Skip to main content

Crate tsafe_mcp

Crate tsafe_mcp 

Source
Expand description

tsafe-mcp - bound MCP server for the Agent Authority Firewall.

This crate provides the companion binary behind both tsafe-mcp serve ... and the CLI normal form tsafe mcp serve --profile <profile> --contract <contract> --workdir <repo>. A bound MCP process fixes one profile, one authority contract, and one workdir at startup. Tool calls cannot switch profile, contract, workdir, or secret scope at request time.

Bound mode exposes safe command execution through three model-facing tools: show_exec_plan, run_contract_command, and tsafe_mcp_status. Secret material is not returned to the model. No-secret diagnostic contracts are valid when the contract explicitly compiles to zero allowed and required secrets while still enforcing target policy and audit behavior.

Separate agent contexts should use separate server instance normal forms, for example host entries named tsafe-cordance and tsafe-cortex, each with its own profile, contract, workdir, and process.

The library entry point run is called both from the standalone tsafe-mcp binary (src/main.rs) and from the meta-crate shim (crates/tsafe/src/bin/tsafe_mcp.rs).

The runtime exposes five subcommands per design §5.2:

  • tsafe-mcp serve [...] — stdio JSON-RPC server (default subcommand)
  • tsafe-mcp install <host> [...] — write per-host MCP config
  • tsafe-mcp config <host> [...] — emit safe host config without writing
  • tsafe-mcp uninstall <host> [...]— remove the entry
  • tsafe-mcp status — print binary version + resolved scope

All other doctrine: bound MCP stance, ADR-003 agent IPC reuse, ADR-005 module layout. See docs/architecture/ADR-006-mcp-server.md and docs/architecture/mcp-server-design.md.

Modules§

audit
mcp-flavored AuditEntry construction helpers built on tsafe_core::audit.
backend
Vault unlock helper — calls tsafe_core::agent::request_password_from_agent and opens the vault read-only for the bound profile.
errors
JSON-RPC error code table and McpError enum.
install
tsafe-mcp install <host> dispatch — routes to per-host writer modules.
server
TsafeMcpServer — the rmcp 1.7 ServerHandler that exposes tsafe’s tool surface over a spec-compliant MCP 2025-06-18 stdio transport.
session
Immutable per-process Session: bound profile, allowed/denied globs, optional contract.
tools
Tool dispatch table and tools/list catalog construction.

Functions§

run
Process entry point. Parses argv, dispatches to the matching subcommand, and exits the process with code 1 on error (same shape as tsafe-agent::run at crates/tsafe-agent/src/lib.rs).