registry  /  @koda-sl/baker-bridge  /  0.43.1

@koda-sl/baker-bridge@0.43.1

HTTP server wrapping the Claude Agent SDK. Persists chat events to Convex; the dashboard subscribes via Convex realtime

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked local HTTP bridge that runs Claude Agent SDK sessions, persists chat state to a configured Convex backend, and bundles a first-party reports plugin.

Static reason
No blocking static signals were detected.
Trigger
Explicit CLI/programmatic start: `baker-bridge hono` or createServer().start()
Impact
Expected agent bridge capabilities: project file access through the SDK, local session/memory files, attachment downloads, and chat relay posts.
Mechanism
local Hono bridge to Claude Agent SDK with env-configured Convex relay and package-owned plugin
Rationale
Source inspection shows a documented, explicit-run bridge with broad but package-aligned AI-agent/server behavior and no install-time mutation or covert exfiltration. Suspicious primitives such as fetch, env vars, child_process git/hook recovery, and .claude memory are tied to the advertised sandbox bridge workflow.
Evidence
package.jsondist/cli.jsdist/hono/server.jsdist/hono/agent.jsdist/hono/bridge-job.jsdist/hono/convex.jsdist/hono/runtime-files.jsdist/hono/sandbox-content.jsdist/hono/attachments.jsdist/hono/model-router.jsdist/hono/plugins.jsplugins/reports/.claude-plugin/plugin.json~/.baker/sessions/*.json~/.baker/relay-errors.jsonl/tmp/attachments/*<project>/.claude/memory/*<project>/src/lib/flow-engine/flows/*/_data.json<project>/COMPANY.md<project>/src/brand/BRAND.md<project>/src/content/**<project>/src/documents/**<project>/__tooling__/hooks/base/recover-stalled-publish.mjs
Network endpoints5
${BAKER_CONVEX_SITE_URL}/api/chat/stream${BAKER_CONVEX_SITE_URL}/api/chat/event${BAKER_CONVEX_SITE_URL}/api/chat/complete${BAKER_CONVEX_SITE_URL}/api/chats/memoryapi.notdiamond.ai/v2/modelRouter/modelSelect

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked server can run Claude Agent SDK with project settings and bundled local plugin via dist/hono/bridge-job.js and dist/hono/plugins.js.
  • Runtime writes local state/attachments under ~/.baker, /tmp/attachments, and project .claude/memory via dist/hono/runtime-files.js.
  • Runtime posts chat events/memory to env-controlled BAKER_CONVEX_SITE_URL and optional NotDiamond router URL.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/cli.js only starts the Hono server for explicit `baker-bridge hono`; no import-time execution beyond definitions.
  • Plugin files under plugins/reports are package-owned Claude plugin metadata/skill, not an install-time mutation of a foreign agent config.
  • Network endpoints are documented and env/user configured except optional NotDiamond model routing.
  • File reads/writes are bounded to the project sandbox, ~/.baker state, and /tmp attachments for documented bridge behavior.
  • No credential harvesting, stealth persistence, destructive payload, native binary loading, or remote code download found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 51 file(s), 305 KB of source, external domains: api.example.com, api.notdiamond.ai, example.com, example.convex.site, hooks.zapier.com, same.url

Source & flagged code

1 flagged · loading source
dist/hono/plugins.test.jsView file
64it("keeps the vendored scaffold path contract in sync", async () => { L65: const pluginContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(skillRoot, "scripts", "report-paths.mjs")).href))); L66: const scaffoldContract = (await import(__rewriteRelativeImportExtension(pathToFileURL(join(repoRoot, "apps", "scaffold-template", "__tooling__", "watcher", "base", "report-contract...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hono/plugins.test.jsView on unpkg · L64

Findings

3 Medium4 Low
MediumDynamic Requiredist/hono/plugins.test.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings