Packages & SDKs

The monorepo ships eight TypeScript packages under @eep-dev/* and seven Python ports (install names vary: eep-signer, eep-validator, eep-gates, eep-discovery, eep-compliance-cli, eep-mcp-bridge, eep-middleware). Core libraries are framework-agnostic; @eep-dev/middleware / eep-middleware add Express, Fastify, Hono, Koa, FastAPI, Flask, and Django bindings. @eep-dev/setup-cli publishes the eep-setup binary (no Python counterpart — generate artifacts from Node). Node.js requirements are package-specific: @eep-dev/compliance-clirequires Node.js >= 22; other TS packages support Node.js >= 18.

@eep-dev/signer

HMAC-SHA256 webhook signing and verification per Standard Webhooks spec. Use it on the publisher side to sign outbound deliveries, and on the subscriber side to verify them.

Sign & Verify
import { EEPSigner, verifyEEPWebhook } from '@eep-dev/signer';


// Sign
const signer = new EEPSigner(secret);
const signature = signer.sign(webhookId, timestamp, body);


// Verify (one-liner)
const ok = verifyEEPWebhook(rawBody, req.headers, secret);

@eep-dev/validator

SSRF prevention (URL safety + DNS resolution against private IP ranges) and event type pattern validation. Use it before making any outbound HTTP request to a subscriber-provided URL.

SSRF & Event Patterns
import { validateSSRF, matchesAnyPattern } from '@eep-dev/validator';


await validateSSRF(deliveryUrl); // throws SSRFError if unsafe


const match = matchesAnyPattern(
  'com.example.entity.updated',
  ['com.example.entity.*']
); // true

@eep-dev/gates

General-purpose access control, commerce negotiation, and service discovery. The default resolver mode is strict fail-closed: if a semantic verifier is missing for a requirement type, access is denied unless explicitly configured otherwise.

Access Control
import { parseGateConfig, resolveAccess, build402Response, ProofVerifierRegistry } from '@eep-dev/gates';


// Parse and validate gate configuration
const config = parseGateConfig(entityGateJson);
const verifierRegistry = new ProofVerifierRegistry();
verifierRegistry.register({
  supportedTypes: ['payment'],
  verify: async (proof) => proof.type === 'payment' && proof.token.startsWith('pi_'),
});


// Check access
const result = await resolveAccess(agentProofs, config, 'content.papers.full_text', verifierRegistry);
if (!result.granted) {
  const body = await build402Response(config, 'content.papers.full_text', agentProofs);
  // Send HTTP 402 with body
}
Commerce State Machine
import { transition } from '@eep-dev/gates';


const t = transition('open', 'accept');
// { valid: true, to: 'accepted' }


const invalid = transition('open', 'complete');
// { valid: false, reason: 'Invalid transition' }

@eep-dev/discovery

Discovery utilities for agents: validate /.well-known/eep.json manifests, parse HTTP Link headers, and parse DNS TXT records. Implements Whitepaper §4. For manifest vs sitemap scope and GEO as informative publisher context (not a protocol test), see Discovery and the Whitepaper.

Discovery
import { validateManifest, parseLinkHeader, parseDnsTxtRecord } from '@eep-dev/discovery';


// 1. Validate manifest fetched from /.well-known/eep.json
const result = validateManifest(manifest);
if (!result.valid) console.error(result.errors);


// 2. Parse HTTP Link header
const links = parseLinkHeader('<https://example.com/eep.json>; rel="eep"');
// [{ url: 'https://...', rel: 'eep' }]


// 3. Parse DNS TXT record
const dns = parseDnsTxtRecord('v=eep1; manifest=https://example.com/.well-known/eep.json');
console.log(dns?.manifestUrl);

@eep-dev/compliance-cli

End-to-end conformance test runner for external platform audits. It reports pass/fail checks and can emit both machine-readable and human-readable reports with a score_100 summary.

Run Compliance
// TypeScript (npx)
npx @eep-dev/compliance-cli \
  --target https://api.yourplatform.com \
  --api-key sk_... \
  --entity u/test \
  --report-json ./eep-audit.json \
  --report-md ./eep-audit.md

@eep-dev/mcp-bridge

Runtime MCP↔EEP bridge that auto-synthesizes manifest/services/gates from MCP introspection and exposes a gated tool-call facade with fail-closed enforcement.

Bridge Quickstart
# Node
npx @eep-dev/mcp-bridge start --config ./bridge.config.json --port 3001


# Export manifest + gates without starting server
npx @eep-dev/mcp-bridge export-manifest --config ./bridge.config.json

@eep-dev/middleware

Mount generated EEP subscribe/stream/gate routes on an existing HTTP server. Provides EEPServer, framework routers (Express/Fastify/Hono/Koa), and adapter hooks for auth, persistence, and messaging.

Middleware
import { createEEPRouter } from '@eep-dev/middleware';


// See packages/@eep-dev/middleware/README.md for full Express/Fastify/Hono/Koa examples

@eep-dev/setup-cli

Configuration and artifact generator (binary: eep-setup). Commands include init, inject, apply (with --dry-run and --production), verify, doctor, status, upgrade, watch, rotate-secrets. Use --interactive / --answers for identity fields in CI vs TTY.

# After publish:
npx @eep-dev/setup-cli@latest init --preset exchange --out ./eep-setup.json

# From a built monorepo package:
node dist/index.js apply --config ./eep-setup.json --output ./eep-generated

# Binary name when installed:
eep-setup verify --output ./eep-generated