Define "MCP Sandbox Interface" and implement limactl mcp serve
#3744
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jul 17, 2025
AkihiroSuda
commented
Jul 17, 2025
| // - [RunShellCommandParams].Directory must not be empty | ||
| // | ||
| // Eventually, this package may be split to a separate repository. | ||
| package msi |
There was a problem hiding this comment.
RFC: "MCP Sandbox Interface" might be a misnomer; it might rather sound like an interface for sandboxing MCP servers, e.g., docker run -i --rm example.com/some-mcp-server /usr/bin/some-mcp-server
https://github.com/google-gemini/gemini-cli/blob/main/docs/tools/mcp-server.md#docker-based-mcp-server
Alternative names:
- AI Sandbox Interface
- Agent Sandbox Interface
- AI Protection Interface
- ...
Thoughts?
AkihiroSuda
force-pushed
the
mcp
branch
2 times, most recently
from
b6abb82 to
dadfb7c
Compare
=== Interface === `pkg/mcp/msi` defines "MCP Sandbox Interface" (tentative) that should be reusable for other projects too. MCP Sandbox Interface defines MCP (Model Context Protocol) tools that can be used for reading, writing, and executing local files with an appropriate sandboxing technology. The sandboxing technology can be more secure and/or efficient than the default tools provided by an AI agent. MCP Sandbox Interface was inspired by Gemini CLI's built-in tools. https://github.com/google-gemini/gemini-cli/tree/v0.1.12/docs/tools === Implementation === `limactl mcp serve INSTANCE` launches an MCP server that implements the MCP Sandbox Interface. Use <https://github.com/modelcontextprotocol/inspector> to play around with the server. ```bash limactl start default brew install mcp-inspector mcp-inspector ``` In the web browser, - Set `Command` to `limactl` - Set `Arguments` to `mcp serve default` - Click `▶️ Connect` === Usage with Gemni CLI === 1. Create `.gemini/extensions/lima/gemini-extension.json` as follows: ```json { "name": "lima", "version": "2.0.0", "mcpServers": { "lima": { "command": "limactl", "args": [ "mcp", "serve", "default" ] } } } ``` 2. Modify `.gemini/settings.json` so as to disable Gemini CLI's built-in tools except ones that do not relate to local command execution and file I/O: ```json { "coreTools": ["WebFetchTool", "WebSearchTool", "MemoryTool"] } ``` Signed-off-by: Akihiro Suda <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR allows AI agents such as Gemini CLI to wrap local file operations (read/write/execute) inside Lima VM.
It should work with Claude Code, Codex, etc. too, but they might need a modification to disable their built-in local file operation tools. (Help wanted for testing)
This feature will be available in Lima v2.0
Preview of the documentation: https://deploy-preview-3744--lima-vm.netlify.app/docs/config/ai/
Interface
pkg/mcp/msidefines "MCP Sandbox Interface" (tentative) that should be reusable for other projects too.MCP Sandbox Interface defines MCP (Model Context Protocol) tools that can be used for reading, writing, and executing local files with an appropriate sandboxing technology. The sandboxing technology can be more secure and/or efficient than the default tools provided by an AI agent.
MCP Sandbox Interface was inspired by Gemini CLI's built-in tools. https://github.com/google-gemini/gemini-cli/tree/v0.1.12/docs/tools
Implementation
limactl mcp serve INSTANCElaunches an MCP server that implements the MCP Sandbox Interface.Use https://github.com/modelcontextprotocol/inspector to play around with the server.
In the web browser,
CommandtolimactlArgumentstomcp serve default▶️ConnectUsage with Gemni CLI
.gemini/extensions/lima/gemini-extension.jsonas follows:{ "name": "lima", "version": "2.0.0", "mcpServers": { "lima": { "command": "limactl", "args": [ "mcp", "serve", "default" ] } } }.gemini/settings.jsonso as to disable Gemini CLI's built-in tools except ones that do not relate to local command execution and file I/O:{ "coreTools": ["WebFetchTool", "WebSearchTool", "MemoryTool"] }TODOs