npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@observer-protocol/wdk-op-policy

v0.1.0

Published

Observer Protocol delegation-credential enforcement for the Tether WDK transaction policy engine (PR #55). Ships an ALLOW+DENY policy pair as one unit — the DENY companion is mandatory and fails closed — so a WDK account verifies a signed agent mandate at

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

boydcohenboydcohen

Keywords

wdktetherobserver-protocolagent-walletpolicy-enginetransaction-policyverifiable-credentialsdiddelegationeddsa-jcs-2022

Readme

@observer-protocol/wdk-op-policy

Enforce a signed Observer Protocol delegation credential on a Tether WDK account — at the signer boundary, fail-closed — via the WDK transaction policy engine (tetherto/wdk #55).

The third Observer Protocol enforcement engine. Same credential, same mandate vocabulary, same vendored core as the OWS verifier and the mppx account — here as a pair of WDK policy rules. The API always registers an ALLOW + DENY pair together: the DENY companion is the mandatory fail-closed backbone (DENY-wins + fail-closed-on-throw), so it holds regardless of what else the consumer registered.

Install

npm install @observer-protocol/wdk-op-policy @tetherto/wdk

Requires @tetherto/wdk >= 1.0.0-beta.11 — the first published release carrying the transaction policy engine (PR #55). Verified against 1.0.0-beta.11 (see docs/CONFORMANCE.md).

Use

import { registerObserverPolicy } from '@observer-protocol/wdk-op-policy';

registerObserverPolicy(wdk, {
  policy: {
    credentialPath: '~/.op/agent-delegation.json',     // the signed ObserverDelegationCredential
    issuerDid: 'did:web:observerprotocol.org',
    schemaAllowlist: ['https://observerprotocol.org/schemas/delegation/v2.1.json'],
    agentDid: 'did:web:observerprotocol.org:agents:my-agent',
    revocation: { maxStalenessHours: 24, onUnreachable: 'cache-then-deny', fetchTimeoutMs: 1500 },
    auditLog: '~/.op/decisions.jsonl',
    // evmTokens / rails as needed; defaults cover mainnet USDC/USDT
  },
  wallets: { ethereum: 'eip155:1' },                   // wallet label -> CAIP-2 (MUST resolve to a rail)
}, { wallet: 'ethereum' });

// Every write op on the governed account now verifies the mandate before signing.
// Out-of-mandate / unverifiable -> PolicyViolationError; the key never signs.

registerObserverPolicy emits two rules — an ALLOW (in-mandate) and a DENY (violation/uncertainty). Do not hand-author a lone ALLOW, and never pair OP with a broad permissive wildcard ALLOW on the same operations without the DENY — that reopens a fail-open hole (proven; see SUPPORT-MATRIX).

What it enforces

Gates sendTransaction, signTransaction, transfer, approve, signTypedData against per-rail ceiling, counterparty, temporal window, and cross-tx velocity. Exact decode per operation, the fail-closed construction, rail resolution, and limitations are in docs/SUPPORT-MATRIX.md; scope/non-goals in docs/SCOPE.md.

Security model

  • Fail-closed: uncertainty (DID/status outage, thrown verification, timeout) blocks — the DENY condition never resolves uncertainty to a silent allow.
  • Default-deny aware: OP relies on the engine's default-deny on governed accounts, and the DENY backbone holds even alongside a permissive baseline.
  • Enforcement locus: the signer boundary, from the actual operation params — portable across OWS, mppx, and WDK. The binding layer is contested; the enforcement locus is not.
  • Validated against the real merged engine (tetherto/wdk@a00b391), 20 conformance cases.

Develop

npm test                  # typecheck + build + fixtures + 20 conformance cases (real engine)
npm run check:core-sync   # vendored core must match ows-op-verify byte-for-byte

MIT.