zero-mcp
zero-mcp is a lightweight TypeScript toolkit for implementing MCP (Model Context Protocol) servers that expose JSON-RPC tool endpoints over native HTTP. It provides a McpServer abstraction with tool registration (Zod-based schemas + JSON schema generation) and lifecycle hooks, plus CORS controls for browser-based clients.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
TLS enforcement is not documented; HTTPS is standard practice for HTTP endpoints, but the README does not state it. No authentication or authorization mechanism is described (only CORS controls), so access control likely relies on external infrastructure. The dependency list is minimal (zod + zod-to-json-schema), which reduces the dependency surface. The README warns that allowedOrigins defaults to '*' for local tooling; production deployments should use an allow-list.
⚡ Reliability
Best When
You want a minimal HTTP-based MCP tool server with quick setup and Zod-driven schema definitions, and you can manage security/auth at the infrastructure layer or via custom controls.
Avoid When
You need OAuth/auth flows, fine-grained scope-based access control, or a well-documented, versioned HTTP API contract beyond the MCP endpoint itself.
Use Cases
- Provide MCP tool servers over HTTP for LLM agents or MCP clients
- Create small, fast-running tool endpoints (including serverless/edge-friendly deployments)
- Define tool input validation with Zod and automatically expose JSON schemas
- Instrument MCP server behavior via lifecycle hooks (connect, register, call start/finish/error, server errors)
- Serve browser-accessible MCP endpoints with configurable CORS allow-lists
Not For
- Full MCP spec coverage requiring stdio transports, prompts API, SSE streaming, or complex auth flows (as implied by the README’s comparison)
- High-assurance deployments needing strong authentication/authorization mechanisms out of the box
- Use cases that require an OpenAPI/SDK-first REST platform beyond the MCP HTTP transport
Interface
Authentication
README describes CORS configuration but does not describe authentication/authorization mechanisms for clients calling the MCP endpoint. Any auth would need to be handled externally (reverse proxy, network controls) or via custom additions not documented here.
Pricing
This is an open-source npm package; pricing is not applicable.
Agent Metadata
Known Gotchas
- ⚠ No documented auth: agents may need to rely on external network/proxy controls.
- ⚠ CORS defaults appear permissive for convenience ('*' for allowedOrigins) which can be unsafe in production if not overridden.
- ⚠ No documented rate limiting or backoff/retry guidance in the provided material; agent clients should be prepared for generic JSON-RPC failures.
Scores are editorial opinions as of 2026-04-04.