External MCP servers are arbitrary third-party binaries — at least as untrusted as the agents the spawner already jails — but the #36 prototype spawned them directly on the host. Close that gap by reusing the existing confinement primitive instead of growing a second one.

- ExternalMcpServer gains `jail: Option<JailConfig>` (#[serde(default)]).
- ExternalMcpSession::start routes Command::new through colibri_daemon::spawner::jail_wrap with the shared COLIBRI_JAIL_PRIV_MODE policy (mdo live / helper deploy). No jail => unchanged. stdio (incl. the piped JSON-RPC stdin/stdout) flows through jexec/jail/mdo unaffected.
- docs/COLIBRI-EXTERNAL-MCP-PROTOTYPE: document the `jail` field + confinement.
- 3 tests (no-jail passthrough, jexec wrap, registry jail deserialize).

colibri-mcp already depends on colibri-daemon, so no new dep. Build/test/clippy/fmt green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

||
|---|---|---|
| .. | ||
| colibri-client | ||
| colibri-contracts | ||
| colibri-daemon | ||
| colibri-deepseek | ||
| colibri-glasspane | ||
| colibri-glasspane-tui | ||
| colibri-mcp | ||
| colibri-runtime | ||
| colibri-skills | ||
| colibri-store | ||