npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@hachej/boring-governance

v0.1.89

Published

Reusable boring-ui tenant governance plugin: YAML policy loading, model filtering, budget metering, company-context bindings, and Company Admin UI.

Readme

@hachej/boring-governance

Reusable tenant governance wiring for boring-ui apps: YAML policy loading, model filtering, budget metering, company-context bindings, routes, and Company Admin rendering.

Server wiring

Call createGovernance(config) after loading core config and before createCoreWorkspaceAgentServer so invalid production policy still refuses boot early.

const governance = await createGovernance(config)
const credits = buildCreditsWiring()
let appDb: unknown
const app = await createCoreWorkspaceAgentServer({
  config,
  plugins: createAppPlugins([governance.serverPlugin]),
  metering: governance.createMeteringSink(credits.meteringSink, () => appDb as never),
  filterModels: governance.filterModels,
  getFilesystemBindings: governance.getFilesystemBindings(),
  pi: governance.pi,
})
appDb = app.db
credits.attach(app)

Front wiring

const governanceCompanyAdmin = createGovernanceCompanyAdmin()

<CoreWorkspaceAgentFront companyAdmin={governanceCompanyAdmin} />

Policy source is configured with BORING_GOVERNANCE_POLICY_PATH. Company context source roots use BORING_GOVERNANCE_COMPANY_CONTEXT_ROOT or the default workspace root resolver outside sandbox mode. When an explicit, governance-owned company-context root is configured, verified tenant admins receive a tenant-wide read/write company_context binding; ordinary policy users receive only their regex-filtered readonly projection. Custom resolvers must opt into admin mutations with allowAdminMutations: true only when no other actor can mutate the root outside the governance store.

Policy budgets

Model grants remain the model picker allowlist. Optional user budgets cap aggregate monthly spend across all allowed models; optional per-model budgets cap individual models.

users:
  - email: [email protected]
    role: user
    budgets:
      monthlyEur: 10
    models:
      - provider: infomaniak
        id: Qwen/Qwen3.5-122B-A10B-FP8
        monthlyBudgetEur: 2

A run is admitted only when the user is allowed to use the selected model, the aggregate user budget has remaining monthly capacity, and the selected model budget has remaining monthly capacity.

Governance access matrix smoke

The package includes a reusable HTTP matrix runner for deployment smoke tests:

boring-governance-access-matrix
# or from the source package:
pnpm --filter @hachej/boring-governance smoke:governance-matrix

It signs in two environment-provided users and verifies the expected read/write behavior for:

  • company-context public paths
  • company-context Adam-private paths
  • each user's own user workspace filesystem
  • cross-user workspace access denial

All deployment-specific values must be supplied explicitly; the reusable package intentionally does not ship real credentials or workspace IDs.

| Var | Required value | | --- | --- | | MATRIX_BASE_URL / DEPLOY_URL | Deployment base URL | | MATRIX_ADAM_EMAIL | Admin fixture email | | MATRIX_ADAM_PASSWORD | Admin fixture password | | MATRIX_ADAM_WORKSPACE_ID | Admin fixture workspace ID | | MATRIX_READONLY_EMAIL | Readonly fixture email | | MATRIX_READONLY_PASSWORD | Readonly fixture password | | MATRIX_READONLY_WORKSPACE_ID | Readonly fixture workspace ID | | MATRIX_COMPANY_PUBLIC_READ_PATH | Existing public company-context file readable by both users | | MATRIX_COMPANY_PRIVATE_READ_PATH | Existing private company-context file readable by admin and denied to readonly | | MATRIX_COMPANY_PUBLIC_WRITE_DIR | Company-context directory used for admin public write probes | | MATRIX_COMPANY_PRIVATE_WRITE_DIR | Company-context directory used for admin private write probes | | MATRIX_ADMIN_COMPANY_WRITE_EXPECTED | Optional admin company-context write status, defaults to 403 for the base readonly plugin | | MATRIX_READONLY_COMPANY_WRITE_EXPECTED | Optional readonly company-context write status, defaults to 403 |