deepwork
This server provides a quality-gated, evidence-first workflow for managing coding tasks, enforcing a structured cycle: inspect, plan, implement, verify, and gate completion.
task_begin: Register a new task by recording its objective, acceptance criteria, workspace root, and optional metadata (non-goals, assumptions, constraints, allowed/protected paths) — establishing the contract before any code changes occur.inspect_repository: Perform a deterministic, read-only inventory of the repository using ripgrep, Git, manifests, and symlink/junction scans, producing a concise snapshot of the codebase before implementation begins.record_plan: Persist a structured, step-by-step implementation plan — including files to change, verification commands, and risks — after inspection and before any writes are permitted, enforcing plan-before-code discipline.run_verification: Execute a single planned test, lint, build, or check command (without a shell), fingerprinting the workspace before and after to detect unexpected mutations; also allows recording evidence that no executable tests apply.task_status: Return the append-only evidence log and current quality-gate stage for a given task (read-only).final_gate: Evaluate the final quality gate, refusing PASS unless inspection, plan, post-change verification, diff summary, and acceptance evidence for every defined criterion are all present.
Provides a quality and safety layer for Windsurf's Cascade, enabling evidence-first development cycles with multi-model execution via Arena mode, task management, and verification gates.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@deepworkrun deep-build on the authentication module"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Deepwork for Windsurf
Documentation · Security policy · Research matrix
Independent community project. Deepwork is not affiliated with or endorsed by Cognition, Windsurf, or Devin.
Deepwork is a quality-and-safety layer for Cascade. It makes difficult coding work follow an evidence-first cycle—inspect, contract, plan, implement, test, review, and only then claim completion—and uses Windsurf's native Arena mode for genuine multi-model execution.
It addresses the fixable parts of the recurring problems summarized in research/problem-matrix.md: shallow repository scans, lost requirements, broad edits, repair loops, missing tests, unsupported “done” claims, unsafe paths, MCP configuration risk, and weak durable state.
Components
.windsurf/skills/deep-build/: the reusable@deep-buildprocedure and focused playbooks..windsurf/workflows/deep-build.md: the explicit/deep-buildrunbook..windsurf/workflows/deep-review.md: an independent candidate-review runbook..windsurf/rules/deep-build.md: short always-on behavioral constraints..windsurf/hooks.json: fail-closed pre-action policy and metadata-only post-action audit hooks.src/: a six-tool localdeepworkMCP plus CLI, user-global locked state, content-fingerprinted verifier, and hook engine.scripts/install.ps1: idempotent global installation with ownership metadata, predecessor restoration, atomic config writes, and path-link defenses.
Related MCP server: sumo-qa
Honest boundary
An MCP can expose tools to Cascade; the documented interface cannot switch Cascade's selected Windsurf-hosted model, launch another Cascade, or start Arena. Native Arena Mode is the supported path that runs multiple Windsurf models and charges their credit multipliers additively.
Deepwork mitigates but cannot repair provider outages, editor crashes, billing/refund policy, finite model context, Enterprise allowlists, host MCP bugs, or editor vulnerabilities. The July 8, 2026 GhostApproval disclosure demonstrated a Windsurf trust-boundary failure; check the vendor's current remediation status before relying on any editor-level approval UI. Do not open untrusted repositories with privileged host access merely because these guards are installed. Hooks run before host actions and therefore cannot remove filesystem time-of-check/time-of-use races. Use low-privilege OS isolation for untrusted repositories.
Build and test
npm ci
npm test
node src/cli.js doctorThe current automated suite covers 51 cases, including real stdio initialization/tool discovery, an external-project task through stdio, official hook payloads, fail-closed internal errors, hardlink/link escapes, Windows short-path aliases and PowerShell encodings, trajectory isolation, hostile command forms, repeat writes, verification-time mutations, stale same-file/untracked changes, every planned command, and final Git scope enforcement.
Install globally
Clone and validate the package from PowerShell before opening the clone as a Windsurf workspace; the repository contains fail-closed hook configuration whose runtime dependencies must exist first.
npm ci
npm run check
powershell -NoProfile -ExecutionPolicy Bypass -File .\scripts\install.ps1The installer:
stages and atomically installs a runtime under
~\.codeium\windsurf\deepwork-runtime;installs the global skill and workflows;
appends a bounded managed block to
global_rules.md;merges global hooks without removing existing hooks;
merges one
deepworkentry intomcp_config.json;stores an ownership manifest and predecessor backups under
~\.codeium\windsurf\deepwork-backups, proves the Windows hook launcher, and runs the state/hook/stdio doctor.
Runtime task events and transcript metadata are stored outside projects under ~\.codeium\windsurf\deepwork-state, keyed by the canonical workspace. A repository .deepwork/task.md is used only as the explicit fallback when the MCP is unavailable and should not be committed.
Uninstall intentionally retains deepwork-state as audit/continuity data. Review and remove that directory manually only when its retention is no longer wanted.
Enterprise administrators may still need to enable or allowlist the MCP. Windsurf was not installed in the machine environment where this package was built, so local MCP protocol, hooks, state, and verification can be tested here, while UI discovery and Enterprise policy must be checked in the photographed Windsurf installation.
Use
For a normal complex task:
Ensure the repository is initialized in Git and preserve/commit the intended baseline.
Invoke
/deep-buildand mention@deep-buildin Cascade. The workflow creates an explicit task ID and passes the exact project root; both are required.Let the workflow call the
deepworktools and obey blocking hooks. Direct agent terminal execution is limited to read-only inspection; planned tests/builds run through the approval-bearing verifier. Foreign MCP tools are denied by default unless their exactserver/toolidentity is deliberately allowlisted.
For deliberate multi-model use of the Enterprise credit pool:
Open the model picker and enter Arena.
Select two strong, different models currently available to the account; avoid Adaptive when deliberate frontier-model comparison is the goal.
Send the same
/deep-build @deep-buildtask to both isolated candidates.Compare repository evidence, diffs, tests, and risk; select a winner.
Run
/deep-reviewwith the retained Arena models, resolve high-severity findings, and requiredeepwork.final_gateto pass.
Use additional prompts for distinct investigation, implementation, or adversarial-review phases—not for repetition without new evidence.
Completion states
Verified: the task contract, inspection, plan, actual Git scope, acceptance evidence, every planned command, and the current content fingerprint passed the final gate.Partially verified: useful work exists, but a relevant check was skipped, unavailable, or manual.Blocked: evidence contradicts completion or a required decision/platform capability is unavailable.
If the MCP/final gate is unavailable, the maximum honest status is Partially verified, even when repository-native tests pass.
WhatsApp and remote control
This repository does not include a WhatsApp bot, hosted API, database, or remote Windsurf controller. The local MCP needs direct access to the repository filesystem, and native Arena is started manually in Windsurf. The documentation site explains a safe companion architecture for notifications or a separately built, authenticated job service without pretending those cloud components already exist here.
License status
The repository is publicly visible, but no software license has been selected. Public visibility alone does not grant reuse, redistribution, or derivative-work rights. Keeping that legal decision explicit avoids silently choosing a license on the owner's behalf.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/saisharan0103/windsurf-deepwork'
If you have feedback or need assistance with the MCP directory API, please join our Discord server