npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@dorado.dev/cmd-k

v0.1.40

Published

Command-palette style AI assistant component for Dorado. Drop into any React app to add an AI assistant powered by Dorado's runtime.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

pclevelandpcleveland

Keywords

reactaiassistantcmdkdoradoragchatllmcomponent

Readme

@dorado.dev/cmd-k

A drop-in command-palette style assistant for your app.
Connects directly to Dorado (your AI runtime) for chat, streaming, RAG, and tools—no secrets in the browser.

  • ⚡️ Plug & play: mount a component, pass your assistantId & user JWT.
  • 💬 Realtime: token-level streaming (SSE) with auto-reconnect.
  • 📚 Grounded: works with Dorado Knowledge Bases (RAG) when your assistant is configured to retrieve.
  • 🛠 Tools: renders tool call states and results (when enabled server-side).
  • 🧭 Keyboard-first: "cmd-k" palette UI with accessible navigation.
  • 🌍 Anywhere: talks to Dorado Cloud or your on-prem/classified deployment.

Quick start

1) Install

npm i @dorado/cmd-k
# or
yarn add @dorado/cmd-k
# or
pnpm add @dorado/cmd-k

2) Configure Dorado (one-time per project)

In the Dorado Console → Project → End-User Auth:

  1. Mode: JWT
  2. Issuer: your IdP issuer (e.g., https://acme.okta.com/oauth2/default)
  3. JWKS URI: your IdP JWKS endpoint
  4. Audience: add dorado:<project_id> (or your chosen audience)
  5. Claim mapping:
    • externalUserIdsub
    • (optional) emailemail, namename
  6. CORS: add your app origin(s), e.g., https://app.acme.com

Dorado will validate incoming Authorization: EndUser <USER_IDP_JWT> against this config.

Required claims in the user JWT: iss, aud (must include your Dorado audience), sub, exp.

Usage

import { CmdK } from "@dorado/cmd-k";

export default function App() {
  return (
    <CmdK
      projectId="proj_12345678-90ab-cdef-1234-567890abcdef"
      assistantId="asst_abc"
      getUserToken={async () => {
        // Return the user's IdP JWT (ID token preferred).
        const token = await myAuthLib.getIdToken();
        return token;
      }}
    />
  );
}

That’s it—you have a working assistant with streaming responses.
No Dorado API keys are ever exposed to the browser.

Auth patterns by IdP

Use whichever yields a short-lived JWT with iss/aud/sub/exp.

NextAuth (Next.js)

import { getSession } from "next-auth/react";
export async function getUserToken() {
  const session = await getSession();
  return session?.idToken ?? ""; // configure your NextAuth provider to include an ID token
}

Auth0 (SPA)

import { useAuth0 } from "@auth0/auth0-react";
const { getIdTokenClaims } = useAuth0();

async function getUserToken() {
  const claims = await getIdTokenClaims();
  return claims.__raw; // raw ID token JWT
}

Okta

import { OktaAuth } from "@okta/okta-auth-js";
const okta = new OktaAuth({ /* config */ });

async function getUserToken() {
  const { tokens } = await okta.tokenManager.getTokens();
  return tokens.idToken?.idToken || ""; // prefer ID token
}

Azure AD (MSAL)

import { PublicClientApplication } from "@azure/msal-browser";
const msal = new PublicClientApplication(msalConfig);

async function getUserToken() {
  const accounts = msal.getAllAccounts();
  const req = { scopes: ["openid", "profile"], account: accounts[0] };
  const { idToken } = await msal.acquireTokenSilent(req);
  return idToken;
}

Component props

type CmdKProps = {
  /** Dorado project that holds auth config & resources */
  projectId: string;

  /** Assistant to use (model, system prompt, tools/RAG config live server-side) */
  assistantId: string;

  /** Return a fresh EndUser JWT from your IdP (short-lived) */
  getUserToken: () => Promise<string>;

  /** Optional: Dorado API base (defaults to window.location-based or https://api.dorado.dev/v1) */
  apiBaseUrl?: string;

