npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@adlc/build-gate

v1.3.0

Published

Machine-checkable fitness-to-build gate — denies starting a high-risk P4 build in a degraded (context-rot) session unless an audited override is recorded (C13).

Downloads

413

Readme

build-gate

Machine-checkable fitness-to-build gate (ADLC C13 — issue #48).

Nothing else in ADLC deterministically prevents starting a high-blast-radius ticket's build (P4) when the executing session's context is degraded ("context rot"). build-gate closes that gap: it derives a ticket's risk tier, checks a machine-checkable context-fitness signal, and denies the build unless an audited override is recorded.

ADLC Phase

P3 → P4 entry gate. Sits between rail-freeze (P3) and supervised build execution (P4). Guards one invariant: a high-risk ticket must not begin its build in a degraded session.

Usage

build-gate <ticket-id> [--depth <n>] [--session-bytes <n>] [--transcript <path>]
           [--depth-threshold <n>] [--bytes-threshold <n>] [--tickets <path>]
           [--reason <text>] [--json]

Flags

| Flag | Default | Description | |------|---------|-------------| | <ticket-id> | — | Ticket to gate (required) | | --depth <n> | — | Precomputed tool-call-count depth signal | | --session-bytes <n> | — | Precomputed transcript byte-size signal | | --transcript <path> | — | Derive depth/session-bytes from this transcript file | | --depth-threshold <n> | 40 | Tool-call count past which a session is "degraded" | | --bytes-threshold <n> | 262144 (256 KiB) | Transcript bytes past which a session is "degraded" | | --tickets <path> | .adlc/tickets.json | Path to tickets file | | --reason <text> | — | Free-text reason recorded with an override | | --json | off | Emit machine-readable JSON result | | --help | — | Print this help and exit 0 |

A CLI process can't observe its own caller's context state — the caller (a hook, CI wrapper, or any harness) must supply the signal via --depth/ --session-bytes, or point --transcript at a transcript file to derive it from. Supplying neither defaults the signal to "not degraded" — a gate given no signal cannot deny.

Exit codes

0  allow (gate passes)
1  operational error (bad ticket id, missing tickets file, bad thresholds)
2  deny (gate fails)

Risk tier

A ticket is high risk if it declares "risk": "high", OR any of these derived signals fire from fields already on the ticket:

  • external: true — writes back to / creates / deletes in an external system
  • mutatesIdentity: true — mutates identity
  • scope/rails glob-matches .adlc/manifest.jsonl — mutates the gate-evidence ledger
  • scope/rails glob-matches .adlc/tickets.json or .adlc/current-ticket.json — touches the trust root
  • category is contract or architecture

A declared "risk": "normal" can never downgrade a derived-high signal — that would be a silent, undetectable way to defeat the gate.

Context-fitness signal

A proxy for "this session is deep," mirroring @adlc/flail-detector's existing transcript-size / tool-call-count scanning approach: a tool-call-count (--depth) and a transcript byte count (--session-bytes), each compared to a threshold. Either signal past its threshold means the session is degraded.

Audited override

Set ADLC_BUILD_GATE_BYPASS=1 to deliberately override a deny (mirrors the ADLC_RAILS_BYPASS pattern used by rails-guard). The override is only honored if it can be durably recorded to .adlc/manifest.jsonl as a build-gate-bypass entry — an override that cannot be recorded is refused, never silently allowed.

Toolkit modules (Path A — reusable by any harness)

  • lib/risk.mjscomputeRiskTier(ticket) / deriveRiskSignals(ticket)
  • lib/depth-signal.mjscomputeDepthSignal({ text, bytes }) / isDegraded({...})
  • lib/decide.mjsdecideBuildGate({ riskTier, degraded, bypass, recordBypass })
  • lib/override.mjsrecordOverride({...})
  • lib/active-ticket.mjsresolveActiveTicketId({ dir, env }), the shared ADLC_TICKET env var / .adlc/current-ticket.json convention already used by every other harness integration (codex, opencode, cursor, antigravity)

Claude Code integration (Path B — self-enforcing)

plugins/adlc-claude-code/hooks/adlc-hook.mjs's buildgate PreToolUse mode supplies the in-session context signal (the same transcript-window staging the flail mode already does) and computes the risk tier, context-fitness signal, and allow/deny decision entirely locally — verbatim ports of this package's lib/risk.mjs / lib/depth-signal.mjs / lib/decide.mjs logic, marked "KEEP IN SYNC" in the hook source. It does not shell out to adlc build-gate for the decision; adlc (via gate-manifest) is invoked only to durably record an audited override, mirroring how rails never needs adlc for its own core decision either. See docs/specs/build-gate-fitness.md, including its Known limitations section (unreadable-transcript fail-closed behavior, and the unprotected .adlc/current-ticket.json pointer as a Bash-reachable, CI-unbackstopped escape hatch).