Zephex_dev_info
Vetted production patterns for auth, databases, and security—so your agent stops inventing them.
Zephex is a hosted Model Context Protocol (MCP) server. **Zephex_dev_info** is its expert developer knowledge base: curated entries with principles, SQL/TypeScript snippets, checklists, and common mistakes—not live web scraping and **not** the deprecated inspect_url tool. Always **search** with a precise query, then **get** by the returned slug.
When to use
- Implementing auth (OAuth, JWT, Supabase Auth, session cookies, MFA).
- Database design: RLS, Stripe billing tables, chat schemas, connection pooling.
- Security hardening: CSP, HSTS, CORS, OWASP-style API checks.
- Frontend/backend deployment: Next.js App Router, Bun, Docker, Render, Railway patterns.
- Mobile signing and store release (Android, iOS, Expo) when covered in the KB.
- Before accepting agent-generated security or payment code you have not verified.
When not to use
- Reading **your repo**—use get_project_context, scope_task, find_code, read_code.
- Auditing a **live deployed URL** headers/TLS—use audit_headers.
- Checking if an npm package exists or has CVEs—use check_package / audit_package.
- Mapping **your** codebase architecture—use explain_architecture.
- Arbitrary public URL content extraction—the old inspect_url tool is removed; this is KB-only.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| operation | "search" | "get" | No (default: search) | search finds the best entry; get returns full content for a slug from search. |
| query | string | Yes for search | Natural-language question, e.g. "Stripe webhook deduplication postgres". |
| slug | string | Yes for get | Exact slug from a prior search result (e.g. stripe-webhook-events). |
| category | enum | No | databases | security | frontend | backend | auth | mobile | android — narrows search. |
Limits: KB coverage is finite—if no entry matches, rephrase or combine with read_code on your project. Hourly Zephex_dev_info caps apply per user. Does not replace legal/compliance review. Requires KB service deployment on self-hosted proxies.
Try it — copy a prompt
Paste into Cursor, Claude Code, Windsurf, VS Code, or any editor with a hosted MCP connection.
Before you call it
- Zephex API key and hosted MCP in your editor.
- A specific question (not “tell me about databases”—narrow to “Supabase RLS multi-tenant SaaS”).
- Optional **category** filter when you know the domain (auth, security, databases, etc.).
- KB service must be configured server-side (KB_SERVICE_URL); otherwise the tool returns a setup message.
Token and request cost
Search responses are compact (~100–300 tokens). Full **get** entries target under ~1,200 tokens with structured fields agents can cite. Each MCP call counts as one request on your plan; Zephex_dev_info also has per-user hourly caps (Free: 100/hour, Pro: 500, Max: 2000) separate from monthly request limits.
Example
{ "jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": { "name": "Zephex_dev_info", "arguments": { "operation": "search", "query": "Stripe webhook idempotency postgres deduplication", "category": "databases" } }}Response shape
{ "slug": "stripe-webhook-events", "title": "Stripe Webhook Event Deduplication Table", "why_this_matters": "Stripe retries failed deliveries for up to 72 hours…", "key_principles": ["Verify signature first", "UNIQUE on stripe_event_id", "…"], "code_snippets": [{ "title": "PostgreSQL webhook_events table", "language": "sql", "code": "…" }], "checklist": ["constructEvent before branching", "…"], "common_mistakes": ["Inserting before processing", "…"], "related_slugs": ["supabase-rls-policies"], "token_count": 680}Which Zephex tool when
| Task | Use this tool | Not this tool |
|---|---|---|
| Supabase RLS / auth schema | Zephex_dev_info | read_code alone |
| Read my handler code | read_code | Zephex_dev_info |
| Grade production URL headers | audit_headers | Zephex_dev_info |
| Map my app’s modules | explain_architecture | Zephex_dev_info |
| CVE on a package upgrade | audit_package | Zephex_dev_info |
What it can do in your codebase
- Anti-hallucination layer for production auth, payments, and security—agents cite checklists instead of inventing policies.
- Search → get workflow keeps tokens low: discover the right slug, then pull one dense entry.
- Category filters (databases, security, frontend, backend, auth, mobile, android) narrow noisy queries.
- Entries include common_mistakes—the failures teams actually ship (insert-before-process webhooks, localStorage JWTs, etc.).
- related_slugs chain topics (e.g. Stripe webhooks → Supabase RLS).
- Read-only: does not modify your repo or call arbitrary URLs.
Common response fields
Why teams use it
Search then get (required)
Never call get with a guessed slug. Search returns the best-matching entry; get returns the full structured article for that slug only.
