Add MCP tool profiles for workspace chat flows
Expose stable MCP/server tool profiles so chat hosts can start narrow and widen only when needed. This adds vm-run, workspace-core, and workspace-full across the CLI serve path, Pyro.create_server(), and the package-level create_server() factory while keeping workspace-full as the default. Register profile-specific tool sets from one shared contract mapping, and narrow the workspace-core schemas so secrets, network policy, shells, services, snapshots, and disk tools do not leak into the default persistent chat profile. The full surface remains available unchanged under workspace-full. Refresh the public docs and examples around the profile progression, add a canonical OpenAI Responses workspace-core example, mark the 3.4.0 roadmap milestone done, and verify with uv lock, UV_CACHE_DIR=.uv-cache make check, UV_CACHE_DIR=.uv-cache make dist-check, and a real guest-backed workspace-core smoke for create, file write, exec, diff, export, reset, and delete.
This commit is contained in:
parent
446f7fce04
commit
eecfd7a7d7
23 changed files with 984 additions and 511 deletions
|
|
@ -7,8 +7,10 @@ CLI path in [install.md](install.md) or [first-run.md](first-run.md).
|
|||
|
||||
## Recommended Default
|
||||
|
||||
Use `vm_run` first for one-shot commands, then move to the stable workspace surface when the
|
||||
agent needs to inhabit one sandbox across multiple calls.
|
||||
Use `vm_run` first for one-shot commands, then move to `workspace-core` when the
|
||||
agent needs to inhabit one sandbox across multiple calls. Only promote the chat
|
||||
surface to `workspace-full` when it truly needs shells, services, snapshots,
|
||||
secrets, network policy, or disk tools.
|
||||
|
||||
That keeps the model-facing contract small:
|
||||
|
||||
|
|
@ -17,8 +19,11 @@ That keeps the model-facing contract small:
|
|||
- one ephemeral VM
|
||||
- automatic cleanup
|
||||
|
||||
Move to `workspace_*` when the agent needs repeated commands, shells, services, snapshots, reset,
|
||||
diff, or export in one stable workspace across multiple calls.
|
||||
Profile progression:
|
||||
|
||||
- `vm-run`: one-shot only
|
||||
- `workspace-core`: persistent workspace create/list/update/status/sync/exec/logs/file ops/diff/export/reset/delete
|
||||
- `workspace-full`: the full stable workspace surface, including shells, services, snapshots, secrets, network policy, and disk tools
|
||||
|
||||
## OpenAI Responses API
|
||||
|
||||
|
|
@ -30,20 +35,14 @@ Best when:
|
|||
|
||||
Recommended surface:
|
||||
|
||||
- `vm_run`
|
||||
- `workspace_create(name=..., labels=...)` + `workspace_list` + `workspace_update` when the agent needs to rediscover or retag long-lived workspaces between turns
|
||||
- `workspace_create(seed_path=...)` + `workspace_sync_push` + `workspace_exec` when the agent needs persistent workspace state
|
||||
- `workspace_file_list` / `workspace_file_read` / `workspace_file_write` / `workspace_patch_apply` when the agent needs model-native file inspection and text edits inside one live workspace
|
||||
- `workspace_create(..., secrets=...)` + `workspace_exec(..., secret_env=...)` when the workspace needs private tokens or authenticated setup
|
||||
- `workspace_create(..., network_policy="egress+published-ports")` + `start_service(..., published_ports=[...])` when the host must probe one workspace service
|
||||
- `workspace_diff` + `workspace_export` when the agent needs explicit baseline comparison or host-out file transfer
|
||||
- `stop_workspace(...)` + `list_workspace_disk(...)` / `read_workspace_disk(...)` / `export_workspace_disk(...)` when one stopped guest-backed workspace needs offline inspection or a raw ext4 copy
|
||||
- `start_service` / `list_services` / `status_service` / `logs_service` / `stop_service` when the agent needs long-running processes inside that workspace
|
||||
- `open_shell(..., secret_env=...)` / `read_shell` / `write_shell` when the agent needs an interactive PTY inside that workspace
|
||||
- `vm_run` for one-shot loops
|
||||
- the `workspace-core` tool set for the normal persistent chat loop
|
||||
- the `workspace-full` tool set only when the host explicitly needs advanced workspace capabilities
|
||||
|
||||
Canonical example:
|
||||
|
||||
- [examples/openai_responses_vm_run.py](../examples/openai_responses_vm_run.py)
|
||||
- [examples/openai_responses_workspace_core.py](../examples/openai_responses_workspace_core.py)
|
||||
|
||||
## MCP Clients
|
||||
|
||||
|
|
@ -55,7 +54,13 @@ Best when:
|
|||
|
||||
Recommended entrypoint:
|
||||
|
||||
- `pyro mcp serve`
|
||||
- `pyro mcp serve --profile workspace-core`
|
||||
|
||||
Profile progression:
|
||||
|
||||
- `pyro mcp serve --profile vm-run` for the smallest one-shot surface
|
||||
- `pyro mcp serve --profile workspace-core` for the normal persistent chat loop
|
||||
- `pyro mcp serve --profile workspace-full` only when the model truly needs advanced workspace tools
|
||||
|
||||
Starter config:
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue