MCP-Powered CI Review Enhancement — Standard

[don-petry]

Summary

Integrate MCP (Model Context Protocol) servers into the Claude Code CI
review workflow so reviews can draw on real-time documentation and
external signal instead of relying solely on the model's training data.
This adds framework-aware suggestions and detection of deprecated APIs
and breaking changes that static training data can miss.

Concretely: add an optional mcp_servers input to the existing
claude-code-reusable.yml workflow, document recommended servers per tech
stack, and pilot on one downstream repository.

Motivation

• Stale training data. Reviews currently depend entirely on Claude's
  training data, which can lag the latest library releases by months —
  risking missed breaking changes and deprecated patterns.
• Diverse downstream stacks. Downstream repos span React, Python, and
  Go; framework-specific, version-aware review needs live context.
• Market convergence. Context-rich, multi-source review is becoming the
  baseline expectation across the ecosystem:
  • The MCP ecosystem has grown to 2,300+ public servers (May 2026) under
    Linux Foundation governance; adoption spans Cursor, Windsurf, VS Code,
    and 200+ other tools.
  • CodeRabbit (2026) ships MCP integrations (Context7 for real-time library
    docs; connections to Datadog, New Relic, SonarQube, Snyk, Grafana) plus
    an Issue Planner beta and code-graph analysis — proving the concept in
    production.
  • GitHub Copilot's agentic code review (Mar 2026) now gathers full project
    context before analyzing PRs.
  • GitHub's own MCP Server reached GA for secret scanning (May 2026)
    and entered public preview for dependency scanning, with
    enterprise-managed plugin distribution in preview.

Design

1. Optional input. Add mcp_servers to claude-code-reusable.yml.
   When unset, behavior is unchanged — zero impact on existing adopters.
2. Starter server: Context7. Free, stateless, no authentication —
   lowest-friction entry point for real-time library documentation.
3. Graceful degradation (Fail Loud, Never Fake). If an MCP server is
   unavailable, the review emits a warning annotation and proceeds —
   never a silent failure and never a fabricated "all clear."
4. Per-stack recommendations. Document a recommended server set per tech
   stack (e.g. Context7 for library docs; GitHub MCP for secret/dependency
   scanning; SonarQube MCP for code-quality enrichment).

Assessment (as of 2026-05-29)

Dimension	Rating	Notes
Feasibility	High	Minimal workflow changes; MCP support is built into Claude Code; GitHub's MCP Server is now GA.
Impact	Medium	Improves framework-specific issue detection; broader signal (secret/dependency scanning) available but incremental.
Urgency	Medium	Quality improvement, not a critical threat; raised from low as the market converges on context-rich review.

Adversarial Review

• Objection: Latency and failure modes if MCP servers become
  unavailable.
• Rebuttal: Marginal latency (millisecond-range responses) and
  disclosed degradation via warning annotations rather than silent
  failure. Starting with stateless, no-auth Context7 minimizes failure
  surface.

Sequencing

The organization's immediate priorities are security (action allowlisting,
input sanitization). Pilot MCP-powered review after those land. When
ready, the lowest-risk concrete first steps are either:

• GitHub MCP secret scanning (now GA), or
• SonarQube MCP to enrich reviews with existing code-quality data.

Next Steps

1. Land in-flight security-hardening work first.
2. Add the optional mcp_servers input to claude-code-reusable.yml.
3. Document recommended servers per tech stack.
4. Pilot with Context7 (or GitHub MCP secret scanning) on one downstream
   repository; measure review quality and latency before broader rollout.

[github-actions[bot]]

Weekly Update

What Changed

Several significant developments since this proposal was authored (2026-05-29):

1. GitHub MCP Server — Secret Scanning GA (May 5, 2026): Secret scanning via the GitHub MCP Server reached general availability. Agents can now scan code for exposed secrets during code generation, before commit or PR — honoring existing push protection customization at the repo/org level. This validates the proposal's sequencing suggestion to start with "GitHub MCP secret scanning (now GA)."

2. GitHub MCP Server — Dependency Scanning Public Preview (May 5, 2026): The MCP Server now also scans for vulnerable dependencies before commit. Available for repos with Dependabot alerts enabled. This adds a second ready-to-use MCP server to the project's integration candidates.

3. Copilot Code Review Billing Change (June 1, 2026): Copilot code review now consumes Actions minutes at a 13x premium-request multiplier per review. This increases the cost-effectiveness argument for the project's self-hosted pr-review pipeline and raises the value of MCP-enriched reviews that improve self-hosted review quality.

4. GitHub Agentic Workflows Public Preview (June 11, 2026): GitHub's agentic workflow platform now includes built-in threat detection scanning and a working-tree sanitization firewall. The platform acknowledges context-enrichment as a first-class concern. The new GITHUB_TOKEN support (no PATs) simplifies authentication for MCP-consuming workflows.

5. CodeRabbit MCP Integration GA: CodeRabbit's MCP integration is now generally available, connecting to Slack, Confluence, Notion, Datadog, and Sentry for context-enriched reviews. Their multi-repo analysis feature (March 2026) checks downstream repos for breakage — proving the value of cross-ecosystem review context in production.

6. MCP Ecosystem Growth: The MCP ecosystem has reached 2,300+ public servers under Linux Foundation governance, up from the "growing ecosystem" noted in the original proposal.

Updated Assessment

Dimension	Previous	Current	Delta
Feasibility	High	High	→ (unchanged — MCP support in Claude Code remains built-in)
Impact	Medium	Medium-High	↑ (Copilot billing change increases self-hosted review ROI; more MCP servers ready)
Urgency	Medium	Medium	→ (security-first sequencing still correct; GitHub MCP secret scanning GA strengthens the case for starting there)

Recommendation

Advance — with revised sequencing. The original proposal suggested starting with Context7 or GitHub MCP secret scanning. Given that:

• GitHub MCP secret scanning is now GA (not just preview)
• Dependency scanning is in public preview
• Both require zero authentication and integrate with existing repo security settings

The lowest-risk first step is now clearer: start with GitHub MCP Server (secret + dependency scanning) rather than Context7. This aligns with the project's security-first priorities and provides immediate, measurable value (catching secrets/vulnerabilities during agent code generation) before adding library-documentation enrichment via Context7.

[github-actions[bot]]

[don-petry]

petry-projects/.github/.github/workflows/claude-code-reusable.yml is Deprecated. Scope should be pr-review and dev-lead engine

1st focus is Github Security MCP
2nd is Context7 eval

[github-actions[bot]]

📋 Initiative planned by the BMAD Scrum Master (Bob).

Epic #676 — MCP-powered review enrichment for the self-hosted Claude review engine (engine.sh)

5 stories created (inert — labelled initiative, NOT initiative:auto):

• [Phase 1] Thread an optional MCP config into the Claude agentic review tiers (engine.sh) #677 (M) — [Phase 1] Thread an optional MCP config into the Claude agentic review tiers (engine.sh)
• [Phase 1] Graceful degradation: warn (never fake) when an MCP server is unavailable #678 (M) — [Phase 1] Graceful degradation: warn (never fake) when an MCP server is unavailable
• [Phase 1] Surface the MCP knob to the review workflow without breaking template sync #679 (S) — [Phase 1] Surface the MCP knob to the review workflow without breaking template sync
• [Phase 2] Document recommended MCP servers per tech stack #680 (S) — [Phase 2] Document recommended MCP servers per tech stack
• [Phase 2] Pilot MCP-enriched review on one downstream repo and measure quality + latency #681 (M) — [Phase 2] Pilot MCP-enriched review on one downstream repo and measure quality + latency

Open questions for review:

• MCP-Powered CI Review Enhancement — Standard #650 targets a claude-code-reusable.yml workflow and an mcp_servers input, but neither exists in this repo. The plan retargets the real Claude review engine (scripts/engine.sh, invoked by pr-review.yml). Confirm this retargeting matches intent.
• The cited prerequisite — 'land in-flight security-hardening work first' (action allowlisting, input sanitization) — is not tracked as a repo issue in the planning context (referenced_issues is empty). Which issue/epic gates the story-5 pilot?
• pr-review.yml is org-template-synced (AGENTS.md). Preferred enablement path for the MCP knob: source it from a committed config file (no workflow edit) vs. add a documented env-passthrough exception? Story 3 must pick one.
• Which downstream repo and which starter server (GitHub MCP secret scanning vs. Context7) should the pilot use?
• Open epic Generalize pr-review into a context-adaptive review agent (artifact contract + rubric registry) #610 (generalize pr-review into a context-adaptive review agent) also reshapes the review engine. Confirm the MCP plumbing should land independently rather than folded into that initiative.

---

Review the epic and its sub-issue DAG, adjust as needed, then add initiative:auto to epic #676 to hand it to initiative-driver for auto-implementation.