npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@cowork-trust/trust

v0.5.0

Published

NPM SDK and CLI for adding hosted trust decisions to AI agent actions.

Downloads

63

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

kamesh231kamesh231

Keywords

coworktrust-engineai-agentsauditapi

Readme

@cowork-trust/trust

NPM SDK and CLI for the CoWork Trust Engine. Use it to ask a hosted Trust Engine whether an agent action should be allowed, reviewed, approved, or denied before the agent executes external work.

Install

npm install @cowork-trust/trust
npx @cowork-trust/trust --help

SDK: Agent Runtime

For production agent code, use an actor-bound API key. Create the actor and key from the hosted UI or admin API, then give the agent runtime only that actor key.

import { CoworkTrust } from "@cowork-trust/trust";

const trust = new CoworkTrust({
  apiUrl: process.env.COWORK_TRUST_API_URL,
  apiKey: process.env.COWORK_TRUST_AGENT_KEY,
  actor: {
    externalId: "support-bot-1",
    type: "agent",
    platform: "claude",
  },
});

const decision = await trust.evaluate({
  action: {
    type: "commerce.replacement.create",
    category: "write",
    topic: "commerce.replacements",
  },
  resource: {
    type: "order",
    id: "order-123",
  },
});

Decision handling pattern:

allow -> execute
allow_with_review -> execute with audit/review
require_approval -> ask a human first
deny -> block

After execution, send feedback so trust can learn:

await trust.feedback(decision.evaluationId, {
  signalType: "executed_successfully",
});

You can inspect the configured actor without repeating its ID:

await trust.currentActor.score();
await trust.currentActor.score({ topic: "commerce.replacements" });
await trust.currentActor.topics();
await trust.currentActor.history({ topic: "commerce.replacements" });

Actor-Bound Keys

Actor-bound keys are the recommended runtime credential for agents:

workspace
  -> actor-bound API key
    -> actor
      -> topic scores
      -> evaluations/signals

An actor-bound key can only evaluate as, read scores for, and submit feedback for its bound actor. It cannot create workspaces, create actors, manage API keys, mutate policy, or read another actor's trust data.

Workspace admin keys and Clerk dashboard auth are for setup and management flows.

Topic Trust

Add action.topic to make trust contextual. An agent can be trusted for crm.contacts or commerce.replacements while still requiring approval for billing.export or commerce.refunds.

await trust.score("agent-1", { topic: "crm.contacts" });
await trust.actors.topics("agent-1");

Admin Key Creation Helpers

Management should normally happen through the hosted UI or admin API. The SDK still exposes key helpers for server/admin automation:

await trust.keys.create({
  name: "support-bot-1-runtime",
  keyType: "actor",
  actorExternalId: "support-bot-1",
});

Raw API keys are returned only once. Store only the generated key in the agent runtime secret store.

CLI Login

npx @cowork-trust/trust login --api-url https://cowork-hubspot-integration-staging.up.railway.app
npx @cowork-trust/trust whoami
npx @cowork-trust/trust smoke

The CLI stores credentials in ~/.cowork/trust/config.json. You can also pass --api-url and --api-key, or set COWORK_API_URL and COWORK_API_KEY.

CLI Commands

cowork-trust evaluate --category read --action resource.read --resource record:123 --topic crm.contacts
cowork-trust score --actor agent-1 --topic crm.contacts
cowork-trust feedback --evaluation <evaluation-id> --signal approved
cowork-trust actors topics agent-1
cowork-trust actors history agent-1 --topic crm.contacts
cowork-trust keys create --name support-bot-runtime --actor support-bot-1
cowork-trust policy get
cowork-trust evaluations list

Workspace and actor creation are intentionally not CLI-first for V0. Use the hosted UI or admin API so workspace setup stays auditable.

Hosted UI

Open the hosted API root, for example:

https://cowork-hubspot-integration-staging.up.railway.app/dashboard

The UI lets workspace users create API keys, inspect evaluations, review actor/topic scores, send feedback signals, and update policy thresholds.

Security Boundary

CoWork Trust does not execute external actions and does not store connector credentials. Agent tools and connector gateways keep external credentials; the Trust Engine decides, audits, scores, and learns.