coding-tools-mcp 0.1.5__tar.gz → 0.1.7__tar.gz

{coding_tools_mcp-0.1.5/coding_tools_mcp.egg-info → coding_tools_mcp-0.1.7}/PKG-INFO

@@ -1,9 +1,46 @@
-Metadata-Version: 2.4
+Metadata-Version: 2.2
 Name: coding-tools-mcp
-Version: 0.1.5
+Version: 0.1.7
 Summary: Workspace-confined coding tools exposed as an MCP server.
 Author: Coding Tools MCP Contributors
-License-Expression: LicenseRef-Coding-Tools-MCP-Source-Available
+License: Coding Tools MCP Source-Available License v1.0
+        
+        Copyright (c) 2026 Coding Tools MCP Contributors.
+        All rights reserved except as expressly granted below.
+        
+        1. Permitted Use
+        
+        You may view, clone, build, run, and modify the Software solely for internal
+        evaluation, development, testing, and security review.
+        
+        2. Restrictions
+        
+        Without prior written permission from the copyright holders, you may not:
+        
+        - distribute, publish, sublicense, sell, lease, or otherwise transfer the
+          Software or modified versions of the Software;
+        - provide the Software or modified versions as a hosted, managed, or
+          software-as-a-service offering for third parties;
+        - use the Software or modified versions for production commercial purposes;
+        - remove or alter copyright, license, or attribution notices;
+        - use the project name, trademarks, or branding to imply endorsement.
+        
+        3. Contributions
+        
+        Unless a separate written agreement says otherwise, any contribution submitted
+        to this project may be used by the copyright holders under this license and
+        under any future license chosen by the copyright holders.
+        
+        4. No Warranty
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM,
+        OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
 Project-URL: Homepage, https://github.com/xyTom/coding-tools-mcp
 Project-URL: Documentation, https://github.com/xyTom/coding-tools-mcp/tree/main/docs
 Project-URL: Source, https://github.com/xyTom/coding-tools-mcp
@@ -18,7 +55,6 @@ Requires-Dist: ruff<0.16,>=0.15; extra == "dev"
 Requires-Dist: typing_extensions>=4.12; extra == "dev"
 Provides-Extra: image
 Requires-Dist: Pillow>=10.0; extra == "image"
-Dynamic: license-file
 
 # Coding Tools MCP
 
@@ -37,12 +73,17 @@ It is not a prompt wrapper. It does not expose external agent accounts, memory,
 - [MCP client configuration](docs/mcp-client-config.md)
 - [Remote MCP](docs/remote-mcp.md)
 - [Tools and schemas](docs/tools-and-schemas.md)
+- [Permission modes](docs/permission-modes.md)
+- [Exec command recipes](docs/exec-command-recipes.md)
+- [Docker sandbox](docs/docker.md)
 - [Security policy](SECURITY.md)
+- [Security boundary](docs/security-boundary.md)
 - [CI and test commands](docs/ci-and-tests.md)
 - [Dogfood](docs/dogfood.md)
 - [SWE-bench evaluation](docs/swe-bench.md)
 - [Known limitations](docs/limitations.md)
 - [Troubleshooting](docs/troubleshooting.md)
+- [Exec troubleshooting](docs/troubleshooting-exec.md)
 - [Competitive analysis](docs/competitive-analysis.md)
 - Normative MCP runtime profile: [docs/profile-v0.1.md](docs/profile-v0.1.md)
 
@@ -89,15 +130,19 @@ uvx coding-tools-mcp --stdio --workspace /path/to/repo
 If you are working from this checkout instead of a published package:
 
 ```bash
-cd /root/coding-tools-mcp
-python -m pip install -e ".[dev]"
-coding-tools-mcp --workspace /path/to/repo --host 127.0.0.1 --port 8765
+make start
 ```
 
-Install the optional image extra when you want `view_image` auto-resize support:
+Pass a different workspace, host, port, or extra server flags with Make variables:
 
 ```bash
-python -m pip install -e ".[image]"
+make start MCP_WORKSPACE=/path/to/repo MCP_PORT=8000 MCP_ARGS="--permission-mode trusted"
+```
+
+If dependencies are missing, install the runtime in editable mode:
+
+```bash
+python -m pip install -e ".[dev]"
 ```
 
 HTTP endpoint:
@@ -106,6 +151,12 @@ HTTP endpoint:
 http://127.0.0.1:8765/mcp
 ```
 
+Install the optional image extra when you want `view_image` auto-resize support:
+
+```bash
+python -m pip install -e ".[image]"
+```
+
 Stdio:
 
 ```bash
@@ -114,13 +165,25 @@ coding-tools-mcp --stdio --workspace /path/to/repo
 
 Set `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.
 
