npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@authpass.ai/mcp

v0.1.1

Published

Model Context Protocol server for AuthPass — query findings and submit false-positive feedback from Claude Code.

Readme

@authpass.ai/mcp

A Model Context Protocol server for AuthPass. It lets you query AuthPass findings and submit false-positive feedback directly from Claude Code — no dashboard round-trips:

"Hey Claude, review the AuthPass findings on this PR and dismiss the false positives."

The server is a thin wrapper over the AuthPass REST API. Every call is authenticated with your Personal Access Token (PAT).

Tools

| Tool | What it does | REST endpoint | |---|---|---| | list_pr_findings(pr_url) | Open findings for a pull request URL | GET /api/v1/findings?pr_url=… | | list_open_findings(repo?, severity?) | Open findings, optionally filtered by repo / severity | GET /api/v1/findings?… | | submit_feedback(finding_id, verdict, reason_code, reason_detail?) | Record a triage verdict (e.g. mark a false positive) | POST /api/v1/findings/{id}/feedback | | get_repo_context(repo) | The repo's .authpass/context.yaml (trust boundary, admin routes, compliance, dev-only paths) | GET /api/v1/repositories/{repo}/context | | regenerate_context(repo) | Manually trigger context regeneration — scores two candidate contexts against existing findings and opens a PR with the better one | POST /api/v1/repositories/{repo}/context/regenerate |

verdict is one of false_positive, wont_fix, confirmed.

reason_code is required and is one of:

| code | meaning | |---|---| | out_of_scope | Code path doesn't run in prod (dev scripts, tests, examples) | | compensating_control | Mitigated upstream (backend ABAC, WAF, IdP, gateway) | | authorized_pattern | Intentional, permission-gated access (admin views, support tools) | | compliance_required | The "violation" is mandated by FERPA/HIPAA/SOC2/etc. | | other | Free-text only — use reason_detail to explain |

Setup

1. Mint a Personal Access Token (PAT)

  1. Sign in to the AuthPass dashboard.
  2. Go to Settings → API.
  3. Click Create API key, give it a name (e.g. claude-code-laptop), and create it.
  4. Copy the token immediately — it starts with ap_live_ and is shown only once. AuthPass stores only a hash; you cannot retrieve it later. (Tokens default to a 90-day expiry and can be revoked anytime from the same screen.)

Prefer the API? POST /api/v1/api-keys with your dashboard session returns the token once in its response.

2. Add the server to Claude Code

Add this to your Claude Code MCP config (claude mcp add or your .mcp.json / settings):

{
  "mcpServers": {
    "authpass": {
      "command": "npx",
      "args": ["-y", "@authpass.ai/mcp"],
      "env": {
        "AUTHPASS_API_KEY": "ap_live_...",
        "AUTHPASS_API_URL": "https://api.authpass.ai"
      }
    }
  }
}

| Env var | Required | Default | Notes | |---|---|---|---| | AUTHPASS_API_KEY | yes | — | Your ap_live_… PAT. The server exits with a clear message if it's missing. | | AUTHPASS_API_URL | no | https://api.authpass.ai | API base. You may include or omit the /api/v1 suffix — both work. |

AUTHPASS_API_KEY must live in the MCP server's env block (above), not in a .env file. Claude Code launches the MCP server as a subprocess and does not load .env files, so a key sitting in .env is never seen and every call fails with Invalid API key. Put it in the env block shown above, or export it in the shell that launches Claude Code (export AUTHPASS_API_KEY=ap_live_…) and reference it from the config — e.g. drop the env value and let the inherited shell environment provide it.

If the default URL doesn't reach your AuthPass instance, set AUTHPASS_API_URL explicitly. The default https://api.authpass.ai targets the hosted AuthPass API. Self-hosted or differently-routed deployments should point this at their own base (with or without the /api/v1 suffix).

Restart Claude Code (or reload MCP servers). You should see the authpass tools become available.

3. Sample prompts

Once configured, try:

  1. Triage a PR:

    "Use AuthPass to list the open findings on https://github.com/acme/web/pull/128, then explain which look like real issues versus false positives."

  2. Dismiss false positives with rationale:

    "These AuthPass findings are all in tests/ fixtures and never run in prod. Submit false_positive feedback for each with reason_code out_of_scope."

  3. Review a repo's posture before triaging:

    "Show me the AuthPass context for acme/web, then list all open high-severity findings and flag any that contradict the repo's declared trust boundary."

Errors

If your PAT is invalid, expired, or revoked, tools return a clean error message telling you to mint a new key under Settings → API — never a stack trace. Network failures (wrong AUTHPASS_API_URL, no connectivity) report the unreachable URL.

Development

npm install
npm run build        # compile TypeScript → dist/
npm test             # build + smoke test + integration test (mock API)
  • src/index.ts — entry point; sets up the MCP server over stdio.
  • src/client.ts — typed REST client wrapping the AuthPass API.
  • src/tools.ts — the four tool definitions and handlers.
  • test/smoke.mjs — drives the built server over stdio (initialize, tools/list, tools/call).
  • test/integration.mjs — runs every tool against a local mock API and asserts each hits the right endpoint.