phabricator-mcp
phabricator-mcp is an MCP (Model Context Protocol) server that wraps Phabricator's Conduit API. Over the stdio MCP transport, it exposes MCP tools for interacting with tasks (Maniphest), code reviews/diffs (Differential), repositories and file contents (Diffusion), users, projects, pastes, wiki (Phriction), blogs (Phame), transactions, uploads/files, builds (Harbormaster), owners, activity feed, chat threads (Conpherence), audits, and PHID lookup.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Uses a Phabricator Conduit API token for authentication (no OAuth). The README recommends allowlisting read-only MCP tools to reduce risk. Rate-limit and error-handling behaviors are not documented here. Dependency and CVE posture cannot be confirmed from provided data.
⚡ Reliability
Best When
You want a local/agent-driven integration that can translate natural language into specific, allowlisted Phabricator Conduit actions using MCP tools.
Avoid When
You cannot securely handle long-lived Conduit API tokens or cannot restrict tool permissions to read-only operations for untrusted agent workflows.
Use Cases
- Search and manage Phabricator tasks (query, create, edit, comment)
- Perform code review workflows (search revisions, inspect diffs, add inline comments, accept/reject/abandon)
- Browse repositories and retrieve file contents/history/code search
- Query builds and build logs for revisions/diffs
- Look up users/projects/PHIDs and query recent activity
- Read/write collaboration artifacts like wiki pages, pastes, and blog posts
- Use an LLM/MCP client to execute Phabricator workflows from natural language
Not For
- Public-facing or high-risk automation without careful tool permissioning (it can support write operations)
- Environments that require OAuth-style authentication or federated identity (it uses Conduit API tokens)
- Use cases needing a web REST/GraphQL API or webhooks from this package (it is primarily an MCP server)
Interface
Authentication
Authentication is performed via a Phabricator Conduit API token configured via PHABRICATOR_API_TOKEN or read from ~/.arcrc. MCP-side tool permissions (e.g., Claude allowlist) are used for controlling which MCP tools can be called, but this is not the same as OAuth scopes.
Pricing
No pricing information is provided for the server package itself (MIT-licensed open source). Runtime costs depend on your Phabricator instance and LLM/MCP client usage.
Agent Metadata
Known Gotchas
- ⚠ Write-capable tools exist; clients like Claude may prompt for permissions—use allowlists to restrict to read-only where appropriate
- ⚠ Authentication uses a Conduit token; mishandling tokens can grant broad access depending on token permissions
- ⚠ Tool naming/permissions must match the MCP client’s allowlist format (example uses mcp__phabricator__<tool_name>)
Scores are editorial opinions as of 2026-03-30.