mcp-shipcheck is a read-only auditing server for Node.js/TypeScript packages, helping you verify npm publish readiness, preview package contents, and understand audit failures.
shipcheck.audit: Analyze a local package folder to check npm publish readiness — validatingpackage.jsonfields,SHIP_GATE.md, versioning, dependencies, exports, and other shipcheck hard-gate criteria.shipcheck.packPreview: Show which files would be included bynpm packalong with size totals — useful for catching accidentally included or excluded files before publishing.shipcheck.explainFailure: Look up a specific shipcheck failure code (e.g.,PKG.EXPORTS.MISSING) and get a plain-language explanation plus suggested fixes.
All tools are read-only — no files are written, no network requests are made, and no telemetry is collected.
Provides tools to audit local package directories for npm publish-readiness, analyzing configuration files and previewing tarball contents to ensure a successful release.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-shipcheckaudit the current folder for npm publish readiness"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Why
"Done" used to mean the code works. That's not enough. A product is code + safety + error handling + docs + identity + shipping hygiene. Shipcheck defines the bar.
What's in here
Standard | What it covers |
27 hard-gate + 4 soft-gate pre-release checklist | |
2-tier structured error standard with code registry | |
Report email, response timeline, threat scope | |
Operational field manual for complex tools | |
Pre/post remediation scoring | |
Apply shipcheck to any repo in <30 minutes |
Quick start
Read ADOPTION.md
Copy
templates/SHIP_GATE.mdinto your repo rootCheck off applicable items, mark non-applicable with
SKIP:Ship when all hard gates pass
How it works
Hard gates (A-D) block release:
A. Security Baseline — SECURITY.md, threat model, no secrets, no telemetry, default safety posture
B. Error Handling — structured error shape (code/message/hint/retryable), safe output, graceful degradation
C. Operator Docs — README, CHANGELOG, LICENSE, tool documentation
D. Shipping Hygiene — verify script, version alignment, dependency scanning, lockfile
Soft gate (E) doesn't block but defines "whole":
E. Identity — logo, translations, landing page, repo metadata
The gate says what must be true, not how to implement it. Applicability tags ([all], [npm], [mcp], [cli], [desktop], [vsix], [container]) prevent checkbox shame on repos where items don't apply.
Error contract at a glance
Tier 1 — Shape (mandatory everywhere):
{
"code": "INPUT_TEXT_EMPTY",
"message": "Text must not be empty",
"hint": "Provide at least one character of text",
"retryable": false
}Tier 2 — Base type + exit codes (CLI/MCP/desktop):
Exit code | Meaning |
0 | OK |
1 | User error (bad input, missing config) |
2 | Runtime error (crash, backend failure) |
3 | Partial success (some items succeeded) |
Error codes use namespaced prefixes: IO_, CONFIG_, PERM_, DEP_, RUNTIME_, PARTIAL_, INPUT_, STATE_. Codes are stable once released.
Trust model
Data touched: reads package.json, pyproject.toml, and SHIP_GATE.md in the current working directory. Writes template files (SHIP_GATE.md, SECURITY.md, CHANGELOG.md, SCORECARD.md) to the current directory only.
No network requests. All operations are local file reads and writes.
No secrets handling. Does not read, store, or transmit credentials.
No telemetry collected or sent.
Reference implementation
mcp-voice-soundboard was the first repo to pass Ship Gate — scoring 46/50 after remediation.
Scorecard
Category | Score | Notes |
A. Security | 6/8 | SECURITY.md, trust model, no secrets/telemetry. MCP items skipped (not an MCP server) |
B. Error Handling | 3/7 | Structured error shape + exit codes + no raw stacks. MCP/desktop/vscode skipped |
C. Operator Docs | 4/7 | README, CHANGELOG, LICENSE, --help. Logging/MCP/complex skipped |
D. Shipping Hygiene | 6/9 | verify script, version=tag, npm audit in CI, engines.node, lockfile. Zero deps = no update mechanism |
E. Identity | 4/4 | Logo, translations, landing page, metadata |
Total | 23/31 | 14 items skipped with justification · |
License
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.