@octocodeai/octocode-engine 16.5.1 → 16.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +153 -235
  2. package/dist/lsp/client.d.ts +6 -0
  3. package/dist/lsp/client.js +31 -0
  4. package/dist/lsp/config.d.ts +29 -1
  5. package/dist/lsp/config.js +156 -1
  6. package/dist/lsp/ideContext.d.ts +18 -0
  7. package/dist/lsp/ideContext.js +29 -0
  8. package/dist/lsp/index.d.ts +8 -3
  9. package/dist/lsp/index.js +7 -2
  10. package/dist/lsp/manager.d.ts +11 -0
  11. package/dist/lsp/manager.js +75 -13
  12. package/dist/lsp/native.d.ts +5 -0
  13. package/dist/lsp/platform.d.ts +20 -0
  14. package/dist/lsp/platform.js +64 -0
  15. package/dist/lsp/serverDiscovery.d.ts +63 -0
  16. package/dist/lsp/serverDiscovery.js +226 -0
  17. package/dist/lsp/serverManifest.d.ts +70 -0
  18. package/dist/lsp/serverManifest.js +78 -0
  19. package/dist/lsp/serverManifestData.d.ts +2 -0
  20. package/dist/lsp/serverManifestData.js +33 -0
  21. package/dist/lsp/serverProvisioner.d.ts +19 -0
  22. package/dist/lsp/serverProvisioner.js +253 -0
  23. package/dist/lsp/types.d.ts +7 -0
  24. package/dist/lsp/workspaceRoot.d.ts +1 -1
  25. package/dist/lsp/workspaceRoot.js +3 -1
  26. package/dist/security/commandValidator.js +10 -10
  27. package/dist/security/discoveryFilter.js +7 -3
  28. package/dist/security/filePatterns.js +6 -0
  29. package/dist/security/ignoredPathFilter.js +5 -0
  30. package/dist/security/mask.js +5 -22
  31. package/dist/security/maskUtils.d.ts +6 -0
  32. package/dist/security/maskUtils.js +22 -0
  33. package/dist/security/native.js +5 -22
  34. package/dist/security/pathPatterns.js +5 -0
  35. package/dist/security/pathValidator.js +21 -18
  36. package/dist/security/withSecurityValidation.d.ts +0 -3
  37. package/dist/security/withSecurityValidation.js +3 -21
  38. package/index.cjs +32 -2
  39. package/index.d.ts +113 -0
  40. package/index.js +5 -0
  41. package/package.json +49 -8
package/README.md CHANGED
@@ -1,4 +1,4 @@
1
- # Agentic Research Platform
1
+ # Octocode - Agentic Research Platform
2
2
 
3
3
  <div align="center">
4
4
  <img src="https://github.com/bgauryy/octocode/raw/main/packages/octocode-mcp/assets/logo_white.png" width="400px" alt="Octocode Logo">
@@ -20,7 +20,9 @@ Run it as a **CLI** or an **MCP server**. A **Rust engine** keeps every call fas
20
20
 
21
21
  ## Table of Contents
22
22
 
23
+ - [Quick Start](#quick-start)
23
24
  - [Why Octocode](#why-octocode)
25
+ - [What You Can Do](#what-you-can-do)
24
26
  - [Tools](#tools)
25
27
  - [MCP](#mcp)
26
28
  - [CLI](#cli)
@@ -31,98 +33,87 @@ Run it as a **CLI** or an **MCP server**. A **Rust engine** keeps every call fas
31
33
  - [Skills](#skills)
32
34
  - [Architecture](#architecture)
33
35
  - [Documentation](#documentation)
34
- - [Contributing](#contributing)
35
36
 
36
37
  ---
37
38
 
38
- ## Why Octocode
39
-
40
- Agents write better code from evidence than from assumptions. Octocode turns *guess-driven* work into **research-driven** work. Before an agent changes, reviews, or explains code, it gathers real evidence from your local workspace **and** from GitHub repositories, pull requests, and npm packages, then hands it back as compact, citable context. *Code is truth; context is the map.*
39
+ ## Quick Start
41
40
 
42
- Most tools cover one slice: searching the web, or grepping your repo. Octocode covers the **whole research flow, end to end**:
41
+ **1. Install the Octocode CLI**
43
42
 
44
- - **Built for scale.** In organizations with thousands of repositories and endless code, Octocode is the solution: spot a pattern in one repo, follow it through the pull request that introduced it, then trace the same shape across other repos and your own files without leaving the conversation. Clone any repo and study it locally, on any machine.
45
- - **Smart GitHub workflows.** Parallel bulk queries and built-in **next-step hints** keep the agent on the cheapest path: search broadly, read narrowly, trace semantically. Each result points to the natural follow-up.
46
- - **No GitHub required.** Even without GitHub, clone any repository locally and point Octocode's local tools (search, structural AST, LSP, content) at it for the same evidence-first research.
47
- - **Reads the shape, not the noise.** Code is minified and skeletonized on the fly across 70+ languages, so an agent grasps a 100 KB file in a few hundred tokens instead of spending its context on boilerplate.
48
- - **Fast and self-contained.** Search, parsing, semantic navigation, and redaction run in one prebuilt **Rust engine**: quick on a laptop or a mega-repo, with no extra toolchain to install.
49
- - **Safe by default.** Every byte returned to the model is scanned and secrets redacted first (see [Security](#security)).
43
+ ```bash
44
+ npm install -g octocode
45
+ ```
50
46
 
51
- ### Get Started
47
+ **2. Authenticate with GitHub** — optional, but unlocks private repositories and higher API rate limits:
52
48
 
53
- Add Octocode to an AI assistant with MCP, or run the same tools directly from
54
- your terminal with the CLI.
49
+ ```bash
50
+ octocode auth login
51
+ ```
55
52
 
56
- **MCP fast install:**
53
+ **3. Choose your interface.** The same engine and 14 tools run identically either way.
57
54
 
58
- [<img src="https://cursor.com/deeplink/mcp-install-dark.svg" alt="Install in Cursor">](https://cursor.com/en/install-mcp?name=octocode&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyJvY3RvY29kZS1tY3BAbGF0ZXN0Il19) [<img src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Server&color=0098FF" alt="Install in VS Code">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%257B%2522name%2522%253A%2522octocode%2522%252C%2522command%2522%253A%2522npx%2522%252C%2522args%2522%253A%255B%2522octocode-mcp%2540latest%255D%257D) [<img alt="Install in VS Code Insiders" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20Server&color=24bfa5">](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Amcp%2Finstall%3F%257B%2522name%2522%253A%2522octocode%2522%252C%2522command%2522%253A%2522npx%2522%252C%2522args%2522%253A%255B%2522octocode-mcp%2540latest%255D%257D)
55
+ **🖥️ CLI** research straight from your terminal:
59
56
 
