@sonoma-security/mcp-gateway

v0.1.12

Local MCP gateway for tool-level visibility and enforcement

@sonoma-security/mcp-gateway

Local MCP gateway for tool-level visibility and policy enforcement. Intercepts MCP tool calls, reports telemetry to Sonoma, and enforces allowlist/blocklist policies.

Quick Start

Add to your MCP client config (~/.cursor/mcp.json, Claude Desktop, etc.):

{
  "mcpServers": {
    "sonoma": {
      "command": "npx",
      "args": ["@sonoma-security/mcp-gateway@latest"],
      "servers": {
        "filesystem": {
          "command": "npx",
          "args": ["@modelcontextprotocol/server-filesystem", "/tmp"]
        }
      }
    }
  }
}

On first run, the gateway prompts for OAuth login. That's it - tool calls are now visible in your Sonoma dashboard.

How It Works

AI Client (stdio) -> Sonoma Gateway -> [Upstream MCP Servers]
                           |
                           +-> Telemetry to Sonoma
                           +-> Policy enforcement

The gateway:

  1. Spawns your upstream MCP servers
  2. Aggregates tools (namespaced as serverName__toolName)
  3. Forwards tool calls to the appropriate server
  4. Reports telemetry (tool name, duration, status)
  5. Blocks tools per your org's allowlist/blocklist
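The namespacing, forwarding and blocking steps above, shown as an added JavaScript example (not the gateway's own source). The policy semantics (blocklist wins, a non-empty allowlist denies everything else), the status strings and all function names are assumptions made for illustration.

```javascript
// Added example; not code from @sonoma-security/mcp-gateway.
const SEP = "__";

// Expose every upstream tool as serverName__toolName.
function aggregateTools(upstreams) {
  const out = [];
  for (const [server, tools] of Object.entries(upstreams)) {
    // A separator inside the server name would make routing ambiguous.
    if (server.includes(SEP)) throw new Error(`server name "${server}" contains "${SEP}"`);
    for (const tool of tools) out.push(server + SEP + tool);
  }
  return out;
}

// Split on the FIRST separator so tool names that contain "__" still route correctly.
function resolve(namespaced) {
  const i = namespaced.indexOf(SEP);
  if (i <= 0 || i + SEP.length >= namespaced.length) return null;
  return { server: namespaced.slice(0, i), tool: namespaced.slice(i + SEP.length) };
}

// Assumed semantics: blocklist always wins; a non-empty allowlist denies anything unlisted.
function decide(namespaced, policy) {
  if (policy.blocklist.includes(namespaced)) return "blocked";
  if (policy.allowlist.length > 0 && !policy.allowlist.includes(namespaced)) return "blocked";
  return "allowed";
}

// Enforce policy before forwarding, and return the telemetry record
// (tool name, duration, status) whether or not the call was forwarded.
function handleCall(namespaced, policy, forward) {
  const started = Date.now();
  const target = resolve(namespaced);
  let status;
  if (!target) status = "error";
  else if (decide(namespaced, policy) === "blocked") status = "blocked";
  else {
    try { forward(target.server, target.tool); status = "ok"; }
    catch { status = "error"; }
  }
  return { tool: namespaced, duration: Date.now() - started, status };
}

// Constructed sample: one blocked tool, a no-op upstream.
const DEMO_POLICY = { allowlist: [], blocklist: ["filesystem__write_file"] };
console.log(handleCall("filesystem__write_file", DEMO_POLICY, () => {}));
console.log(handleCall("filesystem__read_file", DEMO_POLICY, () => {}));
```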

Auto-Detection

By default (no arguments), the gateway auto-detects config from:

  • ~/.claude.json (Claude Code)
  • ~/.cursor/mcp.json (Cursor)
  • ~/Library/Application Support/Claude/claude_desktop_config.json (Claude Desktop)
  • ~/.codeium/windsurf/mcp_config.json (Windsurf)

Non-Standard Config Location

If your config is elsewhere, pass --mcp-json-path:

{
  "mcpServers": {
    "sonoma": {
      "command": "npx",
      "args": ["@sonoma-security/mcp-gateway@latest", "--mcp-json-path", "/custom/path/mcp.json"],
      "servers": { ... }
    }
  }
}

Auth Modes

User ID (default)

Opens browser for OAuth on first run. Tool calls attributed to logged-in user.

Org Key

Device-level telemetry via API key. No login required.

"env": {
  "SONOMA_API_KEY": "org_xxx_yyy",
  "SONOMA_GATEWAY_AUTH_MODE": "org_key"
}

CLI

npx @sonoma-security/mcp-gateway@latest --help

# Auth commands
npx @sonoma-security/mcp-gateway@latest --login   # OAuth login
npx @sonoma-security/mcp-gateway@latest --logout  # Clear credentials
npx @sonoma-security/mcp-gateway@latest --status  # Show auth status

# Debug mode
npx @sonoma-security/mcp-gateway@latest --debug

Environment Variables

| Variable | Description |
|----------|-------------|
| SONOMA_ENDPOINT | Sonoma API URL (default: https://app.sonoma.dev) |
| SONOMA_API_KEY | Org API key (for org_key mode) |
| SONOMA_GATEWAY_AUTH_MODE | user_id or org_key |

Limitations

  • Stdio servers only - HTTP MCP servers not supported
  • Nested config - Servers must be nested under the gateway entry
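Both limitations affect coverage: a server listed beside the gateway entry rather than under it is launched by the client directly, so its tool calls never reach the gateway. The added example below (not part of the package) checks a parsed MCP client config for such entries; treating a nested entry without `command` as a non-stdio server is an assumption, and the sample config is constructed.

```javascript
// Added example; not code from @sonoma-security/mcp-gateway.
const GATEWAY_PKG = "@sonoma-security/mcp-gateway";

// An entry is the gateway if one of its args is the package name, with or without a version.
function isGateway(entry) {
  return Array.isArray(entry.args) && entry.args.some(
    (a) => typeof a === "string" && (a === GATEWAY_PKG || a.startsWith(GATEWAY_PKG + "@"))
  );
}

// Return one finding per server whose tool calls the gateway cannot see.
function auditConfig(config) {
  const findings = [];
  const servers = config.mcpServers || {};
  const gateways = Object.entries(servers).filter(([, e]) => isGateway(e));
  if (gateways.length === 0) findings.push({ server: null, issue: "no-gateway-entry" });
  for (const [name, entry] of Object.entries(servers)) {
    // Top-level servers are spawned by the client itself, bypassing the gateway.
    if (!isGateway(entry)) findings.push({ server: name, issue: "not-nested-under-gateway" });
  }
  for (const [gw, entry] of gateways) {
    for (const [name, up] of Object.entries(entry.servers || {})) {
      // Assumption: a nested entry with no "command" (e.g. only a "url") is not a stdio server.
      if (!up.command) findings.push({ server: `${gw}/${name}`, issue: "not-stdio" });
    }
  }
  return findings;
}

// Constructed sample config: one covered server, one nested URL entry, one bypassing server.
const SAMPLE_CONFIG = {
  mcpServers: {
    sonoma: {
      command: "npx",
      args: ["@sonoma-security/mcp-gateway@latest"],
      servers: {
        filesystem: { command: "npx", args: ["@modelcontextprotocol/server-filesystem", "/tmp"] },
        remote: { url: "https://mcp.example.invalid/sse" },
      },
    },
    scratch: { command: "npx", args: ["example-mcp-server"] },
  },
};

console.log(auditConfig(SAMPLE_CONFIG));
```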

Development

# Run tests
bun run test

# Typecheck
bun run typecheck

# Test with MCP Inspector
npx @modelcontextprotocol/inspector bun run src/cli.ts --config ./test-config.json --debug

Releasing

Publishing is automated via GitHub Actions with npm trusted publishing (OIDC).

To release a new version:

  1. Update version in package.json
  2. Commit: git commit -am "chore(mcp-gateway): bump to x.y.z"
  3. Tag: git tag mcp-gateway-vX.Y.Z
  4. Push both: git push origin staging --tags

CI automatically builds, tests, and publishes to npm. No tokens required.

What's automated: build, test, typecheck, npm publish with provenance

What's manual: version bump, git tag, push

License

MIT