t1162: Worker MCP isolation for Claude CLI dispatch

[marcusquinn]

Summary

Worker MCP isolation for Claude CLI dispatch — generates per-worker MCP config JSON for --mcp-config --strict-mcp-config flags. Equivalent to generate_worker_mcp_config() for OpenCode.

Ref #1759

Changes

Core: dispatch.sh

• Refactored generate_worker_mcp_config() to be CLI-aware ($2=ai_cli):
  • opencode: Preserves existing behavior — copies opencode.json with heavy indexers disabled, returns XDG_CONFIG_HOME path
  • claude: Generates standalone mcpServers JSON from user's ~/.claude/settings.json and project .mcp.json, filters out heavy indexers (osgrep, augment-context-engine), returns JSON file path
• Added --mcp-config flag to build_cli_cmd(): When building Claude CLI commands, emits --mcp-config <path> --strict-mcp-config to ensure workers only get specified MCP servers
• Updated all 4 dispatch sites to generate MCP config BEFORE building CLI commands (required for Claude CLI where config is a CLI flag, not an env var):
  • cmd_dispatch (main dispatch)
  • do_prompt_repeat (prompt-repeat retry)
  • cmd_reprompt (retry dispatch)
  • deploy.sh review-fix dispatch

Cleanup: cleanup.sh

• cleanup_worker_processes() now removes per-worker ${task_id}-config/ directory

Tests: test-dispatch-claude-cli.sh

• 12 new tests (Section 11) covering:
  • Claude MCP config generation (valid JSON, mcpServers key)
  • Heavy indexer filtering (osgrep, augment-context-engine excluded)
  • Non-heavy server preservation (context7, sentry kept)
  • build_cli_cmd with/without --mcp-config flag
  • OpenCode backward compatibility (XDG_CONFIG_HOME still works)
  • Config directory cleanup

Verification

• ShellCheck: 0 violations on all modified .sh files
• Tests: 72 total, 71 passed, 0 failed, 1 skipped (pre-existing)
• Backward compat: OpenCode dispatch path unchanged — same XDG_CONFIG_HOME mechanism

Summary by CodeRabbit

• New Features

  • Added per-worker configuration generation with automatic exclusion of heavy indexing tools to improve performance and reduce resource overhead.
  • Enabled worker isolation from global configuration, allowing independent configuration management for concurrent operations.
  • Introduced configuration cleanup during worker termination.

• Tests

  • Added test coverage for worker configuration generation and validation.

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 10 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

The PR introduces per-worker MCP config generation to isolate Claude workers from global MCP configuration. Changes add new helper functions to generate worker-specific configs for both Claude and OpenCode paths, update CLI command builders to accept and propagate MCP config parameters, and extend cleanup routines to remove per-worker config directories.

Changes

Cohort / File(s)	Summary
MCP Config Generation & Dispatch .agents/scripts/supervisor/dispatch.sh	Introduces generate_worker_mcp_config() and internal helpers to produce per-worker MCP configs for both Claude (merging user settings + project .mcp.json, filtering heavy indexers) and OpenCode (copying and disabling heavy MCPs). Updates build_cli_cmd(), build_dispatch_cmd(), and build_verify_dispatch_cmd() to accept and thread MCP config parameters through CLI invocation; extends task dispatch and reprompt flows to generate and propagate worker-specific MCP configs.
CLI Integration & Deployment .agents/scripts/supervisor/deploy.sh	Integrates worker MCP config into Claude CLI invocation via --mcp-config and --strict-mcp-config flags; preserves OpenCode behavior using XDG_CONFIG_HOME. Creates pids directory prior to use and evaluates generated worker MCP configs conditionally based on CLI path (Claude vs. OpenCode).
Cleanup & Artifact Management .agents/scripts/supervisor/cleanup.sh	Adds cleanup step to remove per-worker MCP config directories at SUPERVISOR_DIR/pids/${task_id}-config after per-task dispatch/wrapper script removal.
Test Coverage tests/test-dispatch-claude-cli.sh	Adds comprehensive test section for Worker MCP Config Generation (t1162): validates config generation, verifies heavy indexers are excluded while non-heavy servers preserved, confirms CLI flag propagation, tests backward compatibility with OpenCode, and validates cleanup of per-worker config directories.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant Dispatcher as Dispatch System
    participant MCP as MCP Config<br/>Generator
    participant Claude as Claude CLI
    participant Worker as Worker Process
    participant Cleanup as Cleanup System

    User->>Dispatcher: Initiate task dispatch
    Dispatcher->>MCP: generate_worker_mcp_config(task_id, path)
    
    rect rgba(100, 150, 200, 0.5)
        Note over MCP: For Claude path:<br/>Merge user + project config<br/>Filter heavy indexers
    end
    
    MCP->>MCP: Create per-worker config<br/>at pids/${task_id}-config
    MCP-->>Dispatcher: Return config path
    
    Dispatcher->>Claude: build_cli_cmd with<br/>--mcp-config flag
    Dispatcher->>Claude: Invoke with --strict-mcp-config
    Claude->>Worker: Execute with isolated<br/>MCP configuration
    Worker-->>Claude: Return results
    
    Dispatcher->>Cleanup: Task complete
    Cleanup->>Cleanup: Remove pids/${task_id}-config
    Cleanup-->>User: Cleanup finished

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• t1160.1: Create build_cli_cmd() abstraction in supervisor/dispatch.sh #2053: Introduces build_cli_cmd() function that this PR extends with --mcp-config parameter support and MCP config propagation logic.
• fix: supervisor integration testing fixes (t128.7) #384: Modifies cleanup_worker_processes() and build_dispatch_cmd() to add artifact cleanup and parameter threading; this PR builds upon that pattern for MCP config management.
• t1031: Modularize supervisor-helper.sh into domain modules #1359: Introduces per-worker MCP config generation patterns and cleanup scaffolding that this PR refines and integrates into the full dispatch and deployment pipeline.

Poem

🔧 Workers now wear their own configs, light and lean,
Heavy indexers sidelined—a cleaner machine.
Claude speaks in isolation, Claude speaks with grace,
While cleanup sweeps away each temporary trace.
MCP-driven freedom for each supervised place. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: introducing per-worker MCP isolation for Claude CLI dispatch, which is the primary objective across all modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/t1162

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 34 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 09:27:30 UTC 2026: Code review monitoring started
Sat Feb 21 09:27:31 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 34

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 34
• VULNERABILITIES: 0

Generated on: Sat Feb 21 09:27:33 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 34 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 09:29:08 UTC 2026: Code review monitoring started
Sat Feb 21 09:29:09 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 34

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 34
• VULNERABILITIES: 0

Generated on: Sat Feb 21 09:29:11 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to worker isolation by implementing CLI-aware Multi-Client Protocol (MCP) configuration generation. The primary goal is to optimize resource usage and ensure predictable behavior for AI workers, particularly when using the Claude CLI. By generating tailored MCP configurations that exclude heavy indexers like osgrep and augment-context-engine, the system prevents unnecessary CPU consumption during worker startup. This change also standardizes how MCP configurations are applied across different AI clients, using CLI flags for Claude and environment variables for OpenCode, while maintaining full backward compatibility.

Highlights

• CLI-Aware MCP Configuration: The generate_worker_mcp_config() function has been refactored to be CLI-aware, distinguishing between 'opencode' and 'claude' clients. For OpenCode, it continues to generate an XDG_CONFIG_HOME path with heavy indexers disabled. For Claude, it now generates a standalone JSON file containing mcpServers from user settings and project configuration, also filtering out heavy indexers.
• Claude CLI MCP Isolation: Claude CLI commands are now built with --mcp-config <path> and --strict-mcp-config flags, ensuring that workers only utilize the specifically provided MCP servers and preventing them from inheriting a broader, potentially resource-intensive global configuration.
• Dispatch Flow Updates: All four dispatch sites (cmd_dispatch, do_prompt_repeat, cmd_reprompt, deploy.sh) have been updated to generate the worker-specific MCP configuration before building the CLI commands. This is crucial for Claude CLI, where the configuration is passed as a command-line flag rather than an environment variable.
• Resource Cleanup: The cleanup_worker_processes() function in cleanup.sh has been enhanced to remove the temporary per-worker ${task_id}-config/ directories, ensuring proper cleanup of generated MCP configuration files.
• Comprehensive Testing: Twelve new tests have been added to test-dispatch-claude-cli.sh to thoroughly cover Claude MCP config generation, heavy indexer filtering, non-heavy server preservation, build_cli_cmd behavior with and without --mcp-config, OpenCode backward compatibility, and the cleanup process.

Changelog

• .agents/scripts/supervisor/cleanup.sh
  • Added logic to cleanup_worker_processes to remove per-worker MCP config directories, ensuring proper resource cleanup.
• .agents/scripts/supervisor/deploy.sh
  • Moved the generation of worker-specific MCP config to occur earlier in the script, before building CLI commands.
  • Modified the Claude CLI command construction to include --mcp-config and --strict-mcp-config flags when a worker MCP config is available.
  • Updated the XDG_CONFIG_HOME export logic to apply only for OpenCode, as Claude CLI uses command-line flags for MCP configuration.
• .agents/scripts/supervisor/dispatch.sh
  • Refactored generate_worker_mcp_config to accept an ai_cli argument, enabling it to dispatch to _generate_worker_mcp_config_claude or _generate_worker_mcp_config_opencode.
  • Introduced _generate_worker_mcp_config_opencode to encapsulate the existing OpenCode-specific MCP config generation logic.
  • Added _generate_worker_mcp_config_claude to generate Claude-specific MCP config JSON, merging user and project settings while filtering out heavy indexers.
  • Updated build_cli_cmd to accept a --mcp-config argument and to emit --mcp-config and --strict-mcp-config flags for Claude CLI.
  • Modified do_prompt_repeat, cmd_dispatch, and cmd_reprompt functions to generate worker MCP config earlier and pass the resulting path to build_cli_cmd or build_dispatch_cmd/build_verify_dispatch_cmd.
  • Adjusted build_dispatch_cmd and build_verify_dispatch_cmd to accept an optional mcp_config parameter for Claude CLI.
  • Updated the environment variable export for XDG_CONFIG_HOME in dispatch scripts to be conditional on the AI client type, applying it only for OpenCode.
• tests/test-dispatch-claude-cli.sh
  • Added a new section (Section 11) dedicated to testing worker MCP config generation for Claude CLI.
  • Included tests to verify that generate_worker_mcp_config for Claude produces valid JSON with the mcpServers key.
  • Added tests to confirm that heavy indexers (osgrep, augment-context-engine) are correctly excluded from Claude's worker MCP config.
  • Verified that non-heavy MCP servers (context7, sentry) are preserved in Claude's worker MCP config.
  • Tested that build_cli_cmd correctly includes --mcp-config and --strict-mcp-config flags for Claude when provided, and omits them otherwise.
  • Confirmed backward compatibility for OpenCode, ensuring generate_worker_mcp_config still functions as expected and disables osgrep.
  • Added a test to verify that the cleanup process successfully removes per-worker MCP config directories.

Activity

• The pull request introduces a new feature to isolate worker MCP configurations for Claude CLI, addressing issue t1162: Worker MCP isolation for Claude CLI dispatch #1759.
• The core logic for generating worker-specific MCP configurations has been refactored to support both OpenCode and Claude CLIs.
• Dispatch mechanisms across deploy.sh, dispatch.sh (including do_prompt_repeat, cmd_dispatch, cmd_reprompt) have been updated to integrate the new CLI-aware MCP config generation.
• A cleanup mechanism was added to cleanup.sh to remove temporary worker config directories.
• Extensive new tests (12 in total) were added to test-dispatch-claude-cli.sh to validate the new Claude MCP config generation, filtering, and integration, as well as OpenCode backward compatibility.
• The author verified the changes with ShellCheck (0 violations), confirmed all tests passed (71/72, 1 skipped pre-existing), and ensured backward compatibility for OpenCode dispatch.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request successfully implements worker MCP isolation for the Claude CLI, addressing performance issues caused by heavy indexers. However, there are several opportunities to improve the code's robustness and adherence to the project's style guide. Key areas for improvement include replacing eval with safer array construction, avoiding blanket error suppression with 2>/dev/null, ensuring all functions have explicit return statements, and consolidating jq operations for better efficiency.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

tests/test-dispatch-claude-cli.sh (2)

1152-1184: Replace hardcoded /tmp/test-mcp-config.json with a $TEST_DIR-scoped path for test isolation.

Lines 1163 and 1215 pass /tmp/test-mcp-config.json as the --mcp-config argument. Since the test only verifies that build_cli_cmd propagates the flag verbatim (the file doesn't need to exist), the path value itself is arbitrary — but /tmp/ is global and shared across concurrent test runs. Using $TEST_DIR keeps the value consistent with the rest of the file's isolation strategy and eliminates any theoretical collision with other processes.

♻️ Proposed fix

-    build_cli_cmd --cli claude --action run --output array \
-        --model 'anthropic/claude-sonnet-4-6' \
-        --mcp-config '/tmp/test-mcp-config.json' \
-        --prompt 'Test prompt'
+    build_cli_cmd --cli claude --action run --output array \
+        --model 'anthropic/claude-sonnet-4-6' \
+        --mcp-config '$TEST_DIR/test-mcp-config.json' \
+        --prompt 'Test prompt'

Apply the same substitution at line 1179 (grep -q "/tmp/test-mcp-config.json" → grep -q "$TEST_DIR/test-mcp-config.json") and line 1215.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test-dispatch-claude-cli.sh` around lines 1152 - 1184, Replace the
hardcoded /tmp/test-mcp-config.json with a TEST_DIR-scoped path by using
"$TEST_DIR/test-mcp-config.json" where the mcp config is passed to build_cli_cmd
(the mcp_cmd assignment) and in the subsequent grep check that asserts the
config file path; update the grep pattern that looks for
"/tmp/test-mcp-config.json" accordingly. Ensure you reference the same variable
TEST_DIR and leave the other checks for --mcp-config and --strict-mcp-config
unchanged so the test still validates flag propagation for build_cli_cmd and the
mcp_cmd output.

