AI review loop
Source-aware review
AI review looks at the source, scanner evidence, and package context before it can recommend a final action.
- Prioritize packages that need additional review.
- Download and inspect package source in a read-only review environment.
- Build focused source context plus scanner hints; AI returns verdict, action, rationale, and evidence.
- Finalize the decision into the internal catalog and publication layer.
- Retain confirmed malicious artifacts in a restricted evidence archive.
- Prepare public-safe report data and publish the client-facing verdict.
Feedback loop
Learning without auto-blocks
Every malicious finding makes the next run smarter without making the system overconfident.
- OSV/GHSA exact identities become hard block records; AI-confirmed malicious packages become package-version blocks.
- Confirmed malicious artifacts are retained for restricted evidence review.
- Scanner source fingerprints and trusted malicious package archive signatures are kept as routing intelligence.
- Future packages matching those signatures are routed to source-first AI.
- Exact trusted identity → block.
- Source-fingerprint similarity → route to AI.
- AI confirms → block + archive + future evidence.
Similarity creates friction; AI or trusted intel creates final block authority — so the system never collapses into a dangerous "similarity says block."
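The three routing rules above, worked through as an added example (not code from the page or the product it describes). It assumes a source fingerprint is a set of tokens compared by Jaccard similarity, and that the names `route`, `finalize` and `Action` are hypothetical; the point it demonstrates is that similarity alone can only route to AI, while a block is issued only by an exact trusted identity or an AI confirmation, which then feeds the next run.

```python
from dataclasses import dataclass
from enum import Enum

class Action(str, Enum):
    BLOCK = "block"        # final block authority: trusted identity or AI confirmation
    ROUTE_TO_AI = "route"  # friction only: send to source-first AI review
    ALLOW = "allow"

@dataclass
class Decision:
    action: Action
    reason: str
    archive: bool = False  # retain the artifact in the restricted evidence archive

def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity of two source fingerprints (assumed here to be token sets)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def route(pkg: str, version: str, fingerprint: frozenset,
          trusted_blocks: set, malicious_fps: list, threshold: float = 0.6) -> Decision:
    """Pre-AI routing: only an exact trusted identity may block at this stage."""
    if (pkg, version) in trusted_blocks:
        return Decision(Action.BLOCK, "exact trusted identity (OSV/GHSA or prior AI-confirmed)")
    best = max((jaccard(fingerprint, fp) for fp in malicious_fps), default=0.0)
    if best >= threshold:
        # Similarity never blocks on its own; it only creates friction.
        return Decision(Action.ROUTE_TO_AI, f"fingerprint similarity {best:.2f} >= {threshold}")
    return Decision(Action.ALLOW, "no trusted identity or similarity signal")

def finalize(pkg: str, version: str, fingerprint: frozenset, pre: Decision,
             ai_verdict: str, trusted_blocks: set, malicious_fps: list) -> Decision:
    """Apply the AI verdict and update the feedback-loop state for future runs."""
    if pre.action is not Action.ROUTE_TO_AI:
        return pre  # exact block or allow already stands
    if ai_verdict == "malicious":
        trusted_blocks.add((pkg, version))  # becomes a package-version block record
        malicious_fps.append(fingerprint)   # retained as routing intelligence
        return Decision(Action.BLOCK, "AI confirmed malicious", archive=True)
    return Decision(Action.ALLOW, f"AI verdict: {ai_verdict}")

if __name__ == "__main__":
    blocks = {("evil-pkg", "1.0.0")}                                   # constructed block record
    fps = [frozenset({"eval", "base64", "child_process", "http"})]   # constructed fingerprint
    new_fp = frozenset({"eval", "base64", "child_process", "fs"})    # constructed lookalike
    pre = route("lookalike", "0.1.0", new_fp, blocks, fps)
    print(pre)  # routed to AI, not blocked
    print(finalize("lookalike", "0.1.0", new_fp, pre, "malicious", blocks, fps))
```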