npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@acegalaxy/ott-gateway

v0.1.2

Published

Inbound message security gateway for bots — 5-layer default-deny (caller-validator, identity-resolver, rate-limit, audit, forward) for Telegram/WhatsApp/WeChat and other OTT platforms.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

kanelrkanelr

Keywords

otttelegramwhatsappbotsecuritygatewayauthz

Readme

@acegalaxy/ott-gateway

npm version npm downloads License: MIT Node

Inbound message security gateway for bots — 5 layers, default-deny.

Stop bot framework abuse. Most Telegram/WhatsApp/WeChat bot frameworks treat "can the bot read this message?" as the only access check. That's not authz — that's just delivery. ott-gateway sits between your bot transport and your handler and enforces real authorization on every inbound message.

Why

A raw bot token says nothing about who is on the other end. Anyone who can DM your bot, or get added to a group with it, can hit your handlers. Real products need:

  • per-platform policy (block bots, block forwarded floods, block unknown chats)
  • mapped identity (Telegram user_id → your internal user/role)
  • rate limits per identity, not per IP
  • audit log of every accept/deny decision
  • a single forward point so handlers never see un-vetted input

ott-gateway gives you all five as composable layers.

The 5 layers

Every inbound message walks the chain top-to-bottom. Any layer can deny.

  1. caller-validator — platform policy. Reject bots-talking-to-bots, disallowed chat types, missing fields, suspicious forwards.
  2. identity-resolver — map platform principal (e.g. telegram:user_id) to your internal identity + role. Unknown principal → deny.
  3. rate-limit — token bucket per resolved identity (not per chat), so one user can't burn quota by switching groups.
  4. audit — structured log of {ts, platform, principal, identity, decision, reason} for every message, accept or deny. Pluggable sink.
  5. forward — only here does your handler see the message, with resolved identity attached.

Default at every layer is deny. You allowlist explicitly.

Install

npm install @acegalaxy/ott-gateway

Quick start (Telegram)

import { createGateway } from '@acegalaxy/ott-gateway';

const gateway = createGateway({
  platform: 'telegram',
  identityMap: async (principal) => {
    // your DB lookup; return null to deny
    return await db.users.findByTelegramId(principal.userId);
  },
  rateLimit: { perMinute: 30 },
  auditSink: async (record) => log.info(record),
  handler: async (msg, identity) => {
    // only reaches here if all 5 layers passed
    await myBot.dispatch(msg, identity);
  },
});

telegramBot.on('message', (msg) => gateway.ingest(msg));

vs raw bot framework

| | raw node-telegram-bot-api | ott-gateway | |---|---|---| | who can talk to bot | anyone in any chat | allowlisted identities only | | rate limit | none (or per-chat) | per-identity, cross-chat | | audit trail | you write it | built-in, structured | | identity in handler | raw user_id | resolved internal user + role | | add WhatsApp later | rewrite handlers | swap adapter, keep chain |

Status

0.1.x — API may shift. Used in production internally at ACE Galaxy across multiple bots. Telegram adapter ships; WhatsApp/WeChat adapters in progress.

License

MIT (c) 2026 ACE Galaxy. See LICENSE.

Security issues -> SECURITY.md. Contributions -> CONTRIBUTING.md.