@yawlabs/npmjs-mcp 0.7.0 → 0.9.0

package/README.md

@@ -1,29 +1,42 @@
 # @yawlabs/npmjs-mcp
 
-MCP server for the [npm](https://www.npmjs.com) registry. Package intelligence, security audits, dependency analysis, and org management from any MCP-compatible AI assistant.
+[![npm version](https://img.shields.io/npm/v/@yawlabs/npmjs-mcp)](https://www.npmjs.com/package/@yawlabs/npmjs-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![GitHub stars](https://img.shields.io/github/stars/YawLabs/npmjs-mcp)](https://github.com/YawLabs/npmjs-mcp/stargazers)
+[![CI](https://github.com/YawLabs/npmjs-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/YawLabs/npmjs-mcp/actions/workflows/ci.yml) [![Release](https://github.com/YawLabs/npmjs-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/YawLabs/npmjs-mcp/actions/workflows/release.yml)
 
-## Quick start
+**Run npm registry operations from Claude Code, Cursor, and any MCP client.** 63 tools covering the full registry surface: package intelligence, security audits, dependency analysis, org/team management, and the write ops that normally fight you locally (`npm deprecate`, `npm dist-tag`, `npm owner`, `npm unpublish`).
 
-```bash
-npx @yawlabs/npmjs-mcp
-```
+Built and maintained by [Yaw Labs](https://yaw.sh).
 
-## Setup
+[![Add to mcp.hosting](https://mcp.hosting/install-button.svg)](https://mcp.hosting/install?name=npm&command=npx&args=-y%2C%40yawlabs%2Fnpmjs-mcp&env=NPM_TOKEN&description=npm%20registry%20-%20package%20intel%2C%20security%2C%20dependency%20analysis%2C%20write%20ops&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fnpmjs-mcp)
 
-No API key is required for read-only tools (search, packages, downloads, security, analysis). For authenticated tools (auth, access, orgs, hooks), set your npm token:
+One click adds this to your [mcp.hosting](https://mcp.hosting) account so it syncs to every MCP client you use. Or install manually below.
 
-```bash
-export NPM_TOKEN="your-token"
-```
+## Why this one?
+
+Other npm MCP servers wrap `npm search` and call it done. This one doesn't.
 
-### Claude Code
+- **Full registry HTTP surface** — 63 tools across reads, writes, orgs, teams, hooks, provenance, trusted publishers, and ops health. Not just `npm view`.
+- **Write ops that actually work in agents** — `npm_deprecate`, `npm_dist_tag_set`, `npm_owner_add`, `npm_unpublish_version` go directly to the HTTP API with your token. No 2FA prompts, no `--otp` hunts, no `ENEEDAUTH` from a session-bound `.npmrc`.
+- **Agent-aware failure surfacing** — write tools detect non-interactive context and return specific human-runnable commands (`npm login --auth-type=web`) instead of looping on unrecoverable errors.
+- **Safety by default** — `npm_unpublish_*` requires `confirm: true`. `npm_owner_remove` blocks you from locking yourself out. `npm_deprecate` validates the message format (em-dash, no trailing period) that npmjs.com's API actually accepts.
+- **Ops playbook built in** — `npm_ops_playbook` returns the canonical tool-vs-CLI-vs-CI decision matrix so your agent picks the right path on the first try.
+- **Tool annotations** — every tool declares `readOnlyHint`, `destructiveHint`, `idempotentHint`, and `openWorldHint`, so MCP clients can skip confirmation on safe ops.
+- **No API key required for reads** — search, packages, downloads, security, dep tree, licenses all work anonymously. Auth is opt-in via `NPM_TOKEN`.
+- **Instant startup** — ships as a single bundled file with zero runtime dependencies. No 5-minute `node_modules` install.
+- **Input hardening** — package names, scopes, versions, dist-tags, and team names are all regex-validated against npm's actual constraints. Defends against CRLF and path-traversal in URL construction.
+
+## Quick start
 
-Add to your MCP config:
+**1. Create `.mcp.json` in your project root**
+
+macOS / Linux / WSL:
 
 ```json
 {
   "mcpServers": {
-    "npmjs": {
+    "npm": {
       "command": "npx",
       "args": ["-y", "@yawlabs/npmjs-mcp"]
     }
@@ -31,153 +44,254 @@ Add to your MCP config:
 }
 ```
 
-With authentication:
+Windows:
 
 ```json
 {
   "mcpServers": {
-    "npmjs": {
-      "command": "npx",
-      "args": ["-y", "@yawlabs/npmjs-mcp"],
-      "env": {
-        "NPM_TOKEN": "your-token"
-      }
+    "npm": {
+      "command": "cmd",
+      "args": ["/c", "npx", "-y", "@yawlabs/npmjs-mcp"]
     }
   }
 }
 ```
 
-### Claude Desktop
+> **Why the extra step on Windows?** Since Node 20, `child_process.spawn` cannot directly execute `.cmd` files (that's what `npx` is on Windows). Wrapping with `cmd /c` is the standard workaround.
+
+**2. Restart and approve**
+
+Restart Claude Code (or your MCP client) and approve the npm MCP server when prompted.
 
-Add to `claude_desktop_config.json`:
+**3. (Optional) Add your npm token for write operations**
+
+Read-only tools work without any setup. For write tools (`deprecate`, `dist-tag`, `owner`, `team_*`, `org_member_*`, `unpublish`, `hook_*`, `access_set*`, `token_revoke`), add `NPM_TOKEN` to the `env` block:
 
 ```json
 {
   "mcpServers": {
-    "npmjs": {
+    "npm": {
       "command": "npx",
       "args": ["-y", "@yawlabs/npmjs-mcp"],
       "env": {
-        "NPM_TOKEN": "your-token"
+        "NPM_TOKEN": "npm_xxxxxxxxxxxx"
       }
     }
   }
 }
 ```
 
+Use a [Granular Access Token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens) scoped to just the packages and orgs you want your agent to manage.
+
+That's it. Now ask your AI assistant:
+
+> "Deprecate my-old-pkg 1.x with a pointer to v2"
+>
+> "What's the dep tree for fastify look like three levels deep?"
+>
+> "Audit express for known CVEs and tell me the fix"
+>
+> "Who are the maintainers of next.js and when did each one last publish?"
+
+## Configuration
+
+| Environment variable | Default | Description |
+|---|---|---|
+| `NPM_TOKEN` | (none) | npm access token. Required only for write/auth/org/access/hooks tools. A Granular Access Token is strongly preferred over a Classic Automation token. |
+| `NPM_REGISTRY` | `https://registry.npmjs.org` | Alternate registry (enterprise/private). Must support the npm HTTP API shape. |
+
+**Alternate MCP clients:**
+
+| Client | Config file |
+|---|---|
+| Claude Code | `.mcp.json` (project root) or `~/.claude.json` (global) |
+| Claude Desktop | `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) |
+| Cursor | `~/.cursor/mcp.json` |
+| Windsurf | `~/.codeium/windsurf/mcp_config.json` |
+| VS Code | `.vscode/mcp.json` |
+
+Use the same JSON block shown above in any of these.
+
 ## Tools (63)
 
-### Search
-- `npm_search` — Search the npm registry with qualifiers (keywords, author, scope)
-
-### Packages
-- `npm_package` — Get package metadata (description, dist-tags, maintainers, license)
-- `npm_version` — Get detailed metadata for a specific version
-- `npm_versions` — List all published versions with dates
-- `npm_readme` — Get README content
-- `npm_dist_tags` — Get dist-tags (latest, next, beta, etc)
-- `npm_types` — Check TypeScript type support (built-in types or @types/*)
-
-### Dependencies
-- `npm_dependencies` — Get dependency lists (prod, dev, peer, optional)
-- `npm_dep_tree` — Resolve transitive dependency tree (configurable depth)
-- `npm_license_check` — Check licenses of a package and its direct deps
-
-### Downloads
-- `npm_downloads` — Get total download count for a period
-- `npm_downloads_range` — Get daily download breakdown
-- `npm_downloads_bulk` — Compare downloads for up to 128 packages
-- `npm_version_downloads` — Per-version download counts
-
-### Security
-- `npm_audit` — Check packages for known vulnerabilities
-- `npm_audit_deep` — Full audit with CVSS scores, CWEs, fix recommendations
-- `npm_signing_keys` — Get registry ECDSA signing keys
-
-### Analysis
-- `npm_compare` — Compare 2-5 packages side-by-side
-- `npm_health` — Assess maintenance, downloads, security, deprecation status
-- `npm_maintainers` — Get maintainers and their publish history
-- `npm_release_frequency` — Analyze release cadence and gaps
-
-### Registry
-- `npm_registry_stats` — Total npm-wide download counts
-- `npm_recent_changes` — Recent package publishes from the CouchDB changes feed
-- `npm_ops_playbook` — Canonical recipes for npm operations (call this FIRST when unsure which tool to use)
-
-### Provenance
-- `npm_provenance` — Get Sigstore provenance attestations (SLSA, publish)
-
-### Trusted Publishers (requires NPM_TOKEN)
-- `npm_trusted_publishers` — List OIDC trust relationships with CI/CD providers
-
-### Auth (requires NPM_TOKEN)
-- `npm_whoami` — Check authenticated user
-- `npm_profile` — Get profile, email, 2FA status
-- `npm_tokens` — List access tokens
-- `npm_verify_token` — One-call capability check (call this FIRST when debugging write failures)
-- `npm_user_packages` — List packages published by a user
-
-### Access (requires NPM_TOKEN)
-- `npm_collaborators` — List package collaborators and permissions
-- `npm_package_access` — Get package access settings
-
-### Organizations (requires NPM_TOKEN)
-- `npm_org_members` — List org members and roles
-- `npm_org_packages` — List org packages
-- `npm_org_teams` — List org teams
-- `npm_team_packages` — List team package permissions
-
-### Workflows
-- `npm_check_auth` — Auth health check with headless publish feasibility
-- `npm_publish_preflight` — Pre-publish validation checklist
-
-### Write Operations (requires NPM_TOKEN with write scope)
-
-These bypass the CLI/2FA friction that causes `npm deprecate` and similar commands to 422 locally. All use the HTTP API with your `NPM_TOKEN`.
-
-- `npm_deprecate` — Deprecate a package or specific versions (validates message format)
-- `npm_undeprecate` — Clear deprecation
-- `npm_unpublish_version` — Unpublish a specific version (requires `confirm: true`)
-- `npm_unpublish_package` — Unpublish an entire package (requires `confirm: true`)
-- `npm_dist_tag_set` — Point a dist-tag at a version
-- `npm_dist_tag_remove` — Remove a dist-tag (except `latest`)
-- `npm_owner_add` — Add a maintainer (resolves user via `/-/user/`)
-- `npm_owner_remove` — Remove a maintainer (prevents lockout)
-- `npm_access_set` — Set public/private/restricted access
-- `npm_access_set_mfa` — Configure 2FA requirement for publish (none/publish/automation)
-- `npm_team_grant` / `npm_team_revoke` — Grant/revoke team permissions on a package
-- `npm_team_create` / `npm_team_delete` — Create/delete a team in an org
-- `npm_team_member_add` / `npm_team_member_remove` — Manage team members
-- `npm_org_member_set` / `npm_org_member_remove` — Add/remove org members, set roles
-- `npm_token_revoke` — Revoke an access token by key (creation requires a password and isn't exposed)
-
-### Webhooks (requires NPM_TOKEN)
-- `npm_hook_add` — Register a webhook on a package, scope, or user
-- `npm_hook_list` — List webhooks (optional package filter)
-- `npm_hook_get` — Fetch a single webhook
-- `npm_hook_update` — Update endpoint/secret of a webhook
-- `npm_hook_remove` — Delete a webhook
-
-### Operation Decision Matrix
+### Search (1)
+- **npm_search** — Search the npm registry with qualifiers (keywords, author, scope).
+
+### Packages (6)
+- **npm_package** — Metadata: description, dist-tags, maintainers, license, repository.
+- **npm_version** — Detailed metadata for a specific version.
+- **npm_versions** — All published versions with dates.
+- **npm_readme** — README content.
+- **npm_dist_tags** — Dist-tags (latest, next, beta, etc).
+- **npm_types** — TypeScript type support (built-in types or `@types/*`).
+
+### Dependencies (3)
+- **npm_dependencies** — Dependency lists (prod, dev, peer, optional).
+- **npm_dep_tree** — Transitive dependency tree (configurable depth).
+- **npm_license_check** — License audit of a package and its direct deps.
+
+### Downloads (4)
+- **npm_downloads** — Total download count for a period.
+- **npm_downloads_range** — Daily download breakdown.
+- **npm_downloads_bulk** — Compare downloads for up to 128 packages.
+- **npm_version_downloads** — Per-version download counts.
+
+### Security (3)
+- **npm_audit** — Check packages for known vulnerabilities.
+- **npm_audit_deep** — Full audit with CVSS scores, CWEs, fix recommendations.
+- **npm_signing_keys** — Registry ECDSA signing keys.
+
+### Analysis (4)
+- **npm_compare** — Compare 2–5 packages side-by-side.
+- **npm_health** — Maintenance, downloads, security, deprecation summary.
+- **npm_maintainers** — Maintainers and publish history.
+- **npm_release_frequency** — Release cadence and gaps.
+
+### Registry (3)
+- **npm_registry_stats** — Total npm-wide download counts.
+- **npm_recent_changes** — Recent publishes from the CouchDB changes feed.
+- **npm_ops_playbook** — Canonical recipes for npm operations. **Call this first** when unsure which tool to use.
+
+### Provenance & trust (2)
+- **npm_provenance** — Sigstore attestations (SLSA, publish).
+- **npm_trusted_publishers** — OIDC trust relationships with CI/CD providers.
+
+### Auth (5, requires NPM_TOKEN)
+- **npm_whoami** — Authenticated user.
+- **npm_profile** — Profile, email, 2FA status.
+- **npm_tokens** — List access tokens.
+- **npm_verify_token** — One-call capability check. **Call this first** when debugging write failures.
+- **npm_user_packages** — Packages published by a user.
+
+### Access & orgs (6, requires NPM_TOKEN)
+- **npm_collaborators** — Package collaborators and permissions.
+- **npm_package_access** — Package access settings.
+- **npm_org_members** — Org members and roles.
+- **npm_org_packages** — Org packages.
+- **npm_org_teams** — Org teams.
+- **npm_team_packages** — Team package permissions.
+
+### Workflows (2)
+- **npm_check_auth** — Auth health check with headless publish feasibility.
+- **npm_publish_preflight** — Pre-publish validation checklist.
+
+### Write operations (19, requires NPM_TOKEN with write scope)
+
+These bypass the CLI/2FA friction that makes `npm deprecate` and friends fail locally. All use the HTTP API with your `NPM_TOKEN`.
+
+- **npm_deprecate** — Deprecate a package or specific versions (validates message format).
+- **npm_undeprecate** — Clear deprecation.
+- **npm_unpublish_version** — Unpublish a version. Requires `confirm: true`.
+- **npm_unpublish_package** — Unpublish an entire package. Requires `confirm: true`.
+- **npm_dist_tag_set** — Point a dist-tag at a version.
+- **npm_dist_tag_remove** — Remove a dist-tag (refuses `latest`).
+- **npm_owner_add** — Add a maintainer (resolves user via `/-/user/`).
+- **npm_owner_remove** — Remove a maintainer (prevents self-lockout).
+- **npm_access_set** — Set public/private/restricted access.
+- **npm_access_set_mfa** — Configure 2FA requirement (none/publish/automation).
+- **npm_team_grant** / **npm_team_revoke** — Grant/revoke team permissions on a package.
+- **npm_team_create** / **npm_team_delete** — Create/delete a team in an org.
+- **npm_team_member_add** / **npm_team_member_remove** — Manage team members.
+- **npm_org_member_set** / **npm_org_member_remove** — Manage org membership and roles.
+- **npm_token_revoke** — Revoke an access token by key.
+
+### Webhooks (5, requires NPM_TOKEN)
+- **npm_hook_add** — Register a webhook on a package, scope, or user.
+- **npm_hook_list** — List webhooks (optional package filter).
+- **npm_hook_get** — Fetch a single webhook.
+- **npm_hook_update** — Update endpoint/secret.
+- **npm_hook_remove** — Delete a webhook.
+
+## Operation decision matrix
 
