kxco-pq-cli

v1.2.1

CLI for KXCO post-quantum institution key management: generate ML-DSA-65 keypairs, rotate keys with optional on-chain anchoring, sign files, and verify signatures without writing any code.

Downloads

2,407

CLI for KXCO post-quantum institution key management. Generates ML-DSA-65 keypairs, rotates institution keys with optional on-chain anchoring, signs files, and verifies signatures — without writing any code.

When to use this

  • Institutions managing their post-quantum identity from the command line
  • DevOps and infra teams who need key rotation without writing Node.js
  • Scripting identity operations in CI/CD pipelines

If you need to do any of this programmatically in your own application, use kxco-post-quantum or kxco-post-quantum-webhook instead.

Install

npm install -g kxco-pq-cli
kxco-pq --help

You also need kxco-post-quantum available as a peer dependency:

npm install -g kxco-post-quantum

Commands

kxco-pq keygen

Generate a deterministic ML-DSA-65 keypair from a 32-byte master secret and an info label. Writes hex files to --out-dir.

kxco-pq keygen \
  --master 'ab83...64 hex chars...e7' \
  --info   'my-institution-v1' \
  --out-dir ./keys

Outputs:

  • keys/secret-key.hex — 4032-byte secret key, hex-encoded. Store in a secrets manager, chmod 600. Never commit.
  • keys/public-key.hex — 1952-byte public key, hex-encoded.
  • keys/kid.txt — 16-character hex fingerprint. This is what receivers pin.

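The keypair is deterministic: the same --master and the same --info always produce the same kid, so a lost key can be restored from the master secret. The reverse also holds: anyone who obtains the master secret and the info label can regenerate the secret key, so protect the master secret as strictly as secret-key.hex. A master secret passed as a literal --master argument, as in the example above, is recorded in shell history and visible in the process list while the command runs.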
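A post-keygen check of the three output files against the sizes and file mode listed above, as an added example that is not part of kxco-pq-cli. The helper names check_keydir, hex_len and file_mode are hypothetical, and the kid comparison assumes kxco-pq fingerprint prints only the kid.

```sh
#!/bin/sh
# Added example (not part of kxco-pq-cli): sanity-check a keygen --out-dir.
# check_keydir, hex_len and file_mode are hypothetical helper names.

# Print the number of hex characters in a file; fail if the file is empty or
# holds anything other than hex digits and whitespace.
hex_len() {
  data=$(tr -d ' \t\r\n' < "$1") || return 1
  case "$data" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  printf '%s' "${#data}"
}

# Octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_keydir() {
  dir=$1
  rc=0
  # Sizes from the README: 4032-byte secret key, 1952-byte public key,
  # 16-character kid. Hex encoding doubles the byte counts.
  for spec in secret-key.hex:8064 public-key.hex:3904 kid.txt:16; do
    f=$dir/${spec%%:*}; want=${spec##*:}
    if [ ! -f "$f" ]; then echo "FAIL $f: missing"; rc=1; continue; fi
    got=$(hex_len "$f") || { echo "FAIL $f: not pure hex"; rc=1; continue; }
    [ "$got" -eq "$want" ] || { echo "FAIL $f: $got hex chars, want $want"; rc=1; }
  done
  # The README asks for chmod 600 on the secret key.
  if [ -f "$dir/secret-key.hex" ]; then
    mode=$(file_mode "$dir/secret-key.hex")
    [ "$mode" = 600 ] || { echo "FAIL secret-key.hex: mode $mode, want 600"; rc=1; }
  fi
  # If the CLI is installed, kid.txt must match the public key's fingerprint
  # (assumes the fingerprint command prints nothing but the kid).
  if [ "$rc" -eq 0 ] && command -v kxco-pq >/dev/null 2>&1; then
    kid=$(kxco-pq fingerprint "@$dir/public-key.hex" | tr -d ' \t\r\n')
    [ "$kid" = "$(tr -d ' \t\r\n' < "$dir/kid.txt")" ] ||
      { echo "FAIL kid.txt: does not match fingerprint of public-key.hex"; rc=1; }
  fi
  return "$rc"
}
```

Source the file and run check_keydir ./keys after keygen; it prints one FAIL line per problem and returns non-zero if any check fails.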


kxco-pq fingerprint

Compute the kid for a public key without spinning up any application code.

kxco-pq fingerprint @./keys/public-key.hex

Accepts a hex string directly or a @file reference. Prints the 16-char hex kid.


kxco-pq rotate

Rotate to a new keypair. Derives the new keypair, builds a signed rotation manifest (signed by the outgoing key so existing receivers can verify the handoff), and produces an updated .well-known/kxco-pq-pubkey document.

kxco-pq rotate \
  --old-secret @./current-keys/secret-key.hex \
  --old-kid    a1b2c3d4e5f60718 \
  --new-master '<32-byte master for the new key, hex>' \
  --info       'my-institution-v2' \
  --issuer     'chain.kxco.ai' \
  --out-dir    ./rotated-keys

Outputs (in --out-dir):

  • secret-key.hex, public-key.hex, kid.txt — new keypair
  • manifest.json — RFC 8785 JCS-canonical rotation manifest, signed by the old kid
  • well-known.json — ready to publish at https://<issuer>/.well-known/kxco-pq-pubkey

After running:

  1. Publish well-known.json at the well-known URL.
  2. Publish manifest.json at https://<issuer>/.well-known/kxco-pq-rotation/<new-kid>.json.
  3. Tell receivers to add the new kid to their pinnedKids[] alongside the old one.
  4. After the drain window, retire the old kid and discard its secret key.

kxco-pq attest sign

Sign any file with ML-DSA-65 and emit a self-contained JSON attestation envelope.

kxco-pq attest sign \
  --secret-key @./keys/secret-key.hex \
  --public-key @./keys/public-key.hex \
  --file       payload.json \
  --out        payload.attestation.json

The envelope contains algorithm, signerKid, issuedAt, payload (base64url), and signature (base64url ML-DSA-65). Any counterparty can verify it without trust delegation.


kxco-pq attest verify

Verify an attestation envelope against a known public key.

kxco-pq attest verify \
  --public-key  @./keys/public-key.hex \
  --attestation payload.attestation.json

Prints VALID with signer kid, issue timestamp, and payload size — or INVALID with a reason and exits 1.


Key rotation on-chain

Pass --relay and --identity-file to anchor the rotation to the KXCO chain in the same operation:

kxco-pq rotate \
  --old-secret    @./current-keys/secret-key.hex \
  --old-kid       a1b2c3d4e5f60718 \
  --new-master    '<new master hex>' \
  --info          'my-institution-v2' \
  --issuer        'chain.kxco.ai' \
  --out-dir       ./rotated-keys \
  --relay         https://relay.kxco.ai \
  --identity-file ./identity.json

--identity-file must be a JSON file containing { "kid": "<hex>", "secretKey": "<hex>" }: the institution identity used to sign the chain transaction. Because the file holds a secret key, protect it the same way as secret-key.hex. On success the command prints the transaction hash and block number alongside the standard rotation output.

What this does NOT do

  • It is not a wallet. It does not hold, transfer, or custody assets of any kind.
  • It is not for managing end-user credentials. If you need to issue or verify user-level post-quantum identities programmatically, use kxco-post-quantum.

Part of the KXCO stack

| Package | Purpose |
|---------|---------|
| kxco-post-quantum | Core ML-DSA-65 primitives (keygen, sign, verify, fingerprint) |
| kxco-post-quantum-webhook | Runtime webhook signing and verification for Node.js frameworks |
| kxco-pq-cli | Operator CLI — keygen, rotation, attestation; no application code required |

All cryptographic operations delegate to kxco-post-quantum, which wraps @noble/post-quantum — audited by Cure53 (2024). Private key bytes are never echoed to stdout.

To report a vulnerability, open a private security advisory or email [email protected].

License

Apache 2.0. See LICENSE.

Maintainers

Shayne Heffernan and John Heffernan — KXCO by Knightsbridge

Knightsbridge Law · target150.com · livetradingnews.com