mcp-execution

The project adheres to Microsoft Rust Guidelines, explicitly denying `unsafe` code. It implements defense-in-depth security measures for command execution, path validation (preventing directory traversal), and limits on file sizes and counts (DoS protection) when scanning user-provided directories. The `mcp-execution-cli` and `runtime/mcp-bridge.ts` validate inputs and sanitize command arguments passed to external MCP servers. Environment variables for sensitive tokens are expected to be passed securely to target servers, not directly handled by the `mcp-execution` server itself. The overall design principle 'No Code Execution' for generated TypeScript (it's for type info) enhances safety. No hardcoded secrets were found. However, the runtime bridge `mcp-bridge.ts` spawns `ChildProcess` which inherently carries some risk if not rigorously validated, though the core Rust components do extensive validation before passing arguments.