npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@synoi/verify-core

v0.1.0

Published

The ONE offline evidence-bundle verifier for SynOI (ADR_019 STEP 8). Depends on @synoi/sraid for RFC 8785 JCS canonicalize + cdroContentCore + hybrid DSSE verifyAttestation. The @synoi/verify CLI and the gateway self-verify both import this single functio

Readme

@synoi/verify-core

The ONE offline evidence-bundle verifier for SynOI (ADR_019 STEP 8).

Before this package there were two verifyEvidenceBundle implementations: the gateway self-verify and the third-party @synoi/verify copy. They had drifted - the gateway copy was strictly weaker (no signed-tenant binding, no vacuous fail-closed, no key-fingerprint surfacing), so "a green here means a green there" was false in code. This package collapses both onto ONE function. @synoi/verify re-exports it; the gateway self-verify imports it. Two copies cannot mechanically disagree when there is only one.

Contract

  • Depends on @synoi/sraid for RFC 8785 JCS canonicalize, the cdroContentCore content-core projection, and hybrid DSSE verifyAttestation (Ed25519 AND ML-DSA-65, both required). No divergent canonicalizer is defined here. This keeps @synoi/sraid a pure L0 package - the verifier lives one layer up.
  • Accepts ONLY synoi-evidence-bundle-v2. A v1 bundle is HARD-REJECTED with reason unsupported-bundle-version (fail-closed, no back-compat window).

Bundle v2: signed completeness

The v1 content_digest committed only { receipts, absence_statements }. It did NOT commit the completeness flags, so a truncated bundle could be relabeled truncated: false and still verify green - it could lie about completeness under a green check. v2 folds the completeness flags plus the declared scope INTO the signed digest preimage:

content_digest = 'sha256:' + sha256(canonicalize({
  bundle_version, tenant_id, receipt_count, absence_count,
  truncated, body_filtered_omission, filter, receipts, absence_statements
}))

Flipping truncated true->false, relabeling body_filtered_omission, dropping a receipt, or changing the declared tenant now BREAKS the digest.

Checks

  1. structural shape (arrays + manifest + honesty present),
  2. bundle_version === v2, else hard-reject,
  3. v2 content_digest recomputes and matches (JCS integrity anchor over the completeness-committing preimage),
  4. manifest counts match the enclosed arrays,
  5. every receipt: signed tenant_id == bundle.tenant_id, then payload-bound + hybrid both-required signature under one enclosed key,
  6. every absence statement: same,
  7. vacuous fail-closed: a bundle that attests to nothing is not valid.

Trust anchor

A verified bundle proves the enclosed contents were signed by the key(s) named in verifying_key_fingerprints and not altered since, that every item is bound to the declared tenant, and that the completeness flags are the ones that were signed. It does NOT prove those keys are legitimate SynOI gateway keys - the recipient must anchor the fingerprints OUT OF BAND. It is NOT court-admissible and NOT regulator-accepted.