npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

liceat

v0.5.0

Published

Liceat — 'let it be permitted.' The authority control plane for AI agents: issue verifiable, attenuable, revocable warrants; enforce them at the point of action; prove every decision.

Readme

◈ Liceat

Liceat (Latin: "let it be permitted" — the jussive of licet*, the root of license and licit)* — the authority control plane for AI agents. Issue verifiable, attenuable, revocable warrants; enforce them at the point of action; prove every decision. Every authorization the gateway makes is the old question answered cryptographically: licet, or non licet.

As AI moves from chat to action — agents that call tools, spend money, and delegate to other agents — every action must pass one point that answers: is this agent authorized, by whom, within what scope and limits, and can we prove it afterward? Liceat is the neutral, protocol-agnostic layer that owns that point — as imprimatur ("let it be printed") once licensed publication, Liceat licenses agent action.

What's here

A working, tested implementation of the hard core — zero runtime dependencies, only Node's built-in crypto (native Ed25519). Minimal supply-chain surface is a feature for an authority product.

  • Warrant (src/core) — an attenuable, offline-verifiable, revocable capability token (public-key Macaroon/Biscuit lineage). Solves safe multi-hop agent delegation: authority provably only narrows down the chain.
  • Caveat engine (src/core/caveats.ts) — scope, action, expiry, holder-binding (proof-of-possession), and stateful cumulative spend caps & rate limits.
  • Gateway (src/gateway) — the enforcement point: verify → evaluate → check revocation → audit → forward. Drop it in front of any tool, MCP server, API, or payment rail.
  • chokepoint-mcp (src/mcp) — warrant enforcement for any MCP server in one line, no server modification, fail-closed.
  • Tamper-evident audit ledger (src/audit) — hash-chained, independently verifiable; doubles as the state backing spend/rate limits; self-repairing disk mirror.
  • The Sentinel (src/sentinel) — continuous adversarial self-maintenance: attacks the system's cryptographic invariants (thousands of checks per cycle, zero-false-positive oracles), probes the live deployment, and self-corrects along provably safe lines (fail-closed quarantine, verified ledger repair, supervised restart).
  • Warrant Inspector (/inspect) — the public verifier every shared warrant points its recipient at. CLI, dashboard, revocation registry, issuer keystore + JWKS, and a full end-to-end demo.

Quickstart

npm install
npm test              # 28 unit + integration + conformance tests
npm run demo          # full lifecycle end-to-end over HTTP
npm run sentinel      # the adversarial battery, once (CI mode)
npm run gateway       # gateway + dashboard + inspector on :3000

Or, once published: npx liceat serve. Python: pip install liceat (sdk/python) — wire-compatible by construction: both languages verify the same frozen vectors.

Open http://localhost:3000 and click Run live demo scenario: issuance, in-scope authorization, sub-agent attenuation, out-of-scope denial, cumulative spend-cap enforcement, and revocation — each written to the tamper-evident audit chain.

Protect an MCP server in one line

liceat-mcp --gateway http://localhost:3000 --token CW1~... --label github \
  -- npx -y @modelcontextprotocol/server-github

Every tools/call is verified, caveat-checked (scope/spend/rate), revocation-checked, and audited before it reaches the server. Denials return structured JSON-RPC errors with reasons and an inspector link. Unreachable gateway ⇒ deny (fail-closed).

Use as an SDK

import { issue, attenuate, verifyWarrant, generateKeypair } from 'liceat';

const root = generateKeypair();
const { warrant, attenuationKey } = issue(root.sec, 'root-1', {
  principal: 'org:acme',
  agent: 'agent:booker',
  caveats: [
    { type: 'resource', patterns: ['pay:*'] },
    { type: 'action', actions: ['pay'] },
    { type: 'spend_limit', currency: 'USD', max: 5000 },
  ],
});
// hand a narrower warrant to a sub-agent — it provably cannot escalate
const sub = attenuate(warrant, attenuationKey, [{ type: 'action', actions: ['read'] }]);

The 60-second mental model

principal ──issue──▶  Warrant(agent, caveats)
                          │  agent can attenuate → narrower Warrant for a sub-agent
                          ▼
agent ──request + Warrant──▶  Gateway  ──verify (offline, chain)
                                        ──evaluate caveats (scope, spend, rate, pop)
                                        ──check revocation
                                        ──append to tamper-evident ledger
                                        ──forward to tool / MCP / payment rail
                          ▲
        Sentinel ── attacks invariants + probes + self-corrects, continuously

API (gateway)

| Method | Path | Purpose | |---|---|---| | POST | /issue | mint a root Warrant (admin) | | POST | /attenuate | narrow a Warrant for a sub-agent | | POST | /verify | check a Warrant against a request (no side effects) | | POST | /call | enforced + audited action through the gateway | | POST | /authorize | enforced + audited decision, no forwarding (for sidecars) | | POST | /inspect | decode + structurally verify a Warrant | | POST | /revoke | revoke by root jti (admin) | | POST | /repair-ledger | rewrite disk mirror from verified memory (admin) | | GET | /inspect | public Warrant Inspector | | GET | /audit | audit chain + integrity proof | | GET | /sentinel | latest adversarial self-check report | | GET | /.well-known/chokepoint-jwks | issuer public keys | | GET | /stats, /health, /revocations | dashboard summary, liveness, revocation list |

Continuous assurance

CI/CD is sandbox-native — no GitHub Actions required. ops/ci.sh is the full release gate (build, TypeScript suite, 300-iteration adversarial battery, and the Python SDK against the frozen conformance vectors); production runs it daily, and ops/release.sh gates every publish (npm → PyPI → MCP registry) on it. In production the Sentinel additionally re-attacks the core and probes the live gateway every 10 minutes, quarantining (fail-closed) on any proven flaw. Details and honest limits: docs/FLYWHEEL.md.

License

Business Source License 1.1 — see LICENSE.