Installation & Configuration
Coding Tools MCP is a Python package that installs a single CLI command: coding-tools-mcp.
Installation
>=3.11 and declares PyJWT as a runtime dependency. Development extras are available through coding-tools-mcp[dev]; image support declares coding-tools-mcp[image].
Core CLI options
| Option | Default | Purpose |
|---|---|---|
| --workspace | CODING_TOOLS_MCP_WORKSPACE or current directory | Root directory exposed to direct file tools and command execution. |
| --host | CODING_TOOLS_MCP_HOST or 127.0.0.1 | HTTP bind host. |
| --port | CODING_TOOLS_MCP_PORT or 8000 | HTTP bind port. |
| --stdio | false | Use newline-delimited JSON-RPC over stdio instead of HTTP. |
| --auth-token | CODING_TOOLS_MCP_AUTH_TOKEN | Require Authorization: Bearer <token> on /mcp. |
| --oauth-mode | false | Enable OAuth 2.1 Authorization Code + PKCE. |
| --tool-profile | CODING_TOOLS_MCP_TOOL_PROFILE or full | Controls which MCP tools are exposed. |
| --shell-env-inherit | CODING_TOOLS_MCP_SHELL_ENV_INHERIT or core | Baseline environment inherited by exec_command. |
| --permission-mode | mode policy default | Controls exec_command safety gates. |
| --allow-network | false | Compatibility alias allowing network-looking command calls. |
| --enable-view-image | enabled unless CODING_TOOLS_MCP_ENABLE_VIEW_IMAGE=0 | Expose view_image. |
| --dangerously-skip-all-permissions | false | Compatibility alias for --permission-mode dangerous. |
Transports
HTTP
/mcp. The server also exposes metadata at /.well-known/mcp.json and /.well-known/mcp/server-card.json.
Stdio
Authentication
Local loopback HTTP can run without auth. Non-loopback binding is rejected unless one of these is configured:
- --auth-token or CODING_TOOLS_MCP_AUTH_TOKEN
- --oauth-mode or CODING_TOOLS_MCP_OAUTH_MODE=1
- CODING_TOOLS_MCP_AUTH_MODE=noauth for an explicit no-auth deployment behind another trusted boundary
CODING_TOOLS_MCP_AUTH_MODE values are bearer, noauth, and oauth.
OAuth settings are read from:
- CODING_TOOLS_MCP_OAUTH_CLIENT_ID
- CODING_TOOLS_MCP_OAUTH_CLIENT_SECRET
- CODING_TOOLS_MCP_OAUTH_PASSWORD
- CODING_TOOLS_MCP_SERVER_URL
- CODING_TOOLS_MCP_OAUTH_TOKEN_SECRET
- CODING_TOOLS_MCP_OAUTH_TOKEN_TTL
Tool profiles
| Profile | Behavior |
|---|---|
| full | Exposes the full implemented tool set. |
| read-only | Hides tools that mutate files, process state, or runtime permissions. |
| compat-readonly-all | Advertises every exposed tool as read-only for compatibility, while mutation-capable tools can still mutate local state. |
Permission modes
| Mode | Network-looking commands | Shell expansion and inline scripts | Landlock filesystem confinement | Secret env filtering |
|---|---|---|---|---|
| safe | Blocked | Blocked | Enabled when available | Enabled |
| trusted | Allowed | Allowed | Enabled when available | Enabled |
| dangerous | Allowed | Allowed | Disabled | Disabled |
trusted for normal local development tasks that need package managers, test runners, or shell features. Use dangerous only when an outer sandbox already provides the real isolation boundary.
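A pre-launch check that applies the authentication, tool-profile and permission-mode rules above to a planned command line. This is an added example, not code from the Coding Tools MCP project: the function names and finding codes are hypothetical, and it assumes CLI flags override environment variables, that `--flag=value` is accepted, and that `localhost` counts as loopback.

```python
import ipaddress

def flag_value(argv, flag):
    """Return the value of `--flag value` or `--flag=value`, else None."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
    return None

def setting(argv, env, flag, var, default=None):
    """CLI flag first, then environment variable, then the documented default."""
    value = flag_value(argv, flag)
    return value if value is not None else env.get(var, default)

def is_loopback(host):
    # Assumption: "localhost" counts as loopback; any other hostname does not.
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_launch(argv, env):
    """Return findings ("code: explanation") for a planned launch."""
    findings = []
    host = setting(argv, env, "--host", "CODING_TOOLS_MCP_HOST", "127.0.0.1")
    has_bearer = bool(setting(argv, env, "--auth-token", "CODING_TOOLS_MCP_AUTH_TOKEN"))
    has_oauth = "--oauth-mode" in argv or env.get("CODING_TOOLS_MCP_OAUTH_MODE") == "1"
    if "--stdio" not in argv and not is_loopback(host):
        if env.get("CODING_TOOLS_MCP_AUTH_MODE") == "noauth":
            findings.append("noauth-exposed: no-auth on a non-loopback bind; verify the outer boundary")
        elif not (has_bearer or has_oauth):
            findings.append("bind-rejected: non-loopback bind with no auth configured")
    if ("--dangerously-skip-all-permissions" in argv
            or flag_value(argv, "--permission-mode") == "dangerous"):
        findings.append("dangerous-mode: Landlock and secret env filtering disabled")
    profile = setting(argv, env, "--tool-profile", "CODING_TOOLS_MCP_TOOL_PROFILE", "full")
    if profile == "compat-readonly-all":
        findings.append("readonly-label-only: tools advertised as read-only can "
                        "still mutate local state")
    return findings

if __name__ == "__main__":
    # Constructed launch: exposed bind, no auth, dangerous mode.
    for finding in audit_launch(["--host", "0.0.0.0", "--permission-mode", "dangerous"], {}):
        print(finding)
```

An empty result means none of these three rules fired; it does not check OAuth settings or the command environment.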
Command environment
exec_command inherits a controlled environment. --shell-env-inherit accepts:
- core: inherit core variables such as PATH and locale values.
- all: inherit the process environment subject to filtering.
- none: start from an empty baseline except explicit values.
exec_command.env; secret-looking names, values, and risky loader/startup variables are filtered in safe and trusted modes.
Runtime files
The server uses a runtime root named coding-tools-mcp under the system temp directory unless CODING_TOOLS_MCP_RUNTIME_ROOT is set. This root is used for runtime-managed home/tmp areas and command sessions.