pkgproof-mcp
v0.0.1
Published
MCP server (verify_package) — the agent-loop guard that blocks hallucinated/slopsquatted npm installs.
Maintainers
Readme
pkgproof-mcp
The agent-loop install guard — an MCP server exposing verify_package so a coding agent
(Claude Code, Cursor, VS Code) checks an npm package before it installs it or edits package.json.
⚠️ Pre-alpha (
v0.0.1) — not for production usepkgproof is under active development. Verdicts, APIs, and the bundled blocklist will change without notice. This early release reserves the name and shares progress — please don't depend on it yet.
On BLOCK the agent stops; on WARN it confirms with the user; on ALLOW it proceeds. Same deterministic,
explainable verdict engine as the pkgproof CLI.
Pre-alpha on npm. Published under the
alphatag asv0.0.1:npm install -g pkgproof-mcp@alpha. Or build from source — see the repo README.
Setup
pkgproof init claude # or: cursor | vscode — wires this server into your editor's MCP configAdd to your project rules (CLAUDE.md / .cursorrules):
"Before any npm/pnpm/yarn install or package.json dependency edit, call
verify_package. If it returns BLOCK, do NOT install — stop and tell the user why."
The verify_package contract
Input: { name: string }. Output is BOTH a human/agent directive (text) and machine-readable
structuredContent (documented by the tool's outputSchema):
| field | type | meaning |
|---|---|---|
| verdict | "ALLOW" \| "WARN" \| "BLOCK" | the install decision — BLOCK means DO NOT install |
| package | string | the name checked |
| reason | string | ≤120 chars; quote verbatim to the user |
| confidence | number | 0..1 |
| suggestion | string | null | nearest real package when the name is a likely typo |
| blocklist_loaded | number | count of confirmed-malicious names in the loaded signature blocklist |
| gate_ok | boolean | true only if the blocklist loaded non-empty. If false, signature coverage is DOWN and an ALLOW is not malware-verified — the ALLOW directive degrades to say so. Do not silently trust it. |
Environment
PKGPROOF_BLOCKLIST— optional path to override where the signature blocklist is loaded from. If it points at a missing/empty file, the gate runs degraded:gate_okisfalse, every ALLOW carries a "confirmed-malware coverage is DOWN" warning, and the startup log printsGATE EMPTY. Leave it unset for normal resolution (the bundledblocklist.json).
Apache-2.0.
