devflow-mcp
A production-ready Model Context Protocol server that gives AI assistants deep GitHub developer tooling — PR analysis, code review, changelog generation, dependency auditing, commit summarization, and refactoring suggestions.
Features
- 6 MCP tools covering the full developer workflow
- Heuristic analysis — no external LLM calls, fast and deterministic
- OSV.dev integration for real vulnerability data (npm and PyPI)
- LRU cache with TTL to minimize GitHub API calls
- Token-bucket rate limiter to stay within GitHub's limits
- Zero
any— strict TypeScript throughout - ≥80% test coverage with MSW-mocked HTTP
Requirements
- Node.js 18+
- A GitHub Personal Access Token with
reposcope
Installation
npm install -g devflow-mcp
Or run directly with npx:
npx devflow-mcp
Or clone and build:
git clone https://github.com/yourorg/devflow-mcp
cd devflow-mcp
npm install
npm run build
Claude Desktop Configuration
Add to your claude_desktop_config.json:
{
"mcpServers": {
"devflow": {
"command": "npx",
"args": ["devflow-mcp"],
"env": {
"GITHUB_TOKEN": "ghp_your_token_here"
}
}
}
}
Config file locations:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
Tools
analyze_pr
Analyzes a GitHub pull request for risk, security findings, and merge readiness.
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
owner | string | yes | Repository owner |
repo | string | yes | Repository name |
pr_number | number | yes | Pull request number |
focus | string[] | no | Limit analysis to: security, performance, logic, style |
Returns: risk_score (0-100), risk_level, findings[], change_summary, merge_recommendation
review_code
Reviews a code snippet for quality, security issues, and improvement opportunities.
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
code | string | yes | Source code to review |
language | string | yes | Programming language |
context | string | no | Optional context about what the code does |
Returns: overall_score (1-10), issues[] with severity + fix suggestions, positive_observations[], refactor_priority
generate_changelog
Generates a changelog between two Git refs from commit history.
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
owner | string | yes | Repository owner |
repo | string | yes | Repository name |
from_ref | string | yes | Base ref (tag, SHA, branch) |
to_ref | string | yes | Target ref |
format | string | no | markdown (default), json, plain |
group_by | string | no | type (default), author, date |
include_authors | boolean | no | Include author names (default: true) |
Returns: changelog string, commit_count, stats per category, breaking_changes[]
audit_dependencies
Audits project dependencies against the OSV vulnerability database.
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
owner | string | yes | Repository owner |
repo | string | yes | Repository name |
ecosystem | string | yes | npm, pypi, or auto |
severity_threshold | string | no | Minimum severity to report: low (default), moderate, high, critical |
Returns: vulnerabilities[] with CVE IDs, fix versions, and fix commands; audit_passed, stats per severity level, osv_query_timestamp
summarize_commits
Summarizes recent commits on a branch into a human-readable digest.
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
owner | string | yes | Repository owner |
repo | string | yes | Repository name |
branch | string | no | Branch name (default: repo default) |
since | string | no | ISO date or relative (7d, 24h, 2w, 1m) |
limit | number | no | Max commits (default: 50) |
output_style | string | no | digest (default), standup, detailed |
Returns: summary string, categories (features/fixes/docs/refactors/chores/other), authors[], commit_count
suggest_refactor
Analyzes code for refactoring opportunities ranked by impact-to-effort ratio.
Parameters:
| Name | Type | Required | Description |
|---|---|---|---|
code | string | yes | Source code to analyze |
language | string | yes | Programming language |
goals | string[] | no | Focus areas: readability, performance, testability, maintainability |
Returns: suggestions[] with rationale and effort estimates, priority_order[], original_complexity_score
Development
# Install dependencies
npm install
# Run tests
npm test
# Run tests with coverage
npm run test:coverage
# Type-check and build
npm run build
# Lint
npm run lint
# Format
npm run format
# Start the server (after build)
npm start
Project Structure
src/
index.ts # Entry point
server.ts # MCP server registration
tools/ # Tool handlers (one per tool)
github/ # GitHub API clients
lib/ # Shared utilities
cache.ts # LRU cache with TTL
rate-limiter.ts # Token-bucket rate limiter
commit-parser.ts # Conventional commit parser
diff-parser.ts # Git diff parser
risk-scorer.ts # PR risk scoring heuristics
errors.ts # Typed MCP errors
providers/
osv.ts # OSV.dev vulnerability API
tests/
integration/ # Full MCP server tests via InMemoryTransport
tools/ # Unit tests per tool handler
lib/ # Unit tests for utilities
Test Strategy
- Unit tests: each tool handler and library mocked with
vi.mock - Integration tests: full MCP client↔server round-trip via
InMemoryTransport, HTTP intercepted with MSW - HTTP mocking: MSW v2 (
msw/node) — no real network calls in tests - Coverage: ≥80% branches required (
npm run test:coverage)
Contributing
- Fork the repository
- Create a feature branch
- Add tests for new behavior
- Ensure
npm run build && npm run test:coverage && npm run lintall pass - Open a pull request
License
MIT