VibeCheck MCP Server

Code intelligence for AI-built software — wired into your agent.

Truth-grounded. Runtime-aware. Multi-agent.

The Model Context Protocol server that lets Cursor, Claude, Windsurf, and any MCP-compatible AI agent verify what they ship — scanning for hallucinations, computing trust scores, and gating deployments using the same 16-engine pipeline as the CLI and VS Code extension.

What is this?

The Model Context Protocol (MCP) is the open standard that connects AI coding agents to external tools. VibeCheck's MCP server exposes the full scanning, scoring, and guarding pipeline as tools that any MCP-compatible client can call.

Your AI agent writes the code. VibeCheck verifies it didn't hallucinate.

API compatibility

Billable scan tools that sync usage to VibeCheck’s API require @vibecheck-ai/mcp 24.x or newer. Older MCP builds are rejected at the API with SCAN_CLIENT_UPGRADE_REQUIRED. Update your MCP config to npx -y @vibecheck-ai/mcp@latest (or the matching published version).

How it works

┌──────────────────┐     stdio / MCP      ┌────────────────────┐
│   Cursor / Claude │ ◄──────────────────► │  VibeCheck MCP     │
│   Windsurf / Cline│     tool calls       │  Server            │
│   Any MCP client  │                      │                    │
└──────────────────┘                      │  ┌──────────────┐  │
                                          │  │ 14 Detection  │  │
                                          │  │ Engines       │  │
                                          │  └──────────────┘  │
                                          │  ┌──────────────┐  │
                                          │  │ Trust Score   │  │
                                          │  │ Engine        │  │
                                          │  └──────────────┘  │
                                          │  ┌──────────────┐  │
                                          │  │ Context       │  │
                                          │  │ Engine        │  │
                                          │  └──────────────┘  │
                                          └────────────────────┘

Quick Start

Cursor

Add to your .cursor/mcp.json:

{
  "mcpServers": {
    "vibecheck": {
      "command": "npx",
      "args": ["-y", "@vibecheck-ai/mcp"]
    }
  }
}

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "vibecheck": {
      "command": "npx",
      "args": ["-y", "@vibecheck-ai/mcp"]
    }
  }
}

Windsurf

Add to your Windsurf MCP config:

{
  "mcpServers": {
    "vibecheck": {
      "command": "npx",
      "args": ["-y", "@vibecheck-ai/mcp"]
    }
  }
}

Any MCP Client (stdio)

npx @vibecheck-ai/mcp

The server communicates over stdio using the MCP protocol. No HTTP. No ports. No config files.

Tools

The server exposes 7 tools that your AI agent can call:

Core Tools (Free)

| Tool | Description | |:---|:---| | vibecheck_scan | Scan a file or directory for AI hallucinations and code trust issues. Returns findings with severity, location, and fix suggestions. | | vibecheck_score | Compute a 0–100 trust score with letter grade (A–F) and ship decision (SHIP / REVIEW / NO_SHIP). | | vibecheck_guard | Run a pass/fail gate check. Returns structured pass/fail based on trust score and critical findings. | | vibecheck_roast | Scan and return findings with maximum sass. Same brutal honesty as vibecheck roast in the CLI. |

Context Engine Tools (Paid)

| Tool | Description | |:---|:---| | vibecheck_context_proactive | Get proactive context for a focused file — file context, graph neighbors, and learned co-edits. | | vibecheck_context_intent | Query the codebase by natural language intent. Returns matching files and symbols. | | vibecheck_context_evolve | Learn from provenance (edits.jsonl) and update learned.json. Run periodically to improve context quality. | | vibecheck_context_feedback | Record explicit feedback (helpful / not helpful) to improve future context ranking. |

What Your Agent Can Do

Once connected, your AI agent can ask VibeCheck to verify its own work:

Scan before committing

"Scan this file for hallucinations before I save it."

The agent calls vibecheck_scan and gets back every finding with severity, line number, and a suggested fix.

Gate deployments

"Check if this project is safe to ship."

The agent calls vibecheck_guard and gets a structured SHIP / NO_SHIP verdict with the exact issues blocking deployment.

Score trust

"What's the trust score for src/payments/?"

The agent calls vibecheck_score and gets a 0–100 score, letter grade, and dimensional breakdown.

Get roasted

"Roast this codebase."

The agent calls vibecheck_roast for an opinionated, brutally honest assessment.

14 Detection Engines

The same engines that power the CLI and VS Code extension (CLI FileRunner registration order):

| # | Engine | What it catches | |:---:|:---|:---| | 1 | Undefined env vars | process.env references not backed by your env / truthpack | | 2 | Ghost routes | Client calls to API paths with no handler | | 3 | Phantom dependencies | Imports of packages not declared or not resolvable | | 4 | API hallucinations | SDK or API usage that does not exist for your stack | | 5 | Hardcoded secrets | Keys, tokens, and passwords committed to source | | 6 | Security vulnerabilities | Injection, XSS, SSRF, weak crypto, and related OWASP-style issues | | 7 | Fake features | Placeholder flags, empty handlers, mock data in prod paths | | 8 | Version mismatches | APIs incompatible with installed package versions | | 9 | Logic gaps | Contradictory or impossible control flow | | 10 | Error-handling gaps | Swallowed errors, risky try/catch shape, unchecked async results | | 11 | Incomplete implementation | Stubs, empty bodies, unfinished paths | | 12 | Type contracts | Types asserted vs actual JSON/API shape mismatches | | 13 | Security patterns | Unprotected routes, CSRF, JWT misuse, redirects, CSP gaps | | 14 | Performance anti-patterns | N+1 queries, sync I/O in async paths, fetch-in-render, and similar |

Plan-Gated Access

Scanning and product features require an active Vibe Coder (or higher) subscription unless your tool host applies a separate payment model (e.g. x402).

| Tool | Free | Vibecoder | Developer | Engineer | |:---|:---:|:---:|:---:|:---:| | vibecheck_scan | ✓ | ✓ | ✓ | ✓ | | vibecheck_score | ✓ | ✓ | ✓ | ✓ | | vibecheck_guard | ✓ | ✓ | ✓ | ✓ | | vibecheck_roast | ✓ | ✓ | ✓ | ✓ | | vibecheck_context_* | | | ✓ | ✓ |

When a tool is gated, the server returns a clear error message with upgrade instructions — your agent can surface this to the user.

Production Hardening

The MCP server includes enterprise-grade reliability features:

• Input validation — All tool arguments are validated before execution
• Rate limiting — Prevents runaway agents from overwhelming the scanner
• Circuit breaker — Automatic recovery from transient failures
• Health monitoring — Built-in health check endpoint
• Observability — Structured logging for debugging and monitoring
• Error sanitization — Sensitive paths and data are never leaked in error messages

Available on 4 Surfaces

| Surface | Install | Use case | |:---|:---|:---| | MCP Server (you are here) | npx @vibecheck-ai/mcp | AI agent integration (Cursor, Claude, etc.) | | CLI | npm i -g @vibecheck-ai/cli | CI/CD pipelines, terminal workflows, scripting | | VS Code Extension | Marketplace | Interactive scanning, sidebar dashboard, inline fixes | | GitHub Action | vibecheck-ai/action@v2 | Pull request verification, deployment gating |

Privacy & Security

• All scanning runs locally on your machine
• Zero code is transmitted — ever
• The MCP server communicates via stdio only — no network ports opened
• Works fully offline and in air-gapped environments
• No telemetry on your code. Tools run in-process.

Build with AI. Ship with proof.

vibecheckai.dev   ·   [email protected]

MIT License  ·  Copyright 2024–2026 VibeCheck AI