npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@weave_protocol/ward

v0.1.0

Published

WARD.md — the agent security policy standard. Define what your agents can and cannot do, version-controlled alongside AGENTS.md and SKILL.md.

Downloads

69

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tyox-alltyox-all

Keywords

weave-protocolwardagent-securityai-securityai-agentsinfrastructure-as-codepolicyguardrailsagents-mdskill-mdantigravityclaude-codemdashharnessmcpmodel-context-protocol

Readme

🛡️ @weave_protocol/ward

npm version npm license

WARD.md — the agent security policy standard.

AGENTS.md tells your agent what to do. SKILL.md tells your agent how to do it. WARD.md tells your agent what it can't.

Part of the Weave Protocol security suite.

npm install @weave_protocol/ward

What is WARD.md?

Agents are now infrastructure-as-code. They're defined in markdown files (AGENTS.md, SKILL.md), version-controlled, and shared across registries.

If agent behavior is declared in a file, agent security should be too.

WARD.md is a standard format for declaring the security policy of an AI agent. It lives next to AGENTS.md and SKILL.md in the same repo, and is read by harnesses (Antigravity, Claude Code, MDASH) and runtime enforcers (Mund, Hundredmen, Dōmere) to keep the agent inside its lane.

my-agent-project/
├── AGENTS.md          # what the agent does
├── SKILL.md           # how the agent does it
├── WARD.md            # what the agent can't do  ← this package
└── .weave/
    └── attestations/  # cryptographic proofs that the policy held

Quick start

# Generate a starter WARD.md
npx @weave_protocol/ward init

# Validate it
npx @weave_protocol/ward validate WARD.md

# Show a human-readable summary
npx @weave_protocol/ward explain WARD.md

A minimal WARD.md

---
ward: "1.0"
agent: my-data-analyzer
---

# WARD.md

## Filesystem
allow:
  - read: /workspace/**
  - write: /workspace/output/**
deny:
  - read: /workspace/secrets/**
default: deny

## Network
deny:
  - url: "**"
default: deny

## Capabilities
allow:
  - file_read
  - file_write
deny:
  - shell_exec
default: deny

## Behavioral Limits
maxIterations: 50
maxRuntimeSeconds: 300
maxCostUSD: 5.00

## Verification
required: true
backend: domere
frequency: session_end

That's a complete policy. The agent can read inputs and write outputs, can't touch secrets, can't make network calls, can't shell out, can't burn more than $5 or run for more than 5 minutes — and every action is attested at session end.

Programmatic use

import { parseWard, checkFilesystem, checkNetwork, checkCapability } from "@weave_protocol/ward";
import { readFileSync } from "node:fs";

const policy = parseWard(readFileSync("./WARD.md", "utf8"));

// Before any filesystem action:
const fs = checkFilesystem(policy, "read", "/workspace/secrets/keys.txt");
if (fs.decision !== "allow") throw new Error(fs.reason);

// Before any network call:
const net = checkNetwork(policy, "https://api.evil.com/exfil", "POST");
if (net.decision !== "allow") throw new Error(net.reason);

// Before any tool invocation:
const cap = checkCapability(policy, "shell_exec");
if (cap.decision === "require_approval") {
  await promptHuman("shell_exec needs your approval");
} else if (cap.decision === "deny") {
  throw new Error(cap.reason);
}

Every check returns { decision: "allow" | "deny" | "require_approval", reason, severity } so hosts can decide whether to block, log, prompt, or attest.

Policy sections

WARD.md is markdown with YAML frontmatter. Each top-level section maps to a typed sub-policy:

| Section | Controls | |---------|----------| | ## Filesystem | Read/write/execute/delete/list rules with glob patterns | | ## Network | Outbound HTTP allowlist with optional method restrictions | | ## Capabilities | Tools the agent may invoke (with optional approval gating) | | ## Data Boundaries | Egress classifications (PII, PHI, credentials...) and redaction | | ## Behavioral Limits | Iterations, runtime, cost, tokens, tool calls, external services | | ## Multi-Agent | Trust chain, isolation level, semantic drift threshold | | ## Compliance | SOC2 / HIPAA / GDPR / CCPA / ISO27001 / PCI-DSS frameworks | | ## Verification | Attestation backend (Dōmere), blockchain, frequency | | ## Threat Model | Which threats this policy is designed against | | ## Incident Response | What to do when a violation occurs |

See SPEC.md for the full specification.

CLI

weave-ward init [--strict]    Create a starter WARD.md (basic or strict template)
weave-ward parse <file>       Print parsed policy as JSON
weave-ward validate <file>    Validate the file and report issues
weave-ward explain <file>     Human-readable summary
weave-ward help               Show help

Exit codes for validate: 0 = valid, 1 = invalid, 2 = usage error. Use in CI to gate PRs that change agent policies.

Examples

The package ships with three example WARD.md files:

Why a standard?

The harness wars are on. Google has Antigravity. Microsoft has MDASH. Anthropic has Claude Code. Every major platform is building its own orchestration layer. Their agent definition formats differ slightly, but they're all converging on the same idea: agents as files.

What's missing is a portable, declarative way to say what an agent isn't allowed to do. Today every harness rolls its own ad-hoc allowlist somewhere in a config file. That doesn't survive cross-platform agent sharing, doesn't gate at PR review time, and isn't cryptographically attestable.

WARD.md is the format that does all three.

Status

v0.1 (this release): parser, validator, type system, CLI, runtime check primitives (checkFilesystem, checkNetwork, checkCapability, checkDataEgress, checkBehavioral).

Coming next: platform adapters for Antigravity / Claude Code / MDASH, integration with Mund's scanner, Dōmere attestation hooks, MCP server.

License

Apache 2.0 — see LICENSE.