Why (roadmap: Next)
Governed MCP v1 (docs/GOVERNED-MCP.md) covers remote Streamable HTTP servers. Local stdio servers complete the story — many MCP tools run locally, and stdio avoids network egress entirely.
Sketch
- Spawn the server as a child process through
runGovernedProcess (sandbox + policy) — never a bare spawn (see the governance rules in CONTRIBUTING).
- Same JSON-RPC methods as
src/mcp/client.ts but over stdin/stdout framing.
- Same governed mapping:
mcp__<server>__<tool>, policy admission via mcp.allow, audit mcp_request per call, annotation-derived access tiers.
- Config:
{ id, command, args, enabled } alongside remote servers.
Open questions
- Sandbox profile for a long-lived child (network-denied by default? policy knob?)
- Lifecycle: per-run vs per-session process reuse; kill on run end.
Why (roadmap: Next)
Governed MCP v1 (docs/GOVERNED-MCP.md) covers remote Streamable HTTP servers. Local stdio servers complete the story — many MCP tools run locally, and stdio avoids network egress entirely.
Sketch
runGovernedProcess(sandbox + policy) — never a barespawn(see the governance rules in CONTRIBUTING).src/mcp/client.tsbut over stdin/stdout framing.mcp__<server>__<tool>, policy admission viamcp.allow, auditmcp_requestper call, annotation-derived access tiers.{ id, command, args, enabled }alongside remote servers.Open questions