 | Operation | Preferred path | Why |
 |---|---|---|
-| Read (search/view/stats) | These MCP tools, no auth required | Fast, zero friction |
-| Deprecate / dist-tag / owner | `npm_deprecate`, `npm_dist_tag_*`, `npm_owner_*` | HTTP API, no CLI auth issues |
+| Read (search/view/stats) | These MCP tools, no auth | Fast, zero friction |
+| Deprecate / dist-tag / owner / team / hook | `npm_deprecate`, `npm_dist_tag_*`, etc. | HTTP API, no CLI 2FA friction |
 | Publish | CI tag-push workflow | Version discipline, provenance, org token |
 | Unpublish | `npm_unpublish_version` (with `confirm: true`) | Safer than CLI; irreversible within 72h |
-| CLI fallback (only if MCP returns 422) | `npm login --auth-type=web` then `npm <op>` | End-user interactive path |
+| CLI fallback (rare) | `npm login --auth-type=web` then `npm <op>` | Only if MCP returns 422 |
+
+Call `npm_ops_playbook` at the start of any session to get the up-to-date matrix.
+
+## Examples
+
+### Audit a dependency
+
+```
+> "What vulnerabilities does lodash 4.17.20 have and what's the fix?"
+→ npm_audit_deep({ name: "lodash", version: "4.17.20" })
+```
+
+### Deprecate a package
+
+```
+> "Deprecate @myorg/legacy-sdk with a pointer to @myorg/sdk"
+→ npm_deprecate({ name: "@myorg/legacy-sdk", message: "Renamed to @myorg/sdk — install that instead" })
+```
+
+### Compare package health
+
+```
+> "Compare fastify vs express vs koa for maintenance health"
+→ npm_compare({ names: ["fastify", "express", "koa"] })
+→ npm_health({ name: "fastify" }) // ...etc
+```
+
+### Rotate a dist-tag
+
+```
+> "Point @myorg/pkg@latest at 3.2.1"
+→ npm_dist_tag_set({ name: "@myorg/pkg", tag: "latest", version: "3.2.1" })
+```
+
+### Debug a write failure
+
+```
+> "My deprecate keeps returning 422 — what's wrong?"
+→ npm_verify_token()  // Confirms token scope, packages, 2FA state
+→ npm_ops_playbook()  // Returns the canonical retry sequence
+```
+
+## Troubleshooting
+
+**"Error: NPM_TOKEN is required"**
+
+- The tool you called needs auth. Add `NPM_TOKEN` to the `env` block of your MCP config and restart the client.
+- Prefer a [Granular Access Token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens) scoped to just the packages and orgs you want touched.
+
+**"HTTP 401 Unauthorized" or "HTTP 403 Forbidden"**
+
+- Your token lacks scope on the target package. Call `npm_verify_token` — it reports which packages and orgs the token can actually write.
+- If the package requires 2FA for writes, your token must be an automation token or come from an OIDC trusted publisher. A user token will 403.
+
+**"HTTP 422 Unprocessable" on deprecate**
 
-Call `npm_ops_playbook` at the start of any session for the up-to-date matrix.
+- Common cause: message format. Use an em-dash and no trailing period: `"Renamed to @x/y — install that instead"`, not `"Renamed to @x/y. Install that instead."`
+- Another: specifying a `versions` range that doesn't match any published version. Call `npm_versions` to confirm.
 
-## Features
+**Windows: MCP server doesn't start**
+
+- Use the `cmd /c npx ...` pattern from the Quick start section. Node 20+ can't spawn `.cmd` files directly.
+
+## Requirements
+
+- Node.js 18+
+- (Optional) npm access token for write operations
+
+## Contributing
+
+```bash
+git clone https://github.com/YawLabs/npmjs-mcp.git
+cd npmjs-mcp
+npm install
+npm run lint       # Biome check
+npm run lint:fix   # Auto-fix
+npm run build      # tsc + esbuild bundle
+npm test           # node --test
+```
 
-- **63 tools** covering search, packages, deps, downloads, security, analysis, auth, orgs, access, provenance, trust, publish workflows, write operations, and registry webhooks
-- **No API key required** for read-only tools — authenticated tools opt-in via NPM_TOKEN
-- **Zero runtime dependencies** — Single bundled file for instant `npx` startup
-- **Agent-aware publish tools** — Detects non-interactive context, provides human hand-off actions instead of unworkable retries
-- **MCP annotations** — Every tool declares read-only, destructive, and idempotent hints
+See [CONTRIBUTING.md](CONTRIBUTING.md) for the full workflow, including release process.
 
 ## License
 

package/dist/index.js

@@ -21015,8 +21015,21 @@ var REGISTRY_URL = "https://registry.npmjs.org";
 var DOWNLOADS_URL = "https://api.npmjs.org";
 var REPLICATE_URL = "https://replicate.npmjs.com";
 var REQUEST_TIMEOUT_MS = 3e4;
+var PACKAGE_NAME_MAX_LENGTH = 214;
+var PACKAGE_NAME_PATTERN = /^(?:@[a-zA-Z0-9][a-zA-Z0-9\-_.]*\/)?[a-zA-Z0-9][a-zA-Z0-9\-_.]*$/;
+function validatePackageName(name) {
+  if (typeof name !== "string" || name.length === 0) return "Package name is empty";
+  if (name.length > PACKAGE_NAME_MAX_LENGTH) {
+    return `Package name exceeds ${PACKAGE_NAME_MAX_LENGTH} characters (got ${name.length}).`;
+  }
+  if (!PACKAGE_NAME_PATTERN.test(name)) {
+    return `Invalid package name '${name}'. Names must start with an alphanumeric character and contain only [a-zA-Z0-9-_.], optionally prefixed with '@scope/' for scoped packages.`;
+  }
+  return null;
+}
 function encPkg(name) {
-  if (!name || name === "@") throw new Error("Invalid package name");
+  const err = validatePackageName(name);
+  if (err) throw new Error(err);
   return name.startsWith("@") ? `@${encodeURIComponent(name.slice(1))}` : encodeURIComponent(name);
 }
 function isAuthenticated() {
@@ -21232,6 +21245,61 @@ function maxSatisfying(versions, range) {
   return best;
 }
 
+// src/errors.ts
+function translateError(res, context) {
+  if (res.ok) return res;
+  const pkgPart = context.pkg ? ` for ${context.pkg}` : "";
+  const opPart = context.op ? ` during ${context.op}` : "";
+  switch (res.status) {
+    case 401:
+      return {
+        ...res,
+        error: `Authentication failed${pkgPart}${opPart}. Your NPM_TOKEN may be invalid, expired, or lack write scope. Create a Granular Access Token with 'Read and write' permission at https://www.npmjs.com/settings/~/tokens, or use a classic Automation token (which bypasses 2FA). Raw: ${res.error}`
+      };
+    case 403:
+      return {
+        ...res,
+        error: `Not authorized${pkgPart}${opPart}. You may not be a maintainer of this package, or the token's scope doesn't include it. Check current maintainers with npm_collaborators or npm_package_access. Raw: ${res.error}`
+      };
+    case 404:
+      return {
+        ...res,
+        error: `Not found${pkgPart}${opPart}. Check the exact package name (scoped packages require the @scope/ prefix). If the version is specified, verify it exists with npm_package. Raw: ${res.error}`
+      };
+    case 422:
+      return {
+        ...res,
+        error: `Registry rejected the request payload${pkgPart}${opPart} (422 Unprocessable Entity). Most common causes: (1) invalid semver range \u2014 validate with npm_package versions first; (2) deprecation message format \u2014 em-dash form works, period-capital form sometimes 422s; (3) account-level 2FA policy requires interactive CLI session. If #3, CLI fallback: \`npm login --auth-type=web\` followed by the npm CLI command. Raw: ${res.error}`
+      };
+    case 429:
+      return {
+        ...res,
+        error: `Rate limited${opPart}. Wait 60 seconds and retry. Raw: ${res.error}`
+      };
+    case 0:
+      return {
+        ...res,
+        error: `Network error${opPart}. Could not reach the registry. Raw: ${res.error}`
+      };
+    default:
+      return res;
+  }
+}
+function validateDeprecationMessage(msg) {
+  if (msg.length > 1024) {
+    return "Deprecation message exceeds 1024 characters (registry limit).";
+  }
+  if (msg.length === 0) return null;
+  if (/\.\s+[A-Z]/.test(msg)) {
+    return `Deprecation message contains the "period + space + capital letter" pattern that has triggered 422 Unprocessable Entity on at least one scoped package. The working form uses em-dash and lowercase continuation: e.g. "Renamed to @yawlabs/spend \u2014 install that instead". Pass force: true to bypass this validation.`;
+  }
+  return null;
+}
+function versionsMatchingRange(versions, range, maxSatisfying2) {
+  if (range === "*" || range === "") return [...versions];
+  return versions.filter((v) => maxSatisfying2([v], range) === v);
+}
+
 // src/tools/access.ts
 var accessTools = [
   {
@@ -21251,7 +21319,7 @@ var accessTools = [
       const authErr = requireAuth();
       if (authErr) return authErr;
       const res = await registryGetAuth(`/-/package/${encPkg(input.name)}/collaborators`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "collaborators" });
       const collaborators = Object.entries(res.data).map(([username, permissions]) => ({
         username,
         permissions
@@ -21287,7 +21355,7 @@ var accessTools = [
         registryGetAuth(`/-/package/${encPkg(input.name)}/access`),
         registryGetAuth(`/-/package/${encPkg(input.name)}/collaborators`)
       ]);
-      if (!accessRes.ok && !collabRes.ok) return collabRes;
+      if (!accessRes.ok && !collabRes.ok) return translateError(collabRes, { pkg: input.name, op: "package_access" });
       const result = {
         package: input.name,
         isScoped: input.name.startsWith("@")
@@ -21388,7 +21456,7 @@ var analysisTools = [
         downloadsGet(`/downloads/point/last-week/${encPkg(input.name)}`),
         downloadsGet(`/downloads/point/last-month/${encPkg(input.name)}`)
       ]);
-      if (!pkgRes.ok) return pkgRes;
+      if (!pkgRes.ok) return translateError(pkgRes, { pkg: input.name, op: "health" });
       const pkg = pkgRes.data;
       const latest = pkg["dist-tags"]?.latest;
       const latestVersion = latest ? pkg.versions[latest] : void 0;
@@ -21462,7 +21530,7 @@ var analysisTools = [
     }),
     handler: async (input) => {
       const res = await registryGet(`/${encPkg(input.name)}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "maintainers" });
       const pkg = res.data;
       const publishCounts = {};
       for (const ver of Object.values(pkg.versions)) {
@@ -21498,7 +21566,7 @@ var analysisTools = [
     }),
     handler: async (input) => {
       const res = await registryGet(`/${encPkg(input.name)}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "release_frequency" });
       const pkg = res.data;
       const limit = input.limit ?? 20;
       const releases = Object.keys(pkg.versions).map((v) => ({ version: v, date: pkg.time[v] })).filter((r) => r.date).sort((a, b) => new Date(b.date).getTime() - new Date(a.date).getTime()).slice(0, limit);
@@ -21545,7 +21613,8 @@ var authTools = [
     handler: async () => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      return registryGetAuth("/-/whoami");
+      const res = await registryGetAuth("/-/whoami");
+      return res.ok ? res : translateError(res, { op: "whoami" });
     }
   },
   {
@@ -21563,7 +21632,7 @@ var authTools = [
       const authErr = requireAuth();
       if (authErr) return authErr;
       const res = await registryGetAuth("/-/npm/v1/user");
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: "profile" });
       const p = res.data;
       return {
         ok: true,
@@ -21607,7 +21676,7 @@ var authTools = [
       const qs = params.toString();
       const path = `/-/npm/v1/tokens${qs ? `?${qs}` : ""}`;
       const res = await registryGetAuth(path);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: "tokens" });
       const data = res.data;
       return {
         ok: true,
@@ -21681,7 +21750,7 @@ var authTools = [
       const res = await registryGetAuth(
         `/-/user/org.couchdb.user:${encodeURIComponent(input.username)}/package`
       );
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: `user_packages ${input.username}` });
       const packages = Object.entries(res.data).map(([name, access]) => ({ name, access }));
       return {
         ok: true,
@@ -21715,7 +21784,7 @@ var dependencyTools = [
     handler: async (input) => {
       const ver = input.version ?? "latest";
       const res = await registryGet(`/${encPkg(input.name)}/${ver}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: `dependencies ${ver}` });
       const v = res.data;
       return {
         ok: true,
@@ -21830,7 +21899,7 @@ var dependencyTools = [
     handler: async (input) => {
       const ver = input.version ?? "latest";
       const res = await registryGet(`/${encPkg(input.name)}/${ver}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: `license_check ${ver}` });
       const pkg = res.data;
       const depEntries = Object.entries(pkg.dependencies ?? {});
       const runLimited = createLimiter(10);
@@ -21888,7 +21957,8 @@ var downloadTools = [
     }),
     handler: async (input) => {
       const period = input.period ?? "last-week";
-      return downloadsGet(`/downloads/point/${period}/${encPkg(input.name)}`);
+      const res = await downloadsGet(`/downloads/point/${period}/${encPkg(input.name)}`);
+      return res.ok ? res : translateError(res, { pkg: input.name, op: `downloads ${period}` });
     }
   },
   {
@@ -21907,7 +21977,8 @@ var downloadTools = [
     }),
     handler: async (input) => {
       const period = input.period ?? "last-month";
-      return downloadsGet(`/downloads/range/${period}/${encPkg(input.name)}`);
+      const res = await downloadsGet(`/downloads/range/${period}/${encPkg(input.name)}`);
+      return res.ok ? res : translateError(res, { pkg: input.name, op: `downloads_range ${period}` });
     }
   },
   {
@@ -21927,7 +21998,8 @@ var downloadTools = [
     handler: async (input) => {
       const period = input.period ?? "last-week";
       const names = input.packages.map((p) => encPkg(p)).join(",");
-      return downloadsGet(`/downloads/point/${period}/${names}`);
+      const res = await downloadsGet(`/downloads/point/${period}/${names}`);
+      return res.ok ? res : translateError(res, { op: `downloads_bulk ${period}` });
     }
   },
   {
@@ -21946,66 +22018,12 @@ var downloadTools = [
     }),
     handler: async (input) => {
       const period = input.period ?? "last-week";
-      return downloadsGet(`/versions/${encPkg(input.name)}/${period}`);
+      const res = await downloadsGet(`/versions/${encPkg(input.name)}/${period}`);
+      return res.ok ? res : translateError(res, { pkg: input.name, op: `version_downloads ${period}` });
     }
   }
 ];
 
