npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

capos

v0.1.2

Published

Host-side JavaScript/TypeScript client for capOS, the capability operating system: a Node client over the remote-session loopback bridge (https://cap-os.dev).

Readme

capos (JavaScript / TypeScript)

Host-side JavaScript/TypeScript client for capOS, a research capability operating system where every resource is a typed Cap'n Proto capability.

This package is the working base for the host-side capOS SDK in JS/TS: a pure, dependency-free Node client that speaks the same loopback HTTP protocol capOS serves to its own browser remote-session UI. Today it covers connecting, authenticating, listing the forwarded CapSet, and reading session metadata; more of the typed capability surface follows.

Install

npm install capos

Pure TypeScript compiled to ESM with bundled type declarations. Requires Node 20 or newer (uses the built-in global fetch); zero runtime dependencies.

Quickstart against a live capOS

Boot a live capOS from the repo root. make run-cloud-prod-remote-session-web-ui-l4 builds the Phase C userspace network-stack image and serves the remote-session web UI from inside the guest, reached on a host-forwarded port (guest :8080). That self-served UI keeps all authority server-side and requires a password login; the L4 proof provisions operator / capos. Point the client at the forwarded port:

import { Client } from "capos";

const client = new Client({ baseUrl: "http://127.0.0.1:<PORT>" });
await client.connect();

const { capCount, profile } = await client.loginPassword({
  account: "operator",
  password: "capos",
});
console.log(`logged in as ${profile} (${capCount} caps)`);

for (const cap of await client.listCapset()) {
  console.log(cap.name, cap.interfaceIdHex, cap.transferPolicy);
}

console.log(await client.sessionInfo());
console.log(await client.systemMotd());

Running examples/hello.mjs against that live capOS:

capos hello.mjs driving a live capOS remote session

capos 0.1.2
logged in as operator — profile operator (4 caps)

--- MOTD ---
backend SystemInfo call returned 2215 MOTD bytes (kept server-side)

--- session ---
principal: operator (operator)
profile:   operator   auth: password

--- CapSet (4) ---
  session            0x80b87169c39aaf1c  backend-held
  system_info        0xfbbdc602980cb986  backend-held
  adventure          0xd5dc40d973e75b84  backend-held
  chat               0xd5dc40d973e75b84  backend-held

Using the client

import { Client } from "capos";

const client = new Client({ baseUrl: "http://127.0.0.1:8080" });
await client.connect();               // GET; picks up any minted cookies

await client.loginPassword({ account: "operator", password: "capos" });
// Some deployments (the host-side bridge) also allow anonymous login:
// await client.loginAnonymous({ profile: "operator" });

const caps = await client.listCapset();     // Cap[] from the authoritative view
const session = await client.sessionInfo();  // redacted SessionInfo
const motd = await client.systemMotd();      // { text } or redacted { motdBytes }

Behavior notes

loginAnonymous() defaults its profile to anonymous (least privilege, matching the server's own default). Pass { profile: "operator" } explicitly when you want the operator console.

Protocol notes

capOS's remote-session web surface is a loopback-only, same-origin HTTP API. Every state-changing POST is guarded by an Origin allowlist and a CSRF double-submit token that mirrors the capos_csrf_token cookie. Browsers satisfy these implicitly; this client reproduces them for a headless caller — it keeps a cookie jar of whatever the server mints (the session cookie is capos_remote_session on the self-served capOS UI and capos_browser_session on the host bridge) and attaches the Origin, Cookie, and X-CSRF-Token header to each POST.

All authority stays server-side. The response envelope's view is the authoritative browser-safe snapshot, so caps and session metadata are read from it; per-route payloads are redacted (a CapSet list carries no interface owners, and the self-served MOTD call returns only the banner's byte length, not its contents). The client only exchanges DTOs and never holds an invokable capability. Why that boundary holds — capability forwarding versus this data bridge — is documented in the capOS capability model.

Links

Licensed under either of MIT or Apache-2.0 at your option.