registry  /  @kdtix-open/sdlca-bridge  /  0.1.21

@kdtix-open/sdlca-bridge@0.1.21

Local execution bridge CLI for SDLC Automated — npx-ready installer

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a local AI-agent execution bridge with supervisor persistence and authenticated loopback/MCP control. The risk is real but appears explicit and package-aligned rather than malicious install-time abuse.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs sdlca-bridge install, foreground, mcp serve, mcp stdio, or enables hosted work-claim polling.
Impact
Authenticated local or configured hosted callers can cause provider CLI execution in allowed project roots; install registers user-level services and writes bridge credentials/config.
Mechanism
first-party local bridge and MCP agent extension setup
Rationale
The package contains dangerous local execution and persistence capabilities, but they are documented, user-invoked, guarded by token/OIDC checks, and aligned with the bridge product. Per policy this fits a warn-level agent extension lifecycle risk, not a malicious publish block.
Evidence
package.jsonbin/sdlca-bridge.jsbridge/index.jsmcp/stdio.jstemplates/config.json.exampletemplates/SETUP.mdREADME.md~/.sdlca/bridge/config.json~/.sdlca/bridge/.env.credentials~/.sdlca/bridge/.env.credentials.example~/.sdlca/bridge/SETUP.md~/.sdlca/bridge/logs/bridge.log~/.sdlca/bridge/.oidc-token-cachelaunchd/systemd-user service entries
Network endpoints5
auth.projectit.ai/.well-known/openid-configurationdev.projectit.ai/tools/repo-orchestrator127.0.0.1:4318127.0.0.1:4319localhost:3456/mcp

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/sdlca-bridge.js exposes user commands that install launchd/systemd-user supervisor services for the bridge and MCP server.
  • bridge/index.js and bin/sdlca-bridge.js spawn local provider CLIs: claude, codex, copilot, cursor/agent.
  • bridge/index.js can poll a configured hosted control plane and execute leased tasks after explicit config/token setup.
  • mcp/stdio.js registers MCP tools including bridge.execute_local_provider_task and hosted repo_orchestrator wrappers.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build runs on publish.
  • README.md documents npx @kdtix-open/sdlca-bridge install as the activation path and describes generated files under ~/.sdlca/bridge.
  • Default templates/config.json.example keeps hostedWorkClaimPolling false.
  • MCP HTTP server binds to 127.0.0.1 and uses bearer/static token or OIDC validation.
  • Source includes secret redaction helpers and warns not to paste tokens; no credential harvesting/exfiltration flow was confirmed.
  • Hosted URLs are package-aligned with documented dev.projectit.ai/projectit.ai service behavior.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 436 KB of source, external domains: auth.projectit.ai, github.com, sdlca.invalid, www.apple.com

Source & flagged code

7 flagged · loading source
bin/sdlca-bridge.jsView file
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

bin/sdlca-bridge.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> bin/sdlca-bridge.js L2: // SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.is…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/sdlca-bridge.jsView on unpkg · L2
5`;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Child Process

Package source references child process execution.

bin/sdlca-bridge.jsView on unpkg · L5
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/sdlca-bridge.jsView on unpkg · L2
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sdlca-bridge.jsView on unpkg · L2
23`).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}function yg(e,r,t){return{.... L25: # No-op GUI launcher for headless worker environments (#983)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sdlca-bridge.jsView on unpkg · L23
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/sdlca-bridge.jsView on unpkg · L2

Findings

2 Critical3 High5 Medium6 Low
CriticalCredential Exfiltrationbin/sdlca-bridge.js
CriticalTrigger Reachable Dangerous Capabilitybin/sdlca-bridge.js
HighChild Processbin/sdlca-bridge.js
HighSame File Env Network Executionbin/sdlca-bridge.js
HighCommand Output Exfiltrationbin/sdlca-bridge.js
MediumDynamic Requirebin/sdlca-bridge.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/sdlca-bridge.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings