npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@vectros-ai/cli

v0.9.0

Published

The Vectros provisioning CLI — `vectros bootstrap` mints a least-privilege MCP credential (ssk_* + AccessProfile + optional blueprint) without the root key. Owns the scope gate (the trust boundary).

Readme

@vectros-ai/cli

npm license

The Vectros provisioning CLI — the vectros binary. Two command groups:

  • vectros bootstrap — provision a least-privilege MCP credential (+ optional blueprint).
  • vectros blueprint — author + inspect blueprints (init / validate / plan / list), creds-free.
  • vectros blueprint-test — apply a blueprint to a live env, assert it provisioned a working credential, then tear it down.
npx -y @vectros-ai/cli bootstrap          # provision a credential
npx -y @vectros-ai/cli blueprint --help   # the authoring commands

Every command has --help. The authoring loop is documented in AUTHORING.md.

vectros bootstrap

Provisions a least-privilege Vectros credential for the @vectros-ai/mcp-server in one command — without your root key and without manual admin-app steps. It:

  • mints a scoped key (ssk_*) for this machine (independently rotatable),
  • creates the matching AccessProfile — data-plane only,
  • optionally scaffolds a use-case blueprint (e.g. task-management: a schema + seed data), and
  • safe-merges the vectros server entry into your MCP client config (claude_desktop_config.json — Claude Desktop, Cursor, Cline), backing up the original first. Pass --client code to target Claude Code instead: it merges the project .mcp.json and prints the equivalent claude mcp add command.
# Interactive — pick a blueprint (or a blank read-only credential), sign in once.
npx -y @vectros-ai/cli bootstrap

# Scripted / agent — token in the env, no prompts.
VECTROS_BOOTSTRAP_TOKEN=… npx -y @vectros-ai/cli bootstrap \
  --blueprint task-management --yes

# Login once, then bootstrap unattended — no token needed; --yes reuses your
# stored `vectros login` session.
npx -y @vectros-ai/cli login
npx -y @vectros-ai/cli bootstrap --blueprint task-management --yes

# Provision a PRODUCTION context: the blueprint's schemas + key, but NONE of its
# illustrative sample records.
npx -y @vectros-ai/cli bootstrap --blueprint task-management --no-seed --yes

# See every flag.
npx -y @vectros-ai/cli bootstrap --help

Re-running is idempotent; --rotate revokes + re-mints just this machine's key.

A bundled blueprint ships with sample seed records so the credential works the moment it's minted. For a production context that's synthetic clutter: --no-seed provisions everything else — the schemas, the AccessProfile and the scoped key — but creates no sample records, leaving the context clean for real data. (Interactively, a blueprint with seeds asks before adding them.) This differs from --blank, which is credential-only and drops the schemas too.

vectros blueprint — authoring (creds-free)

Author and inspect blueprints without an account. You'll run these repeatedly, so install once and drop the npx prefix (npm i -g @vectros-ai/cli, or prefix each command with npx -y @vectros-ai/cli). The inner loop:

vectros blueprint init my-thing                      # scaffold a commented YAML starter
#   …edit ./my-thing.blueprint.yaml…
vectros blueprint validate ./my-thing.blueprint.yaml # structural + scope-gate + lint
vectros blueprint plan     ./my-thing.blueprint.yaml # preview what bootstrap would provision
vectros bootstrap --blueprint ./my-thing.blueprint.yaml   # apply it
  • init — write a starter (--from <bundled> copies an exemplar; --out, --force).
  • validate — structural parse → scope gate → linter. Accepts a file or a bundled name.
  • plan — validate, then a terraform-style preview; mints nothing.
  • list — the bundled library.

Full guide: AUTHORING.md. Format reference: @vectros-ai/blueprints.

vectros blueprint-test — verify it actually provisions (creds-required)

validate/plan check a blueprint statically; blueprint-test proves it end-to-end against a live environment. It applies the blueprint, asserts the result (the app-context + each schema are readable back, and the freshly minted ssk_* authenticates as a scoped key with the requested actions), then tears down what it created — schemas, the AccessProfile, seed records, and the key. Teardown is created-only: anything that already existed before the run is left untouched, so it's safe to point at a shared staging tenant.

# Apply → assert → teardown against staging (sign in first, or pass --token).
vectros blueprint-test ./my-thing.blueprint.yaml --env staging

# Leave the provisioned graph in place to inspect it.
vectros blueprint-test task-management --keep

Exit 0 = applied and every assertion passed; 1 = an assertion failed or apply errored; 2 = no credential, or the blueprint requested control-plane scope. The app-context is intentionally not deleted (it's idempotent and reused).

The scope gate (the trust boundary)

Blueprints are untrusted input (agent- or community-authored) and the CLI runs under an elevated ephemeral bridge token. So the trust boundary is this binary, not the blueprint: a hardcoded scope gate bounds every mint to a data-plane allowlist (records / schemas / search / documents / folders / inference). Any control-plane scope (keys / profiles / users / billing / admin) or * wildcard hard-rejects — the CLI mints nothing and exits non-zero. There is intentionally no override flag.

Rate limits

blueprint-test provisions against the live API, so a large blueprint can brush the per-account per-minute rate limit. The CLI surfaces the 429 (with its Retry-After hint) directly — rerun after the window resets, or split a large blueprint. See the rate limits guide.

See also

Security & trust

Vectros enforces per-customer, fail-closed isolation and least-privilege scoped keys, with a tamper-evident audit and version history. Customer-facing surfaces are hardened through extensive adversarial security review. For the full trust posture, drawn plainly with its boundaries, see the compliance and trust guide.

License

Apache-2.0. See the LICENSE file.