Developer Tool and Utility Servers

Developer-focused infrastructure

The previous section covered servers that connect agents to external services. This section covers servers that extend what agents can do locally: access files, manage repositories, persist knowledge, reason through problems, and automate browsers.

These are the workhorses. Reading code, committing changes, remembering context, testing in browsers—these operations happen constantly during development. The servers here handle that foundational layer.

Filesystem server

The Filesystem MCP server (@modelcontextprotocol/server-filesystem) gives agents controlled file system access. Anthropic maintains it as one of seven reference implementations.

What it does

The server exposes 14 tools for read and write operations:

Read operations:

read_text_file and read_media_file for file contents
read_multiple_files for batch operations with fault tolerance
list_directory and directory_tree for structure navigation
search_files for pattern-based discovery
get_file_info for metadata (size, timestamps, permissions)
list_allowed_directories to view accessible paths

Write operations:

create_directory for idempotent directory creation
write_file for creating or overwriting files
edit_file for selective modifications with dry-run preview
move_file for renaming or relocating

Security model

The allowed directories configuration is the primary security boundary. The server only touches directories you explicitly permit.

Path validation prevents traversal attacks. Components like .. are resolved before validation, so sneaky paths like /allowed/../secrets get caught. All operations stay within configured boundaries.

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/username/projects",
        "/Users/username/documents"
      ]
    }
  }
}

The MCP Roots protocol allows dynamic directory updates without server restarts. When the client provides roots, they completely replace server-side configuration.

The server runs with your user permissions. Only grant access to directories you are comfortable with an AI agent reading and modifying.

Docker isolation

Docker adds another layer through mount points:

{
  "mcpServers": {
    "filesystem": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "--mount", "type=bind,src=/path/to/code,dst=/projects/code,ro",
        "mcp/filesystem",
        "/projects"
      ]
    }
  }
}

The ro flag gives read-only access. All mounts target the /projects directory inside the container.

Git server

The Git MCP server (mcp-server-git) handles repository operations. It requires Python 3.10 or higher.

Tools provided

Tool	Purpose
`git_status`	Working tree status
`git_diff_unstaged`	Unstaged changes
`git_diff_staged`	Staged changes
`git_diff`	Differences between branches or commits
`git_commit`	Record changes
`git_add`	Stage files
`git_reset`	Unstage all changes
`git_log`	Commit history with date filtering
`git_create_branch`	Create branches
`git_checkout`	Switch branches
`git_show`	Commit contents
`git_branch`	List branches

The git_init tool was removed in version 2025.9.25 after security concerns. The server now only works with existing repositories.

Security vulnerabilities

Three vulnerabilities were reported in June 2025 and patched in December 2025. Worth knowing about:

CVE-2025-68143 (Unrestricted git_init): The removed git_init tool accepted arbitrary paths, allowing repository creation anywhere on the filesystem. Fixed by removing the tool entirely.

CVE-2025-68144 (Argument injection): git_diff and git_checkout passed arguments directly to the CLI. Flag-like values such as --output=/path/to/file were interpreted as commands. Fixed by validating that arguments do not start with -.

CVE-2025-68145 (Path validation bypass): The --repository flag did not verify that requested paths stayed within configured boundaries. Fixed by resolving both configured and requested paths including symlinks.

Researchers demonstrated that combining the Git and Filesystem servers could achieve remote code execution through Git's smudge/clean filters. Each server appeared safe in isolation, but together they created a dangerous combination. Keep both servers updated.

Configuration

Always use the --repository flag to restrict access:

uvx mcp-server-git --repository /path/to/repo

Current version is 2026.1.14. Verify you have a patched version before production use.

Memory server

The Memory MCP server (@modelcontextprotocol/server-memory) gives agents persistent memory through a local knowledge graph. Information survives across conversations.

Storage model

Data persists as a JSONL file (default: memory.jsonl). The knowledge graph has three components:

Entities are primary nodes with a name, type, and observations:

{"type": "entity", "name": "ProjectX", "entityType": "project", "observations": ["Uses React", "Deadline March 2026"]}

Relations are directed connections between entities:

{"type": "relation", "from": "Alice", "to": "ProjectX", "relationType": "leads"}

Observations are discrete facts attached to entities. Storing atomic facts separately prevents conflation when information changes—you can update "Deadline March 2026" without touching "Uses React."

Tools

Tool	Purpose
`create_entities`	Add nodes to the graph
`create_relations`	Connect entities
`add_observations`	Append facts to entities
`delete_entities`	Remove nodes (cascades to relations)
`delete_observations`	Remove specific facts
`delete_relations`	Remove connections
`read_graph`	Export complete graph
`search_nodes`	Query names, types, and observations
`open_nodes`	Retrieve specific nodes with relations

Use cases

Memory servers work well for:

User preference persistence across sessions
Entity tracking (people, projects, organizations)
Relationship mapping (team structures, dependencies)
Context preservation for long-running tasks

A practical workflow: retrieve relevant memory at conversation start, then update memory at conversation end with newly gathered information.

