Skip to main content

A periscope for your repos - read-only MCP server for sibling repository context

Project description

Repiscope

A periscope for your repos — see everything, touch nothing.

Repiscope is a read-only MCP server that gives your coding agent (Claude Code, Cursor, or any MCP client) awareness of the sibling repositories next to the one it's working in — without ever letting it modify them.

Why

I built a personal assistant to help me decide where my time goes: for that it needs to know the real state of every project — what changed, what stalled, what the next step is. So it has to see all my repos. But telling an agent "don't touch anything" is a request, not a guarantee. Repiscope makes it a guarantee: the server exposes zero write tools, so the agent structurally cannot modify your repos. And the same periscope helps any coding agent working in project A that needs to know how a part of project B works.

Sandboxes make this worse, not better: mine (rightly) stops the agent from even reading outside the repo it started in without asking. Widening the sandbox would grant write access too. Repiscope is the third way — the agent gets structured, read-only sight of every sibling repo through one MCP server, and the sandbox stays tight.

See it in action

You're working in project-a and need to pull data from another project's API. Instead of you digging through that codebase, the agent asks Repiscope directly:

You:    Use Repiscope to find out what kind of data I can retrieve
        from billing-api through its API.

Agent:  (calls list_projects → sees "billing-api")
        (calls project_overview "billing-api" → spots src/routes/)
        (calls search "route" project="billing-api")
        (calls read_file "billing-api" "src/routes/invoices.py")

        billing-api exposes three endpoints: /invoices (list, filterable
        by customer and date), /invoices/{id} (full invoice with line
        items), and /customers/{id}/balance (current balance). All
        responses are JSON; auth is a bearer token.

The agent explored a repo it has no ability to write to. No copy-paste, no "please don't edit anything," no risk.

Tools

Tool Input Returns
list_projects() every sibling repo + one-line description
project_overview(project) repo name full overview: purpose, stack, structure, recent commits
search(query, project?) text, optional repo files & lines matching the query
read_file(project, path) repo + file path full file contents (size-capped)
store_summary(project, summary) repo + your text caches an agent-written summary (see below)

How it stays fresh

Overviews are cached as markdown and refreshed lazily: on each call Repiscope compares the repo's current git commit hash against the one recorded when the overview was built. Same hash → serve the cache. Different → rebuild just that repo's overview. No cron, no daemons.

Borrowed intelligence

Repiscope has no LLM of its own — no API key, no model calls, zero cost. But it talks to LLMs all day, so it borrows them: when an overview has no fresh agent-written summary, it ends with a note asking the calling agent to write one and hand it back via store_summary. The summary then opens every future overview of that project — written by one agent, read by all the next — until the repo's next commit marks it outdated and the cycle repeats.

Security by architecture

Repiscope is built so that the safe behaviour is not a promise — it's the only behaviour possible:

  • Zero repo-write tools. The server exposes no tool that can create, edit or delete anything inside your repositories. The one tool that accepts data, store_summary, can only write to Repiscope's own cache in ~/.cache/repiscope. An agent cannot misuse a capability that doesn't exist.
  • Secrets are invisible. A single filter (privacy.py) is enforced by every tool: private keys, certificates (.pem, .pfx, .p12, …), .env* files, keystores, and anything named like a credential never appear in overviews, trees, search results or file reads. Honest limit: the filter hides sensitive files — it does not scrub mentions of e.g. a password pasted inside an ordinary text file.
  • Symlinks can't smuggle. A cloned repo is untrusted content — it may contain a symlink like notes.txt → ~/.ssh/id_rsa. Anything whose real location falls outside the project is invisible to every tool, the secret filter also checks a link's real target, and path traversal (../) is refused.
  • You define the perimeter. Repiscope only sees the folder you explicitly pass (--root), and --exclude makes chosen repos fully invisible — they can't even be resolved by name.
  • It leaves no trace. Overview caches live in ~/.cache/repiscope, never inside your repositories.

Every claim above is enforced by the test suite in tests/ — clone the repo and run pytest to check them yourself.

Quick start

pip install repiscope
claude mcp add repiscope --scope user -- repiscope --root ~/your/projects/folder

That's it — point --root at the folder containing your repos (not a repo itself). Optionally hide repos with --exclude repo-a --exclude repo-b. Works with any MCP client; for Claude Desktop there's also a one-click .mcpb bundle (build it with mcpb/build.sh).

From source instead:

git clone https://github.com/3xpr1ment/repiscope.git
cd repiscope
python -m venv .venv && .venv/bin/pip install -e .[dev]
.venv/bin/pytest   # the security claims, as executable proof

Limitations

Honesty section — what Repiscope deliberately does not do:

  • The secret filter works at file level. Sensitive files are invisible, but a password pasted inside an ordinary notes.md will not be scrubbed. The perimeter is yours: only point --root at folders you are comfortable showing to your agent — whatever the tools can see, your LLM provider will see too.
  • Search is deliberately dumb. Case-insensitive substring match, capped results, no index, no regex. The calling LLM supplies the intelligence at both ends; for heavy code search, use a real code-search tool.
  • Overviews are mechanical. Without an agent-written summary they are README excerpts, language stats and git logs — useful, not insightful. The insight arrives once your agents start leaving summaries behind.
  • Read-only cuts both ways. There is no refresh tool to call: caches refresh lazily on the next commit, and stale summaries are served marked as stale until an agent writes a new one.
  • Python ≥ 3.11, developed and tested on macOS; Linux should behave identically, Windows symlink semantics are untested.

Status

v0.2.2 — working and dogfooded daily. Four read-only tools plus borrowed-LLM summaries, lazy cache refresh, sensitive-file filtering, and a test suite proving the security claims (path traversal, symlink escapes, secret filtering — see tests/). API may still change.

How this was built

To be completely clear about authorship: I am not an engineer. Every architecture decision in Repiscope is mine — what it does, what it refuses to do, where the security gates live — but the coding itself is done by Claude (Anthropic's Fable model). My rule for the collaboration: nothing goes in that I don't understand. The commit history carries the co-authorship openly, commit by commit.

License

MIT


mcp-name: io.github.3xpr1ment/repiscope

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

repiscope-0.2.2.tar.gz (17.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

repiscope-0.2.2-py3-none-any.whl (15.2 kB view details)

Uploaded Python 3

File details

Details for the file repiscope-0.2.2.tar.gz.

File metadata

  • Download URL: repiscope-0.2.2.tar.gz
  • Upload date:
  • Size: 17.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for repiscope-0.2.2.tar.gz
Algorithm Hash digest
SHA256 10875407f39c8f4b287e8b4e88e319010d0e4197bc887178525ea113f94a246f
MD5 571b47346376c05903d248e0c89300e5
BLAKE2b-256 67f71a762e263a70db61134a9c2388c4202630858556fc763828197e0daca50f

See more details on using hashes here.

File details

Details for the file repiscope-0.2.2-py3-none-any.whl.

File metadata

  • Download URL: repiscope-0.2.2-py3-none-any.whl
  • Upload date:
  • Size: 15.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for repiscope-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 144e913ba81dd9e80600d0845700103535fb5650497c11f414c6441f71da63fd
MD5 a7a326de61615895b22b895b51d83c85
BLAKE2b-256 ee4fcbdde0a5cbac70a39b74be0434bd5845fb3fe84f6e511f63504794ece181

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page