npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@musunoa/ghost

v0.1.24

Published

Git hook for origin source tracking — AI code attribution for git repos

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

musunoamusunoa

Keywords

gitaiattributioncode-reviewagentopencode

Readme

Ghost

AI code attribution and repo-owner policy enforcement for Git.

Ghost records which AI agent changed which lines, stores that attribution in Git notes, and lets maintainers enforce AI-code policy in local checks and CI. It is built for open-source repositories where the owner needs clear provenance rules rather than voluntary self-reporting.

What Ghost Does

  • Captures AI edits from supported agent hooks.
  • Stores pending attribution in .git/ghost/ghost.db.
  • Writes durable notes on commit:
    • refs/notes/ghost
    • refs/notes/ghost-verified
    • refs/notes/ghost-signatures for digest or trusted SSH signatures
  • Shows current setup and pending sessions with ghost status.
  • Predicts staged attribution before commit with ghost check.
  • Audits committed history with ghost audit.
  • Supports owner-controlled policy through ghost.yml, CODEOWNERS, and GitHub Actions.

Ghost does not guess whether code is AI-generated. No note means human unless repo policy treats missing verification as a warning or block.

Install

Linux:

curl -sSL https://raw.githubusercontent.com/farhankhan197/ghost/main/install.sh | bash

Windows PowerShell:

irm https://raw.githubusercontent.com/farhankhan197/ghost/main/install.ps1 | iex

npm:

npm install -g @musunoa/ghost

Quick Start

Setup auto-detects whether you are the repo owner or a contributor:

ghost init

Maintainers can still be explicit:

ghost init --owner --mode restrictive --github-owner @your-org-or-user
git add ghost.yml GHOST.md .github/CODEOWNERS .github/workflows/ghost-audit.yml
git commit -m "Add Ghost policy"

Contributor setup:

ghost init --contributor

Daily flow:

ghost status
git add <files>
ghost check
git commit -m "Your change"
ghost audit HEAD

Command Model

| Command | Scope | Purpose | |---|---|---| | ghost init | repo + machine setup | Install Ghost binaries, auto-detect owner/contributor role, install repo Git hooks and global agent capture hooks | | ghost init --owner | repo setup | Create owner policy, hooks, workflow, CODEOWNERS, and contributor guide | | ghost init --contributor | local setup | Preserve checked-in policy while installing local repo hooks and global agent capture hooks | | ghost status | current repo | Show setup, staged work, pending sessions, and HEAD attribution | | ghost check | staged diff | Preview AI attribution before commit | | ghost audit | committed codebase | Show HEAD codebase attribution and final policy using Git notes | | ghost verify-pr | final PR diff | Enforce base-branch policy on code that survives into the PR | | ghost policy | ghost.yml | Inspect and manage owner-controlled rules | | ghost blame <file> | file lines | Show line-by-line attribution |

Policy

ghost.yml is the repo-owner contract.

version: 1
mode: restrictive
required: true
threshold: 20
on_exceed: block
enforcement:
  scope: final_diff
  history: warn
unverified: block
owner: [email protected]
owners:
  - [email protected]
ignore:
  - ".git/"
  - "vendor/**"
gitai_fb: true
trusted_signers:
  - name: Maintainer
    email: [email protected]
    ssh_key: ssh-ed25519 AAAA...

In CI, use ghost verify-pr --base origin/main so PRs are enforced against the final diff and base-branch policy, not policy changes made inside the PR. Historical commits remain available as warnings or strict blocks through enforcement.history. Repositories with trusted_signers can require ghost policy verify --trusted and ghost notes verify --trusted for cryptographic provenance checks.

Attribution Lifecycle

AI agent hook
-> ghost-checkpoint pre/post
-> SQLite pending session
-> git commit
-> post-commit hook
-> refs/notes/ghost + refs/notes/ghost-verified
-> ghost audit / blame / verify-pr

Pending sessions live in the repo-local SQLite DB. Durable attribution lives in Git notes and should be pushed with commits.

Documentation

Build From Source

cmake -S . -B build
cmake --build build --target ghost ghost-checkpoint
ctest --test-dir build --output-on-failure

Requires C++20, CMake 3.20+, Git, and sqlite3 through vcpkg.

Non-Goals

  • Detecting AI code by heuristics.
  • Rewriting old commits to invent attribution.
  • Requiring cloud infrastructure.
  • Replacing Git review or maintainer judgment.

License

MIT.