-// src/errors.ts
-function translateError(res, context) {
-  if (res.ok) return res;
-  const pkgPart = context.pkg ? ` for ${context.pkg}` : "";
-  const opPart = context.op ? ` during ${context.op}` : "";
-  switch (res.status) {
-    case 401:
-      return {
-        ...res,
-        error: `Authentication failed${pkgPart}${opPart}. Your NPM_TOKEN may be invalid, expired, or lack write scope. Create a Granular Access Token with 'Read and write' permission at https://www.npmjs.com/settings/~/tokens, or use a classic Automation token (which bypasses 2FA). Raw: ${res.error}`
-      };
-    case 403:
-      return {
-        ...res,
-        error: `Not authorized${pkgPart}${opPart}. You may not be a maintainer of this package, or the token's scope doesn't include it. Check current maintainers with npm_collaborators or npm_package_access. Raw: ${res.error}`
-      };
-    case 404:
-      return {
-        ...res,
-        error: `Not found${pkgPart}${opPart}. Check the exact package name (scoped packages require the @scope/ prefix). If the version is specified, verify it exists with npm_package. Raw: ${res.error}`
-      };
-    case 422:
-      return {
-        ...res,
-        error: `Registry rejected the request payload${pkgPart}${opPart} (422 Unprocessable Entity). Most common causes: (1) invalid semver range \u2014 validate with npm_package versions first; (2) deprecation message format \u2014 em-dash form works, period-capital form sometimes 422s; (3) account-level 2FA policy requires interactive CLI session. If #3, CLI fallback: \`npm login --auth-type=web\` followed by the npm CLI command. Raw: ${res.error}`
-      };
-    case 429:
-      return {
-        ...res,
-        error: `Rate limited${opPart}. Wait 60 seconds and retry. Raw: ${res.error}`
-      };
-    case 0:
-      return {
-        ...res,
-        error: `Network error${opPart}. Could not reach the registry. Raw: ${res.error}`
-      };
-    default:
-      return res;
-  }
-}
-function validateDeprecationMessage(msg) {
-  if (msg.length > 1024) {
-    return "Deprecation message exceeds 1024 characters (registry limit).";
-  }
-  if (msg.length === 0) return null;
-  if (/\.\s+[A-Z]/.test(msg)) {
-    return `Deprecation message contains the "period + space + capital letter" pattern that has triggered 422 Unprocessable Entity on at least one scoped package. The working form uses em-dash and lowercase continuation: e.g. "Renamed to @yawlabs/spend \u2014 install that instead". Pass force: true to bypass this validation.`;
-  }
-  return null;
-}
-function versionsMatchingRange(versions, range, maxSatisfying2) {
-  if (range === "*" || range === "") return [...versions];
-  return versions.filter((v) => maxSatisfying2([v], range) === v);
-}
-
 // src/tools/hooks.ts
 function classifyHookTarget(target) {
   if (target.startsWith("~")) return { type: "owner", name: target.slice(1) };
@@ -22159,7 +22177,7 @@ var orgTools = [
       const authErr = requireAuth();
       if (authErr) return authErr;
       const res = await registryGetAuth(`/-/org/${encodeURIComponent(input.org)}/user`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: `org_members ${input.org}` });
       const members = Object.entries(res.data).map(([username, role]) => ({ username, role }));
       return {
         ok: true,
@@ -22189,7 +22207,7 @@ var orgTools = [
       const authErr = requireAuth();
       if (authErr) return authErr;
       const res = await registryGetAuth(`/-/org/${encodeURIComponent(input.org)}/package`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: `org_packages ${input.org}` });
       const packages = Object.entries(res.data).map(([name, access]) => ({ name, access }));
       return {
         ok: true,
@@ -22219,7 +22237,7 @@ var orgTools = [
       const authErr = requireAuth();
       if (authErr) return authErr;
       const res = await registryGetAuth(`/-/org/${encodeURIComponent(input.org)}/team`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: `org_teams ${input.org}` });
       return {
         ok: true,
         status: 200,
@@ -22251,7 +22269,7 @@ var orgTools = [
       const res = await registryGetAuth(
         `/-/team/${encodeURIComponent(input.org)}/${encodeURIComponent(input.team)}/package`
       );
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: `team_packages ${input.org}:${input.team}` });
       const packages = Object.entries(res.data).map(([name, permissions]) => ({ name, permissions }));
       return {
         ok: true,
@@ -22284,7 +22302,7 @@ var packageTools = [
     }),
     handler: async (input) => {
       const res = await registryGet(`/${encPkg(input.name)}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "package" });
       const pkg = res.data;
       const latest = pkg["dist-tags"]?.latest;
       const latestVersion = latest ? pkg.versions[latest] : void 0;
@@ -22328,7 +22346,7 @@ var packageTools = [
     handler: async (input) => {
       const ver = input.version ?? "latest";
       const res = await registryGet(`/${encPkg(input.name)}/${ver}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: `version ${ver}` });
       const v = res.data;
       return {
         ok: true,
@@ -22378,7 +22396,7 @@ var packageTools = [
     }),
     handler: async (input) => {
       const res = await registryGet(`/${encPkg(input.name)}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "versions" });
       const pkg = res.data;
       const limit = input.limit ?? 50;
       const allVersions = Object.keys(pkg.versions).map((v) => ({
@@ -22416,7 +22434,7 @@ var packageTools = [
     }),
     handler: async (input) => {
       const res = await registryGet(`/${encPkg(input.name)}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "readme" });
       const readme = res.data.readme;
       if (!readme) {
         return { ok: true, status: 200, data: { name: input.name, readme: "(no readme available)" } };
@@ -22438,7 +22456,8 @@ var packageTools = [
       name: external_exports.string().describe("Package name")
     }),
     handler: async (input) => {
