rebar-mcp 2.0.0

package/src/tools/enterprise.ts

@@ -0,0 +1,666 @@
+/**
+ * Tier 3: Enterprise and Compliance Tools
+ * rebar_apply_compliance, rebar_create_ci_workflow,
+ * rebar_create_security_hook, rebar_generate_mcp_config
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import * as path from "node:path";
+import {
+  ApplyComplianceInputSchema,
+  CreateCIWorkflowInputSchema,
+  CreateSecurityHookInputSchema,
+  GenerateMCPConfigInputSchema,
+} from "../schemas/scaffolding.js";
+import {
+  resolveProjectPath,
+  sanitizePath,
+  atomicWrite,
+  ensureDir,
+  readFileSafe,
+  safeWriteFile,
+} from "../services/file-ops.js";
+import {
+  DANGEROUS_COMMANDS_STANDARD,
+  DANGEROUS_COMMANDS_STRICT,
+  DANGEROUS_COMMANDS_PARANOID,
+  SECRET_PATTERNS,
+} from "../constants.js";
+import type { ToolResult } from "../types.js";
+
+function makeResult(text: string, isError = false): ToolResult {
+  return {
+    content: [{ type: "text", text }],
+    ...(isError ? { isError: true } : {}),
+  };
+}
+
+export function registerEnterpriseTools(server: McpServer): void {
+  // ─── rebar_apply_compliance ──────────────────────────────────────
+  server.registerTool(
+    "rebar_apply_compliance",
+    {
+      title: "Apply Compliance Pack",
+      description:
+        "[Rebar] Applies a compliance template pack to the project — generates hooks for audit logging, " +
+        "skills for compliance-aware code review, and CLAUDE.md sections with regulatory requirements.\n\n" +
+        "Supported standards:\n" +
+        "• hipaa: PHI handling, audit logging, encryption requirements, data classification\n" +
+        "• soc2: Access controls, audit trails, change management, encryption\n" +
+        "• pci-dss: Card number blocking, tokenization requirements, OWASP checks\n" +
+        "• sox: Financial calculation review, audit trails, separation of duties\n\n" +
+        "Scope options:\n" +
+        "• full: Hooks + skills + CLAUDE.md section\n" +
+        "• hooks_only: Just audit/blocking hooks\n" +
+        "• skills_only: Just compliance review skills\n\n" +
+        "Examples:\n" +
+        "  rebar_apply_compliance({ project_path: '.', standard: 'hipaa', scope: 'full' })\n" +
+        "  rebar_apply_compliance({ project_path: '.', standard: 'soc2', scope: 'hooks_only' })\n\n" +
+        "Idempotent: Safe to run multiple times — won't duplicate hooks.",
+      inputSchema: ApplyComplianceInputSchema,
+      annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+      },
+    },
+    async (args) => {
+      const { project_path, standard, scope } = args;
+      const absPath = resolveProjectPath(project_path);
+      const generated: string[] = [];
+
+      try {
+        const complianceConfig = getComplianceConfig(standard);
+
+        // Generate hooks
+        if (scope === "full" || scope === "hooks_only") {
+          const settingsPath = sanitizePath(absPath, ".claude/settings.json");
+          let settings: Record<string, unknown> = {};
+          const existing = await readFileSafe(settingsPath);
+          if (existing) {
+            settings = JSON.parse(existing) as Record<string, unknown>;
+          }
+
+          if (!settings.hooks) settings.hooks = {};
+          const hooks = settings.hooks as Record<string, unknown[]>;
+
+          for (const hook of complianceConfig.hooks) {
+            const eventKey = hook.event as string;
+            if (!hooks[eventKey]) hooks[eventKey] = [];
+            const eventHooks = hooks[eventKey] as Record<string, unknown>[];
+            const exists = eventHooks.some((h) => h.command === hook.command);
+            if (!exists) {
+              eventHooks.push(hook);
+            }
+          }
+
+          await ensureDir(path.dirname(settingsPath));
+          await atomicWrite(settingsPath, JSON.stringify(settings, null, 2));
+          generated.push(`✓ Added ${complianceConfig.hooks.length} compliance hook(s) to settings.json`);
+        }
+
+        // Generate skills
+        if (scope === "full" || scope === "skills_only") {
+          for (const skill of complianceConfig.skills) {
+            const skillDir = sanitizePath(absPath, `.claude/skills/${skill.name}`);
+            await ensureDir(skillDir);
