SnapBack MCP Server

CODE_REVIEW_ANALYSIS.md•27.3 kB

# SnapBack MCP Server - Comprehensive Code Review **Date:** October 26, 2025 **Reviewer:** Claude Code + Sequential Thinking **Version:** 0.1.1 **Status:** ⚠️ **Needs Attention** - TypeScript errors, DX issues, missing patterns --- ## Executive Summary ### ✅ Strengths - **Comprehensive test coverage** (20 tests passing) - **Clean separation of concerns** (client, tools, prompts, resources) - **MCP protocol correctly implemented** with proper handlers - **API client has Zod validation** for runtime safety - **Error handling** present in most critical paths ### ❌ Critical Issues 1. **TypeScript compilation fails** - 7 `possibly 'undefined'` errors 2. **apiClient can be undefined** but not properly handled 3. **Missing TDD patterns** from spec - no test-first workflow evident 4. **DX inconsistencies** - verbose error messages instead of user-friendly 5. **No performance budgets** tracked (spec requires <100ms fast analysis) 6. **Development agent unused** - exists but not integrated with main server --- ## 1. TypeScript Issues (CRITICAL) ### Problem TypeScript compilation fails with 7 errors where `apiClient` is possibly undefined: ```typescript // src/index.ts - Lines 242, 310, 345, 476, 494, 554, 560 const analysis = await apiClient.analyzeFast({...}); // ❌ apiClient possibly undefined ``` ### Root Cause ```typescript // src/index.ts:63-76 export async function startServer(apiClient?: SnapBackAPIClient) { const storage = createStorage(); // ... guardian, dep, mcpManager setup ... // Create SnapBack API client if not provided const client = apiClient || createAPIClient(); // ✅ 'client' is defined // But later usage references 'apiClient' directly instead of 'client' const analysis = await apiClient.analyzeFast({...}); // ❌ Wrong variable! } ``` ### Fix Required **Replace all `apiClient` references with `client`:** ```typescript // ❌ WRONG (current code) const analysis = await apiClient.analyzeFast({...}); // ✅ CORRECT const analysis = await client.analyzeFast({...}); ``` **Impact:** High - Prevents compilation, blocks deployment **Effort:** 10 minutes - Simple find/replace in src/index.ts **Priority:** P0 - Fix immediately --- ## 2. Adherence to Code Review Standards ### Testing Standards (code-review-standards.md:21-437) #### ✅ What's Done Right ```typescript // test/client/snapback-api.test.ts follows Arrange-Act-Assert it("should call the analyze/fast endpoint with correct parameters", async () => { // Arrange const mockResponse = {...}; mockFetch.mockResolvedValue({...}); // Act const result = await client.analyzeFast({...}); // Assert expect(result).toEqual(mockResponse); expect(mockFetch).toHaveBeenCalledWith(...); }); ``` **Follows Pattern 1: Pure Logic (code-review-standards.md:43-125)** - Clear test names ✅ - Focused assertions ✅ - Descriptive scenarios ✅ #### ❌ What's Missing **1. No TDD Evidence** - Spec requires TDD approach (snapback-mcp-server-spec.md:897-924) - Tests exist but were likely written after implementation - No red→green→refactor cycle visible in commit history **2. Integration Test Incomplete** ```typescript // test/integration.test.ts - Only 2 tests! // Should have complete workflow tests per spec line 299-361 // ❌ MISSING: Full flow test it("full flow: AI edit → warning → restore", async () => { // Simulate 5 consecutive AI edits // Verify warning triggers at iteration 5 // Test snapshot creation // Validate restoration flow }); ``` **3. Performance Testing Absent** Per spec line 990-996, should track: ```typescript // ❌ MISSING: Performance validation it('should complete fast analysis under 100ms', async () => { const start = performance.now(); await client.analyzeFast({...}); const duration = performance.now() - start; expect(duration).toBeLessThan(100); // Per spec target }); ``` **4. Edge Cases Not Tested** ```typescript // ❌ MISSING from test/client/snapback-api.test.ts it('should handle network timeout gracefully', async () => {...}); it('should retry on transient failures', async () => {...}); it('should validate response schema', async () => {...}); // Has Zod but no test ``` ### Web Dashboard DX Standards (code-review-standards.md:441-796) #### ❌ Error Messages Not User-Friendly **Current Implementation:** ```typescript // src/index.ts:293-302 return { content: [ { type: "text", text: "Error analyzing suggestion: " + (error.message || "Unknown error"), }, ], isError: true, }; ``` **Problem:** Generic error messages violate DX principle from spec: > "Error states with helpful messages" (code-review-standards.md:508-530) **Better Approach:** ```typescript // ✅ User-friendly error messages const errorMessages = { ECONNREFUSED: "Unable to connect to SnapBack backend. Is the server running?", ENOTFOUND: "SnapBack API endpoint not found. Check SNAPBACK_API_URL.", ETIMEDOUT: "Request timed out. The analysis took too long.", AUTH_FAILED: "API key invalid. Check SNAPBACK_API_KEY environment variable.", }; return { content: [ { type: "text", text: errorMessages[error.code] || `Analysis failed: ${error.message}\n\nTry:\n1. Check server is running\n2. Verify API key\n3. Check network connection`, }, ], isError: true, }; ``` ### Architecture Integration (code-review-standards.md:799-936) #### ✅ Good Patterns Followed **1. Dependency Injection** ```typescript // src/index.ts:63 export async function startServer(apiClient?: SnapBackAPIClient) { // Allows test injection ✅ const client = apiClient || createAPIClient(); } ``` **2. Factory Pattern** ```typescript // src/index.ts:43-60 export function createAPIClient(): SnapBackAPIClient { const apiUrl = process.env.SNAPBACK_API_URL; const apiKey = process.env.SNAPBACK_API_KEY; if (!apiUrl) { console.error("[SnapBack MCP] Warning: SNAPBACK_API_URL not set..."); } return new SnapBackAPIClient({...}); } ``` #### ❌ Architecture Issues **1. Mixed Concerns in index.ts** ```typescript // src/index.ts has 632 lines with: // - Server setup // - All tool implementations // - All resource handlers // - All prompt handlers // - Error handling // ❌ Violates Single Responsibility Principle ``` **Should be:** (per snapback-mcp-server-spec.md:76-96) ``` src/ ├── index.ts # Server setup only (~100 lines) ├── tools/ │ ├── analyze.ts # analyze_suggestion tool │ ├── check-iteration.ts │ └── create-snapshot.ts ├── resources/ │ ├── session-context.ts │ └── safety-guidelines.ts └── prompts/ ├── safety-prompt.ts └── warning-prompt.ts ``` **2. Development Agent Unused** ```typescript // src/agent/snapback-development-agent.ts exists but: // - Not imported in index.ts // - Not integrated with main server // - Appears to be proof-of-concept code // Either integrate or remove to avoid confusion ``` ### PostHog Analytics Patterns (code-review-standards.md:1199-1455) #### ❌ NO ANALYTICS IMPLEMENTATION **Completely missing from MCP server!** Per spec requirements (snapback-mcp-server-spec.md:1020-1036), should track: ```typescript // ❌ MISSING: Usage analytics posthog.capture("mcp_tool_called", { tool_name: "analyze_suggestion", risk_level: analysis.riskLevel, analysis_time_ms: analysis.analysisTimeMs, ai_tool: "claude", // or 'copilot', 'cursor' }); posthog.capture("iteration_warning_shown", { iteration_count: stats.consecutiveAIEdits, risk_level: stats.riskLevel, user_action: "pending", // update on user decision }); ``` **Why Critical:** - Can't measure adoption (spec target: 30% users enable MCP) - Can't track detection accuracy improvement (80%→100%) - Can't validate ROI claims ### Logging Strategy (code-review-standards.md:1459-1699) #### ✅ Good Logging Practices ```typescript // Proper use of stderr for logs (doesn't corrupt stdout JSON-RPC) console.error("[SnapBack MCP] Warning: SNAPBACK_API_URL not set..."); console.error("[SnapBack MCP] Error analyzing suggestion:", error); ``` #### ❌ Missing Structured Logging **Current:** ```typescript console.error("[SnapBack MCP] Error analyzing suggestion:", error); ``` **Should be:** (per code-review-standards.md:1510-1533) ```typescript logger.error("Suggestion analysis failed", { tool_name: "analyze_suggestion", file_path: args.file_path, error_code: error.code, error_message: error.message, api_endpoint: "analyze/fast", analysis_time_ms: Date.now() - startTime, user_id: getUserId(), // if available }); ``` **Benefits:** - Queryable logs (WHERE analysis_time_ms > 100) - Structured debugging - Performance tracking - User signal capture --- ## 3. Specification Adherence ### MCP Server Spec (snapback-mcp-server-spec.md) #### ✅ Core Features Implemented **1. Tools (spec:90-227)** - `analyze_suggestion` ✅ - `check_iteration_safety` ✅ - `create_snapshot` ✅ **2. Resources (spec:451-466)** - `snapback://session/current` ✅ - `snapback://guidelines/safety` ✅ **3. Prompts (spec:518-544)** - `safety_context` ✅ - `risk_warning` ✅ #### ❌ Missing Features **1. No Performance Tracking** ```typescript // spec:989-996 requires: const PERFORMANCE_TARGETS = { toolCallLatency: 200, // ms fastAnalysis: 100, // ms (backend) resourceFetch: 50, // ms mcpOverhead: 10, // ms }; // ❌ Not measured anywhere in code ``` **2. Research-Backed Warnings Missing** ```typescript // spec:496-506 requires specific 37.6% statistic if (stats.consecutiveAIEdits >= 5) { responseText += `\n🚨 CRITICAL WARNING: Research shows that 5+ consecutive AI iterations increase vulnerability risk by 37.6%. ... `; } // ✅ Present in index.ts:316-326 but no source citation ``` **3. Backend API Endpoints Not Created** Per spec:854-893, backend needs these routes: ```typescript // ❌ NOT IMPLEMENTED (should be in apps/web/app/api/) // app/api/session/iteration-stats/route.ts // app/api/session/current/route.ts // app/api/guidelines/safety/route.ts ``` **Current workaround:** MCP server expects these but they don't exist, so tests mock them. **Impact:** MCP server works in tests but will fail in production. --- ## 4. DX Issues ### Developer Experience Problems #### 1. Confusing .env.example **Problem:** ```bash # .env.example has 178 lines with: MCP_SERVER_HOST=localhost # ❌ Not used (stdio mode) MCP_SERVER_PORT=3001 # ❌ Not used MCP_MAX_CONNECTIONS=10 # ❌ Not used RATE_LIMIT_ENABLED=true # ❌ Not implemented CORS_ENABLED=true # ❌ Not applicable (stdio) ... (and 30+ more unused vars) ``` **Reality:** ```bash # Only 2 variables actually used: SNAPBACK_API_URL=http://localhost:3000 SNAPBACK_API_KEY=your-key-here ``` **Fix:** ```bash # .env.example (simplified) # SnapBack MCP Server Configuration # Backend API (REQUIRED) SNAPBACK_API_URL=http://localhost:3000 SNAPBACK_API_KEY= # Development (OPTIONAL) LOG_LEVEL=info # debug, info, warn, error NODE_ENV=development # That's it! MCP uses stdio transport, no ports needed. ``` #### 2. Missing Quick Start Guide **Currently in README.md:** ```markdown # SnapBack MCP Server [Basic setup instructions] ``` **Needs:** (per spec:1101-1122) ````markdown # Quick Start (5 minutes) ## 1. Install ```bash pnpm install pnpm build ``` ```` ## 2. Configure Claude Desktop Edit `~/Library/Application Support/Claude/claude_desktop_config.json`: ```json { "mcpServers": { "snapback": { "command": "node", "args": ["/path/to/dist/index.js"], "env": { "SNAPBACK_API_URL": "http://localhost:3000", "SNAPBACK_API_KEY": "your-key" } } } } ``` ## 3. Test Open Claude Desktop and try: > "Analyze this code for security issues: eval(userInput)" Should see: 🚨 Risk Analysis with specific warnings. ``` #### 3. No Error Recovery Guidance When errors occur, users see: ``` Error analyzing suggestion: API error: 500 Internal Server Error ``` **Should see:** ``` ❌ Analysis Failed: SnapBack backend returned an error 🔍 Troubleshooting: 1. Check backend is running: curl http://localhost:3000/health 2. Verify API key: echo $SNAPBACK_API_KEY 3. Check logs: tail -f ~/.snapback/mcp.log Need help? https://docs.snapback.dev/mcp/troubleshooting ```` --- ## 5. Best Practices Review ### ✅ Following Standards **1. Modern TypeScript** ```typescript // src/client/snapback-api.ts uses Zod schemas ✅ const AnalysisResponseSchema = z.object({...}); return AnalysisResponseSchema.parse(response); ```` **2. Testability** ```typescript // Dependency injection enables testing ✅ export async function startServer(apiClient?: SnapBackAPIClient); ``` **3. Error Boundaries** ```typescript // Top-level try-catch in tool handlers ✅ try { const analysis = await client.analyzeFast({...}); return {content: [...], isError: false}; } catch (error: any) { return {content: [...], isError: true}; } ``` ### ❌ Violating Standards **1. No YAGNI** ```typescript // src/agent/snapback-development-agent.ts: // - 386 lines of code // - Not used anywhere // - "Mock storage implementation - replace with actual storage in production" // - Violates "You Aren't Gonna Need It" // ❌ Either integrate or delete ``` **2. Complexity Not Justified** ```typescript // .env.example has 178 lines for 2 used variables // Violates KISS principle (Keep It Simple) ``` **3. Magic Numbers** ```typescript // src/index.ts:557 const riskLevel = iterations >= 5 ? "HIGH" : iterations >= 3 ? "MEDIUM" : "LOW"; // ❌ Should be constants: const RISK_THRESHOLDS = { CRITICAL: 5, // Research-backed (37.6% increase) MEDIUM: 3, // Observable quality degradation LOW: 0, }; ``` --- ## 6. Testing Coverage Analysis ### Current Coverage ```bash ✓ test/client/snapback-api.test.ts 6 tests ✅ ✓ test/server.test.ts 6 tests ✅ ✓ test/integration.test.ts 2 tests ⚠️ ✓ test/integration/api-tools.test.ts 4 tests ✅ ✓ src/agent/snapback-development-agent.test.ts 8 tests ⚠️ Total: 26 tests passing ``` ### Coverage Gaps (vs code-review-standards.md:371-396) #### Expected Coverage: - **Core Logic**: 80-90% (SessionManager, IterationTracker) - **Public APIs**: 90%+ (MCP tools, API client) - **Integration**: 50-60% (key workflows) #### Current Issues: **1. Integration Tests Insufficient** ```typescript // test/integration.test.ts has only 2 tests: // - should list all tools ✅ // - should have proper error handling ✅ // ❌ MISSING (per spec:298-361): // - Full AI edit workflow // - Iteration count tracking across multiple edits // - Warning threshold validation // - Snapshot creation and restoration flow ``` **2. No Performance Tests** ```typescript // ❌ MISSING: Performance validation // Per code-review-standards.md:1647-1699 describe('Performance', () => { it('should complete analysis under 100ms', async () => { const measurements = []; for (let i = 0; i < 100; i++) { const start = performance.now(); await client.analyzeFast({...}); measurements.push(performance.now() - start); } const avg = measurements.reduce((a, b) => a + b) / measurements.length; const p95 = measurements.sort()[95]; expect(avg).toBeLessThan(100); expect(p95).toBeLessThan(200); }); }); ``` **3. Edge Cases Untested** ```typescript // ❌ MISSING: Error scenarios it("should handle rate limiting gracefully"); it("should retry on network errors"); it("should timeout long-running requests"); it("should validate malformed API responses"); it("should handle concurrent tool calls safely"); ``` --- ## 7. Security Review ### ✅ Good Security Practices **1. API Key Protection** ```typescript // Credentials from environment, not hardcoded ✅ const apiKey = process.env.SNAPBACK_API_KEY; ``` **2. Input Validation** ```typescript // Using Zod schemas for validation ✅ const parsed = z.object({ changes: z.array(z.object({...})) }).parse(args); ``` **3. Safe Error Messages** ```typescript // No stack traces in prod errors ✅ return { content: [{ text: "Error processing request..." }], isError: true, }; ``` ### ⚠️ Security Concerns **1. No Input Sanitization** ```typescript // src/index.ts:236-246 const code = (args as any).code; const file_path = (args as any).file_path; // ❌ Sent directly to API without sanitization await client.analyzeFast({ code, filePath: file_path, context }); // Potential issues: // - Path traversal in file_path (../../../etc/passwd) // - Code injection if API doesn't sanitize // - Resource exhaustion (very large code strings) ``` **Fix:** ```typescript // ✅ Add validation const MAX_CODE_LENGTH = 100000; // 100KB const ALLOWED_FILE_PATTERNS = /^[a-zA-Z0-9._/-]+$/; if (!ALLOWED_FILE_PATTERNS.test(file_path)) { throw new Error("Invalid file path"); } if (code.length > MAX_CODE_LENGTH) { throw new Error("Code exceeds maximum length"); } ``` **2. No Rate Limiting** ```typescript // ❌ MCP server can spam backend API // No throttling on tool calls // No queue for concurrent requests // .env.example mentions rate limiting but not implemented ``` --- ## 8. Documentation Quality ### README.md Analysis #### ✅ Present: - Installation instructions - Basic usage - Environment variables #### ❌ Missing: - Quick start guide (5-minute setup) - Troubleshooting section - Performance expectations - Integration examples (Claude, Cursor, Copilot) - Architecture diagram - API endpoint requirements ### Code Documentation #### ✅ Good Examples: ```typescript // src/index.ts:92-97 { name: "analyze_suggestion", description: "Analyze an AI code suggestion for potential risks before applying it. " + "Returns risk level, specific issues, and recommendation (allow/warn/block). " + "Use this BEFORE accepting any AI-generated code.", // Clear, actionable description ✅ } ``` #### ❌ Poor Examples: ```typescript // src/index.ts:16-40 // Export storage factory for testing export function createStorage() { return { create: async (options?: { description?: string; protected?: boolean; }) => { return { id: `snap-${Date.now()}`, timestamp: Date.now(), meta: options || {}, } as Snapshot; }, // ... more methods }; } // ❌ "Mock implementation" comment but looks production-ready // ❌ No JSDoc explaining this is temporary // ❌ No link to real implementation plan ``` --- ## 9. Performance Assessment ### Not Measurable (No Metrics!) **The spec requires** (snapback-mcp-server-spec.md:989-996): ```typescript | Operation | Target | Rationale | |-----------|--------|-----------| | Tool call latency | <200ms | Fast enough for real-time | | Fast analysis | <100ms | Backend target | | Resource fetch | <50ms | Cached session data | | MCP overhead | <10ms | Protocol negligible | ``` **Current state:** - ❌ No performance tracking code - ❌ No benchmarks - ❌ No profiling - ❌ No metrics collection **Evidence:** ```bash $ grep -r "performance" apps/mcp-server/src/ # No results $ grep -r "performance.now" apps/mcp-server/src/ # No results $ grep -r "Date.now" apps/mcp-server/src/ src/index.ts: id: `snap-${Date.now()}`, # For snapshot IDs only ``` **Impact:** Can't validate core value proposition: > "Detection Accuracy: 80% → 100%" > "Intervention Timing: 30-60s earlier" --- ## 10. Recommendations ### Priority 0 (Fix Immediately) **1. Fix TypeScript Compilation Errors** ```bash # Find/replace in src/index.ts apiClient.analyzeFast → client.analyzeFast apiClient.getIterationStats → client.getIterationStats apiClient.createSnapshot → client.createSnapshot apiClient.getCurrentSession → client.getCurrentSession apiClient.getSafetyGuidelines → client.getSafetyGuidelines # Test pnpm typecheck # Should pass ``` **Effort:** 10 minutes **Impact:** Blocks all deployment **2. Simplify .env.example** ```bash # Keep only 2 variables: SNAPBACK_API_URL=http://localhost:3000 SNAPBACK_API_KEY= # Delete other 176 lines ``` **Effort:** 5 minutes **Impact:** Improves DX, reduces confusion ### Priority 1 (This Week) **3. Add Backend API Endpoints** ```bash # Create in apps/web/app/api/: - session/iteration-stats/route.ts - session/current/route.ts - guidelines/safety/route.ts # Implement per spec:854-893 ``` **Effort:** 2-3 hours **Impact:** Makes MCP server functional in production **4. Add Performance Tracking** ```typescript // src/utils/metrics.ts export class PerformanceTracker { track(operation: string, fn: () => Promise<any>) { const start = performance.now(); return fn().finally(() => { const duration = performance.now() - start; logger.info("Operation completed", { operation, duration_ms: duration, threshold_ms: PERFORMANCE_TARGETS[operation], within_budget: duration < PERFORMANCE_TARGETS[operation], }); }); } } ``` **Effort:** 3-4 hours **Impact:** Validates performance claims, enables optimization **5. Restructure codebase** ```bash # Move from src/index.ts (632 lines) to: src/ ├── index.ts # 100 lines ├── tools/ │ ├── analyze.ts │ ├── check-iteration.ts │ └── create-snapshot.ts ├── resources/ │ ├── session.ts │ └── guidelines.ts └── prompts/ ├── safety.ts └── warnings.ts ``` **Effort:** 4-5 hours **Impact:** Improves maintainability, follows spec structure ### Priority 2 (This Sprint) **6. Add Analytics** ```typescript // src/utils/analytics.ts import posthog from "posthog-js"; export function trackToolCall(toolName: string, result: any) { posthog.capture("mcp_tool_called", { tool_name: toolName, risk_level: result.riskLevel, analysis_time_ms: result.analysisTimeMs, }); } ``` **Effort:** 2-3 hours **Impact:** Enables data-driven decisions, tracks adoption **7. Complete Integration Tests** ```typescript // test/integration/workflows.test.ts describe("AI Edit Workflow", () => { it("should track 5 iterations and show warning", async () => { // Create 5 AI edits // Verify warning at iteration 5 // Check 37.6% stat mentioned }); it("should reset counter after human edit", async () => { // 3 AI edits → human edit → counter resets }); }); ``` **Effort:** 3-4 hours **Impact:** Confidence in core functionality **8. Improve Error Messages** ```typescript // src/utils/errors.ts export const USER_FRIENDLY_ERRORS = { ECONNREFUSED: { message: "Cannot connect to SnapBack backend", actions: [ "Check if backend is running: curl http://localhost:3000/health", "Verify SNAPBACK_API_URL in config", "Check firewall settings", ], docs: "https://docs.snapback.dev/mcp/connection-errors", }, // ... more errors }; ``` **Effort:** 2-3 hours **Impact:** Better DX, faster debugging ### Priority 3 (Nice to Have) **9. Delete or Integrate Development Agent** ```bash # Option A: Delete unused code rm src/agent/snapback-development-agent.ts # Option B: Integrate with main server # - Document purpose # - Connect to index.ts # - Add tests for integration ``` **Effort:** 1 hour (delete) or 6-8 hours (integrate) **Impact:** Reduces codebase confusion **10. Add Security Hardening** ```typescript // Input validation, rate limiting, sanitization // Per security review recommendations ``` **Effort:** 4-6 hours **Impact:** Production readiness --- ## 11. Test Execution Summary ### Current State (All Passing ✅) ```bash ✓ test/client/snapback-api.test.ts 6 tests 5ms ✓ test/integration.test.ts 2 tests 2ms ✓ test/integration/api-tools.test.ts 4 tests ?ms ✓ test/server.test.ts 6 tests ?ms ✓ src/agent/snapback-development-agent.test.ts 8 tests 4ms Total: 26 tests passing ``` ### Test Quality Assessment **Good:** - Tests use proper mocking - Clear arrange-act-assert structure - Descriptive test names - Edge cases covered (API errors, timeouts) **Needs Improvement:** - No performance tests - Missing workflow integration tests - No concurrent request testing - No load/stress testing --- ## 12. Final Verdict ### Overall Grade: **B- (Functional but Needs Polish)** **Breakdown:** - Functionality: **A-** (Core features work) - Code Quality: **C+** (TypeScript errors, structure issues) - Testing: **B** (Good unit tests, weak integration) - Documentation: **C** (Basic docs, missing guides) - DX: **C+** (Works but confusing setup) - Performance: **N/A** (Not measured) - Security: **B** (Basic protections, missing hardening) ### Can This Ship? **No, not yet.** Must fix: 1. TypeScript compilation errors (30 min) 2. Backend API endpoints (3 hours) 3. .env.example cleanup (10 min) **After P0 fixes:** Can ship to beta users for testing. **For production:** Need P1 items (performance tracking, analytics, better errors). --- ## 13. Action Items Checklist ### Immediate (Today) - [ ] Fix `apiClient` → `client` references (30 min) - [ ] Run `pnpm typecheck` until clean - [ ] Simplify .env.example (10 min) - [ ] Test manual MCP server startup ### This Week - [ ] Create backend API endpoints (3 hours) - [ ] Add performance tracking (4 hours) - [ ] Restructure codebase (5 hours) - [ ] Update README with quick start (1 hour) ### This Sprint - [ ] Add PostHog analytics (3 hours) - [ ] Complete integration tests (4 hours) - [ ] Improve error messages (3 hours) - [ ] Add input validation (2 hours) ### Before Launch - [ ] Delete or integrate development agent - [ ] Add security hardening - [ ] Performance benchmarking - [ ] Full documentation pass - [ ] User acceptance testing (5 users) --- ## Appendix A: Code Snippets for Fixes ### Fix 1: TypeScript Errors ```typescript // src/index.ts - Replace all occurrences // ❌ Before const analysis = await apiClient.analyzeFast({...}); // ✅ After const analysis = await client.analyzeFast({...}); // Full list of replacements needed: // Line 242: apiClient.analyzeFast → client.analyzeFast // Line 310: apiClient.getIterationStats → client.getIterationStats // Line 345: apiClient.createSnapshot → client.createSnapshot // Line 476: apiClient.getCurrentSession → client.getCurrentSession // Line 494: apiClient.getSafetyGuidelines → client.getSafetyGuidelines // Line 554: apiClient.getCurrentSession → client.getCurrentSession // Line 560: apiClient.getSafetyGuidelines → client.getSafetyGuidelines ``` ### Fix 2: Simplified .env.example ```bash # SnapBack MCP Server Configuration # Minimal configuration for stdio transport mode # Backend API Connection (REQUIRED) SNAPBACK_API_URL=http://localhost:3000 SNAPBACK_API_KEY= # Optional: Development Settings # LOG_LEVEL=info # NODE_ENV=development # That's all! The MCP server uses stdio transport, so no ports or network # configuration needed. Just point it at your backend API. # # For production: Update SNAPBACK_API_URL to your deployed backend. ``` --- **End of Code Review** **Next Steps:** Address P0 items, then schedule follow-up review.

Latest Blog Posts

The 50MB Markdown Files That Broke Our Server
By punkpeye on December 3, 2025.
react
react-router
node-js
OpenTelemetry for Model Context Protocol (MCP) Analytics and Agent Observability
By Om-Shree-0709 on November 29, 2025.
observability
mcp
opentelemetry
Securing Enterprise AI Agents with Unique Identities in the Model Context Protocol (MCP)
By Om-Shree-0709 on November 27, 2025.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/snapback-dev/mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server