coding-tools-mcp 0.1.3__tar.gz

coding_tools_mcp-0.1.3/LICENSE

@@ -0,0 +1,37 @@
+Coding Tools MCP Source-Available License v1.0
+
+Copyright (c) 2026 Coding Tools MCP Contributors.
+All rights reserved except as expressly granted below.
+
+1. Permitted Use
+
+You may view, clone, build, run, and modify the Software solely for internal
+evaluation, development, testing, and security review.
+
+2. Restrictions
+
+Without prior written permission from the copyright holders, you may not:
+
+- distribute, publish, sublicense, sell, lease, or otherwise transfer the
+  Software or modified versions of the Software;
+- provide the Software or modified versions as a hosted, managed, or
+  software-as-a-service offering for third parties;
+- use the Software or modified versions for production commercial purposes;
+- remove or alter copyright, license, or attribution notices;
+- use the project name, trademarks, or branding to imply endorsement.
+
+3. Contributions
+
+Unless a separate written agreement says otherwise, any contribution submitted
+to this project may be used by the copyright holders under this license and
+under any future license chosen by the copyright holders.
+
+4. No Warranty
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM,
+OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

coding_tools_mcp-0.1.3/PKG-INFO

@@ -0,0 +1,235 @@
+Metadata-Version: 2.4
+Name: coding-tools-mcp
+Version: 0.1.3
+Summary: Workspace-confined coding tools exposed as an MCP server.
+Author: Coding Tools MCP Contributors
+License-Expression: LicenseRef-Coding-Tools-MCP-Source-Available
+Project-URL: Homepage, https://github.com/ytagent/codex-tool-runtime-mcp
+Project-URL: Documentation, https://github.com/ytagent/codex-tool-runtime-mcp/tree/main/docs
+Project-URL: Source, https://github.com/ytagent/codex-tool-runtime-mcp
+Project-URL: Issues, https://github.com/ytagent/codex-tool-runtime-mcp/issues
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: dev
+Requires-Dist: mypy<2.2,>=2.1; extra == "dev"
+Requires-Dist: ruff<0.16,>=0.15; extra == "dev"
+Requires-Dist: typing_extensions>=4.12; extra == "dev"
+Provides-Extra: image
+Requires-Dist: Pillow>=10.0; extra == "image"
+Dynamic: license-file
+
+# Coding Tools MCP
+
+Coding Tools MCP is a model-neutral coding-agent runtime MCP server. It exposes local coding primitives to any MCP client:
+
+```text
+inspect repo -> search/read files -> apply structured patches -> run tests/commands
+-> interact with stdin sessions -> inspect git status/diff
+```
+
+It is not a prompt wrapper. It does not expose external agent accounts, memory, cloud tasks, web search, image generation, model routing, plugin marketplace, or subagent orchestration as MCP tools.
+
+## Documentation Map
+
+- [Quickstart](docs/quickstart.md)
+- [MCP client configuration](docs/mcp-client-config.md)
+- [Remote MCP](docs/remote-mcp.md)
+- [Tools and schemas](docs/tools-and-schemas.md)
+- [Security policy](SECURITY.md)
+- [CI and test commands](docs/ci-and-tests.md)
+- [Dogfood](docs/dogfood.md)
+- [SWE-bench evaluation](docs/swe-bench.md)
+- [Known limitations](docs/limitations.md)
+- [Troubleshooting](docs/troubleshooting.md)
+- [Competitive analysis](docs/competitive-analysis.md)
+- Normative MCP runtime profile: [docs/profile-v0.1.md](docs/profile-v0.1.md)
+
+## Quickstart
+
+Run directly with `uvx` against the current directory:
+
+```bash
+uvx coding-tools-mcp --workspace .
+```
+
+Use stdio for MCP clients:
+
+```bash
+uvx coding-tools-mcp --stdio --workspace /path/to/repo
+```
+
+If you are working from this checkout instead of a published package:
+
+```bash
+cd /root/coding-tools-mcp
+python -m pip install -e ".[dev]"
+coding-tools-mcp --workspace /path/to/repo --host 127.0.0.1 --port 8765
+```
+
+Install the optional image extra when you want `view_image` auto-resize support:
+
+```bash
+python -m pip install -e ".[image]"
+```
+
+HTTP endpoint:
+
+```text
+http://127.0.0.1:8765/mcp
+```
+
+Stdio:
+
+```bash
+coding-tools-mcp --stdio --workspace /path/to/repo
+```
+
+Set `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.
+
+If your MCP client does not support permission elicitation and you explicitly want permission-gated operations to run, start with:
+
+```bash
+coding-tools-mcp --dangerously-skip-all-permissions --workspace /path/to/repo
+```
+
+This auto-grants permission-gated operations such as network-looking commands, destructive commands, shell expansion, and sensitive env passed through `exec_command`. Workspace path boundaries still apply.
+
+## MCP Client Examples
+
+Generic stdio client:
+
+```toml
+[mcp_servers.coding_tools]
+command = "uvx"
+args = ["coding-tools-mcp", "--stdio", "--workspace", "/path/to/repo"]
+```
+
+Claude Code:
+
+```json
+{
+  "mcpServers": {
+    "coding-tools": {
+      "command": "uvx",
+      "args": ["coding-tools-mcp", "--stdio", "--workspace", "/path/to/repo"]
+    }
+  }
+}
+```
+
+Cursor:
+
+```json
+{
+  "mcpServers": {
+    "coding-tools": {
+      "command": "uvx",
+      "args": ["coding-tools-mcp", "--stdio", "--workspace", "/path/to/repo"]
+    }
+  }
+}
+```
+
+Generic Streamable HTTP clients should use MCP protocol version `2025-06-18` and point at `http://127.0.0.1:8765/mcp`.
+
+## Remote MCP
+
+For remote MCP clients and local development over an HTTPS tunnel, keep the server bound to loopback and expose the tunnel URL with the safest profile your client can use. Anonymous tunnel testing should use `read-only` mode:
+
+```bash
+CODING_TOOLS_MCP_AUTH_MODE=noauth \
+CODING_TOOLS_MCP_TOOL_PROFILE=read-only \
+./scripts/tunnel.sh cloudflared /path/to/repo
+```
+
+Configure the remote MCP client with the HTTPS tunnel URL:
+
+```text
+URL: https://<tunnel-host>/mcp
+```
+
+The tunnel scripts support `cloudflared`, `ngrok`, and Microsoft Dev Tunnel. If the selected tunnel CLI is missing, the script asks before installing it:
+
+```bash
+scripts/tunnel.sh cloudflared /path/to/repo
+scripts/tunnel.sh ngrok /path/to/repo
+scripts/tunnel.sh devtunnel /path/to/repo
+```
+
+For clients that support custom headers, use bearer-token auth with `Authorization: Bearer <token>`. Clients that cannot send custom bearer headers should use anonymous `read-only` mode only for local/testing tunnels, or be placed behind an external auth proxy for production use.
+
+See [docs/remote-mcp.md](docs/remote-mcp.md) for the exact modes and security notes.
+
+## Tool Profiles
+
+- `full`: exposes all tools with truthful annotations. This is the default for backward compatibility.
+- `read-only`: recommended for remote or safe-mode clients; exposes only inspection tools, git read tools, image viewing, and default-cwd helpers.
+- `compat-readonly-all`: exposes all tools but advertises every tool as read-only for clients that gate availability on `readOnlyHint`. This is not a safety mode; mutation-capable tools such as `apply_patch`, `exec_command`, `write_stdin`, and `kill_session` can still mutate local state.
+
+## Tools
+
+P0 tools exposed by default:
+
+- `server_info`
+- `get_default_cwd`
+- `set_default_cwd`
+- `read_file`
+- `list_dir`
+- `list_files`
+- `search_text`
+- `apply_patch`
+- `exec_command`
+- `write_stdin`
+- `kill_session`
+- `git_status`
+- `git_diff`
+- `git_log`
+- `git_show`
+- `git_blame`
+- `request_permissions`
+
+Additional image tool exposed by default:
+
+- `view_image`
+
+For input/output schemas and result envelopes, see [docs/tools-and-schemas.md](docs/tools-and-schemas.md) and [docs/profile-v0.1.md](docs/profile-v0.1.md).
+
+## Safety Boundary
+
+The runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing/search excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.
+
+`exec_command` runs under policy controls with workspace-bound cwd, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
+
+`--dangerously-skip-all-permissions` disables the permission gates above for operators who accept that risk. Do not use it for untrusted workspaces or untrusted MCP clients.
+
+## Compliance
+
+```bash
+make compliance
+```
+
+Compliance and CI commands are documented in [docs/ci-and-tests.md](docs/ci-and-tests.md). The checked-in report files are generated artifacts; inspect their `suite` field before treating them as full compliance evidence.
+
+## Dogfood And Benchmark
+
+Dogfood and SWE-bench notes live in [docs/dogfood.md](docs/dogfood.md), [docs/swe-bench.md](docs/swe-bench.md), and [BENCHMARK.md](BENCHMARK.md). This repository does not claim a model-generated SWE-bench leaderboard result.
+
+## Development Commands
+
+```bash
+make lint
+make typecheck
+make test
+make compliance
+make ci
+```
+
+See [docs/ci-and-tests.md](docs/ci-and-tests.md) for the full test matrix.
+
+## License
+
+This project is source-available, not open source. See [LICENSE](LICENSE).
+Internal evaluation, development, testing, and security review are permitted;
+redistribution, hosted third-party service use, and production commercial use
+require prior written permission.

coding_tools_mcp-0.1.3/README.md

@@ -0,0 +1,214 @@
+# Coding Tools MCP
+
+Coding Tools MCP is a model-neutral coding-agent runtime MCP server. It exposes local coding primitives to any MCP client:
+
+```text
+inspect repo -> search/read files -> apply structured patches -> run tests/commands
+-> interact with stdin sessions -> inspect git status/diff
+```
+
+It is not a prompt wrapper. It does not expose external agent accounts, memory, cloud tasks, web search, image generation, model routing, plugin marketplace, or subagent orchestration as MCP tools.
+
+## Documentation Map
+
+- [Quickstart](docs/quickstart.md)
+- [MCP client configuration](docs/mcp-client-config.md)
+- [Remote MCP](docs/remote-mcp.md)
+- [Tools and schemas](docs/tools-and-schemas.md)
+- [Security policy](SECURITY.md)
+- [CI and test commands](docs/ci-and-tests.md)
+- [Dogfood](docs/dogfood.md)
+- [SWE-bench evaluation](docs/swe-bench.md)
+- [Known limitations](docs/limitations.md)
+- [Troubleshooting](docs/troubleshooting.md)
+- [Competitive analysis](docs/competitive-analysis.md)
+- Normative MCP runtime profile: [docs/profile-v0.1.md](docs/profile-v0.1.md)
+
+## Quickstart
+
+Run directly with `uvx` against the current directory:
+
+```bash
+uvx coding-tools-mcp --workspace .
+```
+
+Use stdio for MCP clients:
+
+```bash
+uvx coding-tools-mcp --stdio --workspace /path/to/repo
+```
+
+If you are working from this checkout instead of a published package:
+
+```bash
+cd /root/coding-tools-mcp
+python -m pip install -e ".[dev]"
+coding-tools-mcp --workspace /path/to/repo --host 127.0.0.1 --port 8765
+```
+
+Install the optional image extra when you want `view_image` auto-resize support:
+
+```bash
+python -m pip install -e ".[image]"
+```
+
+HTTP endpoint:
+
+```text
+http://127.0.0.1:8765/mcp
+```
+
+Stdio:
+
+```bash
+coding-tools-mcp --stdio --workspace /path/to/repo
+```
+
+Set `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.
+
+If your MCP client does not support permission elicitation and you explicitly want permission-gated operations to run, start with:
+
+```bash
+coding-tools-mcp --dangerously-skip-all-permissions --workspace /path/to/repo
+```
+
+This auto-grants permission-gated operations such as network-looking commands, destructive commands, shell expansion, and sensitive env passed through `exec_command`. Workspace path boundaries still apply.
+
+## MCP Client Examples
+
+Generic stdio client:
+
+```toml
+[mcp_servers.coding_tools]
+command = "uvx"
+args = ["coding-tools-mcp", "--stdio", "--workspace", "/path/to/repo"]
+```
+
+Claude Code:
+
+```json
+{
+  "mcpServers": {
+    "coding-tools": {
+      "command": "uvx",
+      "args": ["coding-tools-mcp", "--stdio", "--workspace", "/path/to/repo"]
+    }
+  }
+}
+```
+
+Cursor:
+
+```json
+{
+  "mcpServers": {
+    "coding-tools": {
+      "command": "uvx",
+      "args": ["coding-tools-mcp", "--stdio", "--workspace", "/path/to/repo"]
+    }
+  }
+}
+```
+
+Generic Streamable HTTP clients should use MCP protocol version `2025-06-18` and point at `http://127.0.0.1:8765/mcp`.
+
+## Remote MCP
+
+For remote MCP clients and local development over an HTTPS tunnel, keep the server bound to loopback and expose the tunnel URL with the safest profile your client can use. Anonymous tunnel testing should use `read-only` mode:
+
+```bash
+CODING_TOOLS_MCP_AUTH_MODE=noauth \
+CODING_TOOLS_MCP_TOOL_PROFILE=read-only \
