Is Codevira safe to use?

Codevira has 1 known CVE tracked by MCPpedia. You can verify these on OSV.dev by searching for "pip". Review the Security section above for details before installing.

How do I install Codevira?

Codevira supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What can Codevira do?

Codevira provides 4 tools: get_session_context, get_node, get_impact, search_codebase. See the full tools list on the server page for descriptions and parameters.

What AI clients work with Codevira?

Codevira is compatible with claude-desktop, cursor, claude-code. It uses stdio and http transport.

Is Codevira actively maintained?

Codevira is actively maintained — last commit was 5 days ago. It has 9 GitHub stars.

Codevira

Name: Codevira
Author: sachinshelke

pip · by sachinshelke

Persistent memory and project context for AI coding agents — context graph, semantic search, decision log, roadmap, and cross-tool continuity via local MCP server

9 4 tools GitHub PyPI

1 open CVE

MIT license

Actively maintained

Last commit 5d ago

Works with most clients

Transport: stdio, http

4 tools

Grade F

Edit this pageView history

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "codevira": {
      "cwd": "/path/to/your-project",
      "args": [],
      "command": "codevira"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/codevira)](https://mcppedia.org/s/codevira)

Read me

What Codevira does

Persistent memory and project context for AI coding agents — context graph, semantic search, decision log, roadmap, and cross-tool continuity via local MCP server

Test This Server

This server supports HTTP transport. Be the first to test it — help the community know if it works.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

54/100across 5 weighted dimensions

How we score →

0255075100

−46

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

1 open10 fixed

CVE-2026-6357medium · fixedCVSS 4

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Affected: >= 0Fixed in 26.1source →

CVE-2026-3219mediumCVSS 4

pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Affected: >= 0source →

CVE-2026-1703medium · fixedCVSS 4

pip Path Traversal vulnerability

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Affected: >= 0Fixed in 26.0source →

CVE-2025-8869medium · fixedCVSS 4

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulne

Affected: >= 0Fixed in 25.3source →

CVE-2023-5752low · fixedCVSS 3.1

PYSEC-2023-228

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Affected: >= 0Fixed in 23.3source →

Inventory

Tools (4)

Click any tool to inspect its schema.

Inventory

Resources (1)

decision_replay

Browse decision timeline as terminal / markdown / HTML; available as MCP resource for Claude Desktop

codevira://decisions

Help improve this page

This server is missing a description.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Codevira safe to use?: Codevira has 1 known CVE tracked by MCPpedia. You can verify these on OSV.dev by searching for "pip". Review the Security section above for details before installing.
How do I install Codevira?: Codevira supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can Codevira do?: Codevira provides 4 tools: get_session_context, get_node, get_impact, search_codebase. See the full tools list on the server page for descriptions and parameters.
What AI clients work with Codevira?: Codevira is compatible with claude-desktop, cursor, claude-code. It uses stdio and http transport.
Is Codevira actively maintained?: Codevira is actively maintained — last commit was 5 days ago. It has 9 GitHub stars.

Similar servers

Others in search

View all →

Brave Search MCP Server98

Web and local search using Brave Search API

85.9k 2

Tavily Mcp96

Production ready MCP server with real-time search, extract, map & crawl.

2.0k 4

Open WebSearch96

Multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval — skill-guided workflows, no API keys.

1.2k 4

Firecrawl Mcp95

MCP server for Firecrawl — search, scrape, and interact with the web. Supports both cloud and self-hosted instances. Features include web search, scraping, page interaction, batch processing, and LLM-powered content analysis.

6.3k 5

MCP Security Weekly

Get CVE alerts and security updates for Codevira and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "codevira": {
      "cwd": "/path/to/your-project",
      "args": [],
      "command": "codevira"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/codevira)](https://mcppedia.org/s/codevira)

Read me

What Codevira does

Persistent memory and project context for AI coding agents — context graph, semantic search, decision log, roadmap, and cross-tool continuity via local MCP server

Test This Server

This server supports HTTP transport. Be the first to test it — help the community know if it works.

README

Codevira

One memory layer for every AI coding tool you use. Switch between Claude Code, Cursor, Windsurf, and Antigravity without losing context, decisions, or progress.

