INTEGRATION · CLAUDE CODE
Add one MCP server and Claude Code gets a QA engineer it can call. The agent drives a real browser; plain code grades the evidence. Free first audit, no card.
Free audit — no signup, no card. The same run Claude Code triggers through MCP.
We pointed this audit at 49 Show HN launches: 78% had a critical bug on day one.
Claude Code can write the feature, but it can't tell you whether the deployed page actually works. Out of the box it has no way to load your site in a browser, watch the network, and check that the analytics fired or the form submitted. You're left running the smoke test by hand — or wiring Claude Code up with Playwright MCP and then writing and grading the tests yourself.
Prufa ships a dedicated QA MCP server that hands
Claude Code a finished QA tool, not
raw browser primitives. When the agent calls
prufa_run_audit({url}), a managed agent loop opens a
real browser, navigates the public pages, and records
everything over CDP — every analytics beacon, console error, cookie,
response code, and a DOM snapshot. Then
deterministic code grades the captured evidence against
declarative specs. The LLM navigates; it never decides whether a
beacon is correct or a link is broken — captured traffic is asserted
against a spec, so the same input gives the same verdict.
That separation is what makes a verdict Claude Code can act on. See how Prufa verifies a flow without letting the model grade the result.
Two moves to add the tool, one ask to get a verdict — then the evidence, not the model, keeps the score.
Install it with pip install prufa-mcp, then register it: claude mcp add prufa --transport stdio -- prufa-mcp. Flags go before the server name; everything after -- is the launch command Claude Code spawns. No key needed for the free audit.
In the agent, say “audit https://yourapp.com with Prufa.” It calls prufa_run_audit, which blocks (wait=true, up to ~90s) while a real browser loads the pages and captures network traffic, console output, cookies, and response codes.
The tool returns the JSON report and a share_token. Six sections graded A–F — Works, Fast, Found, Measured, Accessible, Compliant — plus an ungraded Flows section. Counts and grades come from VERIFIED findings only; ADVISORY observations are labeled and excluded. There is no composite 0–100 score — we don't fake precision.
Real, copy-pasteable. Install the server, then add it over stdio — or
hand-edit a committable .mcp.json at your repo root.
{
"mcpServers": {
"prufa": {
"command": "prufa-mcp",
"env": { "PRUFA_API_TOKEN": "prk_..." }
}
}
} Official Claude Code MCP docs --transport, --env, --scope and --header must precede prufa; everything after -- is the command Claude Code launches. Scopes: local (default, personal), project (writes the shareable .mcp.json above), user (all your projects). (Source: code.claude.com/docs/en/mcp.)prufa_run_audit and prufa_get_report work anonymously — PRUFA_API_TOKEN is optional and only for persistent tiers. The key is a workspace bearer token (prk_...): an agent can self-provision a free, no-card trial via prufa_setup_workspace (it just needs the human's email), or a human can mint one in the dashboard for a persistent tier.prufa-mcp is a stdio server published on PyPI (pip install prufa-mcp or pipx install prufa-mcp, console script prufa-mcp). The pip install + -- prufa-mcp launch command is the verified setup — Claude Code passes everything after -- through untouched. (An npx/uvx one-liner is planned for when the package is published to npm; until that lands, use pip.)prufa_run_audit / prufa_get_report tools are the stable, no-key path; persistent tools are gated server-side.--transport http; a hosted Prufa MCP endpoint is the path for that. The pip-installed stdio server above is the verified setup today.Two tiers, never interleaved. VERIFIED findings carry a Geist Mono evidence line and a severity chip; ADVISORY observations are labeled opinion and count toward nothing.
The build ships blind — no events fired across the public pages (the most common critical in our 49-launch audit, 38 of 49).
Search engines are told the real page lives somewhere else.
No CSP means a single injected script can run unchecked.
A user (or your agent's next step) hits a dead end.
A judgment call, not a verified fact — excluded from every count and grade.
The questions a developer asks before handing Claude Code a new tool — including where the alternative wins.
Different jobs. Playwright MCP gives Claude Code raw browser primitives — click, type, navigate — and you still author and judge the test. Prufa returns a verdict: the agent loop drives the browser, then deterministic code grades the captured evidence and labels each finding VERIFIED or ADVISORY. If you want fine-grained browser control, Playwright MCP wins. If you want a trustworthy pass/fail without writing assertions, use Prufa. Many people run both. More: agentic testing vs scripted testing.
The agent loop only navigates and drives the browser. Grades and severity counts are computed by deterministic code from captured evidence — the LLM never judges whether a finding is real, so the verdict is reproducible (regression-tested against a golden fixture site). LLM-judged observations ship as a separate, labeled ADVISORY tier and count toward nothing. There is no composite 0–100 score; we don't fake precision.
Honest limits: the free audit walks public pages, not authenticated flows — login/checkout flows use prufa_create_flow / prufa_run_flow and need a card-first paid workspace. Prufa does not scan for exposed secrets. Full-auto discovery is gated, not a one-call feature. The evidence-gated AI-VERIFIED path currently lives in the Gremlin chaos modality, not the standard audit — in a standard audit the lone LLM check stays advisory.
What developers ask before adding a QA MCP server to Claude Code.
It is a Model Context Protocol server that gives Claude Code a QA tool it can call mid-task. Prufa's MCP server (prufa-mcp) exposes tools like prufa_run_audit and prufa_get_report. Once added, Claude Code can point a real browser at a URL, capture network traffic, console errors and cookies, and read back a graded verdict — without you leaving the agent or writing a test.
Two steps: install the server (pip install prufa-mcp), then register it — claude mcp add prufa --transport stdio -- prufa-mcp. Flags (--transport, --env, --scope) go before the server name; everything after -- is the launch command. Use --scope project to write a shareable .mcp.json at your repo root. The free audit needs no key — add --env PRUFA_API_TOKEN=prk_... only for persistent tiers (flows, monitors) — the agent can self-provision a free, no-card trial token by calling prufa_setup_workspace with the human's email, or a human mints one in the dashboard for a paid workspace.
Yes. prufa-mcp is open source (Apache-2.0, GitHub prufa-dev/prufa-mcp) and its core audit tools run with no key and no card. prufa_run_audit on a public URL returns a JSON verdict anonymously — the free 60-second audit is the first tool call. Persistent tools (saved flows, deploy monitors) are gated server-side and start on the paid tiers; a free-tier call to them returns the API's checkout hint.
Yes, within honest limits. Through prufa_run_audit Claude Code runs a real-browser audit of public pages and reads six graded sections plus findings as JSON. Authenticated flows (login, checkout) use prufa_create_flow and prufa_run_flow and require a card-first paid workspace. The free audit walks public pages only; it does not scan for exposed secrets, and full-auto discovery is gated, not a one-call feature.
Try the free 60-second audit
from the browser first — same run Claude Code triggers through
MCP, no card. Then install prufa-mcp, add it with one
claude mcp add, and let the agent verify what it just built.
Prefer to call Prufa straight from your own code? The same audit runs over the
HTTP API. The
free audit tools (prufa_run_audit, prufa_get_report)
need no key; saved flows, deploy monitoring and the full MCP tool set start on
the paid tiers — see
pricing.