npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@unfragile/mcp-server

v0.7.0

Published

Unfragile MCP Server — verify-before-invoke trust resolver + agent-native discovery and routing for AI artifacts. Implements the Unfragile Capability Protocol v1.

Readme

@unfragile/mcp-server

Query the Unfragile match graph from any AI agent. Find AI artifacts, discover MCP servers, assemble stacks, compare alternatives, and fetch trust passports. Every query feeds the graph.

Unfragile is built for the agent era: humans click links, agents call capabilities. This server gives Claude Code, Cursor, Windsurf, Claude Desktop, and custom MCP clients a runtime discovery and trust layer for AI artifacts.

Install

Claude Code

claude mcp add unfragile -- npx -y @unfragile/mcp-server

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "unfragile": {
      "command": "npx",
      "args": ["-y", "@unfragile/mcp-server"]
    }
  }
}

Cursor

Add to .cursor/mcp.json:

{
  "mcpServers": {
    "unfragile": {
      "command": "npx",
      "args": ["-y", "@unfragile/mcp-server"]
    }
  }
}

Windsurf

Add to ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "unfragile": {
      "command": "npx",
      "args": ["-y", "@unfragile/mcp-server"]
    }
  }
}

Verify before you install (CLI guard)

Don't add an MCP server blind. Verify it first — identity, known security incidents, data-access risk, and cross-vendor reputation, in one signed verdict. Install the unfragile CLI once:

npm i -g @unfragile/mcp-server
# Check a target before installing
unfragile verify mcp:@modelcontextprotocol/server-postgres

# Guard a real install — runs the command only if the target isn't FLAGGED
unfragile guard -- claude mcp add pg -- npx -y @scope/pg-mcp

No global install? Run it on demand with npx -p (note: -p, not the bare package form):

npx -p @unfragile/mcp-server unfragile verify npm:postmark-mcp

The guard wrapper extracts the install target from your claude mcp add / cursor mcp add / npx command, verifies it, and blocks on a flagged verdict (known-bad package, exfiltration, typosquat) unless you pass --force. Every verdict is Ed25519-signed and audit-logged — defensible evidence for compliance (EU AI Act Annex III logging/oversight).

Verdicts: trusted · caution · unverified · flagged.

Tools

Verify (the trust resolver)

| Tool | Description | |------|-------------| | unfragile_verify | Call BEFORE invoking or installing any tool/MCP server. Returns a signed verdict (trusted/caution/unverified/flagged) from identity + typosquat checks, the MCP CVE/incident registry, structural data-access risk, and cross-vendor match-graph reputation. Do not invoke anything that comes back flagged. |

Resolve (the headline call)

| Tool | Description | |------|-------------| | unfragile_resolve | Sprint 4.0 headline. Resolve an agent intent into the single best AI artifact to invoke, with an invocation-ready snippet, an Ed25519-signed trust passport, and ranked alternatives. The outside calibration layer for agent tool selection. |

Example:

// From any MCP-compatible agent
await mcpClient.callTool("unfragile_resolve", {
  intent: "send email from agent",
  context: { language: "typescript", deploymentTarget: "vercel" },
});

// Returns the single best match with:
// - Invocation snippet ready to copy/paste
// - Ed25519-signed trust passport (offline-verifiable)
// - Top 3 alternatives with why_alternative
// - matchConfidence score

Use unfragile_resolve when an agent has decided WHAT it wants to do and needs to choose WHICH artifact to call. Use search (below) when an agent needs to browse alternatives rather than commit to one.

Discovery and trust (human-readable)

| Tool | Description | |------|-------------| | search | Find AI tools by intent. "best framework for building AI agents" | | find_mcps | Discover MCP servers by capability. "Postgres + Slack integration" | | get_artifact | Get full details + capabilities for a specific artifact | | resolve_capability | Resolve a capability://... URI to ranked trusted artifacts (GET-based, formatted) | | trust_passport | Get machine-readable trust evidence: capability URIs, permissions, data access risk, failure modes | | compare | Compare two artifacts side-by-side | | find_stack | Assemble a complete harness stack for a use case | | feedback | Report success/failure to improve future routing | | subscribe | Watch for new artifacts matching a capability need | | unsubscribe | Cancel a monitor |

Capability Protocol v1 (raw JSON, machine-readable)

| Tool | Description | |------|-------------| | unfragile_validate | Validate an unfragile.yml manifest against the Capability Protocol v1 schema. Returns errors, warnings, and the parsed manifest. | | unfragile_passport | Fetch the raw trust_passport_v1 JSON for an artifact by slug. Suitable for programmatic policy checks. | | unfragile_resolve_capability | Resolve a capability:// URI or natural-language intent into ranked artifacts as raw JSON. Optional inline passports for one-call decisioning. |

Learn more about the protocol: https://unfragile.ai/protocol.

Examples

Once installed, ask your agent:

  • "Find me MCP servers for Postgres and Slack"
  • "Resolve capability://database.postgres.query.readonly"
  • "What's the best framework for building AI agents?"
  • "Compare LangChain vs CrewAI"
  • "Get the trust passport for Cursor"
  • "I'm building a customer support agent — what tools do I need?"
  • "Get details on Cursor's capabilities"

How it works

The MCP server calls the Unfragile API under the hood. Search and stack queries become match records in the graph. Trust passport requests use /api/v1/passport/{slug} to return artifact identity, capability URIs, constraints, permissions, data access risk, observed outcomes, and UnfragileRank evidence.

13,160 active AI artifacts. 106,955 capabilities. 24 populated software categories. The match graph for AI.

Environment Variables

| Variable | Description | Default | |----------|-------------|---------| | UNFRAGILE_API_URL | API base URL | https://unfragile.ai | | UNFRAGILE_API_KEY | API key for higher rate limits | (none) |

License

MIT