@mcptoolshop/repomesh
v1.0.0
Trust infrastructure for repo networks — verify releases, check anchors, and onboard repos from anywhere.
Trust infrastructure for repo networks. Verify releases, check XRPL anchors, and onboard repos — all from the command line.
Quick Start
```bash
# Verify a release (works from anywhere — no clone needed)
npx @mcptoolshop/repomesh verify-release \
  --repo mcp-tool-shop-org/shipcheck --version 1.0.4 --anchored

# Verify an XRPL anchor transaction
npx @mcptoolshop/repomesh verify-anchor --tx <txHash>

# Onboard a repo to the network
npx @mcptoolshop/repomesh init --repo your-org/your-repo --profile open-source

# Diagnose your repo's integration
npx @mcptoolshop/repomesh doctor --dir .
```
Commands
verify-release
Verify a release's full trust chain: signature, attestations, and optional XRPL anchor proof.
```bash
repomesh verify-release --repo org/repo --version 1.0.0 [--anchored] [--json]
```
In standalone mode (installed via npm), the command fetches ledger data from GitHub. In dev mode (inside a RepoMesh checkout), it reads the local files instead.
| Flag | Description |
|------|-------------|
| --repo | Target repo (required) |
| --version | Release version (required) |
| --anchored | Also verify XRPL anchor inclusion |
| --json | Structured JSON output (for CI gates) |
| --ledger-url | Override ledger events URL |
| --nodes-url | Override nodes base URL |
| --manifests-url | Override manifests base URL |
verify-anchor
Verify an XRPL anchor transaction by recomputing the Merkle root from ledger data.
```bash
repomesh verify-anchor --tx <hash> [--network testnet] [--json]
```
init
Generate all onboarding files for a repo joining the RepoMesh network.
```bash
repomesh init --repo your-org/your-repo [--profile open-source] [--dir .]
```
Creates: node.json, repomesh.profile.json, repomesh.overrides.json, .github/workflows/repomesh-broadcast.yml, and an Ed25519 signing keypair. The private half of that keypair must stay out of version control; doctor checks that .gitignore covers it.
doctor
Validate your local repo's RepoMesh configuration against schemas.
```bash
repomesh doctor [--dir .] [--repo org/repo] [--json]
```
Checks: node.json against its schema, the profile and overrides files against theirs, the broadcast workflow, and that .gitignore excludes the signing keys.
Standalone vs Dev Mode
| Mode | Detection | Data source |
|------|-----------|-------------|
| Standalone | Default (npm install) | Fetches from GitHub raw URLs |
| Dev | Inside a RepoMesh checkout | Reads local ledger/, registry/, etc. |
Dev mode is auto-detected when ledger/events/events.jsonl, registry/, and schemas/ exist in the working directory.
What Verification Proves
When verify-release --anchored passes, you know:
- The release event exists in the ledger and its Ed25519 signature is valid
- All attestations (SBOM, provenance, license, security) are signed and present
- The release is included in a Merkle partition whose root is posted to the XRPL testnet
- The partition's manifest hash matches the on-chain memo
What it does not prove: that the code does what it claims, that the SBOM is complete, or that the security scan found all vulnerabilities. Trust is multi-dimensional — scores reflect evidence, not guarantees.
Security
No telemetry. No analytics. No phone-home. Network access is limited to GitHub raw URLs (for ledger data) and XRPL WebSocket (for anchor verification). See SECURITY.md.
License
MIT
Built by MCP Tool Shop
