nu-mcp

Verified Safe

by ck3mp3r

Overview

Serves as a Model Context Protocol (MCP) server, exposing Nushell capabilities and custom CLI tools (e.g., Kubernetes, Git, Tmux) to AI agents with a focus on security and path validation.

Installation

Run Command
nu-mcp

Environment Variables

  • MCP_NU_MCP_TIMEOUT
  • KUBECONFIG
  • KUBE_CONTEXT
  • KUBE_NAMESPACE
  • MCP_K8S_MODE
  • MCP_INSECURE_TLS
  • MCP_READ_ONLY
  • MCP_TOON
  • CONTEXT7_API_KEY
  • MCP_GITHUB_MODE

Security Notes

The server's core functionality involves executing arbitrary Nushell commands, either directly via `run_nushell` or through extension tools. This is a powerful capability that inherently requires strong security controls.

The project implements a robust security sandbox, primarily through path validation (`src/security/mod.rs`), which aims to prevent path traversal attacks and restrict filesystem access to explicitly allowed directories (current working directory plus any `--add-path` arguments). It uses canonicalization to resolve symlinks and `..` components.

A critical component is the `safe_command_patterns.txt` allowlist. Commands matching these regex patterns (e.g., `gh api`, `kubectl get /apis/`) bypass full path validation, as they are presumed to use non-filesystem path arguments. The documentation (`src/security/README.md`) explicitly warns against adding commands that access the filesystem to this list. Misconfigurations or outdated patterns in this allowlist could introduce vulnerabilities.

Non-existent path-like strings outside the sandbox (e.g., API endpoints) are cached (`PathCache`) for performance, but the system explicitly ensures that *existing* files outside the sandbox are never cached and are always blocked.

Network communication is handled by the executed Nushell commands/tools (e.g., `curl`), not the Rust server itself, which operates over standard I/O (stdio).

Destructive operations in extension tools (e.g., `delete_application` in ArgoCD, `kill_pane` in Tmux) are designed to require explicit `force: true` parameters and/or operate within safety modes (`MCP_K8S_MODE`, `MCP_GITHUB_MODE`).

No hardcoded secrets were identified in the Rust codebase; environment variables are used for configuration.

Overall, the project demonstrates a strong commitment to security, but the inherent power of executing arbitrary commands necessitates careful management of the allowlist and understanding of the sandbox's boundaries.

Stats

Interest Score: 32
Security Score: 8
Cost Class: Medium
Avg Tokens: 1000
Stars: 2
Forks: 0
Last Update: 2026-01-19

Tags

MCP Server, Nushell, Tool Orchestration, Security Sandbox, CLI Automation