Connect Your IDE to VibeDoctor MCP to Monitor AI-Generated Code Live

Why Live Monitoring Beats Scanning After the Fact

A typical vibe-coded workflow looks like this: build fast with AI, ship, then hope nothing breaks. When something does break - a leaked API key, a SQL injection, an N+1 query destroying performance - you find out from a user complaint or a security alert, not from your tools.

VibeDoctor MCP flips that model. Instead of scanning a finished codebase and producing a report, it integrates directly into the code generation loop. Your AI agent validates each file as it writes it, using the same 100+ checks VibeDoctor runs on full scans - but in real time, in your editor, before a single line reaches production.

The data makes a strong case for this approach. Our analysis of 3,200+ AI-generated codebases found that 62% contain at least one critical or high-severity security vulnerability. These are not subtle issues - they include hardcoded credentials, unprotected API routes, and SQL injection in database queries. Most of them were written by AI tools that did not know any better. The MCP integration gives your AI agent the knowledge it was missing.

How VibeDoctor MCP Works

VibeDoctor implements the Model Context Protocol (MCP), the open standard for connecting AI tools to external services. The connection uses Streamable HTTP - the same transport that Cursor, VS Code Copilot, Claude Code, and Windsurf all support natively.

Each project gets a unique MCP token. That token is embedded in a single URL:

https://vibedoctor.io/mcp?token=YOUR_PROJECT_TOKEN

You add that URL to your IDE's MCP server list. From that point, your AI agent has access to 4 tools:

The architecture is stateless: every request authenticates with your project token, checks your plan's rate limits, runs the relevant scanners in memory, and returns structured findings. No data leaves the request/response cycle. Your code is not stored.

Step 1 - Get Your MCP Token

Log in to your VibeDoctor dashboard at app.vibedoctor.io. Open a project, go to Settings, and find the MCP Integration section. Click "Generate Token" if one does not exist yet. Copy the full MCP URL shown - it looks like:

https://vibedoctor.io/mcp?token=a1b2c3d4e5f6...64_hex_chars

This URL is project-specific. Each project has its own token, so the AI agent's context is always scoped to the right codebase. If you need to revoke access, regenerate the token - the old URL becomes invalid immediately.

Step 2 - Add to Your IDE

Pick your IDE below. Each one needs the MCP URL added in a slightly different place.

Cursor

Open Cursor Settings (Cmd/Ctrl + Shift + J), navigate to MCP, and click Add New MCP Server. Enter:

{
  "mcpServers": {
    "vibedoctor": {
      "url": "https://vibedoctor.io/mcp?token=YOUR_PROJECT_TOKEN"
    }
  }
}

Or edit ~/.cursor/mcp.json directly and add the block above. Restart Cursor. You should see "vibedoctor" listed as a connected MCP server with 4 tools available.

VS Code with GitHub Copilot

Open your workspace .vscode/mcp.json (create it if it does not exist) and add:

{
  "servers": {
    "vibedoctor": {
      "type": "http",
      "url": "https://vibedoctor.io/mcp?token=YOUR_PROJECT_TOKEN"
    }
  }
}

Reload VS Code. In the GitHub Copilot Chat panel, switch to Agent mode. The VibeDoctor tools will appear in the tool list. VS Code also supports a global settings.json entry under github.copilot.chat.mcp.servers if you want the server available in every workspace.

Claude Code

Run the following command in your terminal from the project root:

claude mcp add vibedoctor \
  --transport http \
  "https://vibedoctor.io/mcp?token=YOUR_PROJECT_TOKEN"

Or add it manually to your ~/.claude.json file under mcpServers. Claude Code will pick up the server on the next session start. You can verify it is connected with claude mcp list.

Windsurf

Open Windsurf Settings and navigate to Cascade > MCP Servers. Click Add Server and enter the URL. Alternatively, edit ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "vibedoctor": {
      "serverUrl": "https://vibedoctor.io/mcp?token=YOUR_PROJECT_TOKEN"
    }
  }
}

Restart Windsurf. The vibedoctor tools will be available in all Cascade conversations for this project.

Step 3 - Generate IDE Instruction Files (Recommended)

Adding the MCP server gives your AI agent the ability to use VibeDoctor tools. But by default, it will not know when to call them. The vibedoctor_setup tool solves this by generating IDE-specific instruction files that tell your AI agent exactly when and how to use each tool automatically.

Once connected, ask your AI agent:

Run vibedoctor_setup for cursor

The tool returns ready-to-create files for your IDE. For Cursor it creates .cursor/rules/vibedoctor.mdc. For VS Code it creates .github/copilot-instructions.md and a scoped instruction file. For Claude Code it creates CLAUDE.md. For Windsurf it creates .windsurfrules.

These files contain instructions like:

• Call vibedoctor_status at the start of every coding session
• Call vibedoctor_check with category: "security" after writing auth, API routes, or database queries
• Call vibedoctor_check with category: "imports" after adding new dependencies
• Call vibedoctor_check with category: "performance" after writing loops or I/O code
• Do not mark a task complete without running at least one check on modified files

Once these files exist in your repo, the behavior is automatic - your AI agent validates code without you asking it to.

What Gets Checked in Real Time

The vibedoctor_check tool runs the same checks as a full scan, scoped to the files you pass in. It supports five check categories:

Security (category: "security")

Detects SQL injection via string interpolation, XSS vectors (dangerouslySetInnerHTML, innerHTML), unprotected API routes with no auth middleware, hardcoded credentials, CORS wildcard origins, insecure cookie settings, and eval() usage. These are the checks that matter most when an AI agent is writing auth or database code.

Imports (category: "imports")

Catches hallucinated npm packages - packages that an AI model invented but do not actually exist on npm. This is one of the most common problems with AI-generated code and one of the hardest to spot in a code review. The import checker cross-references your imports against a known-bad package database.

Performance (category: "performance")

Finds await inside Array.map() (sequential instead of parallel), synchronous file I/O in async code, N+1 database query patterns (query inside a loop), and three or more sequential awaits that could be Promise.all().

Structure (category: "structure")

Identifies god files (500+ lines), overly complex functions (50+ lines), empty catch blocks, incomplete implementations (throw new Error('Not implemented')), and mixed async patterns in the same file.

All (category: "all" - default)

Runs all categories at once. Best for general-purpose validation after any significant code change.

Using vibedoctor_status at Session Start

The vibedoctor_status tool is the best way to start any coding session. It pulls from your project's latest scan and returns:

• Overall health score (0-100)
• Per-section scores (Security, Code Quality, Performance, etc.)
• Top findings by severity across the entire project
• File-specific findings if you pass a filePath argument
• Known dismiss patterns (issues you have already reviewed and dismissed)
• Hotspot symbols - functions with the highest finding concentrations
• Remaining check credits for the current billing period

This gives your AI agent immediate context about what is already wrong in the codebase before it starts generating code. An agent that knows about a pre-existing SQL injection in src/db/queries.ts will not make the same pattern worse.

Asking Questions About Your Codebase

The vibedoctor_ask tool connects to VibeDoctor's Code Intelligence Q&A pipeline. It works after you have at least one code scan with Code Intelligence data. You can ask questions like:

• "What broke in the last scan?" - returns regressions since the previous version
• "What is the riskiest module right now?" - returns modules sorted by finding density
• "What does the auth handler depend on?" - returns blast radius analysis
• "Tell me about src/routes/payments.ts" - returns file-level findings and symbols
• "Is the code getting better or worse over time?" - returns health score trend

The Q&A system classifies your question, retrieves the relevant data from stored snapshots and diffs, and generates a structured answer. Template-based answers (structured data questions) return immediately. Questions requiring cross-referencing use a brief LLM call.

Rate Limits by Plan

MCP check credits are per-project, per-month. Q&A credits are per-day.

vibedoctor_status and vibedoctor_setup are always free - they do not consume any credits. Template-based vibedoctor_ask answers (structured data queries) are also free. Only LLM-powered answers count against the daily Q&A limit.

Revoking Access

If your MCP token is ever compromised or shared accidentally, go to the project Settings in your VibeDoctor dashboard and click "Regenerate Token". This immediately invalidates the old URL. Anyone still using the old token will receive 401 Unauthorized responses. Your scan data and project settings are unaffected - only the token changes.

Because each project has its own token, you can revoke access for one project without affecting any others.

FAQ