MCP that provides fast, token-efficient tools for navigating, searching, and understanding codebases
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"abf": {
"env": {
"ABF_PROJECT_ROOT": "/path/to/your/project"
},
"args": [
"/path/to/AgentsBestFriend/packages/cli/dist/index.js",
"start"
],
"command": "node"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
A local MCP server that gives AI coding agents fast, token-efficient tools for navigating, searching, and understanding codebases — including monorepos.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'turbo' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
Trubo: Login callback CSRF/session fixation
### Impact Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the `turbo` CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login
Turbo: Unexpected local code execution during Yarn Berry detection
### Impact Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed `yarn --version` from the project directory, which could cause Yarn to load and execute a project-controlled `yarnPath` from `.yarnrc.yml`. An attacker who controls repository contents could cause code execution when a user or CI system runs affected `turbo`, `@turbo/codemod`, or `@turbo/worksp
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in developer-tools
A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
Context7 Platform -- Up-to-date code documentation for LLMs and AI code editors
XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
Copy/paste detector for programming source code, supports 223 formats. AI-ready with token-efficient reporter, skill and MCP server.
MCP Security Weekly
Get CVE alerts and security updates for io.github.TheRealFloatDev/agentsbestfriend and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Give your AI coding agents superpowers — a local MCP server for fast, token-efficient code navigation, search & analysis.
Works with VS Code Copilot, Cursor, Claude Code/Desktop, Codex, Cline, Zed, Gemini CLI, Goose, OpenCode, and any other MCP-compatible agent.
AI coding agents waste tokens re-reading files and searching blindly. ABF gives them purpose-built tools that return exactly what they need — in compact, structured responses that preserve context.
| Tool | What it does |
|---|---|
abf_search | Code search — exact (ripgrep), keyword-ranked, or semantic (embedding-based) |
abf_search_multi | Run multiple search queries (exact/keyword/semantic) in one call with weighted score merging |
abf_symbols | Functions, classes, exports in a file (AST-based for TS/JS, regex for Python) |
abf_chunk | Smart file chunk by symbol name, chunk index, or file overview |
abf_project_overview | Tech stack, folder structure, key dependencies at a glance |
abf_dependencies | Import graph — who imports what |
abf_impact | Find all usages of a symbol across the project |
abf_impact_typed | AST-aware (ts-morph) impact analysis with classified references (definition/call/import/type_ref/jsx) and confidence levels |
abf_blast_radius | BFS over reverse-import graph for a file with risk scoring (low/medium/high) |
abf_related_tests | Heuristically rank test files most likely to cover a file or symbol |
abf_preview_changes | Read-only preview: diff + symbol/import deltas + risk flags + external usage probe (no writes) |
abf_refactor_plan | Read-only ordered edit plan for rename/move/extract/split with collision detection |
abf_apply_edit | Write tool — atomic file write with sha256 hash check (disabled unless ABF_ENABLE_WRITES=1) |
abf_diagnostics | TypeScript diagnostics (errors/warnings) for one file or all tracked TS/JS files |
abf_definition | Goto-definition via the TypeScript language service — file, line range, and source preview |
abf_hover | Type signature + JSDoc for an identifier (IDE-style hover) |
abf_call_graph | Transitive callers/callees of a function or method (TS/JS, ts-morph) |
abf_git | Git log, blame, diff (recent/staged/unstaged) |
abf_file_summary | Full-text search across LLM-generated file summaries (FTS5, OR/AND mode) |
abf_conventions | Detected naming, structure, and formatting conventions |
abf_index | Index status, rebuild, incremental update, or trigger re-summarization |
abf_ping | Health check — returns version and project root |
npm install -g agentsbestfriend
brew install ripgrep (macOS) / apt install ripgrep (Linux)abf init
abf init walks you through everything:
git ls-files(12/80) progress.abf/ to .gitignore — prompts before writingnpx agentsbestfriend start (always latest) or abf start (local install)If you prefer to configure manually, add ABF as a stdio MCP server. Using npx is recommended — it always runs the latest published version without requiring a global install:
VS Code / GitHub Copilot (.vscode/mcp.json):
{
"servers": {
"abf": {
"command": "npx",
"args": ["agentsbestfriend", "start"]
}
}
}
Cursor (.cursor/mcp.json):
{
"mcpServers": {
"abf": {
"command": "npx",
"args": [
... [View full README on GitHub](https://github.com/TheRealFloatDev/AgentsBestFriend#readme)