@rnbsolucoes/axion-code 0.1.22 → 0.1.23

package/README.md

@@ -292,15 +292,16 @@ provider as a follow-up `tool_result` continuation turn, so the agent can use
 the evidence before answering. Unsupported tools remain explicitly pending until
 a dedicated adapter exists.
 
-`axion tool run` exposes the first guarded dispatcher surface. The CLI and TUI
+`axion tool run` exposes the guarded dispatcher surface. The CLI and TUI
 currently support workspace-local `Read`, `Glob`, `Grep`, `Write` and `Edit`,
-plus governed `Shell`/`Bash`/`PowerShell` commands that run from a workspace
-directory with timeout and bounded output. Provider tool aliases such as
-`read_file`, `write_file` and `run_command` are normalized to native tool names
-before approval/execution. When the active permission mode requires approval,
-execution is allowed only if the supplied approval is already approved and
-matches the exact redacted tool request. MCP, browser, process and unknown tools
-remain unsupported even when an approval exists.
+governed `Shell`/`Bash`/`PowerShell` commands that run from a workspace
+directory with timeout and bounded output, and enabled stdio MCP tools named as
+`mcp__<server-id>__<tool-name>`. Provider tool aliases such as `read_file`,
+`write_file` and `run_command` are normalized to native tool names before
+approval/execution. When the active permission mode requires approval, execution
+is allowed only if the supplied approval is already approved and matches the
+exact redacted tool request. Remote MCP transports, browser, process and
+unknown tools remain unsupported even when an approval exists.
 
 Examples:
 
@@ -314,6 +315,7 @@ axion permission resolve <approval-id> --deny --reason "not needed" --json
 axion tool run Read "{\"path\":\"README.md\"}" --mode full_permission --json
 axion tool run Write "{\"path\":\"notes/out.txt\",\"content\":\"approved\"}" --session smoke --turn turn-1 --approval <approval-id> --mode request_permission --json
 axion tool run Shell "{\"command\":\"echo axion-shell\"}" --session smoke --turn turn-1 --approval <approval-id> --mode request_permission --json
+axion tool run mcp__dotcontext__list_context "{\"query\":\"PREVC\"}" --mode full_permission --json
 ```
 
 Security invariants:
@@ -327,6 +329,8 @@ Security invariants:
 - unknown native tools are default-deny until they are classified.
 - MCP tools are mutating by default; only read-shaped names such as `find_*`,
   `get_*`, `list_*`, `search_*` and `*_overview` are downgraded to read-only.
+  The dispatcher validates that enabled stdio MCP servers advertise the target
+  tool through `tools/list` before calling `tools/call`.
 
 Provider menu actions:
 
@@ -364,11 +368,11 @@ This is a functional direction MVP, not the full harness:
 - terminal logo uses Sixel when available and falls back to width-bounded ANSI/block rendering;
 - initial chat splash shows the Axion logo and system name until the first interaction;
 - guarded dispatcher execution is limited to workspace-local `Read`, `Glob`,
-  `Grep`, `Write` and `Edit`, plus governed workspace-scoped shell commands;
+  `Grep`, `Write` and `Edit`, governed workspace-scoped shell commands and
+  enabled stdio MCP tools;
   the TUI executes these after approval and shows the result, then feeds
   successful supported results back into the provider as an iterative
   `tool_result` continuation turn;
-- MCP, browser, process and unknown tools remain blocked;
+- remote MCP transports, browser, process and unknown tools remain blocked;
 - no executable Pi RPC bridge yet;
-- no MCP transport execution yet;
 - native subagent execution is prompt-isolated and provider/model-inherited; richer multi-subagent orchestration, streaming and budget telemetry remain next-cycle items.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rnbsolucoes/axion-code",
-  "version": "0.1.22",
+  "version": "0.1.23",
   "description": "Axion Code CLI harness for the Axion ecosystem.",
   "type": "module",
   "repository": {