From 8c288195a00de7cfa0d0d4eb4aefb75afef3aac7 Mon Sep 17 00:00:00 2001 From: Alex Clarke Date: Wed, 17 Jun 2026 15:10:40 -0600 Subject: [PATCH] feat: created mixin kit for built-in functions and MCP servers --- assets/functions/sbx-mixin.yaml | 44 +++++++++++++++++++++++++++++++++ assets/sbx-kit/spec.yaml | 41 ++++++++++++++++-------------- 2 files changed, 66 insertions(+), 19 deletions(-) create mode 100644 assets/functions/sbx-mixin.yaml diff --git a/assets/functions/sbx-mixin.yaml b/assets/functions/sbx-mixin.yaml new file mode 100644 index 0000000..be05515 --- /dev/null +++ b/assets/functions/sbx-mixin.yaml @@ -0,0 +1,44 @@ +schemaVersion: "1" +kind: mixin +name: built-in-tools +description: > + Installs binaries and allows network domains required by Coyote's built-in + global tools and the default MCP server set. Auto-applied by Coyote's sbx + mixin discovery when running `coyote --sandbox`. + +network: + allowedDomains: + # fetch_url_via_jina + jina reader fallback + - "r.jina.ai:443" + # get_current_weather (.sh, .py, .ts) + - "wttr.in:443" + # search_arxiv (the .sh tool still uses http://, so :80 is required until fixed) + - "export.arxiv.org:443" + - "export.arxiv.org:80" + # search_arxiv + search_wikipedia may follow DOI redirects + - "doi.org:443" + # search_wikipedia + - "en.wikipedia.org:443" + # search_wolframalpha + - "api.wolframalpha.com:443" + # web_search_perplexity + - "api.perplexity.ai:443" + # web_search_tavily + - "api.tavily.com:443" + # send_twilio + - "api.twilio.com:443" + # MCP: github (built-in mcp.json: api.githubcopilot.com) + - "api.githubcopilot.com:443" + # MCP: atlassian (built-in mcp.json: mcp-remote -> mcp.atlassian.com) + - "mcp.atlassian.com:443" + # MCP: ddg-search (built-in mcp.json: uvx duckduckgo-mcp-server) + - "duckduckgo.com:443" + - "html.duckduckgo.com:443" + - "lite.duckduckgo.com:443" + # MCP: npx-based servers (mcp-remote) pull from npm + - "registry.npmjs.org:443" + # MCP: docker server may pull images from common registries + - "ghcr.io:443" + - "registry-1.docker.io:443" + - "auth.docker.io:443" + - "production.cloudflare.docker.com:443" diff --git a/assets/sbx-kit/spec.yaml b/assets/sbx-kit/spec.yaml index 3c0b4f8..2a86ceb 100644 --- a/assets/sbx-kit/spec.yaml +++ b/assets/sbx-kit/spec.yaml @@ -113,20 +113,22 @@ network: headerName: Authorization valueFormat: "Bearer %s" allowedDomains: + # Coyote release + self-update + model-registry sync - "github.com:443" - "api.github.com:443" - "raw.githubusercontent.com:443" - "objects.githubusercontent.com:443" - "*.githubusercontent.com:443" + # Coyote install paths (cargo install + uv + rustup + Python tool deps at runtime) - "crates.io:443" - "static.crates.io:443" - "pypi.org:443" - "files.pythonhosted.org:443" - - "registry.npmjs.org:443" - "astral.sh:443" - "sh.rustup.rs:443" - "static.rust-lang.org:443" + # LLM model OAuth + API endpoints - "claude.ai:443" - "console.anthropic.com:443" - "accounts.google.com:443" @@ -140,22 +142,6 @@ network: - "*.amazonaws.com:443" - "models.inference.ai.azure.com:443" - - "api.githubcopilot.com:443" - - "mcp.atlassian.com:443" - - "duckduckgo.com:443" - - "html.duckduckgo.com:443" - - "lite.duckduckgo.com:443" - - - "wttr.in:443" - # search_arxiv.sh uses http://, so :80 is required until the tool is fixed - - "export.arxiv.org:443" - - "export.arxiv.org:80" - - "en.wikipedia.org:443" - - "api.wolframalpha.com:443" - - "api.twilio.com:443" - - "api.tavily.com:443" - - "doi.org:443" - credentials: sources: openai: @@ -261,12 +247,29 @@ commands: cmake \ clang libclang-dev \ musl-tools \ - libssl-dev + libssl-dev \ + pandoc \ + bzip2 user: "1000" - description: Install system prerequisites + description: Install system prerequisites (including pandoc for fetch_url_via_curl) - command: "curl -LsSf https://astral.sh/uv/install.sh | sh" user: "1000" description: Install uv (required for Python-based custom tools) + - command: | + set -euo pipefail + USQL_VERSION="0.19.20" + ARCH=$(uname -m) + case "$ARCH" in + x86_64) USQL_ARCH=amd64 ;; + aarch64) USQL_ARCH=arm64 ;; + *) echo "Unsupported arch for usql install: $ARCH" >&2; exit 1 ;; + esac + curl -sSL "https://github.com/xo/usql/releases/download/v${USQL_VERSION}/usql_static-${USQL_VERSION}-linux-${USQL_ARCH}.tar.bz2" -o /tmp/usql.tar.bz2 + sudo tar -xjf /tmp/usql.tar.bz2 -C /usr/local/bin + sudo chmod +x /usr/local/bin/usql + rm -f /tmp/usql.tar.bz2 + user: "1000" + description: Install the usql universal SQL CLI (used by the built-in sql agent and execute_sql_code tool) - command: | curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ sh -s -- -y \