Merge pull request #3744 from AkihiroSuda/mcp

Define "MCP Sandbox Interface" and implement `limactl mcp serve`

Author: jandubois

Makefile

@@ -112,6 +112,8 @@ help-targets:
 	@echo  '- limactl                   : Build limactl, and lima'
 	@echo  '- lima                      : Copy lima, and lima.bat'
 	@echo  '- helpers                   : Copy nerdctl.lima, apptainer.lima, docker.lima, podman.lima, and kubectl.lima'
+	# TODO: move CLI plugins to _output/libexec/lima/
+	@echo  '- limactl-plugins           : Build limactl-* CLI plugins'
 	@echo
 	@echo  'Targets for files in _output/share/lima/:'
 	@echo  '- guestagents               : Build guestagents'
@@ -174,7 +176,7 @@ CONFIG_GUESTAGENT_COMPRESS=y
 
 ################################################################################
 .PHONY: binaries
-binaries: limactl helpers guestagents \
+binaries: limactl helpers limactl-plugins guestagents \
 	templates template_experimentals \
 	documentation create-links-in-doc-dir
 
@@ -280,6 +282,11 @@ ifeq ($(GOOS),darwin)
 	codesign -f -v --entitlements vz.entitlements -s - $@
 endif
 
+limactl-plugins: _output/bin/limactl-mcp$(exe)
+
+_output/bin/limactl-mcp$(exe): $(call dependencies_for_cmd,limactl-mcp) $$(call force_build,$$@)
+	$(ENVS_$@) $(GO_BUILD) -o $@ ./cmd/limactl-mcp
+
 DRIVER_INSTALL_DIR := _output/libexec/lima
 
 .PHONY: additional-drivers
@@ -516,6 +523,7 @@ uninstall:
 		"$(DEST)/bin/lima" \
 		"$(DEST)/bin/lima$(bat)" \
 		"$(DEST)/bin/limactl$(exe)" \
+		"$(DEST)/bin/limactl-mcp$(exe)" \
 		"$(DEST)/bin/nerdctl.lima" \
 		"$(DEST)/bin/apptainer.lima" \
 		"$(DEST)/bin/docker.lima" \

cmd/limactl-mcp/main.go

@@ -0,0 +1,172 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"runtime"
+	"strings"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+
+	"github.com/lima-vm/lima/v2/pkg/limactlutil"
+	"github.com/lima-vm/lima/v2/pkg/mcp/toolset"
+	"github.com/lima-vm/lima/v2/pkg/version"
+)
+
+func main() {
+	if err := newApp().Execute(); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func newApp() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:           "limactl-mcp",
+		Short:         "Model Context Protocol plugin for Lima (EXPERIMENTAL)",
+		Version:       strings.TrimPrefix(version.Version, "v"),
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	cmd.AddCommand(
+		newMcpInfoCommand(),
+		newMcpServeCommand(),
+		// TODO: `limactl-mcp configure gemini` ?
+	)
+	return cmd
+}
+
+func newServer() *mcp.Server {
+	impl := &mcp.Implementation{
+		Name:    "lima",
+		Title:   "Lima VM, for sandboxing local command executions and file I/O operations",
+		Version: version.Version,
+	}
+	serverOpts := &mcp.ServerOptions{
+		Instructions: `This MCP server provides tools for sandboxing local command executions and file I/O operations,
+by wrapping them in Lima VM (https://lima-vm.io).
+
+Use these tools to avoid accidentally executing malicious codes directly on the host.
+`,
+	}
+	if runtime.GOOS != "linux" {
+		serverOpts.Instructions += fmt.Sprintf(`
+
+NOTE: the guest OS of the VM is Linux, while the host OS is %s.
+`, cases.Title(language.English).String(runtime.GOOS))
+	}
+	return mcp.NewServer(impl, serverOpts)
+}
+
+func newMcpInfoCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "info",
+		Short: "Show information about the MCP server",
+		Args:  cobra.NoArgs,
+		RunE:  mcpInfoAction,
+	}
+	return cmd
+}
+
+func mcpInfoAction(cmd *cobra.Command, _ []string) error {
+	ctx := cmd.Context()
+	limactl, err := limactlutil.Path()
+	if err != nil {
+		return err
+	}
+	ts, err := toolset.New(limactl)
+	if err != nil {
+		return err
+	}
+	server := newServer()
+	if err = ts.RegisterServer(server); err != nil {
+		return err
+	}
+	serverTransport, clientTransport := mcp.NewInMemoryTransports()
+	serverSession, err := server.Connect(ctx, serverTransport, nil)
+	if err != nil {
+		return err
+	}
+	client := mcp.NewClient(&mcp.Implementation{Name: "client"}, nil)
+	clientSession, err := client.Connect(ctx, clientTransport, nil)
+	if err != nil {
+		return err
+	}
+	toolsResult, err := clientSession.ListTools(ctx, &mcp.ListToolsParams{})
+	if err != nil {
+		return err
+	}
+	if err = clientSession.Close(); err != nil {
+		return err
+	}
+	if err = serverSession.Wait(); err != nil {
+		return err
+	}
+	info := &Info{
+		Tools: toolsResult.Tools,
+	}
+	j, err := json.MarshalIndent(info, "", "    ")
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprint(cmd.OutOrStdout(), string(j))
+	return err
+}
+
+type Info struct {
+	Tools []*mcp.Tool `json:"tools"`
+}
+
+func newMcpServeCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "serve INSTANCE",
+		Short: "Serve MCP over stdio",
+		Long: `Serve MCP over stdio.
+
+Expected to be executed via an AI agent, not by a human`,
+		Args: cobra.MaximumNArgs(1),
+		RunE: mcpServeAction,
+	}
+	return cmd
+}
+
+func mcpServeAction(cmd *cobra.Command, args []string) error {
+	ctx := cmd.Context()
+	instName := "default"
+	if len(args) > 0 {
+		instName = args[0]
+	}
+	limactl, err := limactlutil.Path()
+	if err != nil {
+		return err
+	}
+	// FIXME: We can not use store.Inspect() here because it requires VM drivers to be compiled in.
+	// https://github.com/lima-vm/lima/pull/3744#issuecomment-3289274347
+	inst, err := limactlutil.Inspect(ctx, limactl, instName)
+	if err != nil {
+		return err
+	}
+	if len(inst.Errors) != 0 {
+		return errors.Join(inst.Errors...)
+	}
+	ts, err := toolset.New(limactl)
+	if err != nil {
+		return err
+	}
+	server := newServer()
+	if err = ts.RegisterServer(server); err != nil {
+		return err
+	}
+	if err = ts.RegisterInstance(ctx, inst); err != nil {
+		return err
+	}
+	transport := &mcp.StdioTransport{}
+	return server.Run(ctx, transport)
+}

