mcp-shipcheck
mcp-shipcheck is a read-only auditing server for Node.js/TypeScript packages, helping you verify npm publish readiness, preview package contents, and understand audit failures.
shipcheck.audit: Analyze a local package folder to check npm publish readiness — validatingpackage.jsonfields,SHIP_GATE.md, versioning, dependencies, exports, and other shipcheck hard-gate criteria.shipcheck.packPreview: Show which files would be included bynpm packalong with size totals — useful for catching accidentally included or excluded files before publishing.shipcheck.explainFailure: Look up a specific shipcheck failure code (e.g.,PKG.EXPORTS.MISSING) and get a plain-language explanation plus suggested fixes.
All tools are read-only — no files are written, no network requests are made, and no telemetry is collected.
Provides tools to audit local package directories for npm publish-readiness, analyzing configuration files and previewing tarball contents to ensure a successful release.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-shipcheckaudit the current folder for npm publish readiness"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Why
"Done" used to mean the code works. That's not enough. A product is code + safety + error handling + docs + identity + shipping hygiene. Shipcheck defines the bar.
What's in here
Standard | What it covers |
31 hard-gate + 4 soft-gate pre-release checklist | |
2-tier structured error standard with code registry | |
Report email, response timeline, threat scope | |
Operational field manual for complex tools | |
Pre/post remediation scoring | |
Apply shipcheck to any repo in <30 minutes |
CLI usage
npx @mcptoolshop/shipcheck init # Copy templates into current repo
npx @mcptoolshop/shipcheck audit # Check SHIP_GATE.md progress
npx @mcptoolshop/shipcheck dogfood # Check dogfood freshness (Gate F)
npx @mcptoolshop/shipcheck help # Show help
npx @mcptoolshop/shipcheck --version # Show versionSet SHIPCHECK_JSON=1 to get structured JSON error output instead of coloured text.
Quick start
Read ADOPTION.md
Run
npx @mcptoolshop/shipcheck initin your repo rootCheck off applicable items in
SHIP_GATE.md, mark non-applicable withSKIP:Run
npx @mcptoolshop/shipcheck audit— exits 0 when all hard gates passShip when audit passes
How it works
Hard gates (A-D) block release:
A. Security Baseline — SECURITY.md, threat model, no secrets, no telemetry, default safety posture
B. Error Handling — structured error shape (code/message/hint/retryable), safe output, graceful degradation
C. Operator Docs — README, CHANGELOG, LICENSE, tool documentation
D. Shipping Hygiene — verify script, version alignment, dependency scanning, lockfile
Soft gate (E) doesn't block but defines "whole":
E. Identity — logo, translations, landing page, repo metadata
Gate F — Dogfood Freshness (optional, requires dogfood-labs):
Checks for a fresh, verified, passing dogfood record
Supports enforcement modes:
required,warn-only,exemptConfigurable freshness window (default: 30 days)
The gate says what must be true, not how to implement it. Applicability tags ([all], [npm], [mcp], [cli], [desktop], [vsix], [container]) prevent checkbox shame on repos where items don't apply.
Error contract at a glance
Tier 1 — Shape (mandatory everywhere):
{
"code": "INPUT_TEXT_EMPTY",
"message": "Text must not be empty",
"hint": "Provide at least one character of text",
"retryable": false
}Tier 2 — Base type + exit codes (CLI/MCP/desktop):
Exit code | Meaning |
0 | OK |
1 | User error (bad input, missing config) |
2 | Runtime error (crash, backend failure) |
3 | Partial success (some items succeeded) |
Error codes use namespaced prefixes: IO_, CONFIG_, PERM_, DEP_, RUNTIME_, PARTIAL_, INPUT_, STATE_. Codes are stable once released.
Trust model
Data touched: reads package.json, pyproject.toml, and SHIP_GATE.md in the current working directory. Writes template files (SHIP_GATE.md, SECURITY.md, CHANGELOG.md, SCORECARD.md) to the current directory only.
No network requests. All operations are local file reads and writes.
No secrets handling. Does not read, store, or transmit credentials.
No telemetry collected or sent.
Reference implementation
mcp-voice-soundboard was the first repo to pass Ship Gate — scoring 46/50 after remediation.
Scorecard
Category | Score | Notes |
A. Security | 6/8 | SECURITY.md, trust model, no secrets/telemetry. MCP items skipped (not an MCP server) |
B. Error Handling | 3/7 | Structured error shape + exit codes + no raw stacks. MCP/desktop/vscode skipped |
C. Operator Docs | 4/7 | README, CHANGELOG, LICENSE, --help. Logging/MCP/complex skipped |
D. Shipping Hygiene | 6/9 | verify script, version=tag, npm audit in CI, engines.node, lockfile. Zero deps = no update mechanism |
E. Identity | 4/4 | Logo, translations, landing page, metadata |
Total | 23/31 | 14 items skipped with justification · |
License
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mcp-tool-shop-org/mcp-shipcheck'
If you have feedback or need assistance with the MCP directory API, please join our Discord server