
secure-usage-mcp

v2.0.1

Published

Model Context Protocol server for secure code guidance and high-risk tool mediation.

Downloads

11

Readme

Secure Usage MCP Server

This Model Context Protocol (MCP) server enforces secure-by-design guardrails for AI-assisted development.

Features

  • Secure coding guidance (secure-code-review) – Produces a NIST SSDF and OWASP-aligned remediation plan, stack-specific hardening tips, and verification checklist. Optional code snippets are scanned for common anti-patterns (hardcoded secrets, eval, weak crypto, etc.).
  • High-risk tool mediation (tool-risk-gatekeeper) – Evaluates planned tool executions for destructive operations (filesystem, infrastructure, database). Flags commands that require human approval and emits a ready-to-display confirmation prompt.
  • Agent configuration hardening (agent-configuration-hardener) – Builds an endpoint hardening blueprint for IDE, CLI, and vibe coding agents. Covers sandboxing, remote indexing controls, plugin/MCP inventories, reasoning guardrails, and monitoring playbooks.
  • Reusable guardrail prompt – Exposes the secure-coding-governor prompt that IDEs/agents can apply as a baseline secure coding instruction set.

Getting Started

Runtime requirements

  • Node.js 18.17.0 or newer.

Run with npx

Install and launch the compiled server directly from npm without cloning the repository:

npx -y secure-usage-mcp@latest

This resolves the published package, runs the executable declared in the manifest's bin field, and exposes the MCP server over STDIO. The shebang line makes the entry script directly executable on macOS and Linux; on Windows, npm generates a .cmd shim for the bin entry, so npx works on all major platforms either way.

Run from source

npm install
npm run build
npm start

The server communicates over STDIO. Integrate it with an MCP-compatible client (e.g., Claude Desktop, Cursor, or custom tooling) by referencing the compiled binary secure-usage-mcp.

Configuration

  • SECURE_USAGE_LOG_LEVEL – Optional log level override (debug, info, warn, or error). Logs are emitted to stderr so the MCP protocol payloads on stdout remain untouched.
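The stderr rule above matters more than it looks: MCP over STDIO is newline-delimited JSON-RPC, so a single stray console.log line on stdout corrupts the stream the client is parsing. The following is an added example, not code from secure-usage-mcp, showing a level-filtered logger that only ever writes to stderr next to a parser that reveals what a contaminated stdout looks like to a client. The level names and the SECURE_USAGE_LOG_LEVEL variable follow the README; the helper names, the case-insensitive parsing of the variable, the JSON log line format and the sample frames are this example's own choices.

```javascript
// Added example, not code from secure-usage-mcp: it illustrates why a stdio MCP
// server must keep stdout reserved for protocol frames. MCP over stdio is
// newline-delimited JSON-RPC, so one stray console.log line on stdout breaks the
// client's parser. The level names and SECURE_USAGE_LOG_LEVEL follow the README;
// the helper names, the case-insensitive level parsing and the JSON log format
// are this example's own choices.

const LEVELS = ["debug", "info", "warn", "error"];

// Map the environment variable to a level; unknown or missing values mean "info".
function resolveLevel(env) {
  const value = String(env.SECURE_USAGE_LOG_LEVEL || "info").toLowerCase();
  return LEVELS.includes(value) ? value : "info";
}

// A message is emitted when its level is at or above the configured threshold.
function levelEnabled(level, configured) {
  return LEVELS.indexOf(level) >= LEVELS.indexOf(configured);
}

// Build a logger bound to one output stream. In the server this is process.stderr;
// tests pass a capturing object with the same write() shape.
function makeLogger(env, stream = process.stderr) {
  const configured = resolveLevel(env);
  const emit = (level, msg) => {
    if (!levelEnabled(level, configured)) return false;
    stream.write(JSON.stringify({ ts: new Date().toISOString(), level, msg }) + "\n");
    return true;
  };
  return Object.fromEntries(LEVELS.map((l) => [l, (msg) => emit(l, msg)]));
}

// Serialise one JSON-RPC message the way a stdio transport writes it to stdout.
function frame(message) {
  return JSON.stringify(message) + "\n";
}

// Read a server's stdout the way a client does: one JSON object per line.
// Lines that fail to parse are returned separately so contamination is visible.
function parseStdout(text) {
  const messages = [];
  const garbage = [];
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    try {
      messages.push(JSON.parse(line));
    } catch {
      garbage.push(line);
    }
  }
  return { messages, garbage };
}

// Constructed sample output: a tools/list response, then the same response with a
// plain-text startup line mistakenly written to stdout ahead of it.
const CLEAN_STDOUT = frame({ jsonrpc: "2.0", id: 1, result: { tools: [] } });
const CONTAMINATED_STDOUT = "server starting...\n" + CLEAN_STDOUT;

// Stand-alone demonstration: the log line goes to stderr, the frame goes to stdout.
if (typeof require !== "undefined" && require.main === module) {
  const serverLog = makeLogger(process.env);
  serverLog.info("ready");                                   // lands on stderr
  process.stdout.write(CLEAN_STDOUT);                        // the only thing on stdout
  console.error(parseStdout(CONTAMINATED_STDOUT).garbage);   // what a client would choke on
}
```

Run it with the variable set (SECURE_USAGE_LOG_LEVEL=error) and the "ready" line disappears while the frame on stdout is unchanged; pipe stdout alone into another process and it receives exactly one JSON line.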

Testing the MCP Server

  1. Build the server output:

    npm run build
  2. Run the automated smoke test, which spawns the compiled server via the MCP SDK client and exercises both tools:

    node scripts/smokeTest.mjs

    The script prints the server instructions, a preview of the secure-coding-governor prompt, and structured output from the two tools. It also verifies that high-risk tooling requires an explicit Yes/No confirmation.

  3. For a minimal verification that focuses on risk mediation, execute the included test-client.js script:

    node test-client.js

    This script connects to the built server, prints the instructions, and runs a sample tool-risk-gatekeeper request to confirm high-risk detection.

  4. For interactive debugging, you can also run the server manually and inspect it with the open-source MCP Inspector:

    npm start # in one terminal

    Follow the Inspector README to point it at node dist/index.js via stdio (for example npx @modelcontextprotocol/inspector node dist/index.js) and explore prompts/tools in its GUI.

IDE Integration

Cursor

  1. Open Cursor Settings → MCP (older builds: Settings → Experimental → MCP Servers), or edit ~/.cursor/mcp.json directly. That file holds the global MCP configuration; a project-local .cursor/mcp.json is also honoured.

  2. Register the server with the published npm package so Cursor can resolve it via npx:

    {
      "mcpServers": {
        "secure-usage": {
          "command": "npx",
          "args": ["-y", "secure-usage-mcp@latest"],
          "env": {}
        }
      }
    }
  3. Restart Cursor. When a high-risk tool call is routed through tool-risk-gatekeeper, the chat panel shows its Yes/No confirmation. Answer No (or anything other than Yes) to halt execution. Enforcement lives in the client: the server emits the prompt and the requiresApproval flag, but only the client can refuse to run the command, and only for calls it actually routes through the gatekeeper.

Claude Desktop

Claude Desktop supports MCP servers over STDIO via a JSON config file. (Claude Code, the CLI, is a separate product with its own MCP configuration and is not covered here.) You can either reference the built script directly or use npx to fetch the published package at each launch.

  1. Find your Claude Desktop config file:
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%/Claude/claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json
  2. Recommended: configure via npx so Claude resolves the published package automatically:
{
  "mcpServers": {
    "secure-usage": {
      "command": "npx",
      "args": ["-y", "secure-usage-mcp@latest"],
      "env": {}
    }
  }
}

Alternatively, point directly at a local build (useful for development):

{
  "mcpServers": {
    "secure-usage": {
      "command": "/usr/local/bin/node",
      "args": ["/absolute/path/to/secure-usage-mcp/dist/index.js"],
      "env": {}
    }
  }
}

On Windows, adjust paths accordingly, for example:

{
  "mcpServers": {
    "secure-usage": {
      "command": "C:/Program Files/nodejs/node.exe",
      "args": ["C:/Users/<you>/projects/secure-usage-mcp/dist/index.js"],
      "env": {}
    }
  }
}
  3. Save and relaunch Claude Desktop. Confirm in the MCP panel that the server is connected. The guardrail prompt secure-coding-governor becomes available, and destructive tools will require a Yes/No confirmation.
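Both the Cursor and the Claude Desktop snippets above launch secure-usage-mcp@latest with npx -y, which downloads and runs whatever version is current at every start, with no prompt and no review. For a guardrail server that sits in the agent's trust path, pin the version instead. As an added example that is not part of the README, here is the Claude Desktop entry with the version shown on this page pinned and the log level set explicitly; the same args change applies to the Cursor entry.

```json
{
  "mcpServers": {
    "secure-usage": {
      "command": "npx",
      "args": ["-y", "secure-usage-mcp@2.0.1"],
      "env": { "SECURE_USAGE_LOG_LEVEL": "info" }
    }
  }
}
```

Bump the pin deliberately after reading the release, and record the tarball's integrity string (npm view secure-usage-mcp@2.0.1 dist.integrity) so a later re-fetch can be compared against it. If you need a lockfile rather than a pin, install the package into a dedicated directory with npm and point command at the resulting binary, as the troubleshooting notes below describe for the global-install case.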

Verify

  • Ask Claude to run a risky command (e.g., mention rm -rf /tmp/demo) after connecting. You should see a risk assessment and a Yes/No prompt from tool-risk-gatekeeper.
  • Call the secure guidance tool by asking Claude to use secure-code-review with your request and a short code snippet.

Troubleshooting

  • If the server does not appear: ensure Node ≥ 18.17.0 is installed and on the PATH that Claude Desktop inherits. GUI apps on macOS do not source your shell profile, so a Node installed through a version manager (nvm, fnm, volta) may be invisible to it; in that case set command to the absolute node path as in the local-build config above.
  • If you see permission errors with npx: pre-install globally with npm i -g secure-usage-mcp and set command to secure-usage-mcp (no args).
  • If stdout looks noisy: this server logs to stderr by default. Ensure your config or any wrapper script does not redirect stderr to stdout (for example with 2>&1); anything on stdout that is not a JSON-RPC frame breaks the client's transport.
  • If high-risk prompts aren’t shown: your client must surface the userPrompt and block execution until the operator answers "Yes". Treat any other response as "No".

The guardrail policy requires explicit human approval. If an IDE cannot surface a Yes/No prompt, treat that as a No and halt.

Workflow Recommendations

  1. Wrap AI code generation by calling secure-code-review with the request context and candidate code. Adopt the returned mitigations before accepting any changes.
  2. Guard destructive tooling by routing every mutation command through tool-risk-gatekeeper. If requiresApproval is true, surface the provided userPrompt to the operator and block execution until they explicitly approve.
  3. Lock down agent configurations using agent-configuration-hardener before enabling new plugins, MCP servers, or vibe coding agents. Apply the per-agent runtime controls, sandbox requirements, and monitoring hooks it prescribes.
  4. Apply the secure prompt secure-coding-governor as a system/assistant message to keep large language models aligned with NIST and OWASP requirements.
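Steps 2 above and the troubleshooting note on high-risk prompts define the same contract: surface userPrompt, block until the operator answers exactly "Yes", treat any other reply as No, and treat an inability to show the prompt as No. The following is an added example, not code from secure-usage-mcp, of a fail-closed gate a client or agent loop can put in front of every mutating tool call. The requiresApproval and userPrompt fields and the "Yes"-only rule come from the README; the function names, the sample result objects and the reason field are this example's own.

```javascript
// Added example, not code from secure-usage-mcp: a fail-closed approval gate that a
// client or agent loop can put in front of every mutating tool call, following the
// README's contract for tool-risk-gatekeeper. The README names the `requiresApproval`
// and `userPrompt` result fields and the rule that only "Yes" approves; the function
// names, the result objects below and the extra `reason` field are this example's own.

const APPROVAL_TOKEN = "Yes";

// Constructed gatekeeper-style results, shaped as the README describes.
const HIGH_RISK_RESULT = {
  requiresApproval: true,
  userPrompt: "Planned command: rm -rf /tmp/demo (destructive filesystem operation). Proceed? Yes/No",
};
const LOW_RISK_RESULT = { requiresApproval: false, userPrompt: "" };

// Reduce an operator reply to a decision. Only the exact token "Yes" proceeds;
// "yes", "Y", "ok", an empty string or no reply at all halt. Surrounding whitespace
// (a trailing newline from a terminal) is ignored, nothing else is.
function decide(reply) {
  return typeof reply === "string" && reply.trim() === APPROVAL_TOKEN ? "proceed" : "halt";
}

// Gate one tool execution. `askOperator(prompt)` must show `userPrompt` to a human
// and return their reply; pass null when the client has no way to surface a
// prompt, which the README says must count as No. `execute()` is only invoked on
// a proceed decision, so a halt can never run the command as a side effect.
function gateToolCall(result, askOperator, execute) {
  if (!result || typeof result.requiresApproval !== "boolean") {
    return { status: "halt", reason: "malformed gatekeeper result" };
  }
  if (!result.requiresApproval) {
    return { status: "proceed", reason: "not flagged as high risk", output: execute() };
  }
  if (typeof askOperator !== "function") {
    return { status: "halt", reason: "client cannot surface userPrompt" };
  }
  const reply = askOperator(result.userPrompt);
  if (decide(reply) !== "proceed") {
    return { status: "halt", reason: `operator replied ${JSON.stringify(reply ?? null)}` };
  }
  return { status: "proceed", reason: "operator approved", output: execute() };
}

// Stand-alone demonstration with scripted operators.
if (typeof require !== "undefined" && require.main === module) {
  const run = () => "command executed";
  console.log(gateToolCall(LOW_RISK_RESULT, null, run));              // proceed, no prompt needed
  console.log(gateToolCall(HIGH_RISK_RESULT, null, run));             // halt, nowhere to show the prompt
  console.log(gateToolCall(HIGH_RISK_RESULT, () => "yes", run));      // halt, not the exact token
  console.log(gateToolCall(HIGH_RISK_RESULT, () => "Yes", run));      // proceed
}
```

The gate deliberately takes the execute callback rather than a pre-computed result, so that a halt path has no opportunity to have already run the command; a malformed or missing gatekeeper result also halts, because a missing verdict is not a verdict of safe.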

Tool Reference

  • secure-code-review – Request/response schema, response structure, and usage tips for the secure guidance generator.
  • tool-risk-gatekeeper – Input parameters, output contract, and operator workflow for high-risk tooling mediation.
  • agent-configuration-hardener – Inventory format, policy coverage, and sample outputs for IDE/CLI/vibe agent hardening.

Development

  • npm run dev – Start the TypeScript server with hot reload using ts-node.
  • npm run build – Compile TypeScript to JavaScript (output in dist/).
  • npm start – Run the compiled server.

License

This project is licensed under the MIT License. See LICENSE.