Server data from the Official MCP Registry
The API-change deploy gate for AI coding agents. Read-only breaking-change detection.
The API-change deploy gate for AI coding agents. Read-only breaking-change detection.
This is a well-architected MCP server with strong security practices. Authentication is required via API key, all tools are read-only/analyze-only, and sensitive data (specs, keys) is never logged or echoed in error messages. Code quality is high with proper input validation, error handling, and no dangerous patterns detected. Minor observations: env var handling could be more explicit in documentation, and broad exception handling in error paths is standard practice. Supply chain analysis found 3 known vulnerabilities in dependencies (2 critical, 0 high severity). Package verification found 1 issue.
7 files analyzed · 7 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: SPECSHIELD_API_KEY
Environment variable: SPECSHIELD_API_URL
Environment variable: SPECSHIELD_TIMEOUT_MS
Environment variable: SPECSHIELD_LOG_LEVEL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-specshield26-specshield-mcp-server": {
"env": {
"SPECSHIELD_API_KEY": "your-specshield-api-key-here",
"SPECSHIELD_API_URL": "your-specshield-api-url-here",
"SPECSHIELD_LOG_LEVEL": "your-specshield-log-level-here",
"SPECSHIELD_TIMEOUT_MS": "your-specshield-timeout-ms-here"
},
"args": [
"-y",
"specshield-mcp-server"
],
"command": "npx"
}
}
}From the project's GitHub README.
The API-change deploy gate for AI coding agents. Ask "is it safe to ship this API change to my consumers?" right inside Claude, Cursor, and other MCP clients — and catch breaking changes before they reach your consumers.
It's a thin adapter over the SpecShield backend. Every tool is read-only / analyze-only — it never modifies your code.
Why not just diff specs? Plenty of tools (including free ones) list breaking changes. SpecShield's job is the decision: can I deploy this? — the deploy gate is the hero tool here.
⚙️ In CI/CD instead of an agent? The
specshieldCLI runs the same breaking-change andcan-i-deploychecks in your pipeline (GitHub Action, exit codes). Same job, two entry points: this server for AI agents, the CLI for CI/CD.
| # | Tool | What it answers |
|---|---|---|
| 1 | is_change_safe ⭐ | Is this change safe to merge/deploy? Will it break consumers? (safeToMerge + risk + blocking reasons) |
| 2 | explain_breaking_changes | What breaks, developer & consumer impact, suggested migration |
| 3 | generate_migration_guide | Migration guide (markdown) + safe rollout steps |
| 4 | generate_release_notes | Release notes for developer / customer / internal |
| 5 | compare_specs | The raw diff (breaking / additions / modifications / warnings) + risk score |
Each tool accepts specs inline (baseSpecContent / targetSpecContent) or by path
(baseSpecPath / targetSpecPath).
run_governance_review is planned — it ships once the backend governance endpoint
lands.
Full setup, verification & troubleshooting: docs/mcp-server-setup.md.
Requires Node.js ≥ 20 and a SpecShield API key (from specshield.io/account).
npx -y specshield-mcp-server
claude_desktop_config.json:
{
"mcpServers": {
"specshield": {
"command": "npx",
"args": ["-y", "specshield-mcp-server"],
"env": { "SPECSHIELD_API_KEY": "ss_your_key_here" }
}
}
}
claude mcp add specshield --env SPECSHIELD_API_KEY=ss_your_key_here -- npx -y specshield-mcp-server
~/.cursor/mcp.json (or the project .cursor/mcp.json):
{
"mcpServers": {
"specshield": {
"command": "npx",
"args": ["-y", "specshield-mcp-server"],
"env": { "SPECSHIELD_API_KEY": "ss_your_key_here" }
}
}
}
| Env var | Required | Default | Purpose |
|---|---|---|---|
SPECSHIELD_API_KEY | yes | — | Your SpecShield API key. Store it as a secret; never commit it. |
SPECSHIELD_API_URL | no | https://api.specshield.io | Backend base URL (override for self-hosted/staging). |
SPECSHIELD_TIMEOUT_MS | no | 30000 | Per-request timeout. |
SPECSHIELD_LOG_LEVEL | no | info | debug | info | warn | error (logs go to stderr). |
openapi.yaml — is it safe to ship this API change to my consumers?"v1.yaml and v2.yaml and tell me if I can deploy, and why not."X-Api-Key header to your configured backend.npm install
npm run build # tsc → dist/
npm test # vitest (no network)
npm run lint
npm run smoke # boots the server against a stubbed backend and lists tools
npm start # run the built server over stdio
MIT © SpecShield Software Private Limited
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.