run-mcp 1.6.3 → 1.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +75 -0
- package/dist/index.js +2081 -854
- package/package.json +9 -3
package/README.md
CHANGED
|
@@ -282,6 +282,81 @@ Tool call responses are processed through the interceptor pipeline. All other pr
|
|
|
282
282
|
| **Timeouts** | Tool calls are wrapped in a configurable timeout (default 60s, use `--timeout` to change) |
|
|
283
283
|
| **Truncation** | Text responses exceeding the limit (default 50K chars, use `--max-text` to change) are truncated |
|
|
284
284
|
|
|
285
|
+
## Sandboxing & Outbound Data Exfiltration Protection
|
|
286
|
+
|
|
287
|
+
`run-mcp` features a comprehensive multi-layered sandboxing engine designed to protect local systems and credentials from malicious or buggy MCP servers.
|
|
288
|
+
|
|
289
|
+
### 🛡️ Sandboxing Modes
|
|
290
|
+
|
|
291
|
+
You can restrict a target server's execution footprint using the `--sandbox` flag:
|
|
292
|
+
|
|
293
|
+
- **`none`** (Default): No sandboxing. The target server runs with full user privileges.
|
|
294
|
+
- **`auto`**: Automatically selects the most restrictive sandboxing system available on the host OS.
|
|
295
|
+
- **`native`**: Uses OS-level native isolation:
|
|
296
|
+
- **macOS**: Utilizes the Seatbelt (App Sandbox) framework (`sandbox-exec`).
|
|
297
|
+
- **Linux**: Utilizes `bubblewrap` (`bwrap`) containerization.
|
|
298
|
+
- **Windows**: Utilizes `@microsoft/mxc-sdk` App Container sandboxing (requires the package to be present).
|
|
299
|
+
- **`docker`**: Spawns the target command inside a fresh, network-disabled ephemeral Docker container (`node:20` or `python:3` depending on the command).
|
|
300
|
+
- **`audit`**: Runs the server under a special non-enforcing native sandbox mode that permits operations but logs all network activity to the console.
|
|
301
|
+
|
|
302
|
+
### 🌐 Outbound Network Proxy Auditing
|
|
303
|
+
|
|
304
|
+
When a sandboxed server is granted outbound network access (e.g., using `--allow-net`), `run-mcp` automatically spawns a zero-dependency local **Network Audit Proxy**.
|
|
305
|
+
- All outbound HTTP/HTTPS traffic is forced through the proxy using environment variables.
|
|
306
|
+
- Target endpoints and protocols (including HTTPS `CONNECT` tunnels) are transparently logged to stderr in distinct cyan color:
|
|
307
|
+
```
|
|
308
|
+
🌐 [NETWORK AUDIT] HTTP request to: http://example.com/api/v1/data
|
|
309
|
+
🌐 [NETWORK AUDIT] HTTPS connection established to: github.com
|
|
310
|
+
```
|
|
311
|
+
- Permits outbound traffic while providing complete visibility into where the server is sending data.
|
|
312
|
+
|
|
313
|
+
### 🔑 Automatic Credential Protection (Deny-Wins)
|
|
314
|
+
|
|
315
|
+
When outbound network capability is enabled, `run-mcp` automatically safeguards your local configuration files and private keys from exfiltration.
|
|
316
|
+
By default, the sandbox denies access to the following directories:
|
|
317
|
+
- `~/.ssh` (SSH private keys and configs)
|
|
318
|
+
- `~/.aws` (AWS credentials)
|
|
319
|
+
- `~/.kube` (Kubernetes configurations)
|
|
320
|
+
- `~/.config/gcloud` (Google Cloud SDK credentials)
|
|
321
|
+
- `~/.netrc` and `~/.npmrc` (Authentication files)
|
|
322
|
+
|
|
323
|
+
Access is strictly blocked using **Deny-Wins** precedence unless a folder is explicitly whitelisted.
|
|
324
|
+
|
|
325
|
+
### ⚙️ Capabilities & Configuration
|
|
326
|
+
|
|
327
|
+
You can configure sandbox rules on the command line or using structured JSON settings files.
|
|
328
|
+
|
|
329
|
+
#### CLI Overrides
|
|
330
|
+
|
|
331
|
+
Pass these flags after `run-mcp` and before the target command:
|
|
332
|
+
- `--sandbox <mode>`: Set sandbox execution mode (`auto`, `native`, `docker`, `audit`, `none`).
|
|
333
|
+
- `--allow-read <paths...>`: Allow reading specific host directories.
|
|
334
|
+
- `--allow-write <paths...>`: Allow writing to specific host directories.
|
|
335
|
+
- `--allow-net <domains...>`: Allow outbound network access to specific domains.
|
|
336
|
+
- `--deny-read <paths...>`: Deny reading specific host directories.
|
|
337
|
+
- `--deny-write <paths...>`: Deny writing to specific host directories.
|
|
338
|
+
- `--deny-net <domains...>`: Deny outbound network access to specific domains.
|
|
339
|
+
|
|
340
|
+
#### Configuration Scopes
|
|
341
|
+
|
|
342
|
+
`run-mcp` resolves settings hierarchically, allowing both administrator enforcement and developer configuration:
|
|
343
|
+
1. **Managed (Enterprise)**: System-wide read-only overrides (`/Library/Application Support/run-mcp/settings.json`, `C:\Program Files\run-mcp\settings.json`, `/etc/run-mcp/settings.json`).
|
|
344
|
+
2. **User (Global)**: Personal defaults (`~/.gemini/antigravity-ide/settings.json` or equivalent).
|
|
345
|
+
3. **Project**: Shared settings within a repository (`<workspace>/.run-mcp.json`).
|
|
346
|
+
4. **Local**: Developer-specific project settings (`<workspace>/.run-mcp.local.json`).
|
|
347
|
+
|
|
348
|
+
*Example Settings File (`.run-mcp.json`):*
|
|
349
|
+
```json
|
|
350
|
+
{
|
|
351
|
+
"sandbox": {
|
|
352
|
+
"mode": "native",
|
|
353
|
+
"allowRead": ["/usr/local/bin"],
|
|
354
|
+
"allowNet": ["*.api.github.com"],
|
|
355
|
+
"denyRead": ["~/.ssh"]
|
|
356
|
+
}
|
|
357
|
+
}
|
|
358
|
+
```
|
|
359
|
+
|
|
285
360
|
## Architecture
|
|
286
361
|
|
|
287
362
|
```
|