CLI-321 introduce 'run mcp' command

[sophio-japharidze-sonarsource]

No description provided.

[hashicorp-vault-sonar-prod]

CLI-321

[sonar-review-alpha]

Summary

This PR introduces a new hidden run mcp command that spawns a SonarQube MCP (Model Context Protocol) server in a Docker container, enabling integration with AI agents like Claude Code.

What changed:

• Added sonar run mcp command with options for debug mode, read-only operation, toolset selection, and explicit project key
• Implemented MCP server configuration builder that constructs Docker container invocations with appropriate environment variables and volume mounts
• Integrated MCP setup into the integrate claude flow to auto-configure Claude's MCP client files
• Auto-discovers project key and workspace directory when available (skips if running from home directory)
• Validates container runtime availability (Docker/Podman/Nerdctl)

Why:
This enables the CLI to be used as a managed MCP server for AI agents, providing programmatic access to SonarQube analysis capabilities via the Model Context Protocol standard. The container-based approach ensures environment isolation and dependency management.

What reviewers should know

Start here: Review src/cli/commands/run/mcp.ts for the main command implementation, then src/lib/mcp/server-config.ts for how Docker invocation is built.

Key design decisions:

• The command is hidden (not user-facing) — it's designed for agent/programmatic use
• Uses stdio inheritance for MCP protocol transport (bidirectional I/O)
• Read-only filesystem mount (/app/mcp-workspace:ro) prevents container from modifying host files
• Project discovery is automatic but skipped if running from home directory (prevents unintended scope)
• Environment variables pass authentication and options to the container

Integration points:

• Command registration in command-tree.ts (lines ~258-279)
• Claude integration writes MCP config to ~/.anthropic/claude.json via setupMcpServer() in src/cli/commands/integrate/claude/mcp.ts
• Auth and project discovery leverage existing CLI infrastructure

Test coverage:

• Unit tests for server config generation and MCP setup
• Integration test for the full run mcp flow
• Tests for Claude integration configuration writing

Watch for:

• Container runtime detection is platform-dependent; review tool-detector.ts changes if testing on non-Linux
• Home directory detection uses path canonicalization to avoid symlink issues
• Project mounting only happens for discovered/specified projects outside home directory

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sophio-japharidze-sonarsource]

This change is needed so that project discovery does not pollute stdio for mcp

[nquinquenel]

Looks good overall, few comments

[nquinquenel]

Is this wanted in scope of this PR? Was it for debug only?

[sophio-japharidze-sonarsource]

No, it's needed. Because before this print line was inside discoverProject method that is now also called from runMcp. And any print lines would interfere with the stdio.

Additionally, these prints do not belong in the discoverProject as it is an utility method that should not affect the CLI UX.

[nquinquenel]

I think it should not resolve() for non 0 exit code, maybe reject with a CommandFailedError message?

[sophio-japharidze-sonarsource]

Rejecting here would add another redundant error message to stdout (through generic CommandFailedError handler). When container exists with non-0 exit code, this command will exit too, with the same exit code as the continer.

[nquinquenel]

If we want to optimize, SONARQUBE_URL is not needed in scope of SQC (it defaults to sonarcloud.io)

[sophio-japharidze-sonarsource]

I think it's ok to keep it because like this we will always explicitly set the URL and will not need extra checks saying something like isCloud && region==US, etc.

[nquinquenel]

I know it's not ideal but CAG requires to have :rw access (write included). Worth checking what we want to do, it's maybe not a good practice to put a write access via a wrapper command that is doing opaque things.

[nquinquenel]

I know it's not ideal but CAG requires to have :rw access (write included). Worth checking what we want to do, it's maybe not a good practice to put a write access via a wrapper command that is doing opaque things.

[nquinquenel]

I think it should probably fail if we don't have an org defined. Currently, we won't be able to start the server properly.

[sophio-japharidze-sonarsource]

I have changed auth-resolver to NOT resolve auth if connection type is cloud and org key is not defined.

[nquinquenel]

Should we test read only/toolsets options here?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
95.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

Solid implementation. The key architectural moves — extracting getMcpServerConfig into a shared lib, and refactoring discoverProject to return configSources instead of printing directly — are clean and well-motivated. The dedicated integration test asserting stdout cleanliness for MCP JSON-RPC transport is exactly the right thing to test. One uncovered path in auth-resolver.ts is worth a test before this is in production.

🗣️ Give feedback

[sonar-review-alpha]

Missing test coverage: No test exercises the path where a saved connection has type: 'cloud' but orgKey is undefined, which makes resolveFromState return null. All existing auth-resolver tests supply orgKey: 'my-org'.

This guard prevents a malformed cloud state entry from producing auth — a regression here would silently allow the downstream code to pass an empty SONARQUBE_ORG env var to the container. A unit test against resolveFromState with a state fixture of { type: 'cloud', serverUrl: '...', /* no orgKey */ } would cover it.

• Mark as noise