From 07812091aad852c2f74368a7ff66d5f075c02f6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adna=20Salkovi=C4=87?= Date: Sun, 7 Jun 2026 07:26:54 +0200 Subject: [PATCH] feat(skills): add codehealth-mcp skill and CodeScene MCP config (#2077) * feat(skills): add codehealth-mcp skill and CodeScene MCP config * docs(skills): add When to Use, How It Works, and Examples sections * docs(skills): clarify MCP opt-in, data boundaries, and offline behavior Address security review on PR #2077: no bundled credentials, document what tools read locally, failure behavior when MCP is unavailable, and README wording that Code Health MCP is optional and not enabled by default. Co-authored-by: Cursor --------- Co-authored-by: adnasalk-notus Co-authored-by: Cursor --- README.md | 2 + mcp-configs/mcp-servers.json | 8 ++ skills/codehealth-mcp/SKILL.md | 166 +++++++++++++++++++++++++++++++++ 3 files changed, 176 insertions(+) create mode 100644 skills/codehealth-mcp/SKILL.md diff --git a/README.md b/README.md index 8161f320..9cc9e7d3 100644 --- a/README.md +++ b/README.md @@ -608,6 +608,7 @@ ECC/ | |-- perl-testing/ # Perl TDD with Test2::V0, prove, Devel::Cover (NEW) | |-- autonomous-loops/ # Autonomous loop patterns: sequential pipelines, PR loops, DAG orchestration (NEW) | |-- plankton-code-quality/ # Write-time code quality enforcement with Plankton hooks (NEW) +| |-- codehealth-mcp/ # Optional CodeScene Code Health MCP skill (opt-in; not enabled by default) (NEW) | |-- commands/ # Maintained slash-entry compatibility; prefer skills/ | |-- plan.md # /plan - Implementation planning @@ -1348,6 +1349,7 @@ Canonical Anthropic skills such as `claude-api`, `frontend-design`, and `skill-c | brand-voice | Source-derived writing style profiles from real content | | bun-runtime | Bun as runtime, package manager, bundler, and test runner | | coding-standards | Universal coding standards | +| codehealth-mcp | Optional — Code Health MCP (opt-in server + token); structural review and commit/PR gates | | content-engine | Platform-native social content and repurposing | | crosspost | Multi-platform content distribution across X, LinkedIn, Threads | | deep-research | Multi-source research with synthesis and source attribution | diff --git a/mcp-configs/mcp-servers.json b/mcp-configs/mcp-servers.json index b8386c45..9a3d05ef 100644 --- a/mcp-configs/mcp-servers.json +++ b/mcp-configs/mcp-servers.json @@ -109,6 +109,14 @@ "args": ["-y", "@upstash/context7-mcp@latest"], "description": "Live documentation lookup — use with /docs command and documentation-lookup skill (resolve-library-id, query-docs)." }, + "codescene": { + "command": "npx", + "args": ["-y", "@codescene/codehealth-mcp"], + "env": { + "CS_ACCESS_TOKEN": "YOUR_CS_ACCESS_TOKEN_HERE" + }, + "description": "Optional. CodeScene Code Health MCP (community skill: codehealth-mcp). Not enabled by default — copy only if you opt in. Requires your own CS_ACCESS_TOKEN (no bundled credentials). See skills/codehealth-mcp/SKILL.md for data boundaries and failure behavior." + }, "magic": { "command": "npx", "args": ["-y", "@magicuidesign/mcp@latest"], diff --git a/skills/codehealth-mcp/SKILL.md b/skills/codehealth-mcp/SKILL.md new file mode 100644 index 00000000..1f41e585 --- /dev/null +++ b/skills/codehealth-mcp/SKILL.md @@ -0,0 +1,166 @@ +--- +name: codehealth-mcp +description: Real-time structural Code Health via CodeScene MCP — review before edits, verify score deltas after changes, gate commits and PRs. Use when reviewing code quality, refactoring, checking if AI changes degraded a file, or before commit/PR. +origin: community +--- + +# Code Health MCP (CodeScene) + +Structural maintainability feedback for AI-assisted coding. Complements style/lint skills (`coding-standards`, `plankton-code-quality`) with **design-level** health scores and regression gates. + +**Upstream:** [codescene-oss/codescene-mcp-server](https://github.com/codescene-oss/codescene-mcp-server) +**Package:** `@codescene/codehealth-mcp` (stdio via npx) + +## Security and boundaries + +**Opt-in (ECC):** The `codescene` block in `mcp-configs/mcp-servers.json` is a template only. ECC plugin installs do not auto-enable bundled MCP servers. Copy the entry into your config only if you want it. You can exclude it during ECC install/sync with `ECC_DISABLED_MCPS=codescene,...`. + +**Credentials:** No bundled token. Set `CS_ACCESS_TOKEN` yourself (see [getting-a-personal-access-token.md](https://github.com/codescene-oss/codescene-mcp-server/blob/main/docs/getting-a-personal-access-token.md) in the upstream repo). Never commit tokens to the repo. + +**What the tools read:** When invoked, tools analyze files and git state **in the local repository** you point them at (paths you pass, plus branch context for `analyze_change_set`). They do not run by themselves. For standalone mode, follow upstream privacy docs: [codescene-mcp-server README](https://github.com/codescene-oss/codescene-mcp-server#frequently-asked-questions) and [CodeScene policies](https://codescene.com/policies). Do not use this skill for secrets, credentials, or paths you do not want analyzed. + +**If the MCP is unavailable (offline, bad token, server crash):** Do not invent Code Health scores. Tell the user the check was skipped. Continue only with explicit user approval. Prefer lint/tests/verification-loop for gating when MCP is down. Re-enable checks once the server connects. + +## When to Use + +- User asks to **review code quality**, **refactor** a file, or check if **AI changes degraded** maintainability +- Before editing a **hotspot**, legacy module, or unfamiliar file +- Before **commit** or **pull request** when you need a maintainability safeguard +- After a large agent-written diff — verify Code Health did not regress +- Pair with `verification-loop`, `tdd-workflow`, or `/quality-gate` as a structural check (not a replacement for tests/lint) + +## When to Activate + +Same triggers as **When to Use** above — this heading is what ECC uses for skill auto-activation. + +## How It Works + +### 1. Connect the MCP server + +Copy the `codescene` entry from `mcp-configs/mcp-servers.json` into your harness MCP config. + +**Claude Code** (`~/.claude.json` → `mcpServers`): + +```json +"codescene": { + "command": "npx", + "args": ["-y", "@codescene/codehealth-mcp"], + "env": { + "CS_ACCESS_TOKEN": "YOUR_CS_ACCESS_TOKEN_HERE" + } +} +``` + +**Project-scoped:** merge the same block into `.mcp.json` at the repo root. + +Token setup is documented in the upstream repo (link above). Standalone mode does not require a paid CodeScene platform account for the four tools listed below. Restart the session and confirm the `codescene` server is connected before relying on scores. + +### 2. Call standalone tools only + +| Tool | When to use | +|------|-------------| +| `code_health_review` | Full structural analysis **before** modifying a file | +| `code_health_score` | Quick numeric score after each change (delta check) | +| `pre_commit_code_health_safeguard` | Block commits that introduce Code Health regressions | +| `analyze_change_set` | Branch-level check **before** opening a PR | + +Do **not** call platform-only tools (e.g. repository-wide technical debt hotspot lists). Do **not** reference `delta_analysis` — not available on standalone. + +### 3. Interpret scores (1–10) + +| Range | Meaning | Agent behavior | +|-------|---------|----------------| +| **9.0–10.0** | Green — healthy | Safer to extend; still prefer vertical slices | +| **4.0–8.9** | Yellow — debt | Tread carefully; no drive-by refactors | +| **1.0–3.9** | Red — severe debt | Narrow scope only | + +### 4. Run the feedback loop + +**Before touching a file** + +1. Run `code_health_review` on the target path. +2. Record baseline score and listed code smells. +3. Plan the smallest change that addresses the task. + +Scope by score: **below 5** — minimal diff only; **5–7** — no broad refactors; **above 7** — safer to refactor, still verify after each edit. + +**After each change** + +1. Run `code_health_score` on the same file. +2. Compare to the baseline from `code_health_review`. +3. If the score **regressed**, fix before continuing. Never mark the task done while the score is lower than when you started. + +**Before every commit** — run `pre_commit_code_health_safeguard` on the repository path. + +**Before a PR** — run `analyze_change_set` against the base branch (e.g. `main`). + +## Examples + +### Example: Flask maintainability improvement + +On `pallets/flask`, an agent loop using only standalone tools: + +1. `code_health_review` on a target module (baseline **4.82**) +2. Targeted refactor addressing listed smells +3. `code_health_score` after each edit +4. `pre_commit_code_health_safeguard` before commit +5. `analyze_change_set` before PR + +Result: Code Health **4.82 → 9.1** (free standalone token only). + +### Example: AGENTS.md enforcement block + +Paste into the project `AGENTS.md` or `CLAUDE.md`: + +```md +## Code Health (CodeScene MCP) + +Before modifying any file: run `code_health_review`, note score and issues. + +- Score below 5: problematic range — scope changes narrowly. +- Score 5–7: warning range — no broad refactors. + +After each change: run `code_health_score` to verify delta. + +- If score regressed: fix before continuing; never declare done if score dropped. + +Before every commit: run `pre_commit_code_health_safeguard`. + +Before PR: run `analyze_change_set`. +``` + +### Example: anti-patterns vs correct loop + +```markdown +# BAD: Edit first, check later +[large refactor without code_health_review] + +# BAD: Ignore score drop +"Tests pass" → mark task done while Code Health decreased + +# BAD: Broad refactor on red-score file (below 5) +Drive-by cleanup across the module + +# GOOD: review → small change → score → commit safeguard → analyze_change_set +``` + +## Pairing with ECC + +| ECC skill / flow | Code Health MCP role | +|------------------|----------------------| +| `coding-standards` | Style/naming; Code Health = structure/complexity | +| `plankton-code-quality` | Write-time lint/format; Code Health = pre/post edit structural gate | +| `verification-loop` / `/quality-gate` | Add structural regression check before "done" | +| `security-review` | Security vs maintainability — use both when relevant | +| `tdd-workflow` | Tests pass ≠ healthy design — check score after refactors | + +**Context tip:** ECC recommends keeping MCP count low. Enable `codescene` when doing substantive edits; disable when not needed. + +## Related Skills + +- `coding-standards` — baseline conventions +- `plankton-code-quality` — write-time lint/format hooks +- `verification-loop` — build/test/lint gate +- `tdd-workflow` — test-first development +- `security-review` — security checklist +- `documentation-lookup` — library docs via Context7 (orthogonal)