npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@agentproto/governance

v0.1.0-alpha.0

Published

agentgovernance/v1 — universal contractual approval framework. Doctypes (signature.json, audit-log.jsonl, POLICY.md) describe how to record signatures, append hash-chained audit events, and declare autonomy policies as workspace files. Vendor-neutral, fil

Downloads

121

Readme

@agentproto/governance

agentgovernance/v1 — the universal contractual approval framework, published as the open standard at governance.sh.

⚠️ Alpha (v0.1). Spec stabilizing. APIs may change pre-1.0.

Trust boundary (read this first)

v0.1 ships an honest internal building block, not a fully-credible contractual-approval product. Three pillars distinguish a credible standard from this alpha; v0.1 has the first only:

| Pillar | v0.1 | Provided by | | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | | Bytes integrity — "this artifact has not changed since signing" | ✅ SHA-256 of artifact bytes recorded in signature.json; runtime always re-hashes from disk | @agentproto/governance-engine | | Identity authenticity — "the signer was actually who the file says" | ❌ The signer field is a declarative string. Anyone with FS write access can author a signature.json claiming any signer. | Cryptographic JWS over the signature payload, bound to a per-identity key. Roadmap M4. | | History integrity vs. workspace owner — "the workspace owner cannot rewrite the chain undetected" | ❌ The hash chain is verifiable by anyone who has the file, but the workspace owner can rewrite the file and re-chain. No external witness in v0.1. | OpenTimestamps / RFC 3161 / on-chain anchor sink. Roadmap M5. |

Use v0.1 in trusted contexts only: an internal workspace where everyone with FS write is already inside your trust boundary, and you want a structured record of approvals that's portable, type-checkable, and machine-verifiable (within that trust boundary). Do not use v0.1 where any of the following is true:

  • The workspace owner is one of the parties whose signature you need to trust.
  • Counterparties outside your trust boundary author signature.json files.
  • A regulator, court, or external auditor will be asked to rely on the chain.

The roadmap to close all three pillars (cryptographic identity in M4, external anchoring in M5, RFC 8785 / cross-language conformance in M6) is published in the agentproto spec series. v1.0 of the package will not ship until those three are in place.

What this is

A small, vendor-neutral, filesystem-first standard for recording approvals as signatures, appending tamper-evident audit logs, and declaring autonomy policies — usable by any AI agent system that needs auditable decisions.

Three doctypes:

| Doctype | File | Purpose | | ----------------- | ------------------------------------------------------ | --------------------------------------------------------------------------------------- | | signature.json | <artifact>/signatures/<signer>-<date>.signature.json | Universal approval primitive (typed_name, agent_confirm, click_through, esign_external) | | audit-log.jsonl | <scope>/audit/audit-log.jsonl | Append-only, hash-chained event log | | POLICY.md | <scope>/policies/<slug>/POLICY.md | Declarative autonomy rule (caps, thresholds, requiredSignatures-when-exceeded) |

The full spec is in AGENTGOVERNANCE.md.

Why a peer standard

Governance doctypes are domain-agnostic: signature.json, audit-log.jsonl, POLICY.md don't reference services, engagements, or counterparties. Any workflow that needs an auditable approval — clinician overrides, approve-to-publish flows, board votes, AI-agent actions — uses the same files.

Why filesystem

A client receiving a workspace folder can verify every signature + the entire audit chain without our infrastructure using the published hash-chain protocol. Third-party verifiers can be implemented in any language.

Install

npm install @agentproto/governance

Subpath exports

import {
  signatureSchema,
  auditEventSchema,
  policySchema,
} from "@agentproto/governance/doctypes"
import {
  computeChainSignature,
  verifyChain,
} from "@agentproto/governance/hash-chain"
import {
  validateSignature,
  validateAuditEvent,
  validatePolicy,
} from "@agentproto/governance/validators"
import {
  recordAuditEvent,
  signArtifact,
  listPendingSignatures,
} from "@agentproto/governance/runtime"

Vendor neutrality

This package depends only on zod, gray-matter, yaml, and Node's built-in crypto. There are zero imports from Mastra, LangChain, Temporal, or any other workflow runtime. Adapters live in separate packages:

  • @agentproto/governance-mastra — Mastra suspend/resume hooks
  • (future) @agentproto/governance-langchain, @agentproto/governance-temporal, etc.

Status

This is the canonical implementation of agentgovernance/v1. The spec is open; alternative implementations are welcome at governance.sh.

License

MIT