Configuration

{
  "mcpServers": {
    "memory": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-memory"],
      "env": {
        "MEMORY_FILE_PATH": "/path/to/custom/memory.jsonl"
      }
    }
  }
}

All data stays local. No cloud dependencies.

Sequential Thinking server

The Sequential Thinking MCP server (@modelcontextprotocol/server-sequential-thinking) structures step-by-step reasoning. It formalizes chain-of-thought prompting into a tool-based process.

What it does

The server exposes a sequential_thinking tool with these parameters:

Parameter	Purpose
`thought`	Current reasoning step content
`nextThoughtNeeded`	Whether another step is required
`thoughtNumber`	Current step number
`totalThoughts`	Estimated total steps
`isRevision`	Marks reconsideration of prior thinking
`revisesThought`	Which thought is being reconsidered
`branchFromThought`	Branching point for alternatives
`branchId`	Branch identifier
`needsMoreThoughts`	Signals need for expansion

How it differs from prompting

Chain-of-thought prompting encourages reasoning through text. Sequential Thinking externalizes reasoning as structured objects.

Aspect	Prompting	Sequential Thinking
State	Stateless	Thoughts tracked as objects
Capabilities	Linear	Supports revision and branching
Audit	Parse text	Machine-readable trail
Persistence	Lost after response	Maintained externally

The server itself does no reasoning. It provides scaffolding for the agent to organize multi-step thinking.

When to use it

Sequential Thinking helps with:

Complex problems requiring multiple steps
Analysis that might need course correction
Problems where the full scope is unclear at first
Tasks requiring context across many steps

Models with built-in extended thinking (Claude's extended thinking mode, OpenAI o1) reduce the need for this server. It remains useful for getting more out of models without native multi-step reasoning.

Configuration

{
  "mcpServers": {
    "sequential-thinking": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]
    }
  }
}

Playwright server

The Playwright MCP server (@playwright/mcp) from Microsoft handles browser automation. With 26,000+ GitHub stars, it is the most popular MCP server by community adoption.

The accessibility tree approach

Playwright MCP uses the browser's accessibility tree instead of screenshots. The accessibility tree is the structured data that browsers expose for screen readers.

Aspect	Accessibility Tree	Screenshots
Speed	Fast (structured text)	Slower (visual processing)
Vision model	Not required	Required
Determinism	High	Subject to visual interpretation
Token cost	Lower (text)	Higher (images)

The agent receives clean text describing page elements, roles, states, and relationships. No vision model overhead.

Operating modes

Snapshot mode (default) uses the accessibility tree for fast, deterministic interactions. Covers 95% of use cases.

Vision mode enables coordinate-based interactions for visual elements absent from the accessibility tree. Requires a vision-capable model.

Tools overview

Navigation: browser_navigate, browser_navigate_back, browser_close, browser_tabs, browser_resize

Interactions: browser_click, browser_type, browser_fill_form, browser_select_option, browser_hover, browser_press_key, browser_drag, browser_file_upload

Analysis: browser_snapshot, browser_take_screenshot, browser_console_messages, browser_network_requests

Verification: browser_verify_element_visible, browser_verify_text_visible, browser_verify_value

Advanced: browser_evaluate (JavaScript execution), browser_wait_for, browser_pdf_save

Use cases

Web scraping: Extract structured data via accessibility tree navigation
End-to-end testing: Deterministic element targeting
Form automation: Fill and submit forms programmatically
Authentication flows: Navigate to login, allow manual auth, continue automated

Cookies and sessions persist across tool calls within a session.

Configuration

claude mcp add playwright npx @playwright/mcp@latest

Or in configuration:

{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": ["@playwright/mcp@latest", "--headless"]
    }
  }
}

Options include --browser (chrome, firefox, webkit, msedge), --headless, and --device for mobile emulation.

Run npx playwright install first to download browser binaries. On Linux, npx playwright install-deps installs system dependencies.

Choosing developer tool servers

Server	Primary use	Key consideration
Filesystem	File operations	Restrict to necessary directories
Git	Repository management	Verify patched version
Memory	Cross-session persistence	Local storage only
Sequential Thinking	Complex reasoning	Less needed with reasoning models
Playwright	Browser automation	Most popular, well-maintained

These servers handle the operational infrastructure for agentic development. The next sections cover installing, configuring, and securing them in Claude Code.

On this page