trace-mcp — Pre-Commit & Pre-PR Checks

Before creating a commit or opening a pull request, run the trace-mcp validation suite. Fix any critical or high findings before committing.

When to Use

• The user asks to commit, stage, or push changes
• The user asks to open a PR
• The agent has finished implementing a feature or fix and is about to hand off

Checklist

1. Security scan

scan_security({ rules: ["all"] })

OWASP Top-10 vulnerability scan across the changed scope. If the change touches untrusted data flows, add:

taint_analysis({})

Trace untrusted sources to sensitive sinks (SQL, shell, file system, HTTP).

2. Quality gates on the changed scope

check_quality_gates({ scope: "changed" })

Validates complexity, coverage, duplication, and any project-configured gates on only the files you changed.

3. Antipattern scan

detect_antipatterns({})

Flags N+1 queries, eager loading, inefficient iteration, and language-specific performance footguns.

4. Symbol-level diff for the PR description

compare_branches({ branch: "current" })

Produces a symbol-level diff (functions added/removed/modified, signatures changed, exports changed). Use this as the basis for an accurate PR description instead of a raw line diff.

5. Bug prediction (optional, for risky changes)

predict_bugs({})
get_risk_hotspots({})

Flags files where the combination of high complexity and high churn makes regressions likely. If your change touches a hotspot, add extra tests.

Fix or Escalate

• Critical / High findings: fix before committing. Do not suppress without discussion.
• Medium findings: fix if cheap, otherwise note in the PR description.
• Low / Info findings: note in the PR description.

After Commit

If the commit is part of a larger series, consider:

get_changed_symbols({ since: "<base-ref>" })

to generate an accurate changelog entry grounded in the symbol graph rather than commit messages.