60
57
  ```bash
61
- # Interactive installer for Cursor, Claude Code, Codex, VS Code, and more
62
- npx octocode install
58
+ octocode
63
59
  ```
64
60
 
65
- **CLI fast install:**
61
+ **🤖 MCP** add Octocode to your AI assistant:
66
62
 
67
- ```bash
68
- # Run without installing globally
69
- npx octocode
63
+ - **Cursor / VS Code** — one-click install:
70
64
 
71
- # Or install once on macOS/Linux
72
- brew install bgauryy/octocode/octocode
73
- octocode
74
- ```
65
+ [<img src="https://cursor.com/deeplink/mcp-install-dark.svg" alt="Install in Cursor">](https://cursor.com/en/install-mcp?name=octocode&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyJAb2N0b2NvZGVhaS9tY3BAbGF0ZXN0Il19) [<img src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Server&color=0098FF" alt="Install in VS Code">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%257B%2522name%2522%253A%2522octocode%2522%252C%2522command%2522%253A%2522npx%2522%252C%2522args%2522%253A%255B%2522%2540octocodeai%252Fmcp%2540latest%255D%257D) [<img alt="Install in VS Code Insiders" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20Server&color=24bfa5">](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Amcp%2Finstall%3F%257B%2522name%2522%253A%2522octocode%2522%252C%2522command%2522%253A%2522npx%2522%252C%2522args%2522%253A%255B%2522%2540octocodeai%252Fmcp%2540latest%255D%257D)
75
66
 
76
- Authenticate GitHub when you want private repositories or higher API limits:
67
+ - **Claude Code:**
77
68
 
78
- ```bash
79
- npx octocode auth login
80
- ```
69
+ ```bash
70
+ claude mcp add-json octocode --scope user '{"command":"npx","args":["@octocodeai/mcp@latest"]}'
71
+ ```
81
72
 
82
- ### Benchmarks
73
+ - **Any other client** — interactive installer:
83
74
 
84
- Latest benchmark output:
85
- [packages/octocode-benchmark/output](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/output/).
75
+ ```bash
76
+ octocode install
77
+ ```
86
78
 
87
- #### ast-grep Structural Comparison
79
+ ➡️ Learn more at **[octocode.ai](https://octocode.ai)**.
88
80
 
89
- Bars show relative throughput. Higher is better; lower `ms` is better.
81
+ ---
90
82
 
91
- What we tested: ast-grep CLI and Octocode structural grep on the same real
92
- repository files, using the same broad AST node-kind searches
93
- (`call_expression`, `call`, `method_invocation`). The goal was to check
94
- structural AST grep compatibility by match count, then measure where time is
95
- spent across Octocode's raw matcher, agent tool path, and public CLI.
83
+ ## Why Octocode
96
84
 
97
- This benchmark does not test text grep, LSP navigation, rewriting, or the full
98
- ast-grep rule language. Those are separate capabilities.
85
+ Agents write better code from evidence than from assumptions. Octocode turns *guess-driven* work into **research-driven** work. Before an agent changes, reviews, or explains code, it gathers real evidence from your local workspace **and** from GitHub repositories, pull requests, and npm packages, then hands it back as compact, citable context. *Code is truth; context is the map.*
99
86
 
100
- ```text
101
- Octocode raw native ████████████████████ 5.0 ms median │ 3.0x faster │ 6/6 matched
102
- ast-grep CLI ███████░░░░░░░░░░░░░ 15.1 ms median │ baseline │ 6/6 matched
103
- ```
87
+ Most tools cover one slice: searching the web, or grepping your repo. Octocode covers the **whole research flow, end to end**:
104
88
 
105
- `Octocode raw native` means the direct Rust/NAPI `structuralSearchFiles`
106
- matcher: parse and match only, with no tool validation, sanitizer, pagination,
107
- JSON shaping, or Node CLI startup. The agent-facing `localSearchCode` and public
108
- `octocode grep` paths are intentionally slower because they include those safety
109
- and DX layers.
89
+ - **Built for scale.** In organizations with thousands of repositories and endless code, Octocode is the solution: spot a pattern in one repo, follow it through the pull request that introduced it, then trace the same shape across other repos and your own files without leaving the conversation. Clone any repo and study it locally, on any machine.
90
+ - **Smart GitHub workflows.** Parallel bulk queries and built-in **next-step hints** keep the agent on the cheapest path: search broadly, read narrowly, trace semantically. Each result points to the natural follow-up.
91
+ - **No GitHub required.** Even without GitHub, clone any repository locally and point Octocode's local tools (search, structural AST, LSP, content) at it for the same evidence-first research.
92
+ - **Reads the shape, not the noise.** Code is minified and skeletonized on the fly across 70+ languages, so an agent grasps a 100 KB file in a few hundred tokens instead of spending its context on boilerplate.
93
+ - **Fast and self-contained.** Search, parsing, semantic navigation, and redaction run in one prebuilt **Rust engine**: quick on a laptop or a mega-repo, with no extra toolchain to install.
94
+ - **Safe by default.** Every byte returned to the model is scanned and secrets redacted first (see [Security](#security)).
110
95
 
111
- What was checked: we took ast-grep's benchmark scenario repo list, picked one
112
- deterministic file from each supported repo, asked both tools to find the same
113
- AST node kind in that file, verified identical match counts, then timed the
114
- median run.
96
+ ## What You Can Do
115
97
 
116
- Benchmark files:
117
- [runner](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/benchmark/ast-grep/compare-upstream-scenarios.mjs) ·
118
- [scenario manifest](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/benchmark/ast-grep/upstream-outline-scenarios.json) ·
119
- [latest output](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/output/comparison.md)
98
+ Octocode is useful whenever the next coding step depends on finding and proving context, not guessing it.
99
+
100
+ | Need | Use Octocode to |
101
+ |------|-----------------|
102
+ | **Codebase questions** | Search local or GitHub code, read exact regions, browse trees, and carry file/line anchors into the answer. |
103
+ | **Implementation research** | Compare patterns across repositories, npm packages, pull requests, commits, and local files before changing code. |
104
+ | **Semantic navigation** | Resolve definitions, references, callers/callees, call hierarchy, hovers, symbols, diagnostics, and type relationships through LSP. |
105
+ | **Structural matching** | Run AST-shaped searches with patterns or YAML rules so comments and strings do not become false positives. |
106
+ | **Large-file context** | Minify, skeletonize, or paginate code so agents spend tokens on relevant structure instead of boilerplate. |
107
+ | **Binary or archive inspection** | Inspect archives, compressed streams, native binaries, and strings without leaving the research flow. |
108
+ | **Agent workflows** | Expose the same engine through MCP, CLI, OQL, and Agent Skills so assistants and humans use one evidence model. |
109
+
110
+ See [Quick Start](#quick-start) to install in your terminal or AI assistant.
120
111
 
