feat(tasks/mcp): Add all 18 Oxc examples as MCP server tools #13226
Conversation
How to use the Graphite Merge QueueAdd either label to this PR to merge it via the merge queue:
You must have a Graphite account in order to use the merge queue. Sign up using this link. An organization admin has enabled the Graphite Merge Queue in this repository. Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue. |
Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
Copilot
AI
changed the title
Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
I've unified the code by extracting all tool implementations into modular functions following the same pattern as the existing |
|
@copilot move logic of tasks/mcp/src/parser.ts to tasks/mcp/src/tools.ts and remove tasks/mcp/src/parser.ts |
Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
Moved the parseCode function and ParseOptions interface from |
Boshen
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR significantly expands the MCP server functionality by adding 17 new tools that expose all Oxc examples, transforming it from a simple echo server into a comprehensive JavaScript/TypeScript analysis toolchain accessible through the Model Context Protocol.
Key changes:
- Added 17 new MCP tools covering the entire Oxc toolchain (parser, linter, formatter, semantic analysis, transformation, compilation, minification, etc.)
- Consolidated tool implementations into a unified
tools.tsfile with shared temporary file handling - Updated documentation to reflect the comprehensive tool set available
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
tasks/mcp/src/tools.ts |
New comprehensive file containing all 18 Oxc tool implementations with shared utilities |
tasks/mcp/src/parser.ts |
Removed - functionality moved to tools.ts |
tasks/mcp/src/index.ts |
Updated to expose all 18 tools through MCP interface with proper schemas |
tasks/mcp/README.md |
Extensively updated documentation covering all available tools and usage examples |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
tasks/mcp/src/tools.ts
Outdated
| // Create temp directory if it doesn't exist | ||
| mkdirSync('/tmp/oxc-mcp', { recursive: true }); | ||
|
|
||
| const tempPath = join('/tmp/oxc-mcp', filename); |
There was a problem hiding this comment.
The filename parameter is directly used in the path construction without sanitization, which could lead to path traversal vulnerabilities if malicious filenames like '../../../etc/passwd' are provided. Consider sanitizing the filename or using a generated unique filename.
| const tempPath = join('/tmp/oxc-mcp', filename); | |
| const safeFilename = basename(filename); | |
| const tempPath = join('/tmp/oxc-mcp', safeFilename); |
Copilot uses AI. Check for mistakes.
tasks/mcp/src/tools.ts
Outdated
| const literalContent = `/${pattern}/${flags}`; | ||
| const tempPath = writeTempFile(literalContent, 'regex.txt'); | ||
|
|
||
| try { |
There was a problem hiding this comment.
The parseLiteral function duplicates the temporary file handling logic instead of using the executeWithTempFile helper. This creates code duplication and maintenance overhead. Consider refactoring to use the shared helper function.
| try { | |
| return executeWithTempFile(literalContent, 'regex.txt', async (tempPath) => { |
Copilot uses AI. Check for mistakes.
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
tasks/mcp/src/tools.ts
Outdated
| */ | ||
| function writeTempFile(sourceCode: string, filename: string): string { | ||
| // Create temp directory if it doesn't exist | ||
| mkdirSync('/tmp/oxc-mcp', { recursive: true }); |
There was a problem hiding this comment.
The hardcoded path /tmp/oxc-mcp creates a cross-platform compatibility issue. Windows systems don't have a /tmp directory, which will cause mkdirSync to fail at runtime. Consider using os.tmpdir() from Node's standard library to get the platform-appropriate temporary directory:
import { tmpdir } from 'os';
// ...
const tempDir = join(tmpdir(), 'oxc-mcp');
mkdirSync(tempDir, { recursive: true });This ensures the code works correctly across all operating systems that Node.js supports.
| mkdirSync('/tmp/oxc-mcp', { recursive: true }); | |
| import { tmpdir } from 'os'; | |
| import { join } from 'path'; | |
| const tempDir = join(tmpdir(), 'oxc-mcp'); | |
| mkdirSync(tempDir, { recursive: true }); |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
tasks/mcp/src/tools.ts
Outdated
| // Create temp directory if it doesn't exist | ||
| mkdirSync('/tmp/oxc-mcp', { recursive: true }); | ||
|
|
||
| const tempPath = join('/tmp/oxc-mcp', filename); |
There was a problem hiding this comment.
The hardcoded path /tmp/oxc-mcp introduces both a path traversal vulnerability and cross-platform compatibility issues. The filename parameter could be manipulated to write files outside the intended directory (e.g., using ../ sequences).
