
// AI AGENTS

PR Orchestrator MCP

Tools-only MCP server for safe PR automation

Python · MCP SDK · E2B SDK · FastMCP · GitHub API · Docker · Git

Overview

A tools-only MCP server that gives LLM agents the ability to fix issues, run tests, and open PRs — without compromising security. The goal: make safety the default, not an opt-in.

Safety architecture

The server is designed around the assumption that the orchestrator (the LLM) may be confused, prompt-injected, or simply wrong. Every dangerous capability is gated:

  • Isolated execution — all shell commands run inside E2B sandboxes, never on the host
  • Command allowlisting — only a curated set of git, npm and python commands is exposed
  • Fork-only workflow — the agent never writes to the upstream repo directly; all changes go through fork → PR
  • Multi-layer approval — risky operations (file deletes, force pushes, large diffs) require explicit human approval
  • Secret redaction — environment variables and detected secrets are scrubbed from every tool response
  • Repository allowlists — the agent can only operate on pre-approved repos

Why MCP

The Model Context Protocol gives us a standardised interface that any compliant orchestrator (Cursor, custom clients, any MCP-compatible IDE) can use without modification. The same server works across all of them.

What's in the box

A handful of well-defined tools — clone_repo, apply_patch, run_tests, create_pr, comment_on_issue — each with strict input validation and predictable side effects. The orchestrator composes these; the server enforces the safety boundary.
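The following is an added illustration of the safety gates listed above (command allowlisting, force-push and large-diff approval, the fork-only rule with a repository allowlist, and secret redaction) and of the kind of strict input validation each tool performs before a side effect happens. It is constructed for this page, not the project's own code: the allowlist tables, the `example-org` / `agent-fork` repository names, the 200-line diff threshold and the function names are assumptions. Sandbox execution is out of scope; these checks decide what is permitted to reach the sandbox or GitHub at all.

```python
"""Constructed example of MCP PR-automation safety gates (not the project's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed allowlist: program -> permitted first argument. Anything else is refused.
ALLOWED_COMMANDS = {
    "git": {"status", "diff", "log", "checkout", "add", "commit", "push"},
    "npm": {"ci", "test", "run"},
    "python": {"-m"},
}
ALLOWED_REPOS = {"example-org/example-repo"}  # placeholder upstream repo
FORK_OWNER = "agent-fork"                     # placeholder fork account
MAX_UNAPPROVED_DIFF_LINES = 200               # assumed "large diff" threshold

# Shell metacharacters would let one allowlisted token smuggle a second command;
# an allowlist is only meaningful if the line is a plain argv.
_SHELL_META = re.compile(r"[;&|<>`$()\n]")
_FORCE_FLAGS = {"--force", "-f", "--force-with-lease"}
_SECRET_PATTERNS = [
    re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),       # GitHub token formats
    re.compile(r"AKIA[0-9A-Z]{16}"),                # AWS access key id
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]+"),   # Authorization headers
]


@dataclass
class Decision:
    allowed: bool
    needs_approval: bool = False
    reason: str = ""


def check_command(cmdline: str) -> Decision:
    """Command allowlisting: refuse anything outside the curated set and
    flag force pushes for human approval."""
    if _SHELL_META.search(cmdline):
        return Decision(False, reason="shell metacharacters are not permitted")
    argv = cmdline.split()
    if len(argv) < 2 or argv[0] not in ALLOWED_COMMANDS:
        return Decision(False, reason=f"program not allowlisted: {argv[:1]}")
    if argv[1] not in ALLOWED_COMMANDS[argv[0]]:
        return Decision(False, reason=f"subcommand not allowlisted: {argv[1]}")
    if argv[0] == "git" and argv[1] == "push" and (
        set(argv) & _FORCE_FLAGS or any(a.startswith("+") for a in argv[2:])
    ):
        return Decision(True, needs_approval=True, reason="force push")
    return Decision(True)


def check_patch(diff_text: str) -> Decision:
    """Approval gating for apply_patch: file deletions and large diffs
    run only after a human signs off."""
    if re.search(r"^deleted file mode", diff_text, re.M):
        return Decision(True, needs_approval=True, reason="patch deletes a file")
    changed = sum(
        1 for line in diff_text.splitlines()
        if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))
    )
    if changed > MAX_UNAPPROVED_DIFF_LINES:
        return Decision(True, needs_approval=True, reason=f"large diff: {changed} lines")
    return Decision(True)


def check_pr_target(head_repo: str, base_repo: str) -> Decision:
    """Fork-only workflow plus repository allowlist: the PR base must be a
    pre-approved repo and the head must live in the agent's own fork."""
    if base_repo not in ALLOWED_REPOS:
        return Decision(False, reason=f"repo not allowlisted: {base_repo}")
    owner, _, name = head_repo.partition("/")
    if owner != FORK_OWNER or name != base_repo.split("/", 1)[1]:
        return Decision(False, reason="head must be the agent's fork of the base repo")
    return Decision(True)


def redact(text: str, env: dict[str, str]) -> str:
    """Secret redaction: scrub environment values and well-known token shapes
    from a tool response before it is handed back to the orchestrator."""
    for name, value in env.items():
        if len(value) >= 8 and value in text:  # very short values would over-redact
            text = text.replace(value, f"[REDACTED:{name}]")
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    # Constructed sample inputs.
    for cmd in ("git status", "git push --force origin fix", "rm -rf build", "git status; echo x"):
        print(f"{cmd!r:32} -> {check_command(cmd)}")
    print(check_pr_target("agent-fork/example-repo", "example-org/example-repo"))
    print(redact("token=ghp_" + "a" * 36 + " ok", {"GITHUB_TOKEN": "ghp_" + "a" * 36}))
```

Each gate returns a `Decision` rather than raising, so the tool layer can refuse outright, run immediately, or pause for the human-approval step without the orchestrator being able to skip the distinction. Redaction runs on the response text last, after the sandbox output has been collected, so that neither stdout nor error messages carry credentials back into the model's context.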