  /** Optional: seed metadata saved on Dorado sessions/messages */
  initialMetadata?: Record<string, unknown>;

  /** Called when authentication fails (JWT invalid/expired/CORS) */
  onAuthError?: (err: unknown) => void;

  /** Called for run-level lifecycle (created/started/completed/errored) */
  onRunEvent?: (evt: { type: string; data?: unknown }) => void;

  /** Provide your own className or style overrides */
  className?: string;

  /** i18n/localization overrides */
  locale?: string;
};

What it sends to Dorado

  • Authorization: EndUser <USER_IDP_JWT>
  • X-Dorado-Project-Id: <projectId>
  • JSON body per API (see OpenAPI).
    It uses:
  • POST /v1/assistants/{assistant_id}:stream for live responses (SSE)
  • POST /v1/assistants/{assistant_id}:respond for one-shot (fallback)
  • POST /v1/sessions and POST /v1/sessions/{id}/messages under the hood to persist conversation

Each write includes an Idempotency-Key header to avoid duplicate runs on flaky networks.

Styling & UX

  • Command palette UX (⌘K / Ctrl+K to open), full keyboard navigation.
  • Theming: component is unstyled primitives by default + minimal sensible styles. Add your CSS or Tailwind classes by passing className or targeting data attributes.
  • A11y: ARIA roles for listbox/menu/dialog, focus traps, screen-reader labels.

Examples

Minimal (one-liner)

<CmdK
  projectId={PROJECT_ID}
  assistantId={ASSISTANT_ID}
  getUserToken={() => auth.getIdToken()}
/>

With custom container + events

<CmdK
  className="fixed bottom-4 right-4 w-[420px] rounded-xl shadow-xl"
  projectId={PROJECT_ID}
  assistantId={ASSISTANT_ID}
  getUserToken={getUserToken}
  initialMetadata={{ app: "dashboard", plan: "pro" }}
  onRunEvent={(e) => {
    if (e.type === "run.completed") console.log("Tokens:", e.data);
  }}
  onAuthError={(e) => toast.error("Sign in to use the assistant")}
/>

Security notes

  • Never pass Dorado API keys to the client. This package does not accept an apiKey prop.
  • Ensure your IdP JWT is short-lived (≤ 60 minutes; 5–15 ideal).
  • Lock CORS in Dorado to your app origins.
  • Use opaque sub (no PII) as the stable external user id; store PII in end_users.profile if desired.
  • If your JWT aud isn’t dorado:<project_id>, set the expected audience in Dorado to match your IdP.

Troubleshooting

401 jwt_invalid_audience
Your token’s aud doesn’t match Dorado’s expected audience. Update Dorado Project → End-User Auth to include your token audience, or configure your IdP to issue aud = dorado:<project_id>.

401 jwks_signature_mismatch
Dorado can’t validate the signature. Check the Issuer/JWKS URI in project settings; make sure you’re passing an ID token from the same issuer.

403 project_not_configured_for_jwt
Enable JWT mode in Dorado and add your issuer/JWKS/audience.

CORS error in browser
Add your app origin to Dorado’s allowed origins list.

Streams don’t update
Corporate proxies sometimes buffer SSE. The component auto-retries with respond as a fallback; consider proxying via your backend if SSE is blocked.

FAQ

ID token or access token?
Prefer ID token (more predictable claims). Access tokens can work if their aud/issuer are configured.

Multi-tenant apps?
Pass the right projectId per tenant; configure each Dorado project with that tenant’s IdP.

Can I bring my own UI?
Yes. @dorado/sdk (coming alongside) offers typed client calls. This component is for zero-lift UI.

Roadmap (MVP → near term)

  • [ ] File upload & inline citations UI (when assistant retrieval returns sources)
  • [ ] Tool call UI affordances (pending/accepted/failed states, input forms)
  • [ ] Theming tokens + dark mode primitives
  • [ ] i18n strings externalization
  • [ ] Optional WebSocket transport (alongside SSE)

Development

pnpm i
pnpm dev     # storybook/dev playground
pnpm build   # typecheck + bundle

License

AGPL-3.0