---

1117-1150: Add a jq prerequisite guard — missing jq causes FAILs instead of SKIPs.

jq is invoked at four places (lines 1118, 1126–1127, 1140–1141, 1259) with no availability check. On a host without jq:

• Line 1118's compound condition short-circuits to false → reports FAIL (not SKIP).
• Lines 1126–1127 produce empty strings → the [[ "$has_osgrep" == "false" ]] comparisons fail silently → FAIL.

This can produce misleading CI failures that have nothing to do with the feature under test.

♻️ Proposed fix: add a jq prerequisite skip block at the top of Section 11

 section "Worker MCP Config Generation (t1162)"
+
+if ! command -v jq &>/dev/null; then
+    skip "generate_worker_mcp_config (jq not available — install jq to run MCP config tests)"
+    # Jump to summary; remaining assertions in this section depend on jq
+else

Then close the else block just before the SUMMARY comment (line 1292):

+fi  # end jq prerequisite guard
+
 # ============================================================
 # SUMMARY

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test-dispatch-claude-cli.sh` around lines 1117 - 1150, Add a guard that
checks for the jq executable before Section 11’s tests run and SKIPs the entire
block if jq is missing: detect jq with command -v jq >/dev/null and if not found
call skip (or echo SKIP) for the whole Claude MCP config test block that
contains the "Generated config is valid JSON with mcpServers key", "Heavy
indexers are excluded", and "Non-heavy MCP servers are preserved" checks (which
use jq on $claude_mcp_result); wrap those tests in an if/else so jq-missing
yields SKIP and ensure you close the else block just before the SUMMARY comment
so the rest of the script behavior is unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/supervisor/dispatch.sh:
- Around line 1811-1958: The function generate_worker_mcp_config currently
assumes project .mcp.json locations and must accept a repo/worktree root
parameter and propagate it to _generate_worker_mcp_config_claude so
project-level MCPs are discovered; update generate_worker_mcp_config signature
to add a third arg (repo_root), pass it through to
_generate_worker_mcp_config_claude, and inside
_generate_worker_mcp_config_claude replace the hardcoded
"$HOME/Git/aidevops/.mcp.json" and "./.mcp.json" checks with a lookup that uses
the passed repo_root (e.g., "$repo_root/.mcp.json") while still falling back to
other sensible locations, then update all callers (e.g., cmd_dispatch,
do_prompt_repeat, cmd_reprompt and the review-fix dispatch sites) to pass the
worktree_path/repo root when invoking generate_worker_mcp_config.

In `@tests/test-dispatch-claude-cli.sh`:
- Around line 1066-1069: Remove the incorrect "duplicate SECTION 11" claim in
the test header for "Worker MCP Config Generation (t1162)"; replace both
hardcoded /tmp/test-mcp-config.json occurrences passed as mock CLI args with
"$TEST_DIR/test-mcp-config.json" so the test uses the same per-run artifact
variable; and add a prerequisite check near the top of this test (before any jq
usage) such as: command -v jq >/dev/null || skip "jq required" so jq absence
produces a clear skip rather than obscure failures (leave existing jq error
suppression and file-existence guards in place).

---

Nitpick comments:
In `@tests/test-dispatch-claude-cli.sh`:
- Around line 1152-1184: Replace the hardcoded /tmp/test-mcp-config.json with a
TEST_DIR-scoped path by using "$TEST_DIR/test-mcp-config.json" where the mcp
config is passed to build_cli_cmd (the mcp_cmd assignment) and in the subsequent
grep check that asserts the config file path; update the grep pattern that looks
for "/tmp/test-mcp-config.json" accordingly. Ensure you reference the same
variable TEST_DIR and leave the other checks for --mcp-config and
--strict-mcp-config unchanged so the test still validates flag propagation for
build_cli_cmd and the mcp_cmd output.
- Around line 1117-1150: Add a guard that checks for the jq executable before
Section 11’s tests run and SKIPs the entire block if jq is missing: detect jq
with command -v jq >/dev/null and if not found call skip (or echo SKIP) for the
whole Claude MCP config test block that contains the "Generated config is valid
JSON with mcpServers key", "Heavy indexers are excluded", and "Non-heavy MCP
servers are preserved" checks (which use jq on $claude_mcp_result); wrap those
tests in an if/else so jq-missing yields SKIP and ensure you close the else
block just before the SUMMARY comment so the rest of the script behavior is
unchanged.

Auto-dismissed: bot review does not block autonomous pipeline

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 34 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 09:58:19 UTC 2026: Code review monitoring started
Sat Feb 21 09:58:20 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 34

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 34
• VULNERABILITIES: 0

Generated on: Sat Feb 21 09:58:22 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud