npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@chaoscypherinc/ccx-format

v0.1.1

Published

Reference TypeScript reader/validator for CCX (Chaos Cypher eXchange) — the open, JSON-LD-native knowledge-graph package format.

Readme

@chaoscypherinc/ccx-format

npm License

The Apache-2.0 TypeScript reference reader for CCX 3.0 — parity-tested against the Python ccx-format reader on the shared conformance fixtures.

CCX (Chaos Cypher eXchange) is an open, JSON-LD-native package format for portable, source-backed knowledge graphs. A .ccx file is a ZIP that is, semantically, an RDF Dataset: a knowledge default graph plus any number of namespaced named graphs. It carries entities, relationships, the sources they were extracted from, citations linking claims back to those sources, and — optionally — vector embeddings, SHACL shapes, and cryptographic signatures, all in a single file you can move between tools without losing provenance.

This package is a reader/validator (read + validate + inspect). To write .ccx files, use the Python ccx-format package (pip install ccx-format).

npm i @chaoscypherinc/ccx-format

Node ≥ 18. Self-contained: the only runtime dependencies are jszip and ajv.


Read and validate a package

import { readFileSync } from "node:fs";
import { openPackage } from "@chaoscypherinc/ccx-format";

// openPackage takes raw bytes (Uint8Array). Read the file however you like.
const pkg = await openPackage(readFileSync("people.ccx"));

const report = await pkg.validate();
console.log(report.ok, report.classes); // true [ 'core', 'sources' ]
for (const w of report.warnings) console.log("warn:", w);

// Manifest metadata
const m = pkg.manifest;
console.log(m.name, m.packageVersion, m.license); // demo/people 1.0.0 CC-BY-4.0

// Walk the graphs (the default `knowledge` graph + any named graphs)
for (const g of await pkg.graphDocuments()) {
  console.log(g.namespace, g.name, g.role); // ccx knowledge default
  const doc = g.doc as { "@graph"?: { "@id": string; "@type"?: unknown }[] };
  for (const node of doc["@graph"] ?? []) {
    console.log(node["@id"], node["@type"]);
  }
}

// Sources + chunks (Core + Sources packages)
for (const rec of await pkg.sources()) {
  console.log(rec["@id"], rec["@type"]); // ccx:Source / ccx:Chunk
}

Higher-class accessors:

await pkg.context();           // the parsed bundled JSON-LD @context
await pkg.shapes();            // the shapes.ttl text, or null
pkg.embeddings();              // embedding descriptors from the manifest
await pkg.verifySignatures();  // offline, fail-closed ed25519 verification
await pkg.assetBytes(path);    // raw bytes of a content-addressed asset
await pkg.computeStats();      // { nodeCount, edgeCount, sourceCount }

Error handling

openPackage rejects unsafe archives (zip bomb, path traversal, symlink escape, bad ZIP) and missing/malformed/schema-invalid manifests. Recoverable validation problems are reported on report.errors (with report.ok === false) rather than thrown.

import { openPackage, CcxValidationError, CcxSecurityError } from "@chaoscypherinc/ccx-format";

try {
  const pkg = await openPackage(bytes);
  const report = await pkg.validate();
  if (!report.ok) console.error("invalid:", report.errors);
} catch (err) {
  if (err instanceof CcxSecurityError) console.error("unsafe package:", err.message);
  else if (err instanceof CcxValidationError) console.error("malformed package:", err.message);
  else throw err;
}

Conformance classes

validate() reports every class a package satisfies in report.classes. They are independent capabilities, not a linear ladder — a package can be core + sources without embeddings or shapes.

| Class | A package qualifies when it… | |---|---| | core | is a well-formed .ccx: STORED mimetype, schema-valid manifest.json, every declared file present with matching SHA-256 + SHA-512, a knowledge default graph, no remote @context. | | sources | adds sources.jsonl with source/chunk records (offset selectors into a text asset, or inline content) and citations aligned to W3C Web Annotation. | | embeddings | declares embedding descriptors (model + dimensions), optionally with content-addressed vector sidecars. | | shapes | ships a valid SHACL shapes.ttl. | | signed | ships ≥ 1 detached signature over the manifest (ed25519, verified offline). |

Full normative requirements (RFC-2119) are in the specification.


Security & hardening

The reader is built to consume untrusted packages:

  • No network at read time — remote @context / @import references are rejected; the bundled context.jsonld is authoritative.
  • Decompression bounds — entry-count, per-entry, and total-uncompressed limits guard against zip-bombs.
  • Path safety — path traversal, absolute paths, and symlink entries are rejected.
  • Integrity — every declared file's SHA-256 and SHA-512 are verified.
  • Signatures verify offline and fail closed; the signature format field is crypto-agile, with post-quantum (ML-DSA / SLH-DSA) formats reserved.

License

Apache-2.0. This is the TypeScript reference reader for the CCX format, the second independent implementation alongside the Python ccx-format reader and verified against it on the shared conformance fixtures. CCX is an open, documented format — there is no vendor lock-in, and a .ccx produced by any tool is readable by any conformant reader.

Issues and discussion: https://github.com/chaoscypherinc/ccx/issues.