@yawlabs/npmjs-mcp 0.3.0 → 0.5.0

package/README.md

@@ -65,7 +65,7 @@ Add to `claude_desktop_config.json`:
 }
 ```
 
-## Tools (35)
+## Tools (37)
 
 ### Search
 - `npm_search` — Search the npm registry with qualifiers (keywords, author, scope)
@@ -76,6 +76,7 @@ Add to `claude_desktop_config.json`:
 - `npm_versions` — List all published versions with dates
 - `npm_readme` — Get README content
 - `npm_dist_tags` — Get dist-tags (latest, next, beta, etc)
+- `npm_types` — Check TypeScript type support (built-in types or @types/*)
 
 ### Dependencies
 - `npm_dependencies` — Get dependency lists (prod, dev, peer, optional)
@@ -106,10 +107,14 @@ Add to `claude_desktop_config.json`:
 ### Provenance
 - `npm_provenance` — Get Sigstore provenance attestations (SLSA, publish)
 
+### Trusted Publishers (requires NPM_TOKEN)
+- `npm_trusted_publishers` — List OIDC trust relationships with CI/CD providers
+
 ### Auth (requires NPM_TOKEN)
 - `npm_whoami` — Check authenticated user
 - `npm_profile` — Get profile, email, 2FA status
 - `npm_tokens` — List access tokens
+- `npm_user_packages` — List packages published by a user
 
 ### Access (requires NPM_TOKEN)
 - `npm_collaborators` — List package collaborators and permissions
@@ -121,16 +126,13 @@ Add to `claude_desktop_config.json`:
 - `npm_org_teams` — List org teams
 - `npm_team_packages` — List team package permissions
 
-### Hooks (requires NPM_TOKEN)
-- `npm_hooks` — List npm webhooks
-
 ### Workflows
 - `npm_check_auth` — Auth health check with headless publish feasibility
 - `npm_publish_preflight` — Pre-publish validation checklist
 
 ## Features
 
-- **35 tools** covering search, packages, deps, downloads, security, analysis, auth, orgs, provenance, and publish workflows
+- **37 tools** covering search, packages, deps, downloads, security, analysis, auth, orgs, provenance, trust, and publish workflows
 - **No API key required** for read-only tools — authenticated tools opt-in via NPM_TOKEN
 - **Zero runtime dependencies** — Single bundled file for instant `npx` startup
 - **Agent-aware publish tools** — Detects non-interactive context, provides human hand-off actions instead of unworkable retries

package/dist/index.js

@@ -21087,6 +21087,141 @@ function downloadsGet(path) {
 function replicateGet(path) {
   return request(REPLICATE_URL, path);
 }
+function createLimiter(max) {
+  let active = 0;
+  const queue = [];
+  return function runLimited(fn) {
+    return new Promise((resolve, reject) => {
+      const run = () => {
+        active++;
+        fn().then(resolve, reject).finally(() => {
+          active--;
+          if (queue.length > 0) queue.shift()();
+        });
+      };
+      if (active < max) run();
+      else queue.push(run);
+    });
+  };
+}
+function parseSemver(v) {
+  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
+  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
+}
+function cmpSemver(a, b) {
+  for (let i = 0; i < 3; i++) {
+    if (a[i] < b[i]) return -1;
+    if (a[i] > b[i]) return 1;
+  }
+  return 0;
+}
+function parseSingleConstraint(r) {
+  if (r === "*" || r === "") {
+    return { min: null, max: null };
+  }
+  if (r.startsWith("^")) {
+    const base = parseSemver(r.slice(1));
+    if (!base) return null;
+    let max;
+    if (base[0] > 0) max = [base[0] + 1, 0, 0];
+    else if (base[1] > 0) max = [0, base[1] + 1, 0];
+    else max = [0, 0, base[2] + 1];
+    return { min: base, max };
+  }
+  if (r.startsWith("~")) {
+    const base = parseSemver(r.slice(1));
+    if (!base) return null;
+    return { min: base, max: [base[0], base[1] + 1, 0] };
+  }
+  if (r.startsWith(">=")) {
+    const base = parseSemver(r.slice(2));
+    if (!base) return null;
+    return { min: base, max: null };
+  }
+  if (r.startsWith(">")) {
+    const base = parseSemver(r.slice(1));
+    if (!base) return null;
+    return { min: [base[0], base[1], base[2] + 1], max: null };
+  }
+  if (r.startsWith("<=")) {
+    const base = parseSemver(r.slice(2));
+    if (!base) return null;
