Skip to content

Comments

feat: add embedded MCP servers for filesystem and shell operations#27

Merged
douglaz merged 5 commits intomasterfrom
feat/embedded-mcp-servers
Sep 5, 2025
Merged

feat: add embedded MCP servers for filesystem and shell operations#27
douglaz merged 5 commits intomasterfrom
feat/embedded-mcp-servers

Conversation

@douglaz
Copy link
Owner

@douglaz douglaz commented Sep 1, 2025

Summary

This PR adds two embedded MCP (Model Context Protocol) servers as binaries, providing essential filesystem and shell operation capabilities for the Replicante agent.

New MCP Servers

1. filesystem-mcp-server

Provides sandboxed file operations within a workspace:

  • Tools: read_file, write_file, list_directory, create_directory, delete_file, file_exists
  • Security: Path sandboxing ensures all operations stay within the configured workspace
  • Features: Supports both absolute and relative paths, append mode for writes, recursive directory listing

2. shell-mcp-server

Enables command execution with optional Docker support:

  • Basic Tools: run_command, check_command
  • Docker Tools: docker_run, docker_ps, docker_logs, docker_exec, docker_stop, docker_rm
  • Security: Working directory sandboxing, configurable Docker access
  • Features: Command timeouts, environment variables, container management

Use Cases

  • Development Tasks: File manipulation, code generation, project scaffolding
  • Build Automation: Running build scripts, tests, and deployments
  • Container Orchestration: Managing Docker containers for complex setups
  • Fedimint Challenge: Supporting the challenge requirements for file and command operations

Implementation Details

  • Both servers implement the full MCP protocol with JSON-RPC
  • Proper error handling using Result types and unwrap_or_else with safe defaults
  • Async runtime using Tokio for non-blocking I/O operations
  • Comprehensive tool schemas with parameter validation

Security Measures

  1. Path Sandboxing: All file operations restricted to workspace directory
  2. Command Sandboxing: Working directory restricted to workspace
  3. Docker Toggle: Docker operations can be disabled via environment variable
  4. Timeout Protection: Commands have configurable timeouts to prevent hanging

Configuration

  • WORKSPACE_PATH: Root directory for sandboxed operations (default: /workspace)
  • ALLOW_DOCKER: Enable/disable Docker operations (default: true)

Testing

  • Filesystem operations stay within workspace
  • Commands execute with proper timeout
  • Docker operations work when enabled
  • Error handling doesn't panic on invalid inputs

Integration

These servers integrate with the existing MCP client infrastructure in src/mcp.rs, allowing the agent to:

  1. Spawn these servers as subprocesses
  2. Communicate via stdio using JSON-RPC
  3. Discover and use their tools dynamically

Related Work

  • Builds on the MCP client implementation
  • Complements existing mock and http MCP servers
  • Essential for Fedimint challenge scenarios

@douglaz
feat: add embedded MCP servers for filesystem and shell operations
4ec217a 
Add two new MCP (Model Context Protocol) servers as binaries:

1. filesystem-mcp-server: Sandboxed file operations
   - Read, write, list, create, delete files and directories
   - Path sandboxing ensures operations stay within workspace
   - Supports both absolute and relative paths

2. shell-mcp-server: Command execution with Docker support
   - Execute shell commands with timeout support
   - Optional Docker container management (run, exec, logs, stop, rm)
   - Working directory sandboxing
   - Environment variable support

These servers provide essential tools for the agent to interact with
the filesystem and execute commands, particularly useful for:
- Development tasks requiring file manipulation
- Build and test automation
- Container orchestration for complex deployments
- Fedimint challenge support

Both servers implement the MCP protocol with proper JSON-RPC handling,
error management using Result types, and security sandboxing.
@douglaz
feat(mcp): add clap argument parsing with env variable support
c1fd067 
- Add clap Parser to both filesystem and shell MCP servers
- Support both CLI arguments and environment variables
- Add --workspace flag (env: WORKSPACE_PATH) for workspace directory
- Add --verbose flag (env: MCP_VERBOSE) for debug output
- Add --allow-docker flag (env: ALLOW_DOCKER) for shell server
- Update logging to conditionally use verbose flag
- Improve configurability for different deployment scenarios
@douglaz
refactor(mcp): remove pseudo-async from filesystem server
806e9f4 
- Replace tokio::fs with std::fs for all file operations
- Remove unnecessary tokio runtime from filesystem-mcp-server
- Eliminate runtime.block_on() pattern for simple file I/O
- Keep shell-mcp-server async for long-running commands
- Simplify code and reduce overhead for synchronous operations
- File operations are fast enough to be blocking in stdio context
@douglaz
fix(mcp): add missing timeouts to shell server operations
595e2a5 
- Add 5-second timeout to check_command (which command)
- Add 10-second timeout to docker_ps operation
- Ensures all async operations have timeout protection
- Prevents server hanging if Docker daemon becomes unresponsive
- Maintains consistency with other operations that already have timeouts
@douglaz
feat(mcp): add comprehensive size limits to prevent OOM attacks
7ca88e8 
Security improvements for MCP servers:

Filesystem Server:
- Add configurable max file size (default 10MB)
- Check file size before reading to prevent memory exhaustion
- Add buffered reading with truncation for large files
- Limit directory listings to 10,000 entries
- Add clear truncation indicators in responses

Shell Server:
- Add configurable max output size (default 1MB)
- Truncate command stdout/stderr to prevent memory exhaustion
- Default docker logs to last 1000 lines
- Add truncation messages showing bytes omitted

Both servers now have:
- CLI arguments for size limits (--max-file-size-mb, --max-output-size-mb)
- Environment variable support (MAX_FILE_SIZE_MB, MAX_OUTPUT_SIZE_MB)
- Protection against malicious or accidental memory exhaustion
- Clear user feedback when limits are reached
@douglaz douglaz merged commit 96f1cb2 into master Sep 5, 2025
4 checks passed
@douglaz douglaz deleted the feat/embedded-mcp-servers branch September 5, 2025 23:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@douglaz