Welcome

MCP Server + CLI

Stop risky packages before they reach your machine.

safe-pkgs runs package safety checks before install and returns a single decision your tools can enforce: allow, risk, reasons, and metadata.

Typical Decision

{
  "allow": false,
  "risk": "high",
  "reasons": [
    "package is too new (published 2 days ago)",
    "postinstall script found"
  ],
  "metadata": {
    "latest": "1.2.4",
    "requested": "1.2.3"
  }
}

7 checks: aggregated into one risk score
2 registries: npm + crates.io
Audit log: append-only local trail

Why safe-pkgs

Fast installs are great. Blind installs are not.

Catch common supply-chain risk

Typosquat checks, install-script detection, and advisory lookups reduce obvious package abuse before install.

Enforce policy, not vibes

Configure a max allowed risk. If checks fail or risk is too high, the decision is explicit and machine-enforceable.

Keep decisions auditable

Every decision can be logged with reasons and metadata so teams can review what was blocked and why.
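A caller-side gate over the decision format shown under "Typical Decision", as an added example that is not safe-pkgs code. The `enforce` function, the caller's own `max_risk` threshold, and the risk ordering low < medium < high < critical are assumptions of this example; the page only shows the value "high". Anything malformed or unrecognised is denied.

```python
import json

# Assumed ordering of risk labels; the page only shows "high".
RISK_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample: the "Typical Decision" shown on this page.
SAMPLE_DECISION = """{
  "allow": false,
  "risk": "high",
  "reasons": ["package is too new (published 2 days ago)",
              "postinstall script found"],
  "metadata": {"latest": "1.2.4", "requested": "1.2.3"}
}"""


def enforce(raw, max_risk="medium"):
    """Return (permitted, reasons). Anything unparseable or unknown is denied."""
    if max_risk not in RISK_ORDER:
        raise ValueError(f"unknown max_risk: {max_risk!r}")
    try:
        decision = json.loads(raw)
    except (TypeError, ValueError):
        return False, ["decision is not valid JSON"]
    if not isinstance(decision, dict):
        return False, ["decision is not a JSON object"]

    allow = decision.get("allow")
    risk = decision.get("risk")
    reasons = decision.get("reasons")
    reasons = [str(r) for r in reasons] if isinstance(reasons, list) else []

    # "allow" must be the JSON boolean true; "true" or 1 does not count.
    if allow is not True:
        return False, reasons or ["decision does not set allow=true"]
    if risk not in RISK_ORDER:
        return False, reasons + [f"unrecognised risk level: {risk!r}"]
    if RISK_ORDER.index(risk) > RISK_ORDER.index(max_risk):
        return False, reasons + [f"risk {risk!r} exceeds max allowed {max_risk!r}"]
    return True, reasons


if __name__ == "__main__":
    permitted, why = enforce(SAMPLE_DECISION)
    print("install permitted:", permitted)
    for line in why:
        print(" -", line)
```
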

How it works + pipeline

One combined decision map.

[Figure: combined safe-pkgs architecture showing input surfaces, concurrent checks, risk aggregation, policy gate, and decision output.]

In-editor flow

What usage looks like

[Figure: safe-pkgs VS Code example result]
[Figure: safe-pkgs VS Code example check flow]

How to start

Copy, run, integrate.

Build and run MCP server

cargo build --release
./target/release/safe-pkgs serve --mcp

Optional: run one-off audit

safe-pkgs audit /path/to/project-or-lockfile

MCP client config snippet

{
  "servers": {
    "safe-pkgs": {
      "type": "stdio",
      "command": "/path/to/safe-pkgs",
      "args": ["serve", "--mcp"]
    }
  },
  "inputs": []
}