npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@kehto/firewall

v0.3.1

Published

Pure, WASM-ready behavioral firewall engine for the napplet protocol — zero dependencies, zero side effects

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

sandwichessandwiches

Keywords

nostrnappletkehtofirewallrate-limit

Readme

@kehto/firewall

Pure, WASM-ready behavioral firewall engine for the napplet protocol — zero dependencies, zero side effects.

Alpha status: Kehto is an early runtime implementation for a draft NIP-5D protocol. The firewall engine API is not yet final; treat this package as current implementation guidance, not as a stable protocol guarantee.

Install

pnpm add @kehto/firewall

Overview

@kehto/firewall is Kehto's behavioral abuse-detection engine. It is the temporal complement to @kehto/acl: where ACL asks "is this napplet statically allowed to perform this operation?", the firewall asks "is this napplet abusing an operation over time?".

Every function is pure: config + state + observation in, decision + next state out. No I/O, no timers, no globals — the module is trivially compilable to WASM and is the single source of truth for behavioral-firewall decisions.

The core evaluate(config, state, observation) function implements:

  • Token-bucket rate limiting per (napplet dTag, opClass) pair with O(1) lazy refill.
  • Init-burst guard — catches a napplet flooding ops immediately after initialization.
  • Content matchers — declarative rules matching op class, event kind, payload size, or focus state.
  • Focus multiplier — tightens rate budgets for unfocused napplets without hard-blocking.
  • Rule precedence — per-napplet policy override → op-class rule → global fallback → built-in defaults.

Quick Start

import {
  evaluate,
  defaultConfig,
  createState,
} from '@kehto/firewall';

const config = defaultConfig();
let state = createState();

const obs = {
  napplet: 'chat',
  opClass: 'relay:write',
  focused: true,
  now: Date.now(),
};

const result = evaluate(config, state, obs);
// result.decision: 'pass' | 'reject' | 'prompt'
// result.newState: updated counter state (original unchanged)

state = result.newState;

Public API

Types

  • Observation — normalized engine input (never a raw protocol envelope)
  • FirewallConfig — immutable configuration container (rules + defaults)
  • FirewallState — immutable counter state (token buckets + burst counters)
  • EvaluateResult{ decision, action, ruleId, reason, newState }
  • Decision'pass' | 'reject' | 'prompt'
  • Action'flag' | 'block' | 'ignore'
  • NappletPolicy'allow' | 'deny' | 'ask'
  • RateLimit, BurstGuard, ContentMatcher, NappletRules
  • Bucket, BurstCounter

Constants

  • DEFAULT_RATE_LIMIT, DEFAULT_BURST_GUARD
  • DEFAULT_EXCEED_ACTION, DEFAULT_BURST_ACTION
  • DEFAULT_UNFOCUSED_MULTIPLIER

Core function

  • evaluate — pure decision function (config + state + observation → result)
  • toKey — derive the napplet:opClass bucket key

Config mutations

  • defaultConfig — built-in conservative config
  • createState — empty counter state
  • setPolicy, setRateLimit, addMatcher — immutable config mutations
  • serialize, deserialize — JSON round-trip for persistence

License

MIT