-If your MCP client does not support permission elicitation and you explicitly want permission-gated operations to run, start with:
+By default, `exec_command` passes a core shell environment only. For local toolchains that depend on inherited environment variables, such as MSVC developer prompts, start with:
+
+```bash
+CODING_TOOLS_MCP_SHELL_ENV_INHERIT=all coding-tools-mcp --workspace /path/to/repo
+```
+
+`inherit=all` still filters secret-looking and loader/startup variables unless dangerous mode is also enabled. For local development with dependency downloads, shell expansion, and inline interpreter snippets, use:
+
+```bash
+coding-tools-mcp --permission-mode trusted --workspace /path/to/repo
+```
+
+`--allow-network` remains available as a compatibility flag when you only want to open network-looking commands. If your MCP client does not support permission elicitation and you explicitly want to disable `exec_command` permission gates inside an isolated container or VM, start with:
 
 ```bash
-coding-tools-mcp --dangerously-skip-all-permissions --workspace /path/to/repo
+coding-tools-mcp --permission-mode dangerous --workspace /path/to/repo
 ```
 
-This auto-grants permission-gated operations such as network-looking commands, destructive commands, shell expansion, and sensitive env passed through `exec_command`. Workspace path boundaries still apply.
+This disables `exec_command` permission gates such as network-looking commands, destructive command checks, shell expansion, inline scripts, and sensitive env checks. Workspace path boundaries for direct file tools still apply. `--dangerously-skip-all-permissions` remains as a compatibility alias.
 
