Expand description
tsafe-mcp - bound MCP server for the Agent Authority Firewall.
This crate provides the companion binary behind both tsafe-mcp serve ...
and the CLI normal form tsafe mcp serve --profile <profile> --contract <contract> --workdir <repo>. A bound MCP process fixes one profile, one
authority contract, and one workdir at startup. Tool calls cannot switch
profile, contract, workdir, or secret scope at request time.
Bound mode exposes safe command execution through three model-facing tools:
show_exec_plan, run_contract_command, and tsafe_mcp_status. Secret
material is not returned to the model. No-secret diagnostic contracts are
valid when the contract explicitly compiles to zero allowed and required
secrets while still enforcing target policy and audit behavior.
Separate agent contexts should use separate server instance normal forms,
for example host entries named tsafe-cordance and tsafe-cortex, each
with its own profile, contract, workdir, and process.
The library entry point run is called both from the standalone
tsafe-mcp binary (src/main.rs) and from the meta-crate shim
(crates/tsafe/src/bin/tsafe_mcp.rs).
The runtime exposes five subcommands per design §5.2:
tsafe-mcp serve [...]— stdio JSON-RPC server (default subcommand)tsafe-mcp install <host> [...]— write per-host MCP configtsafe-mcp config <host> [...]— emit safe host config without writingtsafe-mcp uninstall <host> [...]— remove the entrytsafe-mcp status— print binary version + resolved scope
All other doctrine: bound MCP stance, ADR-003 agent IPC reuse, ADR-005 module
layout. See docs/architecture/ADR-006-mcp-server.md and
docs/architecture/mcp-server-design.md.
Modules§
- audit
- mcp-flavored AuditEntry construction helpers built on
tsafe_core::audit. - backend
- Vault unlock helper — calls
tsafe_core::agent::request_password_from_agentand opens the vault read-only for the bound profile. - errors
- JSON-RPC error code table and
McpErrorenum. - install
tsafe-mcp install <host>dispatch — routes to per-host writer modules.- server
TsafeMcpServer— the rmcp 1.7ServerHandlerthat exposes tsafe’s tool surface over a spec-compliant MCP 2025-06-18 stdio transport.- session
- Immutable per-process Session: bound profile, allowed/denied globs, optional contract.
- tools
- Tool dispatch table and
tools/listcatalog construction.
Functions§
- run
- Process entry point. Parses argv, dispatches to the matching subcommand,
and exits the process with code 1 on error (same shape as
tsafe-agent::runatcrates/tsafe-agent/src/lib.rs).