dobbe
Integrates with Dependabot via GitHub for scanning and resolving security alerts.
Provides integration with GitHub for scanning Dependabot alerts, managing pull requests, reviewing code, computing DORA metrics, and generating changelogs.
Used for test generation and verification workflows in projects using Jest.
Supports vulnerability resolution, dependency analysis, and migration planning for npm packages.
Used for test generation and verification workflows in projects using pytest.
Enables triage of Sentry incidents with AI-powered root cause analysis.
Allows sending notifications to configured Slack channels.
Used for test generation and verification workflows in projects using Vitest.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@dobbescan and fix vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
$ /dobbe-vuln-resolve
[scan] Found 3 Dependabot alerts (2 critical, 1 high)
[fix] Upgraded lodash 4.17.20 -> 4.17.21, axios 0.21.1 -> 0.21.4
[verify] Running tests... FAILED (TypeError in utils.js:42)
[retry] Attempt 2/3 -- feedback injected, retrying with error context
[fix] Pinned axios 0.21.4, added @types/lodash
[verify] Running tests... PASSED (147/147)
[pr] Created PR #142: "fix: resolve vulnerable dependencies"Why dobbe?
Your AI skips steps. dobbe can't. Every pipeline is a finite state machine with Zod validation at each transition. Claude submits results, the server validates them, and only then advances to the next step. If tests fail, the server loops back automatically with the exact error output injected as context. This is program control flow, not prompt engineering.
45 minutes to 3 minutes. A typical Dependabot triage: open GitHub, read 12 alerts, figure out which matter, checkout a branch, upgrade packages, run tests, debug failures, run tests again, push, create a PR. With dobbe: type
/dobbe-vuln-resolve. The pipeline handles all steps including up to 3 retry loops if tests break.One command. No config files.
npx dobbe installregisters the MCP server and 24 slash commands. No YAML. No dashboard. No SaaS signup. Uninstall withnpx dobbe uninstall.
Before vs. After
Task | Without dobbe | With dobbe |
Resolve Dependabot alerts | Open GitHub, read alerts, checkout, upgrade, test, fix, test again, PR (~45 min) |
|
Code review all open PRs | Read each diff, write comments, check security/tests/quality |
|
Find coverage gaps + write tests | Run coverage, find gaps, write tests, run, fix, repeat |
|
DORA metrics | Query GitHub API, compute 4 metrics, format report |
|
Triage Sentry incidents | Open Sentry, read stack traces, search codebase, write analysis |
|
Quick Start
npx dobbe installRestart Claude Code, then try:
/dobbe-vuln-scan
/dobbe-review-digest
/dobbe-metrics-dora# Uninstall
npx dobbe uninstallHow It Works
The MCP server runs a finite state machine. Each step declares what needs to happen (intent, mode, context) and Claude decides how to accomplish it. Results are validated with Zod schemas before advancing.
graph LR
A[scan] --> B[fix]
B --> C[commit]
C --> D{verify}
D -->|pass| E[report]
D -->|fail| B
E --> F[pr]
F --> G((done))
D -->|max retries| H((failed))The server controls the workflow, not the prompt. Each step has a declarative
intent(what to do),mode(plan, act, gather, or report), andcontext(structured parameters). Claude uses its best tools and UX for the job. If results fail Zod validation, the server rejects them. If tests fail at the verify step, the server loops back tofixwith the error output injected as feedback -- up to 3 iterations.
Commands
AI-Powered Pipelines
Command | What it does | Pipeline flow | Retry |
| Scan + triage Dependabot alerts | scan -> report -> done | -- |
| Scan, fix, test, retry, create PR | scan -> fix -> commit -> verify -> report -> pr -> done | 3x |
| Fetch PRs, deep review, generate digest | fetch -> review -> done | -- |
| Review PRs, post comments to GitHub | fetch -> review -> post -> done | -- |
| Security audit (vulns, licenses, secrets, quality) | analyze -> done | -- |
| Dependency health, licensing, usage analysis | analyze -> done | -- |
| Find coverage gaps, generate tests, verify, PR | analyze -> generate -> verify -> commit -> pr -> done | 3x |
| Git history to categorized release notes | analyze -> done | -- |
| Plan + execute dependency migrations | plan -> apply -> verify -> commit -> pr -> done | 3x |
| Sentry issue triage with AI root cause analysis | fetch -> triage -> done | -- |
Multi-Perspective Reviews
Command | What it does |
| Product Manager review -- feature gaps, prioritization, roadmap |
| Engineering review -- architecture, code quality, tech debt |
| Design review -- UX, accessibility, interaction patterns |
| QA review -- test coverage, edge cases, reliability |
| Test architecture review -- strategy, frameworks, coverage |
| Marketing review -- positioning, messaging, go-to-market |
| Sales review -- competitive positioning, pricing, objections |
| Run all 7 perspectives + synthesized summary |
Each review pipeline uses gather mode to understand the project interactively, then plan mode for deep analysis.
Metrics & Scanning
Command | What it does |
| DORA metrics (deploy frequency, lead time, failure rate, MTTR) |
| PR velocity and cycle time metrics |
| Secrets and credentials scanner |
Utilities
Command | What it does |
| Interactive configuration wizard |
| Environment health check |
| View and manage configuration |
Works With
Integration | Used by |
GitHub (Dependabot, PRs, Actions) | vuln-scan, vuln-resolve, review-, metrics-, changelog-gen |
Sentry | incident-triage |
Slack | Notification delivery (configurable channel) |
npm / pip / bundler / Cargo / Go mod | vuln-resolve, deps-analyze, migration-plan |
Jest / pytest / Vitest / Go test / RSpec | test-gen (auto-detects framework) |
Auto-detects your framework: Django, Angular, React, Next.js, Express, Flask, FastAPI, Spring Boot, Rails.
Prerequisites
Claude Code -- installed and authenticated
Node.js 18+ -- for the MCP server
gh CLI -- for GitHub API access (
brew install gh)MCP servers (optional) -- GitHub, Sentry, Slack for enhanced capabilities
Architecture
Why a state machine? LLMs are stateless -- they forget context between tool calls. A state machine ensures every step executes in order, results are validated with Zod schemas before advancing, and retry loops inject the exact error output from the previous attempt. This is control flow, not prompt engineering.
Claude Code (executor)
|
v
dobbe MCP Server (state machine controller)
|
+-- 21 Pipeline definitions
| +-- Each pipeline: states, transitions, Zod schemas, intent/mode/context/hints
| +-- 3 pipelines with retry loops (vuln-resolve, test-gen, migration-plan)
| +-- 7 role-based review pipelines + 1 aggregate project-review
|
+-- State machine engine (generic FSM)
| +-- Zod validation per step
| +-- Retry logic with feedback injection
| +-- Persistent sessions (crash recovery)
|
+-- 14 MCP Tools
| +-- pipeline_start, pipeline_step, pipeline_complete, pipeline_status
| +-- pipeline_list, pipeline_list_sessions, pipeline_abort
| +-- config_read, config_write
| +-- cache_get, cache_set
| +-- session_load, session_save
|
+-- Utilities
+-- Atomic file writes (crash-safe)
+-- Structured logging (JSON + pretty mode)
+-- Framework detection (Django, React, Angular, Express, etc.)
+-- File-based cache with TTLBuilt to Ship
373 tests with 94% coverage -- every pipeline path is tested
21 pipelines with Zod validation at every state transition
3 retry pipelines with automatic feedback injection
Zero global mutable state --
PipelineServiceis fully isolated and testableAtomic file writes -- crash-safe session persistence via write-to-temp + rename
CI on Node 18, 20, 22 -- tested across all active LTS versions
Config is stored in ~/.dobbe/config.toml. Run /dobbe-setup in Claude Code to configure.
[general]
default_org = "acme"
default_format = "table"
default_severity = "critical,high,medium,low"
[notifications]
slack_channel = "#security-alerts"
[timeouts]
scan = 300
resolve = 600
review = 300Environment variables:
Variable | Description | Default |
| Override ~/.dobbe directory |
|
|
|
|
|
|
|
Development
git clone https://github.com/nareshnavinash/dobbe-mcp.git
cd dobbe-mcp
npm install
npm test # 373 tests
npm run test:coverage # 94%+ coverage
npm run build
npm run lintSee CONTRIBUTING.md for development guidelines.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/nareshnavinash/dobbe-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server