Define "MCP Sandbox Interface" and implement limactl mcp serve

=== Interface ===

`pkg/mcp/msi` defines "MCP Sandbox Interface" (tentative)
that should be reusable for other projects too.

MCP Sandbox Interface defines MCP (Model Context Protocol) tools
that can be used for reading, writing, and executing local files
with an appropriate sandboxing technology. The sandboxing technology
can be more secure and/or efficient than the default tools provided
by an AI agent.

MCP Sandbox Interface was inspired by Gemini CLI's built-in tools.
https://github.com/google-gemini/gemini-cli/tree/v0.1.12/docs/tools

=== Implementation ===

`limactl mcp serve INSTANCE` launches an MCP server that implements the MCP
Sandbox Interface.

Use <https://github.com/modelcontextprotocol/inspector>
to play around with the server.

```bash
limactl start default
brew install mcp-inspector
mcp-inspector
```
In the web browser,
- Set `Command` to `limactl`
- Set `Arguments` to `mcp serve default`
- Click `▶️Connect`

=== Usage with Gemni CLI ===

1. Create `.gemini/extensions/lima/gemini-extension.json` as follows:
```json
{
  "name": "lima",
  "version": "2.0.0",
  "mcpServers": {
    "lima": {
      "command": "limactl",
      "args": [
        "mcp",
        "serve",
        "default"
      ]
    }
  }
}
```

2. Modify `.gemini/settings.json` so as to disable Gemini CLI's built-in tools
except ones that do not relate to local command execution and file I/O:
```json
{
  "coreTools": ["WebFetchTool", "WebSearchTool", "MemoryTool"]
}
```

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

Makefile

@@ -88,6 +88,8 @@ help-targets:
 	@echo  '- limactl                   : Build limactl, and lima'
 	@echo  '- lima                      : Copy lima, and lima.bat'
 	@echo  '- helpers                   : Copy nerdctl.lima, apptainer.lima, docker.lima, podman.lima, and kubectl.lima'
+	# TODO: move CLI plugins to _output/libexec/lima/
+	@echo  '- limactl-plugins           : Build limactl-* CLI plugins'
 	@echo
 	@echo  'Targets for files in _output/share/lima/:'
 	@echo  '- guestagents               : Build guestagents'
@@ -150,7 +152,7 @@ CONFIG_GUESTAGENT_COMPRESS=y
 
 ################################################################################
 .PHONY: binaries
-binaries: limactl helpers guestagents \
+binaries: limactl helpers limactl-plugins guestagents \
 	templates template_experimentals \
 	documentation create-links-in-doc-dir
 
@@ -256,6 +258,11 @@ ifeq ($(GOOS),darwin)
 	codesign -f -v --entitlements vz.entitlements -s - $@
 endif
 
+limactl-plugins: _output/bin/limactl-mcp$(exe)
+
+_output/bin/limactl-mcp$(exe): $(call dependencies_for_cmd,limactl-mcp) $$(call force_build,$$@)
+	$(ENVS_$@) $(GO_BUILD) -o $@ ./cmd/limactl-mcp
+
 DRIVER_INSTALL_DIR := _output/libexec/lima
 
