AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `scripts/migrate/phase-scaffold.ts` writes `.cursor/rules/migration-tooling-policy.mdc` during migration.
- `scripts/migrate/templates/cursor-rules.ts` creates an always-applied Cursor policy pointer with upstream links.
- `scripts/migrate.ts` runs `bun install` only during the user-invoked migration bootstrap.
- `scripts/sync-blocks-to-kv.ts` can send configured content to Cloudflare KV only with explicit `--write` and CF credentials.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `scripts/generate.ts` guards execution as a CLI and only spawns packaged generator scripts.
- KV and cache-purge networking is tied to explicit CLI flags and supplied Cloudflare/purge credentials.
- No source evidence of credential harvesting, covert exfiltration, remote payload loading, or destructive install-time behavior.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
scripts/audit-observability-config.test.tsView on unpkg · L309Package source references dynamic require/import behavior.
scripts/audit-observability-config.test.tsView on unpkg · L309A single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/sync-blocks-to-kv.tsView on unpkg · L77Package source invokes a package manager install command at runtime.
scripts/generate-invoke.test.tsView on unpkg · L220This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/generate.tsView on unpkg