npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

aura-mcp-connect

v0.5.0

Published

Zero-config WebRTC bridge for AURA's on-device MCP server. Lets any MCP client (Claude Code, VS Code, Cursor, Cline, Windsurf, Zed, custom SDK agents) talk to the AURA Android app from anywhere — no IP addresses, no firewall rules, no certificates. End-to

Readme

aura-mcp-connect

A zero-config WebRTC bridge for AURA's on-device MCP server.

Lets any MCP-capable client — Claude Desktop, VS Code (Copilot MCP), Cursor, Cline, Windsurf, Zed — talk to AURA completely wirelessly from anywhere in the world, securely, without fighting firewalls or configuring IP addresses.

Architecture & Security Model

This bridge implements a true production-grade WebRTC edge stack for connecting IDEs to mobile devices:

  1. Persistent Device Pairing: The phone generates a random 6-digit PIN. The PC proxy uses this PIN once to exchange a secure clientToken and a permanent deviceId over Firebase. The PC saves this token to ~/.aura/webrtc.json.
  2. Device Approval: On the first connection, the phone intercepts the connection and prompts the user via an Android UI popup (Approve PC Client?). If approved, the phone saves the PC as a Trusted Client.
  3. Seamless Reconnects: On all future IDE restarts, the connection happens instantly and silently in the background without any new PINs or UI popups.
  4. NAT Traversal (STUN + TURN): Both devices use Google's STUN to punch through local NATs/routers. If STUN fails (e.g. strict corporate firewalls), it seamlessly falls back to a public TURN relay.
  5. End-to-End Encryption (DTLS/SCTP): Once the peer-to-peer connection is established, the actual MCP JSON-RPC data flows directly between your PC and your phone. The data is always encrypted end-to-end via WebRTC's mandatory DTLS encryption.

Installation

For a production setup, install the bridge globally on your PC:

npm install -g aura-mcp-connect

Usage

Open the Aura UI app on your phone, tap Start WebRTC, and note the 6-digit PIN.

Configure your MCP client (e.g. Cursor, Claude Desktop) with the following JSON. You only need to provide the PIN once for the initial pairing:

{
  "mcpServers": {
    "aura-android": {
      "command": "aura-mcp",
      "args": [
        "--pin=123456"
      ]
    }
  }
}

Whenever the session ends or you restart your IDE, it will connect automatically. You do not need to generate a new PIN — drop the --pin arg entirely and the saved pairing in ~/.aura/webrtc.json is reused:

{
  "mcpServers": {
    "aura-android": { "command": "aura-mcp", "args": [] }
  }
}

Arguments

| Argument | Description | |---|---| | --pin | The 6-digit PIN generated by the Aura app. Required for the first pairing; omit it afterwards to reuse the saved pairing. |

Failure modes & limitations

| What happens | What you see | |---|---| | Incorrect PIN or phone offline | WebRTC signaling timed out waiting for answer from phone | | Strict Corporate Firewall blocks UDP | WebRTC fails to establish ICE connection (STUN blocked) | | First-time pairing not approved quickly | The free public TURN relay drops an unapproved idle channel after ~20–30 s, so the connection closes before you tap Approve. Approve promptly on the first pairing. After that, the saved trusted token auto-approves with no dialog, so this never applies to reconnects. For production, point both ends at a dedicated TURN server with a longer idle timeout. |

Security model

Signalling flows through Firebase Realtime Database, but the actual MCP traffic is end-to-end encrypted over WebRTC DTLS and never touches Firebase. Access control is known-key: the RTDB rules (database.rules.json at the repo root) block listing of the pins/devices collections, so an attacker cannot enumerate active PINs or device IDs — they can only reach a node whose exact 6-digit PIN (short-lived, consumed on use) or 122-bit device UUID they already hold. Deploy those rules before exposing the project; for stronger guarantees, enable Firebase Anonymous Auth and require auth != null.

All log output goes to stderr, never stdout — stdout is reserved strictly for MCP JSON-RPC frames.

License

MIT. See LICENSE.