
Security News
Next.js moves to scheduled security releases
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.
@kepler-project/almanac
Advanced tools
MCP server exposing Kepler Almanac tools (customers, communications, briefs, product gaps, Confluence/Jira search) for Claude Code, Cursor, OpenAI Codex CLI, and other stdio MCP clients.
Distribution:
@kepler-project/almanac: pure JavaScript MCP stdio server used directly via npx -y -p @kepler-project/almanac@latest -c almanac.npx -y -p @kepler-project/almanac@latest -c almanac
The npx package runs as a JavaScript MCP server, connects to the hosted Kepler gRPC services, and mints its auth token internally from KEPLER_CLIENT_ID and KEPLER_CLIENT_SECRET.
Tool execution in this package is gRPC-only. The only HTTP request is the auth token mint to /v1/auth/service-token, which has no gRPC equivalent.
The npm distribution targets hosted Kepler production services only. There is no local-dev mode in the npx package.
/v1/auth/service-token.KEPLER_CLIENT_ID.| Client | Where to merge |
|---|---|
| Cursor | ~/.cursor/mcp.json (or project .cursor/mcp.json) under mcpServers |
| Claude Code | mcpServers in ~/.claude.json or project config per Anthropic docs |
| Codex CLI | ~/.codex/config.toml – [mcp_servers.kepler-almanac] (see Codex MCP) |
Use the portal Kepler MCP tab to download ready-made fragments.
Example shape (Cursor / Claude Code JSON):
{
"mcpServers": {
"kepler-almanac": {
"command": "npx",
"args": ["-y", "-p", "@kepler-project/almanac@latest", "-c", "almanac"],
"env": {
"KEPLER_CLIENT_ID": "your-client-id",
"KEPLER_CLIENT_SECRET": "your-client-secret"
}
}
}
}
KEPLER_CLIENT_ID=... KEPLER_CLIENT_SECRET=... npx -y -p @kepler-project/almanac@latest -c almanacKEPLER_CLIENT_ID or KEPLER_CLIENT_SECRET should fail fast.tools/list should advertise the Almanac, briefs, Salesforce, Confluence, Jira, and team tool families.local-dev, record IDs use Surreal format (table:id); tool inputs accept id or communication_id where documented.local-dev, schema uses dual-field compatibility for some fields (e.g. type / comm_type, occurred_at / started).local-dev, vector/semantic search uses the graph store’s Surreal backend; ensure HNSW indices and schema are applied per Kepler infra.KEPLER_PORTAL_URL is not used by the npm package. Portal access is only for humans obtaining service credentials and downloading config fragments.FAQs
Kepler Almanac MCP server.
The npm package @kepler-project/almanac receives a total of 6 weekly downloads. As such, @kepler-project/almanac popularity was classified as not popular.
We found that @kepler-project/almanac demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.