AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime behavior is a local authentication provider with optional SMTP password recovery and file-backed auth state.
Decision evidence
public snapshot- package.descriptor.mjs declares explicit app config mutations for .env and .gitignore, but no npm lifecycle hook applies them automatically.
- src/server/providers/AuthLocalServiceProvider.js reads process.env and can create .jskit/auth/session.secret at provider boot when selected.
- src/server/lib/service.js can send password recovery email through configured SMTP.
- package.json has no preinstall/install/postinstall hooks and only exports server provider/lib entrypoints.
- src/server/lib/service.js implements local auth flows: register, login, sessions, password reset, cookies, and SMTP recovery.
- src/server/lib/fileBackend.js writes only configured local auth store files users.passwd, sessions.passwd, recovery.passwd, lock, and journal.
- No child_process, eval, remote payload loading, credential harvesting, or hardcoded exfiltration endpoint found.
- Network use is nodemailer to user-configured SMTP, package-aligned for password recovery.
Source & flagged code
19 flagged · loading sourcePackage contains a possible secret pattern.
src/server/lib/service.jsView on unpkg · L148Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L106Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L167Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L173Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L260Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L347Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L353Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L370Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L383Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L415Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L423Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L429Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L439Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L464Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L483Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L513Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L519Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L551Hardcoded password in test/providerRuntime.test.js
test/providerRuntime.test.jsView on unpkg · L579