npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@nugehs/bouncer

v0.2.0

Published

bouncer — static compliance-controls checker. Verifies the controls a regulation requires actually exist in your code (UK Online Safety Act, ICO Children's Code), as deterministic rule packs. No LLM required.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

davidoludavidolu

Keywords

climcpmcp-servercomplianceonline-safety-actage-appropriate-design-codechildrens-codeaadcage-assurancestatic-analysispolicy-as-codecideveloper-tools

Readme

bouncer

Static compliance-controls checker — the controls a regulation requires, verified in your code.

npm CI license: MIT node dependencies

nugehs.github.io/bouncer-web (site)

bouncer demo

bouncer verifies that the controls a regulation requires actually exist in your code — UK Online Safety Act, ICO Children's Code (AADC), and Nigeria (NDPC, FCCPC, FIRS) — expressed as deterministic rule packs. It runs in CI, exits non-zero when a required control is missing, and needs no LLM.

It checks IDs at the door so non-compliant code doesn't get in.

bouncer is an engineering aid, not legal advice. A green report means the coded controls a rule looks for were found — it is not a substitute for a compliance / DPO review.

Why

Regulators now expect demonstrable controls: age assurance, high-privacy defaults for children, report/block affordances on user-generated content, a DPIA, a risk assessment. Those are concrete things that either exist in a codebase or don't. bouncer turns a regulation into a set of static checks over your repo, the same way tieline turns an API contract into drift checks — the engine knows nothing about the law; the rule packs do.

bouncer vs semgrep / policy-as-code

Scanners like semgrep, CodeQL, or Snyk answer "is there bad code here?" — they hunt for vulnerabilities and dangerous patterns that shouldn't exist. bouncer answers the opposite question: "does the code the regulation requires actually exist?" — age assurance on sign-up, report/block on UGC surfaces, high-privacy defaults for children. A repo can be vulnerability-free and still fail every one of those obligations. Policy-as-code tools (OPA/Rego, Conftest) gate configs and infrastructure against policy; bouncer gates application source against regulatory rule packs, with file:line evidence for every control and an honest unknown when a surface can't be located. In short: semgrep finds vulnerabilities; bouncer proves required controls exist. They complement each other — run both.

Install

npx @nugehs/bouncer init
npx @nugehs/bouncer check

Or clone and run with plain Node (zero runtime dependencies, Node ≥ 18).

Usage

bouncer init [path]                 # write a starter bouncer.config.json
bouncer check                       # run packs, print report, exit 1 on a missing control
bouncer check --pack uk-aadc        # restrict to one pack
bouncer check --status fail         # show only the failures
bouncer report --out report.html    # self-contained HTML audit report
bouncer list                        # every rule the configured packs apply
bouncer explain <ruleId>            # what a rule requires + how it is checked
bouncer packs                       # rule packs shipped with bouncer
bouncer doctor                      # sanity-check config, adapter, packs
bouncer mcp                         # start the MCP server (stdio)

Verdicts

| Verdict | Meaning | | ----------- | ---------------------------------------------------------------------------- | | pass | the required control was found (evidence: file:line) | | fail | the surface exists, but no evidence of the control was found | | unknown | the surface could not be located in this repo — can't determine, not a pass |

unknown is deliberate: bouncer never reports a green pass for a surface it could not find. Missing surface → honest "can't determine".

Configuration

bouncer.config.json:

{
  "target": {
    "adapter": "next",
    "repo": "./my-app",
    "roots": ["app", "src", "components"]
  },
  "packs": ["uk-osa", "uk-aadc"],
  "packDirs": [],
  "ignore": [],
  "failOn": ["fail"]
}
  • adapter — how regulation surfaces (sign-up, profile, chat, livestream…) map onto files for your stack.

Adapters shipped today: next (App Router) and react-native. That's it — if your stack isn't covered, an adapter is a single small file mapping surface aliases to file globs (see src/lib/adapters/next.js). Adapter PRs are very welcomenuxt, sveltekit, remix, flutter, django are all natural candidates.

  • packs — which rule packs to run. Built-ins: uk-osa, uk-aadc, ng-ndpc, ng-fccpc, ng-firs.
  • packDirs — extra directories of your own *.json packs.
  • ignore — rule ids to skip.
  • failOn — which buckets make check exit non-zero (default ["fail"]).

Rule packs

A pack is JSON. Each rule maps a legal standard to a static assertion over a surface:

{
  "id": "aadc.geolocation-default-off",
  "standard": "Standard 10 — Geolocation",
  "severity": "high",
  "surface": "profile",
  "intent": "Geolocation must default to off for children.",
  "fix": "Default any location-sharing setting to off.",
  "assert": {
    "find": "(geo|location)[^\\n;,]{0,30}(default|initial)[^\\n;,]{0,15}(false|off)",
    "in": ["profile", "any"],
    "expect": "present"
  }
}

Assertion nodes:

  • { "find": "<regex>", "in": "<surface|glob>", "expect": "present|absent" }
  • { "allOf": [ … ] } · { "anyOf": [ … ] } · { "not": … }

in accepts a surface alias (resolved by the adapter), an array of aliases/globs, or a raw glob. expect: "absent" flips the meaning — a match is a violation (used for nudge patterns, self-declared age checkboxes, etc.).

Surfaces (next adapter)

any, signup, auth, profile, chat, livestream, ugc, governance.

Nigeria packs

For a platform operating in Nigeria, three packs ship built-in:

  • ng-ndpc — Nigeria Data Protection Act 2023 (NDPC): privacy notice, opt-in & granular consent, data-subject rights, encryption, retention/erasure, NDPA localization, DPO designation, 72-hour breach plan, cross-border safeguards.
  • ng-fccpc — consumer protection (FCCPC): blanket "no refund / all sales final" clauses flagged as void — and high-precision, so a tiered or conditional refund policy doesn't trip it — plus refund-policy present, no drip pricing, explicit terms acceptance, terms of service present.
  • ng-firs — tax (FIRS): 7.5% VAT rate, VAT on commission, WHT on payouts, VAT tax invoice.

Some obligations are process, not code — NDPC registration, signed cross-border DPAs, the WHT remittance itself. Those rules surface as gaps to track (add them to ignore with a note), not things a static scan can prove.

MCP

bouncer is also an MCP server (stdio), so an agent can pull the same deterministic results:

| Tool | Purpose | | ------------------ | ------------------------------------------------------------ | | compliance_check | run packs, return per-control verdicts + evidence | | list_rules | list rules the configured packs apply | | explain_rule | a rule's standard, intent, fix, and how it is checked | | list_packs | available rule packs |

// .mcp.json
{ "mcpServers": { "bouncer": { "command": "npx", "args": ["-y", "@nugehs/bouncer", "mcp"] } } }

CI

- run: npx @nugehs/bouncer check

Fails the build when a required control goes missing — e.g. someone removes an age-gate or a report button from a UGC surface.

Tests

npm test    # node --test — zero dependencies, nothing to install

The suite runs on Node's built-in test runner against throwaway fixture repos: glob/brace expansion, every assertion probe (find, allOf/anyOf/not, allInFile + within windows, expect: "absent"), the pass/fail/unknown verdict semantics, and pack loading. CI runs it on Node 18, 20, and 22.

License

MIT

Part of the toolchain

bouncer is one of four tools that form a deterministic trust layer for AI-assisted development. Each answers a question people keep handing to an LLM — with static analysis instead.

  • repoctx — context: what does this change actually touch?
  • tieline — contracts: did the front end and back end quietly stop agreeing?
  • bouncer (this tool) — compliance: could you defend this to Ofcom?
  • aiglare — governance: where can the model do something you can't undo?

More at segunolumbe.com. static analysis, never the model.