 ## MCP Client Examples
 
@@ -184,7 +247,7 @@ scripts/tunnel.sh ngrok /path/to/repo
 scripts/tunnel.sh devtunnel /path/to/repo
 ```
 
-For clients that support custom headers, use bearer-token auth with `Authorization: Bearer <token>`. For MCP clients that speak OAuth 2.1 Authorization Code + PKCE, use `CODING_TOOLS_MCP_AUTH_MODE=oauth` with `scripts/tunnel.sh` (or `scripts/install.sh --auth-mode oauth`); the only env var you need to set is `CODING_TOOLS_MCP_SERVER_URL` (which must match the tunnel's stable public URL), and the script prints generated `CLIENT_ID`/`CLIENT_SECRET`/`PASSWORD` values on startup. Clients that cannot send custom bearer headers and do not speak OAuth should use anonymous `read-only` mode only for local/testing tunnels, or be placed behind an external auth proxy for production use.
+For clients that support custom headers, use bearer-token auth with `Authorization: Bearer <token>`. For MCP clients that speak OAuth 2.1 Authorization Code + PKCE, use `CODING_TOOLS_MCP_AUTH_MODE=oauth` with `scripts/tunnel.sh` (or `scripts/install.sh --auth-mode oauth`). The server can infer its OAuth issuer from the tunnel request URL, so one-shot tunnels like cloudflared work without setting `CODING_TOOLS_MCP_SERVER_URL` before startup; set it only when you want to pin a stable issuer. The script prints a generated OAuth password, accepts any non-empty client_id by default, and lets you opt into `CODING_TOOLS_MCP_OAUTH_CLIENT_ID`/`CODING_TOOLS_MCP_OAUTH_CLIENT_SECRET` only when you need to lock down a confidential client. Clients that cannot send custom bearer headers and do not speak OAuth should use anonymous `read-only` mode only for local/testing tunnels, or be placed behind an external auth proxy for production use.
 
 See [docs/remote-mcp.md](docs/remote-mcp.md) for the exact modes and security notes.
 
@@ -226,9 +289,9 @@ For input/output schemas and result envelopes, see [docs/tools-and-schemas.md](d
 
 The runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing/search excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.
 
-`exec_command` runs under policy controls with workspace-bound cwd, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
+`exec_command` runs under policy controls with workspace-bound cwd, configurable shell environment inheritance, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
 
-`--dangerously-skip-all-permissions` disables the permission gates above for operators who accept that risk. Do not use it for untrusted workspaces or untrusted MCP clients.
+`--permission-mode safe` is the default. `--permission-mode trusted` opens local-development gates while keeping secret filtering and destructive-command checks. `--permission-mode dangerous` disables `exec_command` permission gates for operators who accept that risk inside an isolated runner. Do not use dangerous mode for untrusted workspaces or untrusted MCP clients.
 
 ## Compliance
 

coding_tools_mcp-0.1.5/PKG-INFO → coding_tools_mcp-0.1.7/README.md

@@ -1,25 +1,3 @@
-Metadata-Version: 2.4
-Name: coding-tools-mcp
-Version: 0.1.5
-Summary: Workspace-confined coding tools exposed as an MCP server.
-Author: Coding Tools MCP Contributors
-License-Expression: LicenseRef-Coding-Tools-MCP-Source-Available
-Project-URL: Homepage, https://github.com/xyTom/coding-tools-mcp
-Project-URL: Documentation, https://github.com/xyTom/coding-tools-mcp/tree/main/docs
-Project-URL: Source, https://github.com/xyTom/coding-tools-mcp
-Project-URL: Issues, https://github.com/xyTom/coding-tools-mcp/issues
-Requires-Python: >=3.11
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: PyJWT>=2.8
-Provides-Extra: dev
-Requires-Dist: mypy<2.2,>=2.1; extra == "dev"
-Requires-Dist: ruff<0.16,>=0.15; extra == "dev"
-Requires-Dist: typing_extensions>=4.12; extra == "dev"
-Provides-Extra: image
-Requires-Dist: Pillow>=10.0; extra == "image"
-Dynamic: license-file
-
 # Coding Tools MCP
 
 Coding Tools MCP is a model-neutral coding-agent runtime MCP server. It exposes local coding primitives to any MCP client:
@@ -37,12 +15,17 @@ It is not a prompt wrapper. It does not expose external agent accounts, memory,
 - [MCP client configuration](docs/mcp-client-config.md)
 - [Remote MCP](docs/remote-mcp.md)
 - [Tools and schemas](docs/tools-and-schemas.md)
+- [Permission modes](docs/permission-modes.md)
+- [Exec command recipes](docs/exec-command-recipes.md)
+- [Docker sandbox](docs/docker.md)
 - [Security policy](SECURITY.md)
+- [Security boundary](docs/security-boundary.md)
 - [CI and test commands](docs/ci-and-tests.md)
 - [Dogfood](docs/dogfood.md)
 - [SWE-bench evaluation](docs/swe-bench.md)
 - [Known limitations](docs/limitations.md)
 - [Troubleshooting](docs/troubleshooting.md)
+- [Exec troubleshooting](docs/troubleshooting-exec.md)
 - [Competitive analysis](docs/competitive-analysis.md)
 - Normative MCP runtime profile: [docs/profile-v0.1.md](docs/profile-v0.1.md)
 
@@ -89,15 +72,19 @@ uvx coding-tools-mcp --stdio --workspace /path/to/repo
 If you are working from this checkout instead of a published package:
 
 ```bash
-cd /root/coding-tools-mcp
-python -m pip install -e ".[dev]"
-coding-tools-mcp --workspace /path/to/repo --host 127.0.0.1 --port 8765
+make start
 ```
 
-Install the optional image extra when you want `view_image` auto-resize support:
+Pass a different workspace, host, port, or extra server flags with Make variables:
 
 ```bash
-python -m pip install -e ".[image]"
+make start MCP_WORKSPACE=/path/to/repo MCP_PORT=8000 MCP_ARGS="--permission-mode trusted"
+```
+
+If dependencies are missing, install the runtime in editable mode:
+
+```bash
+python -m pip install -e ".[dev]"
 ```
 
 HTTP endpoint:
@@ -106,6 +93,12 @@ HTTP endpoint:
 http://127.0.0.1:8765/mcp
 ```
 
+Install the optional image extra when you want `view_image` auto-resize support:
+
+```bash
+python -m pip install -e ".[image]"
+```
+
 Stdio:
 
 ```bash
@@ -114,13 +107,25 @@ coding-tools-mcp --stdio --workspace /path/to/repo
 
 Set `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.
 
-If your MCP client does not support permission elicitation and you explicitly want permission-gated operations to run, start with:
+By default, `exec_command` passes a core shell environment only. For local toolchains that depend on inherited environment variables, such as MSVC developer prompts, start with:
+
+```bash
+CODING_TOOLS_MCP_SHELL_ENV_INHERIT=all coding-tools-mcp --workspace /path/to/repo
+```
+
+`inherit=all` still filters secret-looking and loader/startup variables unless dangerous mode is also enabled. For local development with dependency downloads, shell expansion, and inline interpreter snippets, use:
+
+```bash
+coding-tools-mcp --permission-mode trusted --workspace /path/to/repo
+```
+
+`--allow-network` remains available as a compatibility flag when you only want to open network-looking commands. If your MCP client does not support permission elicitation and you explicitly want to disable `exec_command` permission gates inside an isolated container or VM, start with:
 
 ```bash
-coding-tools-mcp --dangerously-skip-all-permissions --workspace /path/to/repo
+coding-tools-mcp --permission-mode dangerous --workspace /path/to/repo
 ```
 
-This auto-grants permission-gated operations such as network-looking commands, destructive commands, shell expansion, and sensitive env passed through `exec_command`. Workspace path boundaries still apply.
+This disables `exec_command` permission gates such as network-looking commands, destructive command checks, shell expansion, inline scripts, and sensitive env checks. Workspace path boundaries for direct file tools still apply. `--dangerously-skip-all-permissions` remains as a compatibility alias.
 
 ## MCP Client Examples
 
@@ -184,7 +189,7 @@ scripts/tunnel.sh ngrok /path/to/repo
 scripts/tunnel.sh devtunnel /path/to/repo
 ```
 
-For clients that support custom headers, use bearer-token auth with `Authorization: Bearer <token>`. For MCP clients that speak OAuth 2.1 Authorization Code + PKCE, use `CODING_TOOLS_MCP_AUTH_MODE=oauth` with `scripts/tunnel.sh` (or `scripts/install.sh --auth-mode oauth`); the only env var you need to set is `CODING_TOOLS_MCP_SERVER_URL` (which must match the tunnel's stable public URL), and the script prints generated `CLIENT_ID`/`CLIENT_SECRET`/`PASSWORD` values on startup. Clients that cannot send custom bearer headers and do not speak OAuth should use anonymous `read-only` mode only for local/testing tunnels, or be placed behind an external auth proxy for production use.
+For clients that support custom headers, use bearer-token auth with `Authorization: Bearer <token>`. For MCP clients that speak OAuth 2.1 Authorization Code + PKCE, use `CODING_TOOLS_MCP_AUTH_MODE=oauth` with `scripts/tunnel.sh` (or `scripts/install.sh --auth-mode oauth`). The server can infer its OAuth issuer from the tunnel request URL, so one-shot tunnels like cloudflared work without setting `CODING_TOOLS_MCP_SERVER_URL` before startup; set it only when you want to pin a stable issuer. The script prints a generated OAuth password, accepts any non-empty client_id by default, and lets you opt into `CODING_TOOLS_MCP_OAUTH_CLIENT_ID`/`CODING_TOOLS_MCP_OAUTH_CLIENT_SECRET` only when you need to lock down a confidential client. Clients that cannot send custom bearer headers and do not speak OAuth should use anonymous `read-only` mode only for local/testing tunnels, or be placed behind an external auth proxy for production use.
 
 See [docs/remote-mcp.md](docs/remote-mcp.md) for the exact modes and security notes.
 
@@ -226,9 +231,9 @@ For input/output schemas and result envelopes, see [docs/tools-and-schemas.md](d
 
 The runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing/search excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.
 
-`exec_command` runs under policy controls with workspace-bound cwd, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
+`exec_command` runs under policy controls with workspace-bound cwd, configurable shell environment inheritance, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
 
-`--dangerously-skip-all-permissions` disables the permission gates above for operators who accept that risk. Do not use it for untrusted workspaces or untrusted MCP clients.
+`--permission-mode safe` is the default. `--permission-mode trusted` opens local-development gates while keeping secret filtering and destructive-command checks. `--permission-mode dangerous` disables `exec_command` permission gates for operators who accept that risk inside an isolated runner. Do not use dangerous mode for untrusted workspaces or untrusted MCP clients.
 
 ## Compliance
 

{coding_tools_mcp-0.1.5 → coding_tools_mcp-0.1.7}/coding_tools_mcp/__init__.py

@@ -1,3 +1,3 @@
 """Coding Tools MCP server package."""
 
-__version__ = "0.1.5"
+__version__ = "0.1.7"