PyPI - coding-tools-mcp - Versions diffs - 0.1.6__tar.gz → 0.1.7__tar.gz - Mend

coding-tools-mcp 0.1.6tar.gz → 0.1.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

{coding_tools_mcp-0.1.6 → coding_tools_mcp-0.1.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: coding-tools-mcp
-Version: 0.1.6
+Version: 0.1.7
 Summary: Workspace-confined coding tools exposed as an MCP server.
 Author: Coding Tools MCP Contributors
 License: Coding Tools MCP Source-Available License v1.0
@@ -73,12 +73,17 @@ It is not a prompt wrapper. It does not expose external agent accounts, memory,
 - [MCP client configuration](docs/mcp-client-config.md)
 - [Remote MCP](docs/remote-mcp.md)
 - [Tools and schemas](docs/tools-and-schemas.md)
+- [Permission modes](docs/permission-modes.md)
+- [Exec command recipes](docs/exec-command-recipes.md)
+- [Docker sandbox](docs/docker.md)
 - [Security policy](SECURITY.md)
+- [Security boundary](docs/security-boundary.md)
 - [CI and test commands](docs/ci-and-tests.md)
 - [Dogfood](docs/dogfood.md)
 - [SWE-bench evaluation](docs/swe-bench.md)
 - [Known limitations](docs/limitations.md)
 - [Troubleshooting](docs/troubleshooting.md)
+- [Exec troubleshooting](docs/troubleshooting-exec.md)
 - [Competitive analysis](docs/competitive-analysis.md)
 - Normative MCP runtime profile: [docs/profile-v0.1.md](docs/profile-v0.1.md)
@@ -125,15 +130,19 @@ uvx coding-tools-mcp --stdio --workspace /path/to/repo
 If you are working from this checkout instead of a published package:
 ```bash
-cd /root/coding-tools-mcp
-python -m pip install -e ".[dev]"
-coding-tools-mcp --workspace /path/to/repo --host 127.0.0.1 --port 8765
+make start
 ```
-Install the optional image extra when you want `view_image` auto-resize support:
+Pass a different workspace, host, port, or extra server flags with Make variables:
 ```bash
-python -m pip install -e ".[image]"
+make start MCP_WORKSPACE=/path/to/repo MCP_PORT=8000 MCP_ARGS="--permission-mode trusted"
+```
+If dependencies are missing, install the runtime in editable mode:
+```bash
+python -m pip install -e ".[dev]"
 ```
 HTTP endpoint:
@@ -142,6 +151,12 @@ HTTP endpoint:
 http://127.0.0.1:8765/mcp
 ```
+Install the optional image extra when you want `view_image` auto-resize support:
+```bash
+python -m pip install -e ".[image]"
+```
 Stdio:
 ```bash
@@ -150,13 +165,25 @@ coding-tools-mcp --stdio --workspace /path/to/repo
 Set `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.
-If your MCP client does not support permission elicitation and you explicitly want permission-gated operations to run, start with:
+By default, `exec_command` passes a core shell environment only. For local toolchains that depend on inherited environment variables, such as MSVC developer prompts, start with:
+```bash
+CODING_TOOLS_MCP_SHELL_ENV_INHERIT=all coding-tools-mcp --workspace /path/to/repo
+```
+`inherit=all` still filters secret-looking and loader/startup variables unless dangerous mode is also enabled. For local development with dependency downloads, shell expansion, and inline interpreter snippets, use:
+```bash
+coding-tools-mcp --permission-mode trusted --workspace /path/to/repo
+```
+`--allow-network` remains available as a compatibility flag when you only want to open network-looking commands. If your MCP client does not support permission elicitation and you explicitly want to disable `exec_command` permission gates inside an isolated container or VM, start with:
 ```bash
-coding-tools-mcp --dangerously-skip-all-permissions --workspace /path/to/repo
+coding-tools-mcp --permission-mode dangerous --workspace /path/to/repo
 ```
-This auto-grants permission-gated operations such as network-looking commands, destructive commands, shell expansion, and sensitive env passed through `exec_command`. Workspace path boundaries still apply.
+This disables `exec_command` permission gates such as network-looking commands, destructive command checks, shell expansion, inline scripts, and sensitive env checks. Workspace path boundaries for direct file tools still apply. `--dangerously-skip-all-permissions` remains as a compatibility alias.
 ## MCP Client Examples
@@ -262,9 +289,9 @@ For input/output schemas and result envelopes, see [docs/tools-and-schemas.md](d
 The runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing/search excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.
-`exec_command` runs under policy controls with workspace-bound cwd, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
+`exec_command` runs under policy controls with workspace-bound cwd, configurable shell environment inheritance, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
-`--dangerously-skip-all-permissions` disables the permission gates above for operators who accept that risk. Do not use it for untrusted workspaces or untrusted MCP clients.
+`--permission-mode safe` is the default. `--permission-mode trusted` opens local-development gates while keeping secret filtering and destructive-command checks. `--permission-mode dangerous` disables `exec_command` permission gates for operators who accept that risk inside an isolated runner. Do not use dangerous mode for untrusted workspaces or untrusted MCP clients.
 ## Compliance

{coding_tools_mcp-0.1.6 → coding_tools_mcp-0.1.7}/README.md RENAMED Viewed

@@ -15,12 +15,17 @@ It is not a prompt wrapper. It does not expose external agent accounts, memory,
 - [MCP client configuration](docs/mcp-client-config.md)
 - [Remote MCP](docs/remote-mcp.md)
 - [Tools and schemas](docs/tools-and-schemas.md)
+- [Permission modes](docs/permission-modes.md)
+- [Exec command recipes](docs/exec-command-recipes.md)
+- [Docker sandbox](docs/docker.md)
 - [Security policy](SECURITY.md)
+- [Security boundary](docs/security-boundary.md)
 - [CI and test commands](docs/ci-and-tests.md)
 - [Dogfood](docs/dogfood.md)
 - [SWE-bench evaluation](docs/swe-bench.md)
 - [Known limitations](docs/limitations.md)
 - [Troubleshooting](docs/troubleshooting.md)
+- [Exec troubleshooting](docs/troubleshooting-exec.md)
 - [Competitive analysis](docs/competitive-analysis.md)
 - Normative MCP runtime profile: [docs/profile-v0.1.md](docs/profile-v0.1.md)
@@ -67,15 +72,19 @@ uvx coding-tools-mcp --stdio --workspace /path/to/repo
 If you are working from this checkout instead of a published package:
 ```bash
-cd /root/coding-tools-mcp
-python -m pip install -e ".[dev]"
-coding-tools-mcp --workspace /path/to/repo --host 127.0.0.1 --port 8765
+make start
 ```
-Install the optional image extra when you want `view_image` auto-resize support:
+Pass a different workspace, host, port, or extra server flags with Make variables:
 ```bash
-python -m pip install -e ".[image]"
+make start MCP_WORKSPACE=/path/to/repo MCP_PORT=8000 MCP_ARGS="--permission-mode trusted"
+```
+If dependencies are missing, install the runtime in editable mode:
+```bash
+python -m pip install -e ".[dev]"
 ```
 HTTP endpoint:
@@ -84,6 +93,12 @@ HTTP endpoint:
 http://127.0.0.1:8765/mcp
 ```
+Install the optional image extra when you want `view_image` auto-resize support:
+```bash
+python -m pip install -e ".[image]"
+```
 Stdio:
 ```bash
@@ -92,13 +107,25 @@ coding-tools-mcp --stdio --workspace /path/to/repo
 Set `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.
-If your MCP client does not support permission elicitation and you explicitly want permission-gated operations to run, start with:
+By default, `exec_command` passes a core shell environment only. For local toolchains that depend on inherited environment variables, such as MSVC developer prompts, start with:
+```bash
+CODING_TOOLS_MCP_SHELL_ENV_INHERIT=all coding-tools-mcp --workspace /path/to/repo
+```
+`inherit=all` still filters secret-looking and loader/startup variables unless dangerous mode is also enabled. For local development with dependency downloads, shell expansion, and inline interpreter snippets, use:
+```bash
+coding-tools-mcp --permission-mode trusted --workspace /path/to/repo
+```
+`--allow-network` remains available as a compatibility flag when you only want to open network-looking commands. If your MCP client does not support permission elicitation and you explicitly want to disable `exec_command` permission gates inside an isolated container or VM, start with:
 ```bash
-coding-tools-mcp --dangerously-skip-all-permissions --workspace /path/to/repo
+coding-tools-mcp --permission-mode dangerous --workspace /path/to/repo
 ```
-This auto-grants permission-gated operations such as network-looking commands, destructive commands, shell expansion, and sensitive env passed through `exec_command`. Workspace path boundaries still apply.
+This disables `exec_command` permission gates such as network-looking commands, destructive command checks, shell expansion, inline scripts, and sensitive env checks. Workspace path boundaries for direct file tools still apply. `--dangerously-skip-all-permissions` remains as a compatibility alias.
 ## MCP Client Examples
@@ -204,9 +231,9 @@ For input/output schemas and result envelopes, see [docs/tools-and-schemas.md](d
 The runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing/search excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.
-`exec_command` runs under policy controls with workspace-bound cwd, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
+`exec_command` runs under policy controls with workspace-bound cwd, configurable shell environment inheritance, timeout, output caps, sensitive-value and loader/startup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation/kill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS/container sandbox; see [SECURITY.md](SECURITY.md).
-`--dangerously-skip-all-permissions` disables the permission gates above for operators who accept that risk. Do not use it for untrusted workspaces or untrusted MCP clients.
+`--permission-mode safe` is the default. `--permission-mode trusted` opens local-development gates while keeping secret filtering and destructive-command checks. `--permission-mode dangerous` disables `exec_command` permission gates for operators who accept that risk inside an isolated runner. Do not use dangerous mode for untrusted workspaces or untrusted MCP clients.
 ## Compliance

{coding_tools_mcp-0.1.6 → coding_tools_mcp-0.1.7}/coding_tools_mcp/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Coding Tools MCP server package."""
-__version__ = "0.1.6"
+__version__ = "0.1.7"

coding-tools-mcp 0.1.6__tar.gz → 0.1.7__tar.gz

coding-tools-mcp 0.1.6tar.gz → 0.1.7tar.gz