# Zephex MCP server

MCP gateway with tools for code analysis, architecture, package audit & security.

## Links
- Registry page: https://www.getdrio.com/mcp/io-github-tanbir404-zephex
- Website: https://zephex.dev

## Install
- Endpoint: https://zephex.dev/mcp
- Auth: Required (per registry metadata)

## Setup notes
- Remote header: Authorization (required; secret)
- The upstream registry signals required auth or secrets.

## Tools
- get_project_context (Get Project Context) - Orient on any codebase before editing. One focused slice per call — 11 topics: identity, framework, backend, frontend, database, auth, deploy, run, structure, integrations, security. Each topic returns different fields (focus, summary, data, hint, related_topics, next_calls, meta). Sources: (1) local absolute path — stdio MCP reads disk directly, e.g. /Users/alice/myapp; (2) GitHub/GitLab URL — hosted server clones once and caches, e.g. https://github.com/owner/repo; (3) inline_files when transport has no filesystem. Workflow: get_project_context({ topic: "identity" }) first, then 1-2 related_topics. DO NOT use for function bodies (read_code), search (find_code), or flows (explain_architecture). Read-only. Endpoint: https://zephex.dev/mcp
- explain_architecture (Explain Architecture) - Structural wiring map — how files connect, not file bodies. Returns concern_cluster (roles + import edges for ANY subsystem label), layer_map, entry_points, integration_map, auth_flow, request_flows in deep mode, Mermaid. CALL WHEN: how does this feature/subsystem work across files before a cross-cutting edit; pass concern (any name: widget-factory, billing, q7x) or seed_files from find_code — seeds via concept search + import graph, not hardcoded vocab. DO NOT: stack/scripts (get_project_context), search (find_code), read bodies (read_code). focus: api|auth|integrations|database|security|full. mode: overview|deep|audit. subpath for monorepos. Path: absolute dir or github:owner/repo. Endpoint: https://zephex.dev/mcp
- read_code (Read Code) - Surgical code read — symbols, batch files, keyword scan, bug smells. NOT whole-repo search (find_code). CALL WHEN: path known from find_code — batch-read files[] (mode:file); extract function by name (mode:symbol); scan 3–8 files for TODO/error/keyword (mode:scan); quick bug smells in focus_files (mode:smell); TOC before 300+ line file (mode:outline). DO NOT: unknown location (find_code first); file <50 lines (editor Read); repo-wide grep (find_code). Returns envelope: focus, summary, data, hint, next_calls. Read-only. Endpoint: https://zephex.dev/mcp
- find_code (Find Code) - Find text inside project files (ripgrep). Rename old project name (Crystal→Max, 200 files) → intent everywhere + whole_word + also_try [crystal]; returns every file:line in files_summary. Pasted line → snippet. Known name → symbol. Topic → concept + also_try. Messy repo → include (docs/config/data). Response: summary, data.matches or data.all_occurrences, files_hit, next_calls. Then read_code on top hit. Not for known-file reads or repo overview. Read-only. Endpoint: https://zephex.dev/mcp
- audit_headers (Audit HTTP Headers) - Site Audit — full HTTP intelligence for a public URL in one call. Security grade A–F (headers, SSL/TLS, cookies, redirects, CORS, CDN), health verdict ALIVE/DEGRADED/BROKEN + trust score, tech stack (framework/hosting/CDN/third-party), secret scan (scan_depth=quick: light HTML/3 bundles; scan_depth=deep: full supply URL phase with JWT decode, source maps, path probes, live verification), and HTTP request timing. Default probe_engine=fetch (HTTP, 1–3s quick / 8–12s deep secrets). Optional probe_engine=browser runs headless Chrome on Zephex servers (AWS worker when SITE_SQS_QUEUE_URL is set, else in-process Chromium) for real JS console errors and browser network capture — security headers still use raw HTTP fetch. CALL when: user pastes a URL; post-deploy security check; cert expiry or HSTS/CSP questions; cookie flag audit; redirect chain; is the site up; what framework; exposed secrets on a live page; JS console errors (probe_engine=browser). RETURNS: product (site_audit), duration_ms, plain_summary, fix_first, summary (security_grade, site_verdict, trust_score, load_ms, secrets_critical, secrets_verified, supply_paths_probed, supply_headers_grade), health (probe_engine, console_errors when browser), tech, secrets (findings, scan_meta, scan_depth), network, issues[], ssl, security_headers, cookie_flags, redirect_chain, infra, dns (security_depth=full only). LIMITS: Public hostnames on ports 80/443 only. Blocks localhost, private IPs, and URLs with embedded credentials. probe_engine=browser requires server-side Chromium or cloud worker — gracefully falls back to fetch with probe_fallback_warning if unavailable. Rate limit: one scan per hostname per 5 seconds. Endpoint: https://zephex.dev/mcp