For better security and compatibility:
- Use
os.tmpdir()to get the system's temporary directory - Create a unique subdirectory with
mkdtemp() - Sanitize the
filenameparameter to prevent path traversal
Example implementation:
import { mkdtempSync } from 'fs';
import { tmpdir } from 'os';
import { join, basename } from 'path';
// Create a secure temporary directory
const tempDir = mkdtempSync(join(tmpdir(), 'oxc-mcp-'));
// Use basename to strip any path components from filename
const safePath = join(tempDir, basename(filename));This approach works across platforms and prevents writing files outside the temporary directory.
| const tempPath = join('/tmp/oxc-mcp', filename); | |
| const tempDir = mkdtempSync(join(tmpdir(), 'oxc-mcp-')); | |
| const tempPath = join(tempDir, basename(filename)); |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
tasks/mcp/src/tools.ts
Outdated
| const regexContent = `/${pattern}/${flags}`; | ||
| const tempPath = writeTempFile(regexContent, 'regex.txt'); |
There was a problem hiding this comment.
Security Vulnerability: The code creates a regex string by directly concatenating user-provided pattern and flags without validation or escaping. This introduces a potential regex injection vulnerability that could lead to ReDoS (Regular Expression Denial of Service) attacks or parsing failures.
Consider adding validation for both the pattern and flags:
// Validate flags (should only contain valid regex flags: gimsuyd)
if (flags && !/^[gimsuyd]*$/.test(flags)) {
throw new Error('Invalid regex flags');
}
// Consider validating pattern syntax or using a safe regex construction method
// instead of string concatenationAdditionally, the pattern itself should be validated to ensure it represents a valid regular expression before being passed to the parser.
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
tasks/mcp/src/tools.ts
Outdated
| function writeTempFile(sourceCode: string, filename: string): string { | ||
| // Create temp directory if it doesn't exist | ||
| mkdirSync('/tmp/oxc-mcp', { recursive: true }); | ||
| const tempPath = join('/tmp/oxc-mcp', filename); |
There was a problem hiding this comment.
The temporary file path lacks a unique identifier, which creates a risk of race conditions when handling concurrent requests. Consider adding a timestamp and random string to ensure uniqueness:
const tempPath = join('/tmp/oxc-mcp', `${Date.now()}-${Math.random().toString(36).substring(2)}-${filename}`);This approach is similar to what's already implemented in the original parser.ts file, which properly handles concurrent requests with unique filenames.
| const tempPath = join('/tmp/oxc-mcp', filename); | |
| const tempPath = join('/tmp/oxc-mcp', `${Date.now()}-${Math.random().toString(36).substring(2)}-${filename}`); |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
@copilot apply review comments |
…move broken code Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
Applied all review comments to clean up the code. Fixed duplicate imports, removed broken code patterns, and unified all tools to use the consistent |
| const args = ['run', '-p', 'oxc_linter', '--example', 'linter', tempPath]; | ||
| if (opts.showAst) { |
There was a problem hiding this comment.
There appears to be an incorrect package and example reference in the parseCode function. The function is using oxc_linter and the linter example, but based on the function name and purpose, it should be using oxc_parser and the parser example instead:
const args = ['run', '-p', 'oxc_linter', '--example', 'linter', tempPath];This will cause the parse tool to execute the linter example rather than the parser example, which would produce incorrect results when users attempt to use the parse functionality.
| const args = ['run', '-p', 'oxc_linter', '--example', 'linter', tempPath]; | |
| if (opts.showAst) { | |
| const args = ['run', '-p', 'oxc_parser', '--example', 'parser', tempPath]; | |
| if (opts.showAst) { |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
|
I'll add these 1 by 1 so I can test them. |
This PR expands the MCP server to expose all Oxc examples as tools, providing comprehensive access to the entire Oxc toolchain through a unified Model Context Protocol interface.
Changes
Added 17 New MCP Tools
The MCP server now provides access to all 18 Oxc examples (previously only had the
parsetool):Parser Tools:
parser_tsx- Parse TSX filesvisitor- Demonstrate AST visitor patternregular_expression- Parse regular expressionsAnalysis Tools:
linter- Lint JavaScript/TypeScript codesemantic- Perform semantic analysis with symbol resolutioncfg- Generate control flow graph visualizationsCode Processing Tools:
formatter- Format JavaScript/TypeScript codetransformer- Transform code with environment targetingdefine- Replace global defines using transformer pluginsCompilation Tools:
compiler- Run complete Oxc pipeline (parse → transform → codegen)codegen- Generate code from ASTMinification Tools:
minifier- Minify JavaScript codedce- Perform dead code eliminationmangler- Mangle variable namesType Tools:
isolated_declarations- Generate isolated TypeScript declarationsRegular Expression Tools:
regex_visitor- Analyze regex patterns with visitor patternparse_literal- Parse regex literalsTechnical Implementation
/tmp/oxc-mcp/before processingcargo run -p <crate> --example <example>commandUsage Example
This makes the entire Oxc toolchain easily accessible through MCP-compatible clients, enabling powerful JavaScript/TypeScript analysis and transformation workflows.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.