npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@roar-protocol/sdk

v0.3.2

Published

TypeScript SDK for the ROAR Protocol (Real-time Open Agent Runtime)

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

prowlrbotprowlrbot

Keywords

roarprotocolagentaisdkdididentitymcpa2a

Readme

@roar-protocol/sdk

Real-time Open Agent Runtime — TypeScript SDK

Conformance npm License Node Security

The TypeScript SDK for the ROAR Protocol. Build agents that can discover each other, exchange signed messages, stream events, and delegate capabilities — with zero external dependencies.

Features

  • Ed25519 identity + DID methods (did:roar, did:key, did:web)
  • W3C DID Documents
  • Cryptographic delegation tokens
  • Graduated autonomy (WATCHGUIDEDELEGATEAUTONOMOUS)
  • HTTP + WebSocket + SSE + stdio transports
  • AIMD backpressure event streaming
  • TTL+LRU discovery cache + SQLite directory
  • Protocol auto-detection (ROAR / MCP / A2A / ACP)
  • Rate limiting + replay protection
  • Zero external dependencies — Node.js 18+ built-ins only

Install

npm install @roar-protocol/sdk

Requires Node.js 18 or later. No peer dependencies.

Quick Start

import {
  createIdentity,
  createMessage,
  signMessage,
  verifyMessage,
  ROARClient,
  MessageIntent,
  defaultConnectionConfig,
} from "@roar-protocol/sdk";

// 1. Create two agent identities
const sender = createIdentity("Alice", { agentType: "agent", capabilities: ["summarize"] });
const receiver = createIdentity("Bob",  { agentType: "tool",  capabilities: ["search"] });

// 2. Build a message
const msg = createMessage(
  sender,
  receiver,
  MessageIntent.EXECUTE,
  { text: "Summarize the ROAR spec." },
);

// 3. Sign it (HMAC-SHA256, cross-language compatible with the Python SDK)
const secret = "my-shared-secret";
signMessage(msg, secret);

// 4. Verify on the receiving side
const ok = verifyMessage(msg, secret); // true

// 5. Send over HTTP
const client = new ROARClient({
  ...defaultConnectionConfig(),
  url: "http://localhost:8080",
});
const response = await client.send(msg);
console.log(response.payload);

Ed25519 Asymmetric Signing

import {
  generateEd25519KeyPair,
  signEd25519,
  verifyEd25519,
  createIdentity,
} from "@roar-protocol/sdk";

const { privateKeyHex, publicKeyHex } = generateEd25519KeyPair();

const identity = createIdentity("Carol", {
  agentType: "agent",
  publicKey: publicKeyHex,
});

Delegation Tokens

import {
  issueToken,
  verifyAndValidateToken,
  AutonomyLevel,
} from "@roar-protocol/sdk";

const token = issueToken(
  issuerDid,
  subjectDid,
  ["read", "summarize"],
  { ttlSeconds: 3600, autonomyLevel: AutonomyLevel.DELEGATE },
);

const result = verifyAndValidateToken(token, issuerPublicKeyHex);
// result.valid === true

Discovery Cache

import { DiscoveryCache } from "@roar-protocol/sdk";

const cache = new DiscoveryCache({ maxEntries: 500, ttlSeconds: 300 });
cache.set(entry.agent_card.identity.did, entry);

const hit = cache.get("did:roar:agent:alice-abc123");
const stats = cache.stats(); // { size, hits, misses, evictions }

Protocol Auto-Detection

import { detectProtocol, normalizeToROAR } from "@roar-protocol/sdk";

const detected = detectProtocol(incomingPayload);
// detected.protocol: "roar" | "mcp" | "a2a" | "acp" | "unknown"

const roarMsg = normalizeToROAR(incomingPayload, senderIdentity, receiverIdentity);

Protocol Layers

| Layer | Name | Exports | |-------|------|---------| | 1 | Identity | createIdentity, generateEd25519KeyPair, issueToken, AutonomyLevel, DIDDocument, publicKeyToDidKey | | 2 | Discovery | AgentDirectory, DiscoveryCache, SqliteAgentDirectory | | 3 | Connect | ROARClient, ROARServer, ROARWebSocket, stdioSend, createROARRouter | | 4 | Exchange | createMessage, signMessage, verifyMessage, detectProtocol, normalizeToROAR | | 5 | Stream | EventBus, Subscription, StreamFilter |

Server

import { createIdentity, ROARServer, MessageIntent } from "@roar-protocol/sdk";

const identity = createIdentity("MyAgent", { agentType: "agent", capabilities: ["search"] });
const server = new ROARServer(identity, {
  port: 8080,
  signingSecret: process.env.ROAR_SECRET,
});

// Register a handler per intent
server.on(MessageIntent.EXECUTE, async (msg) => {
  console.log("Task received:", msg.payload);
  return createMessage(identity, msg.from_identity, MessageIntent.RESPOND, { status: "ok" });
});

await server.start();

Idempotency / Replay Protection

import { IdempotencyGuard } from "@roar-protocol/sdk";

const guard = new IdempotencyGuard({ windowSeconds: 300, maxSize: 10_000 });

if (guard.is_duplicate(msg.id)) {
  // replay detected — discard
} else {
  // first time seen — process msg (key auto-recorded by is_duplicate)
}

Security

The SDK was independently audited (see SECURITY-AUDIT-FINAL.md at the repo root). Key guarantees:

  • All signature comparisons use timingSafeEqual from Node.js crypto — no timing oracle.
  • No key material appears in error messages or logs.
  • HMAC signing uses a canonical JSON serialization (pythonJsonDumps) that is byte-for-byte identical to the Python SDK, preventing cross-language signature mismatches.
  • Delegation tokens carry TTL and autonomy level; verifyAndValidateToken rejects expired or out-of-scope tokens.
  • IdempotencyGuard prevents replay attacks within a configurable time window.

License

MIT — see LICENSE.