
MCP server ignores CLI execution limits, creates unconstrained interpreters #981

@chaliy

Description


Summary

Each tools/call to the MCP "bash" tool constructs a fresh interpreter with bashkit::Bash::new() using the default configuration, so CLI flags such as --max-commands are never applied to it. MCP clients can therefore run arbitrarily long or complex scripts with no execution limits.

Severity: Medium
Category: Resource Exhaustion / Missing Security Controls (TM-DOS)

Affected Files

  • crates/bashkit-cli/src/mcp.rs, lines ~274-275

Code

let mut bash = bashkit::Bash::new();  // default, no limits

The CLI's build_bash() function, which applies args.max_commands (and the other configured limits) to the interpreter, is only called on the oneshot code path. The MCP code path never consults Args at all, so the parsed flags are silently dropped.

Steps to Reproduce

  1. Start bashkit in MCP mode with a limit configured: bashkit --mcp --max-commands 100
  2. Send a tools/call request for the "bash" tool with a script containing 100,000+ commands
  3. The script runs to completion; the configured 100-command limit is never enforced

Impact

  • MCP clients bypass every execution limit configured on the command line
  • Each call allocates a new interpreter with no cap on its work, so a client issuing repeated calls can drive memory and CPU use without bound
  • No rate limiting on interpreter creation

Acceptance Criteria

  • MCP handler receives the parsed CLI configuration (limits, feature flags) and applies it to every interpreter it creates
  • max_commands, max_loop_iterations and timeout are enforced on each MCP call
  • Test: an MCP tool call whose script exceeds --max-commands is stopped at the limit
  • Consider: per-request resource limits, configurable via the MCP tool input, that may only tighten (never loosen) the CLI-configured values
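To make the fix and its test concrete, here is an added example (not bashkit's own code). `Interp`, `Limits`, `McpHandler` and `run` are hypothetical stand-ins for the real bashkit types; the point is that the CLI parses the limits once and every code path that constructs an interpreter, the MCP handler included, goes through one constructor that applies them, rather than calling the unlimited default. The sample script is constructed inline.

```rust
// Added illustration, not bashkit's implementation. `Limits`, `Interp` and
// `McpHandler` are hypothetical stand-ins modelling the bug in #981 and a fix.

use std::sync::Arc;

/// Limits as parsed from the CLI (`--max-commands`, `--max-loop-iterations`).
#[derive(Clone, Debug)]
pub struct Limits {
    pub max_commands: usize,
    pub max_loop_iterations: usize,
}

impl Default for Limits {
    /// The "default configuration": effectively no limits at all.
    fn default() -> Self {
        Limits { max_commands: usize::MAX, max_loop_iterations: usize::MAX }
    }
}

#[derive(Debug, PartialEq)]
pub enum ExecError {
    /// Raised when a script tries to run more commands than allowed.
    CommandLimit { limit: usize },
}

/// Minimal stand-in interpreter that counts executed commands against a limit.
pub struct Interp {
    limits: Limits,
    executed: usize,
}

impl Interp {
    /// Stand-in for `Bash::new()`: default config, unlimited.
    pub fn new() -> Self {
        Interp { limits: Limits::default(), executed: 0 }
    }

    /// Stand-in for the CLI's `build_bash()`: applies the parsed limits.
    pub fn with_limits(limits: Limits) -> Self {
        Interp { limits, executed: 0 }
    }

    /// Run a script given as one command per line, stopping at the limit.
    /// Returns the number of commands executed on success.
    pub fn run(&mut self, script: &str) -> Result<usize, ExecError> {
        for _cmd in script.lines().filter(|l| !l.trim().is_empty()) {
            if self.executed >= self.limits.max_commands {
                return Err(ExecError::CommandLimit { limit: self.limits.max_commands });
            }
            self.executed += 1;
        }
        Ok(self.executed)
    }
}

/// The buggy MCP path: a fresh default interpreter per tools/call, so the
/// CLI flags are never consulted.
pub fn mcp_call_unconstrained(script: &str) -> Result<usize, ExecError> {
    let mut bash = Interp::new();
    bash.run(script)
}

/// The fixed MCP path: the handler is built with the CLI limits and applies
/// them to every interpreter it creates.
pub struct McpHandler {
    limits: Arc<Limits>,
}

impl McpHandler {
    pub fn new(limits: Limits) -> Self {
        McpHandler { limits: Arc::new(limits) }
    }

    pub fn call(&self, script: &str) -> Result<usize, ExecError> {
        let mut bash = Interp::with_limits((*self.limits).clone());
        bash.run(script)
    }
}

/// Constructed test input: a script with `n` trivial commands.
pub fn script_with_commands(n: usize) -> String {
    (0..n).map(|i| format!("echo {i}\n")).collect()
}

fn main() {
    // Equivalent of `bashkit --mcp --max-commands 100` receiving a 100,000-command script.
    let limits = Limits { max_commands: 100, max_loop_iterations: 1000 };
    let script = script_with_commands(100_000);
    println!("default new():   {:?}", mcp_call_unconstrained(&script));
    let handler = McpHandler::new(limits);
    println!("with CLI limits: {:?}", handler.call(&script));
}
```

The regression test for the acceptance criterion is the `handler.call` path: with `max_commands: 100` a 100,000-command script must fail with `CommandLimit { limit: 100 }`, while the unconstrained path runs all 100,000 commands, which is exactly the behaviour this issue reports.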

Metadata


Labels

security (Security vulnerability or hardening)