-      return registryGet(`/-/package/${encPkg(input.name)}/dist-tags`);
+      const res = await registryGet(`/-/package/${encPkg(input.name)}/dist-tags`);
+      return res.ok ? res : translateError(res, { pkg: input.name, op: "dist_tags" });
     }
   },
   {
@@ -22468,7 +22487,7 @@ var packageTools = [
         registryGet(`/${encPkg(input.name)}/${ver}`),
         registryGet(`/${encPkg(typesPackage)}`)
       ]);
-      if (!versionRes.ok) return versionRes;
+      if (!versionRes.ok) return translateError(versionRes, { pkg: input.name, op: `types ${ver}` });
       const v = versionRes.data;
       const hasBuiltinTypes = !!(v.types || v.typings);
       const typesEntry = hasBuiltinTypes ? v.types ?? v.typings : void 0;
@@ -22516,9 +22535,9 @@ var provenanceTools = [
     }),
     handler: async (input) => {
       const res = await registryGet(
-        `/-/npm/v1/attestations/${encPkg(input.name)}@${input.version}`
+        `/-/npm/v1/attestations/${encPkg(input.name)}@${encodeURIComponent(input.version)}`
       );
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: `provenance ${input.version}` });
       const attestations = (res.data.attestations ?? []).map((a) => ({
         predicateType: a.predicateType,
         bundle: a.bundle
@@ -22556,7 +22575,8 @@ var registryTools = [
     }),
     handler: async (input) => {
       const period = input.period ?? "last-week";
-      return downloadsGet(`/downloads/point/${period}`);
+      const res = await downloadsGet(`/downloads/point/${period}`);
+      return res.ok ? res : translateError(res, { op: `registry_stats ${period}` });
     }
   },
   {
@@ -22578,7 +22598,7 @@ var registryTools = [
         replicateGet("/"),
         replicateGet(`/_changes?limit=${limit}&descending=true`)
       ]);
-      if (!changesRes.ok) return changesRes;
+      if (!changesRes.ok) return translateError(changesRes, { op: "recent_changes" });
       const changes = changesRes.data.results.map((r) => ({
         package: r.id,
         rev: r.changes[0]?.rev
@@ -22689,7 +22709,7 @@ var searchTools = [
       if (input.popularity !== void 0) params.set("popularity", String(input.popularity));
       if (input.maintenance !== void 0) params.set("maintenance", String(input.maintenance));
       const res = await registryGet(`/-/v1/search?${params}`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { op: `search "${input.query}"` });
       const results = res.data.objects.map((obj) => ({
         name: obj.package.name,
         version: obj.package.version,
@@ -22722,7 +22742,34 @@ var securityTools = [
       packages: external_exports.record(external_exports.array(external_exports.string())).describe('Object mapping package names to arrays of version strings, e.g. {"lodash": ["4.17.20"]}')
     }),
     handler: async (input) => {
-      return registryPost("/-/npm/v1/security/advisories/bulk", input.packages);
+      const res = await registryPost("/-/npm/v1/security/advisories/bulk", input.packages);
+      if (!res.ok) return translateError(res, { op: "audit" });
+      const advisoriesByPackage = res.data ?? {};
+      const summary = Object.entries(advisoriesByPackage).map(([name, advisories]) => {
+        const list = Array.isArray(advisories) ? advisories : [];
+        const severityCounts = {};
+        for (const adv of list) {
+          const severity = adv?.severity ?? "unknown";
+          severityCounts[severity] = (severityCounts[severity] ?? 0) + 1;
+        }
+        return { name, advisoryCount: list.length, severityCounts };
+      });
+      const queried = Object.keys(input.packages);
+      const vulnerable = summary.filter((s) => s.advisoryCount > 0).map((s) => s.name);
+      const clean = queried.filter((n) => !vulnerable.includes(n));
+      return {
+        ok: true,
+        status: 200,
+        data: {
+          queriedCount: queried.length,
+          vulnerableCount: vulnerable.length,
+          cleanCount: clean.length,
+          vulnerable,
+          clean,
+          summary,
+          advisories: advisoriesByPackage
+        }
+      };
     }
   },
   {
@@ -22749,7 +22796,8 @@ var securityTools = [
           Object.entries(input.dependencies).map(([pkg, ver]) => [pkg, { version: ver }])
         )
       };
-      return registryPost("/-/npm/v1/security/audits", body);
+      const res = await registryPost("/-/npm/v1/security/audits", body);
+      return res.ok ? res : translateError(res, { pkg: input.name, op: "audit_deep" });
     }
   },
   {
@@ -22764,7 +22812,8 @@ var securityTools = [
     },
     inputSchema: external_exports.object({}),
     handler: async () => {
-      return registryGet("/-/npm/v1/keys");
+      const res = await registryGet("/-/npm/v1/keys");
+      return res.ok ? res : translateError(res, { op: "signing_keys" });
     }
   }
 ];
@@ -22788,7 +22837,7 @@ var trustTools = [
       const authErr = requireAuth();
       if (authErr) return authErr;
       const res = await registryGetAuth(`/-/package/${encPkg(input.name)}/trust`);
-      if (!res.ok) return res;
+      if (!res.ok) return translateError(res, { pkg: input.name, op: "trusted_publishers" });
       const configs = (res.data ?? []).map((c) => {
         const result = {
           id: c.id,
@@ -23100,6 +23149,10 @@ var workflowTools = [
 async function fetchPackument(pkg) {
   return registryGetAuth(`/${encPkg(pkg)}?write=true`);
 }
+function parseTeamTarget(target) {
+  const m = target.match(/^@?([^:]+):(.+)$/);
+  return m ? { scope: m[1], team: m[2] } : null;
+}
 function highestVersion(versions) {
   const parsed = [];
   for (const v of versions) {
@@ -23116,7 +23169,7 @@ var writeTools = [
   // ───────────────────────────────────────────────────────
   {
     name: "npm_deprecate",
-    description: "Deprecate a package or specific versions. Shows a warning message on install. Uses the HTTP API with NPM_TOKEN, bypassing the CLI auth friction that causes 422 errors on accounts with 2FA. Message format: prefer em-dash form ('Renamed to @scope/pkg \u2014 install that instead'); period-capital form sometimes triggers 422.",
