npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@razroo/iso-capabilities

v0.1.0

Published

Deterministic role capability policies for AI-agent workflows: resolve, check, and render tool/MCP/filesystem permissions without model calls.

Downloads

480

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

razroorazroo

Keywords

agentcapabilitiespermissionspolicytoolsmcpworkflowharnessaicoding-agentclaude-codecursorcodexopencode

Readme

@razroo/iso-capabilities

Deterministic role capability policies for agent workflows.

Agents often receive broad tool access because capability boundaries live in prose. iso-capabilities moves those boundaries into local JSON policy: resolve role inheritance, check requested tool/MCP/command/filesystem/network access, and render compact target-specific guidance without model calls.

It is local-only, dependency-free, and MCP-free. Use it for roles such as orchestrators, browser subagents, verifiers, reviewers, or any other agent shape where "what this role may do" should be executable policy instead of prompt text.

Install

npm install -D @razroo/iso-capabilities

CLI

iso-capabilities list --policy capabilities.json
iso-capabilities explain applicant --policy capabilities.json

iso-capabilities check applicant \
  --policy capabilities.json \
  --tool browser \
  --mcp geometra \
  --command "npx job-forge merge" \
  --filesystem write \
  --network restricted

iso-capabilities render applicant \
  --policy capabilities.json \
  --target opencode

Every command accepts --json for machine-readable output.

Policy Shape

{
  "roles": [
    {
      "name": "base",
      "description": "Reads local state and runs safe verification commands.",
      "tools": ["read", "search", "shell"],
      "mcp": [],
      "commands": {
        "allow": ["npx job-forge verify", "rg *"],
        "deny": ["geometra_*", "rm -rf *"]
      },
      "filesystem": "read-only",
      "network": "off"
    },
    {
      "name": "applicant",
      "extends": "base",
      "tools": ["browser", "write"],
      "mcp": ["geometra", "gmail"],
      "filesystem": "project-write",
      "network": "restricted"
    }
  ]
}

Accepted top-level input can be { "roles": [...] }, an array of roles, or one role object.

Semantics

  • extends supports one parent or an array of parents.
  • Parent tools, MCP servers, command allowlists, command denylists, and notes are inherited before child values.
  • Child filesystem, network, and description values override inherited values.
  • commands.deny wins before commands.allow.
  • Command patterns support exact strings and trailing * prefix matches.
  • Tool and MCP lists support * as an allow-all entry.

Filesystem modes:

  • none
  • read-only
  • project-write
  • workspace-write
  • unrestricted

Network modes:

  • off
  • restricted
  • on

Library API

import {
  checkRoleCapability,
  loadCapabilityPolicy,
  resolveRole,
} from "@razroo/iso-capabilities";

const policy = loadCapabilityPolicy(JSON.parse(rawPolicy));
const applicant = resolveRole(policy, "applicant");
const result = checkRoleCapability(policy, "applicant", {
  tools: ["browser"],
  mcp: ["geometra"],
  commands: ["npx job-forge merge"],
  filesystem: ["write"],
  network: "restricted",
});

Fit With The iso Stack

  • iso-capabilities defines what a role may do.
  • iso-route defines which model a role should use.
  • iso-harness emits the harness files where roles run.
  • iso-contract defines artifact shape.
  • iso-ledger records domain events about those artifacts.
  • iso-orchestrator controls durable workflow execution.
  • iso-guard audits whether the actual run obeyed policy.

For JobForge, capabilities can represent the difference between an inline orchestrator, a browser application subagent, and a verifier without loading the full permission matrix into every prompt turn.