registry  /  @hachej/boring-core  /  0.1.65

@hachej/boring-core@0.1.65

Foundation package for boring-ui-v2 apps: DB, auth, config, HTTP app factory, and frontend app shell.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a foundation library for auth, DB, workspace/agent server composition, frontend shell, billing, mail, and migrations.

Static reason
No blocking static signals were detected.
Trigger
Consumer imports exported modules and explicitly starts/configures server, mail, billing, provisioning, or workspace-agent features.
Impact
Expected application behavior only; no unconsented install-time mutation, exfiltration, or persistence found.
Mechanism
User-configured server framework and workspace-agent integration
Rationale
Static inspection found ordinary library functionality with explicit runtime activation and package-aligned network/filesystem behavior. There are no lifecycle hooks, import-time side effects, credential exfiltration, remote payload execution, or unconsented AI-agent control-surface writes.
Evidence
package.jsonREADME.mddist/app/server/index.jsdist/server/index.jsdist/chunk-CIRY3ZLU.jsdist/chunk-3B7LU76T.jsdist/server/db/index.jsdist/shared/index.jsconfigured workspace root directoriesconfigured frontend dist files/tmp/test-mail-${process.pid}.log or console-capture configured path
Network endpoints3
api.resend.com/emailsapi.lemonsqueezy.com/v1/checkoutsapi.stripe.com/v1/checkout/sessions

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/server/index.js exposes createFsProvisioner.destroy that recursively removes a validated workspace directory when explicitly called.
  • dist/chunk-CIRY3ZLU.js includes optional email transports to Resend/SMTP and test-only console capture file append.
  • dist/app/server/index.js can load workspace plugins and runtime bridge handlers through user-provided server options.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and no bin entries.
  • Exported entrypoints are library/server/frontend modules; no install-time or import-time attack path found.
  • Network calls are package-aligned: auth/frontend APIs, configured SMTP/Resend email, Stripe/Lemon Squeezy checkout, and optional worker base URL.
  • Filesystem operations are bounded to configured workspace/frontend/test-mail paths with path validation or explicit options.
  • No credential harvesting, broad env/file enumeration, AI-agent config mutation, encoded payloads, native binaries, or shell execution found.
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 579 KB of source, external domains: 127.0.0.1, api.lemonsqueezy.com, api.resend.com, api.stripe.com, calendly.com, fonts.googleapis.com, fonts.gstatic.com

Source & flagged code

1 flagged · loading source
dist/app/server/index.jsView file
975const apiTarget = `http://127.0.0.1:${apiPort}`; L976: const requireFromApp = createRequire(path3.join(appRoot, "package.json")); L977: const viteEntry = requireFromApp.resolve("vite");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/app/server/index.jsView on unpkg · L975

Findings

3 Medium4 Low
MediumDynamic Requiredist/app/server/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings