feat: add git-explorer MCP server for read-only repository access

Implements a new MCP server that provides read-only access to git repositories using go-git. Designed for deployment verification by comparing deployed flake revisions against source repositories. 9 tools: resolve_ref, get_log, get_commit_info, get_diff_files, get_file_at_commit, is_ancestor, commits_between, list_branches, search_commits. Includes CLI commands, NixOS module, and comprehensive tests. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 04:26:38 +01:00
parent 98bad6c9ba
commit 75673974a2
16 changed files with 2814 additions and 11 deletions
--- a/README.md
+++ b/README.md
@@ -27,6 +27,20 @@ Query Prometheus metrics, Alertmanager alerts, and Loki logs from your monitorin
 - Manage alert silences
 - Query logs via LogQL (when Loki is configured)

+### Git Explorer (`git-explorer`)
+
+Read-only access to git repository information. Designed for deployment verification — comparing deployed flake revisions against source repositories.
+
+- Resolve refs (branches, tags, commits) to commit hashes
+- View commit logs with filtering by author, path, or range
+- Get full commit details including file change statistics
+- Compare commits to see which files changed
+- Read file contents at any commit
+- Check ancestry relationships between commits
+- Search commit messages
+
+All operations are read-only and will never modify the repository.
+
 ### NixOS Options (`nixos-options`) - Legacy

 Search and query NixOS configuration options. **Note**: Prefer using `nixpkgs-search` instead, which includes this functionality plus package search.
@@ -48,11 +62,13 @@ Search and query NixOS configuration options. **Note**: Prefer using `nixpkgs-se
 nix build git+https://git.t-juice.club/torjus/labmcp#nixpkgs-search
 nix build git+https://git.t-juice.club/torjus/labmcp#hm-options
 nix build git+https://git.t-juice.club/torjus/labmcp#lab-monitoring
+nix build git+https://git.t-juice.club/torjus/labmcp#git-explorer

 # Or run directly
 nix run git+https://git.t-juice.club/torjus/labmcp#nixpkgs-search -- --help
 nix run git+https://git.t-juice.club/torjus/labmcp#hm-options -- --help
 nix run git+https://git.t-juice.club/torjus/labmcp#lab-monitoring -- --help
+nix run git+https://git.t-juice.club/torjus/labmcp#git-explorer -- --help
 ```

 ### From Source
@@ -61,6 +77,7 @@ nix run git+https://git.t-juice.club/torjus/labmcp#lab-monitoring -- --help
 go install git.t-juice.club/torjus/labmcp/cmd/nixpkgs-search@latest
 go install git.t-juice.club/torjus/labmcp/cmd/hm-options@latest
 go install git.t-juice.club/torjus/labmcp/cmd/lab-monitoring@latest
+go install git.t-juice.club/torjus/labmcp/cmd/git-explorer@latest
 ```

 ## Usage
@@ -101,6 +118,13 @@ Configure in your MCP client (e.g., Claude Desktop):
        "ALERTMANAGER_URL": "http://alertmanager.example.com:9093",
        "LOKI_URL": "http://loki.example.com:3100"
      }
+    },
+    "git-explorer": {
+      "command": "git-explorer",
+      "args": ["serve"],
+      "env": {
+        "GIT_REPO_PATH": "/path/to/your/repo"
+      }
    }
  }
 }
@@ -140,6 +164,13 @@ Alternatively, if you have Nix installed, you can use the flake directly without
        "ALERTMANAGER_URL": "http://alertmanager.example.com:9093",
        "LOKI_URL": "http://loki.example.com:3100"
      }
+    },
+    "git-explorer": {
+      "command": "nix",
+      "args": ["run", "git+https://git.t-juice.club/torjus/labmcp#git-explorer", "--", "serve"],
+      "env": {
+        "GIT_REPO_PATH": "/path/to/your/repo"
+      }
    }
  }
 }
@@ -155,6 +186,7 @@ nixpkgs-search options serve --transport http
 nixpkgs-search packages serve --transport http
 hm-options serve --transport http
 lab-monitoring serve --transport http
+git-explorer serve --transport http

