MCP Build Environment Service

Instructions

Implementation Reference

• src/server.py:502-519 (handler)

  The handler function for the 'git' tool. Extracts repo, branch, and args from input, validates args using validate_git_args, constructs the git command by splitting args and prepending 'git', then executes it in the repository worktree using execute_in_worktree.
  async def handle_git(self, args: Dict[str, Any]) -> List[TextContent]: """Handle git command""" repo = args.get("repo") branch = args.get("branch") git_args = args.get("args", "") if not git_args: raise ValueError("git command requires arguments") # Validate arguments validate_git_args(git_args) # Build command cmd = ["git"] + shlex.split(git_args) # Execute in appropriate worktree with locking result = await self.execute_in_worktree(repo, branch, cmd) return [TextContent(type="text", text=result)]
• src/server.py:348-371 (registration)

  Registers the 'git' tool with the MCP server via the list_tools handler. Includes tool name, description, and input schema specifying required 'repo' and 'args', optional 'branch'.
  Tool( name="git", description="Run git commands in a repository. " "Limited to safe operations: status, log, checkout, pull, branch, diff, fetch, reset, show. " "If branch is specified, creates/uses a hidden worktree (.repo@branch) for isolation.", inputSchema={ "type": "object", "properties": { "args": { "type": "string", "description": "Git command and arguments (e.g., 'status', 'checkout main', 'pull origin main')" }, "repo": { "type": "string", "description": "Repository name (required)" }, "branch": { "type": "string", "description": "Git branch name (optional). If provided, uses isolated worktree." } }, "required": ["args", "repo"] } ),
• src/server.py:353-370 (schema)

  JSON schema for the 'git' tool input: object with 'args' (string, required), 'repo' (string, required), 'branch' (string, optional). Defines validation for tool calls.
  inputSchema={ "type": "object", "properties": { "args": { "type": "string", "description": "Git command and arguments (e.g., 'status', 'checkout main', 'pull origin main')" }, "repo": { "type": "string", "description": "Repository name (required)" }, "branch": { "type": "string", "description": "Git branch name (optional). If provided, uses isolated worktree." } }, "required": ["args", "repo"] }
• src/validators.py:71-116 (helper)

  Helper function to validate git arguments. Checks for dangerous patterns, ensures subcommand is in ALLOWED_GIT_COMMANDS, and blocks force operations on checkout/pull.
  def validate_git_args(args: str) -> None: """ Validate git command arguments Only allows safe read-only and branch operations: - status, log, branch, diff, show (read-only) - checkout, pull, fetch (branch operations) Args: args: Git command arguments Raises: ValueError: If arguments contain dangerous patterns or disallowed commands """ if not args: raise ValueError("Git command requires arguments") # Check for dangerous patterns if contains_dangerous_pattern(args): raise ValueError(f"Git arguments contain dangerous patterns: {args}") # Extract the git subcommand (first word) parts = args.strip().split() if not parts: raise ValueError("Empty git command") subcommand = parts[0].lower() # Check if subcommand is allowed if subcommand not in ALLOWED_GIT_COMMANDS: raise ValueError( f"Git subcommand '{subcommand}' not allowed. " f"Allowed commands: {', '.join(sorted(ALLOWED_GIT_COMMANDS))}" ) # Additional checks for specific commands if subcommand == "checkout": # Block checkout with -f (force) or -b with remote paths if "-f" in parts or "--force" in parts: raise ValueError("Force checkout not allowed") if subcommand == "pull": # Block force pull if "-f" in parts or "--force" in parts: raise ValueError("Force pull not allowed")
• src/validators.py:13-16 (helper)

  Set of allowed git subcommands used by validate_git_args to restrict operations to safe ones.
  # Allowed git subcommands ALLOWED_GIT_COMMANDS = { "status", "log", "checkout", "pull", "branch", "diff", "fetch", "reset", "show" }