npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@e-sig/uaid-exch

v0.1.0-preview.0

Published

Preview implementation of the IAASO Exchange Profile (ADR-006, under review). Wraps @e-sig/core envelopes as per-transaction signed authorizations on the UUAID Network with subject + issuer proofs and Polygon-anchored batch receipts. Wire format will be f

Readme

@e-sig/uaid-exch

Preview implementation of the proposed IAASO Exchange Profile (ADR-006). The doctrine is under review by the IAASO standards council. This package is versioned 0.1.0-preview and its wire format will be re-shaped to conform to the accepted schemas when ADR-006 lands. Use in production only after ADR-006 is Accepted and the schemas ship under iaaso/artifacts/schemas/exchange/*/v1/.

Wraps every @e-sig/core signing operation as a per-transaction signed authorization on the UUAID Network — subject + issuer proofs, network-side receipt, scope-checked authorization, and a Polygon-anchored batch inclusion proof that anyone can look up at tx.uuaid.org/<id>.

Wire format note. The current preview uses W3C DataIntegrityProof shape (eddsa-jcs-2022) as an ergonomic starting point. Per IAASO ADR-002, the accepted wire format for IAASO objects is the UUAID SignatureEnvelope ({alg, keyId?, publicKey?, sig, created?} — JCS + Ed25519, keccak256 for anchor). When ADR-006 is Accepted, this package will re-emit both shapes (VC shape for external interop, SignatureEnvelope for IAASO conformance) via a single call.

npm i @e-sig/uaid-exch @uuaid/sdk

MIT-licensed. Opt-in. If UUAID env is unset, this package is a no-op.

Why

@e-sig/core already produces a real cryptographic PDF signature. @e-sig/uuaid already stamps the acting agent's UUAID into the audit log. This package closes the loop by producing a portable, per-exchange Verifiable Credential that:

  • Public. Anyone can GET https://api.uuaid.org/v1/exchanges/<id> without a key.
  • Three-party attested. Agent proof + Issuer TSP proof + (asynchronously) a Network receipt.
  • Scope-checked. The Signing Credential's scope (actions, counterparty allowlist, value ceiling, assurance minimum) is machine-enforced by verifiers before the counterparty acts.
  • Anchored. Every batch of receipts is Merkle-rooted and anchored to Polygon mainnet by the UUAID registry. Rewriting history means contradicting a public blockchain.
  • Interoperable. Compatible with Google AP2 as an extension credential (uuaid.exchange.v1); the AP2 Payment Mandate id can be cross-referenced in external_refs.ap2_payment_mandate.

Quickstart

import { signDocument } from "@e-sig/core";
import { UuaidClient } from "@uuaid/sdk";
import {
  createExchange,
  exchangeInputFromEsigEnvelope,
  UaidNetworkClient,
} from "@e-sig/uaid-exch";

// 1. Sign the PDF as usual with @e-sig/core.
const signed = await signDocument({ /* ...as usual... */ });

// 2. Build a UAP-EXCH-1 Exchange over that signing action.
const network = new UaidNetworkClient({ apiKey: process.env.UUAID_API_KEY! });

const exchange = await createExchange(
  exchangeInputFromEsigEnvelope({
    envelopeId: signed.envelopeId,
    signingCredentialId: process.env.UUAID_SIGNING_CREDENTIAL_ID!,
    principal: "did:web:acme.com",
    counterparty: "did:web:customer.com",
    pdfSha256: `sha256:${signed.pdfSha256Hex}`,
    pdfSize: signed.signedPdfBytes.length,
    pdfUri: signed.signedPdfUrl,
    purpose: "MSA Q3 renewal",
    value_impact: { currency: "USD", amount: 24000, term_months: 12 },
    soleControl: {
      challenge_type: "webauthn-prf",
      challenge_at: signed.consent.givenAt,
      challenge_evidence_hash: `sha256:${signed.consent.evidenceSha256Hex}`,
    },
  }),
  agentSigner,   // provide { agentUuaid, verificationMethod, sign(bytes) }
  issuerSigner   // provide { issuerDid,  verificationMethod, sign(bytes) }
);

// 3. Submit to the network. The receipt anchors ~10 minutes later.
const { exchange_id, estimated_anchor_at } = await network.submit(exchange);

// 4. Anyone can now verify at tx.uuaid.org/<tx_short_id> once anchored.
console.log(network.resolverUrl(exchange_id));

Assurance ladder

Per UAP-EXCH-1 § 4:

| Level | Requirements | |---|---| | L0 | Software-key Agent, no KYA. | | L1 | Software-key + verified Principal. | | L2 | HW-attested key + org-verified Principal. | | L3 | L2 + continuous evidence from an Assurance Provider (e.g. DSalvus). | | L4 | L3 + industry KYA depth (HIPAA / PCI / SOX / 21 CFR Part 11) + insurance. | | L5 | L4 + eIDAS QES by a QTSP on the EU Trusted List. |

Counterparties enforce a minimum level; this SDK renders it into the Signing Credential and Exchange so verification is one JSON check.

Strictly opt-in

Absent UUAID_API_KEY, the package is a pure library — no network calls. UaidNetworkClient.submit() throws early rather than dropping data into a silent no-op. Reads (get, getReceipt) are unauthenticated per the spec.

Interoperability

  • AP2 (Google + 60 partners). UAID Exchange embeds inside an AP2 A2A task under extension key uuaid.exchange.v1; conversely, the AP2 Payment Mandate id can be referenced from external_refs.ap2_payment_mandate.
  • W3C VC-Data-Model 2.0. Every artifact this package produces is a conformant VC.
  • eIDAS QES. At L5, external_refs also carries the QTSP-produced PKCS#7/CAdES-T reference.

Development

npm install
npm run build
npm test

License

MIT. Part of the esig-suite family.