npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@the-ai-company/cbio-node-runtime

v1.76.1

Published

Node.js runtime for cbio identity and credential vault. Library only, no CLI or TUI.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

vinciartsvinciarts

Keywords

claw-biometricagentidentityvaultsecretsnode-runtime

Readme

cbio Vault Runtime (v1.72.0)

Node.js vault runtime with a Vault architecture: authority is rooted in a master password, and agent identities are fully managed within the vault's encrypted storage.

Key Features

  • No CLI / No TUI: Pure library for integration into Node.js applications.
  • Authority-centric: Administrative control is tied to the vault's master password.
  • Unified ID Architecture: All identifiers (VaultId, SecretId, AgentId) are managed as native strings.
  • Grant-Based Authorization: Simplified, domain-level white-listing.
  • Zero-Configuration Discovery: Agents can self-introspect to discover their identity, grants, and toolset.
  • Managed Agent Custody: Generate and store agent private keys securely inside the vault.
  • Process Resilience: Native support for memory-only fallback when SQLite is unavailable.

Install

Requires Node >= 18.

npm install @the-ai-company/cbio-node-runtime

Usage

1. Bootstrap and Recover

import { createVault, recoverVault, FsStorageProvider } from '@the-ai-company/cbio-node-runtime';

const storage = new FsStorageProvider('./my-vaults');

// Create
const myVault = await createVault(storage, {
  password: 'your-secure-password',
  nickname: 'Production Vault'
});

// Recover
const vault = await recoverVault(storage, {
  vault_id: myVault.vault_id,
  password: 'your-secure-password'
});

2. Manage Agents and Grants (Owner)

import { createOwnerClient } from '@the-ai-company/cbio-node-runtime';

const client = await createOwnerClient({
  vault: vault.vault,
  password_verifier: (pwd) => pwd === 'your-secure-password'
});

// 1. Create an agent
const { agent, session_token } = await client.ownerCreateAgent({ nickname: 'Bot' });

// 2. Create a secret (Strict Create: fails if alias exists)
const secret = await client.ownerCreateSecret({ alias: 'api-key', plaintext: 'sk-...' });

// 3. Grant access (Whitelist)
// Note: Grants are bound to the internal stable ID, so renames are resilient.
await client.ownerGrantAgentSecret({ root_agent_id: agent.root_agent_id, secret_alias: 'api-key' });
await client.ownerGrantSecretDestination({ secret_alias: 'api-key', site_id: 'api.openai.com' });

3. Dispatch Secrets (Agent)

Agents use a "Zero-Configuration" workflow. They don't need to know their permissions up front; the system guides them.

import { createAgentClient } from '@the-ai-company/cbio-node-runtime';

const agentClient = createAgentClient({
  agentRecord: agent,
  token: session_token.token,
  vault: vault.vault
});

// Dispatch request
const result = await agentClient.agentDispatch({
  target_url: 'https://api.openai.com/v1/chat/completions',
  method: 'POST',
  secret_alias: 'api-key',
  reason: 'Processing user request'
});

if (result.status === 'PENDING') {
  console.log("Stalled for HITL approval. Request ID:", result.request_id);
}

4. Human-in-the-Loop (Owner Approval)

If a dispatch is blocked (status AWAITING_APPROVAL), the owner can review stored request records or subscribe to pending-dispatch events:

const unsubscribe = client.ownerOnPendingDispatch({
  onEvent: (event) => {
    console.log("pending dispatch", event.event_id, event.record.request_id);
  },
});

const pending = await client.ownerListRequests();
const awaitingApproval = pending.filter((record) => record.execution.status === "AWAITING_APPROVAL");

// Approve with the "Allow & Grant" shortcut
if (awaitingApproval.length > 0) {
  await client.ownerApproveDispatch({
    request_id: awaitingApproval[0].request_id,
    decision: "allow_and_grant",
  });
}

unsubscribe();

5. Fact-Based Audit Log

The audit log records objective facts about function calls and results. You can stream the log over SSE:

import { handleVaultAuditSse } from '@the-ai-company/cbio-node-runtime';

app.get('/api/events', (req, res) => {
  const response = handleVaultAuditSse(vaultService, {
    afterEventId: req.header('Last-Event-ID') ?? undefined,
    signal: req.signal,
  });
  // ... bridge to SSE response
});

Decisions can be:

  • allow_once: Execute once, no permanent whitelist update.
  • allow_and_grant: Execute and add to the permanent whitelist (Zero-Config).
  • deny: Reject the request.

Documentation