 .PHONY: additional-drivers

cmd/limactl-mcp/main.go

@@ -0,0 +1,159 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"runtime"
+	"strings"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/lima-vm/lima/v2/pkg/mcp/toolset"
+	"github.com/lima-vm/lima/v2/pkg/store"
+	"github.com/lima-vm/lima/v2/pkg/version"
+)
+
+func main() {
+	if err := newApp().Execute(); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+func newApp() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:           "limactl-mcp",
+		Short:         "Model Context Protocol plugin for Lima (EXPERIMENTAL)",
+		Version:       strings.TrimPrefix(version.Version, "v"),
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	cmd.AddCommand(
+		newMcpInfoCommand(),
+		newMcpServeCommand(),
+		// TODO: `limactl-mcp install-gemini` ?
+	)
+	return cmd
+}
+
+func newServer() *mcp.Server {
+	impl := &mcp.Implementation{
+		Name:    "lima",
+		Title:   "Lima VM, for sandboxing local command executions and file I/O operations",
+		Version: version.Version,
+	}
+	serverOpts := &mcp.ServerOptions{
+		Instructions: `This MCP server provides tools for sandboxing local command executions and file I/O operations,
+by wrapping them in Lima VM (https://lima-vm.io).
+
+Use these tools to avoid accidentally executing malicious codes directly on the host.
+`,
+	}
+	if runtime.GOOS != "linux" {
+		serverOpts.Instructions += fmt.Sprintf(`
+
+NOTE: the guest OS of the VM is Linux, while the host OS is %s.
+`, strings.ToTitle(runtime.GOOS))
+	}
+	return mcp.NewServer(impl, serverOpts)
+}
+
+func newMcpInfoCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "info",
+		Short: "Show information about the MCP server",
+		Args:  cobra.NoArgs,
+		RunE:  mcpInfoAction,
+	}
+	return cmd
+}
+
+func mcpInfoAction(cmd *cobra.Command, args []string) error {
+	ctx := cmd.Context()
+
+	ts, err := toolset.New()
+	if err != nil {
+		return err
+	}
+	server := newServer()
+	if err = ts.RegisterServer(server); err != nil {
+		return err
+	}
+	serverTransport, clientTransport := mcp.NewInMemoryTransports()
+	serverSession, err := server.Connect(ctx, serverTransport, nil)
+	if err != nil {
+		return err
+	}
+	client := mcp.NewClient(&mcp.Implementation{Name: "client"}, nil)
+	clientSession, err := client.Connect(ctx, clientTransport, nil)
+	if err != nil {
+		return err
+	}
+	toolsResult, err := clientSession.ListTools(ctx, &mcp.ListToolsParams{})
+	if err != nil {
+		return err
+	}
+	if err = clientSession.Close(); err != nil {
+		return err
+	}
+	if err = serverSession.Wait(); err != nil {
+		return err
+	}
+	info := &Info{
+		Tools: toolsResult.Tools,
+	}
+	j, err := json.MarshalIndent(info, "", "    ")
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprint(cmd.OutOrStdout(), string(j))
+	return err
+}
+
+type Info struct {
+	Tools []*mcp.Tool `json:"tools"`
+}
+
+func newMcpServeCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "serve INSTANCE",
+		Short: "Serve MCP over stdio",
+		Long: `Serve MCP over stdio.
+
+Expected to be executed via an AI agent, not by a human`,
+		Args: cobra.MaximumNArgs(1),
+		RunE: mcpServeAction,
+	}
+	return cmd
+}
+
+func mcpServeAction(cmd *cobra.Command, args []string) error {
+	ctx := cmd.Context()
+	instName := "default"
+	if len(args) > 0 {
+		instName = args[0]
+	}
+
+	ts, err := toolset.New()
+	if err != nil {
+		return err
+	}
+	server := newServer()
+	if err = ts.RegisterServer(server); err != nil {
+		return err
+	}
+
+	inst, err := store.Inspect(ctx, instName)
+	if err != nil {
+		return err
+	}
+	if err = ts.RegisterInstance(ctx, inst); err != nil {
+		return err
+	}
+	transport := &mcp.StdioTransport{}
+	return server.Run(ctx, transport)
+}

go.mod

@@ -31,9 +31,11 @@ require (
 	github.com/mdlayher/vsock v1.2.1 // gomodjail:unconfined
 	github.com/miekg/dns v1.1.68 // gomodjail:unconfined
 	github.com/mikefarah/yq/v4 v4.47.2
+	github.com/modelcontextprotocol/go-sdk v0.4.0
 	github.com/nxadm/tail v1.4.11 // gomodjail:unconfined
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
+	github.com/pkg/sftp v1.13.9
 	github.com/rjeczalik/notify v0.9.3
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sethvargo/go-password v0.3.1
@@ -105,13 +107,13 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pkg/sftp v1.13.9 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	// gomodjail:unconfined
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
@@ -135,6 +137,7 @@ require (
 
