Obra Cto
FreeNot checkedLocal-first MCP that scores your codebase's build readiness. Your code never leaves your machine.
About
Local-first MCP that scores your codebase's build readiness. Your code never leaves your machine.
README
A local-first MCP server that scores your codebase's Build Readiness. You install it in your own Claude. Your Claude reads your code on your machine and runs your tests there. Nothing is uploaded.
This is the free preview of Obra's role lineup, and it stays free and local. The CTO reads your code and tells you what an investor's technical diligence would find: real security holes, weak design decisions, and the gaps that stop a serious review. The rest of the team (the Obra CFO for funding-ready materials, and more) lives in the Build with Obra community.
The Obra founders' toolkit
Two free, local, open-source MCPs built to work as a pair:
- Obra CTO (this one): is it built? Scores your codebase and surfaces what a technical diligence would flag. GitHub · npm
- Obra CFO: is it fundable? Runs the investment committee on your pitch and turns your verified build into a funding case. GitHub · npm
Run the CTO first. The CFO reads its report as grade-A technical evidence. The method, the deep versions, and Obra in beta live in Build with Obra.
Why local-first
A tool that reads your code should not ship your code somewhere. Your source never
leaves your machine. This server makes exactly one kind of network call, and only
when you run the dependency check: it sends your package names and versions to the
OSV vulnerability database, never a line of your code (you can see the single call
in src/deps.ts). Everything else is local: it returns counts, presence flags, a
redacted secrets scan, and a score. You can read every line of this server before
you run it, which is the point of keeping it open.
What you get
The Obra CTO Score, out of 100, calibrated to your stage (prototype, MVP, or growth), across six dimensions:
| Dimension | Weight |
|---|---|
| Security | 25 |
| Product reality (what is actually built) | 20 |
| Robustness | 15 |
| Architecture | 15 |
| Maintainability | 15 |
| Deploy readiness | 10 |
Every finding carries an evidence grade: A verified, B multiple sources, C partial or inferred, D claim only, E speculation. The score is built from grade A and C evidence, what is true in your code, not what a deck says. When the CTO runs your tests and they pass, reliability becomes grade A. A deck-scorer can never earn that.
What a run looks like
Point it at a real project and you get a scored report with a ranked risk register. Here is a run on a scrappy Supabase app (anonymized):
# Obra CTO Score: financeapp
## 46 / 100 · Not yet ready
Assessed as: mobile (react-native, expo) | Backend: supabase
| Dimension | Score | Evidence |
|------------------|-------|----------|
| Security | 6/25 | A |
| Product reality | 20/20 | A |
| Robustness | 3/15 | A |
| Architecture | 9/15 | A |
| Maintainability | 6/15 | A |
| Deploy readiness | 2/10 | C |
## Top Risks
- [critical] RLS policies defined but never enabled; data may be open to any authenticated user
Fix: enable row level security on every table, then verify a second user cannot read your rows.
- [high] Access control gap: a privileged action checks only that the user is logged in, not that they own the resource
- [medium] No tests found
On a well-built app it scores high and credits the good engineering. It is calibrated, not a fear machine.
Tools
scan_projectreads the project and returns mechanical signals.check_dependencieschecks your locked dependencies against the OSV vulnerability database. Only package names and versions leave your machine, never your code.run_testsruns your test suite (this executes code, so your Claude asks first) and parses the pass and fail counts.prepare_code_reviewselects your highest-signal files (schema and policy files, entry points, security-relevant code) and hands them to your Claude with a checklist tuned to your stack, including a Backend-as-a-Service lens (Supabase, Firebase) and a design red-team that critiques the architecture, not just the code.score_build_readinessproduces the Obra CTO Score with a Top Risks register.
A normal run is: scan, check dependencies, run tests, prepare the code review, then score.
Install
Add it to your Claude MCP config (Claude Desktop or Claude Code):
{
"mcpServers": {
"obra-cto": {
"command": "npx",
"args": ["-y", "obra-cto"]
}
}
}
Then ask your Claude: "Score this project's build readiness with Obra CTO."
Prefer to run from source? Clone the repo, run npm install && npm run build, and
point the config at node /absolute/path/to/obra-cto/dist/index.js.
What this is not
Not a linter, not a security scanner, not a replacement for your own Claude reading the code. It is technical-diligence readiness inside funding readiness: the question an investor's CTO would ask, answered from your real code.
What's next
The Obra CTO is the free preview. To go further:
- The Method: the full playbook for shipping production software with AI, the disciplines that make code score like the example above, each lesson with a paste-in prompt or tool you can use today.
- The rest of the team: the Obra CFO for funding-ready materials, and each new role as it ships.
- Obra itself, in beta: the AI employee that runs your back office. Members go first.
See the whole toolset and where it is going at https://get-obra.com/build
The full method and the community live in Build with Obra: https://www.skool.com/build-with-obra-5361/about
License
Apache-2.0.
Install Obra Cto in Claude Desktop, Claude Code & Cursor
unyly install obra-ctoInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add obra-cto -- npx -y obra-ctoFAQ
Is Obra Cto MCP free?
Yes, Obra Cto MCP is free — one-click install via Unyly at no cost.
Does Obra Cto need an API key?
No, Obra Cto runs without API keys or environment variables.
Is Obra Cto hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Obra Cto in Claude Desktop, Claude Code or Cursor?
Open Obra Cto on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Obra Cto with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
