feat(mcp): add code-graph-context as optional built-in MCP#2718
Open
nguyentamdat wants to merge 1 commit intocode-yeongyu:devfrom
Open
feat(mcp): add code-graph-context as optional built-in MCP#2718nguyentamdat wants to merge 1 commit intocode-yeongyu:devfrom
nguyentamdat wants to merge 1 commit intocode-yeongyu:devfrom
Conversation
Contributor
|
All contributors have signed the CLA. Thank you! ✅ |
Add code-graph-context as a 4th built-in MCP for graph-based code analysis (callers, dead code, complexity, relationships). Unlike the existing remote HTTP MCPs, this is a local stdio MCP requiring the cgc binary. - Disabled by default, users opt in via config: code_graph_context.enabled = true - Auto-detects cgc binary in ~/.local/bin, /usr/local/bin, /usr/bin - Sensible FalkorDB environment defaults (~/.codegraphcontext/) - New LocalMcpConfig type extending BuiltinMcpConfig union - Tool hints for 7 code-graph-context tools in skill-mcp constants - Agent prompt updates for Explore and Oracle to leverage graph tools - Config schema, barrel exports, doctor check, and tests included
nguyentamdat
force-pushed
the
feat/code-graph-context-mcp
branch
from
c58e2bb to
97d58ee
Compare
Author
|
I have read the CLA Document and I hereby sign the CLA |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
6 issues found across 13 files
Confidence score: 1/5
src/mcp/index.tsintroduces a high-risk security regression: workspace-localcode_graph_context.binary_pathcan be executed as a local MCP command, which could allow arbitrary code execution when opening untrusted repositories.- There are concrete functional regressions in
src/mcp/code-graph-context.ts(Windows probe usescgcinstead ofcgc.exe, and PATH-based command names likecgcare rejected), so valid setups may fail across common environments. - Validation coverage is weakened:
src/mcp/index.test.tshas a vacuous filter assertion andsrc/mcp/code-graph-context.test.tsmisses the auto-detection fallback path, reducing confidence that these behaviors are protected from regressions. - Pay close attention to
src/mcp/index.ts,src/mcp/code-graph-context.ts,src/cli/doctor/checks/tools-mcp.ts,src/mcp/index.test.ts,src/mcp/code-graph-context.test.ts- security-sensitive command execution and MCP enablement/detection logic need tightening before merge.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/cli/doctor/checks/tools-mcp.ts">
<violation number="1" location="src/cli/doctor/checks/tools-mcp.ts:8">
P2: Doctor MCP check now treats `code_graph_context` as always enabled by adding it to a static built-in list that is mapped to `enabled: true`, ignoring its conditional config-based enablement.</violation>
</file>
<file name="src/mcp/index.test.ts">
<violation number="1" location="src/mcp/index.test.ts:133">
P2: The new filtering test for `code_graph_context` is vacuous because the MCP is disabled by default, so the assertion passes regardless of whether disabled-list filtering works.</violation>
</file>
<file name="src/mcp/code-graph-context.ts">
<violation number="1" location="src/mcp/code-graph-context.ts:15">
P2: Windows auto-detection is broken because binary lookup uses `cgc` instead of `cgc.exe` for path probes.</violation>
<violation number="2" location="src/mcp/code-graph-context.ts:22">
P2: `binary_path` validation incorrectly rejects PATH-resolved command names (e.g., `cgc`), causing valid MCP setups to be disabled.</violation>
</file>
<file name="src/mcp/code-graph-context.test.ts">
<violation number="1" location="src/mcp/code-graph-context.test.ts:26">
P2: Auto-detection branch (`enabled: true` without `binary_path`) is untested, leaving the core fallback binary resolution path unverified.</violation>
</file>
<file name="src/mcp/index.ts">
<violation number="1" location="src/mcp/index.ts:35">
P1: Workspace-local config can supply `code_graph_context.binary_path`, which is used as an executed local MCP command, enabling arbitrary code execution from untrusted repos.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Add one-off context when rerunning by tagging
@cubic-dev-aiwith guidance or docs links (includingllms.txt) - Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| } | ||
|
|
||
| if (!disabledMcps.includes("code_graph_context")) { | ||
| const cgcConfig = createCodeGraphContextConfig(config?.code_graph_context) |
There was a problem hiding this comment.
P1: Workspace-local config can supply code_graph_context.binary_path, which is used as an executed local MCP command, enabling arbitrary code execution from untrusted repos.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/mcp/index.ts, line 35:
<comment>Workspace-local config can supply `code_graph_context.binary_path`, which is used as an executed local MCP command, enabling arbitrary code execution from untrusted repos.</comment>
<file context>
@@ -28,5 +31,12 @@ export function createBuiltinMcps(disabledMcps: string[] = [], config?: OhMyOpen
}
+ if (!disabledMcps.includes("code_graph_context")) {
+ const cgcConfig = createCodeGraphContextConfig(config?.code_graph_context)
+ if (cgcConfig) {
+ mcps.code_graph_context = cgcConfig
</file context>
| import { parseJsonc } from "../../../shared" | ||
|
|
||
| const BUILTIN_MCP_SERVERS = ["context7", "grep_app"] | ||
| const BUILTIN_MCP_SERVERS = ["context7", "grep_app", "code_graph_context"] |
There was a problem hiding this comment.
