npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mailproof

v0.8.0

Published

Email-native multi-party coordination kernel: turns a promise made over email into proof. DKIM/DMARC-verified replies, a tamper-evident git ledger, workflow sequencing, and email triggers. Extracted from gitdone.

Downloads

376

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hamr0hamr0

Keywords

emaildkimdmarcgitledgeraudit-trailtamper-evidentworkflowcoordinationmulti-partyverificationvanilla-jsnodejs

Readme

mailproof

Email-native multi-party coordination kernel. Verify a reply, sequence it through a workflow, commit it to a tamper-evident git ledger, trigger the next email.

Status — P1 (lift) + m7c (verification) + m7d (triggers) are COMPLETE. Being extracted from gitdone. A consumer can create() a bound instance and ingest() inbound replies end to end: verify + the inbound decoder (DKIM/DMARC auth + MIME parse), sequence routing, inbound preprocessing, outbound, the full git-ledger storage, both sequencing engines (events workflow + crypto sign-off), the document notary with inbound auto-hash capture, the offline verify()/reverify() primitives + their public email endpoints, and the trigger pillar (12 neutral-templated occasion kinds). 307 node --test tests pass with 2 runtime deps; the public surface ships JSDoc-generated, checkJs-gated TypeScript declarations. Next is P2 — validate by rebuilding gitdone on mailproof. See docs/ (PRD, DESIGN, SPEC).

The idea

A lot of coordination is just: ask some named people to confirm something, in an order, and prove they did. mailproof does that entirely over emailno app, no login for participants. They reply from their normal inbox; that's it.

  • Verify — each inbound reply is graded by DKIM/DMARC trust level (via mailauth); the signer's public key is archived so the reply still verifies after key rotation.
  • Sequence — replies advance one of two generic modes: an events workflow (ordered / parallel steps among named participants) or a crypto sign-off (verified signers — one, several named, or open via a shared address — counted toward a threshold, optionally bound to a hashed document).
  • Git ledger — every reply is committed to a per-event git repo. The commit chain is the tamper-evident, offline-verifiable proof: clone it and check it with stock git, forever, even if the service disappears.
  • Email triggers — composes and sends the next notification / reminder through your own MTA (Postfix + opendkim). Self-hosted: more config, full control, no third-party mail dependency.

Accept-with-flag

Every inbound reply is committed — even rejected ones (wrong sender, failed DKIM, out of order). A counted flag records whether it advanced state. The audit trail stays complete; trust gates the transition, never the record.

Status

| Phase | State | |---|---| | P0 — composition proof (POC) | ✅ npm run poc | | P1 — lift real modules + tests | ✅ COMPLETE — verify + inbound decoder (DKIM/DMARC auth + MIME parse), sequence routing, inbound preprocessing, outbound, git-ledger storage, workflow + crypto sign-off engines, document notary (incl. auto-hash capture), and the create()/ingest() assembly | | m7c — verification surface | ✅ COMPLETE — durable DKIM-key archive, offline verify()/reverify(), OTS-proof anchoring, public verify+/reverify+ email endpoints | | m7d — trigger pillar | ✅ COMPLETE — every kernel-derivable occasion (state/time/bounce/verify) as one of 12 neutral-templated kinds over one composeNotification hook | | P2 — gitdone depends on mailproof | ⬜ next — validate by rebuilding gitdone on mailproof (non-merging branch) |

Install

npm i mailproof   # 2 runtime deps (mailauth, mailparser); Node ≥ 22.5

Pure ESM (import, "type": "module") + JSDoc, no consumer build step. The public surface ships JSDoc-generated, strictNullChecks checkJs-gated TypeScript declarations, so import … from 'mailproof' gives TS consumers a checked surface. The git ledger shells out to the git binary directly (no simple-git), so storage stays dependency-free.

Pre-1.0: the API can still change shape between 0.x minors (SemVer 0.x). P2 (rebuilding gitdone on it) is the surface-validation phase.

Try the POC

npm run poc   # stdlib + git only: runs a 2-step workflow, prints the ledger + outbox, self-asserts

Requires Node ≥ 22.5. The POC has no dependencies; the lifted library has 2 runtime depsmailauth (DKIM/DMARC/ARC) and mailparser (MIME), both required because verifying/parsing untrusted mail is security-critical (a vetted library, never hand-rolled). Budget: ≤3.

Docs

Start at docs/README.md. The PRD covers what mailproof is, who adopts it, and the NO-GO table; DESIGN covers the extraction boundary (what's in mailproof vs. what stays gitdone policy), the planned public API, and the phasing; the decisions log records the design forks with rationale.

License

Apache-2.0 © hamr0