# Kirke Labs Package Integrity Matrix

Snapshot: 2026-07-11 17:22 UTC

Machine-readable bundle: https://www.kirkelabs.com/proof/kirke-package-integrity.json

## What Changed

The local package repos now carry the metadata and release posture needed for visible, provenance-backed npm releases:

- public repository / homepage / bugs metadata where source exists
- npm/download/provenance badges on the visible packages
- `publishConfig.provenance` for public npm packages
- GitHub Actions release workflows with `id-token: write` and `npm publish --provenance --access public`
- docs, security, citation, and package files included where they were missing
- `conversion-readiness-scan` has its npm `private` blocker removed while remaining `UNLICENSED`

## Current Public Signals

| Package | Published | 30d downloads | Stars | Status |
| --- | --- | ---: | ---: | --- |
| `@kirkelabs/agent-readiness-scan` | yes | 457 | 0 | next-release provenance-ready |
| `@kirkelabs/ai-legibility-scan` | yes | 44 | 0 | next-release provenance-ready |
| `@kirkelabs/oaa-agent-kit` | yes | 202 | 0 | next-release provenance-ready |
| `@kirkelabs/walletless-kit` | yes | 492 | 0 | next-release provenance-ready |
| `@kirkelabs/oaa-mcp-governance` | no | n/a | 0 | first-release ready |
| `@kirkelabs/conversion-readiness-scan` | no | n/a | n/a | first-release ready |
| `@kirkelabs/open-agent-access-core` | yes | 732 | n/a | blocked: source repo/metadata missing |
| `@kirkelabs/open-agent-access-mcp` | yes | 171 | n/a | blocked: source repo/metadata missing |
| `@kirkelabs/open-agent-access-payments-algorand-x402` | yes | 646 | n/a | blocked: source repo/metadata missing |
| `@kirkelabs/open-agent-access-mandates` | yes | 473 | n/a | blocked: source repo/metadata missing |
| `@kirkelabs/open-agent-access` | yes | 432 | n/a | blocked: source repo/metadata missing |

## Interpretation

The packages are downloaded, but public adoption is still weak: no npm stars, no GitHub stars/forks on visible repos, no visible dependents, and no meaningful external code references.

The best next public-trust move is to locate the missing split Open Agent Access source repos, add repository/homepage/keywords/bugs metadata, and republish patch versions with provenance.

## Verification

After installing a package from npm, use:

```bash
npm audit signatures
```

Provenance appears only after a new package version is published from a supported GitHub Actions workflow or npm trusted publishing configuration.
