npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@opsimathically/networkprocedurecall

v0.0.1

Published

Provides a certificate-authenticated network interface for @opsimathically/workerprocedurecall using private-CA mTLS.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

opsimathicallyopsimathically

Keywords

set_keywords

Readme

networkprocedurecall

networkprocedurecall provides a certificate-authenticated network interface for @opsimathically/workerprocedurecall using private-CA mTLS.

Security Model

  • Mutual TLS transport (tls.createServer / tls.connect)
  • Private-CA trust (no public CA required)
  • API-key authentication inside the mTLS channel
  • Privilege-aware operations:
    • invoke_functions
    • define_functions
    • undefine_functions
    • define_constants
    • undefine_constants
    • define_dependencies
    • undefine_dependencies
    • admin_privileges
    • all_privileges

Install

npm install

Run Tests

npm test

Minimal Usage (mTLS)

import { WorkerProcedureCall } from '@opsimathically/workerprocedurecall';
import { NetworkProcedureCall, NetworkProcedureCallClient } from '@opsimathically/networkprocedurecall';

(async function () {
  const workerprocedurecall = new WorkerProcedureCall();

  await workerprocedurecall.defineWorkerFunction({
    name: 'WPCFunction2',
    worker_func: async function (): Promise<string> {
      return 'ok';
    }
  });

  await workerprocedurecall.startWorkers({ count: 2 });

  const server_key_pem = process.env.SERVER_KEY_PEM as string;
  const server_cert_pem = process.env.SERVER_CERT_PEM as string;
  const server_ca_pem = process.env.SERVER_CA_PEM as string;

  const client_key_pem = process.env.CLIENT_KEY_PEM as string;
  const client_cert_pem = process.env.CLIENT_CERT_PEM as string;
  const client_ca_pem = process.env.CLIENT_CA_PEM as string;

  const networkprocedurecall = new NetworkProcedureCall({ workerprocedurecall });

  await networkprocedurecall.start({
    information: { server_name: 'server_1' },
    network: { bind_addr: '127.0.0.1', tcp_listen_port: 6767 },
    tls_mtls: {
      key_pem: server_key_pem,
      cert_pem: server_cert_pem,
      ca_pem: server_ca_pem,
      min_version: 'TLSv1.3'
    },
    auth_callback: async function (params) {
      if (params.api_key === 'test_api_key_1') {
        return {
          state: 'authenticated',
          privileges: ['all_privileges']
        };
      }
      return 'failed';
    }
  });

  const networkprocedurecallclient = new NetworkProcedureCallClient({
    servers: {
      server_1: {
        network: { host: '127.0.0.1', tcp_remote_port: 6767 },
        tls_mtls: {
          key_pem: client_key_pem,
          cert_pem: client_cert_pem,
          ca_pem: client_ca_pem,
          servername: 'localhost',
          min_version: 'TLSv1.3'
        },
        authentication: { api_key: 'test_api_key_1' }
      }
    }
  });

  const function_return_value = await networkprocedurecallclient.server_1.call.WPCFunction2();
  console.log(function_return_value);
})();

all_servers Aggregate Operations

NetworkProcedureCallClient reserves the member name all_servers. It runs an operation against every configured server and returns a per-server result map.

const define_result = await networkprocedurecallclient.all_servers.defineFunction({
  name: 'SomeFunctionDefinedOnAllServers',
  worker_func: async function (something: string): Promise<string> {
    return `hello: ${something}`;
  }
});

const invoke_result =
  await networkprocedurecallclient.all_servers.call.SomeFunctionDefinedOnAllServers('world');

console.log(define_result);
console.log(invoke_result);

Aggregate result shape:

type all_servers_operation_result_t<result_t> =
  | { state: 'ok'; result: result_t }
  | { state: 'error'; error: { code: string; message: string; details?: unknown } };

type all_servers_operation_result_map_t<result_t> = Record<
  string,
  all_servers_operation_result_t<result_t>
>;

Notes:

  • Single-server calls are unchanged (networkprocedurecallclient.server_1.call.X()).
  • all_servers does not fail-fast; each server gets an ok or error entry.
  • servers config cannot contain a key named all_servers (reserved).

Abuse Controls (Rate Limiting + DoS Guards)

NetworkProcedureCall.start(...) accepts an optional abuse_controls block. If omitted, safe defaults are applied automatically.

await networkprocedurecall.start({
  information: { server_name: 'server_1' },
  network: { bind_addr: '127.0.0.1', tcp_listen_port: 6767 },
  tls_mtls: {
    key_pem: server_key_pem,
    cert_pem: server_cert_pem,
    ca_pem: server_ca_pem,
    min_version: 'TLSv1.3'
  },
  abuse_controls: {
    connection_controls: {
      max_concurrent_sockets: 1024,
      max_concurrent_handshakes: 256,
      max_unauthenticated_sessions: 256,
      global_connection_window_ms: 1000,
      global_max_new_connections_per_window: 512,
      per_ip_max_new_connections_per_window: 64,
      tls_handshake_timeout_ms: 5000,
      auth_message_timeout_ms: 5000,
      max_pre_auth_frame_bytes: 64 * 1024,
      max_post_auth_frame_bytes: 1024 * 1024
    },
    auth_controls: {
      pending_auth_window_ms: 10_000,
      max_pending_auth_attempts_per_ip_per_window: 100,
      failed_auth_window_ms: 60_000,
      max_failed_auth_per_ip_per_window: 20,
      max_failed_auth_per_api_key_per_window: 20,
      block_duration_ms: 60_000,
      enable_blocklist: true
    },
    request_controls: {
      max_in_flight_requests_per_connection: 128,
      per_connection: {
        enabled: true,
        tokens_per_interval: 200,
        interval_ms: 1000,
        burst_tokens: 400
      },
      per_api_key: {
        enabled: true,
        tokens_per_interval: 1000,
        interval_ms: 1000,
        burst_tokens: 2000
      },
      per_ip: {
        enabled: true,
        tokens_per_interval: 500,
        interval_ms: 1000,
        burst_tokens: 1000
      }
    }
  },
  auth_callback: async function (params) {
    if (params.api_key === 'test_api_key_1') {
      return { state: 'authenticated', privileges: ['all_privileges'] };
    }
    return 'failed';
  }
});

Behavior:

  • Connection admission limits enforce global and per-IP new-connection windows.
  • Pre-auth sockets are dropped on timeout if auth is not sent promptly.
  • Requests are rate-limited per connection, per API key, and per IP.
  • Failures use structured error codes including:
    • rate_limited
    • connection_limited
    • handshake_limited
    • auth_throttled

You can inspect counters via networkprocedurecall.getAbuseMetrics().

Tuning guidance:

  • Internet-facing deployments:
    • Keep lower per_ip_max_new_connections_per_window.
    • Keep auth_message_timeout_ms short (1-5s).
    • Keep per-key and per-IP request limiters enabled.
  • Internal trusted networks:
    • You can raise burst limits and in-flight limits.
    • Keep pre-auth timeout and handshake caps enabled.
  • Tradeoff:
    • Aggressive limits reduce abuse impact but can create false positives for bursty legitimate clients.

Security Checklist

  • Never disable certificate verification.
  • Always set the client servername to match server certificate SAN/CN.
  • Use short-lived certificates and rotate automatically.
  • Rotate API keys independently from certificates.
  • Bind API keys to cert identity (fingerprint/SAN) in auth_callback where possible.
  • Restrict define_function to tightly trusted operators.

Test Coverage

See:

  • test/networkprocedurecall/networkprocedurecall.tls_mtls.test.ts