Code Review MCP — Cursor-first PR reviewer

End-to-end MCP that reviews GitHub PRs using your local toolchain and Cursor’s AI. It fetches PR diffs, loads project docs, runs static/security/tests, posts inline comments (when allowed), and generates a Markdown report.

Requirements

  • Node.js 18+

  • Cursor

  • GitHub Personal Access Token (repo permissions) — loaded via .env.mcp

  • Optional tools (auto-detected; skipped if missing):

    • ESLint, Prettier, TypeScript (tsc) from project devDependencies

    • Semgrep CLI (pipx install semgrep or brew install semgrep)

    • Playwright (npm i -D @playwright/test and npx playwright install)

Installation

  • Clone this repo (or copy tools/mcp-code-review.mjs and .mcp/code-review/ into your project repo)

  • Install Node deps in the repo: npm ci (or npm i)

  • Ensure .cursor/mcp.json points to the absolute path of tools/mcp-code-review.mjs

Example .cursor/mcp.json:

{
  "mcpServers": {
    "code-review": {
      "command": "node",
      "args": ["/absolute/path/to/tools/mcp-code-review.mjs"]
    }
  }
}

Environment (auth)

  • The MCP loads only .env.mcp (repo root) by default, or --env-file=/path/to/env

  • Required:

    • GITHUB_TOKEN=... (must have access to the target repo; SSO-authorized if org enforces it)

  • Optional:

    • JIRA_BASE_URL, JIRA_EMAIL, JIRA_API_KEY

    • FIGMA_TOKEN

    • SEMGREP_RULES_DIR=.mcp/code-review/semgrep-rules
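
A preflight check for the .env.mcp file described above, as an added example (not part of this project's code): it flags a secrets file that is accessible to group/other, a missing or placeholder GITHUB_TOKEN, and a file that git does not ignore. The function name check_env_mcp and the last-assignment-wins parsing are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): preflight for the MCP secrets file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_env_mcp() {
    f=${1:-.env.mcp}
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f not found"
        return 1
    fi

    # Group/other permission bits are characters 5-10 of the ls mode string.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "perms: $f is accessible to group/other; run chmod 600"
        rc=1
    fi

    # Assumption: the last assignment wins, as in most dotenv loaders.
    token=$(sed -n 's/^GITHUB_TOKEN=//p' "$f" | tail -n 1)
    case $token in
        ''|'...')
            echo "token: GITHUB_TOKEN is empty or still the placeholder"
            rc=1 ;;
    esac

    # Inside a git work tree the file must be ignored. Tracked files are
    # never reported as ignored, so this also catches a committed copy.
    dir=$(dirname "$f")
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$dir" check-ignore -q "$(basename "$f")"; then
        echo "git: $f is not ignored; add it to .gitignore"
        rc=1
    fi
    return $rc
}
```

Source the script and run check_env_mcp .env.mcp from the repo root; a non-zero return means at least one finding was printed.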

Project files the MCP auto-detects

  • Repo docs (AI context):

    • codebase_structure.md and watchouts.md at repo root

    • All .md under .mcp/code-review/ (e.g., your-rules.md)

  • Lint/format/types:

    • ESLint/Prettier run from local node_modules/.bin using your project configs

    • TypeScript runs if tsconfig.json exists

  • Security:

    • Semgrep rules from .mcp/code-review/semgrep-rules/ if present, otherwise p/ci

  • Tests:

    • Playwright runs if playwright.config.ts/js exists at repo root

Usage

In Cursor chat inside the target repo:

  • @code-review 123 (auto-detect repo from git origin)

  • @code-review owner/repo#123

  • @code-review https://github.com/owner/repo/pull/123

  • @code-review latest

Flags:

  • --env-file=/abs/path/to/.env.mcp (override default)

  • --dry-run (skip posting/comments, still generate report)

  • --commit-report (commit report to PR branch when permitted)

  • --auto-fix or --auto-fix=force (apply ESLint/Prettier fixes, commit & push)

  • --skip-static --skip-security --skip-tests --skip-figma

  • --semgrep-rules-dir=/path/to/rules (override rules)

  • --max-diff-chars=20000 --max-file-hunks=10 --verbose

Outputs:

  • Logs: mcp-logs/ (per-run files)

  • Artifacts: mcp-artifacts/<owner>-<repo>-PR<#>-<ts>/

  • Report: mcp-reports/code-review-<owner>-<repo>-PR<#>-<ts>.md

Notes:

  • If the authenticated user is the PR author, GitHub may reject review posting; the MCP will skip comments but still write the report (see Pipeline Status in the report).

  • Older logs/reports (>1 day) are pruned, and only the latest report for a PR is kept.

Sub-tools (advanced)

You can call focused tools directly:

  • @github.resolve_pr { prId: "owner/repo#123" }

  • @github.fetch_files { owner: "owner", repo: "repo", pull_number: 123 }

  • @jira.fetch { prMeta: { title: "...", body: "...", branch: "..." } }

  • @analysis.run_static { files: ["src/..."], runTsc: true }

  • @security.run_semgrep {}

  • @tests.run_playwright {}

  • @report.generate {...}

  • @cleanup.prune { owner:"owner", repo:"repo", pull_number:123 }

CI recommendations

Run the same tools in CI for consistent enforcement:

  • ESLint: npx eslint . --max-warnings=0

  • Prettier: npx prettier --check .

  • Semgrep: pipx install semgrep && semgrep --config .mcp/code-review/semgrep-rules --error -- .

  • Playwright: npx playwright install --with-deps && npx playwright test --reporter=line

Troubleshooting

  • Bad credentials: ensure .env.mcp is present and logs show Auth loaded from .env.mcp:.... Verify PAT: curl -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user → must be 200.

  • Jira skipped: ensure Jira key in PR branch/title/body, and JIRA_* are set.

  • Semgrep skipped: install CLI or set rules dir.

  • Playwright skipped: add playwright.config.* and install browsers.

For platform-specific setup (macOS/Windows), see docs/Platform-Setup.md.