Built for solo developers working on local projects with AI agents. Codevira gives every AI tool you use access to the same persistent project memory — so you stop re-explaining your codebase every session, stop losing carefully-made decisions, and stop burning tokens on re-discovery.

Works with: Claude Code · Claude Desktop · Cursor · Windsurf · Google Antigravity · OpenAI Codex · GitHub Copilot · Continue.dev · Aider · any MCP-compatible AI tool

What you get

🧠 One brain across every AI tool. A decision you log in Claude Code shows up in Cursor. Style preferences learned in one session enforce in the next. No per-tool re-onboarding.
🛡️ Active guardrails, not passive notes. Codevira intercepts every AI tool call (Edit, Write, prompt submit, session start). Decisions you mark do_not_revert block silent regressions. Out-of-scope edits get warned. The AI literally cannot undo your protected choices without surfacing the conflict to you first.
⚡ Zero-friction setup. pipx install codevira && codevira setup — auto-detects every AI tool you have and configures all of them. No JSON to hand-edit, no per-IDE script, no team server to spin up.
🔒 Local-first, MIT-licensed. Your decisions, code graph, and learned preferences live in ~/.codevira/ on your machine. No cloud, no account, no telemetry, no SaaS.
📊 Honest measurement. codevira insights shows which past decisions held up vs got reverted across your real git history. codevira budget reports per-session AI token spend. You can audit what the memory layer is actually costing and earning.

The Problem (Four Pains Codevira Solves)

If you code with AI agents on a project longer than a week, you've felt all of these:

1. Re-explaining your codebase every session

Every new chat starts from zero. The AI doesn't know your architecture, your conventions, your "we don't do it that way" decisions. You waste the first 10 minutes (and thousands of tokens) catching it up — only to do it again tomorrow.

2. AI undoing your careful decisions

Last week you debugged a tricky retry policy for 3 hours. Today's AI session refactors it to a simpler version because it has no idea why the complexity exists. Now it's broken again.

3. Cross-tool amnesia

You started planning in Claude Code. Switched to Cursor for autocomplete. Opened Antigravity to run tests. Three different agents, three different blind copies of your project state. Nothing carries over.

4. Token budget burned on re-discovery

Your AI agent reads the same 12 files every session before doing any actual work. You're paying API costs for the same lookups, over and over.

Codevira is a persistent memory layer that fixes all four — for every AI tool, on every project, on your local machine.

What's new in v2.1.2 — trust recovery

v2.1.1 shipped hybrid search (BM25 + semantic) but without a similarity floor, so off-topic prompts kept surfacing irrelevant decisions. v2.1.2 is a trust-recovery release based on four independent field-test reports: every fix restores confidence in something codevira already does.

Area	What changed
Smart similarity threshold	`search_decisions` self-calibrat

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

54/100across 5 weighted dimensions

How we score →

0255075100

−46

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

1 open10 fixed

CVE-2026-6357medium · fixedCVSS 4

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

Affected: >= 0Fixed in 26.1source →

CVE-2026-3219mediumCVSS 4

pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

Affected: >= 0source →

CVE-2026-1703medium · fixedCVSS 4

pip Path Traversal vulnerability

Affected: >= 0Fixed in 26.0source →

CVE-2025-8869medium · fixedCVSS 4

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

Affected: >= 0Fixed in 25.3source →

CVE-2023-5752low · fixedCVSS 3.1

PYSEC-2023-228

Affected: >= 0Fixed in 23.3source →

Inventory

Tools (4)

Click any tool to inspect its schema.

Inventory

Resources (1)

decision_replay

Browse decision timeline as terminal / markdown / HTML; available as MCP resource for Claude Desktop

codevira://decisions

Help improve this page

This server is missing a description.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Codevira safe to use?: Codevira has 1 known CVE tracked by MCPpedia. You can verify these on OSV.dev by searching for "pip". Review the Security section above for details before installing.
How do I install Codevira?: Codevira supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can Codevira do?: Codevira provides 4 tools: get_session_context, get_node, get_impact, search_codebase. See the full tools list on the server page for descriptions and parameters.
What AI clients work with Codevira?: Codevira is compatible with claude-desktop, cursor, claude-code. It uses stdio and http transport.
Is Codevira actively maintained?: Codevira is actively maintained — last commit was 5 days ago. It has 9 GitHub stars.