Hyland Connect

angelborroy · ‎10-23-2025

How to safely run dynamic, untrusted, or AI-generated code against repository content?. Whether it’s an LLM suggesting a quick data-extraction script, or a user-uploaded rule that needs to analyze a document, the question is the same.

Traditionally, Docker has been the go-to answer: build a container, mount content, run the task. It works, but it’s heavy for small, short-lived executions. That’s where E2B (Engine-to-Box) comes in.

What is E2B?

E2B provides ephemeral sandboxes: lightweight, cloud-isolated environments that spin up in seconds, execute arbitrary code securely, and shut down immediately.

They’re based on Firecracker microVMs, the same ultra-fast virtualization layer used by AWS Lambda, giving developers a way to run any code safely and with almost zero startup delay.

In practice, an E2B sandbox is:

Fast: starts in under 2 s
Ephemeral: disappears after each job
Isolated: no access to your network or filesystem
Language-agnostic: supports Python, Node, shell, etc. via SDK

The Alfresco + E2B Minimal Project

The alfresco-e2b-minimal demo shows the concept in action. It’s a Node.js app that connects to an Alfresco repository, downloads a document, and uses E2B to analyze it without any code ever touching your host.

E2B provides also a Python SDK in addition to the JavaScript SDK used for this sample project. Additional details can be found in the E2B Documentation page. You may also want to take a look at the MCP Gateway provided by the platform.

How it works

1. Authenticate to Alfresco
Using a ticket or bearer token, the app connects to the Alfresco REST API

2. Download the target document
The file is fetched from the repository by its "nodeId"

3. Create a new E2B sandbox
Through the E2B TypeScript SDK, it requests an ephemeral Firecracker VM

4. Transfer inputs and script
The document content and a Python file ("scripts/basic_stats.py") are copied into the sandbox

5. Execute analysis inside the sandbox
The script runs remotely. It simply counts bytes, words, and lines in the file as a sample logic

6. Upload results back to Alfresco
When the Python process finishes, the host app retrieves the JSON result and creates a new node in the specified target folder, setting fields such as "cm:title", "cm:description", and "cm:author"

Example Run

Once configured, you only need:

cp .env.example .env
# fill ALFRESCO_BASE_URL, TARGET_FOLDER_ID, E2B_API_KEY, NODE_ID
docker compose up --build

Expected output:

✓ Analysis uploaded.
Source node: 3d0014d0-6232-4af1-8014-d062327af1c5
Result node: f6b01cfb-492c-4576-b01c-fb492c1576b1

In Alfresco, a JSON file appears alongside your document, containing:

{
  "bytes": 13452,
  "words": 2164,
  "lines": 238
}

Every execution happens within a fresh E2B sandbox, fully isolated, disposable, and never carrying Alfresco credentials.

Customizing your analysis

You can replace "scripts/basic_stats.py" with any Python logic:

Extract keywords using spaCy or regex
Detect PII in text
Compute document similarity
Generate embeddings for AI retrieval
...

All that’s required is to read from "INPUT_PATH" and write JSON to "OUTPUT_PATH"

E2B isolates dependencies and execution, while the host app remains responsible for repository access and metadata updates

Conclusion

The Alfresco-E2B minimal project demonstrates how ephemeral compute can extend your content platform securely.
Instead of asking "can I trust this code?", you can now run it: safely, in isolation, and automatically cleaned up.

Docker provides your stable foundation, while E2B adds a disposable, serverless-like execution layer ideal for experimentation, automation, and AI-driven extensions.

Because sometimes the safest code execution is the one that disappears right after it runs