Connect a coding agent
Preview before writing, then inspect the result:glean-feed at
https://app.gleanfeed.com/api/mcp. It never adds an API key, local command,
environment secret, access token, or refresh token. Re-running it is safe.
Target or remove one client when needed:
uninstall removes only the glean-feed entry. It preserves unrelated servers
and leaves OAuth credential removal to the client that owns those credentials.
For Claude Desktop or an unsupported client, the CLI reports the manual remote
Streamable HTTP configuration instead of editing a settings-owned connector.
Read the MCP guide for consent, scopes, and manual setup.
Verify read-only before granting writes
Run in CI
Create a dedicated least-privilege API key and store it in the CI provider’s secret manager. On an ephemeral runner:.gleanfeed.json with profile ci, but it must never
commit the API key or isolated config directory. Rotate the secret if job output,
artifacts, or runner state could have exposed it.
Make writes explicit
JSON and noninteractive callers cannot answer a prompt. Pass--yes only on the
reviewed command that needs it:
--agent adds a length-limited, non-secret audit label. It does not select a workspace,
grant a scope, or replace authentication. Parse .ok and use the documented
exit codes; do not scrape human output.
Disable the initialization event
gleanfeed init sends one best-effort, content-free authenticated success event
when it uses the production API. It contains the workspace ID and fixed event
type, not repository data, config values, commands, paths, credentials, or user
content. It runs after the repository config is written, has a 1.5-second
deadline, and never changes the setup result. Set GLEAN_FEED_TELEMETRY=0 to
disable it: