MCP Trust Score #8
Walkthrough
Introduces a Node.js MCP server project scaffold: adds package manifest and lockfile, TypeScript config, Dockerfile, environment example, gitignore, license, documentation, Smithery start config, and two shell scripts for install and runtime. No existing code modified; new files provide build, run, and configuration paths.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    actor User
    participant Shell as run-server 2.sh
    participant FS as Filesystem
    participant Node as Node.js
    participant App as dist/index.js
    User->>Shell: ./run-server\ 2.sh
    alt dist missing
        Shell->>FS: Check dist/
        Shell->>Node: npm run build
        Node-->>Shell: Build artifacts
    end
    Shell->>Shell: Check OCTAGON_API_KEY
    alt not set
        Shell->>FS: Read .env
        Shell->>Shell: export vars
    end
    alt key still missing
        Shell-->>User: Error: set OCTAGON_API_KEY
        Shell->>Shell: exit 1
    else key present
        Shell->>Node: node dist/index.js
        Node->>App: Start server
        App-->>User: MCP server running
    end
```

```mermaid
sequenceDiagram
    autonumber
    actor Client as Smithery Runner
    participant Config as smithery 2.yaml
    participant Node as Node.js
    participant App as dist/index.js
    Client->>Config: startCommand(config)
    Config-->>Client: { command: 'node', args: ['dist/index.js'], env: { OCTAGON_API_KEY } }
    Client->>Node: Spawn process with env
    Node->>App: Execute dist/index.js
    App-->>Client: MCP stdio session
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Actionable comments posted: 3
🧹 Nitpick comments (25)
Dockerfile 2 (3)
`1-1`: **Upgrade to active LTS Node image (Node 18 is EOL).**
Using an EOL base image carries avoidable security risk and missed patches. Recommend moving to Node 20 (current LTS) or 22.
Apply:
-FROM node:18-alpine +FROM node:20-alpineOptional: pin by digest for supply-chain stability.
`9-9`: **Use npm ci for deterministic, faster installs.**
Since you’re copying package-lock.json, prefer `npm ci` over `npm install`
to ensure reproducible builds and improved performance.-RUN npm install --ignore-scripts +RUN npm ci --ignore-scripts
`12-18`: **Harden and slim the image: prune dev deps and drop root.**
Two small additions improve security and size without reworking the build:
- Remove devDependencies after build
- Run as non-root user
# Copy source code COPY . . # Build the application RUN npm run build +# Remove devDependencies and clean npm cache to reduce image size +RUN npm prune --omit=dev && npm cache clean --force + +# Drop privileges +# The official Node images provide a 'node' user +RUN chown -R node:node /app +USER node + # Run the server CMD ["node", "dist/index.js"]Additionally, add a .dockerignore to avoid bloating the image/context and accidental inclusion of secrets:
# .dockerignore node_modules dist .git .gitignore .env .env.* !.env.example npm-debug.log*
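Review bot: In the Dockerfile suggestion above, `RUN chown -R node:node /app` gives the runtime user write access to the application code, so a compromised server process could rewrite `dist/` or `node_modules`. The process only needs to read those files; leaving `/app` owned by root and adding just `USER node` drops privileges without that side effect. Also note that `npm prune --omit=dev` in a later `RUN` does not remove the devDependencies from the earlier install layer, so the image only gets smaller if the build moves to a multi-stage layout.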
README.md (1)
`3-4`: **Nit: Consider placing badges on one line for compactness.**
Purely a style/readability tweak; keeps the header area tight.
-[](https://archestra.ai/mcp-catalog/octagonai__octagon-mcp-server) -[](https://smithery.ai/server/@OctagonAI/octagon-mcp-server) +[](https://archestra.ai/mcp-catalog/octagonai__octagon-mcp-server) [](https://smithery.ai/server/@OctagonAI/octagon-mcp-server).gitignore 2 (1)
`1-5`: **Tighten ignore patterns and protect env variants.**
Use directory-specific patterns and ignore common env variants while keeping the example file tracked.
.DS_Store node_modules -build -.env -dist* +build/ +.env +.env.* +!.env.example +dist/tsconfig 2.json (1)
`3-12`: **Optional: improve DX with source maps and stricter CI failure.**
Emit source maps for better stack traces and fail builds on TS errors.
"compilerOptions": { "target": "ES2022", "module": "NodeNext", "moduleResolution": "NodeNext", "outDir": "./dist", "rootDir": "./src", "strict": true, "esModuleInterop": true, "skipLibCheck": true, + "sourceMap": true, + "noEmitOnError": true, "forceConsistentCasingInFileNames": true },run-server 2.sh (4)
`1-1`: **Enable strict bash options for safer execution**
Recommend failing fast and catching unset variables.
Apply this diff:
#!/bin/bash +set -Eeuo pipefail +# If you need to debug: +# set -x
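Review bot: With `-u` in `set -Eeuo pipefail`, any later bare expansion of `OCTAGON_API_KEY` while it is unset aborts with an "unbound variable" error before the script can fall back to `.env` or print its own message (the walkthrough shows the script checking the key first and reading `.env` only afterwards). If strict mode is adopted, the check needs to read `${OCTAGON_API_KEY:-}`, and the same holds for any variable that a loaded `.env` references.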
`8-11`: **Optional: Rebuild when sources change, not only when dist is missing**
Only building when ./dist is absent can run stale code if TS sources changed. Consider adding a rebuild flag or a simple timestamp check.
For example:
-if [ ! -d "./dist" ]; then - echo "Dist directory not found. Building project..." - npm run build -fi +if [ ! -d "./dist" ] || [ "$(find src -type f -newer dist 2>/dev/null | wc -l || echo 1)" -gt 0 ]; then + echo "Building project..." + npm run build +fi
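Review bot: In the new condition, `|| echo 1` does not act as a fallback: without `pipefail` the pipeline's status is that of `wc -l`, so it never runs, and with `pipefail` (suggested for this same script) a failing `find` leaves both the `0` from `wc` and the echoed `1` in the substitution, which is not a valid operand for `-gt`. Separately, `-newer dist` compares against the directory's own mtime, which does not change when a build overwrites existing files in place, so once a source file is newer than `dist` the script may rebuild on every start. Comparing against `dist/index.js`, or a stamp file touched after a successful build, avoids both problems.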
`29-31`: **Use exec to hand off signals and PID to node**
This allows proper signal handling (e.g., SIGTERM) and cleaner shutdown in containers or supervisors.
Apply this diff:
-echo "Running server..." -node dist/index.js +echo "Running server..." +exec node dist/index.js
`1-1`: **Consider renaming the script to avoid spaces in filename**
Spaces in script filenames make CLI usage error-prone. Prefer run-server.sh.
README 2.md (5)
`12-21`: **Tighten grammar and list formatting (“yrs” → “years”; markdownlint MD007)**
Minor polish for professionalism and linter compliance.
Apply this diff:
-✅ **Comprehensive Market Intelligence** - Orchestrates multiple specialized agents for complete market analysis - - SEC filings analysis and data extraction (8000+ public companies 10-K, 10-Q, 8-K, 20-F, S-1) - - Earnings call transcript analysis (10 yrs of historical and current) - - Financial metrics and ratios analysis (10 yrs of historical and current) - - Stock market data access (over 10,000 active tickers, daily historical and current) - - Private company research (3M+ companies) - - Funding rounds and venture capital research (500k+ deals) - - M&A and IPO transaction research (2M+ deals) - - Institutional holdings and Form 13F filings - - Cryptocurrency market data and analysis +✅ **Comprehensive Market Intelligence** — Orchestrates multiple specialized agents for complete market analysis +- SEC filings analysis and data extraction (8,000+ public companies; 10‑K, 10‑Q, 8‑K, 20‑F, S‑1) +- Earnings call transcript analysis (10 years of historical and current) +- Financial metrics and ratios analysis (10 years of historical and current) +- Stock market data access (10,000+ active tickers; daily historical and current) +- Private company research (3M+ companies) +- Funding rounds and venture capital research (500k+ deals) +- M&A and IPO transaction research (2M+ deals) +- Institutional holdings and Form 13F filings +- Cryptocurrency market data and analysis
`170-180`: **Add languages to fenced code blocks (markdownlint MD040)**
These are plain-text example prompts; annotate fences to satisfy MD040.
Apply this diff:
-``` +```text Retrieve year-over-year growth in key income-statement items for AAPL, limited to 5 records and filtered by period FY Analyze the latest 10-K filing for AAPL and extract key financial metrics and risk factors ...```diff -``` +```text Extract all data fields from zillow.com/san-francisco-ca/ ...
```diff -``` +```text Research the financial impact of Apple's privacy changes on digital advertising companies' revenue and margins ...
Also applies to: 188-194, 201-207 --- `226-226`: **Hyphenate compound adjective “rate-limiting”** Minor grammar fix. Apply this diff: ```diff -3. **Rate Limiting**: If you encounter rate limiting errors, reduce the frequency of your requests. +3. **Rate Limiting**: If you encounter rate-limiting errors, reduce the frequency of your requests.
`230-231`: **Link the license section to the LICENSE file**
Improves discoverability.
Apply this diff:
-## License - -MIT +## License + +[MIT](./LICENSE)
`83-95`: **Add a caution about API keys in client configs**
Docs embed API keys in config examples. Add a brief note not to commit real keys.
Suggested addition (example placement after each config block):
```json { "mcpServers": { "octagon-mcp-server": { "command": "npx", "args": ["-y", "octagon-mcp@latest"], "env": { "OCTAGON_API_KEY": "YOUR_API_KEY_HERE" } } } }+Note: Do not commit your real API keys to version control. Use environment variables or secrets managers for production setups.
Also applies to: 123-135, 111-115 </blockquote></details> <details> <summary>smithery 2.yaml (2)</summary><blockquote> `16-16`: **Fix trailing spaces and add newline at EOF (yamllint)** Lint issues reported: trailing spaces and missing newline at EOF. Apply this diff: ```diff - }) + }) +
`3-11`: **Optional: Extend schema to allow base URL and validate non-empty key**
Consider adding an optional octagonApiBaseUrl with a default, and ensure octagonApiKey is non-empty before launching.
Example change:
configSchema: type: object required: - octagonApiKey properties: octagonApiKey: type: string description: Your Octagon API key (get a free one at https://app.octagonai.co/signup) + octagonApiBaseUrl: + type: string + description: Optional API base URL override (defaults to service default)And in commandFunction:
env: { OCTAGON_API_KEY: config.octagonApiKey } + // Optionally pass through base URL if provided: + // env: { + // OCTAGON_API_KEY: config.octagonApiKey, + // ...(config.octagonApiBaseUrl ? { OCTAGON_API_BASE_URL: config.octagonApiBaseUrl } : {}) + // }install 2.sh (6)
`1-1`: **Enable strict bash mode for safer installs**
Add strict flags to fail fast on errors and catch unset vars.
Apply this diff:
#!/bin/bash +set -euo pipefail +IFS=$'\n\t'
`7-17`: **Also enforce Node.js >= 18 (per engines) instead of only presence**
Script checks for node/npm presence but not minimum version. Add a simple version gate.
Apply this diff:
if ! command -v node &> /dev/null; then echo "Node.js is not installed. Please install Node.js before continuing." exit 1 fi # Check if npm is installed if ! command -v npm &> /dev/null; then echo "npm is not installed. Please install npm before continuing." exit 1 fi + +# Enforce Node.js >= 18 +NODE_MAJOR="$(node -v | sed -E 's/^v([0-9]+)\..*/\1/')" +if [ "${NODE_MAJOR}" -lt 18 ]; then + echo "Node.js >= 18 is required by this project. Found $(node -v). Please upgrade." + exit 1 +fi
`20-26`: **Avoid double-building: npm install already runs prepare → build**
package 2.json defines "prepare": "npm run build", so after npm install the project is already built. The extra build here is redundant.
Apply this diff:
# Install dependencies echo "Installing dependencies..." npm install -# Build the server -echo "Building the server..." -npm run build +# Build already runs via package.json `prepare` on install
`41-44`: **Clarify global vs npx usage (they’re different paths)**
Using npx does not require a global install; if you do install globally, run the binary directly.
Apply this diff:
-echo "2. Install globally and run with npx:" +echo "2. Install globally and run the CLI:" echo " npm install -g ." -echo " env OCTAGON_API_KEY=your_octagon_api_key npx octagon-mcp" +echo " env OCTAGON_API_KEY=your_octagon_api_key octagon-mcp" +echo "" +echo "2b. Or run from the npm registry without installing globally (recommended):" +echo " env OCTAGON_API_KEY=your_octagon_api_key npx -y octagon-mcp"
`45-53`: **Use a consistent MCP server name (“octagon-mcp”) in client configs**
The README/Cursor example uses “octagon-mcp” while the Claude snippet uses “octagon”. Aligning names reduces confusion.
Apply this diff:
echo "3. To use with Claude Desktop, add the following to your claude_desktop_config.json:" echo '{ "mcpServers": { - "octagon": { + "octagon-mcp": { "command": "env", "args": ["OCTAGON_API_KEY=your_octagon_api_key", "npx", "-y", "octagon-mcp"] } } }'
`1-1`: **File name contains a space; consider renaming for portability**
Spaces in script filenames cause quoting issues in some environments/tools. Prefer “install.sh”.
If you rename the file, remember to update any docs or references accordingly.
package 2.json (2)
`16-24`: **Build script uses CommonJS require under type:module; consider a simpler/clearer approach**
It works because node -e defaults to CJS, but it’s a bit surprising in an ESM package. Two options:
- Preferred: add a shebang in src/index.ts so the emitted dist/index.js is executable, then drop chmod.
- Or keep chmod but use ESM style for consistency.
Option A (preferred; assumes you add “#!/usr/bin/env node” to src/index.ts which tsc preserves):
- "build": "tsc && node -e \"require('fs').chmodSync('dist/index.js', '755')\"", + "build": "tsc",Option B (stay with chmod but ESM):
- "build": "tsc && node -e \"require('fs').chmodSync('dist/index.js', '755')\"", + "build": "tsc && node --input-type=module -e \"import { chmodSync } from 'fs'; chmodSync('dist/index.js', 0o755)\"",
`16-24`: **Consider whether “prepare” is the right hook**
“prepare” runs on local install and for git installs, which is fine. It can also make “npm install” slower for contributors. Alternative is “prepack” to build only when publishing. If you keep prepare, remove redundant builds elsewhere (see install 2.sh).
Apply this diff if you prefer building only for publish:
- "prepare": "npm run build", + "prepack": "npm run build",Note: If you change to prepack, update your contributor workflow to run “npm run build” or “npm run start” locally.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (12)
- `.env 2.example` (1 hunks)
- `.gitignore 2` (1 hunks)
- `Dockerfile 2` (1 hunks)
- `LICENSE 2` (1 hunks)
- `README 2.md` (1 hunks)
- `README.md` (1 hunks)
- `install 2.sh` (1 hunks)
- `package 2.json` (1 hunks)
- `package-lock 2.json` (1 hunks)
- `run-server 2.sh` (1 hunks)
- `smithery 2.yaml` (1 hunks)
- `tsconfig 2.json` (1 hunks)
🧰 Additional context used
🪛 Shellcheck (0.10.0)
run-server 2.sh
[warning] 17-17: Quote this to prevent word splitting.
(SC2046)
🪛 LanguageTool
README 2.md
[grammar] ~13-~13: There might be a mistake here.
Context: ...ic companies 10-K, 10-Q, 8-K, 20-F, S-1) - Earnings call transcript analysis (10 yr...
(QB_NEW_EN)
[grammar] ~14-~14: There might be a mistake here.
Context: ...lysis (10 yrs of historical and current) - Financial metrics and ratios analysis (1...
(QB_NEW_EN)
[grammar] ~15-~15: There might be a mistake here.
Context: ...lysis (10 yrs of historical and current) - Stock market data access (over 10,000 ac...
(QB_NEW_EN)
[grammar] ~16-~16: There might be a mistake here.
Context: ...e tickers, daily historical and current) - Private company research (3M+ companies)...
(QB_NEW_EN)
[grammar] ~17-~17: There might be a mistake here.
Context: ...Private company research (3M+ companies) - Funding rounds and venture capital resea...
(QB_NEW_EN)
[grammar] ~18-~18: There might be a mistake here.
Context: ...d venture capital research (500k+ deals) - M&A and IPO transaction research (2M+ de...
(QB_NEW_EN)
[grammar] ~19-~19: There might be a mistake here.
Context: ...and IPO transaction research (2M+ deals) - Institutional holdings and Form 13F fili...
(QB_NEW_EN)
[grammar] ~20-~20: There might be a mistake here.
Context: ...titutional holdings and Form 13F filings - Cryptocurrency market data and analysis ...
(QB_NEW_EN)
[grammar] ~32-~32: There might be a mistake here.
Context: ...gonai.co/api-keys) 2. After logging in, from left menu, navigate to API Keys 3....
(QB_NEW_EN)
[grammar] ~100-~100: There might be a mistake here.
Context: ... Cursor Configuring Cursor Desktop 🖥️ Note: Requires Cursor version 0.45.6+ To...
(QB_NEW_EN)
[grammar] ~101-~101: There might be a mistake here.
Context: ...?️ Note: Requires Cursor version 0.45.6+ To configure Octagon MCP in Cursor: 1. O...
(QB_NEW_EN)
[grammar] ~108-~108: There might be a mistake here.
Context: ... New MCP Server" 4. Enter the following: - Name: "octagon-mcp" (or your preferred n...
(QB_NEW_EN)
[grammar] ~109-~109: There might be a mistake here.
Context: ...: "octagon-mcp" (or your preferred name) - Type: "command" - Command: `env OCTAG...
(QB_NEW_EN)
[grammar] ~110-~110: There might be a mistake here.
Context: ...our preferred name) - Type: "command" - Command: `env OCTAGON_API_KEY=your-octag...
(QB_NEW_EN)
[grammar] ~151-~151: There might be a mistake here.
Context: ...ase visit our official documentation at: [https://docs.octagonagents.com](https:/...
(QB_NEW_EN)
[grammar] ~154-~154: There might be a mistake here.
Context: ...agents.com) The documentation includes: - Detailed API references - Agent-specific...
(QB_NEW_EN)
[grammar] ~155-~155: There might be a mistake here.
Context: ...tion includes: - Detailed API references - Agent-specific query guidelines - Exampl...
(QB_NEW_EN)
[grammar] ~156-~156: There might be a mistake here.
Context: ...rences - Agent-specific query guidelines - Examples and use cases - Best practices ...
(QB_NEW_EN)
[grammar] ~157-~157: There might be a mistake here.
Context: ...uery guidelines - Examples and use cases - Best practices for investment research ...
(QB_NEW_EN)
[style] ~196-~196: Consider a different adjective to strengthen your wording.
Context: ...t that can utilize multiple sources for deep research analysis. Aggregate research a...
(DEEP_PROFOUND)
[grammar] ~216-~216: There might be a mistake here.
Context: ...ields from zillow.com/san-francisco-ca/" 7. "Research the financial impact of Apple'...
(QB_NEW_EN)
[grammar] ~218-~218: There might be a mistake here.
Context: ...e in AI startups in the last 12 months?" 9. "Retrieve historical Bitcoin price data ...
(QB_NEW_EN)
[uncategorized] ~226-~226: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ... 3. Rate Limiting: If you encounter rate limiting errors, reduce the frequency of your re...
(EN_COMPOUND_ADJECTIVE_INTERNAL)
[grammar] ~243-~243: There might be a mistake here.
Context: ...filings ### Private Market Data Servers - **[Octagon Private Companies MCP](https://g...
(QB_NEW_EN)
[grammar] ~244-~244: There might be a mistake here.
Context: ...rivate company research and intelligence - **[Octagon Investors MCP](https://github.co...
(QB_NEW_EN)
[grammar] ~245-~245: There might be a mistake here.
Context: ...estor profiles and investment strategies - **[Octagon Funding Data MCP](https://github...
(QB_NEW_EN)
[grammar] ~248-~248: There might be a mistake here.
Context: ...venture capital data ### Research Tools - **[Octagon Deep Research MCP](https://githu...
(QB_NEW_EN)
🪛 markdownlint-cli2 (0.17.2)
README 2.md
13-13: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
14-14: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
15-15: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
16-16: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
17-17: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
18-18: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
19-19: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
20-20: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
21-21: Unordered list indentation
Expected: 0; Actual: 3
(MD007, ul-indent)
170-170: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
188-188: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
201-201: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🪛 YAMLlint (1.37.1)
smithery 2.yaml
[error] 16-16: no new line character at the end of file
(new-line-at-end-of-file)
[error] 16-16: trailing spaces
(trailing-spaces)
🔇 Additional comments (10)
README.md (1)
`3-3`: **Badge URLs validated – no changes needed.**
Both the badge image endpoints (mixed-case `OctagonAI` and lowercase `octagonai`) and the target link return HTTP 200 when following redirects. The current paths are correct and will not 404.
.env 2.example (1)
`1-5`: **LGTM: Clear placeholders and defaults.**
The example file is concise and aligns with the README instructions.
tsconfig 2.json (1)
`3-5`: **Confirm module system alignment with package.json/runtime.**
`"module": "NodeNext"` expects Node ESM semantics. Ensure `package.json` sets `"type": "module"` or that you emit `.mjs` where needed; otherwise Node will treat `dist/*.js` as CJS and runtime may fail.
If you intend to ship CJS, switch to `"module": "CommonJS"`. If ESM, confirm `"type": "module"` exists in package.json.
run-server 2.sh (1)
`21-26`: **Good: clear error message when OCTAGON_API_KEY is missing**
The messaging is explicit and actionable.
LICENSE 2 (1)
`1-21`: **MIT license inclusion looks correct**
License text and copyright attribution are standard. Matches MIT license declared in package metadata per PR context.
README 2.md (1)
`2-2`: **Trust Score badge and catalog link verified:** Both URLs correctly redirect (HTTP 307) to the `www.archestra.ai` domain and resolve as expected. No changes required.
package-lock 2.json (1)
`12-16`: **Runtime deps look reasonable; engines enforce Node 18+**
Nothing blocking here. Lockfile pins modern versions of MCP SDK and OpenAI.
Also applies to: 70-89, 552-591
package 2.json (3)
`48-50`: **Engine constraint is good; surface it earlier in install flow**
Node >= 18 is declared here; the installer now checks it too. Good alignment.
`37-42`: **Runtime deps look minimal and reasonable**
SDK, dotenv, openai, zod are standard for an MCP server. No issues from this manifest alone.
`10-12`: **Action Required: Verify package tarball contents locally**
The dry-run failed (`tsc: not found`) because the build step wasn’t available in this environment. To confirm which files get published (and ensure your README.md and LICENSE are included), please run locally:
```bash
npm install        # install devDependencies (e.g. typescript)
npm run build      # compile into dist/
npm pack --dry-run | sed -n '/^=== Tarball Contents ===/,$p'
```
Once you’ve inspected the output:
If README.md and LICENSE are missing, update your package.json:
"files": [ - "dist" + "dist", + "README.md", + "LICENSE" ],Re-run the dry-run to confirm they’re now included.
```bash
# Create .env file if it doesn't exist
if [ ! -f .env ]; then
  echo "Creating .env file..."
  cp .env.example .env
  echo "Please edit the .env file and add your Octagon API key."
fi
```
🛠️ Refactor suggestion
Harden .env creation: check template presence and restrict permissions
Ensure .env.example exists; if not, create a minimal .env. Also set chmod 600 to protect secrets.
Apply this diff:
# Create .env file if it doesn't exist
if [ ! -f .env ]; then
echo "Creating .env file..."
- cp .env.example .env
- echo "Please edit the .env file and add your Octagon API key."
+ if [ -f .env.example ]; then
+ cp .env.example .env
+ else
+ printf "OCTAGON_API_KEY=\nOCTAGON_API_BASE_URL=\n" > .env
+ fi
+ chmod 600 .env || true
+ echo "Please edit the .env file and add your Octagon API key (and other values if needed)."
fi
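Review bot: `chmod 600 .env || true` discards the one failure this change is meant to prevent: if the mode cannot be set, the installer carries on and asks the user to put an API key into a file that may be readable by others. Drop the `|| true` and exit non-zero instead, and set `umask 077` before the `cp`/`printf` so the file is never created with the default mode in the first place. The `chmod` also sits inside `if [ ! -f .env ]`, so an existing `.env` with loose permissions is left as it is.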
🤖 Prompt for AI Agents
In install 2.sh around lines 27 to 33, the script assumes .env.example exists
and creates .env without restricting permissions; update it to first check for
the existence of .env.example and if present copy it to .env, otherwise create a
minimal .env with at least the OCTAGON_API_KEY placeholder; after creating .env
always set restrictive permissions (chmod 600 .env) and handle copy/create
failures by exiting with a non-zero status so the installer doesn't continue
with missing secrets.
```json
{
  "name": "octagon-mcp",
  "version": "1.0.13",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "octagon-mcp",
      "version": "1.0.13",
      "license": "MIT",
      "dependencies": {
        "@modelcontextprotocol/sdk": "^1.0.0",
        "dotenv": "^16.3.1",
        "openai": "^4.20.1",
        "zod": "^3.22.4"
      },
      "bin": {
        "octagon-mcp": "dist/index.js"
      },
      "devDependencies": {
        "@types/node": "^20.10.0",
        "ts-node": "^10.9.2",
        "typescript": "^5.3.2"
      },
      "engines": {
        "node": ">=18.0.0"
      }
    },
```
💡 Verification agent
🧩 Analysis chain
Verify package.json and package-lock.json versions match
Lockfile shows version 1.0.13; PR context elsewhere references 1.0.22. Mismatched versions can confuse publishing and tagging flows.
Run this script to compare versions and ensure lock consistency:
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
if fd -a -g "package*.json" | rg -n "node_modules" >/dev/null 2>&1; then
  echo "Skipping node_modules files"
fi
pkg="$(fd -a -g "package*.json" | rg -v node_modules | rg -nP '/package(\s|\.json)$' -N -o || true)"
# fallback: any package.json at repo root or near-root
if [ -z "${pkg:-}" ]; then
  pkg="$(fd -a -g "package.json" | rg -v node_modules | head -n1)"
fi
echo "package.json path: $pkg"
jq -r '.name,.version' "$pkg"
jq -r '.name,.version' package-lock\ 2.json | head -n2
echo "If versions differ, run: npm install && git add package-lock.json"
```
Length of output: 387
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Locate package.json and package-lock.json, excluding node_modules
pkg=$(fd -HI -t f -g 'package.json' . | grep -v '^node_modules/' | head -n1)
lock=$(fd -HI -t f -g 'package-lock.json' . | grep -v '^node_modules/' | head -n1)
echo "Using package.json: $pkg"
jq -r '.name + "@" + .version' "$pkg"
echo "Using package-lock.json: $lock"
jq -r '.name + "@" + .version' "$lock"
# If they differ, suggest updating
if [ "$(jq -r .version "$pkg")" != "$(jq -r .version "$lock")" ]; then
  echo ""
  echo "❗ Versions mismatch. To synchronize, run:"
  echo " npm install"
  echo " git add package-lock.json"
  exit 1
fi
echo ""
echo "✅ Versions are in sync."
```
Length of output: 858
Sync package-lock.json version with package.json
The project’s package.json is at version 1.0.22, but package-lock.json remains at 1.0.13. This mismatch will break publishing and tagging flows.
To resolve:
- Run `npm install`
- Stage and commit the updated lockfile: `git add package-lock.json`

Files to update:
- package-lock.json (version field at the top)
🤖 Prompt for AI Agents
In package-lock 2.json around lines 1 to 28, the lockfile's "version" field
(1.0.13) is out of sync with package.json (1.0.22) which will break publishing;
fix by running npm install at the repo root to regenerate/update
package-lock.json so its top-level version matches package.json, then stage and
commit the updated package-lock.json (git add package-lock.json && git commit -m
"chore: sync package-lock with package.json v1.0.22").
```bash
# Try to load from .env file
if [ -f ".env" ]; then
  export $(grep -v '^#' .env | xargs)
fi
```
Fix unsafe .env loading (SC2046) and handle spaces/quotes correctly
export $(grep … | xargs) breaks on spaces and special characters and is flagged by shellcheck. Use allexport + source instead.
Apply this diff:
- if [ -f ".env" ]; then
- export $(grep -v '^#' .env | xargs)
- fi
+ if [ -f ".env" ]; then
+ # Load .env safely; allows quoted values and spaces
+ set -a
+ # shellcheck disable=SC1091
+ . ./.env
+ set +a
+ fi
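Review bot: `. ./.env` fixes the word splitting but runs the file as shell code: any command substitution, backtick or extra statement in `.env` executes with the privileges of whoever starts the server, and `set -a` exports every variable the file assigns, not only the Octagon ones. If sourcing is kept, first check that the file is owned by the current user and is not group- or world-writable; otherwise read `KEY=VALUE` lines in a loop and export only names that match `[A-Za-z_][A-Za-z0-9_]*`. The added comment "Load .env safely" should state what it actually guarantees, which is correct quoting, not safety against the file's content.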
🧰 Tools
🪛 Shellcheck (0.10.0)
[warning] 17-17: Quote this to prevent word splitting.
(SC2046)
🤖 Prompt for AI Agents
In run-server 2.sh around lines 15 to 18, the current pattern using export
$(grep -v '^#' .env | xargs) is unsafe (SC2046) and fails on values with spaces
or quotes; replace it by enabling automatic export, sourcing the .env file, then
disabling automatic export: check if .env exists, run set -a, source the .env
file (so lines are parsed correctly with quotes/spaces preserved), and then run
set +a to restore behavior.
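A loader that treats `.env` as data rather than passing it through the shell parser, which addresses both the word splitting of `export $(grep … | xargs)` and the fact that sourcing the file executes whatever it contains. This is an added example, not code from the PR or from the review above; the function name `load_env`, the sample file and all values in it are constructed for illustration.

```sh
#!/bin/sh
# load_env FILE
# Export KEY=VALUE pairs from FILE without handing the file to the shell
# parser, so values with spaces survive and nothing in the file is executed.
# (load_env and the sample data below are constructed for this example.)
load_env() {
    env_file=$1
    [ -f "$env_file" ] || { echo "load_env: $env_file not found" >&2; return 1; }

    # Refuse a file that group or others can write to: whoever can edit it
    # controls the environment of the process we are about to start.
    if [ -n "$(find "$env_file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "load_env: $env_file is group/world-writable, refusing" >&2
        return 1
    fi

    cr=$(printf '\r')
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%"$cr"}              # tolerate CRLF line endings
        case $line in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        line=${line#export }            # allow an optional "export " prefix
        case $line in
            *=*) ;;
            *) echo "load_env: line $n has no '=', refusing" >&2; return 2 ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # Only plain identifiers are accepted as variable names.
        case $key in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "load_env: line $n has an invalid variable name" >&2
                return 2 ;;
        esac
        # Strip one pair of matching surrounding quotes; no other expansion.
        case $value in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        export "$key=$value"
    done < "$env_file"
}

# --- constructed sample input ---
tmp=$(mktemp -d)
{
    echo '# constructed sample .env'
    echo 'OCTAGON_API_KEY="placeholder key with spaces"'
    echo 'OCTAGON_API_BASE_URL=https://api.example.invalid/v1?a=1&b=2'
    # A value that would run a command if the file were sourced.
    echo "NOTE=\$(touch $tmp/executed-marker)"
} > "$tmp/.env"
chmod 600 "$tmp/.env"

load_env "$tmp/.env"
printf 'OCTAGON_API_KEY=[%s]\n' "$OCTAGON_API_KEY"
printf 'NOTE=[%s]\n' "$NOTE"
[ -e "$tmp/executed-marker" ] && echo "marker exists: file was executed" \
    || echo "marker absent: file was parsed, not executed"
```

Error messages report only the line number, never the value, so a malformed secret does not end up in logs.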
Hi!
This PR adds the "Trust Score" badge from our new Open Source MCP catalog.
Our catalog evaluates MCP servers based on technical quality—like protocol feature implementation and dependency health—rather than vanity metrics like GitHub stars.
The scoring process is fully transparent and reproducible:
The badge is designed to be respectful to the structure of your readme, example:
Projects like Grafana MCP (https://github.com/grafana/mcp-grafana) are already participating.
We believe that a transparent and truly open source MCP catalog should help the community identify great MCP servers like yours 😊
We'd appreciate your support by merging this PR!