 require (
 	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/google/jsonschema-go v0.2.1-0.20250825175020-748c325cec76 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect

go.sum

@@ -118,6 +118,8 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/google/jsonschema-go v0.2.1-0.20250825175020-748c325cec76 h1:mBlBwtDebdDYr+zdop8N62a44g+Nbv7o2KjWyS1deR4=
+github.com/google/jsonschema-go v0.2.1-0.20250825175020-748c325cec76/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
@@ -191,6 +193,8 @@ github.com/mikefarah/yq/v4 v4.47.2 h1:Jb5fHlvgK5eeaPbreG9UJs1E5w6l5hUzXjeaY6LTTW
 github.com/mikefarah/yq/v4 v4.47.2/go.mod h1:ulYbZUzGJsBDDwO5ohvk/KOW4vW5Iddd/DBeAY1Q09g=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/modelcontextprotocol/go-sdk v0.4.0 h1:RJ6kFlneHqzTKPzlQqiunrz9nbudSZcYLmLHLsokfoU=
+github.com/modelcontextprotocol/go-sdk v0.4.0/go.mod h1:whv0wHnsTphwq7CTiKYHkLtwLC06WMoY2KpO+RB9yXQ=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -266,6 +270,8 @@ github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
+github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

pkg/mcp/msi/filesystem.go

@@ -0,0 +1,83 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Portion of AI prompt texts from:
+// - https://github.com/google-gemini/gemini-cli/blob/v0.1.12/docs/tools/file-system.md
+//
+// SPDX-FileCopyrightText: Copyright 2025 Google LLC
+
+package msi
+
+import (
+	"io/fs"
+	"time"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+var ListDirectory = &mcp.Tool{
+	Name:        "list_directory",
+	Description: `Lists the names of files and subdirectories directly within a specified directory path.`,
+}
+
+type ListDirectoryParams struct {
+	Path string `json:"path" jsonschema:"The absolute path to the directory to list."`
+}
+
+// ListDirectoryResultEntry is similar to [io/fs.FileInfo].
+type ListDirectoryResultEntry struct {
+	Name    string       `json:"name" jsonschema:"base name of the file"`
+	Size    *int64       `json:"size,omitempty" jsonschema:"length in bytes for regular files; system-dependent for others"`
+	Mode    *fs.FileMode `json:"mode,omitempty" jsonschema:"file mode bits"`
+	ModTime *time.Time   `json:"time,omitempty" jsonschema:"modification time"`
+	IsDir   *bool        `json:"is_dir,omitempty" jsonschema:"true for a directory"`
+}
+
+type ListDirectoryResult struct {
+	Entries []ListDirectoryResultEntry `json:"entries" jsonschema:"The directory content entries."`
+}
+
+var ReadFile = &mcp.Tool{
+	Name:        "read_file",
+	Description: `Reads and returns the content of a specified file.`,
+}
+
+type ReadFileParams struct {
+	Path string `json:"path" jsonschema:"The absolute path to the file to read."`
+	// Offset *int   `json:"offset,omitempty" jsonschema:"For text files, the 0-based line number to start reading from. Requires limit to be set."`
+	// Limit  *int   `json:"limit,omitempty" jsonschema:"For text files, the maximum number of lines to read. If omitted, reads a default maximum (e.g., 2000 lines) or the entire file if feasible."`
+}
+
+var WriteFile = &mcp.Tool{
+	Name:        "write_file",
+	Description: `Writes content to a specified file. If the file exists, it will be overwritten. If the file doesn't exist, it (and any necessary parent directories) will be created.`,
+}
+
+type WriteFileParams struct {
+	Path    string `json:"path" jsonschema:"The absolute path to the file to write to."`
+	Content string `json:"content" jsonschema:"The content to write into the file."`
+}
+
+var Glob = &mcp.Tool{
+	Name:        "glob",
+	Description: `Finds files matching specific glob patterns (e.g., src/**/*.ts, *.md)`, // Not sorted yet, unlike Gemini
+}
+
+type GlobParams struct {
+	Pattern string  `json:"pattern" jsonschema:"The glob pattern to match against (e.g., '*.py', 'src/**/*.js')."`
+	Path    *string `json:"path,omitempty" jsonschema:"The absolute path to the directory to search within. If omitted, searches the tool's root directory."`
+	// CaseSensitive bool    `json:"case_sensitive,omitempty" jsonschema:": Whether the search should be case-sensitive. Defaults to false."`
+}
+
+var SearchFileContent = &mcp.Tool{
+	Name:        "search_file_content",
+	Description: `searches for a regular expression pattern within the content of files in a specified directory. Internally calls 'git grep -n --no-index'.`,
+}
+
+type SearchFileContentParams struct {
+	Pattern string  `json:"pattern" jsonschema:"The regular expression (regex) to search for (e.g., 'function\\s+myFunction')."`
+	Path    *string `json:"path,omitempty" jsonschema:"The absolute path to the directory to search within. Defaults to the current working directory."`
+	Include *string `json:"include,omitempty" jsonschema:"A glob pattern to filter which files are searched (e.g., '*.js', 'src/**/*.{ts,tsx}'). If omitted, searches most files (respecting common ignores)."`
+}
+
+// TODO: implement Replace