+    description: "Deprecate a package or specific versions. Shows a warning message on install. Uses the HTTP API with NPM_TOKEN, bypassing the CLI auth friction that causes 422 errors on accounts with 2FA. Message format tip: the period-then-capital pattern ('... install that instead. Thanks.') has 422'd on at least one scoped package; em-dash form is the known-good workaround. Pass force: true to skip the preflight check if you want the exact message as-is.",
     annotations: {
       title: "Deprecate package",
       readOnlyHint: false,
@@ -23125,7 +23178,7 @@ var writeTools = [
       openWorldHint: true
     },
     inputSchema: external_exports.object({
-      name: external_exports.string().describe("Package name (e.g. '@yawlabs/tokenmeter-mcp')"),
+      name: external_exports.string().describe("Package name (e.g. '@yawlabs/spend')"),
       message: external_exports.string().describe("Deprecation message. Empty string to clear deprecation (use npm_undeprecate instead)."),
       versionRange: external_exports.string().optional().describe("Semver range. Omit to deprecate ALL versions. Example: '<1.0.0' or '0.3.x'."),
       force: external_exports.boolean().optional().describe("Bypass message format validation (default: false).")
@@ -23661,15 +23714,15 @@ var writeTools = [
     handler: async (input) => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      const m = input.team.match(/^@?([^:]+):(.+)$/);
-      if (!m) {
+      const parsed = parseTeamTarget(input.team);
+      if (!parsed) {
         return {
           ok: false,
           status: 400,
           error: `Team must be in the form '@scope:team' (got '${input.team}').`
         };
       }
-      const [, scope, team] = m;
+      const { scope, team } = parsed;
       const res = await registryPutAuth(`/-/team/${encodeURIComponent(scope)}/${encodeURIComponent(team)}/package`, {
         package: input.package,
         permissions: input.permissions
@@ -23702,15 +23755,15 @@ var writeTools = [
     handler: async (input) => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      const m = input.team.match(/^@?([^:]+):(.+)$/);
-      if (!m) {
+      const parsed = parseTeamTarget(input.team);
+      if (!parsed) {
         return {
           ok: false,
           status: 400,
           error: `Team must be in the form '@scope:team' (got '${input.team}').`
         };
       }
-      const [, scope, team] = m;
+      const { scope, team } = parsed;
       const res = await registryDeleteAuth(`/-/team/${encodeURIComponent(scope)}/${encodeURIComponent(team)}/package`, {
         package: input.package
       });
@@ -23742,11 +23795,11 @@ var writeTools = [
     handler: async (input) => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      const m = input.team.match(/^@?([^:]+):(.+)$/);
-      if (!m) {
+      const parsed = parseTeamTarget(input.team);
+      if (!parsed) {
         return { ok: false, status: 400, error: `Team must be in the form '@scope:team' (got '${input.team}').` };
       }
-      const [, scope, team] = m;
+      const { scope, team } = parsed;
       const res = await registryPutAuth(`/-/org/${encodeURIComponent(scope)}/team`, {
         name: team,
         description: input.description
@@ -23774,11 +23827,11 @@ var writeTools = [
     handler: async (input) => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      const m = input.team.match(/^@?([^:]+):(.+)$/);
-      if (!m) {
+      const parsed = parseTeamTarget(input.team);
+      if (!parsed) {
         return { ok: false, status: 400, error: `Team must be in the form '@scope:team' (got '${input.team}').` };
       }
-      const [, scope, team] = m;
+      const { scope, team } = parsed;
       const res = await registryDeleteAuth(`/-/team/${encodeURIComponent(scope)}/${encodeURIComponent(team)}`);
       if (!res.ok) return translateError(res, { op: `team_delete ${input.team}` });
       return { ok: true, status: 200, data: { team: `@${scope}:${team}`, deleted: true } };
@@ -23804,11 +23857,11 @@ var writeTools = [
     handler: async (input) => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      const m = input.team.match(/^@?([^:]+):(.+)$/);
-      if (!m) {
+      const parsed = parseTeamTarget(input.team);
+      if (!parsed) {
         return { ok: false, status: 400, error: `Team must be in the form '@scope:team' (got '${input.team}').` };
       }
-      const [, scope, team] = m;
+      const { scope, team } = parsed;
       const res = await registryPutAuth(`/-/team/${encodeURIComponent(scope)}/${encodeURIComponent(team)}/user`, {
         user: input.user
       });
@@ -23836,11 +23889,11 @@ var writeTools = [
     handler: async (input) => {
       const authErr = requireAuth();
       if (authErr) return authErr;
-      const m = input.team.match(/^@?([^:]+):(.+)$/);
-      if (!m) {
+      const parsed = parseTeamTarget(input.team);
+      if (!parsed) {
         return { ok: false, status: 400, error: `Team must be in the form '@scope:team' (got '${input.team}').` };
       }
-      const [, scope, team] = m;
+      const { scope, team } = parsed;
       const res = await registryDeleteAuth(`/-/team/${encodeURIComponent(scope)}/${encodeURIComponent(team)}/user`, {
         user: input.user
       });
@@ -23934,7 +23987,7 @@ var writeTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.7.0" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.9.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "version" || subcommand === "--version") {
   console.log(version2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/npmjs-mcp",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "description": "npm registry MCP server — package intelligence, security audits, and dependency analysis for AI assistants",
   "license": "MIT",
   "author": "YawLabs <contact@yaw.sh>",
@@ -39,6 +39,10 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {},
+  "overrides": {
+    "hono": "^4.12.14",
+    "@hono/node-server": "^1.19.13"
+  },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
     "@modelcontextprotocol/sdk": "^1.29.0",