+            const skillPath = path.join(skillDir, "SKILL.md");
+            const result = await safeWriteFile(skillPath, skill.content, true);
+            generated.push(`✓ ${result.message}`);
+          }
+        }
+
+        // Append to CLAUDE.md
+        if (scope === "full") {
+          const claudemdPath = sanitizePath(absPath, "CLAUDE.md");
+          const existingMd = await readFileSafe(claudemdPath);
+          const section = complianceConfig.claudemdSection;
+          if (existingMd && !existingMd.includes(section.substring(0, 50))) {
+            await atomicWrite(claudemdPath, existingMd + "\n\n" + section);
+            generated.push("✓ Added compliance section to CLAUDE.md");
+          } else if (!existingMd) {
+            await atomicWrite(claudemdPath, `# Project\n\n${section}`);
+            generated.push("✓ Created CLAUDE.md with compliance section");
+          } else {
+            generated.push("• CLAUDE.md already contains compliance section");
+          }
+        }
+
+        return makeResult(
+          `Compliance pack applied: ${standard.toUpperCase()}\n` +
+          `Scope: ${scope}\n\n` +
+          generated.join("\n") +
+          `\n\nReview the generated artifacts and customize as needed.`
+        );
+      } catch (err: unknown) {
+        const message = err instanceof Error ? err.message : String(err);
+        return makeResult(`Failed to apply compliance pack: ${message}`, true);
+      }
+    }
+  );
+
+  // ─── rebar_create_ci_workflow ────────────────────────────────────
+  server.registerTool(
+    "rebar_create_ci_workflow",
+    {
+      title: "Create CI Workflow",
+      description:
+        "[Rebar] Generates a GitHub Actions workflow that enables Claude Code to review pull requests. " +
+        "Creates a .github/workflows/claude-review.yml file that triggers on PRs and @claude mentions.\n\n" +
+        "Review focus options:\n" +
+        "• security: OWASP vulnerabilities, auth issues, data exposure\n" +
+        "• performance: N+1 queries, memory leaks, bundle size\n" +
+        "• style: Code conventions, naming, organization\n" +
+        "• all: Comprehensive review covering all areas\n\n" +
+        "Examples:\n" +
+        "  rebar_create_ci_workflow({ repo_path: '.', review_focus: 'all', branch_pattern: 'main' })\n" +
+        "  rebar_create_ci_workflow({ repo_path: '.', review_focus: 'security', branch_pattern: 'develop' })\n\n" +
+        "Requires: ANTHROPIC_API_KEY in repository secrets.\n" +
+        "Idempotent: Updates existing workflow if present.",
+      inputSchema: CreateCIWorkflowInputSchema,
+      annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+      },
+    },
+    async (args) => {
+      const { repo_path, review_focus, branch_pattern } = args;
+      const absPath = resolveProjectPath(repo_path);
+      const workflowDir = sanitizePath(absPath, ".github/workflows");
+      const workflowPath = path.join(workflowDir, "claude-review.yml");
+
+      try {
+        await ensureDir(workflowDir);
+
+        const focusInstructions = getReviewFocusInstructions(review_focus);
+
+        const workflow = `name: Claude Code Review
+
+on:
+  pull_request:
+    branches: [${branch_pattern}]
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  claude-review:
+    if: |
+      (github.event_name == 'pull_request') ||
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude'))
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Claude Code Review
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: \${{ secrets.ANTHROPIC_API_KEY }}
+          review_focus: "${review_focus}"
+          custom_instructions: |
+            ${focusInstructions}
+`;
+
+        const result = await safeWriteFile(workflowPath, workflow, true);
+
+        return makeResult(
+          `CI workflow created!\n\n` +
+          `Location: ${workflowPath}\n` +
+          `Review focus: ${review_focus}\n` +
+          `Branch pattern: ${branch_pattern}\n\n` +
+          `${result.message}\n\n` +
+          `Next steps:\n` +
+          `1. Add ANTHROPIC_API_KEY to your repository secrets\n` +
+          `2. Push the workflow file to your repository\n` +
+          `3. Create a PR to trigger the review`
+        );
