Production-grade MCP server for GitHub triage, site auditing, and releases.
OmniAudit MCP
Single self-hosted MCP connector that ships three production modules:
- AuditLens (`auditlens.*`): GitHub PR/run evidence triage and issue drafting.
- SiteLint (`sitelint.*`): live URL audit and report generation.
- Release Butler (`releasebutler.*`): release asset checksums and release-note workflows.
It exposes one MCP endpoint at POST /mcp and includes a lightweight dashboard at GET /ui.
Features implemented
- MCP tools across all required namespaces (`auditlens`, `sitelint`, `releasebutler`, `core`).
- Backward-compatible `releasebutler.generate_notes` extensions:
  - optional `from_tag`
  - optional `to_tag`
  - optional `fallback_window`
- Optional `releasebutler.create_release` local file asset upload (`assets[]`) with per-file outcome metadata:
  - `uploaded_assets[]`
  - `failed_assets[]`
- Object storage hardening:
  - `local` backend
  - `s3` backend with dual-read behavior (new writes to S3, legacy local refs still readable)
- Policy controls:
  - repo write allowlist
  - URL allowlist/denylist
  - write-operation confirmation token gate
  - rate limiting for scan submissions and GitHub writes
- Receipt-first write operations with immutable output references.
- Append-only audit log storage with hashed tool inputs.
- Observability baseline:
  - structured logs (`LOG_FORMAT=json|plain`)
  - optional OTLP traces (`OTEL_ENABLED=true`)
  - Prometheus `/metrics` endpoint (`PROMETHEUS_ENABLED=true`)
- GitHub auth providers:
  - fine-grained PAT
  - GitHub App installation token flow
- S3/MinIO-compatible object storage support for artifacts and reports.
- SQL storage for jobs, receipts, audit logs, and secret records.
Repository layout
- `apps/mcp_server` - FastAPI MCP server and dashboard endpoints
- `packages/omniaudit` - domain modules, runtime, security, storage
- `services/worker` - Celery worker and async SiteLint task
- `tests` - unit + integration tests
- `infra` - Dockerfiles
Architecture diagram
flowchart LR
ChatGPT -->|MCP JSON-RPC| API["FastAPI /mcp"]
API --> Runtime["MCP Runtime"]
Runtime --> AuditLens["AuditLens"]
Runtime --> SiteLint["SiteLint"]
Runtime --> ReleaseButler["Release Butler"]
Runtime --> Policy["Policy + Risk Gate + Rate Limits"]
Runtime --> Receipts["Receipts + Audit Logs"]
Runtime --> ObjectStore["ObjectStore (Local or S3 Dual-Read)"]
Runtime --> Jobs["JobStore"]
Worker["Celery Worker"] --> SiteLint
SiteLint --> Reports["Reports + Evidence"]
ReleaseButler --> GitHub["GitHub API"]
AuditLens --> GitHub
API --> Metrics["/metrics"]
Support matrix
| Capability | Status | Notes |
|---|---|---|
| MCP tool registry and dispatch | Ready | Backward-compatible tool names and required args maintained |
| Object storage backends | Ready | local and s3 with dual-read fallback |
| Release asset uploads | Ready | Local file path assets supported |
| Live smoke automation | Ready | scripts/smoke_hardening_pass2.sh |
| SiteLint wave 1 optional args | Ready | crawl_budget, entry_paths, auth_profile_id, baseline_scan_id |
| AuditLens wave 1 optional args | Ready | parser_profile, dedupe_strategy, issue drafting extensions |
| Release Butler wave 1 optional args | Ready | group_by, include_pr_links, draft, prerelease, dry_run |
| Governance baseline | Ready | CI workflows, templates, CODEOWNERS, policy docs |
Quickstart (local)
- Create env and install dependencies:
uv venv .venv
uv pip install --python .venv/bin/python -e '.[test]'
- Configure environment:
cp .env.example .env
- Bootstrap local data folders and key:
./scripts/bootstrap.sh
- Run API:
PYTHONPATH=packages:apps:services .venv/bin/uvicorn mcp_server.main:app --host 0.0.0.0 --port 8080
Optional SiteLint browser stack:
./scripts/install_sitelint_toolchain.sh
- Health check:
curl -s http://localhost:8080/healthz
Quickstart (Docker Compose)
cp .env.example .env
./scripts/bootstrap.sh
docker compose up --build
API endpoint: http://localhost:8080/mcp
Metrics endpoint: http://localhost:8080/metrics
ChatGPT Connector setup
In ChatGPT Developer Mode connector modal:
- Name: `OmniAudit MCP`
- MCP Server URL: `https://<your-host>/mcp`
- Authentication:
  - set to `None` if `MCP_AUTH_MODE=none`
  - set to API key flow if you enable `MCP_AUTH_MODE=api_key`
Storage backend modes
Default mode is local:
OBJECT_STORE_BACKEND=local
S3/MinIO mode with dual-read, S3-write:
OBJECT_STORE_BACKEND=s3
OBJECT_STORE_BUCKET=omniaudit
OBJECT_STORE_PREFIX=omniaudit
S3_ENDPOINT_URL=http://minio:9000
S3_FORCE_PATH_STYLE=true
S3_ACCESS_KEY_ID=minioadmin
S3_SECRET_ACCESS_KEY=minioadmin
Behavior in s3 mode:
- new immutable objects are written to `s3://<bucket>//<sha256>...`
- existing local file refs continue to resolve via fallback reads
- no migration is required for existing receipt `result_re
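
The dual-read, S3-write behavior described above, sketched as an added example (not OmniAudit's own code). The class name, the key layout under the prefix, the relative-path form of legacy local refs, and the in-memory dict standing in for the bucket are all assumptions; the sketch also shows that content-addressed keys let the reader recheck the digest on every read.

```python
import hashlib
import tempfile
from pathlib import Path


class DualReadStore:
    """Hypothetical sketch of dual-read, S3-write storage (not the project's class)."""

    def __init__(self, bucket, prefix, local_root):
        self.bucket, self.prefix = bucket, prefix
        self.local_root = Path(local_root).resolve()
        self.s3 = {}  # key -> bytes; in-memory stand-in for the S3/MinIO bucket

    def put(self, data):
        """New writes go to S3 only, keyed by the SHA-256 of the content."""
        digest = hashlib.sha256(data).hexdigest()
        key = f"{self.prefix}/{digest}"  # assumed layout: <prefix>/<sha256>
        # Immutable: an existing key is never replaced with different bytes.
        if self.s3.setdefault(key, data) != data:
            raise ValueError(f"refusing to overwrite {key}")
        return f"s3://{self.bucket}/{key}"

    def get(self, ref):
        """Resolve an s3:// ref from the bucket, else fall back to a legacy local ref."""
        s3_base = f"s3://{self.bucket}/"
        if ref.startswith(s3_base):
            key = ref[len(s3_base):]
            data = self.s3[key]
            # The key embeds the digest, so tampering or corruption is detectable.
            if hashlib.sha256(data).hexdigest() != key.rsplit("/", 1)[-1]:
                raise ValueError(f"digest mismatch for {ref}")
            return data
        if ref.startswith("s3://"):
            raise PermissionError(f"ref outside configured bucket: {ref}")
        # Legacy fallback: confine reads to the local data root (no ../ or absolute paths).
        path = (self.local_root / ref).resolve()
        if not path.is_relative_to(self.local_root):
            raise PermissionError(f"ref escapes local root: {ref}")
        return path.read_bytes()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "legacy-report.json").write_bytes(b'{"old": true}')  # constructed sample
        store = DualReadStore("omniaudit", "omniaudit", root)
        ref = store.put(b'{"new": true}')
        return {"ref": ref, "new": store.get(ref),
                "legacy": store.get("legacy-report.json")}
```
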
Tools (3)
- `auditlens`: Handles GitHub PR/run evidence triage and issue drafting.
- `sitelint`: Performs live URL audit and report generation.
- `releasebutler`: Manages release asset checksums and release-note workflows.
Environment Variables
- `OBJECT_STORE_BACKEND`: Storage backend mode (local or s3)
- `LOG_FORMAT`: Log output format (json or plain)
- `OTEL_ENABLED`: Enable OTLP traces
- `PROMETHEUS_ENABLED`: Enable Prometheus metrics endpoint
Configuration
{"mcpServers": {"omniaudit": {"command": "uv", "args": ["run", "mcp_server.main"], "env": {"OBJECT_STORE_BACKEND": "local"}}}}