Add configurable MCP support for ReSpec report workflows #5168
danielcamposramos wants to merge 1 commit into speced:main from
Introduce a stdio MCP interface for ReSpec so editors and AI tools can scaffold, preflight, validate, and build reports from repo-local profiles. Keep group-specific policy out of the core implementation by loading statuses, templates, required sections, required links, and phrase checks from repository configuration. Add a Docker runtime for Node 24 and Chromium-based environments so the same workflow can run consistently in local and containerized setups.

Can you share a video demo to show how it works?

Hi @sidvishnoi,

Thanks for looking at this. We built this MCP as a side project within the PM-KR Community Group to support our own report authoring workflow. The group's focus is on the main specification work, so we don't have the bandwidth to record a video demo right now — but the MCP is functional and has already been used in practice.

How to use it:

VSCode agents (Claude Code, Cline, GitHub Copilot, etc.) — add to your MCP settings: {

Docker (includes Node 24 + headless Chromium for respec_build):

```sh
docker build -t respec-mcp:local .
```

CLI (directly, for scripting or CI):

```sh
node tools/respec-mcp.js --repo-root /path/to/your/spec-repo
```

Once connected, the agent gets five tools:

Live artifact

Happy to answer any questions about the implementation or integration patterns.

Will take a look soon…

Thanks for putting this together, Daniel. The profile/policy pattern is a genuinely interesting idea: letting each repo declare its own allowed statuses, required sections, forbidden phrases, and templates is a clean way to handle CG governance without forking ReSpec. The references in the authoring guide are solid too. I checked them all and they hold up.

That said, I have concerns in two areas: security and packaging.

Security

Path traversal / arbitrary file write: There are no containment checks on any resolved paths. Every tool that accepts

```js
if (output) {
  return path.resolve(state.repoRoot, output);
}
```

An MCP client (i.e., an LLM) sending

Since MCP tool inputs come from LLMs (which can be manipulated via prompt injection from document content), this is a meaningful attack surface. Every

Unrestricted URL navigation:

Prototype pollution via

```js
const merged = {
  ...repoDefaults,
  ...profileDefaults,
  ...overrides, // LLM-controlled
};
```

Keys like

Design / Packaging

Separate package, not bundled in core:

Compliance checks are shallow: Required sections are detected via

Happy to discuss any of this further.
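
A containment check of the kind the review above asks for, as an added example that is not code from the PR or from respec-mcp. `resolveInsideRepo`, `demo`, and the `/srv/spec` root are hypothetical names, and every input is constructed.

```javascript
const path = require("node:path");

// Hypothetical helper, not from the PR: resolve a tool-supplied path against
// repoRoot and refuse any result that lands outside it.
function resolveInsideRepo(repoRoot, candidate) {
  if (typeof candidate !== "string" || candidate.length === 0) {
    throw new Error("path must be a non-empty string");
  }
  if (candidate.includes("\0")) {
    throw new Error("path contains a NUL byte");
  }
  const root = path.resolve(repoRoot);
  const resolved = path.resolve(root, candidate);
  // path.relative() returns ".." segments (or, on Windows, an absolute path
  // on another drive) when `resolved` is not under `root`. A plain
  // resolved.startsWith(root) test would accept the sibling "/srv/spec-evil".
  const rel = path.relative(root, resolved);
  const escapes =
    rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`path escapes repo root: ${candidate}`);
  }
  return resolved;
}

// Constructed inputs against a constructed repo root.
function demo(repoRoot = "/srv/spec") {
  const inputs = [
    "out/report.html", // plain relative path: allowed
    "./a/../b.html", // ".." that stays inside the root: allowed
    "../spec-evil/x.html", // sibling directory sharing the root's prefix
    "../../etc/report.html", // climbs above the root
    "/tmp/report.html", // absolute path outside the root
  ];
  return inputs.map(input => {
    try {
      return { input, ok: true, resolved: resolveInsideRepo(repoRoot, input) };
    } catch (err) {
      return { input, ok: false, error: err.message };
    }
  });
}

console.table(demo());
```

The check is lexical only: a symlink inside the repository can still point outside it, so compare `fs.realpathSync()` results as well when repository content is not trusted.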
Pull request overview
This PR introduces a new respec-mcp stdio MCP server that wraps ReSpec rendering and adds repo-local profile/config discovery so AI tools can scaffold, validate, preflight, and build spec reports using repository-defined policies and templates.
Changes:
- Add MCP server + core workflow modules (listProfiles, scaffoldSource, validate/preflight/build) and a new respec-mcp CLI entrypoint.
- Add MCP-focused Jasmine tests and wire them into pnpm test.
- Add documentation (MCP usage + LLM authoring guidance) and a Docker image intended for a Node 24 + Chromium runtime.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tools/respecMcpServer.js | Registers MCP tools and formats MCP responses. |
| tools/respecMcpCore.js | Implements repo config/profile discovery, templated scaffolding, rendering, and compliance checks. |
| tools/respec-mcp.js | New stdio CLI entrypoint (respec-mcp) that boots the MCP server. |
| tests/mcp.cjs | Adds focused tests for profile discovery, scaffolding, building, and preflight compliance. |
| package.json | Exposes new bin/script entries and adds MCP dependencies. |
| pnpm-lock.yaml | Locks newly added dependencies (@modelcontextprotocol/sdk, zod, transitive deps). |
| docs/MCP.md | Documents MCP configuration contract and usage patterns. |
| docs/MCP_LLM_AUTHORING_GUIDE.md | Adds authoring guidance intended to be discoverable by MCP clients. |
| README.md | Publicly advertises the new MCP server and points to docs. |
| Dockerfile | Adds a Docker runtime intended for MCP usage in a Chromium-capable environment. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| if (/^\w+:\/\//.test(sourceRef)) { | ||
| const response = await fetch(sourceRef); | ||
| if (!response.ok) { | ||
| throw new Error(`Failed to fetch source ${sourceRef}: ${response.status}`); | ||
| } |
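Review bot: the scheme test on the first line, `/^\w+:\/\//`, accepts any scheme, so whatever `sourceRef` a tool caller supplies is passed straight to `fetch`, including URLs that point at loopback or internal hosts. Parse the value with `new URL(sourceRef)` rather than a regex, accept only `https:` (plus `http:` if it is really needed), and consider a host allowlist read from the repo config. The error message also echoes the full URL back to the caller, which is worth trimming in case it carries credentials.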
| } | ||
|
|
||
| function applyTemplate(template, values) { | ||
| return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_match, key) => { |
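Review bot: the key pattern `[\w.]+` in the `replace` call matches names such as `__proto__` and `constructor.name`, so the callback should resolve `key` through own properties only (for example `Object.hasOwn` at each dotted segment) and state explicitly what an unknown key renders as. A short doc comment on `applyTemplate` describing the accepted key syntax would help here too.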
| RUN corepack enable \ | ||
| && pnpm install --frozen-lockfile | ||
|
|
||
| ENTRYPOINT ["node", "tools/respec-mcp.js", "--repo-root", "/workspace"] |
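Review bot: no `USER` instruction appears between the `pnpm install` step and the `ENTRYPOINT` in the lines shown, so unless one is set earlier in the file the server runs as root with whatever is at `/workspace`. Create an unprivileged user after the install step and switch to it before `ENTRYPOINT`.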
| "zod": "^3.25.76" | ||
| }, | ||
| "files": [ | ||
| "builds/", |
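Review bot: the `files` array that follows the `zod` entry starts with `builds/`; check that it also covers the new modules under `tools/`. npm always packs the file named in `bin`, but not the modules that file loads, so a missing entry would publish a command that fails on startup.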

After thinking about this more, I think the right next step would be to incubate this in a separate repository rather than merging it into the ReSpec core package. There's precedent for this in the A separate repo like Happy to help set that up if you'd like.

Closing this out... but happy to keep discussing here.

Hi @marcoscaceres — thanks for the careful review. You were right that this belonged in its own repo. I took the feedback seriously and rebuilt it as a standalone package:

→ https://github.com/danielcamposramos/respec-mcp

Every concern you and Copilot raised is addressed. Summary for the record:

Security (your blockers)
Design
Packaging
Copilot's items
Also

If you're up for taking this under the

Do you want some time for the community to experiment? I think it would be great to see what you all come up with. Having built several MCPs, I know how rapidly they can evolve. How about you check-in in 6 weeks or so once you’ve had a chance for the design to stabilize and have gained some usage experience across the CG? No objections to setting up a repo for you. But would like to be sure you’ve gained significant experience with it first. Then we can bring it over piecemeal and go hard on privacy, security, performance, etc. audits to make it generally available if it proves useful. I’ll try to find time to play with it and provide feedback.

Summary
This PR adds a configurable stdio MCP companion for ReSpec so AI tools and editors can scaffold, preflight, validate, and build reports from repo-local profiles.
What Changed
- respec-mcp stdio entrypoints and MCP core/server modules
- respec-mcp.config.json and respec-mcp/profiles/*.json
Why
The goal is to let Community Groups and similar spec repositories keep local policy and templates while reusing one upstream MCP runtime. The added authoring guidance is meant to make the MCP useful for real standards-oriented writing and review, not only for rendering HTML.
Validation
- docker build -t respec-mcp:local .
- docker run --rm --entrypoint node respec-mcp:local /app/node_modules/jasmine/bin/jasmine.js --random=false /app/tests/mcp.cjs