npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@api-doctor/cli

v0.0.10

Published

Deterministic verification rules for AI-generated API integrations

Readme

api-doctor

node version npm downloads

api-doctor scans AI-generated code for bad API integrations.

Deterministic AST rules. Not a prompt. Same input, same output, every time.

Full story and examples at apidoctor.co

https://github.com/user-attachments/assets/53dab24f-528b-4f1b-87a9-8870002053d8

Quick Start

# Scan your project
npx @api-doctor/cli .

# Or install as an agent skill (Claude Code, Cursor, Windsurf)
npx @api-doctor/cli install

📦 Supported Providers

| Provider | Rules | | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | | Resend | 13 rules | | Supabase | 12 rules | | Auth0 | 4 rules | | Firebase | 19 rules | | Lovable | 4 rules | | Browserbase | 11 rules | | OpenAI Computer Use | 7 rules | | TipTap | 10 rules | | ElevenLabs | 10 rules | | Twilio | 9 rules | | OpenAI Realtime | 9 rules | | S2 | 17 rules | | AgentMail | 14 rules |

Full rule catalogs live in the GitHub repo under src/providers/<name>/README.md.


What it catches

Rules cover four categories: security (CWE/OWASP mapped), correctness (wrong endpoints), reliability (production failure modes), and integration (wiring gaps).

| Category | What it means | Examples | | --------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | | Security | Issues that expose you to compromise. Mapped to CWE and OWASP audits. | Hardcoded API keys, secrets in the client bundle, webhooks read before signature verification | | Correctness | Wrong endpoint or API for the job. | Marketing email via batch send, missing unsubscribe links, test domain in production | | Reliability | Production failure modes the provider docs warn about. | Missing idempotency keys, batch limits not enforced, error codes not mapped | | Integration | Wiring gaps your agent won't add on its own. | No tags, no request ID logging, bare from address instead of "Name <email>" |


Why deterministic matters

You can't test AI code with AI. api-doctor breaks that loop. Same rules, same output, every time. Not a model call. Not a prompt.


Telemetry

api-doctor sends anonymous usage data to PostHog so we can see whether the tool is helping developers catch real bugs.

What we collect:

  • CLI version, Node.js version, platform
  • Run context: local, CI, or agent
  • Which API SDKs were detected (e.g. resend, supabase) — provider names only
  • Which rules fired — rule names only, no code
  • Score and finding counts
  • Score delta between runs on the same project (stored locally in that project's .api-doctor/run-history.json)
  • A hashed project identifier (project_hash) — SHA-256 of the scanned directory path, not the path itself
  • Sanitized error messages and stack traces on unexpected crashes (paths redacted)

What we never collect:

  • Your code or file contents
  • Raw file paths or project names
  • Email, name, or any personally identifying information

A random anonymous ID is stored at ~/.api-doctor/install-id. Per-project run history is stored at <project>/.api-doctor/run-history.json. Both stay on your machine — only the event data above is sent to PostHog.

Opt out:

npx @api-doctor/cli . --no-telemetry
npx @api-doctor/cli install --no-telemetry

Or set API_DOCTOR_TELEMETRY=0 or DO_NOT_TRACK=1 in your environment.


Help

MIT © Qualty