@forge-registry/cli v0.2

The Forge CLI

Verify trust, audit your MCP configs, and publish packages — from the terminal or directly inside Claude Code, Cursor, and any MCP-compatible AI client.

$ npx @forge-registry/cli verify @modelcontextprotocol/server-memory

Or add Forge to your AI client once and never leave your editor:

{ "mcpServers": { "forge": { "command": "npx", "args": ["-y", "@forge-registry/cli", "mcp"] } } }

forge mcp

Runs the Forge CLI as an MCP server over stdio. Once configured, AI clients like Claude Code and Cursor can search the registry, vet packages, audit your MCP configs, install skills, and publish — all inline in conversation, without you switching to a terminal.

Setup — add to your client config

Claude Code · .mcp.json
{
  "mcpServers": {
    "forge": {
      "command": "npx",
      "args": ["-y", "@forge-registry/cli", "mcp"]
    }
  }
}
Cursor · .cursor/mcp.json
{
  "mcpServers": {
    "forge": {
      "command": "npx",
      "args": ["-y", "@forge-registry/cli", "mcp"]
    }
  }
}
VS Code · .vscode/mcp.json
{
  "servers": {
    "forge": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@forge-registry/cli", "mcp"]
    }
  }
}
Antigravity · ~/.gemini/config/mcp_config.json
{
  "mcpServers": {
    "forge": {
      "command": "npx",
      "args": ["-y", "@forge-registry/cli", "mcp"]
    }
  }
}

In Antigravity, open the agent panel's menu → Manage MCP Servers → View raw config to edit this file; it reloads automatically on save.

Tools exposed

Tool                Description
forge_search        Search MCP servers, A2A agents, and skills with verification filters
forge_get_package   Full trust profile: verification, revocation, live OSV CVE scan, install-script analysis
forge_audit         Audit every MCP server configured in the project's config files
forge_get_skill     Fetch a skill's full prompt and metadata
forge_add_skill     Install a skill into the project's client config
forge_inspect       Statically extract a package's MCP tool surface (never executes it); flags privileged tools
forge_publish       Register or claim a package in the Forge registry (requires forge login first)

Example workflow

Ask your AI client: "I need a web scraping MCP — find something trustworthy and set it up." The client chains three calls without you leaving the conversation:

  1. forge_search — finds verified web scraping servers, ranked by trust and downloads
  2. forge_get_package — fetches the live trust profile of the top result: verified publisher, zero CVEs, clean install scripts
  3. forge_audit — re-audits the project config after adding it to confirm nothing is now flagged

Supply-chain checking stops being a step you remember to do and becomes something your AI client does by default every time a new tool enters the project.
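The forge_audit step works over the same client config files shown in the setup section. As an added example (not part of the Forge CLI), the Node.js snippet below walks those three config layouts and extracts the npm package each server launches, which is the input a `forge verify` pass needs; the sample configs are constructed, and the "manual-review" status is this snippet's own convention.

```javascript
// Added example, not Forge's own code: list the MCP servers in the three client
// config layouts shown above and pull out the npm package each one launches,
// which is what a forge_audit / `forge verify` pass needs as input.
// Claude Code and Cursor use "mcpServers"; VS Code uses "servers".
function listServers(config) {
  const servers = config.mcpServers || config.servers || {};
  return Object.entries(servers).map(([name, s]) => ({ name, ...s }));
}

// For `npx [-y|--yes] [-p <pkg>] <pkg> ...` return the package spec. Anything
// else (a local binary, docker, a bare node script) has no npm metadata to
// query, so it is reported for manual review instead of a registry lookup.
function packageSpec(server) {
  if (server.command !== 'npx') return null;
  const args = server.args || [];
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    if (a === '-y' || a === '--yes') continue;
    if (a === '-p' || a === '--package') return args[i + 1] || null;
    if (a.startsWith('-')) continue;   // skip other npx flags
    return a;                          // first positional is the package
  }
  return null;
}

function auditConfigs(files) {
  const findings = [];
  for (const [file, config] of Object.entries(files)) {
    for (const server of listServers(config)) {
      const spec = packageSpec(server);
      findings.push({ file, server: server.name, package: spec,
        status: spec ? 'registry-lookup' : 'manual-review' });
    }
  }
  return findings;
}

// Constructed sample project (not a real config): three files, one of which
// starts a server from a local binary that no registry can vouch for.
const SAMPLE_FILES = {
  '.mcp.json': { mcpServers: { forge: { command: 'npx', args: ['-y', '@forge-registry/cli', 'mcp'] } } },
  '.cursor/mcp.json': { mcpServers: { scraper: { command: 'npx', args: ['-y', '@example/scraper-mcp@1.2.0'] } } },
  '.vscode/mcp.json': { servers: { local: { type: 'stdio', command: './bin/mcp-server', args: [] } } },
};

// Each "registry-lookup" finding is a package you can hand to `forge verify`.
console.log(auditConfigs(SAMPLE_FILES));
```

To run it against a real project, read the three paths with fs and JSON.parse them into the same object shape as SAMPLE_FILES.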

forge verify

Checks a package before you use it. Queries the Forge registry for trust status and publisher identity, runs a live OSV vulnerability scan against the exact version, and inspects npm lifecycle scripts for suspicious patterns.

bash
forge verify <package>
forge verify @modelcontextprotocol/server-memory
forge verify @upstash/context7-mcp
forge verify sam-rivera/my-mcp-server     # GitHub shorthand

Example output

  $ forge verify @modelcontextprotocol/server-memory

  @modelcontextprotocol/server-memory · v2026.1.26
  ──────────────────────────────────────────────────────

  PACKAGE
    Author            Anthropic, PBC
    License           MIT

  REGISTRY
    Forge index       ✓  Listed
    Publisher         ✓  @modelcontextprotocol  (verified)
    forge.json        ·  Not present
    Signature         ✓  Valid  @modelcontextprotocol · Ed25519

  SECURITY  (scanned 2026-05-27)
    Vulnerabilities   ✓  None found
    Scripts           ✓  No suspicious lifecycle scripts

  ──────────────────────────────────────────────────────
  ✓  CLEAN & VERIFIED
  ──────────────────────────────────────────────────────

Options

Flag      Description
--json    Output raw JSON — useful for scripting and CI pipelines

Exit codes

Code   Meaning
0      Clean or verified (warnings don't fail)
1      Critical or high vulnerabilities found

forge install

A trust-aware wrapper around npm install. Runs the same checks as forge verify, then blocks on critical vulnerabilities and prompts before installing unverified packages. Accepts npm package names and GitHub URLs.

bash
forge install <package>

# npm packages
forge install @modelcontextprotocol/server-memory
forge install @upstash/context7-mcp --save-dev

# GitHub sources (all equivalent)
forge install sam-rivera/my-mcp-server
forge install github.com/sam-rivera/my-mcp-server
forge install https://github.com/sam-rivera/my-mcp-server

Options

Flag           Description
-f, --force    Skip confirmation prompts (still blocks on critical CVEs)
-g, --global   Install globally via npm install -g
--save-dev     Install as a dev dependency

GitHub sources: OSV and script scans are skipped for GitHub URLs since there's no versioned npm metadata to query. The Forge registry trust check still runs if the repo is indexed.

forge publish

Registers a package in the Forge registry under your GitHub identity. Generates an Ed25519 keypair on first run, signs the package manifest, and submits to the registry. The server verifies you are the repo owner or collaborator before listing the package.

bash
# Run from your package directory
forge publish

# Preview — validates and signs but does not submit
forge publish --dry-run

# Different directory
forge publish --dir ./packages/my-mcp-server

What it does

  1. Reads package.json and forge.json from the package directory
  2. Generates an Ed25519 keypair at ~/.forge/keys/ if one doesn't exist
  3. Signs the (packageName, githubUrl, publisherLogin) triple
  4. Submits to the Forge registry — server runs the GitHub collaborator check
  5. Auto-verified if you are the repo owner or collaborator. Otherwise queued for review.

Requirements

Your package.json must have a repository field pointing to a GitHub URL, and you must be logged in via forge login.

package.json
{
  "name": "@your-scope/my-mcp-server",
  "version": "1.0.0",
  "repository": {
    "url": "https://github.com/your-username/my-mcp-server"
  }
}

forge login

Authenticates with GitHub using the device flow. Saves your token to ~/.forge/config.json. Required before running forge publish.

bash
forge login            # authenticate
forge login --logout   # remove stored credentials

Example output

  $ forge login

  Forge uses GitHub to verify publisher identity.

  AUTHORIZE
    URL     https://github.com/login/device
    Code    ABCD-1234

  Open the URL above and enter the code to continue.

  ──────────────────────────────────────────────────────
  ✓  Logged in as @sam-rivera
  ──────────────────────────────────────────────────────

Installing the CLI

The CLI can be used without installing via npx, or installed globally for the forge shorthand.

npx (no install)

bash
npx @forge-registry/cli verify @modelcontextprotocol/server-memory
npx @forge-registry/cli install @upstash/context7-mcp

Global install

bash
npm install -g @forge-registry/cli

# then use the forge shorthand
forge verify @modelcontextprotocol/server-memory
forge login
forge publish

Requirements

Node.js 18 or later.

Configuration

The CLI stores credentials and settings in ~/.forge/config.json, written by forge login. All values can be overridden with environment variables.

~/.forge/config.json
{
  "githubToken":  "gho_...",
  "githubLogin":  "sam-rivera",
  "registryUrl":  "https://forgeregistry.com"
}

Environment variables

Variable                  Description
FORGE_GITHUB_TOKEN        GitHub access token — overrides the saved token
FORGE_REGISTRY_URL        Registry URL (default: https://forgeregistry.com). Set to http://localhost:3000 for local development.
FORGE_GITHUB_CLIENT_ID    OAuth App client ID — only needed if you run your own registry

Publisher keys

An Ed25519 keypair is generated on your first forge publish and stored at ~/.forge/keys/. The private key (private.pem) is written with mode 0600 — readable only by you. The public key is registered in the Forge registry and used to verify your signature whenever anyone runs forge verify on your package.