+./scripts/tunnel.sh cloudflared /path/to/repo
+```
+
+Configure the remote MCP client with the HTTPS tunnel URL:
+
+```text
+URL: https://<tunnel-host>/mcp
+```
+
+The tunnel scripts support `cloudflared`, `ngrok`, and Microsoft Dev Tunnel. If the selected tunnel CLI is missing, the script asks before installing it:
+
+```bash
+scripts/tunnel.sh cloudflared /path/to/repo
+scripts/tunnel.sh ngrok /path/to/repo
+scripts/tunnel.sh devtunnel /path/to/repo
+```
+
+For clients that support custom headers, use bearer-token auth with `Authorization: Bearer <token>`. Clients that cannot send custom bearer headers should use anonymous `read-only` mode only for local/testing tunnels, or be placed behind an external auth proxy for production use.
+
+See [docs/remote-mcp.md](docs/remote-mcp.md) for the exact modes and security notes.
+
+## Tool Profiles
+
+- `full`: exposes all tools with truthful annotations. This is the default for backward compatibility.
+- `read-only`: recommended for remote or safe-mode clients; exposes only inspection tools, git read tools, image viewing, and default-cwd helpers.
+- `compat-readonly-all`: exposes all tools but advertises every tool as read-only for clients that gate availability on `readOnlyHint`. This is not a safety mode; mutation-capable tools such as `apply_patch`, `exec_command`, `write_stdin`, and `kill_session` can still mutate local state.
+
+## Tools
+
+P0 tools exposed by default:
+
+- `server_info`
+- `get_default_cwd`
+- `set_default_cwd`
+- `read_file`
+- `list_dir`
+- `list_files`
+- `search_text`
+- `apply_patch`
+- `exec_command`
+- `write_stdin`
+- `kill_session`
+- `git_status`
+- `git_diff`
+- `git_log`
+- `git_show`
+- `git_blame`
+- `request_permissions`
+
+Additional image tool exposed by default:
+
+- `view_image`
+
+For input/output schemas and result envelopes, see [docs/tools-and-schemas.md](docs/tools-and-schemas.md) and [docs/profile-v0.1.md](docs/profile-v0.1.md).
+
+## Safety Boundary
+
+The runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing/search excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.
+
+`exec_command` runs under policy controls with workspace-bound cwd, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
+
+`--dangerously-skip-all-permissions` disables the permission gates above for operators who accept that risk. Do not use it for untrusted workspaces or untrusted MCP clients.
+
+## Compliance
+
+```bash
+make compliance
+```
+
+Compliance and CI commands are documented in [docs/ci-and-tests.md](docs/ci-and-tests.md). The checked-in report files are generated artifacts; inspect their `suite` field before treating them as full compliance evidence.
+
+## Dogfood And Benchmark
+
+Dogfood and SWE-bench notes live in [docs/dogfood.md](docs/dogfood.md), [docs/swe-bench.md](docs/swe-bench.md), and [BENCHMARK.md](BENCHMARK.md). This repository does not claim a model-generated SWE-bench leaderboard result.
+
+## Development Commands
+
+```bash
+make lint
+make typecheck
+make test
+make compliance
+make ci
+```
+
+See [docs/ci-and-tests.md](docs/ci-and-tests.md) for the full test matrix.
+
+## License
+
+This project is source-available, not open source. See [LICENSE](LICENSE).
+Internal evaluation, development, testing, and security review are permitted;
+redistribution, hosted third-party service use, and production commercial use
+require prior written permission.

