[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-85148":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":13,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":13,"stars7d":13,"stars30d":13,"stars90d":13,"forks30d":13,"starsTrendScore":13,"compositeScore":14,"rankGlobal":8,"rankLanguage":8,"license":15,"archived":16,"fork":16,"defaultBranch":17,"hasWiki":18,"hasPages":16,"topics":19,"createdAt":8,"pushedAt":8,"updatedAt":20,"readmeContent":21,"aiSummary":8,"trendingCount":13,"starSnapshotCount":13,"syncStatus":22,"lastSyncTime":23,"discoverSource":24},85148,"coding-tools-mcp","xyTom\u002Fcoding-tools-mcp","xyTom",null,"Python",58,10,1,0,36.12,"Other",false,"main",true,[],"2026-06-15 10:04:51","# Coding Tools MCP\n\nCoding Tools MCP is a model-neutral coding-agent runtime MCP server. It exposes local coding primitives to any MCP client:\n\n```text\ninspect repo -> search\u002Fread files -> apply structured patches -> run tests\u002Fcommands\n-> interact with stdin sessions -> inspect git status\u002Fdiff\n```\n\nIt is not a prompt wrapper. It does not expose external agent accounts, memory, cloud tasks, web search, image generation, model routing, plugin marketplace, or subagent orchestration as MCP tools.\n\n## Documentation Map\n\n- [Quickstart](docs\u002Fquickstart.md)\n- [MCP client configuration](docs\u002Fmcp-client-config.md)\n- [Remote MCP](docs\u002Fremote-mcp.md)\n- [Tools and schemas](docs\u002Ftools-and-schemas.md)\n- [Permission modes](docs\u002Fpermission-modes.md)\n- [Exec command recipes](docs\u002Fexec-command-recipes.md)\n- [Docker sandbox](docs\u002Fdocker.md)\n- [Security policy](SECURITY.md)\n- [Security boundary](docs\u002Fsecurity-boundary.md)\n- [CI and test commands](docs\u002Fci-and-tests.md)\n- [Dogfood](docs\u002Fdogfood.md)\n- [SWE-bench evaluation](docs\u002Fswe-bench.md)\n- [Known limitations](docs\u002Flimitations.md)\n- [Troubleshooting](docs\u002Ftroubleshooting.md)\n- [Exec troubleshooting](docs\u002Ftroubleshooting-exec.md)\n- [Competitive analysis](docs\u002Fcompetitive-analysis.md)\n- Normative MCP runtime profile: [docs\u002Fprofile-v0.1.md](docs\u002Fprofile-v0.1.md)\n\n## Quickstart\n\nInstall the published command from PyPI:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FxyTom\u002Fcoding-tools-mcp\u002Fmain\u002Fscripts\u002Finstall.sh | bash\n```\n\nInstall and start local Streamable HTTP against a workspace:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FxyTom\u002Fcoding-tools-mcp\u002Fmain\u002Fscripts\u002Finstall.sh \\\n  | bash -s -- --start --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\nInstall and expose a read-only bearer-token tunnel:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FxyTom\u002Fcoding-tools-mcp\u002Fmain\u002Fscripts\u002Finstall.sh \\\n  | bash -s -- --tunnel cloudflared --auto-install-tunnel --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\nOr, from this checkout:\n\n```bash\nscripts\u002Finstall.sh\n```\n\nRun the published package without a persistent install:\n\n```bash\nuvx coding-tools-mcp --workspace .\n```\n\nUse stdio for MCP clients:\n\n```bash\nuvx coding-tools-mcp --stdio --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\nIf you are working from this checkout instead of a published package:\n\n```bash\nmake start\n```\n\nPass a different workspace, host, port, or extra server flags with Make variables:\n\n```bash\nmake start MCP_WORKSPACE=\u002Fpath\u002Fto\u002Frepo MCP_PORT=8000 MCP_ARGS=\"--permission-mode trusted\"\n```\n\nIf dependencies are missing, install the runtime in editable mode:\n\n```bash\npython -m pip install -e \".[dev]\"\n```\n\nHTTP endpoint:\n\n```text\nhttp:\u002F\u002F127.0.0.1:8765\u002Fmcp\n```\n\nInstall the optional image extra when you want `view_image` auto-resize support:\n\n```bash\npython -m pip install -e \".[image]\"\n```\n\nStdio:\n\n```bash\ncoding-tools-mcp --stdio --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\nSet `CODING_TOOLS_MCP_TRACE=1` to emit redacted JSON tool-call trace events to stderr for local debugging. Logs stay off stdout so stdio JSON-RPC remains clean.\n\nBy default, `exec_command` passes a core shell environment only. For local toolchains that depend on inherited environment variables, such as MSVC developer prompts, start with:\n\n```bash\nCODING_TOOLS_MCP_SHELL_ENV_INHERIT=all coding-tools-mcp --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\n`inherit=all` still filters secret-looking and loader\u002Fstartup variables unless dangerous mode is also enabled. For local development with dependency downloads, shell expansion, and inline interpreter snippets, use:\n\n```bash\ncoding-tools-mcp --permission-mode trusted --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\n`--allow-network` remains available as a compatibility flag when you only want to open network-looking commands. If your MCP client does not support permission elicitation and you explicitly want to disable `exec_command` permission gates inside an isolated container or VM, start with:\n\n```bash\ncoding-tools-mcp --permission-mode dangerous --workspace \u002Fpath\u002Fto\u002Frepo\n```\n\nThis disables `exec_command` permission gates such as network-looking commands, destructive command checks, shell expansion, inline scripts, and sensitive env checks. Workspace path boundaries for direct file tools still apply. `--dangerously-skip-all-permissions` remains as a compatibility alias.\n\n## MCP Client Examples\n\nGeneric stdio client:\n\n```toml\n[mcp_servers.coding_tools]\ncommand = \"uvx\"\nargs = [\"coding-tools-mcp\", \"--stdio\", \"--workspace\", \"\u002Fpath\u002Fto\u002Frepo\"]\n```\n\nClaude Code:\n\n```json\n{\n  \"mcpServers\": {\n    \"coding-tools\": {\n      \"command\": \"uvx\",\n      \"args\": [\"coding-tools-mcp\", \"--stdio\", \"--workspace\", \"\u002Fpath\u002Fto\u002Frepo\"]\n    }\n  }\n}\n```\n\nCursor:\n\n```json\n{\n  \"mcpServers\": {\n    \"coding-tools\": {\n      \"command\": \"uvx\",\n      \"args\": [\"coding-tools-mcp\", \"--stdio\", \"--workspace\", \"\u002Fpath\u002Fto\u002Frepo\"]\n    }\n  }\n}\n```\n\nGeneric Streamable HTTP clients should use MCP protocol version `2025-06-18` and point at `http:\u002F\u002F127.0.0.1:8765\u002Fmcp`.\n\n## Remote MCP\n\nFor remote MCP clients and local development over an HTTPS tunnel, keep the server bound to loopback and expose the tunnel URL with the safest profile your client can use. Anonymous tunnel testing should use `read-only` mode:\n\n```bash\nCODING_TOOLS_MCP_AUTH_MODE=noauth \\\nCODING_TOOLS_MCP_TOOL_PROFILE=read-only \\\n.\u002Fscripts\u002Ftunnel.sh cloudflared \u002Fpath\u002Fto\u002Frepo\n```\n\nConfigure the remote MCP client with the HTTPS tunnel URL:\n\n```text\nURL: https:\u002F\u002F\u003Ctunnel-host>\u002Fmcp\n```\n\nThe tunnel scripts support `cloudflared`, `ngrok`, and Microsoft Dev Tunnel. If the selected tunnel CLI is missing, the script asks before installing it:\n\n```bash\nscripts\u002Ftunnel.sh cloudflared \u002Fpath\u002Fto\u002Frepo\nscripts\u002Ftunnel.sh ngrok \u002Fpath\u002Fto\u002Frepo\nscripts\u002Ftunnel.sh devtunnel \u002Fpath\u002Fto\u002Frepo\n```\n\nFor clients that support custom headers, use bearer-token auth with `Authorization: Bearer \u003Ctoken>`. For MCP clients that speak OAuth 2.1 Authorization Code + PKCE, use `CODING_TOOLS_MCP_AUTH_MODE=oauth` with `scripts\u002Ftunnel.sh` (or `scripts\u002Finstall.sh --auth-mode oauth`). The server can infer its OAuth issuer from the tunnel request URL, so one-shot tunnels like cloudflared work without setting `CODING_TOOLS_MCP_SERVER_URL` before startup; set it only when you want to pin a stable issuer. The script prints a generated OAuth password, accepts any non-empty client_id by default, and lets you opt into `CODING_TOOLS_MCP_OAUTH_CLIENT_ID`\u002F`CODING_TOOLS_MCP_OAUTH_CLIENT_SECRET` only when you need to lock down a confidential client. Clients that cannot send custom bearer headers and do not speak OAuth should use anonymous `read-only` mode only for local\u002Ftesting tunnels, or be placed behind an external auth proxy for production use.\n\nSee [docs\u002Fremote-mcp.md](docs\u002Fremote-mcp.md) for the exact modes and security notes.\n\n## Tool Profiles\n\n- `full`: exposes all tools with truthful annotations. This is the default for backward compatibility.\n- `read-only`: recommended for remote or safe-mode clients; exposes only inspection tools, git read tools, image viewing, and default-cwd helpers.\n- `compat-readonly-all`: exposes all tools but advertises every tool as read-only for clients that gate availability on `readOnlyHint`. This is not a safety mode; mutation-capable tools such as `apply_patch`, `exec_command`, `write_stdin`, and `kill_session` can still mutate local state.\n\n## Tools\n\nP0 tools exposed by default:\n\n- `server_info`\n- `get_default_cwd`\n- `set_default_cwd`\n- `read_file`\n- `list_dir`\n- `list_files`\n- `search_text`\n- `apply_patch`\n- `exec_command`\n- `write_stdin`\n- `kill_session`\n- `git_status`\n- `git_diff`\n- `git_log`\n- `git_show`\n- `git_blame`\n- `request_permissions`\n\nAdditional image tool exposed by default:\n\n- `view_image`\n\nFor input\u002Foutput schemas and result envelopes, see [docs\u002Ftools-and-schemas.md](docs\u002Ftools-and-schemas.md) and [docs\u002Fprofile-v0.1.md](docs\u002Fprofile-v0.1.md).\n\n## Safety Boundary\n\nThe runtime binds one workspace root per server process. Paths are workspace-relative by default. Absolute paths, `..` traversal, and symlink escapes are rejected. Recursive listing\u002Fsearch excludes `.git`, `.reference`, `node_modules`, `target`, `dist`, build outputs, virtualenvs, and common caches by default.\n\n`exec_command` runs under policy controls with workspace-bound cwd, configurable shell environment inheritance, timeout, output caps, sensitive-value and loader\u002Fstartup environment rejection, destructive command checks, network-looking command checks, shell-expansion permission gates, indirect absolute-path checks, cancellation\u002Fkill cleanup, session deadline watchdogs, and bounded session buffers. On Linux hosts with Landlock support it also applies filesystem confinement; on Windows, macOS, or Linux hosts without Landlock, command results include a warning and external sandboxing is required before running untrusted commands. This is still not a complete OS\u002Fcontainer sandbox; see [SECURITY.md](SECURITY.md).\n\n`--permission-mode safe` is the default. `--permission-mode trusted` opens local-development gates while keeping secret filtering and destructive-command checks. `--permission-mode dangerous` disables `exec_command` permission gates for operators who accept that risk inside an isolated runner. Do not use dangerous mode for untrusted workspaces or untrusted MCP clients.\n\n## Compliance\n\n```bash\nmake compliance\n```\n\nCompliance and CI commands are documented in [docs\u002Fci-and-tests.md](docs\u002Fci-and-tests.md). The checked-in report files are generated artifacts; inspect their `suite` field before treating them as full compliance evidence.\n\n## Dogfood And Benchmark\n\nDogfood and SWE-bench notes live in [docs\u002Fdogfood.md](docs\u002Fdogfood.md), [docs\u002Fswe-bench.md](docs\u002Fswe-bench.md), and [BENCHMARK.md](BENCHMARK.md). This repository does not claim a model-generated SWE-bench leaderboard result.\n\n## Development Commands\n\n```bash\nmake lint\nmake typecheck\nmake test\nmake compliance\nmake ci\n```\n\nSee [docs\u002Fci-and-tests.md](docs\u002Fci-and-tests.md) for the full test matrix.\n\n## License\n\nThis project is source-available, not open source. See [LICENSE](LICENSE).\nInternal evaluation, development, testing, and security review are permitted;\nredistribution, hosted third-party service use, and production commercial use\nrequire prior written permission.\n",2,"2026-06-15 02:30:10","CREATED_QUERY"]