run-mcp 1.6.3 → 1.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +157 -38
- package/dist/index.js +2136 -859
- package/package.json +10 -4
package/README.md
CHANGED
|
@@ -60,14 +60,28 @@ You'll see an interactive prompt:
|
|
|
60
60
|
|
|
61
61
|
run-mcp [options] [target_command...]
|
|
62
62
|
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
--
|
|
68
|
-
--
|
|
69
|
-
-
|
|
70
|
-
|
|
63
|
+
<!-- OPTIONS_START -->
|
|
64
|
+
| Option | Description |
|
|
65
|
+
| :--- | :--- |
|
|
66
|
+
| `-V, --version` | output the version number |
|
|
67
|
+
| `-o, --out-dir <path>` | Directory to save intercepted images and audio |
|
|
68
|
+
| `-t, --timeout <ms>` | Default tool call timeout in milliseconds (default: 300000) (Agent Mode only) |
|
|
69
|
+
| `--max-text <chars>` | Max text response length before truncation (default: 50000) (Agent Mode only) |
|
|
70
|
+
| `-m, --media-threshold <kb>` | Media size threshold in KB to save to disk (0 to always save, -1 to keep inline) |
|
|
71
|
+
| `--mcp` | Force start Agent Server mode even if run interactively without arguments |
|
|
72
|
+
| `-s, --script <file>` | Read commands from a file instead of stdin (REPL Mode only) |
|
|
73
|
+
| `--color <mode>` | Color output mode: always, never, auto (default: auto) |
|
|
74
|
+
| `--open-media` | Automatically open intercepted images and audio files using the host OS viewer |
|
|
75
|
+
| `--sandbox <mode>` | Sandbox execution mode: auto, docker, native, audit, none (default: "none") |
|
|
76
|
+
| `--scan` | Scan the current workspace and parent directories for any JSON files containing mcpServers |
|
|
77
|
+
| `--allow-read <paths...>` | Paths to allow reading under the sandbox |
|
|
78
|
+
| `--allow-write <paths...>` | Paths to allow writing under the sandbox |
|
|
79
|
+
| `--allow-net <domains...>` | Network domains to allow connecting to under the sandbox |
|
|
80
|
+
| `--deny-read <paths...>` | Paths to deny reading under the sandbox |
|
|
81
|
+
| `--deny-write <paths...>` | Paths to deny writing under the sandbox |
|
|
82
|
+
| `--deny-net <domains...>` | Network domains to deny connecting to under the sandbox |
|
|
83
|
+
| `-h, --help` | display help for command |
|
|
84
|
+
<!-- OPTIONS_END -->
|
|
71
85
|
|
|
72
86
|
Examples:
|
|
73
87
|
$ run-mcp # Test harness (agent mode)
|
|
@@ -81,12 +95,20 @@ Examples:
|
|
|
81
95
|
|
|
82
96
|
For CI/CD pipelines, shell scripts, or parsing via `jq`, `run-mcp` exposes a suite of headless subcommands that pipe clean JSON to stdout and isolate standard errors and progress updates to stderr.
|
|
83
97
|
|
|
84
|
-
### ⚠️
|
|
98
|
+
### ⚠️ Double-Dash `--` Separator
|
|
85
99
|
|
|
86
|
-
To prevent argument parsing conflicts between `run-mcp` and the target server,
|
|
100
|
+
To prevent argument parsing conflicts between `run-mcp` and the target server, you should separate the target command with a double-dash `--` when the target command itself contains flags or options.
|
|
87
101
|
|
|
88
|
-
|
|
89
|
-
|
|
102
|
+
* **Required when the target command has options/flags:**
|
|
103
|
+
```bash
|
|
104
|
+
run-mcp list-tools -- node my-server.js --verbose
|
|
105
|
+
```
|
|
106
|
+
*(Must use `--` so `--verbose` is passed to your server, not parsed as an option for `run-mcp`.)*
|
|
107
|
+
* **Optional when the target command has no options/flags:**
|
|
108
|
+
```bash
|
|
109
|
+
run-mcp list-tools node my-server.js
|
|
110
|
+
```
|
|
111
|
+
*(Runs successfully without `--`.)*
|
|
90
112
|
|
|
91
113
|
### ⚡ HTTPie-Style Shorthand Arguments
|
|
92
114
|
|
|
@@ -119,14 +141,17 @@ run-mcp close-session main
|
|
|
119
141
|
|
|
120
142
|
### Available Headless Subcommands
|
|
121
143
|
|
|
122
|
-
|
|
123
|
-
- `
|
|
124
|
-
- `list-
|
|
125
|
-
- `list-
|
|
126
|
-
- `
|
|
127
|
-
- `
|
|
128
|
-
- `
|
|
144
|
+
<!-- SUBCOMMANDS_START -->
|
|
145
|
+
- `call [options] <tool> [json_args] [target_command...]`
|
|
146
|
+
- `list-tools [options] [target_command...]`
|
|
147
|
+
- `list-resources [options] [target_command...]`
|
|
148
|
+
- `list-prompts [options] [target_command...]`
|
|
149
|
+
- `read [options] <uri> [target_command...]`
|
|
150
|
+
- `describe [options] <tool> [target_command...]`
|
|
151
|
+
- `get-prompt [options] <name> [json_args] [target_command...]`
|
|
152
|
+
- `daemon [options] <session_name> [target_command...]`
|
|
129
153
|
- `close-session <session_name>`
|
|
154
|
+
<!-- SUBCOMMANDS_END -->
|
|
130
155
|
|
|
131
156
|
Use `run-mcp <subcommand> --help` for specific command options.
|
|
132
157
|
|
|
@@ -154,30 +179,49 @@ Add `run-mcp` to your agent's MCP configuration using `npx`:
|
|
|
154
179
|
|
|
155
180
|
Then use these tools from your agent:
|
|
156
181
|
|
|
157
|
-
|
|
158
|
-
|
|
|
159
|
-
|
|
|
160
|
-
| `
|
|
161
|
-
| `
|
|
162
|
-
| `
|
|
163
|
-
| `
|
|
164
|
-
| `
|
|
165
|
-
| `
|
|
182
|
+
<!-- AGENT_TOOLS_START -->
|
|
183
|
+
| Tool | Description |
|
|
184
|
+
| :--- | :--- |
|
|
185
|
+
| `connect_to_mcp` | Spawn and connect (use include to get tools/resources/prompts) |
|
|
186
|
+
| `call_mcp_primitive` | Call a tool, read a resource, or get a prompt (auto-connects) |
|
|
187
|
+
| `list_mcp_primitives` | List tools, resources, and/or prompts |
|
|
188
|
+
| `disconnect_from_mcp` | Tear down and reconnect after changes |
|
|
189
|
+
| `mcp_server_status` | Check connection status |
|
|
190
|
+
| `get_mcp_server_stderr` | View target server stderr output |
|
|
191
|
+
| `validate_mcp_server` | Validate an MCP server command and collect diagnostics |
|
|
192
|
+
| `search_all_local_mcp_servers` | Scan and search all local MCP servers for a query |
|
|
193
|
+
<!-- AGENT_TOOLS_END -->
|
|
166
194
|
|
|
167
195
|
## REPL Mode Commands
|
|
168
196
|
|
|
169
197
|
Once connected via `run-mcp <command>`, the following shorthand commands are available:
|
|
170
198
|
|
|
171
|
-
|
|
172
|
-
|
|
|
173
|
-
|
|
|
174
|
-
| `tools/list`
|
|
175
|
-
| `tools/describe <name>`
|
|
176
|
-
| `tools/call <name> [json] [
|
|
177
|
-
| `tools/
|
|
178
|
-
| `
|
|
179
|
-
| `
|
|
180
|
-
| `
|
|
199
|
+
<!-- REPL_COMMANDS_START -->
|
|
200
|
+
| Command | Description |
|
|
201
|
+
| :--- | :--- |
|
|
202
|
+
| `tools/list` | List all available tools |
|
|
203
|
+
| `tools/describe <name>` | Show a tool's input schema |
|
|
204
|
+
| `tools/call <name> [json] [opts]` | Call a tool (interactive if no json) |