 # Custom address and CORS configuration
 nixpkgs-search options serve --transport http \
@@ -271,6 +303,35 @@ lab-monitoring labels
 lab-monitoring labels --values job
 ```

+**Git Explorer CLI:**
+
+```bash
+# Resolve a ref to commit hash
+git-explorer --repo /path/to/repo resolve main
+git-explorer --repo /path/to/repo resolve v1.0.0
+
+# View commit log
+git-explorer --repo /path/to/repo log --limit 10
+git-explorer --repo /path/to/repo log --author "John" --path src/
+
+# Show commit details
+git-explorer --repo /path/to/repo show HEAD
+git-explorer --repo /path/to/repo show abc1234
+
+# Compare commits
+git-explorer --repo /path/to/repo diff HEAD~5 HEAD
+
+# Show file at specific commit
+git-explorer --repo /path/to/repo cat HEAD README.md
+
+# List branches
+git-explorer --repo /path/to/repo branches
+git-explorer --repo /path/to/repo branches --remote
+
+# Search commit messages
+git-explorer --repo /path/to/repo search "fix bug"
+```
+
 **Delete an indexed revision:**

 ```bash
@@ -354,6 +415,20 @@ hm-options -d "sqlite://my.db" index hm-unstable
 | `list_labels` | List available label names from Loki (requires `LOKI_URL`) |
 | `list_label_values` | List values for a specific label from Loki (requires `LOKI_URL`) |

+### Git Explorer Server (git-explorer)
+
+| Tool | Description |
+|------|-------------|
+| `resolve_ref` | Resolve a git ref (branch, tag, commit) to its full commit hash |
+| `get_log` | Get commit log with optional filters (author, path, limit) |
+| `get_commit_info` | Get full details for a specific commit |
+| `get_diff_files` | Get list of files changed between two commits |
+| `get_file_at_commit` | Get file contents at a specific commit |
+| `is_ancestor` | Check if one commit is an ancestor of another |
+| `commits_between` | Get all commits between two refs |
+| `list_branches` | List all branches in the repository |
+| `search_commits` | Search commit messages for a pattern |
+
 ## NixOS Modules

 NixOS modules are provided for running the MCP servers as systemd services.
@@ -445,6 +520,29 @@ The `nixpkgs-search` module runs two separate MCP servers (options and packages)
 }
 ```

+### git-explorer
+
+```nix
+{
+  inputs.labmcp.url = "git+https://git.t-juice.club/torjus/labmcp";
+
+  outputs = { self, nixpkgs, labmcp }: {
+    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        labmcp.nixosModules.git-explorer-mcp
+        {
+          services.git-explorer = {
+            enable = true;
+            repoPath = "/path/to/your/git/repo";
+          };
+        }
+      ];
+    };
+  };
+}
+```
+
 ### nixos-options (Legacy)

 ```nix
@@ -519,6 +617,25 @@ Both `options.http` and `packages.http` also support:

 The lab-monitoring module uses `DynamicUser=true`, so no separate user/group configuration is needed.

+#### git-explorer
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enable` | bool | `false` | Enable the service |
+| `package` | package | from flake | Package to use |
+| `repoPath` | string | *(required)* | Path to the git repository to serve |
+| `defaultRemote` | string | `"origin"` | Default remote name for ref resolution |
+| `http.address` | string | `"127.0.0.1:8085"` | HTTP listen address |
+| `http.endpoint` | string | `"/mcp"` | HTTP endpoint path |
+| `http.allowedOrigins` | list of string | `[]` | Allowed CORS origins |
+| `http.sessionTTL` | string | `"30m"` | Session timeout |
+| `http.tls.enable` | bool | `false` | Enable TLS |
+| `http.tls.certFile` | path | `null` | TLS certificate file |
+| `http.tls.keyFile` | path | `null` | TLS private key file |
+| `openFirewall` | bool | `false` | Open firewall for HTTP port |
+
+The git-explorer module uses `DynamicUser=true` and grants read-only access to the repository path.
+
 #### hm-options-mcp / nixos-options-mcp (Legacy)

 | Option | Type | Default | Description |
@@ -579,6 +696,7 @@ go test -bench=. ./internal/database/...
 go build ./cmd/nixpkgs-search
 go build ./cmd/hm-options
 go build ./cmd/lab-monitoring
+go build ./cmd/git-explorer
 ```

 ## License