@ibisllc/maintainers

v0.1.0

Pin-a-mandate, verify-forward trust protocol: declare, renew, and transfer signing authority over a versioned artifact. The bake is the ceremony.

A trust protocol for declaring, renewing, and transferring signing authority over a versioned artifact (typically a git repository, but the storage layer is content-addressed and adapter-driven). The model is pin-a-mandate, verify-forward: a consumer bakes the canonical hash of one chosen Mandate (the pin) into its own signed build, then accepts a track's authority only by walking that track's mandate log forward from the pinned mandate, applying each mandate's own embedded succession rule to authorize the next. There is no separate policy file and no privileged self-renewal — one uniform rule, signed into each mandate, governs the next. The bake is the ceremony: trust is established once, at compile time, by choosing what to pin; everything after is mechanical forward verification against that anchor.

This package is the TypeScript reference implementation: canonical-bytes, Ed25519 sign/verify, the mandate-chain / release-endorsement / CA-endorsement verifiers, storage + encrypted-blob adapters, and a zero-dependency fetch() client.

Install

npm i @ibisllc/maintainers

ESM only. Runtime deps: @noble/curves, @noble/hashes.

Verify from a fetched repo

verifyFromFetch GETs a project's .maintainers/index.json tree from a base URL and runs the full verifier against your baked pin, at your own clock. It is total — every adversarial input (missing index, oversized doc, path escape, malformed envelope, absent or forked pin) is a fail-closed return value, never a thrown exception.

import { verifyFromFetch } from "@ibisllc/maintainers";

const verdict = await verifyFromFetch("https://example.org", {
  pin: "<the mandate pin hash you compiled into your build>",
  now: new Date(),
});

const release = verdict.tracks["release"];
if (release?.accepted) {
  // release.holder is the pubkey authorized to sign releases right now
} else {
  // release?.rejectReason is the exact landed fail-closed reason
}

Verify a chain you already have

import {
  verifyMandateChainFromPin,
  currentAuthority,
  pinOf,
} from "@ibisllc/maintainers";

const chain = verifyMandateChainFromPin(pin, mandates); // never throws
const auth = currentAuthority(chain, new Date());        // holder or null
// pinOf(mandate) derives the canonical pin you bake into a build

Conformance & spec (bundled)

This tarball ships the protocol's primary portable artifact so a non-TypeScript adopter has everything needed to build an independent, provably-conformant implementation:

  • SPEC.md — the normative protocol specification (wire-version 1).
  • conformance/manifest.json + conformance/vectors/*.json — 17 language-agnostic, deterministically-generated test vectors. An implementation is conformant if and only if it produces the expected verdict for every vector, including every fail-closed negative. Accepting an input a negative vector expects rejected is not conformant — it has silently weakened fail-closed.

Threat model (one line)

Fail-closed by construction: no pin, a pin not in the log, a forked or tampered log, sub-threshold approvals, a lapsed CA lease at your clock — every one rejects. There is no path that accepts on ambiguity.
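The verify-forward walk from the overview and three of the fail-closed cases listed above (pin not in the log, forked or tampered log, sub-threshold approvals), as an added TypeScript sketch that is not the package's code: the `Mandate` fields, the JSON encoding, `toyPin`, `verifyForward` and the reject strings are assumptions for illustration, and only Node's built-in crypto is used.

```typescript
import { createHash, createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// Toy model: field names, JSON encoding and reject strings are assumptions, not the package's wire format.
type Rule = { approvers: string[]; threshold: number };
type Mandate = { prev: string | null; holder: string; next: Rule; approvals: Record<string, string> };
type Verdict = { accepted: true; holder: string } | { accepted: false; rejectReason: string };
const body = (m: Mandate): Buffer =>
  Buffer.from(JSON.stringify([m.prev, m.holder, m.next.approvers, m.next.threshold]));
const toyPin = (m: Mandate): string => createHash("sha256").update(body(m)).digest("hex");

// A successor is authorized only by the succession rule embedded in its predecessor.
function approvalsOk(rule: Rule, m: Mandate): boolean {
  const good = rule.approvers.filter((a) => {
    const sig = m.approvals[a];
    const key = createPublicKey({ key: Buffer.from(a, "base64"), format: "der", type: "spki" });
    return typeof sig === "string" && verify(null, body(m), key, Buffer.from(sig, "base64"));
  });
  return rule.threshold >= 1 && new Set(good).size >= rule.threshold;
}

// Walk the log forward from the pinned mandate; any ambiguity is a reject value, never a throw.
function verifyForward(pin: string, log: Mandate[]): Verdict {
  try {
    let cur = log.find((m) => toyPin(m) === pin);
    if (!cur) return { accepted: false, rejectReason: "pin-not-in-log" };
    for (let i = 0; i < log.length; i++) {
      const h = toyPin(cur);
      const next = log.filter((m) => m.prev === h);
      if (next.length === 0) return { accepted: true, holder: cur.holder };
      if (next.length > 1) return { accepted: false, rejectReason: "forked-log" };
      if (!approvalsOk(cur.next, next[0])) return { accepted: false, rejectReason: "sub-threshold" };
      cur = next[0];
    }
  } catch { /* malformed entries fall through to the reject below */ }
  return { accepted: false, rejectReason: "malformed-log" };
}

// Constructed sample data: three Ed25519 keys generated at run time, 2-of-3 succession.
const keys = [0, 1, 2].map(() => generateKeyPairSync("ed25519"));
const pubs = keys.map((k) => k.publicKey.export({ type: "spki", format: "der" }).toString("base64"));
function issue(prev: Mandate | null, holder: string, next: Rule, signers: number[]): Mandate {
  const m: Mandate = { prev: prev && toyPin(prev), holder, next, approvals: {} };
  for (const i of signers) m.approvals[pubs[i]] = sign(null, body(m), keys[i].privateKey).toString("base64");
  return m;
}
const rule: Rule = { approvers: pubs, threshold: 2 };
const genesis = issue(null, pubs[0], rule, []);          // the mandate a consumer pins
const renewed = issue(genesis, pubs[1], rule, [0, 2]);   // two approvals: authorized
const weak = issue(genesis, pubs[2], rule, [2]);         // one approval: below threshold
console.log(verifyForward(toyPin(genesis), [genesis, renewed]), verifyForward(toyPin(genesis), [genesis, weak]));
```

Because approvals sign the same bytes the pin hashes, editing a mandate after approval invalidates its signatures and also unlinks everything that succeeded it.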

Status

0.1.0 — first public release. The spec is Draft, targeting stabilization at v1.0 once the reference implementation and at least one independent implementation interoperate against the bundled conformance vectors.

License

BUSL-1.1 (Business Source License 1.1), (c) 2026 Ibis LLC. Change Date 2030-05-03, after which the Change License is Apache License, Version 2.0. See LICENSE.