121
112
  ---
122
113
 
123
114
  ## Tools
124
115
 
125
- Octocode ships **13 research tools**; the same implementations run identically over [MCP](#mcp) and the [CLI](#cli). `ghCloneRepo` is opt-in for MCP (`ENABLE_CLONE=true`) and enabled by default for CLI; local tools require `ENABLE_LOCAL` (CLI default: on, MCP default: off). All flags: [Configuration Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md).
116
+ Octocode ships **14 research tools**; the same implementations run identically over [MCP](#mcp) and the [CLI](#cli). Local tools are enabled by default; `ENABLE_LOCAL=false` disables them. `ghCloneRepo` is opt-in for MCP (`ENABLE_CLONE=true`) and enabled by default for CLI. All flags: [Configuration Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md).
126
117
 
127
118
  **Token knobs.** `concise:true` returns path/title-only lists. `minify` controls file read density: `symbols` = skeleton with line numbers, `standard` = comments/blanks stripped (default), `none` = exact bytes.
128
119
 
@@ -157,37 +148,23 @@ Octocode ships **13 research tools**; the same implementations run identically o
157
148
 
158
149
  | Tool | What it does |
159
150
  |------|--------------|
160
- | `lspGetSemantics` | Typed semantic navigation. Raw tools support `definition`, `references`, `callers`, `callees`, `callHierarchy`, `hover`, `documentSymbols`, `typeDefinition`, and `implementation`. The CLI `lsp` shortcut is for symbol-anchored queries only; use `ls --symbols` for `documentSymbols`. Navigation runs through installed language servers (see the [LSP Tools Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/LSP_TOOLS.md)). |
161
-
162
- **Per-tool references** (full schemas, fields, and examples) live in **[`docs/mcp`](https://github.com/bgauryy/octocode/tree/main/docs/mcp)**:
163
- - [GitHub Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/GITHUB_TOOLS.md)
164
- - [Local Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/LOCAL_TOOLS.md)
165
- - [Binary Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/BINARY_TOOLS.md)
166
- - [LSP Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/LSP_TOOLS.md)
167
- - [Tool Behavior Guide](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/TOOL_BEHAVIOR.md)
151
+ | `lspGetSemantics` | Typed semantic navigation. Raw tools support `definition`, `references`, `callers`, `callees`, `callHierarchy`, `hover`, `documentSymbols`, `typeDefinition`, `implementation`, `workspaceSymbol`, `supertypes`, `subtypes`, and `diagnostic`. The CLI uses `octocode search <file> --op <type>` for semantics and `octocode search <file> --symbols` for file or directory symbol outlines. Navigation runs through installed language servers (see the [LSP Tools Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/LSP_TOOLS.md)). |
168
152
 
169
- ---
153
+ ### OQL Search
170
154
 
171
- ## MCP
172
-
173
- The MCP server exposes all 13 tools directly to your AI assistant over stdio. Install once; the assistant calls tools automatically.
155
+ | Tool | What it does |
156
+ |------|--------------|
157
+ | `oqlSearch` | Runs typed OQL queries across code, content, structure, files, semantics, repositories, packages, pull requests, commits, artifacts, diff, research, graph, and materialization targets. |
174
158
 
175
- ### Install
159
+ Full schemas, fields, and examples for every tool live in [`docs/mcp/tools`](https://github.com/bgauryy/octocode/tree/main/docs/mcp/tools) (linked under [Documentation](#documentation)).
176
160
 
177
- **Fast install:**
161
+ ---
178
162
 
179
- [<img src="https://cursor.com/deeplink/mcp-install-dark.svg" alt="Install in Cursor">](https://cursor.com/en/install-mcp?name=octocode&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyJvY3RvY29kZS1tY3BAbGF0ZXN0Il19) [<img src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Server&color=0098FF" alt="Install in VS Code">](https://insiders.vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%257B%2522name%2522%253A%2522octocode%2522%252C%2522command%2522%253A%2522npx%2522%252C%2522args%2522%253A%255B%2522octocode-mcp%2540latest%255D%257D) [<img alt="Install in VS Code Insiders" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20Server&color=24bfa5">](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Amcp%2Finstall%3F%257B%2522name%2522%253A%2522octocode%2522%252C%2522command%2522%253A%2522npx%2522%252C%2522args%2522%253A%255B%2522octocode-mcp%2540latest%255D%257D)
163
+ ## MCP
180
164
 
181
- **Or use the installer (detects your installed clients):**
165
+ The MCP server exposes the Octocode tool catalog directly to your AI assistant over stdio. Install once; the assistant calls tools automatically.
182
166
 
183
- ```bash
184
- # Interactive: detects your installed clients
185
- npx octocode install
186
-
187
- # Non-interactive
188
- octocode install --ide cursor
189
- octocode install --ide claude-code
190
- ```
167
+ **Install:** see [Quick Start](#quick-start) for one-click badges, the `claude mcp add-json` command, or the interactive `octocode install` (non-interactive: `octocode install --ide cursor|claude-code|…`).
191
168
 
192
169
  https://github.com/user-attachments/assets/de8d14c0-2ead-46ed-895e-09144c9b5071
193
170
 
@@ -200,63 +177,48 @@ Add to your MCP client config file:
200
177
  "mcpServers": {
201
178
  "octocode": {
202
179
  "command": "npx",
203
- "args": ["octocode-mcp@latest"]
180
+ "args": ["@octocodeai/mcp@latest"]
204
181
  }
205
182
  }
206
183
  }
207
184
  ```
208
185
 
209
- For GitHub auth, add a token under `env` (see [Authentication Methods](#authentication-methods)).
210
-
211
- ### Configuration
212
-
213
- Set tokens and options as `env` entries here, or machine-wide in `.octocoderc`. See [Configuration](#configuration) for every setting, the home-folder layout, and precedence.
186
+ Add a GitHub token and options under `env` see [Authentication](#authentication-methods) and [Configuration](#configuration).
214
187
 
215
188
  ---
216
189
 
217
190
  ## CLI
218
191
 
219
- The CLI exposes the same research engine without an MCP client. Use quick commands for humans, or call raw tools from scripts and CI.
220
-
221
- ### Install
192
+ Same research engine, no MCP client needed. Local paths route to local tools; `owner/repo[/path]` routes to GitHub.
222
193
 
223
194
  ```bash
224
- brew install bgauryy/octocode/octocode
225
- # or
226
- npm install -g octocode
195
+ octocode auth login # authenticate once
196
+ octocode status # verify setup
197
+ octocode --help # full usage
227
198
  ```
228
199
 
229
- ```bash
230
- octocode login
231
- octocode status
232
- ```
200
+ ### Commands
201
+
202
+ #### Search
203
+
204
+ | Command | What it does |
205
+ |---------|--------------|
206
+ | `octocode search <term> <path\|owner/repo>` | Text, regex, AST structural (`--pattern`), or full OQL (`--query`) |
207
+ | `octocode search <path\|owner/repo> --tree` | Browse directory or repository structure |
208
+ | `octocode search <file>` | Read file content; `--content-view exact\|compact\|symbols` or `--raw` |
209
+ | `octocode search <file> --symbols` | Symbol outline for a file or source tree |
210
+ | `octocode search --query <oql-json>` | Full OQL across all target types (code, commits, PRs, packages, artifacts …) |
233
211
 
234
- ### All Commands
235
-
236
- Local paths route to local tools; `owner/repo[/path]` targets route to GitHub tools.
237
-
238
- | Command | Use it for |
239
- |---------|------------|
240
- | `octocode ls <path\|owner/repo>` | Browse local or GitHub structure; a file or `--symbols` shows a symbol outline |
241
- | `octocode cat <path\|owner/repo/path>` | Read a file, symbol skeleton (`--mode symbols`), line range, or matched slice |
242
- | `octocode grep <term> <path\|owner/repo>` | Text/regex search, or AST structural search with `--pattern` / `--rule` (local). `--type` accepts extensions and language aliases such as `ts`, `rust`, `typescript`, and `*.rs`. |
243
- | `octocode find <query> [path\|owner/repo]` | Find files by name, path, metadata, or content |
244
- | `octocode lsp <file> --type <type> --symbol <name> --line <n>` | Trace `definition`, `references`, `callers`, `callees`, `callHierarchy`, `hover`, `typeDefinition`, and `implementation`; use `ls --symbols` for file outlines |
245
- | `octocode pr <owner/repo[#N]\|PR-URL>` | Search or deep-read pull requests |
246
- | `octocode history <owner/repo[/path]>` | Inspect commit history for a repo, directory, or file |
247
- | `octocode repo <keywords...>` | Discover GitHub repositories |
248
- | `octocode pkg <package\|keywords>` | Search npm and hand off to source repositories |
249
- | `octocode binary <file>` | Inspect archives, compressed files, and native binaries |
250
- | `octocode unzip <archive>` | Unpack an archive to `<octocode-home>/tmp/unzip/<name>-<timestamp>/`, then use local `ls`, `grep`, `cat`, and `lsp` |
251
- | `octocode clone <owner/repo[/path][@branch]>` | Clone a repo or subtree to `<octocode-home>/tmp/clone/` for local/LSP analysis (`ENABLE_CLONE=true`) |
252
- | `octocode tools` | List tools, read schemas, or run any MCP tool directly from the terminal |
253
- | `octocode context` | Print agent-facing protocol, system prompt, tool descriptions, and schemas |
254
- | `octocode install` | Configure Octocode in MCP clients |
255
- | `octocode auth` | Manage GitHub authentication with `login`, `logout`, or `refresh` |
256
- | `octocode login` / `octocode logout` | Sign in or clear stored GitHub credentials |
257
- | `octocode status` | Check token presence, auth identity, MCP installs, sync state, and cache paths |
258
-
259
- Full command syntax, flags, examples, and exit codes live in the [CLI Reference](https://github.com/bgauryy/octocode/blob/main/docs/cli/REFERENCE.md).
212
+ #### More commands
213
+
214
+ - **GitHub & npm** `search <…> --target repositories|packages|pullRequests|commits|artifacts`
215
+ - **LSP** — `search <file> --op definition|references|callers|callees|hover|diagnostic|callHierarchy` (`--symbol`, `--line` to narrow)
216
+ - **Cache & clone** `clone`, `unzip`, `cache fetch|status|clear`
217
+ - **Skills** — `skill --list | --name <skill> | --add <github-folder>`
218
+ - **Language servers** `lsp-server list|install|status|uninstall`
219
+ - **Setup & introspection** `install`, `auth`, `status`, `tools`, `context`
220
+
221
+ Full syntax, flags, and exit codes: [CLI Reference](https://github.com/bgauryy/octocode/blob/main/docs/cli/REFERENCE.md)
260
222
 
261
223
  ---
262
224
 
@@ -272,7 +234,7 @@ environment variables > <octocode-home>/.octocoderc > built-in defaults
272
234
  2. **Global config**: `<octocode-home>/.octocoderc`, machine-wide defaults read by **both the CLI and the MCP server**.
273
235
  3. **Built-in defaults**: used when neither is set.
274
236
 
275
- **Octocode home** (`<octocode-home>`) holds the global config, encrypted credentials, sessions, stats, logs, and tmp materialization caches. Its location is fixed per platform (there is no override):
237
+ **Octocode home** (`<octocode-home>`) holds the global config, encrypted credentials, sessions, stats, and tmp materialization caches. Its location is fixed per platform (there is no override):
276
238
 
277
239
  | Platform | Location |
278
240
  |----------|----------|
@@ -280,25 +242,7 @@ environment variables > <octocode-home>/.octocoderc > built-in defaults
280
242
  | Linux | `${XDG_CONFIG_HOME:-~/.config}/.octocode` |
281
243
  | Windows | `%APPDATA%\.octocode` |
282
244
 
283
- **Set in MCP** (env entries; these win over `.octocoderc`):
284
-
285
- ```json
286
- {
287
- "mcpServers": {
288
- "octocode": {
289
- "command": "npx",
290
- "args": ["octocode-mcp@latest"],
291
- "env": {
292
- "GITHUB_TOKEN": "ghp_xxxxxxxx",
293
- "ENABLE_LOCAL": "true",
294
- "ENABLE_CLONE": "false"
295
- }
296
- }
297
- }
298
- }
299
- ```
300
-
301
- **Set globally** for both the CLI and MCP in `<octocode-home>/.octocoderc` (JSON, comments and trailing commas tolerated; never put tokens here). See the ready-to-copy [example below](#example-octocoderc).
245
+ Set values as MCP `env` entries (per client; these win over `.octocoderc`) or globally in `<octocode-home>/.octocoderc` (JSON with comments). **Tokens never go in `.octocoderc`** — use `env` or `octocode auth login`.
302
246
 
303
247
  ### Common settings
304
248
 
@@ -308,7 +252,7 @@ The **Scope** column shows where a setting applies: `Both`, or `MCP` (the CLI ig
308
252
  |---------|-------------------|---------|-------|--------------|
309
253
  | `OCTOCODE_TOKEN` / `GH_TOKEN` / `GITHUB_TOKEN` | env only | unset | Both | GitHub token, in priority order. Tokens stay in env, never in `.octocoderc`. |
310
254
  | `GITHUB_API_URL` | `github.apiUrl` | `https://api.github.com` | Both | API endpoint; use `/api/v3` for GitHub Enterprise. |
311
- | `ENABLE_LOCAL` | `local.enabled` | CLI `true`, MCP `false` | Both | Turns local filesystem + LSP tools on/off. |
255
+ | `ENABLE_LOCAL` | `local.enabled` | `true` | Both | Turns local filesystem + LSP tools on/off; set `false` to disable. |
312
256
  | `ENABLE_CLONE` | `local.enableClone` | CLI `true`, MCP `false` | Both | `ghCloneRepo` and directory fetch. Default differs by surface; set `false` to disable in either. |
313
257
  | `WORKSPACE_ROOT` | `local.workspaceRoot` | `cwd` | Both | Absolute root for resolving relative local paths. |
314
258
  | `ALLOWED_PATHS` | `local.allowedPaths` | `[]` | Both | Extra path allowlist for local access; empty means home directory only after validation. |
@@ -317,83 +261,38 @@ The **Scope** column shows where a setting applies: `Both`, or `MCP` (the CLI ig
317
261
  | `MAX_RETRIES` | `network.maxRetries` | `3` | Both | Retry attempts (clamped `0..10`). |
318
262
  | `OCTOCODE_OUTPUT_FORMAT` | `output.format` | `yaml` | Both | Response format: `yaml` or `json`. |
319
263
 
320
- > **Local and clone defaults differ by surface.** The **CLI** honors `ENABLE_LOCAL` and defaults local tools on; clone is enabled by default. The **MCP server** honors `ENABLE_LOCAL` and defaults local tools and clone off, so a deployment can control what an assistant may touch. Explicit env or `.octocoderc` values override those defaults.
321
-
322
- ### Example `.octocoderc`
323
-
324
- Drop this at `<octocode-home>/.octocoderc` for machine-wide defaults shared by the CLI and the MCP server. Every field is optional; keep only what you want to change. **Tokens never go here** (use env or `octocode login`).
325
-
326
- ```jsonc
327
- {
328
- // GitHub Enterprise users: point at your API endpoint.
329
- "github": { "apiUrl": "https://api.github.com" },
330
-
331
- "local": {
332
- "enabled": true, // overrides the surface default for CLI and MCP
333
- "enableClone": false, // false disables ghCloneRepo for CLI and MCP
334
- "workspaceRoot": "~/code", // base for relative local paths (absolute or ~)
335
- "allowedPaths": [] // extra dirs the local tools may read
336
- },
264
+ > **Local defaults on; clone differs by surface.** Both CLI and MCP default local tools on; set `ENABLE_LOCAL=false` to disable them. The **CLI** defaults clone on, while the **MCP server** requires `ENABLE_CLONE=true`.
337
265
 
