Skip to content
NuGetKeep

MCP tools

NuGetKeep exposes a stateless Model Context Protocol server at /mcp with read-only tools so AI assistants can safely query your packages — search, fetch metadata, list versions, read a README, and inspect a package’s supply-chain assessment. The tool surface is role-filtered: anonymous and Reader principals get read-only tools that never mutate the feed, while Publisher/Admin keys unlock a small set of gated write tools (see below).

Enabling

Section titled “Enabling”

The MCP server is toggled in the admin UI (MCP server page). When the feature is off — or when the server is unlicensed (Community) — /mcp returns 503. With an Enterprise license and the toggle on, AI clients can connect to https://your-host/mcp.

Tools (read-only)

Section titled “Tools (read-only)”
  • search_packages — search the feed (supports a packageType filter).
  • get_package — metadata for a package id.
  • list_versions — versions of a package.
  • get_readme — a version’s README.
  • assess_package — a version’s supply-chain assessment (vulnerabilities, signature, license).
  • find_secure_version — the latest version of a package with no known vulnerabilities.
  • package_health — a version’s health grade and severity roll-up.
  • get_dependency_graph — a version’s transitive dependencies with health information.

Publishers and admins additionally see role-gated tools (request_publish, list_quarantined).

Because the tools reuse the same Application use cases as the API, they respect the same authorization — an AI client sees only what its principal is allowed to see.