CodeGuard MCP Server

Centralized security instruction server for AI-assisted code generation

🎯 Overview

Problem: Every repository needs .github/instructions/ files to enforce security rules with GitHub Copilot and AI assistants. This leads to:

• Duplicated instruction files across repositories

• Inconsistent rule versions

• Difficult to update security policies organization-wide

• Manual maintenance overhead

Solution: CodeGuard MCP Server provides centralized security instructions via the Model Context Protocol (MCP), eliminating per-repo instruction files while ensuring all AI-generated code follows security best practices.

🚀 Quick Start

Prerequisites

• Node.js 18+

Installation

Setup with Claude Desktop

1. Build first: npm run build

2. Configure Claude Desktop (%APPDATA%\Claude\claude_desktop_config.json):

   { "mcpServers": { "codeguard": { "command": "node", "args": ["C:\\repo\\contextpilot-server\\dist\\index.js"] } } }

3. Restart Claude Desktop

4. Test: Ask Claude to generate Python code with password hashing!

Setup with GitHub Copilot (VS Code)

Add to your project's .github/.mcp.json:

Note: GitHub Copilot MCP support is pending. Currently works best with Claude Desktop.

🏗️ How It Works

Current Approach (Per-Repository)

CodeGuard MCP Approach (Centralized + Smart)

🏗️ Architecture

📋 Core Components

1. MCP Resources

AI assistants can query instructions as resources:

2. MCP Prompts

Dynamic instruction injection based on context:

3. Rule Matching Engine

Smart rule selection based on:

• Language Detection: **/*.py → Python rules (auto-detected from file extensions)

• File Patterns: **/*.test.js → Testing rules

• Context Keywords: "authentication" → Auth/MFA rules (50+ keywords)

• Priority Scoring: 4-tier system (Critical/High/Medium/Low)

• Custom Rules: Organization rules get priority boost

• Critical Rules: Always include hardcoded credentials, weak crypto

• Frontmatter Parsing: applyTo, version, description

🎨 Rule Structure

Each instruction file follows this format:

Current Rules (21+ instruction files):

• codeguard-1-hardcoded-credentials ⚠️ Critical

• codeguard-1-crypto-algorithms ⚠️ Critical

• codeguard-1-digital-certificates ⚠️ Critical

• codeguard-0-authentication-mfa

• codeguard-0-authorization-access-control

• codeguard-0-input-validation-injection

• codeguard-0-api-web-services

• codeguard-0-client-side-web-security

• codeguard-0-session-management-and-cookies

• ... (and 12+ more)

💡 Usage Examples

Example 1: Python Password Hashing

User Prompt:

What Happens:

1. AI detects: language=python, context=crypto password

2. MCP Server returns instructions:

   • codeguard-1-crypto-algorithms (no MD5/SHA-1)

   • codeguard-0-authentication-mfa

   • codeguard-1-hardcoded-credentials

Generated Code:

Example 2: Node.js Database Query

User Prompt:

What Happens:

1. AI detects: language=typescript, context=database

2. MCP Server returns instructions:

   • codeguard-0-input-validation-injection

   • codeguard-0-data-storage

   • codeguard-0-authorization-access-control

Generated Code:

Example 3: React Authentication Component

User Prompt:

What Happens:

1. AI detects: language=typescript, context=auth, filepath=*.tsx

2. MCP Server returns instructions:

   • codeguard-0-client-side-web-security (XSS, CSRF)

   • codeguard-0-authentication-mfa

   • codeguard-0-session-management-and-cookies

Generated Code:

✨ Custom Organization Rules (Phase 3 ✅)

Overview

CodeGuard supports custom organization-specific rules that extend or override default security rules.

Features

• Override Default Rules: Replace any default rule with your organization's version

• Add New Rules: Create organization-specific standards (API conventions, logging format, etc.)

• Priority Boost: Custom rules automatically ranked higher than defaults

• Automatic Loading: No configuration needed - just add files to rules/custom/

Quick Start

1. Create custom rule file in rules/custom/:

   rules/custom/org-api-standards.instructions.md

2. Use standard frontmatter format:

   --- applyTo: '**/*.ts,**/*.js,**/*.py' description: 'Organization API Standards' version: '1.0.0' --- # Organization API Standards Your organization-specific guidance...

3. Restart MCP server - custom rules load automatically:

   Loaded 22 default + 3 custom = 24 total instruction files Custom rule 'org-api-standards' loaded

Examples

Example 1: Override Hardcoded Credentials Rule

Create rules/custom/codeguard-1-hardcoded-credentials.instructions.md:

• Specifies your organization's approved secret managers (Azure Key Vault, HashiCorp Vault)

• Documents rotation policies and incident response

• Lists organization contacts

Example 2: API Standards

Create rules/custom/org-api-standards.instructions.md:

• REST conventions (methods, status codes, pagination)

• Error response format

• Rate limiting headers

• Authentication requirements

Example 3: Logging Format

Create rules/custom/org-logging-format.instructions.md:

• Required log fields (timestamp, traceId, service, userId)

• Log levels (DEBUG, INFO, WARN, ERROR, FATAL)

• What NOT to log (passwords, PII)

• Structured logging examples

See rules/custom/README.md for complete documentation.

