Limitations

These limitations are based on the current implementation and repository state.

Not an agent framework

Coding Tools MCP exposes tools. It does not plan tasks, manage memory, choose model prompts, or provide an agent runtime. Those responsibilities belong to the MCP client or surrounding application.

Workspace scope is explicit

The server works inside a configured workspace. It is not designed to browse arbitrary filesystem locations. Direct file tools resolve paths against the workspace and reject unsafe or unsupported paths.
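
One way a workspace-scoped resolver can reject unsafe paths, shown as an added example and not the server's own code. The names resolve_in_workspace and PathRejected and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile


class PathRejected(ValueError):
    """Raised when a requested path would leave the workspace."""


def resolve_in_workspace(workspace: str, requested: str) -> str:
    """Return the real path of `requested` if it stays inside `workspace`.

    Hypothetical helper, not the project's implementation.
    """
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    root = os.path.realpath(workspace)
    # join() discards `root` when `requested` is absolute; the containment
    # check below is what rejects that case. realpath() follows symlinks.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected(f"{requested!r} resolves outside the workspace")
    return candidate


def demo() -> dict:
    """Classify constructed sample requests against a temporary workspace."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workspace = os.path.join(tmp, "ws")
        os.makedirs(os.path.join(workspace, "src"))
        outside = os.path.join(tmp, "secret.txt")  # sits next to, not in, ws
        with open(outside, "w") as fh:
            fh.write("constructed sample data")
        os.symlink(outside, os.path.join(workspace, "link"))
        samples = [
            ("relative", "src/main.py"),
            ("dotdot-inside", "src/../README.md"),
            ("dotdot-escape", "../secret.txt"),
            ("absolute", outside),
            ("symlink-escape", "link"),
        ]
        for label, requested in samples:
            try:
                resolve_in_workspace(workspace, requested)
                results[label] = "allowed"
            except PathRejected:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:15} {verdict}")
```

The check is point-in-time: a symlink swapped in between the check and the open is not caught, so a resolver like this complements OS-level confinement rather than replacing it.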

HTTP transport is JSON-RPC only

The HTTP endpoint is /mcp and expects JSON-RPC. It is not a REST API for direct tool calls. Clients should use MCP initialize, tools/list, and tools/call.

Stdio is line-oriented

The stdio transport reads newline-delimited JSON-RPC. Clients that expect a different framing protocol need an adapter.

Text file support is UTF-8

read_file supports UTF-8 text and rejects binary-looking files. Use view_image for supported images when enabled. Other binary inspection workflows should go through appropriate command-line tools under the configured permission mode.

Command safety is policy-based

The permission modes add meaningful safety gates, but they are not a substitute for a container, VM, or operating-system sandbox when running untrusted commands. The dangerous mode disables command permission gates.

Landlock availability varies

Landlock confinement depends on the Linux host. When unavailable, the server reports that commands ran with policy checks only.

Tool profiles are exposure controls

The read-only profile hides mutating tools from the client. compat-readonly-all is compatibility metadata, not a security boundary. If you need hard isolation, combine a narrow workspace, authentication, a least-privilege profile, and external sandboxing.

Remote use needs deployment discipline

The server can be exposed over HTTP, but remote exec_command is still remote code execution in the server environment. Use auth, TLS, narrow workspaces, and external isolation for remote deployments.

Port defaults can differ by layer

The direct CLI defaults to port 8000. Some repository helper scripts or tunnel workflows may use 8765. Always confirm the actual server port and client URL when debugging connection issues.