npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

proofkit-cli

v0.27.0

Published

AI development governance engine — prevent hallucinated completion and vanishing intent in agent-assisted software teams.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

sebamar88sebamar88

Keywords

sddspec-driven-developmentagentsaiworkflow

Readme

ProofKit

Make AI prove it works.

ProofKit is a verification engine for AI-driven development.

It prevents agents from claiming work is complete without real execution evidence.

If a command didn’t run — or failed — the system blocks progress.

Why not existing SDD frameworks?

| Feature | ProofKit / ProofKit | Spec-Kit | OpenSpec | BMAD | Agent Teams | |----------------------------------|--------------------|----------|----------|------|-------------| | Spec-driven workflow | ✅ | ✅ | ✅ | ✅ | ⚠️ Partial | | Structured artifacts | ✅ | ✅ | ✅ | ✅ | ⚠️ Partial | | Persistent state (on disk) | ✅ | ❌ | ⚠️ Partial | ⚠️ Partial | ❌ | | Execution verification | ✅ | ❌ | ❌ | ❌ | ❌ | | Blocks fake completion | ✅ | ❌ | ❌ | ❌ | ❌ | | Command execution evidence | ✅ | ❌ | ❌ | ❌ | ❌ | | Checksum validation | ✅ | ❌ | ❌ | ❌ | ❌ | | Enforced workflow transitions | ✅ | ⚠️ Soft | ⚠️ Soft | ⚠️ Soft | ❌ | | CI / Git hook enforcement | ✅ | ❌ | ❌ | ❌ | ❌ | | Anti-hallucination guarantees | ✅ | ❌ | ❌ | ❌ | ❌ |

⚠️ Partial = supported conceptually but not enforced or persisted

🚫 The problem

AI says:

"Done"

Reality:

npm test
# FAIL

✅ With ProofKit

proofkit verify --require-execution-evidence

Result:

BLOCKED: command failed (exit_code=1)

The system forces real execution before accepting completion.

Why It Exists

AI coding agents are excellent at producing code. They are much weaker at:

  • remembering why a decision was made after the chat scrolls away
  • proving that tests ran, rather than saying they did
  • keeping specs in sync when behavior changes

ProofKit turns "the agent said it passed" into structured, checksummed evidence stored in your repository. No lock-in. No operating-system lock-in. The workflow state is explicit, versioned, and repository-native in .sdd/state.json.

Try It Now (30 seconds, no setup)

Runs the full Golden Path in a temp directory and cleans up after itself:

npx -y proofkit@latest demo

What you will see:

── Step 1/7: proofkit init
   ✓ Initialized .sdd/ (adapters, agents, profiles, schemas, skills, specs)
── Step 2/7: proofkit new demo-harden-login --profile quick
   ✓ Created .sdd/changes/demo-harden-login/ (proposal.md, tasks.md, verification.md)
   ✓ Phase automatically recorded → propose
── Step 3/7: Agent fills proposal.md → status: ready
── Step 4/7: Agent closes tasks.md → status: ready
── Step 5/7: proofkit transition demo-harden-login task
   ✓ Phase recorded in .sdd/state.json → task
── Step 6/7: proofkit verify --command 'echo all-tests-pass'
   ✓ Command executed; output checksummed → .sdd/evidence/
   ✓ verification.md updated automatically → status: verified
── Step 7/7: proofkit transition archive  &&  proofkit archive
   ✓ Change closed → .sdd/archive/2026-05-05-demo-harden-login/
── proofkit validate
   ✓ Repository governance passed — zero errors

Install

uv tool install proofkit-cli

Or with pipx:

pipx install proofkit-cli

Or via the Node wrapper:

npm install -g proofkit

Or one-shot:

npx -y proofkit@latest version

Or from source (requires Python 3.11+):

uv tool install proofkit-cli --from git+https://github.com/sebamar88/ProofKit.git

User Guide

Detailed bilingual user guides live in Notion:

The guide includes:

  • Quick Start for Engineers
  • Team Workflow Guide
  • Production Rollout Guide

Each guide is split into EN and ES subpages.

Golden Path: Guard A Real Change

1) Initialize your repository

proofkit init --root my-app
proofkit validate --root my-app

2) Open a governed change

proofkit run harden-login-rate-limit --profile standard --title "Harden login rate limits" --root my-app

Result: .sdd/changes/harden-login-rate-limit/ with six artifacts — proposal.md, delta-spec.md, design.md, tasks.md, verification.md, archive.md.

run creates the change if needed, reads the artifact state, names the current phase, and tells the agent the next allowed action.

3) Give the agent a repository contract

Instead of "fix login security", point the agent at the change folder:

Run `proofkit run harden-login-rate-limit --root .` before each handoff.
Follow the phase it reports.
After each completed artifact phase, record it with `proofkit transition`.
Do not archive until `proofkit run` reports `sync-specs` or `archive`.