|
|
205
|
+
| `tools/scaffold <name>` | Generate argument template for a tool |
|
|
206
|
+
| `resources/list` | List all available resources |
|
|
207
|
+
| `resources/read <uri>` | Read a resource by URI |
|
|
208
|
+
| `resources/templates` | List resource templates |
|
|
209
|
+
| `resources/subscribe <uri>` | Subscribe to resource changes |
|
|
210
|
+
| `resources/unsubscribe <uri>` | Unsubscribe from resource changes |
|
|
211
|
+
| `prompts/list` | List all available prompts |
|
|
212
|
+
| `prompts/get <name> [json_args]` | Get a prompt with arguments |
|
|
213
|
+
| `ping` | Verify connection, show round-trip time |
|
|
214
|
+
| `log-level <level>` | Set server logging verbosity |
|
|
215
|
+
| `history [count|clear]` | Show request/response history |
|
|
216
|
+
| `notifications [count|clear]` | Show server notifications |
|
|
217
|
+
| `roots/list` | Show configured client roots |
|
|
218
|
+
| `roots/add <uri> [name]` | Add a root directory |
|
|
219
|
+
| `roots/remove <uri>` | Remove a root directory |
|
|
220
|
+
| `!! / last` | Re-run the last command |
|
|
221
|
+
| `reconnect` | Disconnect and reconnect |
|
|
222
|
+
| `timing` | Show tool call performance stats |
|
|
223
|
+
| `status` | Show target server status |
|
|
224
|
+
<!-- REPL_COMMANDS_END -->
|
|
181
225
|
|
|
182
226
|
### Examples
|
|
183
227
|
|
|
@@ -282,6 +326,81 @@ Tool call responses are processed through the interceptor pipeline. All other pr
|
|
|
282
326
|
| **Timeouts** | Tool calls are wrapped in a configurable timeout (default 60s, use `--timeout` to change) |
|
|
283
327
|
| **Truncation** | Text responses exceeding the limit (default 50K chars, use `--max-text` to change) are truncated |
|
|
284
328
|
|
|
329
|
+
## Sandboxing & Outbound Data Exfiltration Protection
|
|
330
|
+
|
|
331
|
+
`run-mcp` features a comprehensive multi-layered sandboxing engine designed to protect local systems and credentials from malicious or buggy MCP servers.
|
|
332
|
+
|
|
333
|
+
### 🛡️ Sandboxing Modes
|
|
334
|
+
|
|
335
|
+
You can restrict a target server's execution footprint using the `--sandbox` flag:
|
|
336
|
+
|
|
337
|
+
- **`none`** (Default): No sandboxing. The target server runs with full user privileges.
|
|
338
|
+
- **`auto`**: Automatically selects the most restrictive sandboxing system available on the host OS.
|
|
339
|
+
- **`native`**: Uses OS-level native isolation:
|
|
340
|
+
- **macOS**: Utilizes the Seatbelt (App Sandbox) framework (`sandbox-exec`).
|
|
341
|
+
- **Linux**: Utilizes `bubblewrap` (`bwrap`) containerization.
|
|
342
|
+
- **Windows**: Utilizes `@microsoft/mxc-sdk` App Container sandboxing (requires the package to be present).
|
|
343
|
+
- **`docker`**: Spawns the target command inside a fresh, network-disabled ephemeral Docker container (`node:20` or `python:3` depending on the command).
|
|
344
|
+
- **`audit`**: Runs the server under a special non-enforcing native sandbox mode that permits operations but logs all network activity to the console.
|
|
345
|
+
|
|
346
|
+
### 🌐 Outbound Network Proxy Auditing
|
|
347
|
+
|
|
348
|
+
When a sandboxed server is granted outbound network access (e.g., using `--allow-net`), `run-mcp` automatically spawns a zero-dependency local **Network Audit Proxy**.
|
|
349
|
+
- All outbound HTTP/HTTPS traffic is forced through the proxy using environment variables.
