npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@axtary/actionpass

v0.1.0

Published

Scoped, signed ActionPass artifacts for runtime-governed AI agent actions.

Downloads

439

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

axtary-useraxtary-user

Keywords

ai-agentsauthorizationruntime-securityjwtmcp

Readme

@axtary/actionpass

Scoped, signed ActionPass artifacts for runtime-governed AI agent actions.

Early 0.x release: the runtime path is real and tested, but the API is not stable yet and may change between minor versions.

npm install @axtary/actionpass

What It Does

  • Validates normalized agent actions at runtime.
  • Produces canonical SHA-256 payload hashes.
  • Produces payload-bound approval artifacts for exact human or policy override approvals.
  • Issues signed ActionPass JWT/JWS artifacts for allowed actions.
  • Produces revocation records and rejects revoked passes during verification.
  • Verifies passes against a keyring by kid so rotated keys can coexist.
  • Persists local public verification keys and revocations in a JSON trust store.
  • Verifies that a signed pass and any embedded approval evidence still match the exact action payload.
  • Records ledger entries with hashable decision evidence.

Current Status

0.x versions are early releases. Do not use them for production authorization yet.

Before production use, Axtary still needs:

  • Stable schema versioning.
  • External signing-key management.
  • Hosted approval queue integration.
  • External security review.

The package builds to dist/ and publishes JavaScript plus TypeScript declarations.

Quickstart

This example runs as-is with Node 20+:

import { generateKeyPair } from "jose";
import {
  authorize,
  createApprovalArtifact,
  demoAction,
  verifyActionPass,
} from "@axtary/actionpass";

const { publicKey, privateKey } = await generateKeyPair("ES256");

// Bind a human approval to the exact payload hash.
const { artifact } = createApprovalArtifact({
  action: demoAction,
  mode: "human",
  approvedBy: "user:[email protected]",
  reason: "Reviewed the exact PR payload",
});

// Evaluate policy, issue a signed ActionPass, produce a ledger record.
const result = await authorize({
  action: demoAction,
  issuer: "https://axtary.local",
  tenant: "org:example",
  signingKey: privateKey,
  approvalArtifact: artifact,
});

console.log(result.decision.decision, result.payloadHash);

// Verification fails closed on expiry, revocation, or payload mismatch.
const verified = await verifyActionPass({
  token: result.actionPass.token,
  action: demoAction,
  verificationKey: publicKey,
  issuer: "https://axtary.local",
});

console.log(verified.valid);

Security Notes

ActionPass is designed to fail closed:

  • Malformed actions fail schema validation.
  • Denied and step-up actions do not receive passes.
  • Verification rejects expired tokens.
  • Verification rejects revoked pass IDs.
  • Verification rejects payload hash mismatches.
  • Pass issuance rejects approval artifacts that were created for a different action or payload.
  • Keyring verification fails closed when the JWT kid is unknown.
  • The local trust store persists public verification JWKs only; signing keys should remain in KMS, env-managed dev secrets, or another controlled key custodian.
  • Verification binds agent, human owner, runtime, task, tool, resource, and payload hash.

Signing currently defaults to ES256.