mcpx

A highly reliable, maximally capable Model Context Protocol server for complete shell and SSH mastery.

mcpx gives an MCP client (Claude, or any MCP-compatible agent) a robust, auditable interface to operate a Linux host and a fleet of remote hosts over SSH: one-shot command execution, long-lived interactive PTY sessions, scripted runs, SFTP transfer, port forwarding, and host-inventory aware connectivity.

It is designed as operator infrastructure tooling for hosts you own and administer. The default operating posture is native, full access (no sandbox), matching the way real administration is performed, paired with the defensive controls a production operator actually needs: an append-only, output-hashed audit trail; a tiered-authority policy layer; secret redaction; strict resource and timeout bounds; and an optional OAuth 2.1 edge.

The architecture, security model, and deployment patterns are modeled on a mature production MCP gateway and on established operational best practices.

Why

Engineers SSH into hosts and run commands from memory, with no structured reasoning trail and no pre-execution review. A well-built MCP relay improves on that baseline: every action is captured with arguments, an output hash, an exit code, and a tier classification; limits and timeouts are enforced centrally; failure paths never crash the transport. The reasoning layer sits inside the loop and can assess blast radius before acting.

Capabilities

Local shell

SSH

Sessions (local PTY and SSH PTY, unified)

Diagnostics

Full reference: docs/tools.md.

Quickstart

git clone https://github.com/rmednitzer/mcp.git && cd mcp
python3 -m venv .venv && . .venv/bin/activate
pip install -e ".[dev]"

# stdio transport (local agent / Claude Desktop / MCP Inspector)
mcpx

# HTTP transport (streamable-http on 127.0.0.1:8080)
MCPX_TRANSPORT=http mcpx

Register with an MCP client (stdio):

{ "mcpServers": { "mcpx": { "command": "mcpx" } } }

Configuration is environment-driven; see .env.example and docs/deployment.md.

Security posture

mcpx runs unsandboxed with the privileges of its service account by design (see docs/adr/0002-no-sandbox-full-access.md): sandboxing the process would defeat the very capability it exists to provide. Safety is achieved with compensating controls, not by crippling the tool:

• Audit - every invocation appended as one JSON line with a SHA-256 hash of the output (never the output body), byte length, exit code, request and client id, and the assessed tier. Append-only on disk; rotation-safe handler.

• Tiered authority - every call is classified Tier 0..3 (docs/adr/0003-tiered-authority.md). MCPX_POLICY_MODE selects open (default), guarded, or readonly.

• Redaction - audited arguments are scrubbed for tokens, keys, and Authorization material.

• Bounds - timeout and output caps on every tool; bounded session count and buffers; idle/lifetime reaping.

• Optional OAuth 2.1 - DCR with single-client lockdown, PKCE, file-backed rotating tokens, lazy expiry (HTTP transport).

• Edge - a reference Caddy config restricts the endpoint to known CIDRs with TLS and security headers; systemd unit applies resource caps.

This server grants real administrative power. Run it only as a scoped service account, only on hosts you are authorized to administer, behind the network controls in docs/deployment.md. See SECURITY.md for the threat model and reporting.

Layout

src/mcpx/        server, config, audit, policy, redaction, sessions, tools, auth
deploy/          systemd unit + hardening drop-in, Caddyfile, logrotate, install.sh
docs/            architecture, tool reference, deployment, ADRs
tests/           unit + integration (in-process SSH server, no network)

Development

ruff check . && ruff format --check .
mypy
pytest

License

Apache-2.0. See LICENSE and NOTICE.