mcp#24
Open
pranavcodeant wants to merge 3 commits into
Open
Conversation
|
CodeAnt AI is running Incremental review |
codeant-ai
Bot
added
the
size:XXL
|
CodeAnt AI Incremental review completed. |
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
|
CodeAnt AI is reviewing your PR. |
codeant-ai
Bot
added
size:XXL
| } | ||
|
|
||
| console.log(`[build-mcpb] zipping → ${outPath}`); | ||
| run('zip', ['-r', '-q', outPath, '.'], { cwd: stageDir }); |
There was a problem hiding this comment.
Suggestion: The build depends on the external zip binary, which is not guaranteed to exist on all environments (notably many Windows setups and minimal CI containers). When it is missing, packaging fails at runtime. Use a Node-based zip library or add platform/tool availability checks with a clear fallback. [possible bug]
Severity Level: Major ⚠️
- ❌ MCPB bundle build fails on systems lacking `zip`.
- ⚠️ Blocks generating Claude MCP bundle in such environments.Steps of Reproduction ✅
1. Use a development or CI environment without a `zip` CLI installed (for example, a
minimal Windows or container image).
2. From the repo root, run `node scripts/build-mcpb.mjs` to build the MCPB bundle, which
executes `main()` at `scripts/build-mcpb.mjs:36-80`.
3. After staging files and writing `package.json`, `main()` reaches the packaging step at
`scripts/build-mcpb.mjs:73-74` and calls `run('zip', ['-r', '-q', outPath, '.'], { cwd:
stageDir })`.
4. `child_process.spawnSync` (invoked inside `run` at `scripts/build-mcpb.mjs:31-33`)
cannot find the `zip` executable, causing a non-zero result; `run` throws, which is then
caught by `main().catch` at `scripts/build-mcpb.mjs:82-84`, and the build fails without
producing `dist/codeant.mcpb`.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** scripts/build-mcpb.mjs
**Line:** 74:74
**Comment:**
*Possible Bug: The build depends on the external `zip` binary, which is not guaranteed to exist on all environments (notably many Windows setups and minimal CI containers). When it is missing, packaging fails at runtime. Use a Node-based zip library or add platform/tool availability checks with a clear fallback.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
Comment on lines
+53
to
+66
| async function captureStdout(fn) { | ||
| const chunks = []; | ||
| const origWrite = process.stdout.write.bind(process.stdout); | ||
| process.stdout.write = (chunk) => { | ||
| chunks.push(typeof chunk === 'string' ? chunk : chunk.toString('utf8')); | ||
| return true; | ||
| }; | ||
| try { | ||
| await fn(); | ||
| } finally { | ||
| process.stdout.write = origWrite; | ||
| } | ||
| return chunks.join(''); | ||
| } |
There was a problem hiding this comment.
Suggestion: captureStdout mutates the global process.stdout.write, which is shared by the whole process. If two MCP tool calls run at the same time, one call can capture or suppress another call's output and corrupt protocol traffic; use a per-command output stream (or refactor called functions to return data) instead of monkey-patching global stdout. [race condition]
Severity Level: Critical 🚨
- ❌ Concurrent scan tools can corrupt MCP stdio responses.
- ❌ MCP client may see malformed or missing tool output.
- ⚠️ Debug logging to stdout becomes interleaved and unreliable.Steps of Reproduction ✅
1. Start the MCP server via the MCP bundle entrypoint (`mcpb/server/index.js`), which
ultimately calls `startMcpServer()` in `src/mcp/server.js:85`.
2. From an MCP client (e.g. Claude Desktop), issue a `tools.call` for
`codeant_scans_results` (`src/mcp/server.js:158-205`), which invokes `captureStdout()`
(`src/mcp/server.js:53-66`) around `runResults()`.
3. Before the first `codeant_scans_results` call finishes, issue a second `tools.call` for
`codeant_scans_results` (or `codeant_scans_start` when write mode is enabled;
`src/mcp/server.js:420-437`), causing a second concurrent invocation of `captureStdout()`.
4. During these overlapping calls, each `captureStdout()` overwrites
`process.stdout.write` with its own interceptor (`src/mcp/server.js:56-59`), so stdout
from `runResults()`/`runStartScan()` and any MCP protocol frames emitted while the
override is active can be captured by the wrong invocation or lost, resulting in
malformed/mixed JSON on the MCP stdio transport and broken tool responses on the client.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/mcp/server.js
**Line:** 53:66
**Comment:**
*Race Condition: `captureStdout` mutates the global `process.stdout.write`, which is shared by the whole process. If two MCP tool calls run at the same time, one call can capture or suppress another call's output and corrupt protocol traffic; use a per-command output stream (or refactor called functions to return data) instead of monkey-patching global stdout.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| console.error('[codeant-mcp] No API token configured — opening browser for sign-in.'); | ||
| try { | ||
| const { loginUrl } = await runLoginFlow(); | ||
| console.error(`[codeant-mcp] Login complete. (URL was ${loginUrl})`); |
There was a problem hiding this comment.
Suggestion: Logging loginUrl to stderr leaks the one-time login token (ideLoginToken) into log files, which is sensitive authentication material; avoid printing token-bearing URLs or redact query parameters. [security]
Severity Level: Critical 🚨
- ❌ API key leaked via tokenized login URL in logs.
- ❌ Centralized log systems may store reusable auth tokens.
- ⚠️ Compromised logs allow unauthorized CodeAnt account access.Steps of Reproduction ✅
1. Start the MCP server via `startMcpServer()` (`src/mcp/server.js:85`), with no
`CODEANT_API_TOKEN` env var and no `apiKeyV2` in config so that `ensureAuthenticated()`
(`src/mcp/server.js:68-83`) triggers the login flow.
2. `ensureAuthenticated()` calls `runLoginFlow()` (`src/utils/loginFlow.js:66-73`), which
uses `startLoginFlow()` (`src/utils/loginFlow.js:12-28`) to generate a random UUID `token`
and constructs `loginUrl = "https://app.codeant.ai?ideLoginToken=" + token`
(`src/utils/loginFlow.js:14-16`).
3. `awaitLoginCompletion()` (`src/utils/loginFlow.js:30-64`) polls the backend until it
reports success, then stores `token` as `apiKeyV2` and sets `process.env.CODEANT_API_TOKEN
= token` (`src/utils/loginFlow.js:50-52`), making this UUID the long-lived API key.
4. Control returns to `ensureAuthenticated()`, which logs `console.error(\`[codeant-mcp]
Login complete. (URL was ${loginUrl})\`);` (`src/mcp/server.js:79`), emitting the full
`loginUrl` including the `ideLoginToken` query parameter (i.e. the actual API token) into
stderr logs, where it can be captured by log collectors and expose the user's API key.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/mcp/server.js
**Line:** 79:79
**Comment:**
*Security: Logging `loginUrl` to stderr leaks the one-time login token (`ideLoginToken`) into log files, which is sensitive authentication material; avoid printing token-bearing URLs or redact query parameters.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
Comment on lines
+407
to
+409
| if (!force && isAlreadyLoggedIn()) { | ||
| return ok({ alreadyLoggedIn: true }); | ||
| } |
There was a problem hiding this comment.
Suggestion: The login tool checks only persisted config via isAlreadyLoggedIn() and ignores an already-present CODEANT_API_TOKEN env token, so it can incorrectly trigger browser login even when authentication is already valid; include env-token checks here as in ensureAuthenticated. [logic error]
Severity Level: Major ⚠️
- ⚠️ Users with env tokens are prompted to re-login.
- ⚠️ Extra, confusing login attempts from MCP clients.Steps of Reproduction ✅
1. Start the MCP server (`startMcpServer()` in `src/mcp/server.js:85`) with a valid
`CODEANT_API_TOKEN` environment variable set, but without `apiKeyV2` stored in the config
file (`isAlreadyLoggedIn()` in `src/utils/loginFlow.js:8-10` checks only config).
2. `ensureAuthenticated()` at `src/mcp/server.js:68-83` sees the env token
(`process.env.CODEANT_API_TOKEN`) and returns early (`src/mcp/server.js:69-70`), so the
server runs authenticated even though `isAlreadyLoggedIn()` would return `false`.
3. From the MCP client, call the `codeant_login` tool (`src/mcp/server.js:394-415`)
without `force: true`; the handler runs `if (!force && isAlreadyLoggedIn()) { return ok({
alreadyLoggedIn: true }); }` (`src/mcp/server.js:407-409`).
4. Because `isAlreadyLoggedIn()` ignores the env token and only checks config, it returns
`false`, so `codeant_login` unnecessarily invokes `runLoginFlow()`
(`src/mcp/server.js:410-412`), opens the browser, and attempts a new login despite the
already-valid `CODEANT_API_TOKEN`.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/mcp/server.js
**Line:** 407:409
**Comment:**
*Logic Error: The login tool checks only persisted config via `isAlreadyLoggedIn()` and ignores an already-present `CODEANT_API_TOKEN` env token, so it can incorrectly trigger browser login even when authentication is already valid; include env-token checks here as in `ensureAuthenticated`.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CodeAnt-AI Description
Add a CodeAnt MCP server for Claude and other MCP clients
What Changed
codeant mcpcommand that runs CodeAnt as an MCP server so Claude can access scans, pull requests, comments, and local review tools directly..mcpbfile.Impact
✅ Direct CodeAnt access inside Claude✅ Faster setup for Claude Code and Claude Desktop✅ Safer default installs with write actions hidden💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.