registry  /  @lesto/cli  /  0.1.2

@lesto/cli@0.1.2

Broken under plain Node before 0.1.7; upgrade to ^0.1.7.

Lesto's `lesto` command-line tool — load a project's lesto.app.ts and run, serve, migrate, or inspect routes.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a framework CLI with user-invoked dev, build, deploy, MCP, eval, and scaffolding commands; risky primitives are aligned with those commands and gated by explicit CLI actions.

Static reason
No blocking static signals were detected.
Trigger
User runs the lesto CLI command such as dev, serve, deploy, mcp, eval, generate, add, or openapi.
Impact
No unconsented install-time execution, credential harvesting, exfiltration, persistence, or AI-agent control hijack identified.
Mechanism
Framework CLI orchestration with dynamic project imports, filesystem generation, local servers, and deploy tooling.
Rationale
Static inspection shows a legitimate CLI whose dynamic imports, child process use, env reads, network calls, and file writes are tied to explicit framework commands rather than install/import-time behavior. No source evidence shows stealth persistence, credential exfiltration, destructive behavior, or unconsented mutation of a broad AI-agent control surface.
Evidence
package.jsonbin/lesto.mjssrc/bin.tssrc/eval.tssrc/mcp.tssrc/ai-bridge.tssrc/ai-redact.tssrc/add.tslesto.app.tsapp/routessrc/routes.gen.tsenv.client.tslesto.sites.tslesto.build.tslesto.evals.tslesto.content.tsapp/mcp/config.tsapp/mcp/verify.tsapp/mcp/governance.ts
Network endpoints6
lesto.rungithub.com/lesto-run/lesto.gitgithub.com/lesto-run/lesto/issuesissuer.example.comissuer.example.com/.well-known/jwks.jsonmcp.example.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/bin.ts spawns external wrangler only for explicit deploy/rollback commands.
  • src/bin.ts reads AWS_/LESTO_DEPLOY_ env credentials for user-requested remote release store publishing.
  • src/bin.ts dynamically imports project files such as lesto.app.ts, routes, sites, content, evals during CLI commands.
  • src/mcp.ts exposes operator-mode MCP mutations only when user passes --operator.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/lesto.mjs only registers jiti and imports ../src/bin.ts as the CLI entrypoint.
  • src/ai-bridge.ts uses a positive read-only allowlist for dev AI overlay tools.
  • src/ai-redact.ts redacts paths/secrets before AI overlay context forwarding.
  • Network activity is command-aligned: local dev servers, deploy health checks, Wrangler/remote release stores, optional eval judge.
  • Project file writes are user-invoked CLI outputs such as generated routes, OpenAPI, scaffolding, build artifacts, and release stores.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 330 KB of source, external domains: 127.0.0.1, auth.example.com, issuer.example.com, mcp.example.com

Source & flagged code

2 flagged · loading source
src/eval.tsView file
177L178: throw new CliError("CLI_EVAL_FAILED", `${failures} eval(s) failed.`, { L179: failed: failures,
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/eval.tsView on unpkg · L177
src/bin.tsView file
239L240: // Auto-wire file-based routes onto the loaded app: scan `app/routes/`, `import()` L241: // each page/layout, and register them via `@lesto/web`'s applier. The scan and
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/bin.tsView on unpkg · L239

Findings

3 Medium5 Low
MediumDynamic Requiresrc/bin.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvalsrc/eval.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings