npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@attestly/compliance-core

v0.1.3

Published

Zero-latency, Web Standard-based SDK that enforces AI compliance

Readme

@attestly/compliance-core

A zero-latency, Web Standard-based SDK that strictly enforces AI compliance at the route boundary, before your API executes.

Built specifically to shift EU AI Act Compliance, Model Version Locking, and PII Scrubbing to the absolute left of your development cycle, without adding any overhead to your production environment.

🚀 Key Value Propositions

  • Zero-Dependency Core: The SDK is incredibly lightweight and natively relies on Web Standard Request and Response objects. No heavy AST parsers or backend-bloat.
  • Zero-Latency (TTFB Protected): Validation runs entirely synchronously in milliseconds. In production, the wrapper acts as a near-zero-cost pass-through unless explicitly configured to intercept.
  • EU AI Act Shift-Left: Catches Prohibited Practices (Article 5), auto-escalates Annex III High-Risk domains (like Law Enforcement, Biometrics, Healthcare, and Critical Infrastructure), and strictly enforces required metadata traceability according to EU regulations.
  • Vercel AI SDK First: Out-of-the-box support for streaming UIs. It inspects the prompt, scrubs PII, and returns the native DataStreamResponse totally untouched so your Lighthouse scores remain pinned at 100.

📦 Installation

npm install @attestly/compliance-core

🛠 Setup & Initialization

Instead of hand-coding your manifest, use our interactive CLI to intelligently scan your local codebase and generate a compliant ai-manifest.json.

npx @attestly/cli init

The CLI will:

  1. Scan your project for AI model strings (e.g., gpt-4o, claude-3-opus).
  2. Ask you to classify your primary System Domain under the EU AI Act.
  3. Automatically escalate the risk category if you select high-risk domains.
  4. Output your locked-down ai-manifest.json.

💻 Usage

The "One-Shot" AI Setup Prompt

Instead of reading docs, just copy and paste this prompt directly into Cursor, GitHub Copilot, or ChatGPT to have it auto-configure your entire repository:

Please configure my codebase for EU AI Act Compliance using Attestly:

  1. Run `npm install @attestly/compliance-core` and `npm install -D @attestly/cli`
  2. I know `npx @attestly/cli init` is interactive, so please bypass it and directly create an `ai-manifest.json` at the root with my allowed AI models and set the euRiskCategory based on my system domain.
  3. Directly create a global Next.js `middleware.ts` (or update my existing one) and inject the `withAttestlyCompliance` wrapper from `@attestly/compliance-core`.
  4. Run `npx @attestly/cli scan` to verify my API routes are 100% compliant.

Global Middleware (Recommended)

Instead of wrapping every single API route, drop the wrapper into your Next.js middleware.ts. The Attestly CLI scanner will automatically detect this and mark all your routes as protected!

import { withAttestlyCompliance } from '@attestly/compliance-core';
import manifest from './ai-manifest.json';
import { NextResponse } from 'next/server';

export default withAttestlyCompliance(async (req) => {
  return NextResponse.next();
}, manifest as any);

export const config = {
  matcher: '/api/:path*',
};

Per-Route Usage (Alternative)

Wrap your existing API routes in Next.js, Remix, or Hono.

Standard API Route

import { withAttestlyCompliance } from '@attestly/compliance-core';
import manifest from '../../ai-manifest.json';

async function handler(req: Request) {
  // Your standard LLM logic here...
  return new Response(JSON.stringify({ success: true }));
}

export const POST = withAttestlyCompliance(handler, manifest);

Streaming API Route (Vercel AI SDK)

import { withAttestlyStream } from '@attestly/compliance-core';
import { streamText } from 'ai';
import { openai } from '@ai-sdk/openai';
import manifest from '../../ai-manifest.json';

async function handler(req: Request) {
  const result = await streamText({
    model: openai('gpt-4-0613'),
    prompt: 'Hello world',
  });
  return result.toDataStreamResponse();
}

export const POST = withAttestlyStream(handler, manifest);

📊 Attestly Studio (Local Telemetry)

You don't need to deploy to test your compliance barriers! Spin up the Attestly Studio right inside your terminal to see a real-time, local dashboard of your AI traffic.

npx @attestly/cli studio

This launches a local dashboard at http://localhost:5050.

  • Real-Time Feed: Watch your local API requests stream in.
  • Inspector: Click on a request to see the raw payload, the PII-scrubbed output, and any triggered EU AI Act violations.
  • Handoff: Click the "Generate Trust Center" button to seamlessly hand off your local manifest to the Attestly SaaS platform to generate a public, SOC2-ready Trust Center!