npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

privateer-agent

v0.4.1

Published

Privateer — a provider-agnostic, safe-by-default terminal coding agent with TEE/Tinfoil attestation, rebuilt on the Pi toolkit. Bring your own model across 20 providers.

Downloads

1,451

Readme

curl -fsSL https://privateer.pro/install.sh | sh    # installs the `privateer` command
npx privateer-agent                                 # or run it instantly, nothing installed

Point it at a frontier model today and a local Ollama model tomorrow — OpenRouter, Anthropic, OpenAI, Google, xAI, Groq, Mistral, Z.ai (GLM), DeepSeek, Qwen, local Ollama, NEAR AI or Tinfoil (verifiable TEE inference), Venice / Fireworks (no-retention inference), and any custom OpenAI-compatible endpoint (LM Studio, vLLM, llama.cpp…) are interchangeable at /model time, including mid-session. No model lock-in, no separate code paths. MCP servers, sub-agents, scheduled routines, and one-tap approval from your phone are included — and every one of the agent's actions runs through a safe-by-default permission gate.

Why Privateer?

  • No lock-in. One agent, every provider. /model swaps mid-session and your config, commands, and agents come along for the ride. No vendor's models are privileged.
  • No API key required. Bring your own key from any supported provider, run keyless against a local Ollama — or /signin to bill a Privateer account instead.
  • Safe by default. Every edit, shell command, and network call is classified and gated before it runs; destructive commands are blocked even in unattended runs. You stay in control, whether you're watching or not.
  • Privacy you can verify, not just trust. Confidential-enclave (TEE) inference is cryptographically attested — not a policy promise — and an on-device PII gate warns before structured personal data ever leaves your machine for an unverified model.
  • It's Pi underneath. Privateer is a distribution of the Pi coding agent — every Pi extension, skill, and command works, and Privateer's own features are just extensions you can read, swap, or build on. Nothing to compile. See Built on Pi.

Built on Pi

Privateer is a distribution of the Pi coding agent (@earendil-works/pi-coding-agent): Pi is the runtime, the model routing, the interactive TUI, and the extension / skill / prompt discovery system — everything that works in Pi works here. What Privateer adds is a moat of Pi extensions layered on top:

| Extension | What it adds | |---|---| | privateer-gate | safe-by-default permission gate + destructive-command danger filter | | privateer-context | loads PRIVATEER.md project context (like AGENTS.md/CLAUDE.md) + the /init command | | privateer-privacy | pi-privacy — TEE attestation, ZDR routing, on-device PII gate — bound to the account tier resolver | | privateer-account | /signin billed inference against a Privateer account (device flow) | | privateer-posture, privateer-tools | live attestation shield + Privateer tool pack | | rpiv-web-tools | private-by-default web search (self-hosted SearXNG, no WebView) | | pi-mcp-adapter, pi-subagents | MCP servers · bounded parallel sub-agents |

They're ordinary Pi extensions — inspect them, replace them, or build your own alongside. Extend by discovery: drop an extension into ~/.privateer/agent/extensions/ (move the home with PRIVATEER_HOME), add a skill or prompt beside it, or list an npm/git package under packages in ~/.privateer/agent/settings.json — Pi auto-loads them on next launch, right next to Privateer's own. Any extension from the Pi ecosystem loads the same way. (There's no CLI flag for this — discovery is the entry point.)

The floor you can't lower is the safety gate. While it's loaded, its block on destructive shell commands, secret exfiltration, and plan-mode escapes sits above every relaxation — bypass mode, the approval allowlist, even a phone-approved remote turn can't fire them silently. The moat is swappable; the floor under it holds.

