Codebase MCP Server

codebase-mcp
docs
mcp-split-plan
phases
phase-00-preparation

PHASE-0-ARCHITECTURAL-REVIEW.md•45.3 kB

# Phase 0 Architectural Review **Document Version:** 1.0.0 **Review Date:** 2025-10-11 **Reviewer:** Claude Code (Software Architect) **Reviewed Document:** PHASE-0-FOUNDATION.md v1.0.0 --- ## Executive Summary **Overall Assessment:** **SOUND WITH RECOMMENDATIONS** The Phase 0 Foundation plan demonstrates strong architectural practices with comprehensive infrastructure setup for both workflow-mcp (new) and codebase-mcp (refactor preparation). The plan exhibits: ✅ **Strengths:** - Well-structured TDD approach with test infrastructure before implementation - Comprehensive CI/CD pipeline with proper service dependencies - Idempotent database setup scripts with permission validation - Risk mitigation through baseline collection and rollback procedures - Clear separation of concerns in project structure - Production-quality tooling (mypy strict, ruff, pytest with coverage) ⚠️ **Areas for Improvement:** - Database security practices need enhancement (hardcoded passwords, insufficient isolation) - CI/CD lacks security scanning and deployment automation - Configuration management could leverage secrets management tools - Missing container orchestration and local development consistency - Performance baseline collection needs validation strategy - Documentation gaps around operational procedures **Recommendation:** Proceed with Phase 0 execution with the following priority improvements: 1. **CRITICAL:** Remove hardcoded passwords, implement proper secrets management 2. **HIGH:** Add security scanning to CI/CD pipeline 3. **MEDIUM:** Enhance database setup with connection pooling validation 4. **LOW:** Add container development environment for consistency **Time Impact:** +8 hours for critical improvements (total: 48 hours vs. 40 planned) --- ## Repository Structure Assessment ### Phase 0A: workflow-mcp (New Repository) #### ✅ Strengths **1. Standard Python Project Layout** - Follows modern Python packaging standards (PEP 517/518) - Clean separation: `src/` for production code, `tests/` for test code - Proper namespace packaging with `workflow_mcp` package structure - Subdirectory organization by architectural layer: `models/`, `services/`, `tools/`, `utils/` **2. Layered Architecture Foundation** ``` src/workflow_mcp/ ├── models/ # Data models (Pydantic schemas) ├── services/ # Business logic layer ├── tools/ # MCP tool implementations └── utils/ # Shared utilities ``` This structure supports Clean Architecture principles with clear dependency directions. **3. Test Structure Mirrors Production** ``` tests/ ├── unit/ # Isolated unit tests ├── integration/ # Database + service integration ├── performance/ # Benchmarking tests └── fixtures/ # Shared test data ``` Strong separation enables targeted test execution and proper TDD workflow. **4. Configuration Management** - `pyproject.toml` centralizes all project configuration - `.env.template` provides clear configuration contract - `config.py` uses pydantic-settings for type-safe configuration loading #### ⚠️ Concerns and Recommendations **CRITICAL: Secrets Management** ```bash # ISSUE: .env.template contains example credentials POSTGRES_PASSWORD=your_password_here ``` **Recommendation:** ```bash # .env.template should not contain any real or example passwords POSTGRES_PASSWORD= # REQUIRED: Set via secure secrets management # Add .env.example with documentation only: # POSTGRES_PASSWORD - Database password (store in 1Password/LastPass/Vault) # Local dev: Generate via `openssl rand -base64 32` # CI/CD: Use GitHub Secrets or similar ``` **HIGH: Missing Configuration Validation** The `config.py` implementation lacks validation for critical settings: ```python # CURRENT: class Settings(BaseSettings): postgres_password: str # No validation # RECOMMENDED: from pydantic import Field, field_validator class Settings(BaseSettings): postgres_password: str = Field( min_length=16, description="Database password (min 16 chars)" ) @field_validator('postgres_password') @classmethod def validate_password_strength(cls, v: str) -> str: if v == "your_password_here" or v == "test_password": raise ValueError("Cannot use example passwords in production") return v max_active_projects: int = Field( ge=1, le=1000, default=50, description="Maximum concurrent projects (1-1000)" ) ``` **MEDIUM: Test Fixture Management** The `tests/conftest.py` creates a test database pool but lacks: - Connection pool size configuration - Connection timeout handling - Proper cleanup on test failures - Test isolation guarantees (parallel test safety) **Recommended Enhancement:** ```python import pytest import asyncpg from typing import AsyncGenerator import os @pytest.fixture(scope="session") def test_db_config() -> dict: """Test database configuration.""" return { "host": os.getenv("TEST_POSTGRES_HOST", "localhost"), "port": int(os.getenv("TEST_POSTGRES_PORT", "5432")), "user": os.getenv("TEST_POSTGRES_USER", "mcp_user"), "password": os.getenv("TEST_POSTGRES_PASSWORD"), "database": f"test_workflow_mcp_{os.getpid()}", # Per-process isolation "min_size": 2, "max_size": 5, "command_timeout": 10.0, # 10 second query timeout } @pytest.fixture(scope="session") async def test_db_pool(test_db_config: dict) -> AsyncGenerator[asyncpg.Pool, None]: """Create test database connection pool with proper lifecycle.""" # Create database if needed admin_pool = await asyncpg.create_pool( **{**test_db_config, "database": "postgres"}, min_size=1, max_size=1 ) async with admin_pool.acquire() as conn: await conn.execute(f'CREATE DATABASE {test_db_config["database"]}') await admin_pool.close() # Create application pool pool = await asyncpg.create_pool(**test_db_config) try: yield pool finally: await pool.close() # Cleanup: drop test database admin_pool = await asyncpg.create_pool( **{**test_db_config, "database": "postgres"}, min_size=1, max_size=1 ) async with admin_pool.acquire() as conn: await conn.execute( f'DROP DATABASE IF EXISTS {test_db_config["database"]}' ) await admin_pool.close() ``` **LOW: Missing Directory Structure Documentation** Add `src/workflow_mcp/README.md`: ```markdown # workflow_mcp Package Structure ## Directory Organization - `models/` - Pydantic data models and schemas - Input/output validation for MCP tools - Database table representations (future) - `services/` - Business logic layer - Project management service - Entity management service - Orchestrates database operations - `tools/` - MCP tool implementations - FastMCP tool decorators - Maps service methods to MCP protocol - `utils/` - Shared utilities - Database connection pooling - Logging configuration - Common validators ## Dependency Rules - `tools/` depends on `services/` (not vice versa) - `services/` depends on `models/` (not vice versa) - `utils/` has no dependencies on other modules - No circular dependencies allowed ``` ### Phase 0B: codebase-mcp (Refactor Preparation) #### ✅ Strengths **1. Comprehensive Baseline Collection** - Deterministic test repository generation (reproducible benchmarks) - Performance baseline collection before refactoring - Baseline parsing script for metrics visualization **2. Risk Mitigation Through Rollback Procedures** - Emergency rollback script with confirmation prompt - Backup tag creation before refactoring - Clear restoration procedures **3. Database Permission Validation** - Script validates PostgreSQL version (14+) - Checks CREATEDB permission dynamically - Validates pgvector extension availability - Tests dynamic database creation flow #### ⚠️ Concerns and Recommendations **HIGH: Baseline Collection Lacks Validation Strategy** The `test_baseline.py` has TODO placeholders without validation: ```python # ISSUE: No actual implementation def test_indexing_baseline(benchmark): def index_repo(): # TODO: Call current index_repository implementation pass # This will always pass! ``` **Recommendation:** ```python """Baseline performance tests before refactoring.""" import pytest from pathlib import Path from codebase_mcp.tools import index_repository, search_code @pytest.mark.benchmark @pytest.mark.skipif( not Path("test_repos/baseline_repo").exists(), reason="Baseline repo not generated" ) def test_indexing_baseline(benchmark, tmp_path): """Measure current indexing performance.""" test_repo = Path("test_repos/baseline_repo") # Use temporary database for isolation test_db_name = f"baseline_test_{tmp_path.name}" def index_repo(): result = index_repository( repo_path=str(test_repo), force_reindex=True, db_name=test_db_name ) assert result["status"] == "success" assert result["files_indexed"] > 0 return result result = benchmark(index_repo) # Store baseline for comparison baseline_file = Path("baseline-results.json") if baseline_file.exists(): import json with open(baseline_file, "r") as f: baseline_data = json.load(f) # Ensure we don't regress if "indexing_p95" in baseline_data: assert result["duration_seconds"] <= baseline_data["indexing_p95"] * 1.2, \ f"Indexing regressed: {result['duration_seconds']}s vs baseline {baseline_data['indexing_p95']}s" # Target: <60s for 10k files assert result["duration_seconds"] < 60.0, \ f"Indexing took {result['duration_seconds']}s (target: <60s)" @pytest.mark.benchmark def test_search_baseline(benchmark, test_db_pool): """Measure current search performance.""" # Assume indexing already done by previous test def search(): results = search_code( query="function definition", limit=10, db_pool=test_db_pool ) assert len(results["results"]) > 0 return results result = benchmark(search) # Target: <500ms p95 (benchmark returns median/mean/p95) assert result.stats.max < 0.5, \ f"Search p95 took {result.stats.max}s (target: <0.5s)" ``` **MEDIUM: Rollback Script Missing Pre-flight Checks** The `emergency_rollback.sh` lacks safety checks: ```bash # ISSUE: No validation of current state git reset --hard backup-before-refactor ``` **Recommended Enhancement:** ```bash #!/bin/bash set -e echo "⚠️ EMERGENCY ROLLBACK" # PRE-FLIGHT CHECKS echo "Performing pre-flight checks..." # Check if backup tag exists if ! git tag | grep -q "backup-before-refactor"; then echo "❌ ERROR: backup-before-refactor tag not found" echo "Cannot proceed with rollback without backup reference." exit 1 fi # Check if on refactor branch (safety) CURRENT_BRANCH=$(git branch --show-current) if [ "$CURRENT_BRANCH" != "004-multi-project-refactor" ]; then echo "⚠️ WARNING: Not on refactor branch (current: $CURRENT_BRANCH)" echo "This rollback is intended for the refactor branch." read -p "Continue anyway? (yes/no): " continue_confirm if [ "$continue_confirm" != "yes" ]; then exit 0 fi fi # Check for uncommitted changes if ! git diff-index --quiet HEAD --; then echo "⚠️ WARNING: Uncommitted changes detected" git status --short echo "" read -p "Stash these changes? (yes/no): " stash_confirm if [ "$stash_confirm" == "yes" ]; then STASH_MSG="emergency-rollback-$(date +%Y%m%d-%H%M%S)" git stash push -m "$STASH_MSG" echo "✅ Changes stashed as: $STASH_MSG" fi fi # Final confirmation echo "" echo "This will:" echo " 1. Checkout main branch" echo " 2. Reset to backup-before-refactor tag" echo " 3. DISCARD all refactoring work" echo "" read -p "Are you ABSOLUTELY sure? (type 'ROLLBACK'): " confirm if [ "$confirm" != "ROLLBACK" ]; then echo "Rollback cancelled." exit 0 fi # Perform rollback git checkout main git reset --hard backup-before-refactor echo "✅ Rollback complete" echo "Repository restored to: $(git log -1 --oneline)" echo "" echo "Refactor branch preserved: 004-multi-project-refactor" echo "To delete refactor branch: git branch -D 004-multi-project-refactor" ``` **LOW: Missing Performance Regression Detection** Add `scripts/compare_baseline.py`: ```python """Compare current performance against baseline.""" import json import sys from pathlib import Path from typing import Dict, Any def load_baseline(path: Path) -> Dict[str, Any]: """Load baseline results.""" with open(path) as f: return json.load(f) def compare_results(baseline: Dict, current: Dict) -> bool: """Compare performance metrics, return True if acceptable.""" metrics = { "indexing_p95": {"threshold": 1.2, "unit": "seconds"}, "search_p95": {"threshold": 1.2, "unit": "milliseconds"}, } passed = True for metric, config in metrics.items(): baseline_val = baseline.get(metric) current_val = current.get(metric) if baseline_val and current_val: ratio = current_val / baseline_val threshold = config["threshold"] status = "✅" if ratio <= threshold else "❌" print(f"{status} {metric}: {current_val:.2f}{config['unit']} " f"(baseline: {baseline_val:.2f}, ratio: {ratio:.2f}x)") if ratio > threshold: passed = False print(f" ⚠️ Exceeds threshold of {threshold}x") return passed if __name__ == "__main__": baseline_file = Path("baseline-results.json") current_file = Path(sys.argv[1]) if len(sys.argv) > 1 else None if not current_file or not current_file.exists(): print("Usage: python scripts/compare_baseline.py <current-results.json>") sys.exit(1) baseline = load_baseline(baseline_file) current = load_baseline(current_file) if not compare_results(baseline, current): print("\n❌ Performance regression detected!") sys.exit(1) else: print("\n✅ Performance meets baseline requirements") sys.exit(0) ``` --- ## CI/CD Pipeline Assessment ### GitHub Actions Workflows #### ✅ Strengths **1. Proper Service Dependencies** ```yaml services: postgres: image: postgres:14 options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 ``` - Health checks ensure PostgreSQL is ready before tests - Proper service isolation with containerization - Correct PostgreSQL version (14) matches production requirements **2. Separation of Concerns** - Separate `lint` and `test` jobs allow parallel execution - Independent `performance.yml` workflow prevents blocking main CI - Lint job fails fast (no DB dependency) **3. Modern GitHub Actions Practices** - Uses `actions/checkout@v4` (latest) - Uses `actions/setup-python@v4` (latest) - Proper Python version pinning (3.11) - Coverage upload to codecov (observability) **4. Performance Benchmarking** - Scheduled weekly performance runs - Benchmark result storage for trend analysis - Separate workflow prevents main CI slowdown #### ⚠️ Concerns and Recommendations **CRITICAL: Missing Security Scanning** The CI/CD pipeline lacks security vulnerability scanning: **Recommended Addition - `.github/workflows/security.yml`:** ```yaml name: Security on: push: branches: [main, develop] pull_request: branches: [main, develop] schedule: - cron: '0 0 * * 1' # Weekly on Monday jobs: dependency-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v4 with: python-version: '3.11' - name: Install dependencies run: pip install -e ".[dev]" - name: Run Safety check run: | pip install safety safety check --json - name: Run Bandit security linter run: | pip install bandit bandit -r src/ -f json -o bandit-report.json - name: Upload security reports uses: actions/upload-artifact@v3 with: name: security-reports path: | safety-report.json bandit-report.json secret-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # Full history for secret scanning - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` **HIGH: Database Credentials Hardcoded** ```yaml # ISSUE: Hardcoded password in workflow env: POSTGRES_PASSWORD: postgres run: | psql -h localhost -U postgres -c "CREATE ROLE mcp_user WITH LOGIN PASSWORD 'test_password' CREATEDB;" ``` **Recommendation:** ```yaml # Use GitHub Secrets env: POSTGRES_PASSWORD: ${{ secrets.CI_POSTGRES_PASSWORD }} TEST_MCP_PASSWORD: ${{ secrets.CI_MCP_USER_PASSWORD }} run: | psql -h localhost -U postgres -c "CREATE ROLE mcp_user WITH LOGIN PASSWORD '${TEST_MCP_PASSWORD}' CREATEDB;" ``` **MEDIUM: Missing Test Coverage Enforcement** Add coverage threshold check: ```yaml - name: Run tests env: POSTGRES_PASSWORD: ${{ secrets.CI_MCP_USER_PASSWORD }} run: | pytest tests/ -v \ --cov=src \ --cov-report=xml \ --cov-report=term \ --cov-fail-under=80 # Fail if coverage < 80% ``` **MEDIUM: No Deployment Automation** Add deployment workflow for main branch: ```yaml # .github/workflows/deploy.yml name: Deploy on: push: branches: [main] tags: ['v*'] jobs: publish: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/v') steps: - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v4 with: python-version: '3.11' - name: Build package run: | pip install build python -m build - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: password: ${{ secrets.PYPI_API_TOKEN }} ``` **LOW: Missing Matrix Testing** Enhance test coverage across Python versions: ```yaml test: runs-on: ubuntu-latest strategy: matrix: python-version: ['3.11', '3.12'] postgres-version: ['14', '15', '16'] services: postgres: image: postgres:${{ matrix.postgres-version }} # ... rest of config steps: # ... existing steps - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} ``` **LOW: Performance Workflow Missing Failure Alerts** Add notification on performance regression: ```yaml - name: Run performance tests id: benchmark run: | pytest tests/performance -v --benchmark-only --benchmark-json=current.json python scripts/compare_baseline.py current.json - name: Notify on regression if: failure() && steps.benchmark.outcome == 'failure' uses: actions/github-script@v6 with: script: | github.rest.issues.create({ owner: context.repo.owner, repo: context.repo.repo, title: 'Performance regression detected', body: 'Performance benchmarks failed. Review workflow logs.', labels: ['performance', 'regression'] }) ``` --- ## Database Setup Assessment ### PostgreSQL Setup Scripts #### ✅ Strengths **1. Idempotent Script Design** ```sql DO $$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mcp_user') THEN CREATE ROLE mcp_user WITH LOGIN PASSWORD 'your_password_here'; END IF; END $$; ``` - Scripts can be run multiple times safely - Uses conditional existence checks - Proper error handling with `set -e` **2. Comprehensive Validation** - `verify_database.sh` checks database existence - Validates CREATEDB permission dynamically - Verifies schema creation - Provides clear success/failure messages **3. Separation of Environments** - Separate databases: `project_registry` (production), `test_workflow_mcp` (testing) - Environment-specific configuration through `.env` files **4. PostgreSQL Version Checking** ```bash PG_VERSION=$(psql --version | grep -oE '[0-9]+\.[0-9]+' | head -1) MAJOR_VERSION=$(echo $PG_VERSION | cut -d. -f1) if [ "$MAJOR_VERSION" -lt 14 ]; then echo "❌ PostgreSQL version $PG_VERSION is too old (need 14+)" exit 1 fi ``` - Enforces version requirements - Clear error messages #### ⚠️ Concerns and Recommendations **CRITICAL: Password Security Vulnerability** Multiple password security issues: 1. **Hardcoded passwords in scripts:** ```bash # ISSUE: Password in plaintext in script CREATE ROLE mcp_user WITH LOGIN PASSWORD 'your_password_here'; ``` 2. **Password in environment variables:** ```bash # ISSUE: Password readable via `ps aux | grep psql` psql -h localhost -U postgres -c "CREATE ROLE..." ``` 3. **Password in git history:** If `.env` is accidentally committed, passwords are in git history forever. **Recommended Solution:** ```bash #!/bin/bash set -e echo "🗄️ Setting up PostgreSQL for workflow-mcp..." # Check for required environment variables if [ -z "$SETUP_POSTGRES_PASSWORD" ]; then echo "❌ ERROR: SETUP_POSTGRES_PASSWORD not set" echo " Usage: SETUP_POSTGRES_PASSWORD='...' ./scripts/setup_database.sh" exit 1 fi # Use .pgpass file for secure password handling PGPASS_FILE="$HOME/.pgpass" PGPASS_BACKUP="$HOME/.pgpass.backup.$(date +%s)" # Backup existing .pgpass if present if [ -f "$PGPASS_FILE" ]; then cp "$PGPASS_FILE" "$PGPASS_BACKUP" echo "ℹ️ Backed up existing .pgpass to $PGPASS_BACKUP" fi # Add temporary credential (will be removed at end) echo "localhost:5432:*:postgres:$SETUP_POSTGRES_PASSWORD" >> "$PGPASS_FILE" chmod 600 "$PGPASS_FILE" # Generate secure random password for mcp_user MCP_USER_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32) # Create database user with generated password psql -h localhost -U postgres -c " DO \$\$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mcp_user') THEN CREATE ROLE mcp_user WITH LOGIN PASSWORD '$MCP_USER_PASSWORD'; ELSE ALTER ROLE mcp_user WITH PASSWORD '$MCP_USER_PASSWORD'; END IF; END \$\$; " 2>/dev/null # Store mcp_user password in .pgpass echo "localhost:5432:project_registry:mcp_user:$MCP_USER_PASSWORD" >> "$PGPASS_FILE" echo "localhost:5432:test_workflow_mcp:mcp_user:$MCP_USER_PASSWORD" >> "$PGPASS_FILE" # Cleanup: Remove temporary postgres credential if [ -f "$PGPASS_BACKUP" ]; then mv "$PGPASS_BACKUP" "$PGPASS_FILE" else # Remove only the line we added grep -v "localhost:5432:\*:postgres:" "$PGPASS_FILE" > "${PGPASS_FILE}.tmp" mv "${PGPASS_FILE}.tmp" "$PGPASS_FILE" fi chmod 600 "$PGPASS_FILE" # Write password to secure location for application use echo "POSTGRES_PASSWORD=$MCP_USER_PASSWORD" >> .env.local chmod 600 .env.local echo "✅ Database setup complete!" echo "" echo "⚠️ IMPORTANT: Password stored in:" echo " - ~/.pgpass (for psql access)" echo " - .env.local (for application use)" echo "" echo "Next: Add .env.local to .gitignore if not already present" ``` **Update `.gitignore`:** ```gitignore # Environment files with secrets .env .env.local .env.*.local # PostgreSQL password file .pgpass ``` **HIGH: Missing Connection Pooling Validation** The setup scripts create databases but don't validate connection pooling: **Add to `verify_database.sh`:** ```bash # Test connection pooling echo "Testing connection pooling..." python3 << 'EOF' import asyncio import asyncpg import os async def test_pool(): """Test connection pool creation and basic operations.""" pool = await asyncpg.create_pool( host="localhost", port=5432, user="mcp_user", password=os.getenv("POSTGRES_PASSWORD"), database="project_registry", min_size=2, max_size=10, command_timeout=10.0, ) # Test concurrent connections async def query(n): async with pool.acquire() as conn: result = await conn.fetchval(f"SELECT {n}") return result results = await asyncio.gather(*[query(i) for i in range(5)]) assert results == list(range(5)), "Connection pool query failed" await pool.close() print("✅ Connection pooling works correctly") asyncio.run(test_pool()) EOF if [ $? -ne 0 ]; then echo "❌ Connection pooling test failed" exit 1 fi ``` **MEDIUM: Missing Database Schema Initialization** The `init_registry_schema.sql` creates a placeholder table but doesn't follow best practices: **Recommended Enhancement:** ```sql -- Registry database schema for project tracking -- Version: 0.1.0 -- Created: 2025-10-11 -- Enable required extensions CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; -- Create schema CREATE SCHEMA IF NOT EXISTS registry; -- Set search path SET search_path TO registry, public; -- System metadata table CREATE TABLE IF NOT EXISTS registry.system_info ( id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), version VARCHAR(20) NOT NULL, initialized_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- Constraints CONSTRAINT version_format CHECK (version ~ '^\d+\.\d+\.\d+$') ); -- Create updated_at trigger function CREATE OR REPLACE FUNCTION registry.update_updated_at_column() RETURNS TRIGGER AS $$ BEGIN NEW.updated_at = NOW(); RETURN NEW; END; $$ LANGUAGE plpgsql; -- Apply trigger to system_info CREATE TRIGGER system_info_updated_at BEFORE UPDATE ON registry.system_info FOR EACH ROW EXECUTE FUNCTION registry.update_updated_at_column(); -- Insert initial version (idempotent) INSERT INTO registry.system_info (version) VALUES ('0.1.0') ON CONFLICT (id) DO NOTHING; -- Create migration tracking table CREATE TABLE IF NOT EXISTS registry.schema_migrations ( id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), version VARCHAR(20) NOT NULL UNIQUE, description TEXT, applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), checksum VARCHAR(64), -- Constraints CONSTRAINT version_format_migration CHECK (version ~ '^\d+\.\d+\.\d+$') ); -- Record initial migration INSERT INTO registry.schema_migrations (version, description, checksum) VALUES ( '0.1.0', 'Initial schema setup with system_info and migration tracking', encode(sha256('init_registry_schema.sql'::bytea), 'hex') ) ON CONFLICT (version) DO NOTHING; -- Grant permissions GRANT USAGE ON SCHEMA registry TO mcp_user; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA registry TO mcp_user; GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA registry TO mcp_user; -- Set default privileges for future objects ALTER DEFAULT PRIVILEGES IN SCHEMA registry GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO mcp_user; ALTER DEFAULT PRIVILEGES IN SCHEMA registry GRANT USAGE, SELECT ON SEQUENCES TO mcp_user; -- Verify schema DO $$ BEGIN ASSERT (SELECT COUNT(*) FROM registry.system_info) = 1, 'system_info table should have exactly one row'; ASSERT (SELECT version FROM registry.system_info LIMIT 1) = '0.1.0', 'system_info version should be 0.1.0'; RAISE NOTICE 'Schema validation passed'; END $$; ``` **MEDIUM: Missing Backup and Restore Procedures** Add database backup script: ```bash #!/bin/bash # scripts/backup_database.sh set -e BACKUP_DIR="./backups" TIMESTAMP=$(date +%Y%m%d_%H%M%S) BACKUP_FILE="$BACKUP_DIR/workflow_mcp_$TIMESTAMP.sql" mkdir -p "$BACKUP_DIR" echo "📦 Creating database backup..." pg_dump \ -h localhost \ -U mcp_user \ -d project_registry \ -F p \ -f "$BACKUP_FILE" \ --no-owner \ --no-acl gzip "$BACKUP_FILE" echo "✅ Backup complete: ${BACKUP_FILE}.gz" echo "Size: $(du -h ${BACKUP_FILE}.gz | cut -f1)" ``` **LOW: Missing Database Performance Tuning** Add performance configuration to setup script: ```bash # Add to setup_database.sh after database creation echo "Configuring PostgreSQL for optimal performance..." psql -h localhost -U postgres -d project_registry <<EOF -- Connection pooling settings ALTER SYSTEM SET max_connections = 100; ALTER SYSTEM SET shared_buffers = '256MB'; ALTER SYSTEM SET effective_cache_size = '1GB'; ALTER SYSTEM SET maintenance_work_mem = '64MB'; ALTER SYSTEM SET checkpoint_completion_target = 0.9; ALTER SYSTEM SET wal_buffers = '16MB'; ALTER SYSTEM SET default_statistics_target = 100; ALTER SYSTEM SET random_page_cost = 1.1; ALTER SYSTEM SET effective_io_concurrency = 200; ALTER SYSTEM SET work_mem = '4MB'; ALTER SYSTEM SET min_wal_size = '1GB'; ALTER SYSTEM SET max_wal_size = '4GB'; SELECT pg_reload_conf(); EOF echo "✅ Performance tuning applied" ``` --- ## Development Workflow Assessment ### Makefile and Development Tools #### ✅ Strengths **1. Comprehensive Development Commands** - `make install` - Single command dependency installation - `make test` / `make test-cov` - Easy testing with coverage - `make lint` / `make format` - Code quality enforcement - `make run` - Local server startup - `make db-setup` / `make db-verify` - Database lifecycle **2. VSCode Integration** ```json { "python.testing.pytestEnabled": true, "python.linting.mypyEnabled": true, "editor.formatOnSave": true, "editor.rulers": [100] } ``` - Consistent development environment - Automated formatting on save - Visual test runner integration - Type checking enabled **3. Clean Separation of Tasks** - Lint and test are separate commands - Clean command removes all artifacts - Database commands isolated from application commands #### ⚠️ Concerns and Recommendations **HIGH: Missing Pre-commit Hooks** No automated quality checks before commits. Developers might commit failing code. **Recommendation - Add `.pre-commit-config.yaml`:** ```yaml # .pre-commit-config.yaml repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer - id: check-yaml - id: check-added-large-files - id: check-merge-conflict - id: detect-private-key - repo: https://github.com/astral-sh/ruff-pre-commit rev: v0.1.6 hooks: - id: ruff args: [--fix, --exit-non-zero-on-fix] - id: ruff-format - repo: https://github.com/pre-commit/mirrors-mypy rev: v1.7.1 hooks: - id: mypy additional_dependencies: [types-all] args: [--strict] - repo: local hooks: - id: pytest-fast name: pytest (fast tests only) entry: pytest tests/unit -x language: system pass_filenames: false always_run: true ``` **Add to Makefile:** ```makefile .PHONY: install-hooks install-hooks: pip install pre-commit pre-commit install pre-commit install --hook-type commit-msg .PHONY: check-commit check-commit: pre-commit run --all-files ``` **Update documentation to include:** ```bash # After cloning repository make install make install-hooks # One-time setup ``` **MEDIUM: Missing Container Development Environment** No Docker/Podman support for consistent local development. **Recommendation - Add `docker-compose.yml`:** ```yaml version: '3.8' services: postgres: image: postgres:14 container_name: workflow-mcp-postgres environment: POSTGRES_PASSWORD: ${SETUP_POSTGRES_PASSWORD:-devpassword} POSTGRES_DB: project_registry ports: - "5432:5432" volumes: - postgres_data:/var/lib/postgresql/data - ./scripts/init_registry_schema.sql:/docker-entrypoint-initdb.d/01-init.sql healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] interval: 10s timeout: 5s retries: 5 workflow-mcp: build: context: . dockerfile: Dockerfile container_name: workflow-mcp-server environment: POSTGRES_HOST: postgres POSTGRES_PORT: 5432 POSTGRES_USER: mcp_user POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} POSTGRES_DB: project_registry MCP_SERVER_PORT: 8002 ports: - "8002:8002" depends_on: postgres: condition: service_healthy volumes: - ./src:/app/src - ./tests:/app/tests command: ["python", "-m", "workflow_mcp.server"] volumes: postgres_data: ``` **Add `Dockerfile`:** ```dockerfile FROM python:3.11-slim WORKDIR /app # Install system dependencies RUN apt-get update && apt-get install -y \ gcc \ postgresql-client \ && rm -rf /var/lib/apt/lists/* # Copy dependency files COPY pyproject.toml ./ COPY src/workflow_mcp/__init__.py src/workflow_mcp/ # Install Python dependencies RUN pip install --no-cache-dir -e ".[dev]" # Copy application code COPY src/ src/ COPY tests/ tests/ # Run as non-root user RUN useradd -m -u 1000 mcp && chown -R mcp:mcp /app USER mcp EXPOSE 8002 CMD ["python", "-m", "workflow_mcp.server"] ``` **Update Makefile:** ```makefile .PHONY: docker-up docker-down docker-logs docker-test docker-up: docker-compose up -d docker-down: docker-compose down docker-logs: docker-compose logs -f workflow-mcp docker-test: docker-compose exec workflow-mcp pytest tests/ -v ``` **MEDIUM: Incomplete Documentation** The `README.md` and `CONTRIBUTING.md` lack operational procedures. **Add `OPERATIONS.md`:** ```markdown # Operations Guide ## Local Development ### First-Time Setup ```bash # 1. Clone repository git clone <repo-url> cd workflow-mcp # 2. Install dependencies make install # 3. Setup pre-commit hooks make install-hooks # 4. Configure environment cp .env.template .env # Edit .env with secure credentials # 5. Setup database make db-setup # 6. Verify setup make db-verify make test ``` ### Daily Development Workflow ```bash # Start development session make run # In terminal 1 # Run tests (watch mode) pytest-watch tests/ # In terminal 2 # Before committing make lint make test-cov git commit ``` ### Docker Development ```bash # Start services make docker-up # View logs make docker-logs # Run tests in container make docker-test # Stop services make docker-down ``` ## Troubleshooting ### Database Connection Errors ```bash # Check PostgreSQL is running pg_isready -h localhost -p 5432 # Verify credentials psql -h localhost -U mcp_user -d project_registry -c "SELECT version();" # Reset database ./scripts/setup_database.sh ``` ### Test Failures ```bash # Run specific test pytest tests/unit/test_server.py::test_health_check -v # Run with debugging pytest --pdb tests/unit/ # Clean test artifacts make clean ``` ### Performance Issues ```bash # Collect baseline ./scripts/collect_baseline.sh # Run performance tests only pytest tests/performance --benchmark-only ``` ## Production Deployment ### Prerequisites - PostgreSQL 14+ with CREATEDB permission - Python 3.11+ - Secure credential management (Vault/AWS Secrets Manager) ### Deployment Steps 1. Pull latest code: `git pull origin main` 2. Install dependencies: `pip install -e .` 3. Run migrations: `./scripts/migrate_database.sh` 4. Verify health: `curl http://localhost:8002/health` 5. Monitor logs: `tail -f /tmp/workflow-mcp.log` ### Monitoring - Health endpoint: `GET /health` - Metrics endpoint: `GET /metrics` (TODO: Phase 2) - Logs: `/tmp/workflow-mcp.log` ``` **LOW: Missing Changelog Management** Add `CHANGELOG.md`: ```markdown # Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ### Added - Initial repository structure - FastMCP server boilerplate - Database setup scripts - CI/CD pipeline ## [0.1.0] - 2025-10-11 (Phase 0) ### Added - Project initialization - FastMCP server with health check endpoint - PostgreSQL database setup with CREATEDB permission - GitHub Actions CI/CD workflows - Development tooling (Makefile, VSCode config, linting) - Comprehensive documentation [Unreleased]: https://github.com/org/workflow-mcp/compare/v0.1.0...HEAD [0.1.0]: https://github.com/org/workflow-mcp/releases/tag/v0.1.0 ``` **LOW: Missing Development Environment Verification** Add `scripts/verify_dev_environment.sh`: ```bash #!/bin/bash set -e echo "🔍 Verifying development environment..." # Check Python version PYTHON_VERSION=$(python --version 2>&1 | grep -oE '[0-9]+\.[0-9]+') MAJOR=$(echo $PYTHON_VERSION | cut -d. -f1) MINOR=$(echo $PYTHON_VERSION | cut -d. -f2) if [ "$MAJOR" -lt 3 ] || [ "$MINOR" -lt 11 ]; then echo "❌ Python version $PYTHON_VERSION is too old (need 3.11+)" exit 1 fi echo "✅ Python $PYTHON_VERSION" # Check PostgreSQL if command -v psql &> /dev/null; then PG_VERSION=$(psql --version | grep -oE '[0-9]+\.[0-9]+' | head -1) echo "✅ PostgreSQL $PG_VERSION" else echo "❌ PostgreSQL not installed" exit 1 fi # Check virtual environment if [ -z "$VIRTUAL_ENV" ]; then echo "⚠️ Not in a virtual environment (recommended)" else echo "✅ Virtual environment active: $VIRTUAL_ENV" fi # Check dependencies installed if python -c "import fastmcp" 2>/dev/null; then echo "✅ FastMCP installed" else echo "❌ FastMCP not installed (run: make install)" exit 1 fi # Check database connection if [ -f ".env" ]; then echo "✅ .env file exists" else echo "⚠️ .env file not found (copy from .env.template)" fi # Check pre-commit hooks if [ -f ".git/hooks/pre-commit" ]; then echo "✅ Pre-commit hooks installed" else echo "⚠️ Pre-commit hooks not installed (run: make install-hooks)" fi echo "" echo "🎉 Development environment verification complete!" ``` --- ## Recommendations ### Priority 1: CRITICAL (Must Fix Before Execution) **1. Remove Hardcoded Passwords (Security)** - **Impact:** High - Security vulnerability, credentials in git history - **Effort:** 2 hours - **Changes Required:** - Update `setup_database.sh` to use `.pgpass` and generated passwords - Remove example passwords from `.env.template` - Update `.github/workflows/ci.yml` to use GitHub Secrets - Add `.env.local` to `.gitignore` **2. Add Security Scanning to CI/CD** - **Impact:** High - Prevents vulnerable dependencies in production - **Effort:** 1 hour - **Changes Required:** - Create `.github/workflows/security.yml` - Add Safety, Bandit, and Gitleaks scans - Configure scheduled weekly scans ### Priority 2: HIGH (Should Fix Before Execution) **3. Implement Baseline Validation** - **Impact:** Medium - Ensures baseline collection actually works - **Effort:** 2 hours - **Changes Required:** - Complete `test_baseline.py` with actual implementations - Add `compare_baseline.py` script - Integrate into CI/CD performance workflow **4. Add Configuration Validation** - **Impact:** Medium - Prevents misconfiguration errors - **Effort:** 1 hour - **Changes Required:** - Enhance `config.py` with Pydantic validators - Add password strength checks - Add range validation for numeric settings **5. Enhance Test Fixture Isolation** - **Impact:** Medium - Prevents test pollution and flakiness - **Effort:** 2 hours - **Changes Required:** - Update `conftest.py` with per-process database isolation - Add connection timeout configuration - Add proper cleanup on test failures ### Priority 3: MEDIUM (Nice to Have) **6. Add Pre-commit Hooks** - **Impact:** Medium - Improves code quality, prevents bad commits - **Effort:** 1 hour - **Changes Required:** - Create `.pre-commit-config.yaml` - Add `make install-hooks` target - Update documentation **7. Add Container Development Environment** - **Impact:** Medium - Ensures consistent development environment - **Effort:** 3 hours - **Changes Required:** - Create `docker-compose.yml` and `Dockerfile` - Add Docker-related Makefile targets - Update documentation with Docker workflow **8. Enhance Database Setup Scripts** - **Impact:** Medium - Better database initialization and management - **Effort:** 2 hours - **Changes Required:** - Improve `init_registry_schema.sql` with migrations tracking - Add connection pooling validation - Add backup/restore scripts ### Priority 4: LOW (Future Improvement) **9. Add Operations Documentation** - **Impact:** Low - Improves onboarding and troubleshooting - **Effort:** 2 hours - **Changes Required:** - Create `OPERATIONS.md` with procedures - Add troubleshooting guide - Document production deployment steps **10. Add Matrix Testing** - **Impact:** Low - Broader compatibility testing - **Effort:** 1 hour - **Changes Required:** - Update CI workflow with matrix strategy - Test Python 3.11, 3.12 - Test PostgreSQL 14, 15, 16 --- ## Overall Assessment ### Summary by Category | Category | Status | Grade | Critical Issues | High Issues | Medium Issues | |----------|--------|-------|-----------------|-------------|---------------| | Repository Structure | Sound | A- | 0 | 1 | 2 | | CI/CD Pipeline | Needs Improvement | B | 1 | 3 | 2 | | Database Setup | Needs Improvement | B- | 1 | 2 | 3 | | Development Workflow | Sound | B+ | 0 | 2 | 3 | | **Overall** | **SOUND WITH RECOMMENDATIONS** | **B+** | **2** | **8** | **10** | ### Estimated Time Impact | Priority | Fixes | Estimated Time | Cumulative | |----------|-------|----------------|------------| | Phase 0 (Original) | N/A | 40 hours | 40 hours | | Critical Fixes | 2 items | +3 hours | 43 hours | | High Priority | 3 items | +5 hours | 48 hours | | Medium Priority | 3 items | +6 hours | 54 hours | | Low Priority | 2 items | +3 hours | 57 hours | **Recommended Minimum:** Phase 0 + Critical + High = **48 hours** (vs. 40 planned) ### Risk Assessment **Before Fixes:** - **Security Risk:** HIGH (hardcoded passwords, no security scanning) - **Quality Risk:** MEDIUM (no baseline validation, limited test isolation) - **Operational Risk:** MEDIUM (no container environment, incomplete docs) **After Critical + High Fixes:** - **Security Risk:** LOW (passwords secured, scanning enabled) - **Quality Risk:** LOW (baseline validated, tests isolated) - **Operational Risk:** MEDIUM (still needs container environment) ### Architectural Principles Compliance | Principle | Compliance | Notes | |-----------|------------|-------| | **Simplicity** | ✅ Excellent | Clean structure, minimal boilerplate | | **Local-First** | ✅ Excellent | No cloud dependencies | | **Protocol Compliance** | ✅ Excellent | FastMCP properly configured | | **Performance** | ⚠️ Partial | Baseline collection needs validation | | **Production Quality** | ⚠️ Partial | Security issues, missing error handling | | **Specification-First** | ✅ Excellent | Phase 0 properly specified | | **Test-Driven** | ✅ Excellent | Test infrastructure before implementation | | **Type Safety** | ✅ Excellent | mypy --strict enabled | | **Git Micro-Commits** | ✅ Excellent | Atomic commits demonstrated | | **FastMCP Foundation** | ✅ Excellent | Proper FastMCP usage | ### Constitutional Compliance The Phase 0 plan aligns well with the project constitution: ✅ **Aligned:** - Focus on simplicity (minimal boilerplate) - Local-first architecture (no cloud dependencies) - TDD approach (test infrastructure first) - Type safety (mypy strict, Pydantic) - Git micro-commits demonstrated ⚠️ **Partial Alignment:** - Production quality needs security improvements - Performance guarantees need baseline validation ❌ **Misaligned:** - None identified --- ## Conclusion The Phase 0 Foundation plan is **architecturally sound** with a comprehensive approach to infrastructure setup. The plan demonstrates strong software engineering practices including: - Modern Python project structure - Test-driven development foundation - CI/CD automation - Proper database lifecycle management - Clear documentation **However**, the plan requires **critical security improvements** before execution, particularly around password management and security scanning. The recommended fixes add approximately **8 hours** to the 40-hour timeline (20% increase) but significantly reduce security and quality risks. **Final Recommendation:** **APPROVE PHASE 0 WITH MANDATORY CRITICAL FIXES** Execute Phase 0 with the following adjustments: 1. ✅ Implement Critical fixes (passwords, security scanning) - **MANDATORY** 2. ✅ Implement High priority fixes (baseline validation, config validation) - **STRONGLY RECOMMENDED** 3. ⏸️ Defer Medium/Low priority fixes to Phase 1 or later - **OPTIONAL** Revised timeline: **48 hours** (6 days × 8 hours) --- **Review Status:** COMPLETE **Next Step:** Address critical recommendations, then proceed with Phase 0 execution **Reviewer Signature:** Claude Code (Software Architect) **Date:** 2025-10-11

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Ravenight13/codebase-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

PHASE-0-ARCHITECTURAL-REVIEW.md•45.3 kB