Deterministic IR/IR-LINT validation, policy packs, drift vs exports (archrad). Apache-2.0.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"io-github-archradhq-deterministic": {
"args": [
"-y",
"@archrad/deterministic"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Your architecture drifts before you write a single line of code. archrad validate catches it — deterministically, in CI, before the PR merges.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@archrad/deterministic' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked @archrad/deterministic against OSV.dev.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in developer-tools
A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
Copy/paste detector for programming source code, supports 223 formats. AI-ready with token-efficient reporter, skill and MCP server.
XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
Manage Supabase projects — databases, auth, storage, and edge functions
MCP Security Weekly
Get CVE alerts and security updates for io.github.archradhq/deterministic and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.

Your architecture drifts before you write a single line of code. archrad validate catches it — deterministically, in CI, before the PR merges.
Define your system as a graph. ArchRAD compiles it, lints it against architecture rules, and tells you exactly what's wrong — with rule codes, not opinions.
npm install -g @archrad/deterministic
archrad validate --ir fixtures/demo-direct-db-violation.json
You should see something like (exact wording may vary slightly by version):
⚠️ IR-LINT-DIRECT-DB-ACCESS-002: API node "orders-api" connects directly to datastore node "orders-db"
Fix: Introduce a service or domain layer between HTTP handlers and persistence.
For a smaller graph (single endpoint, no DB edge), try fixtures/minimal-graph.json — you will get different warnings (e.g. health/auth heuristics), not IR-LINT-DIRECT-DB-ACCESS-002.
No IR file yet? Cold-start from an existing OpenAPI spec:
archrad ingest openapi --spec ./openapi.yaml --out ./graph.json
archrad validate --ir ./graph.json
ArchRAD is a blueprint compiler and governance layer. You define your architecture as an IR — nodes, edges, allowed connections — and ArchRAD validates it against a deterministic rule engine. The same IR, the same rules, the same inputs always produce the same findings.
| Command | What it checks | Codes |
|---|---|---|
archrad validate | Graph structure + architecture lint | IR-STRUCT-* IR-LINT-* |
archrad lint | Architecture lint only (fast inner-loop; skips structural) | IR-LINT-* |
archrad explain <code> | Canonical rule guidance without running a pass | — |
archrad policies-sha256 --dir <policies> | Generate a archrad-policy-pack.sha256 manifest for signed PolicyPacks | — |
archrad validate-drift | IR vs generated code on disk | DRIFT-* |
archrad ingest openapi | Derive IR from OpenAPI (local path or https URL for --spec; -H for URL auth headers) | — |
archrad ingest backstage | Backstage catalog-info.yaml → IR (Component, Resource, API, System; Location file targets) | — |
archrad fragment merge | Merge 2+ IR files — union by node.id (conflicts → stderr); --prefix-fragments for disjoint union | — |
archrad export | Compile IR → FastAPI or Express + Docker | — |
Ingest + merge workflows: docs/INGEST.md. All commands / flags: docs/CLI_REFERENCE.md. Codegen (export): docs/EXPORT.md.
archrad reconstruct + --codebase)"The IR looks clean — but is that what was actually shipped?"
The validation pipeline above checks your authored IR (the design contract). The --codebase flag bridges the gap to the real codebase by reconstructing an IR from source code and comparing them.
A developer can author a compliant IR (passes all IR-STRUCT-* and IR-LINT-* rules) while the actual code bypasses the documented architecture. The most dangerous pattern: an IR that shows a clean service layer but code that directly queries the database.
# Catch discrepancies between the authored design and the shipped code
archrad validate --ir authored-ir.json --codebase ./src --report findings.html
When --codebase is provided, the pipeline runs three stages:
Implementation drift uses a **separate