Highlights

  • Private, verifiable inference via NEAR AI and Tinfoil: every model runs inside a Trusted Execution Environment, a live status shield reflects the attestation, and /verify fetches and checks the cryptographic report on demand — genuine proof the inference ran on real confidential hardware, not a terms-of-service page.
  • On-device PII gate. Before a prompt goes to an unverified channel, Privateer scans it locally for structured personal data (emails, phone numbers, SSNs, cards, IBANs, IPs…) and offers to redact or hold it — detection never leaves your machine, and an attested TEE channel skips the check because it provably can't read your data anyway.
  • Honest privacy posture, graded. A verified TEE and a "we promise not to retain" policy are never rendered the same — the badge tells you exactly how strong the guarantee is (cryptographically verified → observable → policy → none).
  • Approve it from your phone. Link the terminal to the Privateer app with /remote-access (off by default) and Allow/Deny every action remotely while execution stays on your machine — supervise long agent runs from anywhere.
  • Scheduled routines. A background daemon runs approved tasks unattended — cron or one-off — and the agent can schedule its own follow-up work. Results deliver to a file, the next session, your phone, email, or a webhook.
  • MCP servers, sub-agents & skills. Connect Model Context Protocol servers (local stdio or remote HTTP with OAuth), delegate work to bounded parallel sub-agents, and drop in skills — all gated like everything else.
  • Zero-Data-Retention surfacing for OpenRouter — see the selected model's retention posture before you send, and pin routing to zero-retention endpoints.
  • Plan mode, checkpoint/rewind, session branching, a modal prompt with / command and @ file autocomplete, ! shell passthrough, background shells, and image attachment for vision-capable models.

Quickstart

curl -fsSL https://privateer.pro/install.sh | sh    # or: npm install -g privateer-agent
export OPENROUTER_API_KEY=sk-or-...                 # one provider is enough — or skip and /signin
privateer                                           # launches the interactive agent

First run walks you through picking a provider and default model. From there, just type. No install at all: npx privateer-agent.

Install

npm install -g privateer-agent          # installs the `privateer` command
# or run it without installing:
npx privateer-agent
# or the one-liner installer (verifies Node, then installs globally):
curl -fsSL https://privateer.pro/install.sh | sh

Requirements: macOS or Linux, Node.js ≥ 22.19.0.

From source:

git clone https://github.com/privateer-agent/privateer-agent.git
cd privateer-agent
npm install
npm start            # launches the interactive agent

Configure a provider

Privateer reads credentials from environment variables (or sign in to an account and skip keys entirely). One provider is enough to start:

export OPENROUTER_API_KEY=sk-or-...      # gateway to ~everything
export ANTHROPIC_API_KEY=sk-ant-...
export OPENAI_API_KEY=sk-...
export GEMINI_API_KEY=AIza...            # Google
export XAI_API_KEY=xai-...               # xAI (Grok)
export GROQ_API_KEY=gsk_...              # Groq
export DEEPSEEK_API_KEY=sk-...           # DeepSeek
export OLLAMA_BASE_URL=http://localhost:11434/v1   # local, keyless
export NEAR_AI_API_KEY=...               # verifiable TEE inference (cloud.near.ai)
export TINFOIL_API_KEY=...               # verifiable TEE inference (tinfoil.sh)
export VENICE_API_KEY=vapi_...           # no-retention inference
export PRIVATEER_API_KEY=sk-priv-...      # Privateer developer API (privateer.pro); or /signin instead

Pick a model with /model (browse each configured provider's live catalog) or pass one directly as provider/model — e.g. openrouter/anthropic/claude-opus-4.8, ollama/qwen3-coder, nearai/zai-org/GLM-5.1-FP8. Any OpenAI-compatible server (LM Studio, vLLM, llama.cpp) works as a custom provider — just give it a base URL.

Override the config location with PRIVATEER_HOME.

Context files — PRIVATEER.md

Give the agent standing knowledge about your project — conventions, common commands, domain notes — by dropping a PRIVATEER.md in the directory. Privateer loads it automatically at the start of every turn and prepends it to the model's system prompt, exactly the way Pi loads AGENTS.md / CLAUDE.md (all three are recognized, and all matching files are concatenated).

Run /init to scaffold a starter PRIVATEER.md in the current directory, then edit it. The startup banner shows a line with the loaded file's path (and a +N count when ancestor files also apply), or a /init hint when none is found.

