run-mcp 1.6.3 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +157 -38
  2. package/dist/index.js +2136 -859
  3. package/package.json +10 -4
package/README.md CHANGED
@@ -60,14 +60,28 @@ You'll see an interactive prompt:
60
60
 
61
61
  run-mcp [options] [target_command...]
62
62
 
63
- Options:
64
- -V, --version Show version number
65
- -o, --out-dir <path> Directory to save intercepted images and audio
66
- -t, --timeout <ms> Default tool call timeout in milliseconds (default: 300000) (Agent Mode only)
67
- --max-text <chars> Max text response length before truncation (default: 50000) (Agent Mode only)
68
- --mcp Force start Agent Server mode even if run interactively without arguments
69
- -s, --script <file> Read commands from a file instead of stdin (REPL Mode only)
70
- -h, --help Display help for command
63
+ <!-- OPTIONS_START -->
64
+ | Option | Description |
65
+ | :--- | :--- |
66
+ | `-V, --version` | output the version number |
67
+ | `-o, --out-dir <path>` | Directory to save intercepted images and audio |
68
+ | `-t, --timeout <ms>` | Default tool call timeout in milliseconds (default: 300000) (Agent Mode only) |
69
+ | `--max-text <chars>` | Max text response length before truncation (default: 50000) (Agent Mode only) |
70
+ | `-m, --media-threshold <kb>` | Media size threshold in KB to save to disk (0 to always save, -1 to keep inline) |
71
+ | `--mcp` | Force start Agent Server mode even if run interactively without arguments |
72
+ | `-s, --script <file>` | Read commands from a file instead of stdin (REPL Mode only) |
73
+ | `--color <mode>` | Color output mode: always, never, auto (default: auto) |
74
+ | `--open-media` | Automatically open intercepted images and audio files using the host OS viewer |
75
+ | `--sandbox <mode>` | Sandbox execution mode: auto, docker, native, audit, none (default: "none") |
76
+ | `--scan` | Scan the current workspace and parent directories for any JSON files containing mcpServers |
77
+ | `--allow-read <paths...>` | Paths to allow reading under the sandbox |
78
+ | `--allow-write <paths...>` | Paths to allow writing under the sandbox |
79
+ | `--allow-net <domains...>` | Network domains to allow connecting to under the sandbox |
80
+ | `--deny-read <paths...>` | Paths to deny reading under the sandbox |
81
+ | `--deny-write <paths...>` | Paths to deny writing under the sandbox |
82
+ | `--deny-net <domains...>` | Network domains to deny connecting to under the sandbox |
83
+ | `-h, --help` | display help for command |
84
+ <!-- OPTIONS_END -->
71
85
 
72
86
  Examples:
73
87
  $ run-mcp # Test harness (agent mode)
@@ -81,12 +95,20 @@ Examples:
81
95
 
82
96
  For CI/CD pipelines, shell scripts, or parsing via `jq`, `run-mcp` exposes a suite of headless subcommands that pipe clean JSON to stdout and isolate standard errors and progress updates to stderr.
83
97
 
84
- ### ⚠️ Strictly Required Double-Dash `--`
98
+ ### ⚠️ Double-Dash `--` Separator
85
99
 
86
- To prevent argument parsing conflicts between `run-mcp` and the target server, **you must always separate the target command with a double-dash `--`**. This applies to both default REPL launching and all headless subcommands.
100
+ To prevent argument parsing conflicts between `run-mcp` and the target server, you should separate the target command with a double-dash `--` when the target command itself contains flags or options.
87
101
 
88
- - **Correct**: `run-mcp list-tools -- node my-server.js`
89
- - **Incorrect**: `run-mcp list-tools node my-server.js` (will exit with a coaching error)
102
+ * **Required when the target command has options/flags:**
103
+ ```bash
104
+ run-mcp list-tools -- node my-server.js --verbose
105
+ ```
106
+ *(Must use `--` so `--verbose` is passed to your server, not parsed as an option for `run-mcp`.)*
107
+ * **Optional when the target command has no options/flags:**
108
+ ```bash
109
+ run-mcp list-tools node my-server.js
110
+ ```
111
+ *(Runs successfully without `--`.)*
90
112
 
91
113
  ### ⚡ HTTPie-Style Shorthand Arguments
92
114
 
@@ -119,14 +141,17 @@ run-mcp close-session main
119
141
 
120
142
  ### Available Headless Subcommands
121
143
 
122
- - `call <tool> [json_or_shorthand_args]`
123
- - `list-tools`
124
- - `list-resources`
125
- - `list-prompts`
126
- - `read <uri>`
127
- - `describe <tool>`
128
- - `get-prompt <name> [json_or_shorthand_args]`
144
+ <!-- SUBCOMMANDS_START -->
145
+ - `call [options] <tool> [json_args] [target_command...]`
146
+ - `list-tools [options] [target_command...]`
147
+ - `list-resources [options] [target_command...]`
148
+ - `list-prompts [options] [target_command...]`
149
+ - `read [options] <uri> [target_command...]`
150
+ - `describe [options] <tool> [target_command...]`
151
+ - `get-prompt [options] <name> [json_args] [target_command...]`
152
+ - `daemon [options] <session_name> [target_command...]`
129
153
  - `close-session <session_name>`
154
+ <!-- SUBCOMMANDS_END -->
130
155
 
131
156
  Use `run-mcp <subcommand> --help` for specific command options.
132
157
 
@@ -154,30 +179,49 @@ Add `run-mcp` to your agent's MCP configuration using `npx`:
154
179
 
155
180
  Then use these tools from your agent:
156
181
 
157
- | Tool | Description |
158
- | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
159
- | `connect_to_mcp` | Spawn and connect to a local MCP server. Use `include` to get tools/resources/prompts inline. Shows a diff on reconnect. |
160
- | `disconnect_from_mcp` | Tear down the connection |
161
- | `mcp_server_status` | Check connection status |
162
- | `call_mcp_primitive` | Call a tool, read a resource, or get a prompt. Auto-connects if not already connected. Use `disconnect_after` for one-shot tests. |
163
- | `list_mcp_primitives` | List tools, resources, and/or prompts on the connected server |
164
- | `get_mcp_server_stderr` | View target server stderr output |
165
- | `list_available_mcp_servers` | Discover other local MCP servers configured on the host machine |
182
+ <!-- AGENT_TOOLS_START -->
183
+ | Tool | Description |
184
+ | :--- | :--- |
185
+ | `connect_to_mcp` | Spawn and connect (use include to get tools/resources/prompts) |
186
+ | `call_mcp_primitive` | Call a tool, read a resource, or get a prompt (auto-connects) |
187
+ | `list_mcp_primitives` | List tools, resources, and/or prompts |
188
+ | `disconnect_from_mcp` | Tear down and reconnect after changes |
189
+ | `mcp_server_status` | Check connection status |
190
+ | `get_mcp_server_stderr` | View target server stderr output |
191
+ | `validate_mcp_server` | Validate an MCP server command and collect diagnostics |
192
+ | `search_all_local_mcp_servers` | Scan and search all local MCP servers for a query |
193
+ <!-- AGENT_TOOLS_END -->
166
194
 
167
195
  ## REPL Mode Commands
168
196
 
169
197
  Once connected via `run-mcp <command>`, the following shorthand commands are available:
170
198
 
171
- | Command | Description |
172
- | ------------------------------------ | --------------------------------------------------------------------------------------------------------- |
173
- | `explore` | Open interactive fuzzy-search selector for tools, resources, and prompts |
174
- | `tools/list` | List all tools exposed by the target server |
175
- | `tools/describe <name>` | Show a tool's full input schema |
176
- | `tools/call <name> [json] [--clear]` | Call a tool. Launch interactive wizard if no JSON provided. Use `--clear` to ignore remembered arguments. |
177
- | `tools/forget [name]` | Clear remembered interactive arguments for a tool, or all tools if no name provided. |
178
- | `status` | Show target server status (PID, uptime, connection) |
179
- | `help` | Show available commands |
180
- | `exit` / `quit` | Disconnect and exit |
199
+ <!-- REPL_COMMANDS_START -->
200
+ | Command | Description |
201
+ | :--- | :--- |
202
+ | `tools/list` | List all available tools |
203
+ | `tools/describe <name>` | Show a tool's input schema |
204
+ | `tools/call <name> [json] [opts]` | Call a tool (interactive if no json) |
205
+ | `tools/scaffold <name>` | Generate argument template for a tool |
206
+ | `resources/list` | List all available resources |
207
+ | `resources/read <uri>` | Read a resource by URI |
208
+ | `resources/templates` | List resource templates |
209
+ | `resources/subscribe <uri>` | Subscribe to resource changes |
210
+ | `resources/unsubscribe <uri>` | Unsubscribe from resource changes |
211
+ | `prompts/list` | List all available prompts |
212
+ | `prompts/get <name> [json_args]` | Get a prompt with arguments |
213
+ | `ping` | Verify connection, show round-trip time |
214
+ | `log-level <level>` | Set server logging verbosity |
215
+ | `history [count|clear]` | Show request/response history |
216
+ | `notifications [count|clear]` | Show server notifications |
217
+ | `roots/list` | Show configured client roots |
218
+ | `roots/add <uri> [name]` | Add a root directory |
219
+ | `roots/remove <uri>` | Remove a root directory |
220
+ | `!! / last` | Re-run the last command |
221
+ | `reconnect` | Disconnect and reconnect |
222
+ | `timing` | Show tool call performance stats |
223
+ | `status` | Show target server status |
224
+ <!-- REPL_COMMANDS_END -->
181
225
 
182
226
  ### Examples
183
227
 
@@ -282,6 +326,81 @@ Tool call responses are processed through the interceptor pipeline. All other pr
282
326
  | **Timeouts** | Tool calls are wrapped in a configurable timeout (default 60s, use `--timeout` to change) |
283
327
  | **Truncation** | Text responses exceeding the limit (default 50K chars, use `--max-text` to change) are truncated |
284
328
 