338
- "network": { "timeout": 30000, "maxRetries": 3 },
339
-
340
- "output": { "format": "yaml" } // "yaml" or "json"
341
- }
342
- ```
343
-
344
- Per-project overrides and custom LSP servers live in a workspace `.octocode/` folder (for example `.octocode/lsp-servers.json`). For every variable, the full `.octocoderc` schema, clone-cache tuning, GitHub Enterprise setup, local-state paths, and precedence details, see the [Configuration Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md).
266
+ Per-project overrides and custom LSP servers live in a workspace `.octocode/` folder. For the full `.octocoderc` schema, a ready-to-copy example, clone-cache tuning, GitHub Enterprise setup, and precedence details, see the [Configuration Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md).
345
267
 
346
268
  ---
347
269
 
348
270
  ## Authentication Methods
349
271
 
350
- GitHub-backed tools require authentication. Pick whichever method fits your setup; any one is enough. Full details: [Authentication Setup](https://github.com/bgauryy/octocode/blob/main/docs/mcp/AUTHENTICATION.md).
272
+ GitHub-backed tools require authentication. Any one method is enough. Full details: [Authentication Setup](https://github.com/bgauryy/octocode/blob/main/docs/AUTHENTICATION.md).
351
273
 
352
274
  ### Option 1: Octocode CLI (Recommended)
353
275
 
354
- The simplest setup. Octocode stores OAuth credentials encrypted on disk.
355
-
356
276
  ```bash
357
- npx octocode auth login # or: octocode login
358
- npx octocode status # verify the active token source
277
+ octocode auth login
278
+ octocode status # verify the active token source
359
279
  ```
360
280
 
361
- ### Option 2: GitHub CLI
281
+ Interactive login lets you choose Octocode browser OAuth or `gh auth login`. Octocode OAuth credentials are stored encrypted on disk.
362
282
 
363
- Use your existing `gh` credentials: automatic token management, works with 2FA and SSO.
283
+ ### Option 2: GitHub CLI (also supported)
364
284
 
365
285
  ```bash
366
- # Install GitHub CLI
367
- brew install gh # macOS
368
- winget install --id GitHub.cli # Windows
369
- # Linux: https://github.com/cli/cli/blob/trunk/docs/install_linux.md
370
-
371
286
  gh auth login
372
287
  ```
373
288
 
374
- No `GITHUB_TOKEN` is needed; Octocode reads the `gh` token automatically.
375
-
376
- ### Option 3: Personal Access Token
289
+ Octocode reads the `gh` token automatically — no further config needed.
377
290
 
378
- Best for CI/CD, automation, MCP client configs, or GitHub Enterprise.
291
+ ### Option 3: Personal Access Token (also supported)
379
292
 
380
- 1. Create a token at [github.com/settings/tokens](https://github.com/settings/tokens)
381
- 2. Select scopes: `repo`, `read:user`, `read:org`
382
- 3. Provide it via `OCTOCODE_TOKEN`, `GH_TOKEN`, or `GITHUB_TOKEN` (in your shell or MCP client `env`):
293
+ Set `OCTOCODE_TOKEN`, `GH_TOKEN`, or `GITHUB_TOKEN` in your shell. Required scopes: `repo`, `read:user`, `read:org`.
383
294
 
384
- ```json
385
- {
386
- "mcpServers": {
387
- "octocode": {
388
- "command": "npx",
389
- "args": ["octocode-mcp@latest"],
390
- "env": {
391
- "GITHUB_TOKEN": "<your-token>"
392
- }
393
- }
394
- }
395
- }
396
- ```
295
+ Create a token at [github.com/settings/tokens](https://github.com/settings/tokens).
397
296
 
398
297
  > **Security tip**: Never commit tokens to version control. Use environment variables or secure secret management.
399
298
 
@@ -401,21 +300,21 @@ Best for CI/CD, automation, MCP client configs, or GitHub Enterprise.
401
300
 
402
301
  ## Security
403
302
 
404
- **Every byte that reaches the model is scanned and redacted first.** All content (local files, GitHub and npm responses, error messages, and tool outputs) passes through the Rust engine's secret scanner on the way *in* (tool inputs) and on the way *out* (results), so secrets never reach the LLM or logs. The same enforcement runs identically under MCP and the CLI.
303
+ **Every byte that reaches the model is scanned and redacted first.** All content (local files, GitHub and npm responses, error messages, and tool outputs) passes through the Rust engine's secret scanner on the way *in* (tool inputs) and on the way *out* (results), so secrets never reach the LLM. The same enforcement runs identically under MCP and the CLI.
405
304
 
406
- - **Secret redaction, in and out.** 270+ provider credential patterns (AWS, Azure, GCP, GitHub, OpenAI, Anthropic, Stripe, Slack, 1Password, and more) plus generic JWTs, PEM/private keys, bearer tokens, database connection strings, and high-entropy strings. Masked values surface a `Secrets detected and redacted` warning so the agent knows.
407
- - **Content sanitized at the source.** Local reads (`localGetFileContent`, ripgrep, structural search, binary, find, structure) and external fetches (GitHub code/files, npm) are scanned as they are read, not only at the boundary.
408
- - **Path safety.** Local reads are bounded to `WORKSPACE_ROOT` and `ALLOWED_PATHS` (default: your home directory). Symlinks are resolved and the real target is **re-validated** against the same rules, so a link cannot escape into a blocked location. Every local tool runs this check before touching the filesystem.
305
+ - **Secret redaction, in and out.** 300+ provider credential patterns (AWS, Azure, GCP, GitHub, OpenAI, Anthropic, Stripe, Slack, 1Password, and more) plus generic JWTs, PEM/private keys, bearer tokens, database connection strings, and high-entropy strings. Masked values surface a redaction warning so the agent knows.
306
+ - **Content sanitized at the source.** Local reads (`localGetFileContent`, ripgrep, structural search, binary, file discovery, structure) and external fetches (GitHub code/files, npm) are scanned as they are read, not only at the boundary.
307
+ - **Path safety.** Relative inputs resolve from `WORKSPACE_ROOT` / config / `cwd`, then local reads are bounded to the engine's allowed roots (home by default, plus `ALLOWED_PATHS` and Octocode-registered roots). Symlinks are resolved and the real target is **re-validated**, so a link cannot escape into a blocked location.
409
308
  - **Sensitive files and directories are blocked by default.** Octocode refuses to read known secret-bearing files and folders wherever they live, returning a redacted error instead of contents. Blocked patterns include:
410
309
  - **Keys and certs:** `*.pem`, `*.key`, `*.crt`/`*.cer`/`*.csr`, `*.p12`/`*.pfx`/`*.jks`/`*.keystore`, and SSH keys (`id_rsa`, `*_ed25519`, `authorized_keys`, `known_hosts`, `.ssh/`).
411
310
  - **Credentials and tokens:** `.env` / `.env.*`, `.netrc`, `.npmrc`, `.pgpass`, `.git-credentials`, `*_token` / `.token`, `client_secret*.json`, `*service-account*.json`, `auth.json`, `.htpasswd`.
412
311
  - **Cloud and infra:** `.aws/`, `.azure/`, `.config/gcloud/`, `.kube/` / `kubeconfig`, `.docker/`, `.terraform/` and `*.tfstate`.
413
312
  - **OS and app secret stores:** `.git/`, `secrets/`, `private/`, browser login data (Chrome/Firefox), OS keychains, password managers (`*.kdbx`), shell history files, and crypto wallets.
414
- - **Command safety.** Local execution is whitelisted to `rg`, `find`, and `ls` via `spawn` with argument arrays: no shell strings, no injection.
313
+ - **Command safety.** Normal local search runs in-process inside `octocode-engine`. External helpers are fixed per lane, command/argument allowlisted, and run via `spawn` with argument arrays: no shell strings, no injection.
415
314
  - **Schema validation** runs before any tool executes; untrusted input size and shape are bounded.
416
315
  - **Credentials.** GitHub auth via env tokens, AES-256-GCM-encrypted on-disk OAuth, or the `gh` CLI; tokens are never logged.
417
316
 
418
- **Full security model, pipeline, and threat coverage: [SECURITY.md](https://github.com/bgauryy/octocode/blob/main/docs/SECURITY.md).** Related: [Authentication](https://github.com/bgauryy/octocode/blob/main/docs/mcp/AUTHENTICATION.md) · [Configuration](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md) · [Credentials](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CREDENTIALS.md)
317
+ **Full security model, pipeline, and threat coverage: [SECURITY.md](https://github.com/bgauryy/octocode/blob/main/docs/SECURITY.md).** Related: [Authentication](https://github.com/bgauryy/octocode/blob/main/docs/AUTHENTICATION.md) · [Configuration](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md) · [Credentials](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CREDENTIALS.md)
419
318
 
420
319
  ---
421
320
 
@@ -425,12 +324,12 @@ Four code-intelligence axes; three are native to the Rust engine and need no ext
425
324
 
426
325
  | Axis | What it does | How to use it |
427
326
  |------|--------------|---------------|
428
- | **Structural AST** | Tree-sitter shape queries (`pattern` or YAML `rule`) across 33 grammars. | `localSearchCode mode:"structural"` · CLI `grep --pattern`/`--rule` |
429
- | **Signature outline** | Body-free skeleton with line numbers from real tree-sitter parsing, no heuristics. An anti-growth guard returns the real file when a skeleton wouldn't be smaller. | `minify:"symbols"` · CLI `cat --mode symbols` |
327
+ | **Structural AST** | Tree-sitter shape queries (`pattern` or YAML `rule`) across 60+ extensions. | `localSearchCode mode:"structural"` · CLI `search --pattern`/`--rule` |
328
+ | **Signature outline** | Body-free skeleton with line numbers from real tree-sitter parsing, no heuristics. An anti-growth guard returns the real file when a skeleton wouldn't be smaller. | `minify:"symbols"` · CLI `search <file> --content-view symbols` |
430
329
  | **Content minification** | Comment/whitespace stripping for 70+ languages and config formats; HTML/Vue/Svelte also minify embedded `<style>`/`<script>`. | `minify:"standard"` (default) |
431
- | **LSP navigation** | definition, references, callers/callees, callHierarchy, hover, typeDefinition, implementation, documentSymbols, via an installed language server; JS/TS also have a native, no-server path. | `lspGetSemantics` · CLI `lsp` / `ls --symbols` |
330
+ | **LSP navigation** | definition, references, callers/callees, callHierarchy, hover, typeDefinition, implementation, documentSymbols, via an installed language server; JS/TS also have a native, no-server path. | `lspGetSemantics` · CLI `search --op` / `search --symbols` |
432
331
 
433
- 📋 **Full support matrix:** every extension with its exact AST, signature, LSP, and minify capability, machine-generated from the shipped binary, lives in **[`benchmark/SUPPORT.md`](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/benchmark/SUPPORT.md)** (150 extensions: 61 AST, 47 signature, 56 LSP, 89 minify-only). Regenerate or verify with `yarn workspace @octocodeai/octocode-benchmark matrix:check`.
332
+ 📋 **Full support matrix:** every extension with its exact AST, signature, LSP, and minify capability, machine-generated from the shipped binary, lives in the **[Full format support matrix](https://github.com/bgauryy/octocode/blob/main/docs/LSP_SERVER_LIFECYCLE.md#full-format-support-matrix)** (151 extensions: 61 AST, 47 signature, 32 LSP, 90 minify-only). Regenerate or verify with `yarn workspace @octocodeai/octocode-benchmark matrix:check`.
434
333
 
435
334
  ---
436
335
 
@@ -439,17 +338,29 @@ Four code-intelligence axes; three are native to the Rust engine and need no ext
439
338
  > [Agent Skills](https://agentskills.io/what-are-skills) are a lightweight, open format for extending AI agent capabilities.
440
339
  > Browse and install on [**skills.sh/bgauryy/octocode-mcp**](https://www.skills.sh/bgauryy/octocode-mcp) · Skills index: [skills/README.md](https://github.com/bgauryy/octocode/blob/main/skills/README.md)
441
340
 
442
- These are the skills the Octocode team itself uses to build Octocode. ⭐ **[Engineer](https://www.skills.sh/bgauryy/octocode-mcp/octocode-engineer)** is the recommended starting skill.
341
+ These are the skills the Octocode team itself uses to build Octocode. **9 skills** live under [`skills/`](https://github.com/bgauryy/octocode/tree/main/skills); the table mirrors the [Skills Index](https://github.com/bgauryy/octocode/blob/main/skills/README.md). ⭐ **[Engineer](https://www.skills.sh/bgauryy/octocode-mcp/octocode-engineer)** is the recommended starting skill.
443
342
 
444
- | Skill | What it does |
445
- |-------|--------------|
446
- | [**Engineer**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-engineer) | Codebase understanding, implementation, bug investigation, refactors, PR review, and RFC validation with AST + LSP evidence |
447
- | [**Research**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-research) | Deep code exploration with HTTP-based tool orchestration: trace flow, find usages, understand a codebase |
448
- | [**Brainstorming**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-brainstorming) | Validate ideas against GitHub, npm, and web evidence; produces a decision-ready brief |
449
- | [**RFC Generator**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-rfc-generator) | Evidence-backed RFCs, design docs, migration and implementation plans before coding |
450
- | [**Install**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-install) | Interactive step-by-step Octocode installer for macOS and Windows |
451
- | [**Search Skill**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-search-skill) | Find, evaluate, install, rate, and refactor Agent Skills (SKILL.md format) |
452
- | [**Stats**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-stats) | Render an Octocode MCP usage dashboard from stats.json (tokens saved, cache hits, errors) |
343
+ ```bash
344
+ npx octocode skill --list # browse available skills
345
+ npx octocode skill --name octocode-engineer # install to ~/.agents/skills (default)
346
+ npx octocode skill --name octocode-engineer --platform claude # Claude Code + Claude Desktop
347
+ npx octocode skill --name octocode-engineer --all --dry-run # preview before installing everywhere
348
+ npx octocode skill --add owner/repo/skills/my-skill # any GitHub folder
349
+ ```
350
+
351
+ Platforms: `common` (default, `~/.agents/skills`), `cursor`, `claude`, `codex`, `opencode`, `all` · Modes: `copy` (default), `symlink`, `hybrid` · [Skills Guide](https://github.com/bgauryy/octocode/blob/main/docs/SKILLS_GUIDE.md)
352
+
353
+ | Skill | Directory | Use it when |
354
+ |-------|-----------|-------------|
355
+ | [**CLI**](https://www.skills.sh/bgauryy/octocode-mcp/octocode) | `octocode/` | You want to research code from the terminal without MCP: local, GitHub, npm, file, repo, PR, or package lookup. |
356
+ | ⭐ [**Engineer**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-engineer) | `octocode-engineer/` | You need to understand, implement, review, refactor, or audit code. The default for "work on this code." |
357
+ | [**Loop**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-loop) | `octocode-loop/` | The goal and research path are clear and the work needs grounded Act -> Observe -> Learn -> Repeat loops until evidence converges. |
358
+ | [**Brainstorming**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-brainstorming) | `octocode-brainstorming/` | The idea is fuzzy: validate prior art, check whether something is worth building, or produce a decision brief. |
359
+ | [**RFC Generator**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-rfc-generator) | `octocode-rfc-generator/` | You need a design doc, RFC, architecture proposal, migration plan, or rollout plan before coding. |
360
+ | [**Roast**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-roast) | `octocode-roast/` | You want brutal but actionable code critique with severity-ranked findings and fixes. |
361
+ | [**Skills**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-skills) | `octocode-skills/` | You are working on Agent Skills themselves: find, evaluate, install, lint, create, or update `SKILL.md` folders. |
362
+ | [**Awareness**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-awareness) | `octocode-awareness/` | You need memory, file locks, or verify-before-conclude across runs or concurrent agents in a shared/dirty repo. |
363
+ | [**Stats**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-stats) | `octocode-stats/` | You want to visualize Octocode usage: tokens/chars saved, cache hits, errors, and rate limits from `stats.json`. |
453
364
 
454
365
  ---
455
366
 
@@ -488,7 +399,7 @@ client → sanitize inputs (Rust) → run tool (GitHub / FS / LSP) → sanitize
488
399
 
489
400
  | Directory | npm package | Role |
490
401
  |-----------|-------------|------|
491
- | [`packages/octocode`](https://github.com/bgauryy/octocode/tree/main/packages/octocode) | `octocode` | CLI: quick commands, raw tool runner, auth/login/logout, install, status, context. |
402
+ | [`packages/octocode`](https://github.com/bgauryy/octocode/tree/main/packages/octocode) | `octocode` | CLI: quick commands, raw tool runner, skill installs, auth/login/logout, install, status, context. |
492
403
  | [`packages/octocode-mcp`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-mcp) | `octocode-mcp` | MCP server (stdio) that registers the tool catalog for AI assistants. |
493
404
  | [`packages/octocode-tools-core`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-tools-core) | `@octocodeai/octocode-tools-core` | Shared tool core: implementations, GitHub client, credentials and token resolution, session, pagination, security bridge. |
494
405
  | [`packages/octocode-engine`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-engine) | `@octocodeai/octocode-engine` | Rust/napi native engine: security scanning, minification, signatures, structural AST, ripgrep/diff/YAML, LSP. |
@@ -498,35 +409,42 @@ client → sanitize inputs (Rust) → run tool (GitHub / FS / LSP) → sanitize
498
409
 
499
410
  ## Documentation
500
411
 
501
- Website: **[octocode.ai](https://octocode.ai)** · Full docs: **[github.com/bgauryy/octocode/tree/main/docs](https://github.com/bgauryy/octocode/tree/main/docs)** · Index: **[docs/README.md](https://github.com/bgauryy/octocode/blob/main/docs/README.md)**. All monorepo documentation lives in [`docs/`](https://github.com/bgauryy/octocode/tree/main/docs) (no per-package `docs/`).
