firepass-mcp
The firepass-mcp server turns Kimi K2.6 Turbo into an autonomous coding agent with tool loops for file operations, shell commands, code search, and structured code review — all sandboxed to a working directory you specify.
Tools Available
firepass_worker— Full read/write coding agent: read, write, and edit files; run bash commands; search with ripgrep, ast-grep, jq, and glob; navigate directories. Autonomously iterates on coding, refactoring, and bug fixes (up to 60 iterations by default).firepass_researcher— Read-only analysis agent: read files, search codebases, perform code/architecture analysis. No writes or shell execution — safe for exploration.firepass_reviewer— Read-only code review agent: reviews files, diffs, or PR descriptions and returns structured feedback (blocking issues, suggestions, positives).firepass_trio— Orchestrator that chains researcher → worker → reviewer in a single call, with an optional bounded fix loop based on review feedback.
Key Capabilities
Provide a
promptandcwdto scope the agent's file access; optionally pre-loadcontext(file contents, errors, specs, diffs).Configurable
max_iterations(default 60, up to 200), shell command timeouts, and output/file size limits.All file operations are sandboxed to
cwd; read-only agents strictly block write/execute capabilities.Results returned as XML envelopes with an executive summary and activity log for structured parsing.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@firepass-mcpFind and fix the failing test in test_api.py"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
firepass-mcp
MCP server that turns Kimi K2.6 Turbo into an agentic coding assistant. The model gets a tool loop — it can read/write files, run shell commands, and search code with ripgrep, ast-grep, jq, and glob — and iterates autonomously until the task is done.
Four tools exposed over MCP:
Tool | Capabilities | Use case |
| read_file, write_file, edit_file, bash, ripgrep, glob_find, ast_grep, jq, list_dir, tree, done | Coding, refactoring, bug fixes |
| read_file, ripgrep, glob_find, ast_grep, jq, list_dir, tree, done (read-only) | Code analysis, architecture review |
| read_file, ripgrep, glob_find, ast_grep, jq, list_dir, tree, done (read-only) | Code review with structured output |
| researcher → worker → reviewer chain with bounded fix loop-back | Plan-then-implement-then-review in one MCP call |
Requirements
Python 3.10+
A Fireworks AI API key
rg(ripgrep),sg(ast-grep),jq,treeon PATH for full tool coveragebash,ls(standard on POSIX systems)
Install
uvx firepass-mcpConfiguration
Set your API key:
export FIREWORKS_API_KEY="fw-..."Codex CLI
Add the server with:
codex mcp add firepass --env FIREWORKS_API_KEY=fw-... -- uv run firepass-mcpThis writes a config like:
[mcp_servers.firepass]
command = "uv"
args = ["run", "firepass-mcp"]
[mcp_servers.firepass.env]
FIREWORKS_API_KEY = "fw-..."Claude Code
Add the server with:
claude mcp add -e FIREWORKS_API_KEY=fw-... firepass -- uv run firepass-mcpThis writes a config like:
{
"mcpServers": {
"firepass": {
"type": "stdio",
"command": "uv",
"args": ["run", "firepass-mcp"],
"env": {
"FIREWORKS_API_KEY": "fw-..."
}
}
}
}Claude Desktop / Generic MCP JSON
If your client reads MCP JSON directly, use:
{
"mcpServers": {
"firepass": {
"command": "uvx",
"args": ["firepass-mcp"],
"env": {
"FIREWORKS_API_KEY": "fw-..."
}
}
}
}Environment variables
Variable | Default | Description |
| (required) | Fireworks AI API key |
|
| Model ID |
|
| Shell command timeout (seconds) |
|
| Max chars per tool result |
|
| Max chars per file read |
How it works
You call
firepass_worker,firepass_researcher,firepass_reviewer, orfirepass_triowith a prompt and a requiredcwdThe server (
server.py) sends the prompt to Kimi K2.6 Turbo with function-calling enabled, usingtools.pyfor the typed ToolSpec registry and executors andmessages.pyfor context budgetingThe model explores the codebase, makes edits, runs tests, and iterates
Every tool has a frozen-dataclass argument contract with
additionalProperties: falseenforced at runtime — unknown fields are rejectedWhen done, it calls
done()with an executive summaryThe summary (plus an activity log) is returned as the tool result
All roles get 60 iterations by default (capped at 200), configurable per call.
firepass_trio chains researcher, worker, and reviewer: the researcher gathers context, the worker implements, and the reviewer audits the result. The reviewer can send the worker back for fixes up to max_review_rounds times (default 2, capped at 5). The response is an XML envelope that contains each sub-result as a separate tag so the calling LLM can address them individually.
Response format
Every tool result is returned as an XML envelope so the calling LLM can read sub-results structurally.
Single tool (e.g. firepass_worker):
<firepass_worker status="completed" iterations="4" tool_calls="3">
<result>Done: refactored auth logic into helpers.py</result>
<activity>
<call>read_file(path="src/auth.py")</call>
<call>write_file(path="src/helpers.py", content="...")</call>
<call>done(result="Done: refactored auth logic into helpers.py")</call>
</activity>
</firepass_worker>Trio call (firepass_trio):
<firepass_trio status="approved" rounds="1">
<research status="completed" iterations="3" tool_calls="2">...</research>
<rounds>
<round n="1">
<implementation status="completed" iterations="5" tool_calls="4">...</implementation>
<review status="completed" iterations="2" tool_calls="1">...</review>
</round>
</rounds>
</firepass_trio>Security model
All file operations (read_file, write_file, edit_file, glob_find, ripgrep, ast_grep, jq, tree, list_dir) are sandboxed to the required cwd you provide. Paths are resolved and validated against the working directory before any I/O.
The researcher and reviewer are read-only — bash, write_file, and edit_file are blocked both at the API schema level (model never sees them) and at runtime (server rejects them even if hallucinated). Dangerous ripgrep flags (--pre, --pre-glob, --search-zip, --replace, -r, -z) are also blocked.
The worker has full access including bash. It is not sandboxed at the command level — treat it like giving shell access to a remote developer scoped to your project directory.
Limits:
File writes capped at 1 MB per operation
File reads capped at 100K characters
Tool output capped at 50K characters
Context budget of 200K characters. Phase 1 truncates oldest tool outputs to
[truncated]; phase 2 compacts assistant tool_call arguments to{}. If still over budget, an error is raised rather than silently exceeding.Configurable iteration limits (default 60 for all roles, capped at 200)
Review rounds capped at 5 in the trio (default 2)
Development
Install dev dependencies and run tests:
uv sync
uv run pytest -q tests/test_server.pyLint and type-check:
uv run ruff check src tests
uv run ty check srcLicense
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jameshgrn/firepass-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server