npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@longarc/verify

v0.1.1

Published

Verify mdash attestation credentials. Zero deps. One function.

Downloads

24

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

longarcstudioslongarcstudios

Keywords

mdashattestationverificationed25519cryptographytrustai-agents

Readme

@longarc/verify

Verify mdash attestation credentials. Zero deps. One function.

Install

npm install @longarc/verify

Quick Start

import { verify } from '@longarc/verify';

const result = verify(credential);
if (result.valid) {
  console.log(`Verified: tier=${result.tier}, scope=${result.scope}`);
} else {
  console.log(`Rejected: ${result.reason}`);
}

API

verify(credential, options?): VerificationResult

Full trust assessment. Checks structure, timestamps, and Ed25519 signature.

const result = verify(credential);
// { valid: true, tier: 'L2', scope: ['read', 'write'], issuer: 'a1b2c3d4e5f6...' }

const result = verify(expiredCredential);
// { valid: false, tier: 'L2', scope: ['read'], issuer: '...', reason: 'expired' }

isAttested(credential, options?): boolean

Boolean gate. Returns true if the credential is valid and not expired.

if (isAttested(credential)) {
  // Proceed with trusted operation
}

extractTier(credential): 'L1' | 'L2' | 'L3' | null

Fast tier extraction without full verification. Returns null for structurally invalid credentials.

const tier = extractTier(credential);
// 'L1' | 'L2' | 'L3' | null

extractScope(credential): string[] | null

Extract scope array without full verification.

const scope = extractScope(credential);
// ['read', 'write'] | null

createVerifier(options): Verifier

Factory for pre-configured verifier with pinned keys.

import { createVerifier } from '@longarc/verify';

const verifier = createVerifier({
  pinnedKeys: ['a1b2c3...'], // Only accept credentials from these issuers
  strictIssuedAt: true,       // Reject future-dated credentials
});

const result = verifier.verify(credential);

Integration Examples

MCP Middleware

import { isAttested } from '@longarc/verify';

function mdashGate(credential) {
  if (!isAttested(credential)) throw new Error('Unattested agent');
}

LangChain Callback

import { verify } from '@longarc/verify';

const handler = { handleToolStart(tool, input, meta) {
  const result = verify(meta.credential);
  if (!result.valid) throw new Error(`Rejected: ${result.reason}`);
}};

Express Middleware

import { verify } from '@longarc/verify';

app.use('/api/agent', (req, res, next) => {
  const result = verify(req.headers['x-mdash-credential']);
  if (!result.valid) return res.status(403).json({ error: result.reason });
  req.attestation = result;
  next();
});

Credential Format

interface Credential {
  payload: {
    agentId: string;
    tier: 'L1' | 'L2' | 'L3';
    scope: string[];
    services?: string[];
    memoryHash?: string;
  };
  signature: string;   // Ed25519 signature (hex)
  publicKey: string;    // Ed25519 public key (hex)
  issuedAt: string;     // ISO-8601
  expiresAt: string;    // ISO-8601
}

Security Model

  • Offline: No network calls, no external dependencies
  • Deterministic: Payload serialized with sorted keys before verification
  • Ed25519: Industry-standard signature scheme via Node.js crypto
  • Distillation-resistant: Signature covers all payload fields — tier, scope, services, memory state. Altering any field invalidates the signature.

This package verifies credentials. It does not issue them (that's the Depot) or enforce runtime constraints (that's the Warden).

License

Apache-2.0 — Long Arc Studios