Production-grade snippets
SQL and TypeScript examples tied to real footguns (webhook dedup tables, refresh rotation, RLS policies)—not generic tutorials.
Not inspect_url
The retired inspect_url / URL inspector is gone. Zephex_dev_info is the correct tool name on tools/list and in MCP calls.
Pairs with codebase tools
Use Zephex_dev_info for how to build safely; use scope_task + read_code to apply patterns to your files.
What it looks at vs skips
- Curated KB JSON (auth, databases, security, frontend, backend, mobile, payments topics)
- Keyword + tag scoring across titles, summaries, and search_keywords
- Structured get payload: principles, snippets, checklist, mistakes
- Your local git tree (use get_project_context / read_code)
- Live URL fetches and browser rendering (removed with inspect_url)
- Package registry CVE deep dives (use audit_package)
- Hallucinated slugs—search must precede get
Query mode examples
category: auth
JWT refresh token rotation Next.js
OAuth, sessions, Supabase Auth entries.
category: databases
stripe webhook idempotency table
Stripe billing + Postgres patterns.
category: security
API OWASP checklist JSON
CSP, CORS, hardening lists.
Categories (search filter)
| Field | Meaning |
|---|---|
| databases | Postgres, Supabase schemas, RLS, Stripe tables, pooling, realtime. |
| auth | OAuth, JWT, sessions, Supabase Auth, MFA, Auth.js patterns. |
| security | CSP, CORS, OWASP API risks, headers, hardening checklists. |
| frontend | Next.js App Router, React 19, Tailwind, Server Components. |
| backend | Bun, Express, Docker, AWS, Render, Railway deployment. |
| mobile / android | Expo, store signing, mobile release gotchas. |
How it fits your workflow
- Narrow the question (stack + risk: e.g. “multi-tenant Supabase RLS for Next.js 16”).
- Zephex_dev_info operation=search + query (+ category if obvious).
- Zephex_dev_info operation=get + exact slug from search.
- Apply patterns to your repo with scope_task → read_code on relevant files.
- audit_headers on deployed URLs when security headers matter.
Troubleshooting
- No results → rephrase query; drop category filter; use concrete tech names (Stripe, Supabase, Next.js).
- KB_SERVICE_URL not configured → deploy the /kb service and set env on mcp-proxy (see tool error text).
- 429 / rate limited → Zephex_dev_info hourly cap hit; wait for reset or upgrade tier.
- get returns 404 → slug must match search exactly; always search first.
- Agent skipped search → force operation=search before any get call.
How to verify it works
- tools/list includes Zephex_dev_info (exact capitalization).
- search with query "supabase rls policies" returns at least one slug.
- get with slug from search returns key_principles and code_snippets arrays.
- Confirm response is JSON text, not HTML from a random URL.
Common questions
Billing and plan limits: FAQ, usage limits.
What is the difference between Zephex_dev_info and inspect_url?
inspect_url was a deprecated URL/network inspector and is removed from Zephex. The correct tool is Zephex_dev_info (capital Z in MCP): a searchable expert knowledge base with search and get operations—no arbitrary URL scraping.
How do I stop my agent from hallucinating Supabase or Stripe patterns?
Require search → get on Zephex_dev_info before writing auth or payment code. Paste key_principles and checklist items into the plan, then use read_code to align with your actual files.
Which categories should I pass?
Use category when the domain is obvious: auth for OAuth/JWT, databases for RLS/Stripe tables, security for CSP/OWASP, frontend for Next.js/React, backend for deploy targets, mobile/android for Expo/store signing. Omit category if search returns nothing.
Can Zephex_dev_info read a documentation URL for me?
No. For public URL header/TLS grades use audit_headers. For your codebase use read_code. Zephex_dev_info only returns curated KB entries from the Zephex knowledge service.
What if the tool says KB_SERVICE_URL is not configured?
The hosted proxy needs the separate /kb service deployed and KB_SERVICE_URL (optional KB_SECRET) set. Until then, search/get cannot run—contact your admin or see Zephex deployment docs.
Shipping to production? audit_headers grades your live URL; Zephex_dev_info teaches the patterns to fix findings.
Billing: Each tool call counts as one request on your Zephex plan (Free includes 300 requests/month). See usage limits for tier details. Usage limits.
Data: Queries go to the Zephex KB service; do not embed secrets in search queries. Entries are curated text, not your source code. Data use.
audit_headers checks live HTTP; Zephex_dev_info supplies expert patterns—use both for secure shipping. For local code, read_code.
For AI agents (JSON)
{"tool":"Zephex_dev_info","workflow":["search with precise query","get with returned slug"],"never":"guess slug or use inspect_url","pair":["read_code","audit_headers"]}