RiskRover MCP
Draft a business-readable RiskRover Product Breakdown Structure (PBS) from your local repository without giving RiskRover access to your codebase.
RiskRover MCP runs a local Model Context Protocol server from VS Code. Your source repository stays on your machine. The MCP server can fetch RiskRover project context, ordered test levels and existing PBS entries, validate draft PBS trees, and submit a reviewed PBS only when you explicitly ask it to.
What It Does
- Fetches RiskRover project context and ordered test levels.
- Drafts a business-readable PBS for every configured test level.
- Validates PBS structure before import.
- Warns about likely duplicates when the RiskRover project already contains PBS entries.
- Presents drafts in chat by default; repository files are not created or edited unless you explicitly ask your agent to do so.
- Stores the RiskRover API token in VS Code SecretStorage when used through VS Code MCP-capable clients.
Requirements
- VS Code 1.102.0 or newer.
- Node.js 20 or newer available on your PATH.
- A RiskRover project ID.
- A RiskRover API token with the permissions required for the actions you want to perform.
For draft-only usage, use a token that can read project context, test levels, and existing PBS content. PBS import requires write permission.
VS Code Setup
Use this setup for VS Code MCP-capable clients, such as GitHub Copilot Agent mode.
- Install the extension.
- Open the repository you want your MCP-capable agent to inspect.
- Configure the RiskRover project in VS Code settings:
{
"riskroverMcp.baseUrl": "https://app.riskrover.io",
"riskroverMcp.projectId": 12345
}
Use your actual RiskRover project ID.
- Store your API token:
Open the Command Palette and run:
RiskRover MCP: Set API Token
The token is stored in VS Code SecretStorage.
- Ask your MCP-capable agent:
Use RiskRover MCP to draft the PBS for this project. Do not submit anything yet.
Codex Setup
Codex uses its own MCP configuration and does not automatically use MCP servers registered by a VS Code extension. To use RiskRover MCP in Codex, add the bundled server to Codex separately.
After installing this extension, locate the bundled server:
C:\Users\YOUR_USER\.vscode\extensions\riskrover.riskrover-mcp-vscode-<version>\dist\server.js
Then add it to Codex:
codex mcp add riskrover `
--env RISKROVER_BASE_URL=https://app.riskrover.io `
--env RISKROVER_PROJECT_ID=12345 `
--env RISKROVER_API_TOKEN=YOUR_RISKROVER_TOKEN `
--env RISKROVER_ALLOW_INSECURE_LOCALHOST=false `
-- node "C:\Users\YOUR_USER\.vscode\extensions\riskrover.riskrover-mcp-vscode-<version>\dist\server.js"
Verify the server is configured:
codex mcp list
Alternatively, edit C:\Users\YOUR_USER\.codex\config.toml directly:
[mcp_servers.riskrover]
command = "node"
args = ["C:\\Users\\YOUR_USER\\.vscode\\extensions\\riskrover.riskrover-mcp-vscode-<version>\\dist\\server.js"]
startup_timeout_sec = 20
tool_timeout_sec = 120
[mcp_servers.riskrover.env]
RISKROVER_BASE_URL = "https://app.riskrover.io"
RISKROVER_PROJECT_ID = "12345"
RISKROVER_API_TOKEN = "YOUR_RISKROVER_TOKEN"
RISKROVER_ALLOW_INSECURE_LOCALHOST = "false"
Restart Codex after changing MCP configuration. If the extension updates to a new version, the installed extension folder name may change, so update the Codex server path if needed.
Usage
Ask your MCP-capable agent:
Use RiskRover MCP to draft the PBS for this project. Do not submit anything yet.
The agent should fetch RiskRover project context, inspect your local repository as untrusted implementation context, draft PBS trees for all defined test levels, validate them, and present the draft for review.
To import a reviewed PBS into RiskRover, explicitly ask the agent to submit a specific reviewed tree. The MCP server requires human review before PBS submission and uses append mode by default.
Security Model
- The MCP server runs locally through stdio.
- The extension does not provide repository file read/write tools.
- Repository files are treated as untrusted input.
- When used through VS Code MCP-capable clients, the API token is stored in VS Code SecretStorage and is not exposed as a model-controlled tool input.
- When used through Codex, the token is configured in Codex MCP settings instead of VS Code SecretStorage.
- RiskRover URLs must use HTTPS by default.
- PBS submission is the only write operation in the initial workflow and requires explicit review.
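As an added illustration (not the extension's own code), the following applies the HTTPS-by-default rule from the security model, with the allowInsecureLocalhost exception, to the environment variables used in the Codex configuration; the function names are assumptions made for this example.

```javascript
// Added example, not part of the RiskRover MCP extension. It validates the
// RISKROVER_* environment variables from the Codex setup against the
// "HTTPS by default, http only for localhost when explicitly allowed" rule.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Only the literal string "true" enables the insecure-localhost exception.
function parseBoolean(value) {
  return String(value ?? "").trim().toLowerCase() === "true";
}

// Returns the normalized origin when the URL is acceptable, otherwise throws.
function validateBaseUrl(rawUrl, allowInsecureLocalhost = false) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error(`RISKROVER_BASE_URL is not a valid URL: ${rawUrl}`);
  }
  if (url.username || url.password) {
    throw new Error("RISKROVER_BASE_URL must not embed credentials");
  }
  if (url.protocol === "https:") {
    return url.origin;
  }
  // http:// is tolerated only for loopback hosts and only when opted in.
  if (url.protocol === "http:" && allowInsecureLocalhost && LOOPBACK_HOSTS.has(url.hostname)) {
    return url.origin;
  }
  throw new Error(`RISKROVER_BASE_URL must use https (got ${url.protocol}//${url.host})`);
}

// Builds the server configuration from an env object (defaults to process.env).
// The token is returned to the caller but never logged or echoed here.
function configFromEnv(env = process.env) {
  const allowInsecure = parseBoolean(env.RISKROVER_ALLOW_INSECURE_LOCALHOST);
  const baseUrl = validateBaseUrl(env.RISKROVER_BASE_URL ?? "https://app.riskrover.io", allowInsecure);
  const projectId = Number(env.RISKROVER_PROJECT_ID);
  if (!Number.isInteger(projectId) || projectId <= 0) {
    throw new Error("RISKROVER_PROJECT_ID must be a positive integer");
  }
  if (!env.RISKROVER_API_TOKEN) {
    throw new Error("RISKROVER_API_TOKEN is required");
  }
  return { baseUrl, projectId, token: env.RISKROVER_API_TOKEN, allowInsecure };
}
```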
Settings
| Setting | Description |
| --- | --- |
| riskroverMcp.baseUrl | RiskRover application base URL. Defaults to https://app.riskrover.io. |
| riskroverMcp.projectId | RiskRover project ID used by the local MCP server. |
| riskroverMcp.allowInsecureLocalhost | Allows http://localhost RiskRover URLs for local development only. |
| riskroverMcp.nodeCommand | Node.js executable used to run the local MCP server. Defaults to node. |
Commands
| Command | Description |
| --- | --- |
| RiskRover MCP: Set API Token | Store or replace the RiskRover API token in VS Code SecretStorage. |
| RiskRover MCP: Clear API Token | Remove the stored RiskRover API token. |
Support
For support, contact contact@riskrover.io.