+    return { min: null, max: [base[0], base[1], base[2] + 1] };
+  }
+  if (r.startsWith("<")) {
+    const base = parseSemver(r.slice(1));
+    if (!base) return null;
+    return { min: null, max: base };
+  }
+  if (r.startsWith("=")) {
+    const base = parseSemver(r.slice(1));
+    if (!base) return null;
+    return { min: base, max: [base[0], base[1], base[2] + 1] };
+  }
+  const xm = r.match(/^(\d+)(?:\.(\d+|x|\*)(?:\.(\d+|x|\*))?)?$/);
+  if (xm) {
+    const major = Number(xm[1]);
+    const minor = xm[2] !== void 0 && xm[2] !== "x" && xm[2] !== "*" ? Number(xm[2]) : null;
+    if (minor === null) {
+      return { min: [major, 0, 0], max: [major + 1, 0, 0] };
+    }
+    const patch = xm[3] !== void 0 && xm[3] !== "x" && xm[3] !== "*" ? Number(xm[3]) : null;
+    if (patch === null) {
+      return { min: [major, minor, 0], max: [major, minor + 1, 0] };
+    }
+    return null;
+  }
+  return null;
+}
+function parseRange(r) {
+  const hyphenMatch = r.match(/^(\d+\.\d+\.\d+)\s+-\s+(\d+\.\d+\.\d+)$/);
+  if (hyphenMatch) {
+    const low = parseSemver(hyphenMatch[1]);
+    const high = parseSemver(hyphenMatch[2]);
+    if (low && high) return { min: low, max: [high[0], high[1], high[2] + 1] };
+    return null;
+  }
+  const parts = r.trim().split(/\s+/);
+  if (parts.length > 1) {
+    let min = null;
+    let max = null;
+    for (const part of parts) {
+      const constraint = parseSingleConstraint(part);
+      if (!constraint) return null;
+      if (constraint.min) {
+        if (!min || cmpSemver(constraint.min, min) > 0) min = constraint.min;
+      }
+      if (constraint.max) {
+        if (!max || cmpSemver(constraint.max, max) < 0) max = constraint.max;
+      }
+    }
+    return { min, max };
+  }
+  return parseSingleConstraint(r.trim());
+}
+function maxSatisfying(versions, range) {
+  const r = range.trim().replace(/^v/, "");
+  if (versions.includes(r)) return r;
+  const subRanges = r.split("||").map((s) => s.trim());
+  let best = null;
+  let bestParsed = null;
+  for (const sub of subRanges) {
+    const parsed = parseRange(sub);
+    if (!parsed) continue;
+    for (const v of versions) {
+      if (v.includes("-") && !sub.includes("-")) continue;
+      const vp = parseSemver(v);
+      if (!vp) continue;
+      if (parsed.min && cmpSemver(vp, parsed.min) < 0) continue;
+      if (parsed.max && cmpSemver(vp, parsed.max) >= 0) continue;
+      if (!bestParsed || cmpSemver(vp, bestParsed) > 0) {
+        best = v;
+        bestParsed = vp;
+      }
+    }
+  }
+  return best;
+}
 
 // src/tools/access.ts
 var accessTools = [
@@ -21184,12 +21319,9 @@ var analysisTools = [
     handler: async (input) => {
       const results = await Promise.all(
         input.packages.map(async (name) => {
-          const [pkgRes, dlRes, auditRes] = await Promise.all([
+          const [pkgRes, dlRes] = await Promise.all([
             registryGet(`/${encPkg(name)}`),
-            downloadsGet(`/downloads/point/last-week/${encPkg(name)}`),
-            registryPost("/-/npm/v1/security/advisories/bulk", {
-              [name]: ["latest"]
-            })
+            downloadsGet(`/downloads/point/last-week/${encPkg(name)}`)
           ]);
           if (!pkgRes.ok) {
             return { name, error: pkgRes.error };
@@ -21198,6 +21330,15 @@ var analysisTools = [
           const latest = pkg["dist-tags"]?.latest;
           const latestVersion = latest ? pkg.versions[latest] : void 0;
           const versionKeys = Object.keys(pkg.versions);
+          let vulnerabilities = 0;
+          if (latest) {
+            const auditRes = await registryPost("/-/npm/v1/security/advisories/bulk", {
+              [name]: [latest]
+            });
+            if (auditRes.ok && auditRes.data?.[name]) {
+              vulnerabilities = auditRes.data[name].length;
+            }
+          }
           return {
             name,
             description: pkg.description,
@@ -21212,7 +21353,7 @@ var analysisTools = [
             hasReadme: !!(pkg.readme && pkg.readme.length > 0),
             repository: pkg.repository,
             homepage: pkg.homepage,
-            vulnerabilities: auditRes.ok && auditRes.data?.[name] ? auditRes.data[name].length : 0
+            vulnerabilities
           };
         })
       );
@@ -21243,6 +21384,16 @@ var analysisTools = [
       const latest = pkg["dist-tags"]?.latest;
       const latestVersion = latest ? pkg.versions[latest] : void 0;
       const versionKeys = Object.keys(pkg.versions);
+      let vulnerabilityCount = null;
+      if (latest) {
+        const auditRes = await registryPost("/-/npm/v1/security/advisories/bulk", {
+          [input.name]: [latest]
+        });
+        if (auditRes.ok) {
+          const advisories = auditRes.data?.[input.name];
+          vulnerabilityCount = Array.isArray(advisories) ? advisories.length : 0;
+        }
+      }
       const publishDates = versionKeys.map((v) => pkg.time[v]).filter(Boolean).map((d) => new Date(d).getTime()).sort((a, b) => b - a);
       const now = Date.now();
       const daysSinceLastPublish = publishDates.length > 0 ? Math.floor((now - publishDates[0]) / 864e5) : null;
@@ -21274,6 +21425,7 @@ var analysisTools = [
             versionCount: versionKeys.length,
             daysSinceLastPublish,
             avgDaysBetweenReleases,
+            vulnerabilityCount,
             hasLicense,
             hasReadme,
             hasRepo,
@@ -21454,7 +21606,6 @@ var authTools = [
         data: {
           total: data.total,
           tokens: data.objects.map((t) => ({
-            token: t.token,
             key: t.key,
             readonly: t.readonly,
             cidrWhitelist: t.cidr_whitelist,
@@ -21464,6 +21615,38 @@ var authTools = [
         }
       };
     }
+  },
+  {
+    name: "npm_user_packages",
+    description: "List all packages published by a specific npm user. Shows package names and the user's access level for each. Requires authentication.",
+    annotations: {
+      title: "List user packages",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      username: external_exports.string().describe("npm username")
+    }),
+    handler: async (input) => {
+      const authErr = requireAuth();
+      if (authErr) return authErr;
+      const res = await registryGetAuth(
+        `/-/user/org.couchdb.user:${encodeURIComponent(input.username)}/package`
+      );
+      if (!res.ok) return res;
+      const packages = Object.entries(res.data).map(([name, access]) => ({ name, access }));
+      return {
+        ok: true,
+        status: 200,
+        data: {
+          username: input.username,
+          packageCount: packages.length,
+          packages
+        }
+      };
+    }
   }
 ];
 
@@ -21521,28 +21704,13 @@ var dependencyTools = [
     }),
     handler: async (input) => {
       const maxDepth = input.depth ?? 3;
-      const MAX_CONCURRENT = 10;
+      const runLimited = createLimiter(10);
       const packumentCache = /* @__PURE__ */ new Map();
       const resolved = /* @__PURE__ */ new Set();
       const tree = {};
       const warnings = [];
-      let active = 0;
-      const queue = [];
-      function runLimited(fn) {
-        return new Promise((resolve2, reject) => {
-          const run = () => {
-            active++;
-            fn().then(resolve2, reject).finally(() => {
-              active--;
-              if (queue.length > 0) queue.shift()();
-            });
-          };
-          if (active < MAX_CONCURRENT) run();
-          else queue.push(run);
-        });
-      }
-      async function resolve(name, versionHint, currentDepth) {
-        const hintKey = `${name}@${versionHint}`;
+      async function resolve(name, versionHint2, currentDepth) {
+        const hintKey = `${name}@${versionHint2}`;
         if (resolved.has(hintKey) || currentDepth > maxDepth) return;
         resolved.add(hintKey);
         let pkg = packumentCache.get(name);
@@ -21550,19 +21718,21 @@ var dependencyTools = [
           const res = await runLimited(() => registryGetAbbreviated(`/${encPkg(name)}`));
