registry  /  @cendor/guardrails  /  0.6.2

@cendor/guardrails@0.6.2

A local-first gate for LLM apps: define a check — keyword, regex, URL, length, JSON-schema — attach it to a stage (input, tool call, tool output, output). Deterministic, microsecond, $0, and every decision is audit-grade evidence.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Import-time behavior is limited to a best-effort node:async_hooks import for request scoping; guardrail interception requires an explicit consumer call.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Consumer imports the package or explicitly calls install(), scoped(), localEmbedder(), or a caller-configured hosted adapter.
Impact
No package-initiated persistence, exfiltration, remote payload execution, or destructive action established.
Mechanism
Local guardrail evaluation with optional peer loading and caller-supplied service adapters.
Rationale
Direct inspection shows a guardrail library with explicit runtime APIs and optional, user-invoked integrations. Scanner hits are explained by legitimate zero-width normalization and a dynamic import of its declared optional peer.
Evidence
package.jsondist/index.jsdist/rules.jsdist/embeddings.jsdist/policy.jsdist/adapters.jsREADME.mdINTEGRATION.md

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall or bin hook.
    • dist/index.js only registers interceptors when install() or scoped() is called by the consumer.
    • dist/rules.js uses zero-width Unicode deliberately in a sanitizer regex, not to conceal control flow.
    • dist/embeddings.js dynamically imports only the declared optional @huggingface/transformers peer when localEmbedder() is invoked.
    • No child-process, filesystem, environment-harvesting, eval, or outbound-network primitive is present in executable source.
    • Hosted-client adapters invoke caller-supplied clients; no package-controlled endpoint or credential handling was found.
    Behavioral surface
    Source
    ChildProcessDynamicRequire
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 11 file(s), 116 KB of source, external domains: cendor.ai, json-schema.org

    Source & flagged code

    4 flagged · loading source
    README.mdView file
    rules.keywordDeny(['ignore previous instructions'], { action: 'block' }), // prompt-injection floor
    High
    Ai Reviewer Manipulation

    Package text addresses the security reviewer or scanner and tries to influence the review outcome.

    README.mdView on unpkg
    dist/rules.jsView file
    103contains invisible/control Unicode U+200B (zero width space) const ZERO_WIDTH_RE = /<U+200B>|<U+200C>|<U+200D>|<U+2060>|<U+FEFF>|­|<U+180E>/g;
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/rules.jsView on unpkg · L103
    Trigger-reachable chain: manifest.main -> dist/index.js -> dist/rules.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/rules.jsView on unpkg
    matchType = previous_version_dangerous_delta matchedPackage = @cendor/guardrails@0.6.0 matchedIdentity = npm:QGNlbmRvci9ndWFyZHJhaWxz:0.6.0 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/rules.jsView on unpkg

    Findings

    3 Critical1 High2 Medium2 Low
    CriticalTrojan Source Unicodedist/rules.js
    CriticalTrigger Reachable Dangerous Capabilitydist/rules.js
    CriticalPrevious Version Dangerous Deltadist/rules.js
    HighAi Reviewer ManipulationREADME.md
    MediumDynamic Require
    MediumStructural Risk Force Deep Review
    LowHigh Entropy Strings
    LowUrl Strings