your infrastructure