npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@eubound/ax

v0.1.0

Published

Local-first EUBound AX harness for external coding agents.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ghalebighalebi

Keywords

aiagentscomplianceeugatewayllmreceiptssovereign-ai

Readme

@eubound/ax

Local-first EUBound AX harness for external customer-controlled coding agents.

The harness does not upload repository source code. It scans locally, sends only a synthetic smoke prompt when smoke is run, verifies receipts, audits obvious logging/fallback risks, and writes eubound-proof.json.

npx @eubound/ax init
npx @eubound/ax doctor --json
npx @eubound/ax contract --json
npx @eubound/ax scan --json
npx @eubound/ax fetch-jwks --json
npx @eubound/ax validate --json
npx @eubound/ax smoke --json
npx @eubound/ax verify --json --jwks .eubound/jwks.json
npx @eubound/ax audit-logs --json
npx @eubound/ax proof --json

Offline verification requires trusted EUBound JWKS. --allow-embedded-key is a development-only escape hatch for local fixtures and is not production proof. doctor --json lists every AX networked command and explicitly declares source, repository-metadata, customer-prompt, customer-completion, API-key, and prompt/completion-storage behavior for that command. proof requires the signed receipt artifact from smoke or --receipt and recomputes verification against trusted JWKS instead of trusting .eubound/verify.json. Generated proof packs include sha256: hashes for the local AX evidence artifacts they were built from, without embedding source code, prompts, or completions. validate --json recomputes those non-null evidence hashes and blocks proof if local AX evidence drifted after proof generation.

Required runtime variables for smoke tests:

export EUBOUND_API_BASE_URL=https://api.eubound.eu/v1
export EUBOUND_API_KEY=...
export EUBOUND_MODEL=mistral-small-alpha
export EUBOUND_POLICY=EU_HARD_BOUNDARY

Release is intentionally guarded from the repository root:

EUBOUND_API_KEY=... just ax-publish-dry-run
npm login --registry https://registry.npmjs.org/
EUBOUND_API_KEY=... just ax-publish

The publish script forces the npmjs registry, checks package contents, installs and smoke-tests the packed tarball, runs authenticated production readiness before publish, and reruns full readiness after publish. The current Forgejo release path uses AX_NPM_PROVENANCE=off because npm provenance requires supported cloud-hosted CI/CD. Use AX_NPM_PROVENANCE=required only from a future supported npm OIDC publisher.

The repository just ax-check gate also installs the packed tarball into a temporary consumer project and runs the installed eubound-ax binary, so package file selection, package metadata, and bin wiring are tested before publication. After publication, just ax-production-readiness installs @eubound/ax@<version> from npm and runs the same binary smoke so public metadata alone cannot count as release readiness. The same readiness gate also validates linked schema, recipe, and error catalog shapes, then compares manifest-embedded error_codes with the linked error catalog so failure semantics cannot drift across AX contract surfaces. The live gate also requires the full AX error-code vocabulary.

CI release uses .forgejo/workflows/ax-publish.yaml with NPM_TOKEN and EUBOUND_API_KEY secrets on the EU runner.

Documentation Map

  • Map key: packages-ax-cli
  • Documentation map: ../../docs/documentation-map.md
  • Scope: Local-first AX CLI command behavior and safety boundaries.
  • Audience: External coding agents, customer developers, and CLI maintainers
  • Recommended related docs:
  • Update rule: Review this README whenever CLI commands, output files, proof semantics, or network behavior changes.
  • Last map sync date: 2026-05-15
  • Update attempt log:
    • What was attempted: Add documentation for the initial dependency-light AX CLI package.
    • What failed: Nothing known in this update.
    • What worked: The README documents local-first behavior, commands, and required smoke-test environment variables.