329
+ ## Sandboxing & Outbound Data Exfiltration Protection
330
+
331
+ `run-mcp` features a comprehensive multi-layered sandboxing engine designed to protect local systems and credentials from malicious or buggy MCP servers.
332
+
333
+ ### 🛡️ Sandboxing Modes
334
+
335
+ You can restrict a target server's execution footprint using the `--sandbox` flag:
336
+
337
+ - **`none`** (Default): No sandboxing. The target server runs with full user privileges.
338
+ - **`auto`**: Automatically selects the most restrictive sandboxing system available on the host OS.
339
+ - **`native`**: Uses OS-level native isolation:
340
+ - **macOS**: Utilizes the Seatbelt (App Sandbox) framework (`sandbox-exec`).
341
+ - **Linux**: Utilizes `bubblewrap` (`bwrap`) containerization.
342
+ - **Windows**: Utilizes `@microsoft/mxc-sdk` App Container sandboxing (requires the package to be present).
343
+ - **`docker`**: Spawns the target command inside a fresh, network-disabled ephemeral Docker container (`node:20` or `python:3` depending on the command).
344
+ - **`audit`**: Runs the server under a special non-enforcing native sandbox mode that permits operations but logs all network activity to the console.
345
+
346
+ ### 🌐 Outbound Network Proxy Auditing
347
+
348
+ When a sandboxed server is granted outbound network access (e.g., using `--allow-net`), `run-mcp` automatically spawns a zero-dependency local **Network Audit Proxy**.
349
+ - All outbound HTTP/HTTPS traffic is forced through the proxy using environment variables.
350
+ - Target endpoints and protocols (including HTTPS `CONNECT` tunnels) are transparently logged to stderr in distinct cyan color:
351
+ ```
352
+ 🌐 [NETWORK AUDIT] HTTP request to: http://example.com/api/v1/data
353
+ 🌐 [NETWORK AUDIT] HTTPS connection established to: github.com
354
+ ```
355
+ - Permits outbound traffic while providing complete visibility into where the server is sending data.
356
+
357
+ ### 🔑 Automatic Credential Protection (Deny-Wins)
358
+
359
+ When outbound network capability is enabled, `run-mcp` automatically safeguards your local configuration files and private keys from exfiltration.
360
+ By default, the sandbox denies access to the following directories:
361
+ - `~/.ssh` (SSH private keys and configs)
362
+ - `~/.aws` (AWS credentials)
363
+ - `~/.kube` (Kubernetes configurations)
364
+ - `~/.config/gcloud` (Google Cloud SDK credentials)
365
+ - `~/.netrc` and `~/.npmrc` (Authentication files)
366
+
367
+ Access is strictly blocked using **Deny-Wins** precedence unless a folder is explicitly whitelisted.
368
+
369
+ ### ⚙️ Capabilities & Configuration
370
+
371
+ You can configure sandbox rules on the command line or using structured JSON settings files.
372
+
373
+ #### CLI Overrides
374
+
375
+ Pass these flags after `run-mcp` and before the target command:
376
+ - `--sandbox <mode>`: Set sandbox execution mode (`auto`, `native`, `docker`, `audit`, `none`).
377
+ - `--allow-read <paths...>`: Allow reading specific host directories.
378
+ - `--allow-write <paths...>`: Allow writing to specific host directories.
379
+ - `--allow-net <domains...>`: Allow outbound network access to specific domains.
380
+ - `--deny-read <paths...>`: Deny reading specific host directories.
381
+ - `--deny-write <paths...>`: Deny writing to specific host directories.
382
+ - `--deny-net <domains...>`: Deny outbound network access to specific domains.
383
+
384
+ #### Configuration Scopes
385
+
386
+ `run-mcp` resolves settings hierarchically, allowing both administrator enforcement and developer configuration:
387
+ 1. **Managed (Enterprise)**: System-wide read-only overrides (`/Library/Application Support/run-mcp/settings.json`, `C:\Program Files\run-mcp\settings.json`, `/etc/run-mcp/settings.json`).
388
+ 2. **User (Global)**: Personal defaults (`~/.gemini/antigravity-ide/settings.json` or equivalent).
389
+ 3. **Project**: Shared settings within a repository (`<workspace>/.run-mcp.json`).
390
+ 4. **Local**: Developer-specific project settings (`<workspace>/.run-mcp.local.json`).
391
+
392
+ *Example Settings File (`.run-mcp.json`):*
393
+ ```json
394
+ {
395
+ "sandbox": {
396
+ "mode": "native",
397
+ "allowRead": ["/usr/local/bin"],
398
+ "allowNet": ["*.api.github.com"],
399
+ "denyRead": ["~/.ssh"]
400
+ }
401
+ }
402
+ ```
403
+
285
404
  ## Architecture
286
405
 
287
406
  ```