Server data from the Official MCP Registry
Knowledge graph for token-efficient code reviews with fixed search and configurable embeddings
A well-architected MCP server for code analysis with proper authentication via environment variables and reasonable permission scoping. The codebase demonstrates good error handling and input validation practices. However, there are moderate concerns around dynamic file system access through user-supplied paths, subprocess execution for git operations without full validation, and potential sensitive data exposure through error messages and graph exports. Supply chain analysis found 1 known vulnerability in dependencies (1 critical, 0 high severity). Package verification found 1 issue.
3 files analyzed · 10 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: EMBEDDING_BACKEND
Environment variable: API_KEYS
Environment variable: LITELLM_PROXY_URL
Environment variable: LITELLM_PROXY_KEY
Add this to your MCP configuration file:
{
  "mcpServers": {
    "io-github-n24q02m-better-code-review-graph": {
      "env": {
        "API_KEYS": "your-api-keys-here",
        "EMBEDDING_BACKEND": "your-embedding-backend-here",
        "LITELLM_PROXY_KEY": "your-litellm-proxy-key-here",
        "LITELLM_PROXY_URL": "your-litellm-proxy-url-here"
      },
      "args": [
        "better-code-review-graph"
      ],
      "command": "uvx"
    }
  }
}
From the project's GitHub README.
mcp-name: io.github.n24q02m/better-code-review-graph
Knowledge graph for token-efficient code reviews -- fixed search, configurable embeddings, qualified call resolution.
| Project | Tagline | Tag |
|---|---|---|
| better-code-review-graph | Knowledge graph for token-efficient code reviews -- fixed search, configurabl... | MCP |
| better-email-mcp | IMAP/SMTP email server for AI agents -- 6 composite tools with multi-account ... | MCP |
| better-godot-mcp | Composite MCP server for Godot Engine -- 17 mega-tools for AI-assisted game d... | MCP |
| better-notion-mcp | Markdown-first Notion API server for AI agents -- 10 composite tools replacin... | MCP |
| better-telegram-mcp | MCP server for Telegram with dual-mode support: Bot API (httpx) for quick bot... | MCP |
| claude-plugins | Full documentation: mcp.n24q02m.com — unified docs for all 8 servers + the mc... | Marketplace |
| imagine-mcp | Production-grade MCP server for image and video understanding + generation ac... | MCP |
| jules-task-archiver | Chrome Extension for bulk operations on Jules tasks via batchexecute API -- a... | Tooling |
| mcp-core | Unified MCP Streamable HTTP 2025-11-25 transport, OAuth 2.1 Authorization Ser... | MCP |
| mnemo-mcp | Persistent AI memory with hybrid search and embedded sync. Open, free, unlimi... | MCP |
| qwen3-embed | Lightweight Qwen3 text embedding and reranking via ONNX Runtime and GGUF | Library |
| skret | Secrets without the server. | CLI |
| web-core | Shared web infrastructure package for search, scraping, HTTP security, and st... | Library |
| wet-mcp | Open-source MCP Server for web search, content extraction, library docs & mul... | MCP |
Fork of code-review-graph with critical bug fixes, configurable embeddings, and production CI/CD. Parses your codebase with Tree-sitter, builds a structural graph of functions/classes/imports, and gives Claude (or any MCP client) precise context so it reads only what matters.
See BREAKING_CHANGES.md for the full schema-change list, behavior-change summary, environment requirements, and rollback procedure.
This release adds temporal columns (valid_from_sha /
valid_to_sha on every node + edge) and an opt-in security
scanner. The schema migration is auto-applied on first
GraphStore open, and a backup of the pre-2.0 DB is saved to
<graph_db>.pre-2.0.bak so you can roll back if needed.
To downgrade and restore the pre-2.0 backup:
CRG_DOWNGRADE_TO_1_X=1 uv run better-code-review-graph
The backup is created the first time alembic crosses the breaking
boundary (revision 005_temporal_columns); subsequent runs reuse
the existing backup file. After a downgrade the v2-state DB is
preserved at <graph_db>.post-2.0.archived so you can forward-roll
again later.
What you get on v2.0+:
- query/search/impact accept as_of=<sha> for snapshot semantics; query(action="diff", from_sha=X, to_sha=Y) returns {added, removed, modified} buckets driven entirely by the temporal columns (no re-parse). See help(topic="query").
- review(action="delta", show_line_shifts=true, ...) surfaces symbols whose line_start moved between two commits.
- security(action="scan", ...) runs a regex-based Tier-1 scanner (5 rules) by default; pass engine="semgrep" (after uv add 'better-code-review-graph[security]') for the ~120-rule Tier-2 overlay. Findings persist on nodes.security_tags; report re-emits the cache as JSON or SARIF v2.1.0. See help(topic="security").
- graph(action="summarize") writes a one-paragraph docstring for each Function node via Gemini or OpenAI (cloud opt-in, no key = no-op). Run it after graph(action="update") to lift semantic-search recall by ~15% on repos with terse function names.
- graph(action="export", format=...) emits graphml (Gephi/Cytoscape), json-ld, dot (Graphviz), or cypher (Neo4j replay). Inline by default; pass output_path to write to disk.
- Function nodes now persist their raw source so summaries can be regenerated whenever an edit changes the body. The cache key is sha256(source_text):provider; unchanged nodes cost zero LLM calls on re-run.
- max_nodes (default 500) caps LLM calls per invocation; pair with cron / update cadence for predictable spend.
- query(action="spot_check") for random callsite snippets, query(action="renamed_in_diff") for shifted callsites, dynamic-dispatch hints in callers_of results, a dedicated recipes help topic, and embeddings_count exposed in graph(action="stats").

Example -- after pulling new functions in, refresh embeddings with summaries:
graph(action="update")
graph(action="summarize", max_nodes=200)
graph(action="embed")
| Feature | code-review-graph | better-code-review-graph |
|---|---|---|
| Multi-word search | Broken (literal substring) | AND-logic word splitting |
| callers_of/callees_of | Empty results (bare name targets) | Qualified name resolution + bare fallback |
| Embedding | sentence-transformers + torch (1.1 GB) | qwen3-embed ONNX + cloud (200 MB), dual-mode |
| Output size | Unbounded (500K+ chars) | Paginated (max_results, truncated flag) |
| Tool design | 9 individual tools | 6 tools: graph + query + review + config + setup + help |
| Plugin hooks | Invalid PostEdit/PostGit | Valid PostToolUse |
2026-05-02 -- Architecture stabilization update
Past months saw significant churn around credential handling and the daemon-bridge auto-spawn pattern. This caused multi-process races, browser tab spam, and inconsistent setup UX across plugins. As of v, the architecture is stable: 2 clean modes (stdio + HTTP), no daemon-bridge layer, no auto-spawn from stdio.
Apologies for the instability period. If you encountered issues with prior versions, please update to v+ and follow the current docs/setup-manual.md -- most prior workarounds are no longer needed.
Related plugins from the same author:
- wet-mcp -- Web search + content extraction
- mnemo-mcp -- Persistent AI memory
- imagine-mcp -- Image/video understanding + generation
- better-notion-mcp -- Notion API
- better-email-mcp -- Email management
- better-telegram-mcp -- Telegram
- better-godot-mcp -- Godot Engine
All plugins share the same architecture -- install once, learn pattern transfers.
Full docs at mcp.n24q02m.com/servers/better-code-review-graph/:
Install with AI agent -- paste this to your AI coding agent:
Install MCP server better-code-review-graph following the steps at https://raw.githubusercontent.com/n24q02m/claude-plugins/main/plugins/better-code-review-graph/setup-with-agent.md
graph -- Graph lifecycle
Actions: build | update | stats | embed | export | summarize
| Action | Description |
|---|---|
| build | Full or incremental graph build. Set full_rebuild=true to re-parse all files. |
| update | Alias for build with full_rebuild=false (incremental). |
| stats | Graph size, languages, node/edge breakdown, embedding count. |
| embed | Compute vector embeddings for semantic search. Dual-mode: local ONNX or cloud. |
| export | Export graph in graphml / json-ld / dot / cypher. Inline or to output_path. |
| summarize | LLM-generated one-paragraph docstrings for Function nodes (Gemini or OpenAI, cloud opt-in). Cost-capped via max_nodes. |
query -- Graph queries
Actions: query | search | impact | large_functions
| Action | Description |
|---|---|
| query | Predefined pattern queries: callers_of, callees_of, imports_of, importers_of, children_of, tests_for, inheritors_of, file_summary. |
| search | Search code entities by name/keyword or semantic similarity. |
| impact | Blast radius of changed files. Auto-detects from git diff. Paginated with max_results. |
| large_functions | Find functions/classes exceeding a line-count threshold. |
review -- Code review context
Token-optimized review context with structural summary, source snippets, and review guidance. Auto-detects changed files from git diff.
config -- Server configuration
Actions: status | set | cache_clear
| Action | Description |
|---|---|
| status | Server info: version, graph path, node/edge counts, embedding backend. |
| set | Update runtime settings (e.g., log_level). |
| cache_clear | Remove all computed embeddings. |
setup -- Credential setup
Actions: status | start | skip | reset | complete
| Action | Description |
|---|---|
| status | Show current credential state and setup URL. |
| start | Start relay setup to configure API keys via browser. |
| skip | Set local mode (skip relay permanently, use ONNX only). |
| reset | Clear credentials and reset state. |
| complete | Re-resolve credentials from environment variables. |
help -- Full documentation
Topics: graph | query | review | config
Returns complete documentation for each tool. Use when the compressed descriptions above are insufficient.
:ro (read-only)
git clone https://github.com/n24q02m/better-code-review-graph
cd better-code-review-graph
uv sync --group dev
uv run pytest
uv run better-code-review-graph
Requirements: Python 3.13, uv
This plugin implements TC-Local (machine-bound, single trust principal). See mcp-core/docs/TRUST-MODEL.md for full classification.
| Mode | Storage | Encryption | Who can read your data? |
|---|---|---|---|
| stdio (default) | ~/.better-code-review-graph-mcp/config.json | AES-GCM, machine-bound key | Only your OS user (file perm 0600) |
| HTTP self-host | Same as stdio | Same | Only you (admin = user) |
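The table above puts the server's own store at mode 0600, but the MCP configuration shown earlier places API_KEYS and LITELLM_PROXY_KEY in the client's JSON file as plaintext. The following is an added example, not code from the project or this listing, that audits such a client config for leftover template placeholders and for permissions wider than 0600 once a real secret is present. The file name `mcp.json`, the function names and the sample key are assumptions, and the mode check assumes POSIX permissions.

```python
import json
import stat
import tempfile
from pathlib import Path

# Credential-bearing env keys and server name from the page's MCP configuration.
SECRET_ENV_KEYS = {"API_KEYS", "LITELLM_PROXY_KEY"}
SERVER_KEY = "io-github-n24q02m-better-code-review-graph"


def mode_findings(path: Path) -> list[str]:
    """Report any permission bit beyond owner read/write (0600)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o177:  # owner-exec plus every group/other bit
        return [f"{path.name}: mode {mode:04o} is wider than 0600"]
    return []


def audit_client_config(path: Path) -> list[str]:
    """Audit an MCP client config whose "env" block carries secrets."""
    findings, has_secret = [], False
    servers = json.loads(path.read_text()).get("mcpServers", {})
    for key, value in servers.get(SERVER_KEY, {}).get("env", {}).items():
        if key not in SECRET_ENV_KEYS or not value:
            continue
        if value.startswith("your-"):  # template value from the page
            findings.append(f"{key}: template placeholder still in place")
        else:
            has_secret = True
    return findings + (mode_findings(path) if has_secret else [])


def demo() -> dict[str, list[str]]:
    env = {"API_KEYS": "your-api-keys-here", "LITELLM_PROXY_KEY": ""}
    doc = {"mcpServers": {SERVER_KEY: {"env": env, "command": "uvx"}}}
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "mcp.json"  # constructed sample client config
        cfg.write_text(json.dumps(doc))
        out["template"] = audit_client_config(cfg)
        env["API_KEYS"] = "constructed-sample-key"
        cfg.write_text(json.dumps(doc))
        for label, mode in (("loose", 0o644), ("tight", 0o600)):
            cfg.chmod(mode)
            out[label] = audit_client_config(cfg)
    return out


if __name__ == "__main__":
    print(demo())
```

`mode_findings` can also be pointed at `~/.better-code-review-graph-mcp/config.json` to confirm the 0600 mode the table states.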
MIT -- See LICENSE.