npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@yobekasbah/receipts

v1.0.1

Published

Signed, portable, offline-verifiable receipts for AI agent actions. Implements the Kasbah Receipt Spec (v2/v3): Ed25519 + ML-DSA post-quantum signatures, receipt chaining, Merkle batch verification. Zero dependencies.

Readme

@yobekasbah/receipts

Signed, portable, offline-verifiable receipts for AI agent actions.

Your AI agents do hundreds of things a day — tool calls, file writes, API requests, payments. When something goes wrong (a dispute, an audit, a billing fight), you need to prove what the agent did, when, and what policy allowed it. A Kasbah receipt is that proof:

  • Signed — Ed25519 (RFC 8032) or post-quantum ML-DSA (FIPS 204)
  • Portable — a short string + a base64 payload; goes in a header, a log line, a database column
  • Offline-verifiable — anyone with the issuer's public key can verify it forever, with no API call and no trust in the issuer's continued existence
  • Model-agnostic — the same receipt format whether the action came from GPT, Claude, Grok, Qwen, or a local model
  • Chainable — receipts link parent→child to form verifiable multi-agent decision trees, and batch into Merkle trees for high-throughput audit

Zero runtime dependencies. Pure Node ≥ 16 crypto. Post-quantum signing is an optional peer dependency (@noble/post-quantum).

Install

npm install @yobekasbah/receipts

Sign

const { sign, generateKeyPair } = require('@yobekasbah/receipts');

const keys = generateKeyPair(); // or load your own Ed25519 key

const { receipt, payload } = sign({
  verdict: 'ALLOW',          // ALLOW | WARN | DENY
  risk: 0.12,                // 0.0–1.0
  requestId: 'req_8f3a',     // your correlation id
  subject: sha256OfInput,    // hash of the governed input (or null)
  passportId: null,          // agent identity, if any
  action: 'tool_call',
  surface: 'mcp',
}, { privateKey: keys.privateKeyPem });

// receipt → "kasbah_receipt:v3:ed25519:5f9b247e2a654719:Hk7q…"
// payload → base64url(canonical JSON) — store or transmit both

Verify — no network, no SDK lock-in

const { verify } = require('@yobekasbah/receipts');

const result = verify(receipt, payload, publicKeyPem);
// { valid: true, decoded: { verdict: 'ALLOW', risk: 0.12, ts: …, … }, keyId, algorithm }

Or from the command line:

npx kasbah-verify "kasbah_receipt:v3:ed25519:…" "<payloadB64>" --key public.pem
npx kasbah-verify "…" "…" --issuer https://your-gateway.example.com   # fetches /.well-known/kasbah-keys.json

Tampering with a single byte of the payload — the verdict, the risk score, the timestamp — invalidates the signature.

Multi-agent chains

When a parent agent spawns children, link their receipts into a verifiable tree:

const root  = sign({ …, chainId: 'wf_abc' }, keys);
const child = sign({ …, chainId: 'wf_abc', parentReceipt: root.receipt }, keys);

const { verifyChain } = require('@yobekasbah/receipts');
verifyChain([child, root], publicKeyPem);
// { valid: true, depth: 2, chainId: 'wf_abc' }

Tampering with any receipt invalidates it and every descendant.

High-throughput batches

Verify any receipt in a batch of thousands against one published root hash:

const { merkleBatch, verifyMerkleProof } = require('@yobekasbah/receipts');

const { root, proofs } = merkleBatch(receipts); // [{ receipt, payload }, …]
verifyMerkleProof(r.receipt, r.payload, proofs.get(r.receipt), root);
// { valid: true }

Post-quantum signing

npm install @noble/post-quantum
const { ml_dsa65 } = require('@noble/post-quantum/ml-dsa.js');
const kp = ml_dsa65.keygen();

sign(payload, { secretKey: kp.secretKey, publicKey: kp.publicKey },
     { algorithm: 'dilithium3' });   // ML-DSA-65, FIPS 204

The spec

The full wire format, canonical JSON rules, key distribution, chaining, and Merkle construction are specified in SPEC.md. The spec is implementation-independent: anyone can build a verifier from the document alone — that's the point. Receipts must remain verifiable even if this package, or its issuer, disappears.

Why this exists

Gateways, observability tools, and agent frameworks all log what AI does. Logs are mutable, vendor-locked, and worthless in a dispute. A receipt is a log line you can hand to the other side. As agents start delegating to other agents and spending real money, "show me the signed receipt" becomes the ground truth for liability — whichever vendor, model, or framework was involved.

License

MIT