|
|
350
|
+
- Target endpoints and protocols (including HTTPS `CONNECT` tunnels) are transparently logged to stderr in distinct cyan color:
|
|
351
|
+
```
|
|
352
|
+
🌐 [NETWORK AUDIT] HTTP request to: http://example.com/api/v1/data
|
|
353
|
+
🌐 [NETWORK AUDIT] HTTPS connection established to: github.com
|
|
354
|
+
```
|
|
355
|
+
- Permits outbound traffic while providing complete visibility into where the server is sending data.
|
|
356
|
+
|
|
357
|
+
### 🔑 Automatic Credential Protection (Deny-Wins)
|
|
358
|
+
|
|
359
|
+
When outbound network capability is enabled, `run-mcp` automatically safeguards your local configuration files and private keys from exfiltration.
|
|
360
|
+
By default, the sandbox denies access to the following directories:
|
|
361
|
+
- `~/.ssh` (SSH private keys and configs)
|
|
362
|
+
- `~/.aws` (AWS credentials)
|
|
363
|
+
- `~/.kube` (Kubernetes configurations)
|
|
364
|
+
- `~/.config/gcloud` (Google Cloud SDK credentials)
|
|
365
|
+
- `~/.netrc` and `~/.npmrc` (Authentication files)
|
|
366
|
+
|
|
367
|
+
Access is strictly blocked using **Deny-Wins** precedence unless a folder is explicitly whitelisted.
|
|
368
|
+
|
|
369
|
+
### ⚙️ Capabilities & Configuration
|
|
370
|
+
|
|
371
|
+
You can configure sandbox rules on the command line or using structured JSON settings files.
|
|
372
|
+
|
|
373
|
+
#### CLI Overrides
|
|
374
|
+
|
|
375
|
+
Pass these flags after `run-mcp` and before the target command:
|
|
376
|
+
- `--sandbox <mode>`: Set sandbox execution mode (`auto`, `native`, `docker`, `audit`, `none`).
|
|
377
|
+
- `--allow-read <paths...>`: Allow reading specific host directories.
|
|
378
|
+
- `--allow-write <paths...>`: Allow writing to specific host directories.
|
|
379
|
+
- `--allow-net <domains...>`: Allow outbound network access to specific domains.
|
|
380
|
+
- `--deny-read <paths...>`: Deny reading specific host directories.
|
|
381
|
+
- `--deny-write <paths...>`: Deny writing to specific host directories.
|
|
382
|
+
- `--deny-net <domains...>`: Deny outbound network access to specific domains.
|
|
383
|
+
|
|
384
|
+
#### Configuration Scopes
|
|
385
|
+
|
|
386
|
+
`run-mcp` resolves settings hierarchically, allowing both administrator enforcement and developer configuration:
|
|
387
|
+
1. **Managed (Enterprise)**: System-wide read-only overrides (`/Library/Application Support/run-mcp/settings.json`, `C:\Program Files\run-mcp\settings.json`, `/etc/run-mcp/settings.json`).
|
|
388
|
+
2. **User (Global)**: Personal defaults (`~/.gemini/antigravity-ide/settings.json` or equivalent).
|
|
389
|
+
3. **Project**: Shared settings within a repository (`<workspace>/.run-mcp.json`).
|
|
390
|
+
4. **Local**: Developer-specific project settings (`<workspace>/.run-mcp.local.json`).
|
|
391
|
+
|
|
392
|
+
*Example Settings File (`.run-mcp.json`):*
|
|
393
|
+
```json
|
|
394
|
+
{
|
|
395
|
+
"sandbox": {
|
|
396
|
+
"mode": "native",
|
|
397
|
+
"allowRead": ["/usr/local/bin"],
|
|
398
|
+
"allowNet": ["*.api.github.com"],
|
|
399
|
+
"denyRead": ["~/.ssh"]
|
|
400
|
+
}
|
|
401
|
+
}
|
|
402
|
+
```
|
|
403
|
+
|
|
285
404
|
## Architecture
|
|
286
405
|
|
|
287
406
|
```
|