registry  /  @h1veframework/cli  /  0.8.0

@h1veframework/cli@0.8.0

The CLI for H1VE — the governance & memory layer for teams building with AI. Drive your feature flow (start, status, move, spec, done) from the terminal. Works with Claude Code, Cursor and Copilot.

AI Security Review

scanned 23h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `h1ve serve` command starts a paired loopback agent. A paired dashboard can write/remove local environment values or apply/delete deployment-provider environment variables using credentials supplied in its request.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `h1ve serve` and shares the printed pairing code with the dashboard.
Impact
A compromised or mistakenly paired dashboard session could alter or delete deployment secrets/configuration.
Mechanism
Paired localhost agent performs local and cloud environment-variable mutations.
Rationale
No concrete malicious chain is present: there are no lifecycle hooks, stealth persistence, or unconsented execution. The package nevertheless provides a guarded, first-party local agent capable of consequential deployment-secret mutations, so it warrants a warning.
Evidence
package.jsonREADME.mddist/index.js.env.local~/.config/h1ve/credentials.json
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes explicit `h1ve serve` local-agent endpoints that write/remove environment variables and alter deployment-provider secrets.
  • `/apply-deploy` and `/remove-deploy` accept supplied provider tokens and can mutate Vercel, Netlify, Fly, Railway, and Render environments.
  • The local agent is invoked by a user command, but it is a consequential credential/deployment mutation capability.
Evidence against
  • `package.json` has no preinstall/install/postinstall or other lifecycle hook.
  • `dist/index.js` binds the agent only to `127.0.0.1`, checks Origin/Host, and requires a random pairing token.
  • Local `.env.local` writes require the target file to be git-ignored and reject path traversal.
  • No source evidence of stealthy harvesting, remote payload loading, or exfiltration outside declared H1VE/provider API requests.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 1 file(s), 54.8 KB of source, external domains: 127.0.0.1, api.fly.io, api.netlify.com, api.render.com, api.vercel.com, app.h1ve.org, backboard.railway.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
7// ../core/src/branch.ts L8: import { execFile } from "child_process"; L9: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7
1188}); L1189: process.stdout.write( L1190: `Agente H1VE ouvindo em http://127.0.0.1:${port} L1191: Origem permitida: ${origin} ... L1203: import { randomBytes as randomBytes2 } from "crypto"; L1204: import { execFile as execFile2 } from "child_process"; L1205: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1188

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings