feat(mcp): confine external MCP servers in a jail (reuse spawner primitive) #38

Merged
clawdie merged 1 commit from feat/jail-external-mcp into main 2026-06-13 20:35:29 +02:00
Owner

External MCP servers are arbitrary third-party binaries — at least as untrusted
as the agents the spawner already jails — but the #36 prototype spawned them
directly on the host. Close that gap by reusing the existing confinement
primitive instead of growing a second one.

  • ExternalMcpServer gains `jail: Option<JailConfig>` (#[serde(default)]).
  • ExternalMcpSession::start routes Command::new through
    colibri_daemon::spawner::jail_wrap with the shared COLIBRI_JAIL_PRIV_MODE
    policy (mdo live / helper deploy). No jail => unchanged. stdio (incl. the
    piped JSON-RPC stdin/stdout) flows through jexec/jail/mdo unaffected.
  • docs/COLIBRI-EXTERNAL-MCP-PROTOTYPE: document the jail field + confinement.
  • 3 tests (no-jail passthrough, jexec wrap, registry jail deserialize).

colibri-mcp already depends on colibri-daemon, so no new dep. Build/test/clippy/
fmt green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
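Illustrative Rust sketch of the two branches the description above outlines. This is an added example, not code from the colibri repository: `JailConfig`, `ExternalMcpServer`, and `jail_wrap` here are simplified stand-ins for the real types and for `colibri_daemon::spawner::jail_wrap`, and the assumption that a jail is identified by a single name and entered via `jexec` is the example's own. The `COLIBRI_JAIL_PRIV_MODE` policy (mdo vs. helper) is deliberately not modelled.

```rust
use std::process::Command;

/// Stand-in for the PR's `JailConfig` (assumed shape: a jail name is enough
/// to build a `jexec` invocation). Hypothetical, not the project's type.
#[derive(Debug, Clone, PartialEq)]
pub struct JailConfig {
    pub name: String,
}

/// Stand-in for the PR's `ExternalMcpServer` registry entry. A missing `jail`
/// (the `#[serde(default)]` case in the PR) is represented by `None`.
#[derive(Debug, Clone)]
pub struct ExternalMcpServer {
    pub command: String,
    pub args: Vec<String>,
    pub jail: Option<JailConfig>,
}

/// Equivalent of routing `Command::new` through a jail wrapper:
/// - no jail: the command is built exactly as before (passthrough);
/// - jail:    the command becomes `jexec <name> <command> <args...>`, so the
///            third-party server process is created inside the jail.
/// stdio configuration is untouched, so a piped JSON-RPC stdin/stdout set up
/// by the caller still reaches the confined process.
pub fn jail_wrap(server: &ExternalMcpServer) -> Command {
    match &server.jail {
        None => {
            let mut cmd = Command::new(&server.command);
            cmd.args(&server.args);
            cmd
        }
        Some(jail) => {
            let mut cmd = Command::new("jexec");
            cmd.arg(&jail.name).arg(&server.command).args(&server.args);
            cmd
        }
    }
}

/// Flatten a `Command` into its argv (program first) so the wrapping decision
/// can be inspected and asserted on without spawning anything.
pub fn argv(cmd: &Command) -> Vec<String> {
    let mut out = vec![cmd.get_program().to_string_lossy().into_owned()];
    out.extend(cmd.get_args().map(|a| a.to_string_lossy().into_owned()));
    out
}

fn main() {
    // Constructed sample registry entries, one per branch.
    let plain = ExternalMcpServer {
        command: "example-mcp-server".into(),
        args: vec!["--stdio".into()],
        jail: None,
    };
    let confined = ExternalMcpServer {
        jail: Some(JailConfig { name: "mcp-example".into() }),
        ..plain.clone()
    };
    println!("no jail:  {:?}", argv(&jail_wrap(&plain)));
    println!("jailed:   {:?}", argv(&jail_wrap(&confined)));
}
```

The two `argv` shapes are the same pair of outcomes the PR's "no-jail passthrough" and "jexec wrap" tests pin down: the unconfined path must stay byte-for-byte what it was, and the confined path must put `jexec` in front of the server binary rather than beside it.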

clawdie added 1 commit 2026-06-13 20:35:19 +02:00
feat(mcp): confine external MCP servers in a jail (reuse spawner primitive)
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
87c075d6ba
External MCP servers are arbitrary third-party binaries — at least as untrusted
as the agents the spawner already jails — but the #36 prototype spawned them
directly on the host. Close that gap by reusing the existing confinement
primitive instead of growing a second one.

- ExternalMcpServer gains `jail: Option<JailConfig>` (#[serde(default)]).
- ExternalMcpSession::start routes Command::new through
  colibri_daemon::spawner::jail_wrap with the shared COLIBRI_JAIL_PRIV_MODE
  policy (mdo live / helper deploy). No jail => unchanged. stdio (incl. the
  piped JSON-RPC stdin/stdout) flows through jexec/jail/mdo unaffected.
- docs/COLIBRI-EXTERNAL-MCP-PROTOTYPE: document the `jail` field + confinement.
- 3 tests (no-jail passthrough, jexec wrap, registry jail deserialize).

colibri-mcp already depends on colibri-daemon, so no new dep. Build/test/clippy/
fmt green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit 3ce2840823 into main 2026-06-13 20:35:29 +02:00
clawdie deleted branch feat/jail-external-mcp 2026-06-13 20:35:29 +02:00
Reference: clawdie/colibri#38