{"id":"sniko-zero-mcp","name":"zero-mcp","homepage":null,"repo_url":"https://github.com/SNIKO/zero-mcp","category":"ai-ml","subcategories":[],"tags":["mcp","model-context-protocol","tooling","json-rpc","http","typescript","zod","cors","server-kit"],"what_it_does":"zero-mcp is a lightweight TypeScript toolkit for implementing MCP (Model Context Protocol) servers that expose JSON-RPC tool endpoints over native HTTP. It provides a McpServer abstraction with tool registration (Zod-based schemas + JSON schema generation) and lifecycle hooks, plus CORS controls for browser-based clients.","use_cases":["Provide MCP tool servers over HTTP for LLM agents or MCP clients","Create small, fast-running tool endpoints (including serverless/edge-friendly deployments)","Define tool input validation with Zod and automatically expose JSON schemas","Instrument MCP server behavior via lifecycle hooks (connect, register, call start/finish/error, server errors)","Serve browser-accessible MCP endpoints with configurable CORS allow-lists"],"not_for":["Full MCP spec coverage requiring stdio transports, prompts API, SSE streaming, or complex auth flows (as implied by the README’s comparison)","High-assurance deployments needing strong authentication/authorization mechanisms out of the box","Use cases that require an OpenAPI/SDK-first REST platform beyond the MCP HTTP transport"],"best_when":"You want a minimal HTTP-based MCP tool server with quick setup and Zod-driven schema definitions, and you can manage security/auth at the infrastructure layer or via custom controls.","avoid_when":"You need OAuth/auth flows, fine-grained scope-based access control, or a well-documented, versioned HTTP API contract beyond the MCP endpoint itself.","alternatives":["@modelcontextprotocol/sdk (official SDK, includes broader transport/auth features)","Other community MCP server frameworks/SDKs (stdio/SSE/auth capable)","Build a minimal MCP HTTP server directly (JSON-RPC handling + MCP message schema)"],"af_score":51.5,"security_score":40.0,"reliability_score":30.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T19:53:05.513958+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://{host}:{port}/mcp (path configurable via start options; README shows /mcp)","has_sdk":false,"sdk_languages":["TypeScript","JavaScript"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":[],"oauth":false,"scopes":false,"notes":"README describes CORS configuration but does not describe authentication/authorization mechanisms for clients calling the MCP endpoint. Any auth would need to be handled externally (reverse proxy, network controls) or via custom additions not documented here."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"This is an open-source npm package; pricing is not applicable."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":51.5,"security_score":40.0,"reliability_score":30.0,"mcp_server_quality":78.0,"documentation_accuracy":80.0,"error_message_quality":null,"error_message_notes":"README includes an onServerError hook and onToolCallError hook, but does not specify structured error codes/formats or retry semantics. Error-handling quality is inferred as present via hooks rather than fully documented.","auth_complexity":20.0,"rate_limit_clarity":0.0,"tls_enforcement":70.0,"auth_strength":15.0,"scope_granularity":0.0,"dependency_hygiene":75.0,"secret_handling":55.0,"security_notes":"TLS enforcement is not explicitly documented; typical HTTP best practice would be HTTPS, but this is not stated. Authentication/authorization is not described (only CORS controls), so access control likely relies on external infrastructure. Dependency list is minimal (zod + zod-to-json-schema), reducing dependency surface. README warns that allowedOrigins defaults to '*' for local tooling; production should use an allow-list.","uptime_documented":0.0,"version_stability":35.0,"breaking_changes_history":45.0,"error_recovery":40.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["No documented auth: agents may need to rely on external network/proxy controls.","CORS defaults appear permissive for convenience ('*' for allowedOrigins) which can be unsafe in production if not overridden.","No documented rate limiting or backoff/retry guidance in the provided material; agent clients should be prepared for generic JSON-RPC failures."]}}