dask-58/mcpbox

mcpbox

Sandboxed MCP server host. It runs MCP tools as WASM components with capability-based isolation, so tools only see what they are explicitly granted.

What this is

  • A single binary MCP server host (stdio transport for MVP)
  • Per-invocation WASM sandbox with deny-by-default capabilities
  • AOT compiled components with a disk cache for fast startups
  • Strict failure isolation: traps/timeouts never crash the host

Quick start

  1. Build the host
    • cargo build
  2. Build the reference tool
    • ./build-echo-tool.sh
  3. Validate config
    • cargo run -- serve --config sandbox.toml --dry-run
  4. Run the server (stdio)
    • cargo run -- serve --config sandbox.toml

Minimal MCP call (stdio)

Send a JSON-RPC request on stdin:

{
   "jsonrpc":"2.0",
   "id":1,
   "method":"tools/call",
   "params":{
      "name":"echo",
      "arguments":{
         "op":"echo",
         "text":"hello"
      }
   }
}

You should receive a JSON-RPC response with content in result.

Config basics

  • sandbox.toml declares tools, capabilities, and resource limits
  • Capabilities are deny-by-default: no fs, no net, no env unless granted
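
A sketch of what deny-by-default means for the fs, net and env capabilities listed above, added here as an illustration: it is not mcpbox's code or its sandbox.toml schema, and every type and function name in it (Grants, Request, normalize, allowed) is hypothetical. It goes slightly beyond the text by showing why filesystem grants need path normalization and whole-component prefix matching.

```rust
// Illustrative model of deny-by-default capability checks.
// All names are hypothetical; this is not mcpbox's code or config schema.
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};

#[derive(Default)] // the default is empty grants, so every request is denied
pub struct Grants {
    pub fs_read: Vec<PathBuf>, // absolute directories the tool may read under
    pub net: HashSet<String>,  // exact "host:port" endpoints
    pub env: HashSet<String>,  // exact variable names
}

pub enum Request<'a> { FsRead(&'a str), Net(&'a str), Env(&'a str) }

// Resolve `.` and `..` lexically; reject relative paths and any `..` that
// would climb above the root. Lexical only: symlinks are not resolved here.
fn normalize(p: &str) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for c in Path::new(p).components() {
        match c {
            Component::RootDir => out.push("/"),
            Component::CurDir => {}
            Component::ParentDir => if !out.pop() { return None },
            Component::Normal(s) => out.push(s),
            Component::Prefix(_) => return None,
        }
    }
    if out.is_absolute() { Some(out) } else { None }
}

pub fn allowed(g: &Grants, r: &Request) -> bool {
    match r {
        // Path::starts_with compares whole components, so a grant on
        // /data does not cover /data2.
        Request::FsRead(p) => normalize(p)
            .map_or(false, |n| g.fs_read.iter().any(|root| n.starts_with(root))),
        Request::Net(ep) => g.net.contains(*ep),
        Request::Env(k) => g.env.contains(*k),
    }
}

fn main() {
    let mut g = Grants::default();
    g.fs_read.push(PathBuf::from("/data")); // constructed sample grant
    for p in ["/data/in.txt", "/data/../etc/passwd", "/data2/x", "data/in.txt"] {
        let verdict = if allowed(&g, &Request::FsRead(p)) { "allow" } else { "deny" };
        println!("{:<22} {}", p, verdict);
    }
    println!("env HOME allowed: {}", allowed(&g, &Request::Env("HOME")));
}
```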

Common commands

  • cargo test
  • cargo run -- serve --config sandbox.toml --dry-run

Docs [to be added soon]

  • design/v1.md for the full design spec
  • blog/ for byte-sized implementation notes

About

Sandboxed MCP server host that runs tools as WASM components with capability-based isolation, fast cold starts, and strict failure isolation.
