@manukyalo/scopelock

v3.0.2

Anti-hallucination scope locking for AI coding agents.

npm install -g @manukyalo/scopelock

scopelock solves a specific, well-documented problem: AI coding agents frequently exhibit scope creep — modifying files outside the intended change — and lack persistent project memory across sessions.

scopelock acts as a physical guardrail (via a pre-commit hook) and an architectural memory bank (via the context block) to keep agents strictly confined to their authorized scope.

Features

  • File & Function Locks: Run scopelock lock src/auth.ts or scopelock lock src/auth.ts:validateToken to make code read-only for agents.
  • Production Path Locks (Seal): Use scopelock seal for critical paths like billing. Agents cannot override this; it requires explicit human sign-off via scopelock unseal --human-approved=<ticket>.
  • Blast Radius Map: Prevent scope creep before it happens. Run scopelock impact <file> to see every file that imports a target file before you touch it.
  • Dependency Lockdown: Zero-trust dependency management. Automatically locks package.json on init to prevent silent dependency drift.
  • Secret Sentinel: A hard-blocking pre-commit scanner that physically prevents agents from committing AWS keys, Stripe tokens, or .env leaks.
  • Test Coverage Gate: Run scopelock guard --tests to block any source code changes that aren't accompanied by tests.
  • Rollback Snapshots: Run scopelock save before an agent starts working, and scopelock restore to obliterate any rogue changes instantly.

Commands

🛡️ Guardrails & Locks

| Command | Description |
| :--- | :--- |
| scopelock lock <file>[:<func>] [reason] | Lock a file or a specific AST function |
| scopelock unlock <file>[:<func>] <reason> | Unlock (reason is mandatory) |
| scopelock seal <file> <reason> | Permanent production-path lock (cannot be unlocked normally) |
| scopelock unseal <file> --human-approved=<ticket> <reason> | Release a seal with a Jira/PR ticket |
| scopelock guard [--tests] | Wire as pre-commit to check diffs for violations & leaked secrets |
| scopelock trust <file> <reason> | Explicitly bypass Secret Sentinel for a mock/test file |

🛠️ Agent Tools (Godmode)

| Command | Description |
| :--- | :--- |
| scopelock impact <file> | Show the Blast Radius (all files importing this file) before modifying it |
| scopelock save | Auto-snapshot repo state into a hidden git stash before an agent session |
| scopelock restore | Instant escape hatch: obliterate agent changes and restore the snapshot |
| scopelock context [task] | Generate a token-efficient AI context block mapping the locked boundaries |

⚙️ Core

| Command | Description |
| :--- | :--- |
| scopelock init | Scan repo and generate .scopelock.json manifest |
| scopelock status | Show a summary of all locked/sealed files |

scopelock lock & unlock

Lock a whole file or a specific named function. Unlock requires a reason that gets logged to history.

scopelock lock src/lib/supabase.ts "production client — stable"
scopelock lock src/auth/token.ts:validateToken "tested — do not touch"
scopelock unlock src/auth/token.ts:validateToken "fixing JWT expiry edge case"

scopelock seal & unseal

For files that should never be touched without human oversight (e.g., /billing, /migrations). Seals cannot be removed by unlock.

scopelock seal src/billing/stripe.ts "core billing logic"
scopelock unseal src/billing/stripe.ts --human-approved=PR-123 "updating webhook"

scopelock impact

Before making a change, see the blast radius. Outputs a list of all files in the repository that import the target file.

scopelock impact src/utils/auth.ts
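
The reverse-import lookup described above, as an added example that is not scopelock's own code. It lists direct importers and, going beyond what the page describes, the transitive set reached through re-exports; the `REPO` map, function names and regex-based matching are assumptions of this sketch.

```javascript
// Added illustration, not scopelock's code. Regex-based, so it over-approximates
// (a specifier inside a comment or string also counts). REPO is a constructed sample.
const SPEC_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;
// Drop the JS/TS extension and a trailing /index so "./auth", "./auth.js", "./auth.ts" agree.
const norm = (p) => p.replace(/\.[cm]?[jt]sx?$/, "").replace(/\/index$/, "");

// Resolve a relative specifier against the importing file's directory (POSIX paths).
function resolveSpec(fromFile, spec) {
  const parts = fromFile.split("/").slice(0, -1);
  for (const seg of spec.split("/")) {
    if (seg === "..") parts.pop();
    else if (seg !== "." && seg !== "") parts.push(seg);
  }
  return parts.join("/");
}

// Files that import `target` directly. Bare specifiers (packages) are ignored.
function importersOf(repo, target) {
  const hits = [];
  for (const [file, source] of Object.entries(repo)) {
    if (file === target) continue;
    const specs = [...source.matchAll(SPEC_RE)].map((m) => m[1]).filter((s) => s.startsWith("."));
    if (specs.some((s) => norm(resolveSpec(file, s)) === norm(target))) hits.push(file);
  }
  return hits.sort();
}

// Generalization: follow barrel files and intermediate modules to the transitive set.
function transitiveImporters(repo, target) {
  const seen = new Set();
  const queue = [target];
  while (queue.length) {
    for (const f of importersOf(repo, queue.shift())) {
      if (f !== target && !seen.has(f)) { seen.add(f); queue.push(f); }
    }
  }
  return [...seen].sort();
}

const REPO = { // constructed sample repository
  "src/utils/auth.ts": "export function validateToken(t) { return !!t; }",
  "src/utils/index.ts": "export * from './auth';",
  "src/routes/login.ts": "import { validateToken } from '../utils/auth';",
  "src/routes/admin.ts": "const a = require('../utils/auth.ts');",
  "src/routes/profile.ts": "import { validateToken } from '../utils';",
  "src/billing/stripe.ts": "import Stripe from 'stripe';\nimport { log } from '../utils/log';",
  "test/auth.test.ts": "const m = await import('../src/utils/auth.js');",
};
console.log(importersOf(REPO, "src/utils/auth.ts"), transitiveImporters(REPO, "src/utils/auth.ts"));
```

In the sample, `src/routes/profile.ts` reaches `auth.ts` only through the `src/utils/index.ts` barrel, so it appears in the transitive set but not in the direct list.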

scopelock guard

Two-tier scope violation check against git diff HEAD. Exits non-zero on violations or secret leaks. Wire this up as a pre-commit hook. Add --tests to strictly enforce test coverage for any changed logic.

scopelock guard
scopelock guard --tests
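
A sketch of the kind of check a diff-based guard performs, as an added example that is not scopelock's implementation: it walks a unified diff, flags edits to locked paths, and scans added lines for secret-like strings, with a trust list that skips only the secret scan. It covers file-level locks only; the patterns, the option names `locked` and `trusted`, and the sample diff are assumptions.

```javascript
// Added illustration, not scopelock's code. Patterns, lock list and trust list are
// assumptions; sample values are constructed placeholders, not real credentials.
const SECRET_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "stripe-live-secret", re: /\bsk_live_[0-9a-zA-Z]{16,}\b/ },
];
const scanLine = (text) => SECRET_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
const stripPrefix = (p) => (p === "/dev/null" ? null : p.replace(/^[ab]\//, ""));
const count = (v) => (v === undefined ? 1 : Number(v)); // "@@ -1 +1 @@" omits a count of 1

function checkDiff(diffText, { locked = [], trusted = [] } = {}) {
  const findings = [];
  let oldPath = null, file = null, oldLeft = 0, newLeft = 0, lineNo = 0;
  for (const line of diffText.split("\n")) {
    if (oldLeft > 0 || newLeft > 0) {
      // Inside a hunk: count lines so content starting "+++" or "---" is not read as a header.
      if (line.startsWith("\\")) continue; // "\ No newline at end of file"
      if (line.startsWith("+")) {
        if (!trusted.includes(file)) { // trust skips the secret scan only, never the lock check
          for (const rule of scanLine(line)) findings.push({ type: "secret", rule, file, line: lineNo });
        }
        newLeft--; lineNo++;
      } else if (line.startsWith("-")) {
        oldLeft--;
      } else {
        oldLeft--; newLeft--; lineNo++;
      }
      continue;
    }
    if (line.startsWith("--- ")) { oldPath = stripPrefix(line.slice(4)); continue; }
    if (line.startsWith("+++ ")) {
      file = stripPrefix(line.slice(4)) || oldPath; // deleted file: fall back to the old path
      if (locked.includes(file)) findings.push({ type: "locked", file });
      continue;
    }
    const h = /^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
    if (h) { oldLeft = count(h[1]); newLeft = count(h[3]); lineNo = Number(h[2]); }
  }
  return findings;
}

const FAKE_STRIPE = "sk_live_" + "0".repeat(24); // constructed placeholder
const SAMPLE_DIFF = [ // constructed diff
  "--- a/src/billing/stripe.ts", "+++ b/src/billing/stripe.ts", "@@ -10,2 +10,3 @@",
  " const client = makeClient();", `+const key = "${FAKE_STRIPE}";`, " export default client;",
  "--- a/test/run.js", "+++ b/test/run.js", "@@ -1 +1,2 @@",
  " // mock fixture", '+const id = "AKIAIOSFODNN7EXAMPLE"; // example id from AWS docs',
].join("\n");
console.log(checkDiff(SAMPLE_DIFF, { locked: ["src/billing/stripe.ts"], trusted: ["test/run.js"] }));
```

A pre-commit hook built on this would exit non-zero whenever the returned list is non-empty.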

scopelock save & restore

Never fear an agent hallucination destroying your workspace again. save stores a snapshot in git stash that survives hard resets. restore obliterates the working directory and cleanly reverts to the snapshot.

scopelock save
scopelock restore

scopelock trust

Bypass the Secret Sentinel hard-block for a specific file (e.g., when intentionally committing a mock test key).

scopelock trust test/run.js "this is a mock stripe key for testing"

scopelock context

Output a token-efficient AI context block with all locks clearly flagged for the agent's system prompt.

scopelock context "Update the login page"

Agent Skills (Godmode)

scopelock ships with 7 native AI Agent Skills located in the skills/ folder. If you use an agent framework (like Antigravity or Cline) that supports Markdown skills, point it to these folders to automatically teach the agent how to use scopelock safely.

The skills map directly to features:

  • scope-enforcement
  • dependency-lockdown
  • secret-sentinel
  • test-coverage-gate
  • rollback-snapshot
  • blast-radius
  • production-path-lock

Data Model

All state is stored in .scopelock.json at the root of your repo. The manifest is project state, not a personal config. Commit it so your whole team — and all their AI agents — share the same scope boundaries.