|
IBM BOB
Build & Review
Context · Modes · Code Review · MCP
Master context mentions, build reusable custom modes, and connect Bob to external tools
Labs 3–5 • All Labs • Resources
|
|
Continuation from March 26th Touchpoint
By the end of exercise you will: use all context mentions types fluently, write multi-step literate coding instructions, run AI-powered code reviews with /review, build a custom Security Reviewer mode in YAML, and configure an MCP server.
• Lab 3: Context mentions, literate coding deep-dive, /init and AGENTS.md
• Lab 4/5: Code reviews, custom modes (YAML), MCP server configuration
Time commitment: 3–4 hours per week
Prerequisites: Lab 1 & 2 complete. Bob IDE running, IBM/bob-demo cloned.
|
|
FN 1 ✓
Get Started
|
FN 2 ← NOW
Build & Review
|
FN 3
Modernize
|
FN 4
Ship & Scale
|
Fortnight 2 — Learning Plan
|
Context Mastery, Literate Coding & AGENTS.md
Context Mastery, Literate Coding & AGENTS.md
|
|
Objective: Master all 7 @ mention types, write multi-step literate coding instructions, and give Bob persistent project context with /init.
📖 Required Reading
• Context mentions — all 7 types, ignore-file interactions, combining mentions
• Literate coding — Cmd/Ctrl+M, generate, accept, reject, multi-block usage
• Start a project with /init and AGENTS.md
• Context window management
• Context poisoning — what it is, how to avoid it
🎬 Videos (youtube.com/@ibm-bob)
• Literate Coding in Action — generate code from plain-English comments
• Bob Shell in Your Terminal
🔬 Lab 3
• Context Mastery — use all 7 mention types, multi-step literate coding, /init and AGENTS.md
📝 Power Prompts to Try
|
# File comparison (2 @ mentions in one prompt):
@/src/db.ts @/src/index.ts How do these relate? What data flows between them?
# Fix all diagnostics at once:
@problems Fix all these issues and explain what was wrong.
# Debug from terminal output:
@terminal What went wrong and how do I fix it?
# Commit message from staged changes:
Suggest a conventional commit message for @git-changes
# Live documentation reference:
@https://bob.ibm.com/docs/ide/features/literate-coding Summarise this page.
|
✅ Lab 3 Checklist
□ Used @/src/... to reference a specific file
□ Used @problems to fix all diagnostics in one go
□ Used @terminal to debug a failing command
□ Used @git-changes to generate a commit message
□ Used @URL to fetch live documentation
□ Wrote a multi-step literate coding instruction across 3 file locations
□ Ran /init and reviewed the generated AGENTS.md
|
|
Code Reviews, Custom Modes & MCP
Code Reviews, Custom Modes & MCP
|
|
Objective: Run AI-powered code reviews, build a reusable custom mode for your team, and configure Bob with an MCP server.
📖 Required Reading
• Code reviews — Review Panel, /review, Bob Findings, issue coverage mode
• Custom modes — YAML format, tool groups, file restrictions, overriding defaults
• Understanding MCP
• MCP server transports — stdio vs streamable-http
• Security guidelines — credentials, .bobignore, MCP security
🎬 Videos (youtube.com/@ibm-bob)
• Shift-Left Code Review — security and quality before CI/CD
• IBM Bob Modes Demo
🔬 Labs
• Lab 4: Code Review — /review, Bob Findings panel, ZAP scan prompt, configure exclusions
• Lab 5: Custom Mode + MCP — Security Reviewer mode in YAML, .bob/mcp.json, MCP tools in Advanced mode
📋 Performance Insights Mode — Real Config from IBM Bob Team
This is the exact Performance Insights mode configuration used in IBM Bob team demos:
|
Name: Performance Insights
Slug: performance-insights
API Configuration: Premium
Role Definition:
You are an experienced performance analyst. Your goal is to gather
information, analyse performance data, and provide insights on the
data that developers, architects and project managers can understand.
Short description: Get insights on performance data
Available Tools: Read Files, Edit Files, Use Browser, Run Commands, Use MCP
Custom Instructions:
Make key summary statements supported with tabular data. Identify trends,
patterns, anomalies and performance issues. Focus on customer impact.
Assume an SLA of P95 < 10 seconds for the analysis.
|
✅ Lab 4 Checklist
□ /review ran on uncommitted changes, Bob Findings panel populated
□ At least 3 findings triaged (Fix, Resolve, Dismiss)
□ Custom Security Reviewer mode created in .bob/custom_modes.yaml
□ Mode-specific rule file in .bob/rules-security-reviewer/
□ .bob/mcp.json configured with at least one MCP server
□ .bob/mcp.json verified in .gitignore — no hardcoded credentials
|
Fortnight 2 — Labs
All labs use github.com/IBM/bob-demo. Make sure you have it cloned from Fortnight 1.
Lab 3 — Context Mastery & AGENTS.md
|
Overview
Time: ~50 min | Difficulty: Intermediate | Modes: Ask, Code
Goal: Use all 7 @ mention types fluently and set up AGENTS.md for persistent project context.
|
Context Exercises
1. File comparison.
|
@/src/db.ts @/src/index.ts How do these relate? What data flows between them?
|
2. @problems fix-all. Introduce a deliberate TypeScript error, then:
|
@problems Fix all these issues and explain what was wrong with each one.
|
3. @terminal debug. Run a failing build, then:
|
@terminal What went wrong and how do I fix it?
|
4. @git-changes commit. Stage changes, then:
|
Suggest a conventional commit message for @git-changes
|
5. @URL fetch.
|
@https://bob.ibm.com/docs/ide/features/literate-coding Summarise how literate coding works.
|
6. Multi-step literate coding. Open a source file. Toggle Cmd/Ctrl+M. Write 3 instruction comments in 3 different locations. Click Generate. Observe how Bob resolves all 3 as one coherent change.
/init and AGENTS.md
7. Run /init. In the bob-demo project root, type /init in chat. Bob generates AGENTS.md.
8. Inspect AGENTS.md.
|
@AGENTS.md What persistent instructions did /init add? How will they affect Bob?
|
9. Test persistence. Start a new chat. Ask a coding question. Note that AGENTS.md rules apply even in a fresh conversation.
|
✅ Success Criteria
• All 7 mention types used at least once in this lab session
• Multi-step literate coding change generated and accepted
• AGENTS.md created by /init and rules visible in fresh conversations
|
Lab 4 — Code Review: /review & Bob Findings
|
Overview
Time: ~45 min | Difficulty: Intermediate | Modes: Code, Review
Goal: Run AI-powered code reviews, triage Bob Findings, and use the OWASP ZAP scan prompt.
|
Steps
10. Add a vulnerable route. In Code mode, ask Bob to add a new API route with no input validation.
11. Run /review.
12. Triage findings. "Fix with Bob" for security issues, "Mark as Resolved" for intentional patterns, "Dismiss" for non-applicable items.
13. OWASP ZAP scan prompt (Bob Shell). If you have OWASP ZAP 2.16.1+, scan localhost:3000. Then:
|
bob -p "Explain and resolve the OWASP ZAP Scan results from @report.html"
|
14. Configure exclusions. Settings → Bob Findings → Review Exclusions. Add: *.test.ts and .vscode/**
15. Re-run /review. Confirm excluded files no longer appear in findings.
|
✅ Success Criteria
• At least 3 findings visible in Bob Findings panel after /review
• One finding fixed with Bob, one marked resolved, one dismissed
• Exclusions working — excluded files absent from next run
|
Lab 5 — Custom Mode + MCP Integration
|
Overview
Time: ~60 min | Difficulty: Intermediate | Modes: Custom mode, Advanced
Goal: Build a Security Reviewer mode in YAML and configure an MCP server from IBM/bob-demo/bob-modes.
|
Part A — Security Reviewer Custom Mode
16. Settings → Modes → +. Create:
|
Name: 🔒 Security Reviewer | Slug: security-reviewer
Role: You are a security-focused code reviewer. You identify OWASP Top 10
vulnerabilities, credential leaks, and injection risks. Report each
finding with severity (High/Medium/Low) and a specific code fix.
Tools: read only (no edit, no command, no mcp)
|
17. Add rule. Create .bob/rules-security-reviewer/01-output.md:
|
## Output Format
### [HIGH/MED/LOW] Finding Title
**File:** path/to/file.ts:line **Issue:** description **Fix:** code change
|
18. Test. Switch to Security Reviewer. Ask:
|
@/src Review this directory for OWASP Top 10 vulnerabilities.
|
Part B — MCP Configuration
19. Read the bob-modes README.
|
@/bob-modes/README.md Walk me through the setup steps for this demo.
|
20. Create .bob/mcp.json.
|
{
"mcpServers": {
"docs-langchain": {"type": "streamable-http", "url": "https://docs.langchain.com/mcp"},
"next-devtools": {"command": "npx", "args": ["-y", "next-devtools-mcp@latest"]}
}
}
|
21. Test in Advanced mode. "What MCP tools are available? List them with descriptions."
22. Security check. Verify .bob/mcp.json is in .gitignore with no hardcoded credentials.
|
✅ Success Criteria
• Security Reviewer mode in mode picker, outputs findings in correct format
• MCP tools listed and at least one invoked in Advanced mode
• .bob/mcp.json in .gitignore — zero hardcoded secrets
|