npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

nexus-al-mcp

v0.1.2

Published

Accountability Ledger MCP proxy — tamper-evident audit trail for AI agent tool calls (EU AI Act Art. 12)

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

veridion-nexusveridion-nexus

Keywords

mcpgdpreu-ai-actcomplianceauditveridionaccountability-ledger

Readme

nexus-al-mcp — Accountability Ledger MCP Proxy

Sits between your AI agent and any MCP server. Every tool call is intercepted, identity-verified, and logged as a tamper-evident compliance record.

Satisfies EU AI Act Art. 12 (logging) and GDPR Art. 30 (records of processing).

How it works

Agent → nexus-al-mcp proxy → upstream MCP server
                 ↓
         Rust API (/api/acm/*)
                 ↓
         PostgreSQL (tool_call_events, hash-chained)

Every tool call is logged before forwarding. Fail-closed: if logging fails, the call is blocked.

Quick start (dev mode — 30 minutes)

1. Get your credentials

Sign up at veridion-nexus.eu → register your agent → copy your Agent ID and Service Token.

2. Install

npx nexus-al-mcp

3. Configure Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "nexus-al": {
      "command": "npx",
      "args": ["-y", "nexus-al-mcp"],
      "env": {
        "AL_API_BASE_URL": "https://api.veridion-nexus.eu",
        "AL_SERVICE_TOKEN": "your_service_token",
        "AL_AUTH_MODE": "dev_bypass",
        "AL_DEV_CLIENT_ID": "agt_your_agent_id",
        "UPSTREAM_MCP_MODE": "stdio",
        "UPSTREAM_MCP_COMMAND": "npx -y your-upstream-mcp-server"
      }
    }
  }
}

4. View logs

Open app.veridion-nexus.eu → ACM Overview → see every tool call logged.

Environment variables

| Variable | Required | Default | Description | |----------|----------|---------|-------------| | AL_API_BASE_URL | Yes | http://localhost:8080 | Rust API URL | | AL_SERVICE_TOKEN | Yes | — | Service token for /api/acm/* | | AL_AUTH_MODE | No | jwks | dev_bypass or jwks | | AL_DEV_CLIENT_ID | dev_bypass | — | Fixed agent client_id for testing | | UPSTREAM_MCP_MODE | No | stdio | stdio or sse | | UPSTREAM_MCP_COMMAND | stdio | — | Command to launch upstream MCP server | | UPSTREAM_MCP_ARGS | No | [] | JSON array of args for upstream command | | UPSTREAM_MCP_URL | sse | — | SSE endpoint for upstream server | | AL_ORIGIN_COUNTRY | No | DE | Origin country for transfer records | | AL_EEA_EXTRA_COUNTRIES | No | — | Comma-separated extra EEA codes |

Production (OAuth 2.1)

For production, set AL_AUTH_MODE=jwks and configure:

  • AL_OAUTH_ISSUER — your authorization server URL
  • AL_OAUTH_AUDIENCE — expected audience claim
  • AL_JWKS_URI — JWKS endpoint (defaults to {issuer}/.well-known/jwks.json)

Every agent must have a registered oauth_client_id in the agents table.

What gets logged

Each tool call creates a ToolCallEvent with:

  • Agent identity (from OAuth token, not self-reported)
  • Tool name and input field names (not values — data minimisation)
  • Context trust level (trusted / degraded / untrusted)
  • SHA-256 hash chain (tamper-evident)
  • OTel trace_id for delegation chain (when W3C traceparent header present)

Optional side-records:

  • DataTransferRecord — when tool call involves non-EEA transfer
  • HumanOversightRecord — when degraded trust + high-risk AI system

License

UNLICENSED — proprietary.