npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@okeyamy/drs-sdk

v0.1.1

Published

Delegation Receipt Standard SDK — issuance path

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

okeyamyokeyamy

Keywords

oauthjwtdelegationagentaccountabilitymcpa2a

Readme

@okeyamy/drs-sdk

npm license

TypeScript SDK for the Delegation Receipt Standard (DRS) — the issuance path.

DRS is a JWT-based delegation receipt system for agentic accountability: every step an agent takes is backed by a signed, attenuated, hash-chained receipt that a verifier can check independently. This package is how an issuer mints those receipts and assembles the bundle that travels with a request. Verification itself is performed by the drs-verify service; this SDK only issues receipts and offers a thin client for calling a verifier.

  • RFC 8785 (JCS) canonicalization
  • Ed25519 signatures
  • did:key identity
  • SHA-256 chain linkage (prev_dr_hash / dr_chain)

Scope: issuance only. The SDK does not make trust decisions — that is the verifier's job.

Install

pnpm add @okeyamy/drs-sdk
# or: npm install @okeyamy/drs-sdk

Quick start

Issue a root delegation, build an invocation bundle for a tool call, and verify it against a running drs-verify:

import {
  issueRootDelegation,
  createInvocationBundle,
  derivePublicKey,
  VerifyClient,
} from "@okeyamy/drs-sdk";

// 32-byte Ed25519 private keys (use `drs keygen` or your KMS in production).
const ownerKey = /* Uint8Array(32) */;
const agentKey = /* Uint8Array(32) */;

const ownerDid = "did:key:z6Mk...owner";
const agentDid = "did:key:z6Mk...agent";
const toolServer = "did:key:z6Mk...tool";

// 1. Owner delegates a constrained capability to the agent.
const rootReceipt = await issueRootDelegation({
  signingKey: ownerKey,
  issuerDid: ownerDid,
  subjectDid: ownerDid,
  audienceDid: agentDid,
  cmd: "/mcp/tools/call",
  policy: { allowed_tools: ["expenses.read"], max_cost_usd: 5 },
  nbf: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + 3600,
});

// 2. Agent issues an invocation and assembles the chain bundle.
const bundle = await createInvocationBundle({
  rootReceipt,
  signingKey: agentKey,
  issuerDid: agentDid,
  subjectDid: ownerDid,
  toolServer,
  tool: "expenses.read",
  args: { month: "2026-06" },
});

// 3. Verify against drs-verify (the verifier decides allow/deny).
const client = new VerifyClient({ baseUrl: "http://localhost:8080" });
const result = await client.verify(bundle, { body: { month: "2026-06" } });

if (!result.valid) {
  throw new Error(`denied: ${result.error?.code}`);
}

The verifier returns valid: true | false in the body. Never treat an HTTP 200 as success on its own — read result.valid.

API

Issuance

  • issueRootDelegation(params) — mint a root delegation receipt (JWT).
  • issueSubDelegation(params) — attenuate and re-delegate down the chain.
  • issueInvocation(params) — mint a leaf invocation receipt.
  • createInvocationBundle(params) — convenience: root + invocation → ready-to-send bundle.
  • derivePublicKey(signingKey) — Ed25519 public key from a 32-byte private key.
  • computeChainHash(...), buildJwt(...) — low-level chain/JWT primitives.

Bundle & canonicalization

  • buildBundle, serialiseBundle, parseBundle — assemble and (de)serialise a ChainBundle.
  • jcsSerialise(value) — RFC 8785 JCS canonical JSON. Use this, never JSON.stringify.

Policy

  • checkPolicyAttenuation(parent, child) — confirm a child policy only narrows the parent.
  • translatePolicy(...) — map a policy across representations.

Verification client

  • new VerifyClient({ baseUrl, timeoutMs? })
  • client.verify(bundle, { includeTimestamps?, body? })VerificationResult

WASM (optional)

  • initWasm(), getWasmModule(), isWasmReady() — load the drs-core Rust crypto core for canonicalization/signing parity with the verifier. Falls back to @noble/ed25519 when not initialised.

Operator config

  • validateOperatorConfig, parseOperatorConfig — machine-to-machine standing-delegation trust model.

All exported types (Policy, ChainBundle, VerificationResult, DrsError, …) are available from the package root.

CLI

The package ships a drs binary:

drs keygen                 # generate an Ed25519 keypair + did:key
drs verify <bundle.json>   # verify a bundle against a drs-verify endpoint
drs policy <...>           # inspect / attenuate policies
drs translate <...>        # translate policy representations
drs audit <...>            # audit a receipt chain

How it fits together

| Layer | Package | Role | |---|---|---| | Issuance | @okeyamy/drs-sdk (this) | mint receipts, assemble bundles, call the verifier | | Crypto core | drs-core (Rust/WASM) | JCS, SHA-256 chain hash, Ed25519 | | Verification | drs-verify (Go) | the /verify service + MCP/A2A middleware |

The Rust core compiles to both native and WASM, so issuance (SDK) and verification (drs-verify) share one canonicalization implementation — chains cannot diverge across languages.

License

Apache-2.0 © Okey Amy