registry  /  @neurcode-ai/cli  /  0.20.21

@neurcode-ai/cli@0.20.21

⚠ Under review

Neurcode CLI — deterministic operational governance runtime for AI-assisted engineering (intent contracts, import-edge governance, replay continuity)

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 339 file(s), 5.33 MB of source, external domains: api.anthropic.com, api.neurcode.com, api.openai.com, app.neurcode.com, dashboard.neurcode.com, docs.neurcode.com, example.invalid, github.com, neurcode.com, www.neurcode.com

Source & flagged code

6 flagged · loading source
dist/utils/governance-decisions.jsView file
16exports.[redacted] = [redacted]; L17: const child_process_1 = require("child_process"); L18: const crypto_1 = require("crypto");
High
Child Process

Package source references child process execution.

dist/utils/governance-decisions.jsView on unpkg · L16
dist/utils/policy-packs.jsView file
187type: 'suspicious-keywords', L188: keywords: ['debugger', 'eval(', 'child_process.exec('], L189: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/utils/policy-packs.jsView on unpkg · L187
dist/rules.jsView file
8exports.evaluateRules = evaluateRules; L9: const policy_engine_1 = require("@neurcode-ai/policy-engine"); L10: var policy_engine_2 = require("@neurcode-ai/policy-engine");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/rules.jsView on unpkg · L8
dist/commands/verify.jsView file
5034try { L5035: context.branch = (0, child_process_1.execSync)('git branch --show-current', { L5036: maxBuffer: 1024 * 1024 * 1024, ... L5045: // Try GitHub Actions repository L5046: if (process.env.GITHUB_REPOSITORY) { L5047: // GITHUB_REPOSITORY is like "owner/repo" L5048: context.repoUrl = `https://github.com/${process.env.GITHUB_REPOSITORY}`; L5049: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/verify.jsView on unpkg · L5034
dist/index.jsView file
6package = @neurcode-ai/cli; repositoryIdentity = neurcode; dependency = @neurcode-ai/contracts L6: const path_1 = require("path"); L7: const contracts_1 = require("@neurcode-ai/contracts"); L8: // Import chalk with fallback
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.jsView on unpkg · L6
dist/commands/login.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @neurcode-ai/cli@0.20.18 matchedIdentity = npm:QG5ldXJjb2RlLWFpL2NsaQ:0.20.18 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/commands/login.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/commands/login.js
HighChild Processdist/utils/governance-decisions.js
HighShell
HighSame File Env Network Executiondist/commands/verify.js
HighCopied Package Dependency Bridgedist/index.js
MediumDynamic Requiredist/rules.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/utils/policy-packs.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings