Local DeepWiki MCP Server

CODE_REVIEW.md•12.9 KiB

# Code Review: Local DeepWiki MCP Server **Date**: 2026-01-12 **Reviewer**: Claude (Opus 4.5) ## Issues Fixed The following issues have been addressed: - **[CRITICAL #1]** SQL injection - Added input validation against allowed Language/ChunkType enums - **[CRITICAL #2]** Path traversal - Added path validation with `is_relative_to()` check - **[HIGH #3]** Ollama health check - Added connection validation with clear error messages - **[HIGH #4]** Unbounded memory - Implemented batched chunk processing with configurable batch size - **[HIGH #5]** Global mutable state - Added thread-safe singleton with `threading.Lock` and `contextvars` for async contexts - **[MEDIUM #6]** Multi-line docstring - Implemented `_collect_preceding_comments()` for all languages - **[MEDIUM #7]** Hardcoded limits - Added `WikiConfig` class with configurable limits - **[MEDIUM #8]** Missing retry logic - Added retry with exponential backoff to all LLM providers - **[MEDIUM #9]** Inefficient get_chunk_by_id - Added LanceDB scalar indexes on `id` and `file_path` columns - **[MEDIUM #10]** Sync file I/O in async functions - Converted to async using `asyncio.to_thread()` - **[QUALITY #11]** Duplicate chunk-to-dict code - Added `to_vector_record()` method to `CodeChunk` model - **[QUALITY #12]** Missing input validation on MCP tools - Added validation helpers for integers, strings, enums, and provider values with bounds checking - **[QUALITY #13]** Test coverage gaps - Added tests for MCP server handlers (24 tests), provider error handling (17 tests), and vectorstore edge cases (19 tests) - **[QUALITY #14]** Inconsistent exception handling - Added logging to all silent exception handlers (7 files updated) - **[QUALITY #15]** Type hints could be more specific - Added `ProgressCallback` Protocol type and updated all callback signatures - **[ARCH #16]** Manifest caching - Added `ManifestCacheEntry` class and `get_cached_manifest()` function with file modification time-based invalidation - **[ARCH #17]** Large file processing - Added memory-mapped file reading for files >1MB and chunked hash computation via `_read_file_content()` and `_compute_file_hash()` helpers - **[ARCH #18]** Structured logging - Added `logging.py` module with structured logging throughout - **[ARCH #19]** Database migrations - Added `schema_version` field to `IndexStatus` model and migration logic in `indexer.py` with version history tracking - **[ARCH #20]** Web UI template caching - Moved inline HTML to `templates/page.html` file and configured Flask with Jinja2 template caching - **[MINOR #21]** Missing languages in config defaults - Added ruby, php, kotlin, csharp to default `parsing.languages` list - **[MINOR #22]** Dataclass pattern - Already implemented; all data holder classes use `@dataclass` (ClassInfo, Parameter, FunctionSignature, TocEntry, EntityInfo, etc.) - **[MINOR #23]** Add `__repr__` methods - Added concise `__repr__` methods to all Pydantic models (CodeChunk, FileInfo, IndexStatus, WikiPage, WikiStructure, SearchResult, WikiPageStatus, WikiGenerationStatus) - **[MINOR #24]** Use pathlib consistently - Changed `str.split("/")` to `Path.parts` in diagrams.py for cross-platform compatibility; codebase already uses Path appropriately elsewhere - **[MINOR #25]** Pre-commit hooks - Added `.pre-commit-config.yaml` with black, isort, mypy, and pre-commit-hooks; added tool configs to `pyproject.toml` --- ## Executive Summary This is a well-architected, ~10,000 line Python codebase implementing a local, privacy-focused documentation generator with RAG capabilities. The code is well-organized with good separation of concerns, type hints throughout, and solid test coverage (320 tests). Below are my findings organized by severity and area. --- ## Critical Issues ### 1. SQL Injection Vulnerability in VectorStore (`core/vectorstore.py:161-166`) ```python # Lines 161-166 - Unsafe string interpolation in SQL-like filter if language: filters.append(f"language = '{language}'") if chunk_type: filters.append(f"chunk_type = '{chunk_type}'") ``` **Risk**: User-controlled `language` or `chunk_type` parameters are directly interpolated into filter strings. While LanceDB may not be as exploitable as SQL, this is a dangerous pattern. **Suggestion**: Use parameterized queries or validate/sanitize inputs against allowed values: ```python if language: if language not in [l.value for l in Language]: raise ValueError(f"Invalid language: {language}") filters.append(f"language = '{language}'") ``` ### 2. Path Traversal Risk in Wiki Page Reading (`server.py:373-386`) ```python # Lines 378-379 page_path = wiki_path / page if not page_path.exists(): ``` **Risk**: The `page` argument is user-supplied and joined directly to `wiki_path` without validation. A malicious path like `../../etc/passwd` could escape the wiki directory. **Suggestion**: Add path validation: ```python page_path = (wiki_path / page).resolve() if not page_path.is_relative_to(wiki_path.resolve()): return [TextContent(type="text", text="Error: Invalid page path")] ``` --- ## High Priority Issues ### 3. Missing Error Handling for LLM Provider Initialization In `providers/llm/ollama.py:22`, the client is created synchronously but there's no validation that Ollama is actually running: ```python self._client = AsyncClient(host=base_url) ``` **Suggestion**: Add a health check or better error messaging when Ollama is unavailable to give users actionable feedback. ### 4. Unbounded Memory Usage in Large Repo Indexing (`core/indexer.py:105-120`) ```python all_chunks: list[CodeChunk] = [] # ... later ... all_chunks.extend(chunks) ``` For very large repositories, all chunks are accumulated in memory before being stored. This could cause OOM errors. **Suggestion**: Implement batched processing - write chunks to the vector store incrementally (e.g., every 1000 chunks). ### 5. Global Mutable State with Config (`config.py:141-156`) ```python _config: Config | None = None def get_config() -> Config: global _config if _config is None: _config = Config.load() return _config ``` **Risk**: Global state makes testing harder and can cause issues in concurrent scenarios. **Suggestion**: Consider using a context variable or dependency injection pattern for better testability. --- ## Medium Priority Issues ### 6. Incomplete Docstring Extraction for Multi-line Comments In `parser.py:269-284`, Go and other languages only check a single preceding sibling for doc comments: ```python prev = node.prev_sibling if prev and prev.type == "comment": ``` **Issue**: Multi-line doc comments (common in Go) are not properly captured. **Suggestion**: Iterate through all preceding comment siblings: ```python comments = [] prev = node.prev_sibling while prev and prev.type == "comment": comments.insert(0, get_node_text(prev, source)) prev = prev.prev_sibling return "\n".join(comments) if comments else None ``` ### 7. Hardcoded Limits Throughout Codebase Several magic numbers are scattered: - `wiki.py:869`: `max_files = 20` - `wiki.py:357`: `limit=200` for import search - `chunker.py:361`: `lines > 100` threshold for class splitting **Suggestion**: Move these to `Config` or make them configurable parameters. ### 8. Missing Retry Logic for LLM Calls All LLM providers make single attempts without retry logic. Network issues or rate limits will cause hard failures. **Suggestion**: Add retry with exponential backoff: ```python @retry(stop=stop_after_attempt(3), wait=wait_exponential(min=1, max=10)) async def generate(self, prompt: str, ...) -> str: ``` ### 9. Inefficient Search in `get_chunk_by_id` (`vectorstore.py:208`) ```python results = table.search().where(f"id = '{chunk_id}'").limit(1).to_list() ``` Using `search()` for a direct ID lookup is inefficient. LanceDB likely has faster direct lookup methods. **Suggestion**: Use direct row access if LanceDB supports it, or maintain an ID index. ### 10. Synchronous File I/O in Async Functions In `wiki.py:1127-1131`: ```python def _write_page(self, page: WikiPage) -> None: page_path.parent.mkdir(parents=True, exist_ok=True) page_path.write_text(page.content) ``` **Issue**: Synchronous file operations in an async codebase can block the event loop. **Suggestion**: Use `aiofiles` for async file I/O or run in executor: ```python async def _write_page(self, page: WikiPage) -> None: loop = asyncio.get_event_loop() await loop.run_in_executor(None, self._sync_write_page, page) ``` --- ## Code Quality Suggestions ### 11. Duplicate Code for Chunk-to-Dict Conversion The pattern for converting `CodeChunk` to dict appears multiple times: - `vectorstore.py:67-80` (create_or_update_table) - `vectorstore.py:110-125` (add_chunks) - Multiple result conversion points **Suggestion**: Add a `to_vector_record()` method to `CodeChunk` model. ### 12. Missing Input Validation on MCP Tools The MCP tool handlers don't validate inputs beyond existence checks: ```python # server.py:186 repo_path = Path(args["repo_path"]).resolve() ``` **Suggestion**: Add schema validation for enum values, path existence checks, and reasonable bounds on numeric parameters. ### 13. Test Coverage Gaps Tests exist for most modules, but I notice: - No integration tests for the full indexing → wiki generation pipeline - No tests for MCP server handlers (`server.py`) - No tests for provider error handling - No tests for vectorstore edge cases (empty DB, corrupted data) **Suggestion**: Add integration tests and error scenario tests. ### 14. Inconsistent Exception Handling Some functions silently catch and ignore exceptions: ```python # indexer.py:219-224 try: with open(status_path) as f: data = json.load(f) return IndexStatus.model_validate(data) except Exception: return None # Silent failure ``` **Suggestion**: Log warnings when recovering from errors to aid debugging: ```python except Exception as e: logger.warning(f"Failed to load index status: {e}") return None ``` ### 15. Type Hints Could Be More Specific Several places use `Any`: - `wiki.py:281`: `progress_callback: Any = None` - Various `dict[str, Any]` where more specific types would help **Suggestion**: Define protocol/callback types: ```python from typing import Protocol class ProgressCallback(Protocol): def __call__(self, message: str, current: int, total: int) -> None: ... ``` --- ## Architecture Suggestions ### 16. Consider Caching for Manifest Parsing `manifest.py` re-parses package files on every wiki generation. For incremental updates, this is redundant. **Suggestion**: Cache the `ProjectManifest` and invalidate on relevant file changes. ### 17. Consider Streaming for Large File Processing Currently, entire files are read into memory (`parser.py:129`): ```python source = file_path.read_bytes() ``` **Suggestion**: For very large files, consider memory-mapped files or streaming parsers. ### 18. Add Logging Infrastructure The codebase lacks structured logging. Only `progress_callback` provides visibility. **Suggestion**: Add Python logging with configurable levels: ```python import logging logger = logging.getLogger("local_deepwiki") ``` ### 19. Consider Database Migrations The LanceDB schema is implicit. Schema changes could break existing indexes. **Suggestion**: Add version field to index_status.json and migration logic for schema changes. ### 20. Web UI Could Use Template Caching The Flask app generates HTML from a massive inline template on every request (`web/app.py:13-500+`). **Suggestion**: Use Jinja2 template files and enable caching. --- ## Minor Suggestions 21. **Typo in config defaults**: `parsing.languages` includes `"swift"` but is missing `"ruby"`, `"php"`, `"kotlin"` which are supported. 22. **Consider using `dataclasses` for internal data structures**: Some classes like `ClassInfo` in `diagrams.py` use `@dataclass` which is good - extend this pattern. 23. **Add `__repr__` methods**: Models like `CodeChunk` would benefit from meaningful repr for debugging. 24. **Use `pathlib` consistently**: Some places mix `str` paths with `Path` objects. 25. **Consider pre-commit hooks**: Add black, isort, mypy to maintain code quality. --- ## Summary | Category | Count | |----------|-------| | Critical | 2 | | High Priority | 3 | | Medium Priority | 5 | | Code Quality | 5 | | Architecture | 5 | | Minor | 5 | **Overall Assessment**: This is a solid, well-designed codebase. The architecture is clean with good separation of concerns. The main areas for improvement are security hardening (input validation), resilience (retry logic, error handling), and scalability (batched processing for large repos). The test suite is comprehensive but could benefit from integration tests and error scenario coverage. --- ## Priority Action Items 1. **[CRITICAL]** Fix input sanitization in `core/vectorstore.py:161-166` 2. **[CRITICAL]** Add path traversal protection in `server.py:378-379` 3. **[HIGH]** Implement batched processing in `core/indexer.py:105-120` for large repositories 4. **[HIGH]** Add retry logic to LLM providers 5. **[MEDIUM]** Add structured logging throughout the codebase

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/UrbanDiver/local-deepwiki-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

CODE_REVIEW.md•12.9 KiB