npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

auditreach-cli

v0.2.1

Published

Official-API-only, BYOK CLI for researching Reddit and YouTube with your own API keys and a tamper-evident, hash-chained audit log -- built for AI agents and compliance teams that can't rely on cookie-based scraping or shared credential pools.

Readme

auditreach

Research Reddit and YouTube from your AI agent using only official APIs, your own keys, and a log that proves exactly what you queried and why it was allowed.

CI npm version PyPI version License: Apache 2.0 Node

auditreach demo: running --help and a first-run auth --verify check with no credentials configured yet

Install

auditreach ships as two independent, equally first-class packages: an npm package (this repo, JavaScript/TypeScript) and a PyPI package (python/, Python). Both implement the same hash-chain algorithm and BYOK model against the same official Reddit/YouTube APIs. Pick whichever fits your toolchain, or install both.

npm:

npx auditreach-cli search --platform reddit --query "your query"

Or install it globally:

npm install -g auditreach-cli
auditreach search --platform reddit --query "your query"

pip:

pip install auditreach-cli
auditreach search --platform reddit --query "your query"

See python/README.md for Python-specific usage, including this distribution's added env-var BYOK credential path (useful for headless CI/agent sandboxes) -- the npm package stores credentials in the OS keychain only.

Building from source works the same way, if you want to read or modify the code first:

git clone https://github.com/RudrenduPaul/auditreach.git
cd auditreach
npm install
npm run build
node dist/cli.js search --platform reddit --query "your query"

Table of contents

Why auditreach exists

A consultancy we talked to had an AI research agent pulling social sentiment for a client report. It worked well until the client's legal team asked, in writing, what authority the data collection was under. The honest answer was "a browser cookie session," because the tool they were using authenticates by importing a logged-in session and scraping as if it were a real user. That works. It is also not an answer you can put in a compliance memo, and it is the exact pattern Reddit sued Anthropic and SerpApi over in 2025, and the same pattern that got Pushshift's public API access shut down by Reddit back in 2024.

Agent-Reach is not a bad tool. It has real traction (55k+ stars) because cookie-based scraping genuinely covers more ground than any official API does today, at zero API cost. But "covers more ground" and "an agency's client can pass a compliance review" are two different bars, and nothing was built specifically to clear the second one.

auditreach is the CLI we wished existed instead. It talks to Reddit and YouTube only through their official, documented APIs, using your own API keys -- never a shared pool -- and every single query writes a hash-chained entry to a local audit log: which platform, which endpoint, which scope, and a plain-language line explaining the consent/ToS basis for that specific call. No cookie import. No session-token reuse. No code path that could even pretend to be a logged-in human.

We are not trying to out-cover Agent-Reach's six platforms. auditreach is narrower on purpose, for the buyer who structurally can't use a cookie-based tool at all.

How it compares

| | auditreach | Agent-Reach | snoowrap | | ---------------------------- | ------------------------------ | ------------------------------------------------------- | --------------------------------------------------- | | Access model | Official API only, BYO-key | Cookie/session import, "zero API fees" | Official API, BYO-key | | Platform coverage (v0.1) | Reddit, YouTube | Twitter, Reddit, YouTube, GitHub, Bilibili, XiaoHongShu | Reddit only | | Consent/audit log | Hash-chained, per-query, local | None | None | | Maintenance status | Active (this release) | Active, 55k stars | Archived since Feb 2023 | | License | Apache 2.0 | MIT | MIT | | Runtime deps (Reddit client) | 0 -- native fetch | n/a (Python, browser-session based) | request, request-promise, ws (all deprecated) |

Numbers measured directly against each repo's public GitHub metadata and, for the dependency comparison, against snoowrap's own published package.json as of this writing -- reproducible by anyone with gh api repos/<owner>/<repo>.

We started building auditreach's Reddit client on top of snoowrap, the most-used Reddit API wrapper in the Node ecosystem. Installing it pulled in request, request-promise, form-data, and har-validator -- a dependency chain with 4 CRITICAL and multiple HIGH severity advisories, none of which snoowrap can fix because the project has been archived since 2023. We rewrote the Reddit client as a direct fetch-based OAuth2 client against Reddit's own documented REST endpoints instead: same functionality, zero of those CVEs, zero extra runtime dependencies. npm audit --audit-level=high on this repo returns clean.

What it does

node dist/cli.js search --platform reddit --query "agent memory poisoning" --subreddit MachineLearning

AuditReach v0.1 -- Official-API Research CLI
Platform: Reddit  |  Auth: OAuth script-app grant, read-only, public-subreddit scope

Fetching... (official API, rate-limit aware)
✓ 14 results returned (Reddit API Terms -- public content, official API, read-only script-app credentials)

RESULTS (14)
[1] "How are people testing for memory poisoning in long-running agents?"
    u/some_researcher · 2026-07-05T14:22:00.000Z
    https://reddit.com/r/MachineLearning/comments/...
...

Audit log entry written: ar_2026-07-12_9f3c2a
Consent basis: Reddit API Terms -- public content, official API, read-only script-app credentials
Full results: ./auditreach-results-2026-07-12.json
Full audit trail: ./auditreach.log.jsonl

Every entry in auditreach.log.jsonl is hash-chained -- each entry's hash is computed from its own content, and the next entry references it. Editing, deleting, or reordering an entry breaks the chain:

$ node dist/cli.js verify-log
Verifying ./auditreach.log.jsonl...
✓ Chain intact: 14 entries, no gaps, no tampering detected.

# after someone hand-edits a line in the log file:
$ node dist/cli.js verify-log
Verifying ./auditreach.log.jsonl...
✗ Chain broken at entry 3 (ar_2026-07-12_9f3c2a): entry ar_2026-07-12_9f3c2a hash does not
  match its own content -- entry was edited after being written

Getting started

1. Install: see Install above -- npx auditreach-cli, npm install -g auditreach-cli, or clone and build from source.

2. Set up credentials for the platform you want to search (BYO-key -- your own, never ours):

node dist/cli.js auth --platform reddit
# Prompts for Client ID, Client secret, username, password.
# Create a script-app at https://www.reddit.com/prefs/apps first.

node dist/cli.js auth --platform youtube
# Prompts for an API key.
# Create one at https://console.cloud.google.com/apis/credentials

All credentials are stored in your OS keychain (@napi-rs/keyring), never in a config file, never transmitted anywhere except the platform's own official auth endpoint. Once credentials are set, verify them without running a real search:

node dist/cli.js auth --platform reddit --verify

3. Search:

node dist/cli.js search --platform reddit --query "your query" --subreddit some_subreddit
node dist/cli.js search --platform youtube --query "your query" --channel @SomeChannel

Honest note on setup time: getting your own API credentials from Reddit and Google takes a few minutes the first time -- this is slower than Agent-Reach's cookie-import flow (which just reuses a browser session you already have) by design. BYOK means the setup cost is real, not hidden.

Commands

auditreach has four subcommands. Every flag below is pulled directly from the CLI's own --help output, not from memory of what it used to support.

auditreach search

Search a platform using its official API only.

| Flag | Description | | ------------------------- | ----------------------------------------------------------------------------------------------- | | --platform <platform> | reddit | youtube (required) | | --query <query> | search query (required) | | --subreddit <subreddit> | restrict search to one subreddit (Reddit only) | | --channel <handle> | restrict search to one channel, e.g. @AnthropicAI (YouTube only) | | --since <date> | only results published after this date, e.g. 2026-06-01 (YouTube only) | | --max-results <n> | maximum results to return (default: 25; platform caps: 100 Reddit / 50 YouTube) | | --before <fullname> | page results before this Reddit fullname cursor, e.g. t3_abc123 (Reddit only) | | --after <fullname> | page results after this Reddit fullname cursor, e.g. t3_abc123 (Reddit only) | | --output <path> | write full results JSON to this path | | --json | print structured JSON to stdout instead of human-readable output, for scripts and agent callers |

node dist/cli.js search --platform reddit --query "agent memory poisoning" --subreddit MachineLearning --max-results 50
node dist/cli.js search --platform reddit --query "agent memory poisoning" --json | jq '.results | length'

auditreach auth

Set up, verify, or clear BYOK credentials for a platform (stored in your OS keychain).

| Flag | Description | | ----------------------- | -------------------------------------------------------------------------------------------------- | | --platform <platform> | reddit | youtube (required) | | --clear | delete stored credentials for this platform | | --verify | verify stored credentials are valid without running a search (no results file, no audit-log entry) | | --json | print structured JSON to stdout instead of human-readable output |

node dist/cli.js auth --platform reddit --verify

auditreach verify-log

Verify the local hash-chained audit log has not been tampered with.

| Flag | Description | | --------------- | ---------------------------------------------------------------------------- | | --path <path> | path to the audit log file (defaults to ./auditreach.log.jsonl if omitted) |

node dist/cli.js verify-log --path ./auditreach.log.jsonl

auditreach mcp

Run a Model Context Protocol server over stdio (built on the official @modelcontextprotocol/sdk), exposing exactly 3 tools so an AI agent can call this CLI directly instead of shelling out and parsing stdout:

| Tool | Equivalent to | Notes | | ------------- | ------------------------------------------------ | -------------------------------------------------------------------------------------- | | search | auditreach search --json | Same parameters: platform, query, subreddit/channel, since, maxResults, before/after | | auth_status | auditreach auth --platform <p> --verify --json | Read-only. Checks whether stored credentials are valid -- cannot set or clear them | | verify_log | auditreach verify-log --json | Same parameters: path |

node dist/cli.js mcp
# or, once published: npx auditreach-cli mcp

Setting up or clearing BYOK credentials (auditreach auth --platform <p> / --clear) is deliberately not exposed over MCP -- that stays a local-CLI-only, human-driven action, so a calling agent can check whether credentials work but can never provision or wipe them itself. See .well-known/agent.json for the machine-readable manifest (auth requirements, tool schemas, invocation commands) that an agent or agent registry can read to discover this server without a human reading the README first.

auditreach usage: sending a raw MCP initialize + tools/list JSON-RPC request over stdio to auditreach mcp and getting back the three registered tools

Run auditreach <command> --help any time to see the exact flags your installed version supports.

Library API reference

auditreach-cli is also importable as a library, not just a CLI. Every export below comes straight from dist/index.d.ts in the published package.

import {
  RedditClient,
  YoutubeClient,
  getCredential,
  setCredential,
  deleteCredential,
  getRedditCredentials,
  getYoutubeCredentials,
  appendAuditLogEntry,
  getLastEntryHash,
  computeEntryHash,
  verifyAuditLogChain,
  credentialFingerprint,
  canonicalJson,
  sha256Hex,
  DEFAULT_AUDIT_LOG_PATH,
  executeSearch,
  checkAuthStatus,
  executeVerifyLog,
  buildMcpServer,
  runMcpServerCommand,
} from "auditreach-cli";

Clients

  • new RedditClient(credentials: RedditCredentials) -- talks to Reddit's official OAuth API only, using the password grant ("script app" flow). .search(options: RedditSearchOptions): Promise<SearchOutcome>, .verifyCredentials(): Promise<void>.
  • new YoutubeClient(credentials: YoutubeCredentials) -- wraps the official YouTube Data API v3. .search(options: YoutubeSearchOptions): Promise<SearchOutcome>, .verifyCredentials(): Promise<void> (a 1-quota-unit call, no query needed).
const credentials = getRedditCredentials();
if (!credentials) throw new Error("run `auditreach auth --platform reddit` first");

const client = new RedditClient(credentials);
const outcome = await client.search({
  query: "agent memory poisoning",
  subreddit: "MachineLearning",
});

Credentials (setCredential / getCredential / deleteCredential / getRedditCredentials / getYoutubeCredentials) -- all credential I/O goes through this module. It's the one place allowed to touch a raw secret; values come back only to hand directly to a client's constructor, never to log or print.

Audit log

  • appendAuditLogEntry(entryWithoutHash: UnhashedAuditLogEntry, logPath?: string): Promise<AuditLogEntry> -- the only write path into the log; entries are never edited or deleted in place.
  • getLastEntryHash(logPath?: string): Promise<string | null>
  • computeEntryHash(entry: UnhashedAuditLogEntry): string
  • verifyAuditLogChain(logPath?: string): Promise<ChainVerificationResult> -- re-derives every entry's hash and checks the chain end to end.
  • DEFAULT_AUDIT_LOG_PATH -- "./auditreach.log.jsonl"
const result = await verifyAuditLogChain();
if (!result.valid) {
  console.error(`Chain broken at entry ${result.brokenAtIndex}: ${result.reason}`);
}

Crypto utilities

  • canonicalJson(value: unknown): string -- recursively sorts object keys so the same logical entry always serializes to the same bytes, which the hash chain depends on to verify deterministically.
  • sha256Hex(input: string): string
  • credentialFingerprint(secret: string): string -- keeps only the last 6 hex characters of the hash, enough to distinguish rotated keys in a local audit log, never enough to be a partial credential leak.

Command cores and MCP

  • executeSearch(args), checkAuthStatus(platform), executeVerifyLog(path?) -- the same programmatic cores the search / auth --verify / verify-log CLI commands and the MCP tools both call into; none of them write to console/stdout, so they're safe to call from any host, including one sharing stdout with an MCP transport.
  • buildMcpServer({ version }): McpServer -- constructs the MCP server (from @modelcontextprotocol/sdk) with the search / auth_status / verify_log tools registered, without starting a transport -- useful for testing or embedding in a larger MCP server.
  • runMcpServerCommand({ version }) -- what auditreach mcp runs: builds the server and connects it over stdio. Never returns while the server is running.

No generated API docs site exists yet (no TypeDoc build wired into CI) -- the exports above are the complete public surface. Check dist/index.d.ts in the published package for exact types.

The Python package (auditreach-cli on PyPI) exposes the same surface with snake_case names -- from auditreach import RedditClient, YoutubeClient, get_reddit_credentials, verify_audit_log_chain, ... -- see python/README.md for the full Python API reference.

Platform coverage

| Platform | API used | Status | Known constraint | | ----------- | ----------------------------------------------- | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Reddit | Reddit API (OAuth2 password grant, direct REST) | Shipped | Rate limits are generally workable for real research volumes | | YouTube | YouTube Data API v3 (googleapis) | Shipped | Quota-based (10,000 units/day default), generally workable | | X (Twitter) | X API v2 | Not yet shipped | X's official API pricing and post-volume caps have been widely reported as prohibitive for small teams doing meaningful research since the 2023 pricing changes. Deferred until a real user needs it enough to fund working around that constraint -- shipping it half-working would undercut the entire "honest about what official APIs can and can't do" premise this tool is built on. |

Result limits

--max-results <n> controls how many items a single search call returns. Leave it off and auditreach silently applies a default of 25 -- the same shape of surprise PRAW's get_comments() had for years (praw#119): a caller who does not already know to pass the flag gets a quietly truncated result set.

| Platform | Default (flag omitted) | Maximum (--max-results) | | -------- | ---------------------- | ------------------------- | | Reddit | 25 | 100 | | YouTube | 25 | 50 |

Values above the cap are silently clamped to it. For Reddit, --before/--after let you page through a search's result set using the real cursor Reddit's own response returns, up to Reddit's own ~1,000-item search cap (see Success stories for why cursor pagination alone can't go further than that); YouTube has no equivalent yet. Whenever the number of items returned equals the limit that was actually applied, whether that is the silent default or an explicit --max-results value, auditreach prints a warning to stderr telling you more results may exist and how to raise --max-results (up to the platform cap).

What is a "consent basis," honestly

The consent_basis field on every audit-log entry names the specific platform API terms and auth mechanism used for that query. It certifies that the request went through the platform's official, documented API surface under the credentials you supplied. It does not certify that your specific use case is legally sufficient for your jurisdiction or contract -- that determination is yours to make, informed by an accurate, complete, tamper-evident record of what actually happened.

Self-hosting / local-only by default

Nothing about auditreach requires a hosted account or server. Every command runs entirely on your machine; the audit log is a plain file you own. This is the same flow as Install above:

git clone https://github.com/RudrenduPaul/auditreach.git
cd auditreach
npm install
npm run build
node dist/cli.js search --platform reddit --query "..."

Development

TypeScript (this package):

npm install
npm run lint          # ESLint
npm run format        # Prettier check
npm run typecheck     # tsc --noEmit --strict
npm run test:coverage # vitest, 66 tests, 95.4% statement coverage

Python (python/):

cd python
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest                # 82 tests

See CONTRIBUTING.md for the rules on adding a new platform client -- the short version: official API only, honest rate-limit disclosure, tests that mock the network boundary, never anything that reads or writes a raw credential outside src/auth/credential-store.ts (or python/src/auditreach/auth/credential_store.py on the Python side).

Security

See SECURITY.md for the vulnerability disclosure policy. A pre-launch OWASP/STRIDE review found zero CRITICAL/HIGH findings and one moderate, non-directly-reachable supply-chain advisory that has since been resolved -- npm audit on this repo currently returns zero vulnerabilities. GitHub secret scanning and push protection are enabled on this repo.

Success stories

Four real issues reported against praw-dev/praw -- PRAW, Reddit's official Python API wrapper, and the closest thing this project has to prior art -- root-caused against auditreach's own source and used to close genuine gaps in this tool before it had a single outside user. Each line below is tied to the actual report that prompted it.

  • praw#614 (@mananwason) -- asked how to page past Reddit's ~1,000-result search cap. The real fix is narrower than that: Reddit's own API returns no before/after cursor at all once you're past that cap, cursor-based paging or not -- confirmed directly in the issue thread. What search() actually does now is extract the real cursor from Reddit's response (SearchOutcome.nextCursor) and expose --before/--after flags so you can page through the results within a single search's capped result set, instead of only ever seeing the first page. Going past the 1,000-item cap itself needs cloudsearch timestamp-window re-querying, which isn't built yet.
  • praw#1939 (@Auditormadness9) -- hit an undiagnosed 400 error caused by a subreddit name that still carried a leading r/ prefix. Search errors now name that specific cause when it's the likely culprit: previously the CLI just returned a bare status code and left the guessing to you.
  • praw#984 (@MaxMatti) -- asked for a simple way to check whether Reddit bot credentials were still valid, without PRAW's confusing getMe()-recursion workaround. auditreach auth --platform reddit --verify does exactly that now: one lightweight check, no search required, nothing written to disk.
  • praw#119 (@nsp) -- hit PRAW's historic silent 25-result default, discoverable only by reading an unrelated base class's docstring; PRAW's own maintainer admitted he "wasn't sure the best way to make this clear." --help and this README now state the real default and per-platform caps, and a runtime warning fires whenever a search actually got truncated.

FAQ

What is auditreach, and what makes it different from other Reddit/YouTube research tools? It is a BYOK CLI (and MCP server) that talks to Reddit and YouTube only through their official, documented APIs, using your own API keys, and writes a hash-chained audit-log entry for every query -- platform, endpoint, scope, and the specific consent/ToS basis for that call. The differentiator is what it refuses to do: no cookie import, no shared-session scraping, no code path that pretends to be a logged-in human. See Why auditreach exists for the full reasoning and How it compares for the table against named alternatives.

What platforms and versions does auditreach run on? The npm package (auditreach-cli) requires Node.js 20 or newer (engines field in package.json). The PyPI package (also auditreach-cli) requires Python 3.10+ (requires-python in python/pyproject.toml), which also carries the Operating System :: OS Independent classifier. Credentials go into your OS keychain through @napi-rs/keyring (npm) or keyring (PyPI) instead of a config file, so there is no platform-specific setup beyond having Node or Python installed.

Does auditreach store my Reddit or YouTube credentials anywhere? No. Credentials go straight into your OS keychain through @napi-rs/keyring (src/auth/credential-store.ts). There is no config file, no environment variable, and no code path that writes a raw credential to disk.

How many results does a search return by default, and can I get more? 25, silently, unless you pass --max-results -- see Result limits. The hard cap is 100 for Reddit and 50 for YouTube. A stderr warning fires whenever a search actually hits the applied limit, whether that's the silent default or an explicit value you passed.

How do I check my credentials are still valid without running a real search? node dist/cli.js auth --platform reddit --verify (or --platform youtube). It performs the minimal authenticated check and reports pass or fail, with no --query needed, no results file written, and no audit-log entry appended.

Is the audit log actually tamper-evident, or just a log file? Tamper-evident: each entry's hash is computed from its own content and the next entry references it, so verify-log can point to the exact entry a hand-edit broke. See the demo under What it does.

What are auditreach's current limitations? Two worth knowing up front. First, X (Twitter) is not shipped -- X API v2's pricing and post-volume caps have been prohibitive for small teams doing real research since the 2023 changes; see Platform coverage. Second, Reddit paging: search() reads the real after/before cursor out of Reddit's own response and exposes --before/--after flags to page through a single search's result set, but that does not get you past Reddit's own ~1,000-item search cap -- see the praw#614 success story for what the fix covers and doesn't.

How does the MCP server mode work? auditreach mcp (npm) or pipx run auditreach-cli mcp (PyPI) starts a Model Context Protocol server over stdio, built on the official @modelcontextprotocol/sdk / mcp SDKs. It exposes exactly 3 tools -- search, auth_status (read-only, cannot set or clear credentials), and verify_log -- each a thin wrapper around the same programmatic core the CLI commands use, so nothing is reimplemented for the agent path. See auditreach mcp above for the full tool table and .well-known/agent.json for the machine-readable manifest an agent registry can read directly.

How does auditreach compare to Agent-Reach specifically? Agent-Reach covers more platforms (six, versus auditreach's two) by importing a logged-in browser session and scraping as that user, at zero API cost. auditreach only calls official, documented APIs with your own keys and writes a hash-chained consent/audit entry per query; it has no session-import code path at all. Neither approach is strictly better -- they're built for different buyers. See How it compares for the full side-by-side.

Is auditreach free to use commercially, and what does the license actually require? Yes. auditreach is Apache 2.0 (see LICENSE), which permits commercial use, modification, and redistribution, including as part of a closed-source product. The conditions are: include a copy of the license with anything you redistribute, mark any files you modified, and keep the existing copyright/attribution notices. It does not grant rights to auditreach's name or trademarks.

Contributing

See CONTRIBUTING.md for the rules on adding a new platform client. Short version: official API only, honest rate-limit disclosure, tests that mock the network boundary, never a code path that reads or writes a raw credential outside src/auth/credential-store.ts.

License

Apache 2.0. See LICENSE.