A Rust-based MCP server for comprehensive code quality analysis. Designed to work alongside harness enforcement gates, giving Claude proactive self-correction capabilities.
| Tool | Description |
|---|---|
| quality_scan | Placeholder/TODO detection, stubs, mocks, debug statements |
| security_audit | SAST-lite: SQLi, XSS, CMDi, path traversal, secrets, SSRF, deserialization, XXE, weak crypto |
| complexity_report | Cyclomatic complexity, function length, nesting depth |
| drift_check | Compare implementation against spec/requirements |
| dependency_audit | Check for vulnerable/outdated packages (Cargo, npm, pip, go) |
| pattern_history | Query past violations from cognitive-memory |
| suggest_fix | Get fix suggestions for specific violations |
| full_audit | Run all checks in one call |
┌──────────────────────────────────────────────────────────────┐
│ Claude (Code Generation) │
└──────────────────────────────┬───────────────────────────────┘
│
┌────────────────────┼────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ quality_scan │ │ security_audit │ │ complexity_ │
│ (proactive) │ │ (proactive) │ │ report │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
└────────────────────┼────────────────────┘
│
▼
┌─────────────────┐
│ Fix Issues │
└────────┬────────┘
│
▼
┌──────────────────────────────────────┐
│ Harness Gates (mandatory) │
│ ┌──────────────────────────────┐ │
│ │ Final placeholder check │ │
│ │ Final security check │ │
│ │ Test requirements │ │
│ └──────────────────────────────┘ │
└──────────────────────────────────────┘
│
▼
┌─────────────────┐
│ Pass / Fail │
└─────────────────┘
cd code-quality-mcp
cargo build --release

Add to ~/.claude/settings.json:

{
  "mcpServers": {
    "code-quality": {
      "command": "/path/to/code-quality-mcp/run-mcp.sh"
    }
  }
}

| Variable | Default | Description |
|---|---|---|
| COGNITIVE_MEMORY_URL | http://localhost:8050 | URL for cognitive-memory MCP (pattern history) |
| RUST_LOG | code_quality_mcp=info | Log level |
Use full_audit on /path/to/project

Use security_audit on /path/to/src
Categories: ["sqli", "secrets", "cmdi"]

Use drift_check with:
spec_path: /path/to/SPEC.md
code_path: /path/to/src

Use pattern_history with query "SQL injection"
Category: "security"
Patterns flagged by security_audit:
- SQL Injection (string concatenation or interpolation in queries)
- Command Injection (shell=True, os.system, eval)
- Hardcoded secrets (API keys, passwords, private keys)
- Insecure deserialization (pickle, yaml.load without a safe loader, unserialize)
- XSS (innerHTML, dangerouslySetInnerHTML, v-html)
- Path traversal (user-controlled file paths)
- XXE (XML parsing without entity restrictions)
- Weak crypto (MD5, SHA1, DES, ECB mode)
- SSRF (user-controlled URLs in HTTP requests)
- Weak random (Math.random used for security-sensitive values)

Patterns flagged by quality_scan:
- Debug statements (console.log, print, dbg!)
- TODO/FIXME/HACK/XXX/TBD comments
- Empty pass statements (Python)
- unimplemented!() / todo!() macros (Rust)
- NotImplementedError
- Empty catch blocks
- Placeholder strings ("changeme", "REPLACE_ME")
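To show what a line-level SAST-lite pass and a placeholder pass look like in practice, here is an added example written for this page. It is not code from code-quality-mcp; the rule names, the `Finding` type and the `SAMPLE` snippet are all constructed for illustration. It covers the security_audit and quality_scan pattern lists above with plain substring heuristics, which is exactly the precision level the page calls "SAST-lite": cheap, language-agnostic, and prone to false positives that the harness gates are expected to re-check.

```rust
// Added example, not code from the code-quality-mcp project: a minimal
// line-based scanner in the spirit of security_audit and quality_scan.
// Rule names and the SAMPLE snippet are constructed for illustration.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,            // 1-based line number in the scanned source
    pub category: &'static str, // "security" (security_audit) or "quality" (quality_scan)
    pub rule: &'static str,
}

fn contains_any(line: &str, needles: &[&str]) -> bool {
    needles.iter().any(|n| line.contains(n))
}

/// SQL keyword on the same line as string concatenation or interpolation.
fn is_sqli_concat(line: &str) -> bool {
    contains_any(line, &["SELECT ", "INSERT ", "UPDATE ", "DELETE "])
        && contains_any(line, &[" + ", "format!(", ".format(", "f\"", "% ("])
}

/// A secret-looking name assigned a quoted literal.
fn is_hardcoded_secret(line: &str) -> bool {
    let lower = line.to_ascii_lowercase();
    contains_any(&lower, &["api_key", "apikey", "password", "secret", "private_key"])
        && lower.contains('=')
        && (lower.contains('"') || lower.contains('\''))
}

/// TODO/FIXME/HACK/XXX/TBD inside a line comment.
fn is_placeholder_comment(line: &str) -> bool {
    (line.starts_with("//") || line.starts_with('#'))
        && contains_any(line, &["TODO", "FIXME", "HACK", "XXX", "TBD"])
}

/// Scan one source file and report every rule hit, in line order.
pub fn scan(source: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (idx, raw) in source.lines().enumerate() {
        let line = raw.trim();
        let n = idx + 1;
        let mut hit = |category: &'static str, rule: &'static str| {
            out.push(Finding { line: n, category, rule })
        };
        if is_sqli_concat(line) { hit("security", "sqli-string-concat"); }
        if contains_any(line, &["shell=True", "os.system(", "eval("]) { hit("security", "command-injection"); }
        if is_hardcoded_secret(line) { hit("security", "hardcoded-secret"); }
        // yaml.load with Loader=SafeLoader would still match here; a real tool checks the argument.
        if contains_any(line, &["pickle.load", "yaml.load(", "unserialize("]) { hit("security", "insecure-deserialization"); }
        if contains_any(line, &["innerHTML", "dangerouslySetInnerHTML", "v-html"]) { hit("security", "xss-sink"); }
        if contains_any(line, &["md5(", "sha1(", "MD5", "SHA1", "DES.", "MODE_ECB"]) { hit("security", "weak-crypto"); }
        if line.contains("Math.random") { hit("security", "weak-random"); }
        if contains_any(line, &["console.log(", "dbg!("]) { hit("quality", "debug-statement"); }
        if is_placeholder_comment(line) { hit("quality", "todo-comment"); }
        if line == "pass" { hit("quality", "empty-pass"); }
        if contains_any(line, &["unimplemented!()", "todo!()", "NotImplementedError"]) { hit("quality", "stub"); }
        if contains_any(line, &["changeme", "REPLACE_ME"]) { hit("quality", "placeholder-string"); }
    }
    out
}

/// Constructed Python-style sample input; not from any real project.
pub const SAMPLE: &str = r#"import os
api_key = "sk-live-123456"
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
subprocess.run(cmd, shell=True)
data = pickle.loads(blob)
# TODO: handle errors
def handler():
    pass
digest = hashlib.md5(data).hexdigest()
"#;

fn main() {
    for f in scan(SAMPLE) {
        println!("line {:>2} [{}] {}", f.line, f.category, f.rule);
    }
}
```

Running it over `SAMPLE` yields seven findings: the hardcoded key, the concatenated SELECT, the `shell=True` call, the pickle load, the TODO comment, the empty `pass`, and the MD5 digest. Note that the SQLi rule only fires when the SQL keyword and the concatenation share a line; `cursor.execute(query)` on its own is silent, which is why the page pairs this tool with a later, stricter harness check.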
Default thresholds (configurable):
| Metric | Default | Description |
|---|---|---|
| Cyclomatic Complexity | 10 | Max branches per function |
| Function Length | 50 | Max lines per function |
| Nesting Depth | 4 | Max nesting levels |
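The three metrics above are simple enough to compute with a tokenizer-free pass, which is worth seeing once to understand what the thresholds actually measure. The following is an added example written for this page, not code from code-quality-mcp; the `measure` and `violations` functions and the `SAMPLE_FN` body are constructed for illustration, and the default values are the ones in the table.

```rust
// Added example, not code from the code-quality-mcp project: an approximate
// implementation of the three complexity_report metrics checked against the
// page's default thresholds. SAMPLE_FN is a constructed input.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Thresholds {
    pub cyclomatic: u32,
    pub length: usize,
    pub nesting: u32,
}

/// The page's defaults: complexity 10, 50 lines, nesting depth 4.
pub const DEFAULTS: Thresholds = Thresholds { cyclomatic: 10, length: 50, nesting: 4 };

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Metrics {
    pub cyclomatic: u32,
    pub length: usize,
    pub nesting: u32,
}

/// Cyclomatic complexity = 1 + decision points (if/for/while, &&, ||, one per
/// match arm). Nesting = deepest brace level inside the function body.
/// Caveat: braces and keywords inside string literals or comments are counted
/// too; a production tool tokenises first.
pub fn measure(body: &str) -> Metrics {
    let mut decisions: u32 = body
        .split(|c: char| !(c.is_alphanumeric() || c == '_'))
        .filter(|w| matches!(*w, "if" | "for" | "while"))
        .count() as u32;
    decisions += body.matches("&&").count() as u32;
    decisions += body.matches("||").count() as u32;
    decisions += body.matches("=>").count() as u32;

    let (mut depth, mut max_depth): (u32, u32) = (0, 0);
    for c in body.chars() {
        match c {
            '{' => {
                depth += 1;
                max_depth = max_depth.max(depth);
            }
            '}' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }

    Metrics {
        cyclomatic: 1 + decisions,
        length: body.lines().count(),
        // The function's own outer brace is not a nesting level.
        nesting: max_depth.saturating_sub(1),
    }
}

/// Names of the metrics that exceed their threshold.
pub fn violations(m: &Metrics, t: Thresholds) -> Vec<&'static str> {
    let mut v = Vec::new();
    if m.cyclomatic > t.cyclomatic { v.push("cyclomatic"); }
    if m.length > t.length { v.push("length"); }
    if m.nesting > t.nesting { v.push("nesting"); }
    v
}

/// Constructed sample: 19 lines, 4 nested levels, 11 cyclomatic paths.
pub const SAMPLE_FN: &str = r#"fn classify(n: i32, flags: &[bool]) -> &'static str {
    if n < 0 {
        return "negative";
    }
    for f in flags {
        if *f && n > 10 || n == 3 {
            while n % 2 == 0 {
                if n == 8 {
                    return "eight";
                }
            }
        }
    }
    match n {
        0 => "zero",
        1 | 2 => "small",
        _ => "other",
    }
}
"#;

fn main() {
    let m = measure(SAMPLE_FN);
    println!("{:?} -> violations: {:?}", m, violations(&m, DEFAULTS));
}
```

On `SAMPLE_FN` the nesting depth lands exactly on the default of 4 and passes, while the complexity of 11 trips the threshold of 10; the check is strictly greater-than, so a function sitting on a limit is accepted.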
| Language | Manifest | Backend |
|---|---|---|
| Rust | Cargo.toml | cargo-audit |
| Node | package.json | npm audit |
| Python | requirements.txt | pip-audit |
| Go | go.mod | govulncheck |
When cognitive-memory MCP is running, pattern_history queries past violations to:
- Identify recurring issues in your codebase
- Show which patterns you tend to produce
- Provide personalized suggestions based on history
MIT