Discovery mirrors Pi's context-file lookup: the global agent dir (~/.privateer/agent/PRIVATEER.md) first, then every directory from the filesystem root down to the current one — so a repo-root PRIVATEER.md applies to every subdirectory, and a deeper file can refine it. AGENTS.md and CLAUDE.md continue to work unchanged; use --no-context-files (-nc) to disable context-file loading entirely.

Private & verifiable inference

NEAR AI Cloud and Tinfoil run every model inside a Trusted Execution Environment — a confidential VM where TLS terminates inside the enclave, so your prompt's inputs, weights, and outputs are invisible to the infrastructure provider, the model provider, and the host itself. It isn't "trust us": each request can produce a cryptographic attestation proving the inference ran on genuine TEE hardware.

  • A status shield colors the selected model's live posture — 🟢 verified, 🟡 returned but unconfirmed, 🔴 no attestation material.
  • /verify fetches the attestation on demand and prints the evidence. Privateer does a pragmatic terminal-suited check; take the printed report to the NEAR AI Cloud Verifier or the Tinfoil verifier for full quote-chain validation.
  • The posture is graded honestly. A verified enclave (cryptographic), a pinned zero-retention route (observable), and a provider's retention promise (policy) are labeled distinctly — a claim never gets to read like a proof.

The PII gate

Before any prompt is sent to a channel that isn't verified-private, Privateer scans it locally for structured personal data — emails, phone numbers, SSNs, credit-card numbers (Luhn-checked), IBANs (mod-97), IP and MAC addresses. If it finds any, it warns and offers to redact or send as-is (or remember your choice for the session). Detection is deterministic and on-device — no model ever sees the data in order to find it — and it's skipped entirely on an attested TEE or on-device channel, which provably can't read your prompt anyway. It's best-effort structured-PII detection, labeled as such — a safety net, not a guarantee.

Privateer account (billed inference)

Instead of bringing your own key, run /signin to sign into a Privateer account — an app-brokered device flow where you approve a short code in the Privateer app, so wallet and email accounts work identically and no password or key ever touches the terminal. Inference is then billed to your subscription and defaults to a NEAR TEE model. Sign out any time with /signout; manage linked terminals from the app.

Only approve a sign-in code you generated yourself. The code authorizes this terminal to spend on your account. If someone sends you a code and asks you to approve it, don't — that hands them a billed session on your account.

Approve from your phone

Turn on /remote-access (off by default) to link this terminal to the Privateer app. The app can then drive the terminal — prompts come down, and each proposed action goes up for Allow/Deny — while execution stays on your machine. The relay is live-only (nothing is archived), carries no keys, and output is size-truncated and run through a best-effort secret redactor before it leaves.

Permission modes

| Mode | Behavior | |---|---| | default | prompt before edits and shell commands | | acceptEdits | auto-approve file edits; still prompt for shell commands | | bypass | no prompts (destructive commands are still blocked) | | plan | read-only; the agent presents a plan, then you approve to proceed |

Switch with /mode. Even in bypass, a danger filter blocks destructive shell commands, and protected files (.env, shell rc files…) are guarded — the gate is never fully off.

Extend it

Everything below is a Pi extension loaded by discovery (see Built on Pi) — drop your own into ~/.privateer/agent/extensions/ and it loads the same way, gated like the rest.

  • MCP servers (pi-mcp-adapter) — declare them and their tools become first-class, gated like the rest (local stdio, or remote HTTP with interactive OAuth).
  • Sub-agents (pi-subagents) — delegate investigations to bounded parallel agents that run under the same permission gate.
  • Routines — saved tasks the daemon runs unattended; ask the agent to schedule work and approve it once.
  • Web tools (rpiv-web-tools) — private-by-default web search/fetch with pluggable backends (self-hosted SearXNG for fully private search).

Develop

npm run typecheck
npm test

Changelog

Release notes and what's new in each version live on the GitHub releases page. Privateer keeps its startup clean — the app won't dump a changelog into your terminal.

License

MIT © Patrick