registry  /  @kdtix-open/sdlca-bridge  /  0.1.20

@kdtix-open/sdlca-bridge@0.1.20

Local execution bridge CLI for SDLC Automated — npx-ready installer

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior, but the package is a local AI execution bridge with persistent user service setup and remote work-claim execution when explicitly configured. Risk is package-aligned and user/operator-invoked.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs sdlca-bridge install, mcp serve, foreground, or enables hosted work-claim polling.
Impact
Can run local AI provider commands inside configured project roots and report results to the configured control plane when authenticated and enabled.
Mechanism
Explicit local bridge service and scoped MCP/hosted execution of provider CLIs.
Rationale
The dangerous primitives are real but match the package's documented bridge purpose and require explicit user/operator activation; no unconsented npm install-time mutation or hidden exfiltration was found. Warn is appropriate for agent extension lifecycle and local execution capability risk, not publish block.
Evidence
package.jsonbin/sdlca-bridge.jsbridge/index.jsmcp/stdio.jsREADME.mdtemplates/config.json.exampletemplates/SETUP.md~/.sdlca/bridge/config.json~/.sdlca/bridge/.env.credentials~/.sdlca/bridge/logs/bridge.log~/Library/LaunchAgents/com.kdtix.sdlca-bridge*.plist~/.config/systemd/user/sdlca-bridge*.service
Network endpoints4
auth.projectit.ai/.well-known/openid-configurationdev.projectit.ai/tools/repo-orchestrator127.0.0.1:4318127.0.0.1:4319

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/sdlca-bridge.js exposes user-invoked install/uninstall/start commands that register launchd/systemd-user services.
  • bin/sdlca-bridge.js and bridge/index.js can execute local provider CLIs: claude, codex, copilot, cursor.
  • bridge/index.js supports hosted work-claim polling and posts lease results/failures to configured hosted control plane.
  • mcp/stdio.js exposes MCP tools including bridge.execute_local_provider_task gated by token/scopes/read-only checks.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build script.
  • README.md documents explicit npx install flow, service registration, credentials, and hosted polling opt-in.
  • templates/config.json.example defaults hostedWorkClaimPolling to false.
  • Credential and command-output handling includes redaction helpers and local/hosted tokens are configuration inputs, not harvested broadly.
  • Network destinations are package-aligned OIDC/control-plane or loopback bridge endpoints, not hidden exfiltration endpoints.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 435 KB of source, external domains: auth.projectit.ai, github.com, sdlca.invalid, www.apple.com

Source & flagged code

7 flagged · loading source
bin/sdlca-bridge.jsView file
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

bin/sdlca-bridge.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> bin/sdlca-bridge.js L2: // SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.is…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/sdlca-bridge.jsView on unpkg · L2
5`;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Child Process

Package source references child process execution.

bin/sdlca-bridge.jsView on unpkg · L5
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/sdlca-bridge.jsView on unpkg · L2
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sdlca-bridge.jsView on unpkg · L2
23`).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}function yg(e,r,t){return{.... L25: # No-op GUI launcher for headless worker environments (#983)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sdlca-bridge.jsView on unpkg · L23
2// SPDX-License-Identifier: BSL-1.1 L3: var Pd=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Ad=(e,r)=>{for(var t in r)Pd(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Ud(a.trimEnd())])}return r}function Hd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Ud(e){return e.length>=2&&(e.starts... L5: `;u===Ye.error?process.stderr.write(l):process.stdout.write(l),u<=Ye.info&&eo(t,l),e.debug>=1&&u<=Ye.debug&&eo(o,l),(e.verbose>=Ye.trace||e.debug>=Ye.trace)&&eo(n,l)})}function eo(... L6: `)}catch{}}function yc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function Ss(e){try{let t=zu.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(lp(t))}catch{return{}}}function lp(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/sdlca-bridge.jsView on unpkg · L2

Findings

2 Critical3 High5 Medium6 Low
CriticalCredential Exfiltrationbin/sdlca-bridge.js
CriticalTrigger Reachable Dangerous Capabilitybin/sdlca-bridge.js
HighChild Processbin/sdlca-bridge.js
HighSame File Env Network Executionbin/sdlca-bridge.js
HighCommand Output Exfiltrationbin/sdlca-bridge.js
MediumDynamic Requirebin/sdlca-bridge.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/sdlca-bridge.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings