MCP Repo Scanner: DVA Agent Library Interface
Summary¶
This EPICON establishes the MCP Repo Scanner - a Model Context Protocol server that exposes the Mobius-Substrate repository as a queryable knowledge substrate for DVA agents. It transforms the monorepo from "just code" into a digital library with structured JSON tools.
1. Context¶
- Mobius-Substrate is the canonical monorepo for the civilization substrate
- DVA agents (AUREA, Echo, ATLAS, external MCP clients) need structured access to:
- Repository topology
- EPICON reasoning artifacts
- Documentation
- Code files
- Current approaches rely on ad-hoc GitHub scraping or incomplete local context
- We need a stable, scoped, auditable MCP entrypoint
2. Assumptions¶
- A1: MCP (Model Context Protocol) is the emerging standard for AI-tool integration
- A2: DVA agents benefit from structured JSON responses over raw file content
- A3: Security requires path scoping to prevent traversal attacks
- A4: EPICON documents should be first-class queryable artifacts
3. Problem Statement¶
Without a repo-aware MCP server: - Each client implements ad-hoc scanning logic - No clear contract for "where is what" in the repo - Risk of over-scanning or leaking sensitive files - EPICONs are hidden in the file tree rather than indexed
We need a scoped, auditable, agent-friendly interface to the Mobius knowledge surface.
4. Options Considered¶
Option A: GitHub API Scraping¶
- Description: Use GitHub's REST/GraphQL API to fetch repo contents
- Upside: No custom server needed
- Downside: Rate limits, latency, incomplete file access
- Risks: Breaks with API changes, no local dev story
Option B: Local File System Access¶
- Description: Give agents direct fs access via existing tools
- Upside: Fast, no new infrastructure
- Downside: No security boundary, no structured output
- Risks: Path traversal, context overflow, no filtering
Option C: Custom MCP Server (Chosen)¶
- Description: Purpose-built MCP server with scoped tools
- Upside: Full control, security, structured JSON, EPICON awareness
- Downside: Requires maintenance, new package
- Risks: Need to keep in sync with repo structure
5. Decision / Design¶
- Chosen option: Option C - Custom MCP Server
- Why: Provides security (path scoping), structure (JSON tools), and first-class EPICON support
- Package:
@mobius/mcp-repo-scanneratmcp/mobius-repo-scanner/ - Revisit when: MCP SDK has breaking changes, or GitHub adds native MCP support
Scope of Access (Authority Clarification)¶
This section clarifies what authority the MCP server grants to agents:
| Aspect | Value | Notes |
|---|---|---|
| Access Mode | Read-only | No write, delete, or modify operations |
| Scope | Local repository only | Scoped to MOBIUS_REPO_ROOT environment variable |
| Path Traversal | Blocked | .. segments rejected; paths must resolve within repo root |
| Excluded Paths | Yes | node_modules/, .git/, .env*, *.pem, *.key, secrets/, build artifacts |
| File Size Limit | 200KB max | Prevents memory exhaustion; truncates larger files |
| Rate Limits | None (local) | MCP runs locally; no network rate limiting needed |
| External Access | No | Internal sentinels only; not exposed to external networks |
| Symlink Following | No | Symlinks are not followed to prevent escape attacks |
Who Can Call This Server: - Internal DVA sentinels (ATLAS, AUREA, Echo, etc.) - Local MCP clients (Cursor, Claude Desktop) - CI/CD pipelines for catalog generation
Who Cannot Call This Server: - External agents over the network (not exposed) - Untrusted third-party tools - Public APIs
Authority Surface Justification & Safety Boundaries¶
This MCP scanner does not introduce new execution authority or mutation capability. It operates strictly as a read-only introspection tool for indexing, archive consistency, and DVA agent context retrieval.
Intent & Purpose¶
- Improve continuity and context recall across modules
- Support DVA agents in non-destructive indexing and archive lookup
- Reduce drift by strengthening repo-level semantic mapping
- Convert implicit knowledge into inspectable civic memory
Authority Boundaries¶
| Capability | Status | Notes |
|---|---|---|
| Read repository structure | ✅ Allowed | Directory trees, file metadata |
| Read file contents | ✅ Allowed | With size limits (200KB max) |
| Search file contents | ✅ Allowed | Text-based, case-insensitive |
| Write to repository | ❌ Blocked | No mutation capability |
| Delete files | ❌ Blocked | No deletion capability |
| Execute code | ❌ Blocked | No eval, spawn, or exec |
| Network exfiltration | ❌ Blocked | No outbound network calls |
| Cross-repo traversal | ❌ Blocked | Scoped to single REPO_ROOT |
| Symlink following | ❌ Blocked | Prevents escape attacks |
| Privileged escalation | ❌ Blocked | Runs with invoker's permissions |
Non-Enumerated Constraints¶
- Scanner cannot mutate repos — only read + index
- Scanner cannot persist state outside designated catalog output
- Scanner cannot invoke other tools or chain commands
- Scanner cannot access paths outside
MOBIUS_REPO_ROOT - Scanner cannot bypass exclusion patterns programmatically
Risk Envelope & Safeguards¶
| Risk | Mitigation |
|---|---|
| Path traversal attack | resolveScopedPath() rejects .. escapes |
| Sensitive file exposure | EXCLUDE_PATTERNS blocks .env, .pem, secrets/, etc. |
| Memory exhaustion | Hard cap of 200KB per file read |
| Denial of service | maxFiles, maxMatches, maxDepth limits |
| TOCTOU race condition | Atomic fs.promises.readFile() pattern |
Failure / Rollback Conditions¶
- Disable: Remove MCP config from
.cursor/mcp.jsonor stop the server - Sandbox: Run with restricted
MOBIUS_REPO_ROOTpointing to safe subset - Audit: All tool invocations can be logged via MCP transport layer
- Rollback: Delete
mcp/mobius-repo-scanner/directory; no persistent state
Why This Change Improves Integrity (Not Fragility)¶
- Strengthens historical traceability — EPICONs become first-class queryable artifacts
- Supports reproducible agent reasoning — Agents query structured data, not ad-hoc scraping
- Reduces ambiguity — Module ownership and lineage become explicit
- Converts implicit knowledge — Repo structure becomes inspectable civic memory
- Improves auditability — All catalog changes are Git-tracked and diffable
- Prevents drift — CI gate ensures catalog stays synchronized with source
This is a capability contraction, not expansion — agents that previously scraped GitHub ad-hoc now use a constrained, auditable, read-only interface.
Tools Implemented¶
| Tool | Purpose |
|---|---|
repo_summary | High-level snapshot of repo structure |
list_tree | Directory tree as JSON with depth/extension filtering |
read_file | Safe, bounded file retrieval (max 200KB) |
search_files | Grep-like search with configurable limits |
list_epicons | Discover EPICON documents |
export_catalog | Generate catalog/mobius_catalog.json manifest |
Security Features¶
- Path scoping: All paths validated to stay within
MOBIUS_REPO_ROOT - Exclusion patterns:
node_modules/,.git/,.env*,*.pem,secrets/blocked - Size limits: Hard caps on file reads, search results, tree depth
6. Risk & Integrity Notes¶
- Integrity tradeoffs: Adding MCP tooling increases attack surface, but path scoping mitigates
- Risk bearers: Repository operators if exclusion patterns are incomplete
- Metrics to watch: Error rates, path traversal attempts, context size of responses
- Follow-up needed: If secrets leak, or if agents start hitting limits frequently
7. Implementation Links¶
- PRs: (this PR)
- Package:
mcp/mobius-repo-scanner/ - Script:
scripts/exportCatalog.ts - Config:
.cursor/mcp.json - Catalog:
catalog/mobius_catalog.json
8. Reflection Hook¶
Questions for future reflections:
- Did DVA agents actually use the MCP tools effectively?
- Were there any path traversal attempts or security issues?
- Did the catalog become the canonical "table of contents" for agents?
- Were the exclusion patterns sufficient, or did sensitive data leak?
- Did EPICON adoption increase now that they're queryable?