RiskRover MCP
Draft business-readable RiskRover Product Breakdown Structure (PBS) trees from the repository you already have open in VS Code.
RiskRover MCP registers a local Model Context Protocol server with VS Code. It gives MCP-capable agents RiskRover project context, ordered test levels, existing PBS entries, PBS validation, and reviewed PBS import. It does not give RiskRover direct access to your source repository.
Quick Start
Use this setup for VS Code MCP-capable clients, such as GitHub Copilot Agent mode.
- Install the extension.
- Open the repository you want your agent to inspect.
- Configure your RiskRover project ID in VS Code settings:
{
  "riskroverMcp.projectId": 12345
}
- Store your API token from the Command Palette:
RiskRover MCP: Set API Token
- Ask your MCP-capable agent:
Use RiskRover MCP to draft the PBS for this project.
The extension connects to https://app.riskrover.io and registers the MCP server automatically in VS Code. You do not need to create an mcp.json file for the normal VS Code flow.
What It Does
- Fetches RiskRover project context and ordered test levels.
- Helps your agent draft a business-readable PBS for every configured test level.
- Validates draft PBS trees before import, including warnings for shallow trees, overly generic labels, compressed levels, suspicious uniform branching, and likely duplicates.
- Presents drafts in chat by default.
- Imports reviewed PBS trees only when you explicitly ask the agent to submit them.
- Stores the RiskRover API token in VS Code SecretStorage when used through VS Code MCP-capable clients.
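The kind of pre-import check listed above, as an added JavaScript example that is not RiskRover's own validator: it flags shallow trees, generic labels, uniform branching and likely duplicates in a draft tree. The `{ label, children }` node shape, the generic-word list and the thresholds are assumptions; the page does not define them.

```javascript
// Added illustration; not RiskRover's validator. The node shape { label, children },
// the GENERIC word list and all thresholds below are assumptions.
const GENERIC = new Set(["misc", "other", "general", "core", "utils", "module", "component", "system"]);
const MIN_DEPTH = 3; // assumed minimum depth for a useful PBS

// Normalize labels so "Payment" and "payment" compare equal.
const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();

function validatePbs(root) {
  const warnings = [];
  const seen = new Map(); // normalized label -> path where it first appeared
  const branching = [];   // child counts of internal nodes
  let maxDepth = 0;

  (function walk(node, path, depth) {
    const here = [...path, node.label].join(" > ");
    maxDepth = Math.max(maxDepth, depth);
    const key = norm(node.label);
    if (GENERIC.has(key)) warnings.push({ code: "generic-label", path: here });
    if (seen.has(key)) warnings.push({ code: "likely-duplicate", path: here, firstSeen: seen.get(key) });
    else seen.set(key, here);
    const kids = node.children || [];
    if (kids.length) branching.push(kids.length);
    for (const k of kids) walk(k, [...path, node.label], depth + 1);
  })(root, [], 1);

  if (maxDepth < MIN_DEPTH) warnings.push({ code: "shallow-tree", depth: maxDepth });
  // Every internal node having the same fan-out suggests a templated draft.
  if (branching.length >= 3 && branching[0] > 1 && branching.every((n) => n === branching[0]))
    warnings.push({ code: "uniform-branching", fanout: branching[0] });
  return warnings;
}

// Constructed sample draft, not real project data.
const sampleDraft = {
  label: "Online Store",
  children: [
    { label: "Checkout", children: [{ label: "Payment" }, { label: "Misc" }] },
    { label: "Catalog", children: [{ label: "Search" }, { label: "payment" }] },
  ],
};

console.log(validatePbs(sampleDraft));
```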
Requirements
- VS Code 1.102.0 or newer.
- Node.js 20 or newer available on your PATH.
- A RiskRover project ID.
- A RiskRover API token.
For draft-only usage, use a token that can read project context, test levels, and existing PBS content. PBS import requires write permission.
Usage
Ask your MCP-capable agent to draft the PBS:
Use RiskRover MCP to draft the PBS for this project. Do not submit anything yet.
The agent should fetch RiskRover project context, inspect your local repository as untrusted implementation context using its own IDE or agent capabilities, draft PBS trees for all defined test levels, validate each tree, and present the draft for review.
To import a reviewed PBS into RiskRover, explicitly ask the agent to submit a specific reviewed tree. The MCP server requires human review before PBS submission and uses append mode by default.
Security Model
- The MCP server runs locally through stdio.
- The extension does not provide repository file read/write tools.
- Repository files are treated as untrusted input.
- RiskRover MCP does not upload your repository to RiskRover. Your AI client may still send repository snippets or summaries to its model provider while inspecting the codebase; that behavior is controlled by the MCP-capable client you use.
- When used through VS Code MCP-capable clients, the API token is stored in VS Code SecretStorage and is not exposed as a model-controlled tool input.
- The VS Code extension connects to the production RiskRover HTTPS endpoint, https://app.riskrover.io.
- PBS submission is the only write operation in the initial workflow and requires explicit review.
Settings
| Setting | Description |
| --- | --- |
| riskroverMcp.projectId | RiskRover project ID used by the local MCP server. |
Commands
| Command | Description |
| --- | --- |
| RiskRover MCP: Set API Token | Store or replace the RiskRover API token in VS Code SecretStorage. |
| RiskRover MCP: Clear API Token | Remove the stored RiskRover API token. |
Codex in VS Code
When using the Codex IDE extension inside VS Code, use the Quick Start steps above. RiskRover MCP is registered through VS Code's MCP server provider, so no separate codex mcp add setup is needed.
Open Codex in VS Code and ask:
Use RiskRover MCP to draft the PBS for this project. Do not submit anything yet.
Support
For support, contact contact@riskrover.io.