Priority System

Custom rules get automatic advantages:

• +25 baseline score boost

• Elevated priority tier (LOW→MEDIUM, MEDIUM→HIGH)

• Appear before equivalent default rules in results

🛠️ Technology Stack

• Runtime: Node.js 18+ / TypeScript

• Protocol: MCP SDK (@modelcontextprotocol/sdk)

• Transport: stdio (standard MCP)

• Parser: Gray-matter (frontmatter), micromatch (glob patterns)

• Testing: Vitest (59 tests, 80-85% coverage)

🚦 Roadmap

See ROADMAP.md for detailed implementation plan.

Phase 1: Core MCP Server ✅ COMPLETED (January 16, 2026)

• MCP server setup with stdio transport

• Rule loader with frontmatter parsing

• Pattern matching engine (glob patterns, language detection)

• Basic resource handlers

• Prompt handlers for dynamic instruction injection

• 22 instruction files loaded and working

• TypeScript build system configured

• Basic tests implemented (37 tests)

Phase 2: Smart Matching ✅ COMPLETED (January 20, 2026)

• Enhanced language detection (30+ languages, auto-detection from file paths)

• Context keyword matching (50+ keywords with weighted scoring)

• Rule prioritization system (4-tier: Critical/High/Medium/Low)

• Advanced pattern matching (negative patterns, complex globs)

• Multi-factor scoring algorithm

• Response optimization (top 15 most relevant rules)

• Comprehensive test coverage (51 tests, 80-85%)

Current Status:

• ✅ Server built and functional (dist/index.js)

• ✅ Works with Claude Desktop (MCP supported)

• ✅ Intelligent rule selection with priority scoring

• ✅ Auto-detects language from file extensions

• ✅ Context-aware matching (< 10ms response time)

• ⏳ Waiting for GitHub Copilot MCP support

Phase 3: Enhanced Features (Week 3)

• Custom organization rules support

• Rule versioning and updates

• Caching with TTL and invalidation

• Configuration management (config.json)

• Structured logging and metrics

Phase 4: Production Ready (Week 4+)

• Docker containerization

• HTTP transport option

• Health check endpoint

• Monitoring dashboard

• GitHub Copilot integration (when available)

🎯 Success Metrics

• ✅ Zero duplication: No .github/instructions in any repo

• ✅ Centralized updates: Update once, apply everywhere

• ✅ Automatic enforcement: AI follows rules without developer intervention

• ✅ Fast response: < 10ms with priority scoring (target: < 100ms) ✅

• ✅ High accuracy: 90%+ correct rule matching with context awareness ✅

• ✅ Developer experience: Transparent, no workflow changes

🤝 Benefits

For Developers

• No manual rule maintenance per repo

• Consistent security standards across projects

• AI generates secure code automatically

• Clear, actionable security guidance

For Organizations

• Centralized security policy management

• Easy to update and enforce rules organization-wide

• Audit trail of instruction versions

• Reduced security vulnerabilities in AI-generated code

For Security Teams

• Single source of truth for security rules

• Version control for policy changes

• Measurable compliance across all projects

• Proactive security guidance at code generation time

🏗️ Architecture

Component Overview

MCP Endpoints

Resources:

• codeguard://instructions/all - All instructions

• codeguard://instructions/{language} - Language-specific

• codeguard://instructions/file?path={file} - File-specific

Prompts:

• get_security_instructions - Context-aware instruction retrieval

  • Args: language, context, filepath

Tools:

• get_security_instructions - Get rules for code generation

• validate_code_security - Validate code against rules

Pattern Matching

The server intelligently matches rules based on:

• File patterns: **/*.py, src/auth/**

• Language: Detected from extensions or prompts

• Context: Keywords like "auth", "crypto", "database"

• Critical rules: Always included (credentials, crypto, certificates)

📦 Project Structure

🧪 Development

🚦 Current Status

✅ Completed (Phase 1)

• Core MCP server with stdio transport

• Rule loader with frontmatter parsing

• Pattern matching (glob, language, context)

• Resource & Prompt handlers

• 22 instruction files loaded

• Works with Claude Desktop

⏳ Pending

• GitHub Copilot MCP support (waiting on Microsoft)

• Advanced caching & optimization

• Custom organization rules

🤝 Benefits

For Developers:

• No manual rule maintenance per repo

• Consistent security across projects

• AI generates secure code automatically

For Organizations:

• Centralized security policy management

• Easy organization-wide updates

• Reduced security vulnerabilities

For Security Teams:

• Single source of truth

• Version control for policies

• Proactive security at code generation time

📝 License

MIT

🔗 Resources

• Model Context Protocol

• MCP SDK

• Roadmap

Built with ❤️ for secure AI-assisted development