CodeAudit MCP

CodeAudit MCP

A read-only MCP server for AI coding agents to inspect repositories, audit code quality, route engineering skills, and plan safe issue/PR workflows.

Category
访问服务器

README

CodeAudit MCP

npm CI MCP License: MIT

CodeAudit MCP is a read-only MCP server that helps AI coding agents inspect repositories, route engineering skills, verify docs claims, audit code quality, and plan safer issue/PR workflows.

The current MVP is read-only by default. It supports local stdio and Streamable HTTP transports. It does not implement unrestricted shell execution, remote repository mutation, auto-push, auto-delete, or auto-merge.

Production Status

CodeAudit is usable now for production-style read-only repository inspection and agent workflow routing when deployed with the documented controls:

  • use stdio for local trusted agent clients, or Streamable HTTP behind HTTPS for remote clients
  • set CODEAUDIT_API_KEY for any HTTP deployment that is not strictly local
  • set CODEAUDIT_ALLOWED_ROOTS for hosted HTTP deployments so project reads stay inside approved workspaces
  • restrict CODEAUDIT_ALLOWED_ORIGINS for browser-accessible deployments
  • keep the server read-only; do not add write/GitHub mutation tools without an approval model

Validated in this repository with CI, pnpm check, pnpm build, HTTP health/metadata smoke testing, allowed-root rejection tests, docs-claims audit, and installed-skill audit. OAuth multi-user identity is not implemented yet; use API-key/Bearer protection for hosted HTTP deployments.

What Works

  • detect_project identifies empty/existing projects, package manager, framework, language, tests, auth, database, deployment, CI, and risk notes.
  • Python detection covers pyproject.toml, uv.lock, FastAPI, Django, Flask, Python MCP SDK, pytest, typing/lint tooling, auth, database, and deployment indicators.
  • route_skills returns a skill-routing manifest with workflow phases, recommended tool sequence, skill activation order, quality gates, required outputs, strict instructions, and disallowed actions.
  • scan_repo summarizes trees and classifies important, risk, docs, test, and config files.
  • audit_code_quality runs heuristic maintainability checks for long files, weak schema boundaries, missing tests, mixed responsibilities, and weak error handling.
  • audit_nextjs_security runs heuristic checks for Next.js route, middleware, env, headers, validation, logging, redirect, SSRF, upload, rate-limit, and auth indicators.
  • audit_docs_claims maps strong README/docs claims to evidence found or missing.
  • audit_tests summarizes test setup and missing test areas.
  • audit_installed_skills checks local agent skills for supply-chain, prompt-injection, secret-leakage, dependency-install, webhook, destructive-shell, manifest-quality, duplicate-name, auxiliary-doc, and resource-discovery risks.
  • official_docs_router recommends where to look up official/current docs.
  • generate_issue_plan, generate_pr_plan, and generate_report produce planning artifacts from findings.
  • Resources expose codeaudit://docs/llms and codeaudit://skills/index for MCP-native discovery.

Quick Start

Run the free public npm package directly:

npx -y @priyanshuchawda/codeaudit

For local development from the GitHub checkout:

pnpm install
pnpm build

Run local stdio:

pnpm --filter @priyanshuchawda/codeaudit start

Run local development stdio:

pnpm --filter @priyanshuchawda/codeaudit dev

Run Streamable HTTP with API-key protection:

pnpm build
CODEAUDIT_API_KEY=change-me pnpm --filter @priyanshuchawda/codeaudit start:http

HTTP endpoints:

  • MCP: http://127.0.0.1:3000/mcp
  • health: http://127.0.0.1:3000/health
  • metadata: http://127.0.0.1:3000/.well-known/codeaudit

Example MCP Inspector command:

npx @modelcontextprotocol/inspector pnpm --filter @priyanshuchawda/codeaudit dev

Add To Codex

Npm stdio config for ~/.codex/config.toml or project-local .codex/config.toml:

[mcp_servers.codeaudit]
command = "npx"
args = ["-y", "@priyanshuchawda/codeaudit"]
startup_timeout_sec = 40

Local checkout stdio config:

[mcp_servers.codeaudit]
command = "pnpm"
args = [
  "--dir",
  "/absolute/path/to/codeaudit",
  "--filter",
  "@priyanshuchawda/codeaudit",
  "start"
]
startup_timeout_sec = 40

Windows example:

[mcp_servers.codeaudit]
command = "pnpm"
args = [
  "--dir",
  "C:\\Users\\Admin\\Desktop\\skills\\codeaudit",
  "--filter",
  "@priyanshuchawda/codeaudit",
  "start"
]
startup_timeout_sec = 40

HTTP config:

[mcp_servers.codeaudit]
url = "https://your-codeaudit-host.example.com/mcp"
http_headers = { "Authorization" = "Bearer YOUR_API_KEY" }

Recommended first prompt after connecting:

Use CodeAudit MCP on this local project. First call detect_project, then route_skills. Follow workflowPhases, recommendedToolSequence, skillActivationOrder, and qualityGates before making any changes.

Documentation

  • Start with docs/llms.txt for the complete documentation index.
  • Use docs/clients.md for Codex, Claude Code, Cursor, VS Code, Claude Desktop, Gemini CLI, and MCP Inspector setup examples.
  • Use docs/deployment.md for production HTTP deployment, Docker, environment variables, and verification.
  • CodeAudit supports local stdio and Streamable HTTP MCP connections. HTTP deployments can be protected with an API key or Bearer token.

Free Public Distribution

  • Npm public package: @priyanshuchawda/codeaudit
  • Current npm version: 0.1.5
  • Npm public packages are free to publish with npm publish --access public.
  • Release publishing is configured through .github/workflows/publish-npm.yml.
  • To publish, add a granular npm write token with bypass 2FA enabled as the GitHub secret NPM_TOKEN, then create a GitHub release.
  • Users can install and run without cloning GitHub by using npx -y @priyanshuchawda/codeaudit.

Skills CLI

Install the public CodeAudit skill without cloning this repository:

npx skills add priyanshuchawda/codeaudit --skill codeaudit

List available public skills:

npx skills add priyanshuchawda/codeaudit --list

The public catalog shape intentionally exposes one skill, codeaudit. Specialist workflows under skills/ are marked metadata.internal: true so CodeAudit can keep its internal routing vocabulary without duplicating public skills on skills.sh.

Safety Model

  • Tools are registered with read-only annotations.
  • Filesystem access is bounded to the supplied project root.
  • Hosted HTTP deployments restrict projectPath to CODEAUDIT_ALLOWED_ROOTS; when unset in HTTP mode, the server defaults to process.cwd().
  • Common secret formats are redacted before output.
  • Command execution is not exposed as an MCP tool.
  • The internal command runner only supports a small allowlist.
  • Skill files are treated as untrusted input and can be audited before use.
  • External documentation is treated as untrusted reference data.
  • Generated reports are returned as markdown strings; this server does not write them into target repositories.

Skills Pack

Custom skills live in skills/:

  • codeaudit public umbrella skill for npx skills add
  • codeaudit-orchestrator
  • python-backend-quality
  • python-mcp-server-quality
  • enterprise-code-quality
  • nextjs-security-review
  • ai-app-security-review
  • docs-claims-evidence-review
  • refactor-with-tests
  • github-issue-pr-workflow
  • official-docs-grounding
  • skill-supply-chain-auditor

These skills are written so clients that cannot literally activate skills can still use route_skills as a manifest of recommended skills, ordered workflow phases, tool sequence, outputs, and guardrails.

Example Workflow

{
  "tool": "detect_project",
  "input": {
    "projectPath": "./some-project"
  }
}

Then route:

{
  "tool": "route_skills",
  "input": {
    "projectPath": "./some-project",
    "userTask": "Audit and improve this repo",
    "detectedProject": "<detect_project output>"
  }
}

For an existing project, run audits before refactors:

scan_repo -> audit_code_quality -> audit_nextjs_security -> audit_docs_claims -> audit_tests -> audit_installed_skills -> generate_issue_plan -> generate_pr_plan

Example Output

When run on an existing Next.js project, CodeAudit returns detected stack and risk notes, important/risk/docs/test/config file lists, code quality findings, docs claims with evidence found or missing, a recommended issue plan, and a recommended PR plan.

{
  "projectState": "existing",
  "requiredWorkflow": "repo_audit_then_issue_pr_plan",
  "recommendedSkills": ["codeaudit-orchestrator", "enterprise-code-quality", "next-best-practices"],
  "qualityGates": [
    "Existing project is scanned and audited before refactor work.",
    "Every finding includes file evidence or a clear missing-evidence note."
  ],
  "docsClaim": {
    "claim": "Production-ready and secure by default.",
    "evidenceFound": ["middleware", "test"],
    "evidenceMissing": ["threat-model", "rateLimit"],
    "recommendation": "add-evidence"
  },
  "prPlan": {
    "branchName": "refactor/p1-route-handler-validation",
    "testsToRun": ["unit tests", "typecheck"],
    "docsToUpdate": ["README.md if public behavior changed"]
  }
}

What CodeAudit Is Not

  • Not a replacement for Semgrep, CodeQL, or SAST.
  • Not a vulnerability scanner.
  • Not an autonomous GitHub mutation bot.
  • Not a deep AST analyzer yet.
  • Best used as a read-only planning and evidence-gathering layer for AI coding agents.

Future Work

  • More language/framework detectors.
  • AST-based checks using the TypeScript compiler API or ts-morph.
  • JSON and SARIF report formats.
  • Deeper AST-based duplicate and complexity analysis.
  • Optional report writer tool gated by explicit approval.
  • Optional GitHub issue/PR creation gated by explicit approval.
  • Broader security policy packs for Firebase, Azure, and AI agents.
  • Optional OAuth provider integration for hosted multi-user deployments.

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选