npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

obra-cto

v0.3.1

Published

Obra CTO: a local-first MCP that scores a codebase's Build Readiness. Your code never leaves your machine; your own Claude reads it and runs your tests. The free preview of Obra's role lineup.

Readme

Obra CTO

A local-first MCP server that scores your codebase's Build Readiness. You install it in your own Claude. Your Claude reads your code on your machine and runs your tests there. Nothing is uploaded.

This is the free preview of Obra's role lineup, and it stays free and local. The CTO reads your code and tells you what an investor's technical diligence would find: real security holes, weak design decisions, and the gaps that stop a serious review. The rest of the team (the Obra CFO for funding-ready materials, and more) lives in the Build with Obra community.

The Obra founders' toolkit

Two free, local, open-source MCPs built to work as a pair:

  • Obra CTO (this one): is it built? Scores your codebase and surfaces what a technical diligence would flag. GitHub · npm
  • Obra CFO: is it fundable? Runs the investment committee on your pitch and turns your verified build into a funding case. GitHub · npm

Run the CTO first. The CFO reads its report as grade-A technical evidence. The method, the deep versions, and Obra in beta live in Build with Obra.

Why local-first

A tool that reads your code should not ship your code somewhere. Your source never leaves your machine. This server makes exactly one kind of network call, and only when you run the dependency check: it sends your package names and versions to the OSV vulnerability database, never a line of your code (you can see the single call in src/deps.ts). Everything else is local: it returns counts, presence flags, a redacted secrets scan, and a score. You can read every line of this server before you run it, which is the point of keeping it open.

What you get

The Obra CTO Score, out of 100, calibrated to your stage (prototype, MVP, or growth), across six dimensions:

| Dimension | Weight | |---|---| | Security | 25 | | Product reality (what is actually built) | 20 | | Robustness | 15 | | Architecture | 15 | | Maintainability | 15 | | Deploy readiness | 10 |

Every finding carries an evidence grade: A verified, B multiple sources, C partial or inferred, D claim only, E speculation. The score is built from grade A and C evidence, what is true in your code, not what a deck says. When the CTO runs your tests and they pass, reliability becomes grade A. A deck-scorer can never earn that.

What a run looks like

Point it at a real project and you get a scored report with a ranked risk register. Here is a run on a scrappy Supabase app (anonymized):

# Obra CTO Score: financeapp
## 46 / 100 · Not yet ready
Assessed as: mobile (react-native, expo)  |  Backend: supabase

| Dimension        | Score | Evidence |
|------------------|-------|----------|
| Security         | 6/25  | A |
| Product reality  | 20/20 | A |
| Robustness       | 3/15  | A |
| Architecture     | 9/15  | A |
| Maintainability  | 6/15  | A |
| Deploy readiness | 2/10  | C |

## Top Risks
- [critical] RLS policies defined but never enabled; data may be open to any authenticated user
    Fix: enable row level security on every table, then verify a second user cannot read your rows.
- [high] Access control gap: a privileged action checks only that the user is logged in, not that they own the resource
- [medium] No tests found

On a well-built app it scores high and credits the good engineering. It is calibrated, not a fear machine.

Tools

  • scan_project reads the project and returns mechanical signals.
  • check_dependencies checks your locked dependencies against the OSV vulnerability database. Only package names and versions leave your machine, never your code.
  • run_tests runs your test suite (this executes code, so your Claude asks first) and parses the pass and fail counts.
  • prepare_code_review selects your highest-signal files (schema and policy files, entry points, security-relevant code) and hands them to your Claude with a checklist tuned to your stack, including a Backend-as-a-Service lens (Supabase, Firebase) and a design red-team that critiques the architecture, not just the code.
  • score_build_readiness produces the Obra CTO Score with a Top Risks register.

A normal run is: scan, check dependencies, run tests, prepare the code review, then score.

Install

Add it to your Claude MCP config (Claude Desktop or Claude Code):

{
  "mcpServers": {
    "obra-cto": {
      "command": "npx",
      "args": ["-y", "obra-cto"]
    }
  }
}

Then ask your Claude: "Score this project's build readiness with Obra CTO."

Prefer to run from source? Clone the repo, run npm install && npm run build, and point the config at node /absolute/path/to/obra-cto/dist/index.js.

What this is not

Not a linter, not a security scanner, not a replacement for your own Claude reading the code. It is technical-diligence readiness inside funding readiness: the question an investor's CTO would ask, answered from your real code.

What's next

The Obra CTO is the free preview. To go further:

  • The Method: the full playbook for shipping production software with AI, the disciplines that make code score like the example above, each lesson with a paste-in prompt or tool you can use today.
  • The rest of the team: the Obra CFO for funding-ready materials, and each new role as it ships.
  • Obra itself, in beta: the AI employee that runs your back office. Members go first.

See the whole toolset and where it is going at https://get-obra.com/build

The full method and the community live in Build with Obra: https://www.skool.com/build-with-obra-5361/about

License

Apache-2.0.