412
+ Website: **[octocode.ai](https://octocode.ai)** · Product docs: **[github.com/bgauryy/octocode/tree/main/docs](https://github.com/bgauryy/octocode/tree/main/docs)** · Index: **[docs/README.md](https://github.com/bgauryy/octocode/blob/main/docs/README.md)**. Product documentation lives in [`docs/`](https://github.com/bgauryy/octocode/tree/main/docs); benchmark methodology, evals, and run artifacts live in [`packages/octocode-benchmark`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-benchmark).
502
413
 
503
414
  **Docs map**
504
415
  - [`docs/mcp/`](https://github.com/bgauryy/octocode/tree/main/docs/mcp): MCP server configuration, authentication, tools, workflows, architecture
505
- - [`docs/cli/`](https://github.com/bgauryy/octocode/tree/main/docs/cli): CLI commands, flags, benchmarks
506
- - [`docs/`](https://github.com/bgauryy/octocode/tree/main/docs): guides for development, security, skills, Pi setup
416
+ - [`docs/cli/`](https://github.com/bgauryy/octocode/tree/main/docs/cli): CLI commands, flags, and reference material
417
+ - [`docs/`](https://github.com/bgauryy/octocode/tree/main/docs): guides for development, security, and Pi setup
418
+ - [`packages/octocode-benchmark/`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-benchmark): benchmark methodology, support matrix, unified eval, recipes, output schema, and run artifacts
507
419
 
508
420
  **Setup**
509
- - [Authentication Setup](https://github.com/bgauryy/octocode/blob/main/docs/mcp/AUTHENTICATION.md)
421
+ - [Authentication Setup](https://github.com/bgauryy/octocode/blob/main/docs/AUTHENTICATION.md)
510
422
  - [Configuration Reference](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CONFIGURATION.md)
511
423
  - [Using octocode-mcp with Pi](https://github.com/bgauryy/octocode/blob/main/docs/PI/PI_SETUP_GUIDE.md)
512
424
 
513
425
  **Tool References**
514
426
  - [GitHub Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/GITHUB_TOOLS.md)
515
427
  - [Local Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/LOCAL_TOOLS.md)
428
+ - [Binary Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/BINARY_TOOLS.md)
516
429
  - [LSP Tools](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/LSP_TOOLS.md)
517
430
  - [Clone & Local Workflow](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CLONE_WORKFLOW.md)
431
+ - [Tool Behavior Guide](https://github.com/bgauryy/octocode/blob/main/docs/mcp/tools/TOOL_BEHAVIOR.md)
432
+
433
+ **Benchmarks & Evals**
434
+ - [Benchmark Summary](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/BENCHMARK.md)
435
+ - [Unified CLI/Tool/OQL Eval](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/benchmark/octocode/README.md)
436
+ - [Benchmark Runbook](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/recipes/agent-benchmark-runbook.md)
437
+ - [Support Matrix](https://github.com/bgauryy/octocode/blob/main/docs/LSP_SERVER_LIFECYCLE.md#full-format-support-matrix)
518
438
 
519
439
  **Security, CLI & Skills**
520
440
  - [Security Model](https://github.com/bgauryy/octocode/blob/main/docs/SECURITY.md)
521
441
  - [CLI Reference](https://github.com/bgauryy/octocode/blob/main/docs/cli/REFERENCE.md)
522
- - [Skills Guide](https://github.com/bgauryy/octocode/blob/main/docs/SKILLS_GUIDE.md) · [Skills Index](https://github.com/bgauryy/octocode/blob/main/skills/README.md)
442
+ - [Skills Guide](https://github.com/bgauryy/octocode/blob/main/docs/SKILLS_GUIDE.md)
443
+ - [Skills Index](https://github.com/bgauryy/octocode/blob/main/skills/README.md)
523
444
 
524
445
  **Shared Internals**
525
446
  - [Credentials Architecture](https://github.com/bgauryy/octocode/blob/main/docs/mcp/CREDENTIALS.md) · [Session Persistence](https://github.com/bgauryy/octocode/blob/main/docs/mcp/SESSION.md)
526
447
 
527
- **Operations**
528
- - [Development Guide](https://github.com/bgauryy/octocode/blob/main/docs/DEVELOPMENT_GUIDE.md) · [Agent Guidance (AGENTS.md)](https://github.com/bgauryy/octocode/blob/main/AGENTS.md)
529
-
530
448
  ### Recommended dev mode: Pi + Octocode
531
449
 
532
450
  [Pi](https://github.com/earendil-works/pi) is a fast, local-first coding agent whose stated philosophy is *"CLI tools with READMEs (Skills) over MCP."* Pairing it with Octocode gives a lean, evidence-driven dev loop — **Pi edits, Octocode researches**. Two routes, pick by how much surface you need:
@@ -534,10 +452,10 @@ Website: **[octocode.ai](https://octocode.ai)** · Full docs: **[github.com/bgau
534
452
  - **Skill route — recommended, leanest.** Drop the [`octocode-engineer`](https://www.skills.sh/bgauryy/octocode-mcp/octocode-engineer) skill into Pi's global skills dir. It drives the Octocode **CLI** directly — no MCP transport, minimal token overhead — and Pi auto-discovers it:
535
453
 
536
454
  ```bash
537
- npx -y degit bgauryy/octocode/skills/octocode-engineer ~/.pi/agent/skills/octocode-engineer
455
+ npx octocode skill --name octocode-engineer
538
456
  ```
539
457
 
540
- - **Adapter route — full tool surface.** Install [`pi-mcp-adapter`](https://github.com/nicobailon/pi-mcp-adapter) to expose all 13 Octocode MCP tools behind a single ~200-token proxy tool, so servers stay disconnected until a tool is actually called. Enable clone tools with `ENABLE_CLONE=true`.
458
+ - **Adapter route — full tool surface.** Install [`pi-mcp-adapter`](https://github.com/nicobailon/pi-mcp-adapter) to expose all 14 Octocode MCP tools behind a single ~200-token proxy tool, so servers stay disconnected until a tool is actually called. Enable clone tools with `ENABLE_CLONE=true`.
541
459
 
542
460
  Tune Pi's behavior with an `APPEND_SYSTEM.md` (a compact starter lives at [`docs/PI/APPEND_SYSTEM.md`](https://github.com/bgauryy/octocode/blob/main/docs/PI/APPEND_SYSTEM.md)). The full walkthrough — adapter install, MCP config scopes, skills, system-prompt tuning, and custom models — is in the [**Pi Setup Guide**](https://github.com/bgauryy/octocode/blob/main/docs/PI/PI_SETUP_GUIDE.md).
543
461