- keep_thinking (Structured Reasoning) - Multi-call reasoning scaffold for AI coding agents — NOT Anthropic's single-call think tool, NOT extended thinking. Tracks hypotheses, observations, conclusions, and assumptions across iterative tool-call chains. Detects circular debugging, repeated failed approaches, and dangerous operations. Returns: shouldContinue, riskLevel (high/critical blocks continuation), repetitionWarning, reflectionPrompt (recovery questions on loop), boredLoopDetected (same tool called twice), approachingLimit (2 thoughts before cap). Call when: (1) high-blast-radius edit — schema, auth, billing, multi-file refactor, production deploy. (2) Debugging after 2+ failed attempts. (3) Task spans 3+ files. (4) Ambiguous requirements — surface assumptions first. DO NOT call when: (1) you already know the answer — act. (2) Single-step task — rename, typo, file read. (3) You're calling again without new evidence — that's a loop, stop. (4) Session is closed (nextThoughtNeeded:false was set). Pass lastActions (last 2-5 tool calls) to enable boredom detection. Set actionReady:true to exit early when planning is done. Set nextThoughtNeeded:false to close the session and write a Supabase checkpoint. Pass sessionId to resume — previously rejected approaches are injected so you don't repeat them. Hard cap: 10 thoughts per session. Endpoint: https://zephex.dev/mcp
- check_package (Check Package) - Verify any package on live registries before install — and plan upgrades from GitHub release notes. One tool, 5 tasks via task: check (default), upgrade, security, migrate, debug. Each task returns focus, summary, data, hint, related_tasks, next_calls, meta. Use for frameworks (next, react, vite, express), payments (stripe), auth (next-auth, @clerk/nextjs, passport), databases (prisma, drizzle-orm, pg), and any dep on npm/PyPI/cargo/gem/go/maven/nuget/packagist/pub/hex/cocoapods/spm. Version resolution: pass version/from_version, or source:github:owner/repo to read the pinned version from package.json via GitHub API (primary path for hosted MCP upgrades). Workflow: get_project_context({ topic: "integrations" }) → check_package({ task: "check" }) → task=security if vulnerable → task=upgrade with from_version when bumping. task=upgrade|migrate parses GitHub releases for breaking_changes, migration_steps, code_example, advisories. DO NOT use for repo orientation (get_project_context), lockfile transitive audit (npm audit), API docs (Context7), or install verification (project_memory). Read-only. Endpoint: https://zephex.dev/mcp
- check_test (Test Pulse) - Run project tests and return structured health — per-file pass/fail counts, coverage %, failures with Expected/Received, broken_areas (grouped by module), fix_first bullets, failure_clusters (same-root-cause grouping), coverage_by_area (per-module lcov rollup), blind_spots (flaky/patch/missing-test warnings), triage bundle, area_graph, graph_mermaid, health. task:why for follow-ups. Cheaper than parsing 600-line test logs — run once, query slices from session cache. Call when: after code changes; user asks if tests pass; before push; need per-file test status or failure details without re-running. Use after edits: pass diff_base: main to see if your changes broke tests. Scope to module with area: proxy, auth, handlers. DO NOT call when: package CVE check (check_package); prove deploy claim (project_memory); repo orientation (get_project_context); find symbol (find_code). Workflow: task=run once → task=list|failures|status|why on same session_id (<100ms). task=detect for framework/command only. task=history|compare for cloud scan rows (hosted). Hosted MCP: 1 credit per task:run; session queries, why, and compare are free. path: absolute directory (stdio MCP) or github:owner/repo / GitHub URL (hosted MCP). Endpoint: https://zephex.dev/mcp
- Zephex_dev_info (Zephex Developer Knowledge Base) - Expert developer knowledge base by Zephex. Use when the user asks how to build, structure, secure, or deploy anything. Covers: database schemas (Stripe, Supabase, Convex, Postgres), security (CSP, CORS, OWASP, JWT hardening), frontend (Next.js, React 19, Tailwind CSS), authentication (Supabase Auth, OAuth, refresh tokens), backend (AWS ECS, Docker, Bun), and mobile (Android, iOS, Expo, Play Store signing). Two operations: use 'search' with a query to find the right entry, then 'get' with the returned slug to fetch full expert knowledge. Always search first, then get. Endpoint: https://zephex.dev/mcp
- project_memory (Project Memory) - Store and recall project-specific learned facts (decisions, gotchas, goals, conventions) across agent sessions. NOT for codebase structure — use get_project_context. Returns: remember {id,status}; recall {matches,match_count,tokens_estimate}; list {memories,total,cap}; forget {status}. Call when: user says remember/recall; before editing an unfamiliar subsystem; after a non-obvious decision. DO NOT call when: repo orientation (get_project_context); symbol search (find_code); raw file bodies (read_code). After recall: apply returned facts; do not re-scan the repo. remember max 200/project; recall FTS5 max 5 hits; list titles only; forget by id. Local stdio only (npx zephex) — hosted MCP returns local_stdio_required. Endpoint: https://zephex.dev/mcp

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: io.github.Tanbir404
- Version: 1.0.0
- Runtime: Streamable HTTP
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 12, 2026
- Source: https://registry.modelcontextprotocol.io
