npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@act-spec/runtime-core

v0.2.0-rc.1

Published

PRD-500 runtime SDK contract — resolver shape, identity context, capability negotiation, conditional GET helpers. Shared by every first-party runtime SDK leaf (PRD-501 Next.js, PRD-502 Express, PRD-505 generic fetch).

Downloads

53

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

jdforsythejdforsythe

Keywords

Readme

@act-spec/runtime-core

Runtime SDK contract for ACT (Agent Content Tree).

This package is the framework that all first-party runtime SDK leaves (@act-spec/runtime-next, @act-spec/runtime-express, @act-spec/runtime-fetch) consume. Leaf packages are thin framework adapters; the resolver shape, identity context, capability negotiation, conditional GET handling, error envelope construction, and discovery hand-off all live here.

Status

ACT v0.1 internal hand-test candidate. Public release lands at v0.2.

Install

Unpublished in v0.1. Consume via the workspace:

// package.json
{ "dependencies": { "@act-spec/runtime-core": "workspace:*" } }

Public surface

The exports group under three families:

Resolver contract

import type { ActRuntime, Outcome, ActContext } from '@act-spec/runtime-core';

A host application implements ActRuntime (Core methods resolveManifest, resolveIndex, resolveNode; Standard resolveSubtree; Strict resolveIndexNdjson, resolveSearch) and returns an Outcome<T> discriminated union (ok, not_found, auth_required, rate_limited, validation, internal).

Identity & tenancy hooks

import type { Identity, Tenant, IdentityResolver, TenantResolver } from '@act-spec/runtime-core';

Identity.key and Tenant.key are stable opaque strings — never session tokens, never per-request values.

Construction & dispatch

import { createActRuntime } from '@act-spec/runtime-core';
const runtime = createActRuntime({ manifest, runtime, identityResolver, ... });
const response = await runtime.dispatch(actRequest);

createActRuntime validates capability negotiation at construction time — declaring conformance.level: "strict" without registering resolveSearch throws synchronously, never at request time.

Helpers

  • encodeIdForUrl(id) — per-segment percent-encoding for ACT IDs.
  • buildAuthChallenges(manifest) — one WWW-Authenticate value per advertised scheme in auth.schemes order.
  • defaultEtagComputer(input) — runtime ETag triple (JCS + SHA-256 + base64url no-pad + truncate to 22 + s256: prefix). Re-exports @act-spec/validator's implementation.
  • actLinkHeaderMiddleware({ basePath }) — emits the runtime-only Link rel="act" header for non-ACT branches.

Two-principal probe harness (@act-spec/runtime-core/test-utils)

import { runTwoPrincipalProbe } from '@act-spec/runtime-core/test-utils';

await runTwoPrincipalProbe({
  runtime,
  principalA: { identity: { kind: 'principal', key: 'alice' }, tenant: { kind: 'scoped', key: 'acme' }, visibleNodeIds: ['a-doc'] },
  principalB: { identity: { kind: 'principal', key: 'bob' }, tenant: { kind: 'scoped', key: 'globex' }, visibleNodeIds: ['b-doc'] },
  absentNodeId: 'definitely-not-a-real-doc',
});

The harness is mandatory for every leaf runtime SDK. It probes:

  • Cross-tenant non-disclosure. Principal A cannot resolve principal B's visible node IDs; the response is byte-equivalent to a request for a node that does not exist.
  • Existence-non-leak. The cross-tenant 404 has identical body, identical headers, and identical Content-Length to the absent-node 404. The discovery Link header is identical (it does not leak tenant identity).

The probe accepts a synthetic conformant resolver in this package's tests and is wired into the leaf SDK conformance gates.

Links