npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

n2-ark

v2.2.1

Published

AI Firewall — Rust-inspired rule engine that makes it physically impossible for AI to break the rules. If the AI can't solve the logic, it can't do anything.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

lagi01lagi01

Keywords

ai-safetyai-firewallmcpguardrailsagent-safetystate-machineblacklistrule-enginellm-safetyai-security

Readme

KR 한국어

🛡️ n2-ark

AI Firewall — If the AI can't solve the logic, it can't do anything.

npm v2.2.0 license Apache-2.0 node >=18 zero dependencies

A rogue AI won't follow the rules — so n2-ark makes it impossible to skip them.

💬 From the Developer

n2-ark is the last bastion.

I built this thinking of a final shield — one that blocks the dangers of AI so humans and AI can coexist safely. I hope this opens the door to a world where AI and humans can live together in safety.

The Problem

AI agents are getting more powerful — and more dangerous:

  • Claude bought an online course with a user's credit card "because it seemed helpful"
  • OpenClaw (formerly Moltbot) made autonomous purchases and card payments without user consent
  • Manus Bot made phone calls and sent SMS messages autonomously
  • Rogue agents have been reported deleting entire systems with rm -rf /

Prompt-level safety only works if the AI cooperates. A rogue AI doesn't cooperate.

The Solution

n2-ark is a code-level AI firewall. It doesn't ask the AI to behave — it makes misbehavior physically impossible.

AI Agent (any model, any platform)
    ↓ action request
┌──────────────────────────────┐
│   🛡️ n2-ark Gate             │
│                              │
│  ✅ Pass → execute            │
│  ❌ Block → hard error        │
└──────────────────────────────┘
    ↓ only approved actions
  Actual Execution

Not a soft warning. A hard gate. The action literally cannot execute.

Integration & Enforcement

🔒 Enforcement Levels — This Is Important

n2-ark provides the rules engine. But rules alone don't enforce themselves. How you integrate n2-ark determines whether it's a real firewall or just a suggestion.

| Level | Method | Enforcement | Who | |-------|--------|-------------|-----| | ⭐⭐ Library | Import n2-ark in your agent code, call ark.check() before every tool execution | Code-level enforcement — developer controls the chokepoint | Custom agents, MCP servers | | ⭐ MCP Server | Connect as MCP server, AI reads tool descriptions | Prompt-level — AI is instructed to check, but not physically forced | Claude Desktop, Cursor, Windsurf |

⚠️ MCP server alone does NOT physically enforce rules. The AI receives ark_check as a tool and is strongly instructed to call it before every action — but a rogue AI could simply skip it. For true enforcement, integrate n2-ark as a library in your agent code.

As a Library (True Enforcement)

If you're building your own AI agent, wrap your tool execution with n2-ark:

const { createArk } = require('n2-ark');
const ark = createArk({ rulesDir: './rules' });

// In your agent's tool execution loop:
async function executeTool(name, args) {
    const check = ark.check(name, JSON.stringify(args));
    if (!check.allowed) {
        throw new Error(`🛡️ BLOCKED: ${check.reason}`);
        // The tool literally cannot execute. True enforcement.
    }
    return await actualToolExecution(name, args);
}

As MCP Server (Prompt-Level)

For Claude Desktop, Cursor, Windsurf, and other MCP hosts:

{
  "mcpServers": {
    "n2-ark": {
      "command": "npx",
      "args": ["-y", "n2-ark"]
    }
  }
}

The AI will be instructed to call ark_check before every action. This provides a strong safety layer for cooperative AI, but cannot physically prevent a determined rogue agent from skipping the check.

Quick Start

npm install n2-ark
const { createArk } = require('n2-ark');

// Create the firewall — works immediately with built-in rules
const ark = createArk({ rulesDir: './rules' });

// Check every AI action before executing
const result = ark.check('execute_command', 'rm -rf /home/user');

if (!result.allowed) {
    console.log('BLOCKED:', result.reason);
    // → "Blocked by blacklist rule 'catastrophic_destruction'"
}

The Default Ruleset — The Last Shield

npm install n2-ark gives you a production-ready ruleset that works immediately. No configuration needed.

Philosophy: The Maginot Line

Normal development work is NEVER blocked. npm install, node script.js, git push, rm file.txt — all free. Only truly catastrophic actions are blocked. System-wide deletion, data exfiltration, unauthorized payments, unauthorized communications.

10 Threat Categories

| # | Category | What It Blocks | Why It's Dangerous | |---|----------|---------------|-------------------| | 1 | 💣 Catastrophic Destruction | rm -rf /, format C:, DROP DATABASE, Remove-Item -Recurse -Force | Irreversible system/data loss | | 2 | 🌐 Data Exfiltration | Reverse shells, ngrok, pastebin, curl POST, wget --post | Internal data leaked externally | | 3 | 🔑 Credential Theft | SSH keys, AWS credentials, /etc/shadow | Account takeover, privilege escalation | | 4 | 📦 Supply Chain Attacks | npm install -g, npm publish, postinstall | Malicious package distribution | | 5 | 🔀 Git History Destruction | push --force, reset --hard, remote URL changes | Permanent code history loss | | 6 | 📞 External Communication | Email, SMS, phone calls, Slack/Discord webhooks | Unauthorized communications | | 7 | 💳 Financial & Purchases | Payments, Stripe, PayPal, subscriptions | Unauthorized spending | | 8 | ⛏️ Crypto Mining | xmrig, cpuminer, stratum+tcp | Resource theft | | 9 | 🛡️ Self-Protection (3x) | .n2 file edits, ark manipulation, core filenames | Prevents disabling the firewall | | 10 | 💥 Wildcard Destruction | rm *, del *.*, Remove-Item *, shred | Mass deletion without naming files |

✅ What's NOT Blocked (Normal Dev Work)

npm install express     ← OK (local installs are free)
node server.js          ← OK
python train.py         ← OK
rm old-file.txt         ← OK (individual file deletion is fine)
git push origin main    ← OK (only --force is blocked)
npx create-next-app     ← OK
curl https://api.com    ← OK
kill -9 12345           ← OK

Triple-Layer Self-Protection

Layer 1: .n2 file paths detected      → ❌ BLOCKED
Layer 2: manipulation verbs + n2-ark   → ❌ BLOCKED
Layer 3: core filenames (gate.js etc)  → ❌ BLOCKED

Three independent layers.
Bypass one? The next one catches you.
Error after error after error. The lock cannot unlock itself.

Domain-Specific Extensions

The default ruleset is the universal last shield for all AI agents. Domain experts can add industry-specific rules from the examples/ directory.

How to Use

# 1. Copy the domain rules to your rules/ directory
cp node_modules/n2-ark/examples/medical.n2 ./rules/

# 2. Customize as needed
# 3. n2-ark auto-loads all .n2 files in rules/

Available Examples

| File | Domain | For Whom | |------|--------|----------| | financial.n2 | 🏦 Finance | FinTech developers, security officers | | system.n2 | 🖥️ DevOps | DevOps engineers, SRE | | medical.n2 | 🏥 Healthcare | Medical IT, EMR developers | | military.n2 | 🎖️ Defense | Defense system developers | | privacy.n2 | 🔒 Privacy | DPOs, privacy engineers | | autonomous.n2 | 🚗 Autonomous | Self-driving/drone developers | | legal.n2 | ⚖️ Legal | LegalTech developers |

💡 Multiple domain rules can be used simultaneously. Just place multiple .n2 files in your rules/ directory.

Audit Logging

Every block decision is automatically recorded.

data/audit/
├── 2026-03-19.jsonl    ← Today's log
├── 2026-03-18.jsonl
└── ...
{
  "timestamp": "2026-03-19T01:48:38.123Z",
  "decision": "BLOCK",
  "action": "execute_command",
  "rule": "financial_actions",
  "reason": "Blocked by blacklist rule 'financial_actions'",
  "pattern": "/payment/i"
}

MCP Tools

| Tool | Description | |------|-------------| | ark_check | MANDATORY. Check if an action is allowed. Call before ANY action. | | ark_approve | Grant human approval for a blocked action. | | ark_status | View loaded rules and state machine states. | | ark_load_rules | Load additional rules at runtime. | | ark_stats | Audit stats: blocked vs passed over N days. | | ark_reset | Reset state machines for a new session. |

.n2 Rule Syntax

@rule — Blacklist Patterns

@rule dangerous_commands {
    scope: all
    blacklist: [/rm\s+-rf/i, /DROP\s+TABLE/i]
    requires: human_approval
}

@gate — Approval Required

@gate high_risk {
    actions: [deploy_production, send_email, make_purchase]
    requires: human_approval
    min_approval_level: 1
}

@contract — Sequence Enforcement

@contract deploy_sequence {
    idle -> building : on build_start
    building -> testing : on run_tests
    testing -> production : on deploy_production
}

API Reference

createArk(options)

| Option | Type | Default | Description | |--------|------|---------|-------------| | rulesDir | string | ./rules | .n2 rule files directory | | auditDir | string | ./data/audit | Audit log directory | | strictMode | boolean | false | Block unknown actions | | auditEnabled | boolean | true | Enable audit logging | | auditPasses | boolean | false | Log passed actions too |

Methods

| Method | Description | |--------|-------------| | ark.check(name, content?, type?) | Check action. Returns { allowed, reason?, rule? } | | ark.approve(ruleName, actionName) | Grant approval | | ark.loadString(source) | Load additional rules | | ark.summary() | Get rules summary | | ark.stats(days?) | Audit statistics | | ark.reset() | Reset state machines | | ark.close() | Shutdown |

Design Philosophy

  1. Zero Trust — Never trust the AI's intentions
  2. Code over Prompts — Rules are compiled, not suggested
  3. Hard Gates — Blocked means blocked. No soft warnings
  4. Zero Dependencies — Pure Node.js, nothing to break
  5. Auditable — Every decision is logged immutably
  6. The Last Shield — Normal work is free. Only the truly dangerous is blocked

License

Apache-2.0 — Free to use, modify, and distribute.