           if (!res.ok) {
             warnings.push(`Failed to fetch ${name}: ${res.error}`);
-            tree[hintKey] = { version: versionHint, dependencies: {} };
+            tree[hintKey] = { version: versionHint2, dependencies: {} };
             return;
           }
           pkg = res.data;
           packumentCache.set(name, pkg);
         }
         let resolvedVersion;
-        if (pkg.versions[versionHint]) {
-          resolvedVersion = versionHint;
-        } else if (pkg["dist-tags"][versionHint]) {
-          resolvedVersion = pkg["dist-tags"][versionHint];
+        if (pkg.versions[versionHint2]) {
+          resolvedVersion = versionHint2;
+        } else if (pkg["dist-tags"][versionHint2]) {
+          resolvedVersion = pkg["dist-tags"][versionHint2];
         } else {
-          resolvedVersion = pkg["dist-tags"]?.latest ?? versionHint;
+          const available = Object.keys(pkg.versions);
+          const matched = maxSatisfying(available, versionHint2);
+          resolvedVersion = matched ?? pkg["dist-tags"]?.latest ?? versionHint2;
         }
         const resolvedKey = `${name}@${resolvedVersion}`;
         if (tree[resolvedKey]) return;
@@ -21578,12 +21748,14 @@ var dependencyTools = [
           await Promise.all(tasks);
         }
       }
-      await resolve(input.name, input.version ?? "latest", 1);
+      const versionHint = input.version ?? "latest";
+      await resolve(input.name, versionHint, 1);
+      const rootKey = Object.keys(tree).find((k) => k.startsWith(`${input.name}@`)) ?? `${input.name}@${versionHint}`;
       return {
         ok: true,
         status: 200,
         data: {
-          root: `${input.name}@${input.version ?? "latest"}`,
+          root: rootKey,
           depth: maxDepth,
           totalPackages: Object.keys(tree).length,
           tree,
@@ -21614,39 +21786,28 @@ var dependencyTools = [
       const res = await registryGet(`/${encPkg(input.name)}/${ver}`);
       if (!res.ok) return res;
       const pkg = res.data;
-      const deps = Object.keys(pkg.dependencies ?? {});
-      const MAX_CONCURRENT = 10;
-      let active = 0;
-      const queue = [];
-      function runLimited(fn) {
-        return new Promise((resolve, reject) => {
-          const run = () => {
-            active++;
-            fn().then(resolve, reject).finally(() => {
-              active--;
-              if (queue.length > 0) queue.shift()();
-            });
-          };
-          if (active < MAX_CONCURRENT) run();
-          else queue.push(run);
-        });
-      }
+      const depEntries = Object.entries(pkg.dependencies ?? {});
+      const runLimited = createLimiter(10);
       const depLicenses = await Promise.all(
-        deps.map(async (depName) => {
-          const depRes = await runLimited(() => registryGet(`/${encPkg(depName)}/latest`));
+        depEntries.map(async ([depName, depRange]) => {
+          const abbrevRes = await runLimited(() => registryGetAbbreviated(`/${encPkg(depName)}`));
+          if (!abbrevRes.ok) return { name: depName, version: depRange, license: "FETCH_ERROR" };
+          const abbrev = abbrevRes.data;
+          const available = Object.keys(abbrev.versions);
+          const resolved = maxSatisfying(available, depRange) ?? abbrev["dist-tags"]?.latest;
+          if (!resolved) return { name: depName, version: depRange, license: "UNKNOWN" };
+          const verRes = await runLimited(() => registryGet(`/${encPkg(depName)}/${resolved}`));
           return {
             name: depName,
-            license: depRes.ok ? depRes.data?.license ?? "UNKNOWN" : "FETCH_ERROR"
+            version: resolved,
+            license: verRes.ok ? verRes.data?.license ?? "UNKNOWN" : "FETCH_ERROR"
           };
         })
       );
       const allowedSet = new Set(
         input.allowed ?? ["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "0BSD", "Unlicense"]
       );
-      const results = [
-        { name: pkg.name, version: pkg.version, license: pkg.license ?? "UNKNOWN" },
