@omegaengine/verify

v0.2.0

Offline, zero-dependency verifier for OmegaEngine Agent Security Attestations — checks the Ed25519 signature against the published JWKS and the content hash, with no trust in OmegaEngine.

Downloads

131

Readme

@omegaengine/verify

Offline, zero-dependency verifier for OmegaEngine Agent Security Attestations.

It confirms two things, entirely on your machine, with no trust in (and no call to) OmegaEngine:

  1. Authenticity — the attestation's signatureV2 is a standard EdDSA JWS (RFC 8037) signed by the key published at OmegaEngine's JWKS (/.well-known/jwks.json, RFC 7517).
  2. Integrity — the attestationId equals the SHA-256 of the canonical attestation body, so nothing was altered.

Built only on Node's built-in crypto — no third-party dependencies to trust.

CLI

npx @omegaengine/verify attestation.json
# ✓ VERIFIED — issued by https://omegaengine.ai (key 9f3a…)

To verify against a custom key set (e.g. self-hosted), pass --jwks=https://your-host/.well-known/jwks.json. Exit codes: 0 verified · 1 not verified · 2 usage error.

Library

import { verifyAttestation, verifyAttestationRemote } from "@omegaengine/verify";

// att (the attestation) and jwks (a key set you already hold) are inputs
// that this snippet does not define

// fetch the published JWKS and verify
const r = await verifyAttestationRemote(att);
if (r.valid) console.log("issued by", r.issuer);

// or verify against a JWKS you already hold (fully offline)
const r2 = verifyAttestation(att, jwks);

Transparency log (inclusion + consistency)

Beyond authenticity, confirm an attestation was recorded in OmegaEngine's public, append-only transparency log (RFC 6962) — so a proof can't have been forged or backdated:

import { verifyInclusion, verifyInclusionRemote, verifyConsistency } from "@omegaengine/verify";

// fetch the inclusion proof + JWKS from a running instance and verify offline
const r = await verifyInclusionRemote(att);
if (r.valid) console.log("publicly logged:", r.reason);

// or verify a proof bundle you already hold (fully offline, no network)
const r2 = verifyInclusion(att, inclusion, jwks);

// monitors: prove the log was never rewritten between two tree sizes
const r3 = verifyConsistency(first, second, firstRoot, secondRoot, proof);

verifyInclusion folds the audit path to the signed tree head root (RFC 6962) and checks the tree head's EdDSA signature against the JWKS — the same key that signs attestations. Proof bundles come from GET /api/transparency/proof/<id>; the signed head from GET /api/transparency/sth.
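
The audit-path fold described above, as an added example that is not the package's own code: it implements the RFC 6962 hashing rules with Node's built-in crypto and checks a path against a tree that is deliberately not a power of two in size. The function names and the seven sample entries are constructed for illustration; the page does not specify how OmegaEngine encodes a log leaf, and the signature check on the tree head is not shown here.

```javascript
// Added example, not code from @omegaengine/verify: RFC 6962 audit-path folding.
const { createHash } = require("node:crypto");

const sha256 = (...parts) => createHash("sha256").update(Buffer.concat(parts)).digest();
const leafHash = (data) => sha256(Buffer.from([0x00]), data); // leaf prefix 0x00
const nodeHash = (l, r) => sha256(Buffer.from([0x01]), l, r); // interior prefix 0x01

// Largest power of two strictly below n (n > 1): where RFC 6962 splits a tree.
const splitPoint = (n) => { let k = 1; while (k * 2 < n) k *= 2; return k; };

// Log side: Merkle Tree Hash over a non-empty list of leaf hashes.
function merkleRoot(leaves) {
  if (leaves.length === 1) return leaves[0];
  const k = splitPoint(leaves.length);
  return nodeHash(merkleRoot(leaves.slice(0, k)), merkleRoot(leaves.slice(k)));
}

// Log side: audit path for leaf `index`, ordered from the leaf up to the root.
function auditPath(leaves, index) {
  if (leaves.length === 1) return [];
  const k = splitPoint(leaves.length);
  return index < k
    ? [...auditPath(leaves.slice(0, k), index), merkleRoot(leaves.slice(k))]
    : [...auditPath(leaves.slice(k), index - k), merkleRoot(leaves.slice(0, k))];
}

// Verifier side: fold the path upward and compare with the expected root.
// Uses 32-bit shifts, so tree sizes must stay below 2^31.
function verifyInclusionPath(leaf, index, treeSize, path, expectedRoot) {
  if (!Number.isInteger(index) || index < 0 || index >= treeSize) return false;
  let fn = index, sn = treeSize - 1, r = leaf;
  for (const p of path) {
    if (sn === 0) return false; // path is longer than the tree is deep
    if ((fn & 1) === 1 || fn === sn) {
      r = nodeHash(p, r); // sibling is on the left
      while ((fn & 1) === 0 && fn !== 0) { fn >>= 1; sn >>= 1; } // skip levels with no sibling
    } else {
      r = nodeHash(r, p); // sibling is on the right
    }
    fn >>= 1; sn >>= 1;
  }
  return sn === 0 && r.equals(expectedRoot); // a truncated path leaves sn > 0
}

// Constructed sample: seven made-up entries; 7 is not a power of two on purpose.
const SAMPLE = ["e0", "e1", "e2", "e3", "e4", "e5", "e6"].map((s) => leafHash(Buffer.from(s)));
const SAMPLE_ROOT = merkleRoot(SAMPLE);
console.log(verifyInclusionPath(SAMPLE[6], 6, 7, auditPath(SAMPLE, 6), SAMPLE_ROOT));
```

A matching fold only proves inclusion relative to the root it is compared with, so the root has to come from a tree head whose signature has already been verified against the JWKS.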

Why a separate package?

The whole point of an attestation is that you don't have to trust the issuer. The old v1 watermark was an HMAC — only OmegaEngine could check it. v2 is asymmetric: the public key is published, so anyone can verify with this tool, with their own JOSE library, or with openssl. This package is just the convenient path.

Attestations are automated red-team evidence, not a third-party certification. See docs/ATTESTATION_VERIFICATION.md for the full method (including the raw path).

Apache-2.0.