npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

wiki-security-author

v0.2.0

Published

Federated wiki security: per-site authorization from a local identity file, with provenance-stamped journal actions. For local mirror farms ONLY - identity is asserted, not proven.

Readme

wiki-security-author

⚠️ LOCAL USE ONLY — identity is asserted, not proven. Do not face the internet.

This security module trusts a plain JSON file on the local machine to say who you are. That is exactly right for a personal mirror farm on 127.0.0.1, and exactly wrong for anything reachable by anyone else.

Per-site authorization for a local mirror farm of public Federated Wiki sites — the offline-authoring half of a two-farm setup where real DNS normally serves the public domains remotely and a local farm serves the same page folders when you toggle offline.

Who you are comes from a local identity file (the machine is the login):

// ~/.wiki/local-author.json
{
  "name":  "David Bovill",     // provenance display name
  "id":    "david",            // matched against owner.json oauth2.id/username
  "admin": true,               // optional: edit every site, wiki admin
  "sites": ["david.*"]         // optional: extra editable-site globs
}

What it does

  • Per-site authorization. A site is editable when identity.admin is set, when the site's status/owner.json oauth2 id/username equals identity.id, or when the domain matches one of the identity.sites globs. Everything else is readable, not writable. Unclaimed sites (no owner.json) are editable — fork-and-claim still works. No identity file → the whole farm is read-only.
  • Provenance stamping. Every journal action saved through this server is stamped with "author": {"name": ..., "id": ...} — an additive field that travels with the page through sync and forks, so offline edits stay attributable after they reach the live site.
  • Mirror cue. The client bundle marks every mirror-served wiki with a warm parchment background, an amber top stripe, and a small local mirror badge — so when /etc/hosts is diverting real domain names you always know you are looking at the local copy, not the live site.
  • window.isLocalMirror flag. The client also sets window.isLocalMirror = true at script load — the machine-readable form of the same fact. Local-first plugins (e.g. wiki-plugin-terminal) use it to offer live behaviour on mirror-served public domains, where the hostname alone says nothing about being local. Live sites never serve this client, so the flag never appears there.

Install

npm install wiki-security-author   # in the wiki install (same node_modules as wiki-server)

Then start the farm with:

wiki --security_type author --farm --data ~/path/to/mirror

wiki-server resolves --security_type author to this package by name (wiki-security-author), the same convention as wiki-security-friends and wiki-security-passportjs.

Design note

This module is the strangler seam for future p2p / trust-graph security (Proof of Understanding, human.tech): replace the identity file with key material and the two authorization functions with attestation checks; nothing else in the wiki needs to change.

License

MIT