A single tool call that walks your Next.js project tree and returns a compact overview covering routes, API endpoints, database schema, and security issues. It detects the App Router structure, flags dynamic routes and client components, checks API routes for auth and validation by matching known patterns such as next-auth and Zod, parses Prisma or Drizzle schemas to map relations, and scans for hardcoded secrets and missing rate limits. The output is a formatted tree with counts and flags, saving you manual file exploration when onboarding to a codebase or auditing before deployment. Because the security checks are pattern matches, treat them as a starting point rather than a verdict: a route protected by a custom wrapper the scanner does not recognise is still reported as unprotected, and an intentionally public endpoint is flagged like any other. The tool takes an absolute path and an optional focus parameter to drill into routes, API, schema, or security specifically.
MCP server that scans Next.js projects and returns a compact summary. One tool call → full project overview.
| Without nextscan | With nextscan |
|---|---|
| Manual file-by-file exploration | Single scan call |
| Multiple tool calls to understand routes | Compact route tree with flags |
| Security issues go unnoticed | Hardcoded secret and env leak detection |
| Unknown API coverage | Auth and validation status per endpoint |
| Schema guesswork | Prisma/Drizzle relation mapping |
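An added example, not nextscan's own code, of the kind of pattern-based route check described above: it takes a route handler's source text, finds the exported HTTP methods, and reports auth, validation and rate-limit status with flags in the README's style. The pattern tables, the flag rules and the four sample handlers are assumptions constructed for this example; the last sample is protected by a hypothetical project-local `withApiAuth` wrapper to show why a heuristic report still needs a human check.

```typescript
// Added example, not nextscan's own api.ts: heuristic classification of a
// Next.js App Router route handler from its source text, in the style the
// README describes (exported methods, next-auth, Zod, rate limiting).

export interface RouteReport {
  methods: string[];         // exported HTTP method handlers, in source order
  auth: string | null;       // detected auth library, e.g. "next-auth"
  validation: string | null; // detected validation library, e.g. "zod"
  rateLimit: boolean;        // any rate-limiting call detected
  flags: string[];           // negative findings such as "no-auth"
}

// Both `export async function GET()` and `export const GET = ...` count.
const METHOD_RE =
  /export\s+(?:async\s+)?(?:function\s+|const\s+)(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\b/g;

// Pattern tables are assumptions modelled on common idioms, not nextscan's list.
const AUTH_PATTERNS: Array<[string, RegExp]> = [
  ["next-auth", /from\s+["']next-auth|\bgetServerSession\s*\(|\bauth\s*\(\s*\)/],
  ["clerk", /from\s+["']@clerk\//],
];
const VALIDATION_PATTERNS: Array<[string, RegExp]> = [
  // Require the zod import as well as a parse call, so a bare JSON.parse()
  // is not mistaken for schema validation.
  ["zod", /from\s+["']zod["'][\s\S]*\.(?:safeParse|parse)\s*\(/],
];
const RATE_LIMIT_RE = /@upstash\/ratelimit|\brate[-_]?limit\w*\s*\(/i;

function firstMatch(table: Array<[string, RegExp]>, src: string): string | null {
  for (const entry of table) {
    if (entry[1].test(src)) return entry[0];
  }
  return null;
}

export function analyzeRoute(source: string): RouteReport {
  const methods: string[] = [];
  METHOD_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = METHOD_RE.exec(source)) !== null) methods.push(m[1]);

  const auth = firstMatch(AUTH_PATTERNS, source);
  const validation = firstMatch(VALIDATION_PATTERNS, source);
  const rateLimit = RATE_LIMIT_RE.test(source);

  const flags: string[] = [];
  if (auth === null) flags.push("no-auth");
  // Missing validation only matters where a request body is expected.
  const takesBody = methods.some((x) => x === "POST" || x === "PUT" || x === "PATCH");
  if (takesBody && validation === null) flags.push("no-validation");
  if (!rateLimit) flags.push("no-rate-limit");
  return { methods, auth, validation, rateLimit, flags };
}

// One line per endpoint, close to the README's compact format.
export function formatEndpoint(route: string, r: RouteReport): string {
  const tags: string[] = [];
  if (r.auth !== null) tags.push("auth:" + r.auth);
  if (r.validation !== null) tags.push("val:" + r.validation);
  return r.methods.join(",") + " " + route + " [" + tags.concat(r.flags).join(",") + "]";
}

// Constructed sample handlers; none of these come from a real project.
export const USERS_ROUTE = [
  'import { getServerSession } from "next-auth";',
  'import { z } from "zod";',
  "const Body = z.object({ name: z.string().min(1) });",
  "export async function GET() { return Response.json([]); }",
  "export async function POST(req: Request) {",
  "  const session = await getServerSession();",
  '  if (!session) return new Response("unauthorized", { status: 401 });',
  "  return Response.json(Body.parse(await req.json()));",
  "}",
].join("\n");
export const HEALTH_ROUTE =
  "export async function GET() { return Response.json({ ok: true }); }";
export const WEBHOOK_ROUTE = [
  "export async function POST(req: Request) {",
  "  const payload = await req.json();",
  "  return Response.json({ received: payload.id });",
  "}",
].join("\n");
// Protected by a hypothetical project-local wrapper the heuristic does not
// know, so it is reported as no-auth: such findings still need a human check.
export const ADMIN_ROUTE = [
  'import { withApiAuth } from "@/lib/auth";',
  "export const DELETE = withApiAuth(async () => new Response(null, { status: 204 }));",
].join("\n");

const SAMPLES: Array<[string, string]> = [
  ["/api/users", USERS_ROUTE],
  ["/api/health", HEALTH_ROUTE],
  ["/api/webhook", WEBHOOK_ROUTE],
  ["/api/admin", ADMIN_ROUTE],
];
for (const s of SAMPLES) console.log(formatEndpoint(s[0], analyzeRoute(s[1])));
```

The `/api/admin` line in the output is the false positive to keep in mind when reading a real scan: the wrapper does enforce auth, but nothing in the pattern table recognises it.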
```bash
# Clone and build
cd nextscan
npm install
npm run build

# Add to Claude Code (registers the built server as an MCP tool)
claude mcp add nextscan -- node /path/to/nextscan/dist/index.js
```
The server exposes a single tool, `scan`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `path` | string | Yes | Absolute path to the Next.js project root |
| `focus` | enum | No | Restrict output to one section: `routes`, `api`, `schema`, or `security` |
Example output:

```text
nextscan — my-app
────────────────────────────────────────
Root: /Users/dev/my-app
src/: yes   app/: yes   middleware: yes
ORM : prisma

Routes
  Pages: 12   Layouts: 3   API: 5
  Dynamic: 4  Static: 8
  Client: 3   Server: 9
  Groups: (marketing), (auth)
  Matchers: /dashboard/:path*, /api/:path*
  ┌─ Pages
  ├─ /
  ├─ /about
  ├─ /dashboard        [client]
  ├─ /blog/[slug]      [dyn,SSG]
  └─ /settings         [client]

API Endpoints
  Total: 5   Unprotected: 1
  ├─ GET,POST /api/users    [auth:next-auth | val:zod]
  ├─ GET      /api/health   [no-auth,no-rate-limit]
  └─ POST     /api/webhook  [no-auth,no-validation]

Schema
  Models: 5   Relations: 4
  Orphans: AuditLog
  User ─< Post (1:N)
  User ─ Profile (1:1)
  Post >─< Tag (N:N)

Security
  Score: 75/100   Headers: yes   Middleware: yes
  [high]   API route /api/health has no auth: [GET]
  [medium] No rate limiting on /api/users
```
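How the Schema section's relation lines can be derived from a Prisma file, as an added example that is not nextscan's `prisma.ts`: a regex-based reader collects models and fields, classifies each model pair as 1:1, 1:N or N:N from whether either side is a list, and lists models with no relation fields as orphans. The schema it parses is constructed for the example; two named relations between the same pair of models are counted once, which is a simplification.

```typescript
// Added example, not nextscan's own prisma.ts: a regex-based Prisma schema
// reader that classifies relations the way the README's Schema section shows.

export interface PrismaField {
  name: string;
  type: string;      // base type without [] or ?
  isList: boolean;   // e.g. Post[]
  optional: boolean; // e.g. Profile?
  attrs: string;     // e.g. "@relation(fields: [userId], references: [id])"
}
export interface PrismaModel { name: string; fields: PrismaField[]; }
export interface Relation { from: string; to: string; kind: "1:1" | "1:N" | "N:N"; }

// A model block runs from `model Name {` to the first line holding only `}`.
const MODEL_RE = /^\s*model\s+(\w+)\s*\{([\s\S]*?)^\s*\}/gm;
const FIELD_RE = /^(\w+)\s+(\w+)(\[\])?(\?)?\s*(.*)$/;

export function parseModels(schema: string): PrismaModel[] {
  const models: PrismaModel[] = [];
  MODEL_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = MODEL_RE.exec(schema)) !== null) {
    const fields: PrismaField[] = [];
    for (const raw of m[2].split("\n")) {
      const line = raw.replace(/\/\/.*$/, "").trim();       // drop comments
      if (line === "" || line.indexOf("@@") === 0) continue; // skip block attributes
      const f = FIELD_RE.exec(line);
      if (f !== null) {
        fields.push({ name: f[1], type: f[2], isList: f[3] !== undefined, optional: f[4] !== undefined, attrs: f[5] });
      }
    }
    models.push({ name: m[1], fields });
  }
  return models;
}

export function mapRelations(models: PrismaModel[]): { relations: Relation[]; orphans: string[] } {
  const byName: { [name: string]: PrismaModel } = Object.create(null);
  for (const x of models) byName[x.name] = x;
  const linked: { [name: string]: boolean } = Object.create(null);
  const seen: { [pair: string]: boolean } = Object.create(null);
  const relations: Relation[] = [];
  for (const a of models) {
    for (const f of a.fields) {
      const b = byName[f.type];
      if (b === undefined) continue;          // scalar or enum field
      linked[a.name] = true;
      linked[b.name] = true;
      const key = [a.name, b.name].sort().join("|");
      if (seen[key]) continue;                // classify each model pair once
      seen[key] = true;
      // The opposite side; for a self-relation, a different field of the same type.
      const back = b.fields.filter((g) => g.type === a.name && g !== f)[0];
      const aMany = f.isList;
      const bMany = back !== undefined && back.isList;
      if (aMany && bMany) relations.push({ from: a.name, to: b.name, kind: "N:N" });
      else if (aMany) relations.push({ from: a.name, to: b.name, kind: "1:N" });
      else if (bMany) relations.push({ from: b.name, to: a.name, kind: "1:N" });
      else relations.push({ from: a.name, to: b.name, kind: "1:1" });
    }
  }
  const orphans = models.filter((x) => !linked[x.name]).map((x) => x.name);
  return { relations, orphans };
}

// Same glyphs as the README's Schema section.
export function formatRelation(r: Relation): string {
  const glyph = r.kind === "N:N" ? ">─<" : r.kind === "1:N" ? "─<" : "─";
  return r.from + " " + glyph + " " + r.to + " (" + r.kind + ")";
}

// Constructed schema for the example; not taken from any real project.
export const SAMPLE_SCHEMA = `
model User {
  id      Int      @id @default(autoincrement())
  email   String   @unique
  posts   Post[]
  profile Profile?
}
model Profile {
  id     Int     @id @default(autoincrement())
  bio    String?
  user   User    @relation(fields: [userId], references: [id])
  userId Int     @unique
}
model Post {
  id       Int    @id @default(autoincrement())
  title    String
  author   User   @relation(fields: [authorId], references: [id])
  authorId Int
  tags     Tag[]  // implicit many-to-many
}
model Tag {
  id    Int    @id @default(autoincrement())
  name  String @unique
  posts Post[]
}
model AuditLog {
  id        Int      @id @default(autoincrement())
  action    String
  createdAt DateTime @default(now())
}
`;

const demo = mapRelations(parseModels(SAMPLE_SCHEMA));
for (const rel of demo.relations) console.log(formatRelation(rel));
console.log("Orphans: " + demo.orphans.join(", "));
```

Orphans such as `AuditLog` are worth a second look during an audit: a table nobody joins to is often one nobody has applied row-level access rules to either.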
Project layout:

```text
src/
├── index.ts            # MCP server entry point
├── tools/scan.ts       # Orchestrator
├── analyzers/
│   ├── routes.ts       # App Router analysis
│   ├── api.ts          # API endpoint analysis
│   ├── schema.ts       # Schema orchestration
│   └── security.ts     # Security scanning
├── parsers/
│   ├── typescript.ts   # ts-morph utilities
│   ├── prisma.ts       # Regex-based Prisma parser
│   └── drizzle.ts      # AST-based Drizzle parser
├── formatters/
│   └── compact.ts      # Unicode tree formatter
└── utils/
    ├── fs.ts           # File system utilities
    └── detect.ts       # Project detection
```
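What a pattern-based security pass of the kind `security.ts` performs might look like, as an added example rather than the project's own code: it checks each line for AWS-style access key IDs, for credential-named assignments whose value looks random (Shannon entropy above a threshold, obvious placeholders excluded), and for `NEXT_PUBLIC_` environment variables whose names suggest a secret, since those values are inlined into the browser bundle at build time. The file contents are constructed; `AKIAIOSFODNN7EXAMPLE` is the documented AWS example key, and the 3.5 bits-per-character threshold is an assumption, not a calibrated value.

```typescript
// Added example, not nextscan's own security.ts: pattern-based detection of
// hardcoded secrets and NEXT_PUBLIC_ env leaks, run here over constructed
// file contents rather than a real project tree.

export interface Finding { severity: "high" | "medium"; file: string; line: number; message: string; }

// Names that suggest a credential; deliberately not a bare "key" (React props).
const SECRET_NAME_RE = /secret|token|password|passwd|api[_-]?key|private[_-]?key/i;
// `const apiKey = "..."` or `API_KEY: '...'` with a quoted value of 16+ chars
const ASSIGN_RE = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"'\s]{16,})["']/g;
const AWS_KEY_RE = /\bAKIA[0-9A-Z]{16}\b/;
// NEXT_PUBLIC_* values are inlined into the browser bundle at build time.
const PUBLIC_ENV_RE = /\bNEXT_PUBLIC_([A-Z0-9_]+)/g;
const PLACEHOLDER_RE = /^(xxx|changeme|your[_-]|example|placeholder|<)/i;
const ENTROPY_THRESHOLD = 3.5; // assumption: bits per character

// Shannon entropy in bits per character; random-looking keys score high.
export function shannonEntropy(s: string): number {
  const counts: { [ch: string]: number } = Object.create(null);
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const ch in counts) {
    const p = counts[ch] / s.length;
    h -= p * Math.log(p) / Math.LN2;
  }
  return h;
}

export function scanFile(file: string, text: string): Finding[] {
  const out: Finding[] = [];
  const lines = text.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const n = i + 1;
    if (AWS_KEY_RE.test(line)) {
      out.push({ severity: "high", file, line: n, message: "AWS access key ID hardcoded" });
    }
    let m: RegExpExecArray | null;
    ASSIGN_RE.lastIndex = 0;
    while ((m = ASSIGN_RE.exec(line)) !== null) {
      const name = m[1];
      const value = m[2];
      // Heuristic: credential-like name plus a random-looking value.
      if (SECRET_NAME_RE.test(name) && !PLACEHOLDER_RE.test(value) && shannonEntropy(value) > ENTROPY_THRESHOLD) {
        out.push({ severity: "medium", file, line: n, message: "possible hardcoded secret in " + name });
      }
    }
    PUBLIC_ENV_RE.lastIndex = 0;
    while ((m = PUBLIC_ENV_RE.exec(line)) !== null) {
      if (SECRET_NAME_RE.test(m[1])) {
        out.push({ severity: "high", file, line: n, message: "NEXT_PUBLIC_" + m[1] + " is shipped to the browser bundle" });
      }
    }
  }
  return out;
}

// Same bracketed-severity style as the README's Security section.
export function formatFinding(f: Finding): string {
  return "[" + f.severity + "] " + f.file + ":" + f.line + " " + f.message;
}

// Constructed inputs; the key values are fabricated or AWS's documented example key.
export const PAYMENTS_TS = [
  'const STRIPE_SECRET = "sk_test_51H8d2kLxQ9mZ3vN7pR4tW6yB";',
  'const region = "us-east-1";',
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  'const password = "changeme";',
  "const jwtSecret = process.env.NEXT_PUBLIC_JWT_SECRET;",
].join("\n");
export const ENV_FILE = [
  "DATABASE_URL=postgres://app:app@localhost:5432/app",
  "NEXT_PUBLIC_API_URL=https://api.example.com",
  "NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_placeholder",
].join("\n");

for (const f of scanFile("lib/payments.ts", PAYMENTS_TS).concat(scanFile(".env", ENV_FILE))) {
  console.log(formatFinding(f));
}
```

The `DATABASE_URL` line is not flagged even though it embeds a password, which illustrates the limit of name-and-shape heuristics: a connection string needs its own pattern, and anything a scanner does not model it will not report.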
Development:

```bash
npm install
npm run build
npm test
npm run test:coverage
```
Berkay Derin — github.com/berkayderin
MIT