registry  /  @hachej/boring-core  /  0.1.79

@hachej/boring-core@0.1.79

Foundation package for boring-ui-v2 apps: DB, auth, config, HTTP app factory, and frontend app shell.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is present. Explicit runtime use of the exported workspace-agent server can provision package-aligned agent runtime resources and create a validated workspace directory.

Static reason
No blocking static signals were detected.
Trigger
A host application imports and calls `createCoreWorkspaceAgentServer`, then invokes its agent routes.
Impact
Agent runtime setup may affect the configured application workspace; no secret harvesting, foreign AI-agent mutation, or exfiltration is confirmed.
Mechanism
User-invoked workspace agent runtime provisioning
Rationale
The package is not malicious by the inspected source, but its explicit server path provides first-party agent runtime provisioning with filesystem effects. Warn rather than block so this capability receives review in the upstream firewall.
Evidence
package.jsondist/app/server/index.jsdist/chunk-VB2N2DG5.jsdist/server/index.jsREADME.md./boring.app.toml

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/app/server/index.js` provisions workspace agent runtimes and registers agent routes.
  • The exported server factory can create workspace directories at runtime.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or bin hook.
  • No child-process, shell, eval, or VM execution was found in `dist`.
  • Config/env reads in `dist/chunk-VB2N2DG5.js` configure auth, database, and mail services.
  • Network calls target declared application services such as Resend, Stripe, and Lemon Squeezy.
  • Dynamic import in `dist/app/server/index.js` only loads the host app's Vite dependency for its explicit dev-server helper.
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 594 KB of source, external domains: 127.0.0.1, api.lemonsqueezy.com, api.resend.com, api.stripe.com, calendly.com, fonts.googleapis.com, fonts.gstatic.com

Source & flagged code

1 flagged · loading source
dist/app/server/index.jsView file
994const apiTarget = `http://127.0.0.1:${apiPort}`; L995: const requireFromApp = createRequire(path3.join(appRoot, "package.json")); L996: const viteEntry = requireFromApp.resolve("vite");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/app/server/index.jsView on unpkg · L994

Findings

3 Medium4 Low
MediumDynamic Requiredist/app/server/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings