pq-verifiable-archive

v1.0.0

Post-quantum document anchoring to Algorand mainnet with ML-DSA-65 (NIST FIPS-204) signatures. MCP server for AI agents. Pay-per-anchor REST API via x402.

PQ Verifiable Archive

Post-quantum tamper-evidence for any signed document. Anchor a SHA-256 hash to Algorand mainnet, get back a self-contained proof bundle signed with ML-DSA-65 (NIST FIPS-204) that anyone can verify offline — decades from now, without trusting any vendor.

Works with any signing tool: DocuSign, HelloSign, Adobe Sign, or a plain PDF. You bring the signed document; this adds the quantum-resistant notarization layer.

Live on Algorand mainnet. Real transactions, real ML-DSA-65 signatures, working offline verifier.

Why this exists

Today's e-signature platforms use RSA or ECDSA. Both are broken by a large-enough quantum computer. NIST finalized ML-DSA (FIPS-204) in 2024 and CNSA 2.0 mandates PQC migration in federal procurement by ~2030–2035. Documents signed today need to be verifiable in 2040.

What's different

| Property | DocuSign / Adobe Sign | PQ Verifiable Archive |
|---|---|---|
| Quantum-resistant | No (RSA / ECDSA) | Yes — ML-DSA-65 + Algorand Falcon-512 state proofs |
| Offline-verifiable | No — requires vendor servers | Yes — 3 of 5 checks need no network at all |
| Vendor-independent | No — trust the platform | Yes — verify against a public permissionless chain |
| PII on-chain | n/a | None — only irreversible SHA-256 hashes are anchored |
| Works with any signer | No | Yes — bring any signed PDF |
| Standards | RSA / ECDSA | NIST FIPS-204, SHA-256, JCS (RFC 8785) |

Use as an MCP tool (AI agents)

Add to claude_desktop_config.json or .claude/settings.json:

{
  "mcpServers": {
    "pq-verifiable-archive": {
      "command": "npx",
      "args": ["tsx", "/path/to/pq-verifiable-archive/src/mcp-server.ts"],
      "env": {
        "ALGORAND_MNEMONIC": "your 25-word mnemonic",
        "DOCUSIGN_MLDSA_PUBLIC_KEY": "hex-encoded ML-DSA-65 public key",
        "DOCUSIGN_MLDSA_PRIVATE_KEY": "hex-encoded ML-DSA-65 private key",
        "DOCUSIGN_KEY_REGISTRATION_TXN_ID": "algorand txn id from npm run register-key"
      }
    }
  }
}

Claude (or any MCP-compatible agent) can then call:

  • anchor_document — anchor a SHA-256 hash to Algorand, receive a proof bundle
  • verify_bundle — run all 5 post-quantum verification checks on any bundle

Self-hosted MCP is free. You pay only Algorand's network fee (~$0.0002 per anchor).

Hosted API (pay-per-use)

If you don't want to run your own node, call the hosted REST endpoint:

# Without payment — returns 402 with payment instructions
curl -X POST https://pq-verifiable-archive-production.up.railway.app/api/anchor \
  -H "Content-Type: application/json" \
  -d '{"hash":"<sha256 hex>","envelope_id":"contract-001"}'

# With x402 payment ($0.01 USDC on Algorand)
curl -X POST https://pq-verifiable-archive-production.up.railway.app/api/anchor \
  -H "Content-Type: application/json" \
  -H "payment-signature: <x402 payment header>" \
  -d '{"hash":"<sha256 hex>","envelope_id":"contract-001"}'

Price: $0.01 per anchor. Verification is always free.

OpenAPI spec: /openapi.json — machine-readable for LLMs, tools, and code generators.

Self-hosted quick start

git clone https://github.com/m-reynaldo35/pq-verifiable-archive.git
cd pq-verifiable-archive
npm install
cp .env.example .env   # fill in ALGORAND_MNEMONIC + ML-DSA keys
npm run generate-wallet   # or use existing wallet
npm run register-key      # registers your ML-DSA-65 key on Algorand
npm start                 # HTTP server on :3000
npm run mcp               # MCP server (stdio) for AI agents

Generate a sample document and verify it:

npx tsx scripts/generate-sample-pdf.ts
npm run verify -- --bundle bundles/sample-contract-bundle.json --pdf assets/sample-contract.pdf

Required env vars (see .env.example): ALGORAND_MNEMONIC, DOCUSIGN_MLDSA_PUBLIC_KEY, DOCUSIGN_MLDSA_PRIVATE_KEY, DOCUSIGN_KEY_REGISTRATION_TXN_ID.

Optional: X402_TREASURY_ADDRESS to enable pay-per-anchor on /api/anchor.

How verification works

The verifier (npm run verify) exits with code 0 for VALID, 1 for INVALID, and 2 for an operational error.

| Step | Check | Offline? |
|---|---|---|
| 1 | ML-DSA-65 signature over bundle (NIST FIPS-204) | Yes |
| 2 | SHA-256(PDF) matches bundle.documentHash | Yes |
| 3 | Merkle proof walks from hash to root | Yes |
| 4 | Algorand txn note contains merkle root | AlgoNode (not DocuSign) |
| 5 | Falcon-512 state proof covers the anchor round | AlgoNode (not DocuSign) |
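
Checks 2 and 3 from the table need only the document bytes and the bundle. The following is an added example, not the project's verifier: it assumes the Merkle tree sorts each sibling pair before hashing (the merkletreejs `sortPairs` convention), since the bundle's `merkleProof` lists hashes without left/right positions. `verifyOffline`, `buildSample` and the sample documents are constructed for illustration.

```javascript
// Added example (not project code). Assumption: sibling pairs are sorted before
// hashing (merkletreejs `sortPairs` style); merkleProof carries no positions.
const { createHash } = require("node:crypto");

const sha256 = (buf) => createHash("sha256").update(buf).digest();

// Buffer.from(x, "hex") silently truncates at the first invalid character,
// so reject anything that is not exactly one SHA-256 digest in hex.
function hexToDigest(h) {
  if (typeof h !== "string" || !/^[0-9a-f]{64}$/i.test(h)) {
    throw new TypeError("expected 64 hex characters");
  }
  return Buffer.from(h, "hex");
}

// Check 2: SHA-256(document bytes) must equal bundle.documentHash.
function checkDocumentHash(docBytes, bundle) {
  return sha256(docBytes).equals(hexToDigest(bundle.documentHash));
}

// Check 3: fold each sibling into the running node, compare with merkleRoot.
function checkMerkleProof(bundle) {
  let node = hexToDigest(bundle.documentHash);
  for (const sibling of bundle.merkleProof.map((h) => hexToDigest(h))) {
    node = sha256(Buffer.concat([node, sibling].sort(Buffer.compare)));
  }
  return node.equals(hexToDigest(bundle.merkleRoot));
}

function verifyOffline(docBytes, bundle) {
  try {
    if (!checkDocumentHash(docBytes, bundle)) return "INVALID: documentHash";
    if (!checkMerkleProof(bundle)) return "INVALID: merkleProof";
    return "VALID";
  } catch {
    return "INVALID: malformed bundle"; // truncated or non-hex fields, missing proof
  }
}

// Constructed sample: a 4-leaf tree built with the same pairing rule.
function buildSample() {
  const docs = ["contract A", "contract B", "contract C", "contract D"].map((s) => Buffer.from(s));
  const leaves = docs.map(sha256);
  const parent = (a, b) => sha256(Buffer.concat([a, b].sort(Buffer.compare)));
  const n01 = parent(leaves[0], leaves[1]);
  const hex = (b) => b.toString("hex");
  return { doc: docs[2], bundle: { documentHash: hex(leaves[2]),
    merkleProof: [hex(leaves[3]), hex(n01)],
    merkleRoot: hex(parent(n01, parent(leaves[2], leaves[3]))) } };
}
```

A truncated digest such as the `"0569e7cb..."` placeholders in the README's sample bundle is reported as a malformed bundle rather than being partially decoded.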

Who uses this

  • HR platforms — offer letters, NDAs, termination agreements with quantum-proof audit trail
  • Legal tech — tamper-evident contract archive that survives vendor shutdown
  • Healthcare — patient consent forms (no PII on-chain — HIPAA-compatible)
  • AI agents — autonomous agents executing agreements need immutable, verifiable receipts
  • Anyone signing documents today that need to be verifiable in 2040

Proof bundle (example)

{
  "protocol": "pqva/1",
  "envelopeId": "contract-2026-001",
  "documentHash": "0569e7cb...",
  "merkleRoot": "97d5d40b...",
  "merkleProof": ["9b1b4a3c...", "34b53407..."],
  "algorandTxnId": "QIS2LWKE...",
  "algorandRound": 62052659,
  "blockTimestamp": "2026-06-11T13:50:11.808Z",
  "stateProofRound": 62052864,
  "docusignSigners": [
    { "name": "Jordan Avery", "email": "[email protected]", "signedAt": "2026-06-11T13:48:02Z" }
  ],
  "algorithm": "ml-dsa-65",
  "mldsaPublicKey": "...",
  "signature": "75483d62..."
}

Full schema: docs/architecture.md

Tech stack

| Component | Choice |
|---|---|
| Post-quantum signatures | @noble/post-quantum — ML-DSA-65 (NIST FIPS-204) |
| Blockchain | Algorand mainnet — Falcon-512 state proofs |
| AI agent interface | @modelcontextprotocol/sdk — MCP stdio server |
| Payments | @x402-avm/express — x402 on Algorand (GoPlausible) |
| Merkle trees | merkletreejs — SHA-256 |
| Canonical JSON | canonicalize — JCS, RFC 8785 |
| Runtime | TypeScript + Node.js via tsx |

License

MIT — free to use, self-host, and fork.