go.mod

@@ -31,9 +31,11 @@ require (
 	github.com/mdlayher/vsock v1.2.1 // gomodjail:unconfined
 	github.com/miekg/dns v1.1.68 // gomodjail:unconfined
 	github.com/mikefarah/yq/v4 v4.47.2
+	github.com/modelcontextprotocol/go-sdk v0.6.0
 	github.com/nxadm/tail v1.4.11 // gomodjail:unconfined
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
+	github.com/pkg/sftp v1.13.9
 	github.com/rjeczalik/notify v0.9.3
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sethvargo/go-password v0.3.1
@@ -105,13 +107,13 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pkg/sftp v1.13.9 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	// gomodjail:unconfined
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	golang.org/x/crypto v0.42.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
@@ -135,6 +137,7 @@ require (
 
 require (
 	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/google/jsonschema-go v0.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect

go.sum

@@ -118,6 +118,8 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/google/jsonschema-go v0.2.3 h1:dkP3B96OtZKKFvdrUSaDkL+YDx8Uw9uC4Y+eukpCnmM=
+github.com/google/jsonschema-go v0.2.3/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
@@ -191,6 +193,8 @@ github.com/mikefarah/yq/v4 v4.47.2 h1:Jb5fHlvgK5eeaPbreG9UJs1E5w6l5hUzXjeaY6LTTW
 github.com/mikefarah/yq/v4 v4.47.2/go.mod h1:ulYbZUzGJsBDDwO5ohvk/KOW4vW5Iddd/DBeAY1Q09g=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/modelcontextprotocol/go-sdk v0.6.0 h1:cmtMYfRAUtEtCiuorOWPj7ygcypfuB2FgFEDBqZqgy4=
+github.com/modelcontextprotocol/go-sdk v0.6.0/go.mod h1:djQKZ74bEV+UMAmyG/L0coVhV0HM3fpVtGuUPls0znc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -266,6 +270,8 @@ github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
+github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

pkg/limactlutil/limactlutil.go

@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package limactlutil
+
+import (
+	"bytes"
+	"cmp"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+
+	"github.com/lima-vm/lima/v2/pkg/limatype"
+)
+
+// Path returns the path to the `limactl` executable.
+func Path() (string, error) {
+	limactl := cmp.Or(os.Getenv("LIMACTL"), "limactl")
+	return exec.LookPath(limactl)
+}
+
+// Inspect runs `limactl list --json INST` and parses the output.
+func Inspect(ctx context.Context, limactl, instName string) (*limatype.Instance, error) {
+	var stdout, stderr bytes.Buffer
+	cmd := exec.CommandContext(ctx, limactl, "list", "--json", instName)
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	if err := cmd.Run(); err != nil {
+		return nil, fmt.Errorf("failed to run %v: stdout=%q, stderr=%q: %w", cmd.Args, stdout.String(), stderr.String(), err)
+	}
+	var inst limatype.Instance
+	if err := json.Unmarshal(stdout.Bytes(), &inst); err != nil {
+		return nil, err
+	}
+	return &inst, nil
+}

pkg/mcp/msi/filesystem.go

@@ -0,0 +1,83 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Portion of AI prompt texts from:
+// - https://github.com/google-gemini/gemini-cli/blob/v0.1.12/docs/tools/file-system.md
+//
+// SPDX-FileCopyrightText: Copyright 2025 Google LLC
+
+package msi
+
+import (
+	"io/fs"
+	"time"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+var ListDirectory = &mcp.Tool{
+	Name:        "list_directory",
+	Description: `Lists the names of files and subdirectories directly within a specified directory path.`,
+}
+
+type ListDirectoryParams struct {
+	Path string `json:"path" jsonschema:"The absolute path to the directory to list."`
+}
+
+// ListDirectoryResultEntry is similar to [io/fs.FileInfo].
+type ListDirectoryResultEntry struct {
+	Name    string       `json:"name" jsonschema:"base name of the file"`
+	Size    *int64       `json:"size,omitempty" jsonschema:"length in bytes for regular files; system-dependent for others"`
+	Mode    *fs.FileMode `json:"mode,omitempty" jsonschema:"file mode bits"`
+	ModTime *time.Time   `json:"time,omitempty" jsonschema:"modification time"`
+	IsDir   *bool        `json:"is_dir,omitempty" jsonschema:"true for a directory"`
+}
+
+type ListDirectoryResult struct {
+	Entries []ListDirectoryResultEntry `json:"entries" jsonschema:"The directory content entries."`
+}
+
+var ReadFile = &mcp.Tool{
+	Name:        "read_file",
+	Description: `Reads and returns the content of a specified file.`,
+}
+
+type ReadFileParams struct {
+	Path string `json:"path" jsonschema:"The absolute path to the file to read."`
+	// TODO: Offset *int   `json:"offset,omitempty" jsonschema:"For text files, the 0-based line number to start reading from. Requires limit to be set."`
+	// TODO: Limit  *int   `json:"limit,omitempty" jsonschema:"For text files, the maximum number of lines to read. If omitted, reads a default maximum (e.g., 2000 lines) or the entire file if feasible."`
+}
+
+var WriteFile = &mcp.Tool{
+	Name:        "write_file",
+	Description: `Writes content to a specified file. If the file exists, it will be overwritten. If the file doesn't exist, it (and any necessary parent directories) will be created.`,
+}
+
+type WriteFileParams struct {
+	Path    string `json:"path" jsonschema:"The absolute path to the file to write to."`
+	Content string `json:"content" jsonschema:"The content to write into the file."`
+}
+
+var Glob = &mcp.Tool{
+	Name:        "glob",
+	Description: `Finds files matching specific glob patterns (e.g., src/**/*.ts, *.md)`, // Not sorted by mod time, unlike Gemini
+}
+
+type GlobParams struct {
+	Pattern string  `json:"pattern" jsonschema:"The glob pattern to match against (e.g., '*.py', 'src/**/*.js')."`
+	Path    *string `json:"path,omitempty" jsonschema:"The absolute path to the directory to search within. If omitted, searches the tool's root directory."`
+	// TODO: CaseSensitive bool    `json:"case_sensitive,omitempty" jsonschema:": Whether the search should be case-sensitive. Defaults to false."`
+}
+
+var SearchFileContent = &mcp.Tool{
+	Name:        "search_file_content",
+	Description: `Searches for a regular expression pattern within the content of files in a specified directory. Internally calls 'git grep -n --no-index'.`,
+}
+
+type SearchFileContentParams struct {
+	Pattern string  `json:"pattern" jsonschema:"The regular expression (regex) to search for (e.g., 'function\\s+myFunction')."`
+	Path    *string `json:"path,omitempty" jsonschema:"The absolute path to the directory to search within. Defaults to the current working directory."`
+	Include *string `json:"include,omitempty" jsonschema:"A glob pattern to filter which files are searched (e.g., '*.js', 'src/**/*.{ts,tsx}'). If omitted, searches most files (respecting common ignores)."`
+}
+
+// TODO: implement Replace