npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

lkpgestao-mcp

v0.7.0

Published

MCP server for LKPGestão — exposes the CEO cockpit API to Claude Cowork as tools and prompts.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

denisvandradedenisvandrade

Keywords

mcpmodel-context-protocolclaudecoworklkpgestao

Readme

lkpgestao-mcp

MCP server for LKPGestão — exposes the CEO cockpit API to Claude Cowork / Claude Desktop as tools and prompts.

  • 31 tools covering resources, projects, opportunities (full CRUD incl. 11 writes across opp / activity / contact), clients, helpdesk, billing, alerts, CEO weekly report, and 3 composites (lkp_skill_match, lkp_weekly_brief, lkp_timesheet_anomalies).
  • 5 slash prompts: /weekly-brief, /morning-standup, /opportunity-action, /consultant-investigation, /pipeline-health-check.
  • Stdio JSON-RPC transport, zero network exposure.
  • Structured stderr logs (pino) with token redaction; never leaks Authorization headers.

Requirements

  • Node.js ≥ 20 (ships fetch natively).
  • A Bearer token from LKPGestão at /settings/api-tokens with the scopes you need (read:* + write:opportunities for the full catalog).

Install (Claude Desktop / Cowork)

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "lkpgestao": {
      "command": "npx",
      "args": ["-y", "lkpgestao-mcp"],
      "env": {
        "LKP_API_BASE_URL": "https://lkpgestaodev.linkupconsultoria.com",
        "LKP_API_TOKEN": "<paste token from /settings/api-tokens>",
        "LKP_LOG_LEVEL": "info"
      }
    }
  }
}

Restart the client. First launch downloads the package via npx.

Configuration

| Var | Required | Default | Description | |---|---|---|---| | LKP_API_BASE_URL | ✓ | — | HTTPS base URL (trailing slashes stripped). HTTP is rejected. | | LKP_API_TOKEN | ✓* | — | Bearer token (without Bearer prefix). *Required unless LKP_API_TOKEN_KEYCHAIN_SERVICE is set. | | LKP_API_TOKEN_KEYCHAIN_SERVICE | | — | macOS only. Service name in the Keychain (-s flag of security find-generic-password). Used when LKP_API_TOKEN is absent. | | LKP_API_TOKEN_KEYCHAIN_ACCOUNT | | — | Optional account name (-a flag) to disambiguate Keychain entries. | | LKP_LOG_LEVEL | | info | trace/debug/info/warn/error/fatal/silent | | LKP_REQUEST_TIMEOUT_MS | | 10000 | Per-request HTTP timeout. | | LKP_RETRY_ATTEMPTS | | 2 | Retries on 5xx/network. 429 is retried once honoring Retry-After. | | LKP_CACHE_TTL_SECONDS | | 30 | Reserved for future read cache. |

Develop from source

git clone https://github.com/denisvandrade/lkpgestao-mcp.git
cd lkpgestao-mcp
npm install
npm run typecheck
npm test            # 54 unit tests (errors, config, keychain, http-client incl. DELETE/204 + Retry-After cap, logger redaction, timesheet detectors)
npm run build       # dist/index.js (ESM, shebang, ~59 KB)
node dist/index.js  # speaks MCP on stdio

Loading the token from macOS Keychain

To avoid storing the token in plaintext inside the MCP client config, use Keychain instead:

# Store once (prompts for the token)
security add-generic-password -s lkpgestao-mcp-token -a "$USER" -w

Then point the config at the Keychain entry — no secret touches disk:

{
  "mcpServers": {
    "lkpgestao": {
      "command": "lkpgestao-mcp",
      "env": {
        "LKP_API_BASE_URL": "https://lkpgestaodev.linkupconsultoria.com",
        "LKP_API_TOKEN_KEYCHAIN_SERVICE": "lkpgestao-mcp-token"
      }
    }
  }
}

The server shells out to /usr/bin/security at startup. If the lookup fails (item missing, user cancels the Keychain prompt), startup aborts with a clear error.

Security

  • Token is loaded once at startup; never written to logs or tool results.
  • pino redaction covers authorization, token, bearer fields in any log record — verified by integration tests that capture stderr and assert the token value never appears (including under headers.*, env.*, and child loggers).
  • Keychain resolution uses execFileSync("security", [...]) with args as an array — service/account names are passed verbatim to the security binary; no shell interpretation, no injection surface.
  • Retry-After values are capped at 60 s — a hostile or misconfigured server returning Retry-After: 99999 cannot hang the process for hours.
  • Every request sends X-Request-ID (UUID v4) for cross-correlating stderr lines with API-side traces.
  • Write tools (opportunity create/update/archive, activity add/update/delete, contact attach/update/detach, plus the pre-existing lkp_opportunity_activity_add and lkp_opportunity_update) require explicit user approval in the prompt contract — the server does not gate; the slash prompts and tool descriptions instruct the LLM to summarize and wait for confirmation before every destructive or state-changing call.

License

UNLICENSED — internal LKP Consultoria use.