P2: Doctor MCP check now treats code_graph_context as always enabled by adding it to a static built-in list that is mapped to enabled: true, ignoring its conditional config-based enablement.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/cli/doctor/checks/tools-mcp.ts, line 8:
<comment>Doctor MCP check now treats `code_graph_context` as always enabled by adding it to a static built-in list that is mapped to `enabled: true`, ignoring its conditional config-based enablement.</comment>
<file context>
@@ -5,7 +5,7 @@ import { join } from "node:path"
import { parseJsonc } from "../../../shared"
-const BUILTIN_MCP_SERVERS = ["context7", "grep_app"]
+const BUILTIN_MCP_SERVERS = ["context7", "grep_app", "code_graph_context"]
interface McpConfigShape {
</file context>
| const disabledMcps = ["code_graph_context"] | ||
|
|
||
| // when | ||
| const result = createBuiltinMcps(disabledMcps) |
There was a problem hiding this comment.
P2: The new filtering test for code_graph_context is vacuous because the MCP is disabled by default, so the assertion passes regardless of whether disabled-list filtering works.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/mcp/index.test.ts, line 133:
<comment>The new filtering test for `code_graph_context` is vacuous because the MCP is disabled by default, so the assertion passes regardless of whether disabled-list filtering works.</comment>
<file context>
@@ -103,4 +103,36 @@ describe("createBuiltinMcps", () => {
+ const disabledMcps = ["code_graph_context"]
+
+ // when
+ const result = createBuiltinMcps(disabledMcps)
+
+ // then
</file context>
| } | ||
|
|
||
| const COMMON_BINARY_LOCATIONS = [ | ||
| join(homedir(), ".local", "bin", "cgc"), |
There was a problem hiding this comment.
P2: Windows auto-detection is broken because binary lookup uses cgc instead of cgc.exe for path probes.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/mcp/code-graph-context.ts, line 15:
<comment>Windows auto-detection is broken because binary lookup uses `cgc` instead of `cgc.exe` for path probes.</comment>
<file context>
@@ -0,0 +1,76 @@
+}
+
+const COMMON_BINARY_LOCATIONS = [
+ join(homedir(), ".local", "bin", "cgc"),
+ "/usr/local/bin/cgc",
+ "/usr/bin/cgc",
</file context>
|
|
||
| function findCgcBinary(overridePath?: string): string | undefined { | ||
| if (overridePath) { | ||
| return existsSync(overridePath) ? overridePath : undefined |
There was a problem hiding this comment.
P2: binary_path validation incorrectly rejects PATH-resolved command names (e.g., cgc), causing valid MCP setups to be disabled.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/mcp/code-graph-context.ts, line 22:
<comment>`binary_path` validation incorrectly rejects PATH-resolved command names (e.g., `cgc`), causing valid MCP setups to be disabled.</comment>
<file context>
@@ -0,0 +1,76 @@
+
+function findCgcBinary(overridePath?: string): string | undefined {
+ if (overridePath) {
+ return existsSync(overridePath) ? overridePath : undefined
+ }
+
</file context>
| @@ -0,0 +1,69 @@ | |||
| import { describe, expect, test } from "bun:test" | |||
There was a problem hiding this comment.
P2: Auto-detection branch (enabled: true without binary_path) is untested, leaving the core fallback binary resolution path unverified.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/mcp/code-graph-context.test.ts, line 26:
<comment>Auto-detection branch (`enabled: true` without `binary_path`) is untested, leaving the core fallback binary resolution path unverified.</comment>
<file context>
@@ -0,0 +1,69 @@
+ })
+ })
+
+ describe("#given config is enabled", () => {
+ test("#when binary_path points to nonexistent file #then returns undefined", () => {
+ // given
</file context>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cgcbinarycode_graph_context.enabled = trueChanges
New Files (3)
src/mcp/code-graph-context.ts— Factory withLocalMcpConfigtype, binary auto-detection (~/.local/bin/cgc,/usr/local/bin/cgc,/usr/bin/cgc), sensible FalkorDB environment defaultssrc/config/schema/code-graph-context.ts— Zod schema:enabled(defaultfalse), optionalbinary_pathoverridesrc/mcp/code-graph-context.test.ts— Unit tests for factory functionModified Files (10)
src/mcp/types.ts— Added"code_graph_context"toMcpNameSchemaenumsrc/mcp/index.ts— NewBuiltinMcpConfigunion type (RemoteMcpConfig | LocalMcpConfig), wired intocreateBuiltinMcps()src/config/schema/oh-my-opencode-config.ts— Addedcode_graph_contextfield to root configsrc/config/schema.ts— Barrel exportsrc/tools/skill-mcp/constants.ts— Tool hints for 7 code-graph-context toolssrc/cli/doctor/checks/tools-mcp.ts— Added toBUILTIN_MCP_SERVERSsrc/mcp/index.test.ts— 3 new testssrc/agents/explore.ts— Added code-graph-context tools to Tool Strategysrc/agents/oracle.ts— Added graph analysis tools to<tool_usage_rules>assets/oh-my-opencode.schema.json— Auto-generated schema updateUsage
Design Decisions
cgcbinary locally, unlike zero-config remote HTTP MCPsChecklist
bun run typecheckpassesbun run buildsucceedspackage.jsonSummary by cubic
Adds
code-graph-contextas an optional built-in MCP for local, graph-based code analysis powered by thecgcbinary. Enables callers/dead-code/complexity queries and integrates tools into Explore and Oracle when enabled.New Features
code-graph-context(requirescgc); off by default viacode_graph_context.enabled.cgcin~/.local/bin,/usr/local/bin,/usr/bin; supportscode_graph_context.binary_path; FalkorDB defaults under~/.codegraphcontext/.createBuiltinMcps, doctor checks, and tool hints; Explore/Oracle prompts updated; respectsdisabled_mcps.Migration
cgcand ensure it’s in a common path, or setcode_graph_context.binary_path.code_graph_context.enabled: truein.opencode/oh-my-opencode.jsonc.Written for commit 97d58ee. Summary will update on new commits.