The agent now has a repository contract, not just a chat instruction.

4) Block fake completion

proofkit check harden-login-rate-limit --root my-app

Open tasks or missing evidence will surface here. The change cannot close cleanly.

5) Record state, verify, sync, and archive

proofkit transition harden-login-rate-limit specify --root my-app
proofkit transition harden-login-rate-limit design --root my-app
proofkit transition harden-login-rate-limit task --root my-app
proofkit verify harden-login-rate-limit --command "pytest -q" --root my-app
proofkit transition harden-login-rate-limit archive-record --root my-app
proofkit transition harden-login-rate-limit sync-specs --root my-app
proofkit sync-specs harden-login-rate-limit --root my-app
proofkit archive harden-login-rate-limit --root my-app
proofkit validate --root my-app

Outcome: the code change, specs, executed verification evidence, state transitions, checksums, and archive record all stay in the repo.

Orchestrator API (Python)

The CLI is not the only binding layer. The Python core exposes a strict workflow object for tools, adapters, and IDE integrations:

from proofkit import SDDWorkflow, WorkflowPhase

workflow = SDDWorkflow("my-app")

result = workflow.run(
    "harden-login-rate-limit",
    profile="standard",
    title="Harden login rate limits",
)

if result.state.phase == WorkflowPhase.PROPOSE:
    print(result.state.next_action)

transitioned = workflow.transition("harden-login-rate-limit", WorkflowPhase.SPECIFY)
verified = workflow.verify(
    "harden-login-rate-limit",
    commands=["pytest -q"],
    require_command=True,
)

transition(), verify(), sync_specs(), and archive() refuse invalid phase order. verify executes commands and stores reproducible logs under .sdd/evidence/ with SHA-256 checksums. That is the difference between SDD helpers and SDD enforcement.

WorkflowEngine — Agent Execution Loop

WorkflowEngine.next_step() gives agent integrations everything they need in a single call — no N+1 lookups:

from proofkit import WorkflowEngine

engine = WorkflowEngine("my-repo")
step = engine.next_step("harden-login-rate-limit")

# EngineStep(
#   phase=WorkflowPhase.TASK,
#   next_action="Complete tasks.md, close all task checkboxes, and set status to ready.",
#   suggested_command="proofkit transition harden-login-rate-limit task",
#   allowed_commands=[],
#   blocking_findings=[],
# )

# Agent-driven loop:
while not step.is_complete and not step.is_blocked:
    agent_do_work(step.next_action)
    run_command(step.suggested_command)
    step = engine.next_step("harden-login-rate-limit")

engine.guard(change_id, "archive") checks the phase gate only. engine.execute(change_id, "archive") checks the gate and executes. engine.allowed_commands(change_id) returns the gated commands that would pass right now.

Hard Enforcement

ProofKit can enforce governance at git/CI boundaries:

proofkit guard --root my-app --require-active-change --strict-state
proofkit guard --root my-app --require-execution-evidence
proofkit install-hooks --root my-app

guard fails when:

  • the repository foundation is invalid
  • a workflow is blocked
  • an archived delta was not synced into living specs
  • the policy requires an active .sdd/changes/* record and none exists
  • strict state finds stale artifact checksums
  • execution evidence is required but missing

install-hooks writes a pre-commit hook that runs:

proofkit guard --require-active-change --strict-state

That makes ungoverned commits fail locally. CI can run the same guard command server-side.

Reference

Command Guide

proofkit version
proofkit demo
proofkit init --root <path>
proofkit validate --root <path>
proofkit status --root <path>
proofkit new <change-id> --profile <profile> --title "Human intent" --root <path>
proofkit run <change-id> --profile <profile> --title "Human intent" --root <path>
proofkit transition <change-id> <phase> --root <path>
proofkit verify <change-id> --command "pytest -q" --root <path>
proofkit guard --require-active-change --strict-state --root <path>
proofkit install-hooks --root <path>
proofkit check <change-id> --root <path>
proofkit sync-specs <change-id> --root <path>
proofkit archive <change-id> --root <path>
proofkit phase <change-id> --root <path>
proofkit log <change-id> --root <path>

Add --trace to any command for component-level diagnostic output:

proofkit --trace transition my-change specify --root .
# [TRACE] REGISTRY     → transition my-change → specify
# [TRACE] REGISTRY     → require_phase my-change expected=propose
# [TRACE] INFERENCE    → workflow_state my-change

Current Status

Current release: v0.27.0

Production-ready:

  • contract-tested modular architecture
  • execution-verified workflows with checksummed evidence
  • strict guard enforcement for CI and git hooks
  • --trace mode for component-level debugging
  • Golden Path demo and CLI tooling

Influences And Attribution

ProofKit is original work, informed by MIT-licensed workflow ideas from:

Attribution and compatibility notes are in NOTICE.md.

License

ProofKit is released under the MIT License.