coding_tools_mcp-0.1.3/coding_tools_mcp/__init__.py

@@ -0,0 +1,3 @@
+"""Coding Tools MCP server package."""
+
+__version__ = "0.1.3"

coding_tools_mcp-0.1.3/coding_tools_mcp/__main__.py

@@ -0,0 +1,7 @@
+from __future__ import annotations
+
+from .server import main
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

coding_tools_mcp-0.1.3/coding_tools_mcp/landlock_exec.py

@@ -0,0 +1,64 @@
+from __future__ import annotations
+
+import ctypes
+import os
+import shutil
+import sys
+from typing import Any
+
+
+PR_SET_NO_NEW_PRIVS = 38
+SYS_LANDLOCK_RESTRICT_SELF = 446
+
+_LIBC: Any | None = None
+
+
+def landlock_libc() -> Any:
+    global _LIBC
+    if _LIBC is None:
+        _LIBC = ctypes.CDLL(None, use_errno=True)
+    return _LIBC
+
+
+def libc_syscall(number: int, *args: object) -> int:
+    ctypes.set_errno(0)
+    return int(landlock_libc().syscall(number, *args))
+
+
+def fail(message: str) -> int:
+    print(message, file=sys.stderr)
+    return 126
+
+
+def main(argv: list[str] | None = None) -> int:
+    if sys.platform != "linux":
+        return fail("landlock_exec is only supported on Linux")
+    args = list(sys.argv[1:] if argv is None else argv)
+    if len(args) != 2:
+        return fail("landlock_exec requires: <ruleset-fd> <command>")
+    try:
+        ruleset_fd = int(args[0])
+    except ValueError:
+        return fail("landlock_exec received an invalid ruleset fd")
+    cmd = args[1]
+
+    rc = int(landlock_libc().prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+    if rc != 0:
+        err = ctypes.get_errno()
+        return fail(f"failed to set no_new_privs before Landlock restrict: {os.strerror(err)}")
+    rc = libc_syscall(SYS_LANDLOCK_RESTRICT_SELF, ruleset_fd, 0)
+    if rc != 0:
+        err = ctypes.get_errno()
+        return fail(f"failed to apply Landlock restrict_self: {os.strerror(err)}")
+    try:
+        os.close(ruleset_fd)
+    except OSError:
+        pass
+
+    shell = os.environ.get("SHELL") or shutil.which("sh") or "/bin/sh"
+    os.execvpe(shell, [shell, "-c", cmd], os.environ)
+    return 127
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())