npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@r4-sdk/mcp

v1.0.4

Published

Official R4 MCP server — zero-trust secret retrieval and project metadata for agent runtimes

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

r4-sdkr4-sdk

Keywords

r4mcpmodel-context-protocolsecretszero-trustagent

Readme

@r4-sdk/mcp

Official R4 MCP server for local agent runtimes. It wraps the existing zero-trust R4 SDK and machine API so MCP clients can:

  • verify local R4 auth/setup
  • inspect the current machine principal, tenant binding, and capability constraints
  • list accessible vaults
  • inspect vault-item metadata
  • search secret names
  • retrieve a specific decrypted secret value
  • inspect accessible project metadata
  • call arbitrary authenticated machine API routes when the higher-level tools do not cover a workflow

This package is intentionally a local stdio MCP server. It keeps the RSA private key on the agent host and uses the existing AGENT API key + local private key runtime flow.

Install

npm install -g @r4-sdk/mcp

You can also run it without a global install:

npx -y @r4-sdk/mcp

Required Environment Variables

| Variable | Required | Description | | --- | --- | --- | | R4_API_KEY | Yes | AGENT API key in {accessKey}.{secret} format | | R4_PRIVATE_KEY_PATH | Yes* | Absolute path to the local PEM-encoded RSA private key | | R4_PRIVATE_KEY | Yes* | Inline PEM-encoded RSA private key; use instead of R4_PRIVATE_KEY_PATH when needed | | R4_BASE_URL | No | API base URL, defaults to https://r4.dev | | R4_PROJECT_ID | No | Optional project filter for vault access | | R4_TRUST_STORE_PATH | No | Optional path to the local trust-store JSON |

* Provide either R4_PRIVATE_KEY_PATH or R4_PRIVATE_KEY.

Example MCP Client Config

{
  "mcpServers": {
    "r4": {
      "command": "npx",
      "args": ["-y", "@r4-sdk/mcp"],
      "env": {
        "R4_API_KEY": "agent_access_key.secret",
        "R4_PRIVATE_KEY_PATH": "/absolute/path/to/agent-private-key.pem"
      }
    }
  }
}

Available Tools

  • r4_auth_status — Validate the current R4 MCP configuration and return vault/secret counts plus machine scope/context/capabilities
  • r4_list_vaults — List accessible vaults
  • r4_list_vault_items — List vault-item metadata across one vault or all visible vaults
  • r4_search_secrets — Search decrypted secret keys by name without returning values
  • r4_get_secret — Return one decrypted secret value by exact key
  • r4_list_projects — List accessible projects
  • r4_get_project — Get one project's detail payload
  • r4_machine_request — Call any authenticated machine API route; this may perform writes and may return sensitive machine payloads

r4_machine_request is the escape hatch for newer headless features. Prefer the specialized tools first when they already express the workflow you need.

Development

pnpm run build
pnpm run test
pnpm run test:pack