npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@decent-render/protocol

v0.1.1

Published

Decent render-network wire protocol (v2) — shared TS types and zod schemas, pinned to Rust by shared fixtures and cross-language conformance tests.

Readme

@decent-render/protocol

The wire protocol (v2) between the Decent render-network dispatch service and a worker — TypeScript types + zod schemas.

Canonical home

This package is the TypeScript consumer API, open-source in the decent-render repo. Rust's typed emitter/consumer lives in crates/supervisor-core/src/protocol.rs. fixtures/v2.json is the shared wire-format truth: Rust locks the fixtures and both sides assert every fixture round-trips with no field drift.

  • TS: src/__tests__/conformance.test.ts (parses each fixture with zod, re-serializes, asserts deep field-set equality).
  • Rust: protocol::tests::cross_language_fixtures_round_trip (parses each fixture into the typed enums, re-serializes, asserts deep value equality).

If either side drops or adds a field, its test fails. This is exactly the tripwire that would have caught the outputSizeInBytes drift bug (the field existed in TS, was missing on Rust, both had green tests, nothing compared them).

Usage

import {
  WorkerMessageSchema,
  ServerMessageSchema,
  PROTOCOL_VERSION,
} from '@decent-render/protocol';

const msg = WorkerMessageSchema.parse(JSON.parse(raw));

peerDependency: zod >=4 <5 (Zod 4 only). Zod 3 support was dropped in 0.1.1; the schema surface is tested against Zod 4 exclusively.

Develop

cd packages/protocol
bun install
bunx vitest run          # TS conformance (13 tests)

Rust side, from the repo root:

cargo test -p supervisor-core cross_language

Publishing

OIDC trusted publishing — no npm token exists. The publish is a GitHub Actions workflow (workflow_dispatch) that authenticates to npm with a short-lived, per-run OIDC token from GitHub — no long-lived token to steal, rotate, or store. npm trusts only this specific workflow + repo + environment; combined with the package setting "Require 2FA and disallow tokens", no token can publish this package, ever — only this CI workflow can. (OpenSSF trusted-publishers standard, same as PyPI/RubyGems.)

To publish a new version:

  1. bump version in packages/protocol/package.json,
  2. commit + push,
  3. GitHub → Actions → Publish protocol package → Run workflow,
  4. approve the publish environment prompt.

One-time setup (owner): on npmjs.com configure the package's Trusted Publisher (GitHub Actions; org decent-render, repo decent-render, workflow publish-protocol.yml, environment publish, action npm publish) and set Publishing access = "Require 2FA and disallow tokens (recommended)". On GitHub, create the publish environment with Required reviewers = you. No NPM_TOKEN secret is needed.

Wire format

Plain JSON, camelCase keys, messages discriminated by type.

  • Worker → server: register, heartbeat, jobAccepted, jobProgress, jobComplete (metrics: wallMs, frames, outputSizeInBytes?), jobFailed.
  • Server → worker: jobAssign, cancel, ping, updateAvailable.
  • purgeAfter is a z.literal(true) / Rust PurgeAfter — the privacy rule baked into the type (deserialization rejects false).

Payload-agnostic (future, not this version)

v2 is render-specific. The intended evolution — a future wire-version bump, not now — is a payloadType discriminator on jobAssign so the same protocol carries render + genAI payloads. The package is named protocol (not render-protocol) to keep that door open; don't couple new fields to "render" specifically.

License

Apache-2.0.