+      } catch (err: unknown) {
+        const message = err instanceof Error ? err.message : String(err);
+        return makeResult(`Failed to create CI workflow: ${message}`, true);
+      }
+    }
+  );
+
+  // ─── rebar_create_security_hook ──────────────────────────────────
+  server.registerTool(
+    "rebar_create_security_hook",
+    {
+      title: "Create Security Hooks",
+      description:
+        "[Rebar] Generates a comprehensive security hook system that blocks dangerous commands and detects secret leaks " +
+        "before they happen. Creates a blocker script and hooks it into Claude Code's PreToolCall lifecycle.\n\n" +
+        "Strictness levels:\n" +
+        "• standard: Blocks rm -rf, force push, DROP TABLE, TRUNCATE (8 patterns)\n" +
+        "• strict: + git reset --hard, chmod 777, curl|sh, wget|sh (13 patterns)\n" +
+        "• paranoid: + eval(), exec(), sudo, su, pkill, killall (19 patterns)\n\n" +
+        "Also detects secret patterns: AWS keys, API keys, GitHub tokens, private keys.\n\n" +
+        "Examples:\n" +
+        "  rebar_create_security_hook({ project_path: '.', strictness: 'standard' })\n" +
+        "  rebar_create_security_hook({ project_path: '.', strictness: 'paranoid' })\n\n" +
+        "Idempotent: Updates existing security hook if present.",
+      inputSchema: CreateSecurityHookInputSchema,
+      annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+      },
+    },
+    async (args) => {
+      const { project_path, strictness } = args;
+      const absPath = resolveProjectPath(project_path);
+
+      try {
+        // Get the appropriate command list
+        let commands: string[];
+        switch (strictness) {
+          case "paranoid":
+            commands = DANGEROUS_COMMANDS_PARANOID;
+            break;
+          case "strict":
+            commands = DANGEROUS_COMMANDS_STRICT;
+            break;
+          default:
+            commands = DANGEROUS_COMMANDS_STANDARD;
+        }
+
+        // Create the blocker script
+        const scriptsDir = sanitizePath(absPath, ".claude/scripts");
+        await ensureDir(scriptsDir);
+
+        const patterns = commands.map((c) => `  "${c.replace(/"/g, '\\"')}"`).join("\n");
+        const secretPatterns = SECRET_PATTERNS.map((p) => `  "${p}"`).join("\n");
+
+        const blockerScript = `#!/usr/bin/env bash
+# Security hook: blocks dangerous commands
+# Strictness level: ${strictness}
+# Generated by rebar-mcp
+
+COMMAND="$TOOL_INPUT_COMMAND"
+
+# Dangerous command patterns
+DANGEROUS_PATTERNS=(
+${patterns}
+)
+
+for pattern in "\${DANGEROUS_PATTERNS[@]}"; do
+  if echo "$COMMAND" | grep -qiF "$pattern"; then
+    echo "BLOCKED: Command contains dangerous pattern: $pattern" >&2
+    echo "If you need to run this command, do it manually outside Claude Code." >&2
+    exit 1
+  fi
+done
+
+# Secret leak detection
+SECRET_PATTERNS=(
+${secretPatterns}
+)
+
+for pattern in "\${SECRET_PATTERNS[@]}"; do
+  if echo "$COMMAND" | grep -qE "$pattern"; then
+    echo "BLOCKED: Command may expose secrets matching pattern: $pattern" >&2
+    exit 1
+  fi
+done
+
+exit 0
+`;
+
+        const scriptPath = path.join(scriptsDir, "security-blocker.sh");
+        await atomicWrite(scriptPath, blockerScript);
+        // Make executable
+        const { chmod } = await import("node:fs/promises");
+        await chmod(scriptPath, 0o755);
+
+        // Add hook to settings.json
+        const settingsPath = sanitizePath(absPath, ".claude/settings.json");
+        let settings: Record<string, unknown> = {};
+        const existing = await readFileSafe(settingsPath);
+        if (existing) {
+          settings = JSON.parse(existing) as Record<string, unknown>;
+        }
+
+        if (!settings.hooks) settings.hooks = {};
+        const hooks = settings.hooks as Record<string, unknown[]>;
+        if (!hooks.PreToolCall) hooks.PreToolCall = [];
+
+        const hookEntry = {
+          description: `Security blocker (${strictness})`,
+          matcher: "Bash",
+          command: scriptPath,
+          exit_behavior: "block",
+        };
+
+        const eventHooks = hooks.PreToolCall as Record<string, unknown>[];
+        const existingIdx = eventHooks.findIndex(
