registry  /  @cendor/guardrails  /  0.6.0

@cendor/guardrails@0.6.0

A local-first gate for LLM apps: define a check — keyword, regex, URL, length, JSON-schema — attach it to a stage (input, tool call, tool output, output). Deterministic, microsecond, $0, and every decision is audit-grade evidence.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package performs local guardrail evaluation and optional, caller-configured integrations.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User imports the package and explicitly calls evaluation, install(), scoped(), or an optional adapter.
Impact
No unconsented persistence, exfiltration, install-time mutation, or remote execution identified.
Mechanism
Local rule evaluation with optional caller-supplied clients
Rationale
Source inspection contradicts the scanner's Trojan Source and reviewer-manipulation labels: the invisible characters implement a zero-width stripping guardrail, and the README phrase is a prompt-injection blocking example. No concrete malicious behavior was found.
Evidence
package.jsondist/index.jsdist/rules.jsdist/embeddings.jsdist/adapters.jsdist/policy.jsdist/redteam.jsREADME.md

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall scripts and exposes only dist/index.js.
    • dist/rules.js bidi-like characters are deliberate zero-width detection patterns and documentation examples.
    • dist/index.js registers only @cendor/core in-process interceptors after explicit install() or scoped() calls.
    • dist/embeddings.js dynamically imports a caller-selected local transformers module; no remote loader is present.
    • dist/adapters.js calls only caller-supplied moderation/cloud client methods.
    • No filesystem writes, shell execution, credential harvesting, or built-in network requests were found.
    Behavioral surface
    Source
    ChildProcessDynamicRequire
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 11 file(s), 112 KB of source, external domains: cendor.ai, json-schema.org

    Source & flagged code

    4 flagged · loading source
    README.mdView file
    rules.keywordDeny(['ignore previous instructions'], { action: 'block' }), // prompt-injection floor
    High
    Ai Reviewer Manipulation

    Package text addresses the security reviewer or scanner and tries to influence the review outcome.

    README.mdView on unpkg
    dist/rules.jsView file
    103contains invisible/control Unicode U+200B (zero width space) const ZERO_WIDTH_RE = /<U+200B>|<U+200C>|<U+200D>|<U+2060>|<U+FEFF>|­|<U+180E>/g;
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/rules.jsView on unpkg · L103
    Trigger-reachable chain: manifest.main -> dist/index.js -> dist/rules.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/rules.jsView on unpkg
    matchType = previous_version_dangerous_delta matchedPackage = @cendor/guardrails@0.4.0 matchedIdentity = npm:QGNlbmRvci9ndWFyZHJhaWxz:0.4.0 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/rules.jsView on unpkg

    Findings

    3 Critical1 High2 Medium2 Low
    CriticalTrojan Source Unicodedist/rules.js
    CriticalTrigger Reachable Dangerous Capabilitydist/rules.js
    CriticalPrevious Version Dangerous Deltadist/rules.js
    HighAi Reviewer ManipulationREADME.md
    MediumDynamic Require
    MediumStructural Risk Force Deep Review
    LowHigh Entropy Strings
    LowUrl Strings