AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `scripts/migrate/phase-scaffold.ts` writes `.cursor/rules/migration-tooling-policy.mdc` during migration.
- `scripts/migrate/templates/cursor-rules.ts` marks that Cursor rule `alwaysApply: true` and links upstream agent policy.
- `scripts/migrate.ts` runs `bun install` and generators after the user-invoked migration command.
- `scripts/lib/cf-kv-rest.ts` uses Cloudflare API credentials to PUT/DELETE configured KV keys.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Cursor configuration is created only by explicit `deco-migrate`, not on package installation or import.
- The generated rule is an attributed migration-policy pointer; no credential harvesting or remote payload execution was found.
- Cloudflare calls are scoped to operator-provided account, namespace, token, and explicit KV sync commands.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
scripts/audit-observability-config.test.tsView on unpkg · L309Package source references dynamic require/import behavior.
scripts/audit-observability-config.test.tsView on unpkg · L309A single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/sync-blocks-to-kv.tsView on unpkg · L77Package source invokes a package manager install command at runtime.
scripts/generate-invoke.test.tsView on unpkg · L220This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/generate-schema.test.tsView on unpkg