+          (h) => (h.description as string)?.startsWith("Security blocker")
+        );
+        if (existingIdx >= 0) {
+          eventHooks[existingIdx] = hookEntry;
+        } else {
+          eventHooks.push(hookEntry);
+        }
+
+        // Also add deny rules to permissions
+        if (!settings.permissions) settings.permissions = {};
+        const perms = settings.permissions as Record<string, unknown>;
+        if (!perms.deny) perms.deny = [];
+        const denyList = perms.deny as string[];
+        const denyRules = [
+          "Bash(rm -rf *)",
+          "Read(./.env)",
+          "Read(./.env.*)",
+        ];
+        for (const rule of denyRules) {
+          if (!denyList.includes(rule)) {
+            denyList.push(rule);
+          }
+        }
+
+        await ensureDir(path.dirname(settingsPath));
+        await atomicWrite(settingsPath, JSON.stringify(settings, null, 2));
+
+        return makeResult(
+          `Security hooks installed!\n\n` +
+          `Strictness: ${strictness}\n` +
+          `Blocked patterns: ${commands.length} dangerous commands\n` +
+          `Secret patterns: ${SECRET_PATTERNS.length} leak detectors\n\n` +
+          `Generated files:\n` +
+          `  ✓ ${scriptPath} — Blocker script\n` +
+          `  ✓ ${settingsPath} — Hook configuration\n\n` +
+          `The following will be blocked:\n` +
+          commands.map((c) => `  • ${c}`).join("\n")
+        );
+      } catch (err: unknown) {
+        const message = err instanceof Error ? err.message : String(err);
+        return makeResult(`Failed to create security hooks: ${message}`, true);
+      }
+    }
+  );
+
+  // ─── rebar_generate_mcp_config ───────────────────────────────────
+  server.registerTool(
+    "rebar_generate_mcp_config",
+    {
+      title: "Generate MCP Config",
+      description:
+        "[Rebar] Creates a .mcp.json file with pre-configured MCP server entries for your services. " +
+        "Each entry includes the correct npx command and environment variable placeholders.\n\n" +
+        "Supported services: github, sentry, postgres, slack, linear, jira, datadog, pagerduty, vercel, supabase\n\n" +
+        "Scope:\n" +
+        "• project: Creates .mcp.json in project root (team-shared)\n" +
+        "• user: Creates in ~/.claude/.mcp.json (personal)\n\n" +
+        "Examples:\n" +
+        "  rebar_generate_mcp_config({ project_path: '.', services: ['github', 'slack'], scope: 'project' })\n" +
+        "  rebar_generate_mcp_config({ project_path: '.', services: ['github', 'sentry', 'postgres'], scope: 'project' })\n\n" +
+        "Returns: Config file location, list of configured services, next steps.",
+      inputSchema: GenerateMCPConfigInputSchema,
+      annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+      },
+    },
+    async (args) => {
+      const { project_path, services, scope } = args;
+      const absPath = resolveProjectPath(project_path);
+
+      try {
+        const mcpServers: Record<string, unknown> = {};
+
+        for (const service of services) {
+          mcpServers[service] = getMCPServiceConfig(service);
+        }
+
+        const config = { mcpServers };
+        const configContent = JSON.stringify(config, null, 2);
+
+        let configPath: string;
+        if (scope === "project") {
+          configPath = sanitizePath(absPath, ".mcp.json");
+        } else {
+          const homeDir = process.env.HOME || process.env.USERPROFILE || "~";
+          configPath = path.join(homeDir, ".claude", ".mcp.json");
+        }
+
+        const result = await safeWriteFile(configPath, configContent, true);
+
+        const serviceList = services
+          .map((s) => `  • ${s}`)
+          .join("\n");
+
+        return makeResult(
+          `MCP configuration generated!\n\n` +
+          `Location: ${configPath}\n` +
+          `Scope: ${scope}\n\n` +
+          `Configured services:\n${serviceList}\n\n` +
+          `${result.message}\n\n` +
+          `Next steps:\n` +
+          `1. Fill in API keys and tokens in the configuration\n` +
+          `2. Run 'claude mcp list' to verify the servers are registered\n` +
+          `3. Restart Claude Code to load the new MCP servers`
+        );
+      } catch (err: unknown) {
+        const message = err instanceof Error ? err.message : String(err);
+        return makeResult(`Failed to generate MCP config: ${message}`, true);
+      }
+    }
+  );
+}
+
+// ─── Helper Functions ─────────────────────────────────────────────────
+
+function getComplianceConfig(standard: string): {
+  hooks: Array<Record<string, unknown>>;
+  skills: Array<{ name: string; content: string }>;
+  claudemdSection: string;
+} {
+  switch (standard) {
+    case "hipaa":
+      return {
+        hooks: [
+          {
+            event: "PreToolCall",
+            matcher: "Bash",
+            description: "HIPAA: Audit logging for all commands",
+            command: 'echo "[$(date -u)] HIPAA_AUDIT: $TOOL_INPUT_COMMAND" >> .claude/audit.log',
+            exit_behavior: "notify",
+          },
+          {
+            event: "PreToolCall",
+            matcher: "Write|Edit",
+            description: "HIPAA: Check for PHI in written files",
+            command: 'if grep -qiE "(SSN|social.security|patient.id|medical.record|health.insurance)" "$TOOL_INPUT_FILE_PATH" 2>/dev/null; then echo "WARNING: Possible PHI detected in file" >&2; fi',
+            exit_behavior: "notify",
+          },
+        ],
+        skills: [
+          {
+            name: "phi-handler",
+            content:
+              "---\nname: phi-handler\ndescription: Ensures Protected Health Information (PHI) is handled according to HIPAA requirements\ninvocation: auto\ncontext: inline\n---\n\n# PHI Handler\n\nWhen working with code that handles health data:\n\n1. Never log PHI to console or debug output\n2. Ensure PHI is encrypted at rest and in transit\n3. Apply minimum necessary access principle\n4. Add audit trail for all PHI access\n5. Use de-identification where possible\n",
+          },
+        ],
+        claudemdSection:
+          "## HIPAA Compliance\n\n" +
+          "This project handles Protected Health Information (PHI).\n\n" +
+          "### Requirements\n" +
+          "- All PHI must be encrypted at rest (AES-256) and in transit (TLS 1.2+)\n" +
+          "- Access to PHI requires authentication and authorization\n" +
+          "- All PHI access must be logged for audit purposes\n" +
+          "- Data retention policies must be enforced\n" +
+          "- Never log PHI in application logs, console output, or error messages\n" +
+          "- Use de-identified data for development and testing\n\n" +
+          "### Data Classification\n" +
+          "- **PHI**: Patient names, SSN, medical records, insurance IDs, dates of service\n" +
+          "- **ePHI**: Electronic PHI stored or transmitted digitally\n" +
+          "- **De-identified**: Data with all 18 HIPAA identifiers removed\n",
+      };
+
+    case "soc2":
+      return {
+        hooks: [
+          {
+            event: "PreToolCall",
+            matcher: "Bash",
+            description: "SOC2: Audit logging",
+            command: 'echo "[$(date -u)] SOC2_AUDIT: $TOOL_INPUT_COMMAND" >> .claude/audit.log',
+            exit_behavior: "notify",
+          },
+        ],
+        skills: [
+          {
+            name: "access-control-review",
+            content:
+              "---\nname: access-control-review\ndescription: Reviews code for proper access control implementation per SOC2 requirements\ninvocation: auto\ncontext: fork\n---\n\n# Access Control Review\n\nVerify that code changes implement proper access controls:\n\n1. Authentication is required for all protected endpoints\n2. Authorization checks match the principle of least privilege\n3. Session management follows security best practices\n4. API keys and tokens are properly scoped\n",
+          },
+        ],
+        claudemdSection:
+          "## SOC2 Compliance\n\n" +
+          "This project follows SOC2 Trust Service Criteria.\n\n" +
+          "### Security Controls\n" +
+          "- All changes require code review\n" +
+          "- Access follows principle of least privilege\n" +
+          "- Audit logging enabled for all state-changing operations\n" +
+          "- Encryption required for sensitive data\n" +
+          "- Regular dependency vulnerability scanning\n",
+      };
+
+    case "pci-dss":
+      return {
+        hooks: [
+          {
+            event: "PreToolCall",
+            matcher: "Bash|Write|Edit",
+            description: "PCI-DSS: Block card number patterns in code",
+            command: 'if echo "$TOOL_INPUT" | grep -qE "\\b[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\\b"; then echo "BLOCKED: Possible card number detected" >&2; exit 1; fi',
+            exit_behavior: "block",
+          },
+        ],
+        skills: [],
+        claudemdSection:
+          "## PCI-DSS Compliance\n\n" +
+          "This project handles payment card data.\n\n" +
+          "### Requirements\n" +
+          "- Never store full card numbers in code, logs, or comments\n" +
+          "- Use tokenization for card data references\n" +
+          "- All cardholder data must be encrypted\n" +
+          "- Follow secure coding guidelines (OWASP)\n",
+      };
+
+    case "sox":
+      return {
+        hooks: [
+          {
+            event: "PreToolCall",
+            matcher: "Bash",
+            description: "SOX: Audit logging for financial systems",
+            command: 'echo "[$(date -u)] SOX_AUDIT: $TOOL_INPUT_COMMAND" >> .claude/audit.log',
+            exit_behavior: "notify",
+          },
+        ],
+        skills: [],
+        claudemdSection:
+          "## SOX Compliance\n\n" +
+          "This project is subject to Sarbanes-Oxley requirements.\n\n" +
+          "### Requirements\n" +
+          "- All changes to financial calculations require dual review\n" +
+          "- Audit trail for all data modifications\n" +
+          "- Separation of duties in deployment pipeline\n" +
+          "- Change management documentation required\n",
+      };
+
+    default:
+      return { hooks: [], skills: [], claudemdSection: "" };
+  }
+}
+
+function getReviewFocusInstructions(focus: string): string {
+  switch (focus) {
+    case "security":
+      return "Focus on security vulnerabilities: injection attacks, auth issues, data exposure, OWASP Top 10.";
+    case "performance":
+      return "Focus on performance issues: N+1 queries, memory leaks, unnecessary re-renders, bundle size.";
+    case "style":
+      return "Focus on code style: naming conventions, code organization, readability, documentation.";
+    default:
+      return "Review for security, performance, code quality, and correctness.";
+  }
+}
+
+function getMCPServiceConfig(service: string): Record<string, unknown> {
+  const configs: Record<string, Record<string, unknown>> = {
+    github: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-github"],
+      env: { GITHUB_PERSONAL_ACCESS_TOKEN: "<your-github-token>" },
+    },
+    sentry: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-sentry"],
+      env: { SENTRY_AUTH_TOKEN: "<your-sentry-token>" },
+    },
+    postgres: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-postgres"],
+      env: { POSTGRES_CONNECTION_STRING: "<your-postgres-url>" },
+    },
+    slack: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-slack"],
+      env: { SLACK_BOT_TOKEN: "<your-slack-token>" },
+    },
+    linear: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-linear"],
+      env: { LINEAR_API_KEY: "<your-linear-key>" },
+    },
+    jira: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-jira"],
+      env: {
+        JIRA_URL: "<your-jira-url>",
+        JIRA_API_TOKEN: "<your-jira-token>",
+        JIRA_EMAIL: "<your-email>",
+      },
+    },
+    datadog: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-datadog"],
+      env: {
+        DD_API_KEY: "<your-datadog-api-key>",
+        DD_APP_KEY: "<your-datadog-app-key>",
+      },
+    },
+    pagerduty: {
+      command: "npx",
+      args: ["-y", "@modelcontextprotocol/server-pagerduty"],
+      env: { PAGERDUTY_API_KEY: "<your-pagerduty-key>" },
+    },
+    vercel: {
+      command: "npx",
+      args: ["-y", "@vercel/mcp"],
+      env: { VERCEL_TOKEN: "<your-vercel-token>" },
+    },
+    supabase: {
+      command: "npx",
+      args: ["-y", "@supabase/mcp-server"],
+      env: { SUPABASE_ACCESS_TOKEN: "<your-supabase-token>" },
+    },
+  };
+
+  return configs[service] || {
+    command: "npx",
+    args: ["-y", `@modelcontextprotocol/server-${service}`],
+    env: {},
+  };
+}