-        ...depLicenses.map((d) => ({ name: d.name, version: "latest", license: d.license }))
-      ];
+      const results = [{ name: pkg.name, version: pkg.version, license: pkg.license ?? "UNKNOWN" }, ...depLicenses];
       const flagged = results.filter((r) => !allowedSet.has(r.license));
       return {
         ok: true,
@@ -21744,57 +21905,6 @@ var downloadTools = [
   }
 ];
 
-// src/tools/hooks.ts
-var hookTools = [
-  {
-    name: "npm_hooks",
-    description: "List all npm webhooks configured for the authenticated user. Shows hook type (package, scope, or owner), endpoint URL, delivery status, and last response code.",
-    annotations: {
-      title: "List npm hooks",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports.object({
-      package: external_exports.string().optional().describe("Filter hooks by package name"),
-      limit: external_exports.number().min(1).max(100).optional().describe("Max results (default: 25)"),
-      offset: external_exports.number().min(0).optional().describe("Pagination offset")
-    }),
-    handler: async (input) => {
-      const authErr = requireAuth();
-      if (authErr) return authErr;
-      const params = new URLSearchParams();
-      if (input.package) params.set("package", input.package);
-      if (input.limit !== void 0) params.set("limit", String(input.limit));
-      if (input.offset !== void 0) params.set("offset", String(input.offset));
-      const qs = params.toString();
-      const path = `/-/npm/v1/hooks${qs ? `?${qs}` : ""}`;
-      const res = await registryGetAuth(path);
-      if (!res.ok) return res;
-      const data = res.data;
-      return {
-        ok: true,
-        status: 200,
-        data: {
-          total: data.total,
-          hooks: data.objects.map((h) => ({
-            id: h.id,
-            type: h.type,
-            name: h.name,
-            endpoint: h.endpoint,
-            status: h.status,
-            lastDelivery: h.last_delivery,
-            lastResponseCode: h.response_code,
-            created: h.created,
-            updated: h.updated
-          }))
-        }
-      };
-    }
-  }
-];
-
 // src/tools/orgs.ts
 var orgTools = [
   {
@@ -22019,7 +22129,7 @@ var packageTools = [
   },
   {
     name: "npm_versions",
-    description: "List all published versions of a package with their publish dates, ordered newest first.",
+    description: "List published versions of a package with their publish dates, ordered newest first. Returns up to `limit` versions (default 50). Set limit=0 to return all.",
     annotations: {
       title: "List versions",
       readOnlyHint: true,
@@ -22028,25 +22138,29 @@ var packageTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      name: external_exports.string().describe("Package name")
+      name: external_exports.string().describe("Package name"),
+      limit: external_exports.number().min(0).optional().describe("Max versions to return, newest first (default 50, 0 = all)")
     }),
     handler: async (input) => {
       const res = await registryGet(`/${encPkg(input.name)}`);
       if (!res.ok) return res;
       const pkg = res.data;
-      const versions = Object.keys(pkg.versions).map((v) => ({
+      const limit = input.limit ?? 50;
+      const allVersions = Object.keys(pkg.versions).map((v) => ({
         version: v,
         date: pkg.time[v],
         deprecated: pkg.versions[v].deprecated,
         npmUser: pkg.versions[v]._npmUser?.name
       })).sort((a, b) => new Date(b.date).getTime() - new Date(a.date).getTime());
+      const versions = limit > 0 ? allVersions.slice(0, limit) : allVersions;
       return {
         ok: true,
         status: 200,
         data: {
           name: pkg.name,
           distTags: pkg["dist-tags"],
-          total: versions.length,
+          total: allVersions.length,
+          showing: versions.length,
           versions
         }
       };
@@ -22091,6 +22205,61 @@ var packageTools = [
     handler: async (input) => {
       return registryGet(`/-/package/${encPkg(input.name)}/dist-tags`);
     }
+  },
+  {
+    name: "npm_types",
+    description: "Check TypeScript type support for a package \u2014 whether it ships built-in types (types/typings field) or has a DefinitelyTyped companion (@types/* package).",
+    annotations: {
+      title: "Check TypeScript types",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      name: external_exports.string().describe("Package name (e.g. 'express' or '@anthropic-ai/sdk')"),
+      version: external_exports.string().optional().describe("Semver version or dist-tag (default: 'latest')")
+    }),
+    handler: async (input) => {
+      const ver = input.version ?? "latest";
+      let typesPackage;
+      if (input.name.startsWith("@")) {
+        const withoutAt = input.name.slice(1);
+        typesPackage = `@types/${withoutAt.replace("/", "__")}`;
+      } else {
+        typesPackage = `@types/${input.name}`;
+      }
+      const [versionRes, typesRes] = await Promise.all([
+        registryGet(`/${encPkg(input.name)}/${ver}`),
+        registryGet(`/${encPkg(typesPackage)}`)
+      ]);
+      if (!versionRes.ok) return versionRes;
+      const v = versionRes.data;
+      const hasBuiltinTypes = !!(v.types || v.typings);
+      const typesEntry = hasBuiltinTypes ? v.types ?? v.typings : void 0;
+      const hasTypesPackage = typesRes.ok;
+      const typesPackageLatest = hasTypesPackage ? typesRes.data?.["dist-tags"]?.latest : void 0;
+      let recommendation;
+      if (hasBuiltinTypes) {
+        recommendation = "Built-in types included \u2014 no additional install needed.";
+      } else if (hasTypesPackage) {
+        recommendation = `Install types separately: npm install -D ${typesPackage}`;
+      } else {
+        recommendation = "No TypeScript types available (built-in or @types).";
+      }
+      return {
+        ok: true,
+        status: 200,
+        data: {
+          name: v.name,
+          version: v.version,
+          builtinTypes: hasBuiltinTypes,
+          typesEntry,
+          typesPackage: hasTypesPackage ? { name: typesPackage, latest: typesPackageLatest } : null,
+          recommendation
+        }
+      };
+    }
   }
 ];
 
@@ -22157,7 +22326,7 @@ var registryTools = [
   },
   {
     name: "npm_recent_changes",
-    description: "Get the most recent package publishes/updates from the npm registry via the CouchDB changes feed.",
+    description: "Get the most recent package publishes/updates from the npm registry via the CouchDB changes feed. Note: uses replicate.npmjs.com which may have intermittent availability.",
     annotations: {
       title: "Recent registry changes",
       readOnlyHint: true,
@@ -22170,21 +22339,20 @@ var registryTools = [
     }),
     handler: async (input) => {
       const limit = input.limit ?? 25;
-      const dbRes = await replicateGet("/");
-      if (!dbRes.ok) return dbRes;
-      const since = dbRes.data.update_seq - limit;
-      const changesRes = await replicateGet(`/_changes?since=${since}&limit=${limit}&descending=false`);
+      const [dbRes, changesRes] = await Promise.all([
+        replicateGet("/"),
+        replicateGet(`/_changes?limit=${limit}&descending=true`)
+      ]);
       if (!changesRes.ok) return changesRes;
       const changes = changesRes.data.results.map((r) => ({
         package: r.id,
-        seq: r.seq,
         rev: r.changes[0]?.rev
       }));
       return {
         ok: true,
         status: 200,
         data: {
-          totalPackages: dbRes.data.doc_count,
+          totalPackages: dbRes.ok ? dbRes.data.doc_count : null,
           changes
         }
       };
@@ -22230,9 +22398,7 @@ var searchTools = [
         publisher: obj.package.publisher,
         keywords: obj.package.keywords,
         links: obj.package.links,
-        score: obj.score.detail,
-        downloads: obj.downloads,
-        dependents: obj.dependents
+        score: obj.score.detail
       }));
       return { ok: true, status: 200, data: { total: res.data.total, results } };
     }
@@ -22243,7 +22409,7 @@ var searchTools = [
 var securityTools = [
   {
     name: "npm_audit",
-    description: "Check specific packages and versions for known vulnerabilities. Returns advisories with severity, CVEs, and patched versions.",
+    description: "Quick vulnerability check for specific packages and versions using the bulk advisory API. Returns matching advisories with severity, CVEs, and patched versions. For richer detail (CVSS scores, CWEs, fix recommendations), use npm_audit_deep instead.",
     annotations: {
       title: "Audit packages",
       readOnlyHint: true,
@@ -22260,7 +22426,7 @@ var securityTools = [
   },
   {
     name: "npm_audit_deep",
-    description: "Run a full security audit on a set of dependencies. Returns detailed advisories with CVSS scores, CWEs, fix recommendations, and vulnerability metadata.",
+    description: "Full security audit on a dependency set \u2014 returns detailed advisories with CVSS scores, CWEs, affected version ranges, fix recommendations, and full vulnerability metadata. Uses the npm audit v1 endpoint which provides richer detail than the bulk advisory API (npm_audit). Requires you to provide the dependency map (use npm_dependencies to get it first).",
     annotations: {
       title: "Deep security audit",
       readOnlyHint: true,
@@ -22302,6 +22468,60 @@ var securityTools = [
   }
 ];
 
+// src/tools/trust.ts
+var trustTools = [
+  {
+    name: "npm_trusted_publishers",
+    description: "List trusted publishing configurations for a package. Shows OIDC trust relationships with CI/CD providers (GitHub Actions, GitLab CI, CircleCI) that allow tokenless publishing. Requires authentication with write access to the package.",
+    annotations: {
+      title: "List trusted publishers",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports.object({
+      name: external_exports.string().describe("Package name (e.g. 'express' or '@yawlabs/npmjs-mcp')")
+    }),
+    handler: async (input) => {
+      const authErr = requireAuth();
+      if (authErr) return authErr;
+      const res = await registryGetAuth(`/-/package/${encPkg(input.name)}/trust`);
+      if (!res.ok) return res;
+      const configs = (res.data ?? []).map((c) => {
+        const result = {
+          id: c.id,
+          provider: c.type
+        };
+        if (c.type === "github") {
+          result.repository = c.claims?.repository;
+          const workflowRef = c.claims?.workflow_ref;
+          result.workflowFile = workflowRef?.file;
+          result.environment = c.claims?.environment;
+        } else if (c.type === "gitlab") {
+          result.project = c.claims?.project_path;
+          const configRef = c.claims?.ci_config_ref_uri;
+          result.configFile = configRef?.file;
+          result.environment = c.claims?.environment;
+        } else if (c.type === "circleci") {
+          result.project = c.claims?.project_id;
+          result.context = c.claims?.context_ids;
+        }
+        return result;
+      });
+      return {
+        ok: true,
+        status: 200,
+        data: {
+          package: input.name,
+          trustedPublisherCount: configs.length,
+          trustedPublishers: configs
+        }
+      };
+    }
+  }
+];
+
 // src/tools/workflows.ts
 var workflowTools = [
   {
@@ -22576,7 +22796,7 @@ var workflowTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.3.0" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.5.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "version" || subcommand === "--version") {
   console.log(version2);
@@ -22594,7 +22814,7 @@ var allTools = [
   ...orgTools,
   ...accessTools,
   ...provenanceTools,
-  ...hookTools,
+  ...trustTools,
   ...workflowTools
 ];
 var server = new McpServer({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/npmjs-mcp",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "npm registry MCP server — package intelligence, security audits, and dependency analysis for AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",