npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@tomako/connect

v0.1.0

Published

Machine-verifiable Tomako goal metric connection CLI for coding agents

Readme

@tomako/connect (0.1.0 development package)

Machine-oriented device-flow CLI for connecting one deployed, read-only goal metric endpoint to Tomako. This package is not published yet.

npx --yes @tomako/[email protected] install \
  --device PUBLIC_DEVICE_CODE \
  --goal GOAL_ID \
  --digest sha256:v1:GOAL_DIGEST

The first invocation fetches a non-sensitive goal brief and outputs WAITING_AGENT, briefHash, and the canonical proposal-file schema. The coding agent must inspect the repository and create .tomako/metric-proposal.json; the CLI never guesses the metric definition. The file is a generated envelope, not a raw metric object:

If the repository supports materially different valid interpretations (for example, account created vs. email verified vs. first workspace entry), metric.semanticDecision may include one bounded question and 2-4 complete options. The recommended option must exactly match the proposal's default fields. Tomako requires the signed-in owner to choose one option in the existing confirmation card, then signs only the selected semantics into the immutable contract. Do not invent alternatives when repository facts do not create a real count difference.

{
  "schemaVersion": 1,
  "generatedBy": "@tomako/connect",
  "goalBinding": {
    "goalId": "copy from goalBrief",
    "goalVersion": 1,
    "goalDigest": "copy from goalBrief"
  },
  "briefHash": "copy the WAITING_AGENT briefHash",
  "metric": { "strategy": "SIGNED_PULL_SNAPSHOT", "...": "canonical metric fields" }
}

The CLI rejects stale proposal files unless all three goal-binding fields and the exact generated brief hash match. Only the inner canonical metric is sent to the backend.

Every stdout event is one machine-readable JSON line containing a version-pinned nextCommand (or an explicit manual/no-op instruction), required inputs, and acceptance checks. The agent does not need to infer the next protocol step from this README.

npx --yes @tomako/[email protected] install \
  --device PUBLIC_DEVICE_CODE \
  --goal GOAL_ID \
  --digest sha256:v1:GOAL_DIGEST \
  --proposal .tomako/metric-proposal.json \
  --endpoint https://product.example/api/tomako/metric

The proposal is submitted before owner confirmation. resume polls the authorization state, verifies the server-signed immutable contract and exact goal/proposal binding, then writes .tomako/connection.json read-only. Private Ed25519 installation identity stays under .git/tomako-connect with mode 0600.

Before owner confirmation, the CLI also derives a small project-identity summary so the owner can verify that the agent connected the intended codebase. The canonical client object contains only agent, projectFingerprint, cliVersion, repository, framework, deploymentDomain, and device. The project directory basename and package name are embedded only in the human-readable repository label. Git usernames, passwords, tokens, query strings, fragments, local absolute paths, and endpoint paths are never sent. Remote URLs that cannot be safely reduced are reported only as a local Git project.

Automatic runtime installation currently supports Node 20+ projects where a Next.js App Router directory is detected. Java, Python, Go, other runtimes, and unknown repositories fail closed with PROJECT_RUNTIME_UNSUPPORTED and USE_MANUAL_PROGRESS; the CLI never submits a claim that the published runtime cannot fulfill.

Starting a different device flow or goal safely generates a new installation ID, Ed25519 identity, and idempotency key after the new public goal brief has been validated. Previous confirmed .tomako/connection.json and the exact claimed proposal are moved unchanged to .tomako/history/ and reported in the JSON event. Generated goal briefs are replaced only when their stored ownership hash is intact and the goal binding changes; user-owned or changed files fail closed. Server-confirmed REJECTED, STALE, EXPIRED, and REVOKED states converge to an explicit rotation or cleanup command.

Before the claim request, the CLI persists a CLAIM_SUBMITTING recovery record. If the server accepted the claim but the response was lost, rerunning the same install command reads the signed installation status first and, only when the server reports INSTALLATION_NOT_FOUND, resubmits the byte-equivalent idempotent claim data. It never fetches a new one-time brief during this recovery path.

In a monorepo, public .tomako files are scoped to the nearest package containing package.json, while private credentials remain in the repository's real Git directory. The project fingerprint binds both real paths, so running the same command in a different workspace rotates identity instead of silently reusing it.

Commands after confirmation:

  • auth-check: verifies only the CLI installation identity (AUTH_VERIFIED).
  • test: asks Tomako's backend to perform a real signed pull against the deployed HTTPS endpoint. It accepts only RUNTIME_TEST_PASSED plus a backend proof.
  • activate: requires the runtime proof.
  • status, resume, revoke, cleanup-local.

Production control origin is compiled as https://tomako.ai; there is no --api. Only TOMAKO_DEV=1 with a loopback TOMAKO_DEV_API enables local protocol tests. Redirects are rejected and symlinked state paths fail closed.

Release blocker: the production contract-signing Ed25519 root key is intentionally absent from src/trust.mjs; the package must not be published until it is inserted and pinned.