pkg/mcp/msi/msi.go

@@ -0,0 +1,24 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Package msi provides the "MCP Sandbox Interface" (tentative)
+// that should be reusable for other projects too.
+//
+// MCP Sandbox Interface defines MCP (Model Context Protocol) tools
+// that can be used for reading, writing, and executing local files
+// with an appropriate sandboxing technology. The sandboxing technology
+// can be more secure and/or efficient than the default tools provided
+// by an AI agent.
+//
+// MCP Sandbox Interface was inspired by Gemini CLI's built-in tools.
+// https://github.com/google-gemini/gemini-cli/tree/v0.1.12/docs/tools
+//
+// Notable differences from Gemini CLI's built-in tools:
+//   - the output format is JSON, not a plain text
+//   - the output of [SearchFileContent] always corresponds to `git grep -n --no-index`
+//   - [RunShellCommandParams].Command is a string slice, not a string
+//   - [RunShellCommandParams].Directory is a absolute path, not a relative path
+//   - [RunShellCommandParams].Directory must not be empty
+//
+// Eventually, this package may be split to a separate repository.
+package msi

pkg/mcp/msi/shell.go

@@ -0,0 +1,29 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+// Portion of AI prompt texts from:
+// - https://github.com/google-gemini/gemini-cli/blob/v0.1.12/docs/tools/shell.md
+//
+// SPDX-FileCopyrightText: Copyright 2025 Google LLC
+
+package msi
+
+import "github.com/modelcontextprotocol/go-sdk/mcp"
+
+var RunShellCommand = &mcp.Tool{
+	Name:        "run_shell_command",
+	Description: `Executes a given shell command.`,
+}
+
+type RunShellCommandParams struct {
+	Command     []string `json:"command" jsonschema:"The exact shell command to execute. Defined as a string slice, unlike Gemini's run_shell_command that defines it as a single string."`
+	Description string   `json:"description,omitempty" jsonschema:"A brief description of the command's purpose, which will be potentially shown to the user."`
+	Directory   string   `json:"directory" jsonschema:"The absolute directory in which to execute the command. Unlike Gemini's run_shell_command, this must not be a relative path, and must not be empty."`
+}
+
+type RunShellCommandResult struct {
+	Stdout   string `json:"stdout" jsonschema:"Output from the standard output stream."`
+	Stderr   string `json:"stderr" jsonschema:"Output from the standard error stream."`
+	Error    string `json:"error,omitempty" jsonschema:"Any error message reported by the subprocess."`
+	ExitCode *int   `json:"exit_code,omitempty" jsonschema:"Exit code of the command."`
+}