AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `scripts/migrate/phase-scaffold.ts` writes `.cursor/rules/migration-tooling-policy.mdc` during migration.
- `scripts/migrate/templates/cursor-rules.ts` marks that Cursor rule `alwaysApply: true` and points agents to upstream policy.
- `scripts/migrate.ts` runs the scaffold after an explicit `deco-migrate` invocation; default mode writes project files.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- The Cursor rule is created only by the user-invoked migration CLI and supports `--dry-run`.
- No credential harvesting, remote payload loading, eval/vm use, or unconsented package-install execution was found.
- KV and purge networking in `scripts/sync-blocks-to-kv.ts` requires explicit CLI options and configured credentials.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
scripts/audit-observability-config.test.tsView on unpkg · L309Package source references dynamic require/import behavior.
scripts/audit-observability-config.test.tsView on unpkg · L309A single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/sync-blocks-to-kv.tsView on unpkg · L77Package source invokes a package manager install command at runtime.
scripts/generate-invoke.test.tsView on unpkg · L220This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/generate-schema.test.tsView on unpkg