@reventlessdev/reventless-local@3.0.0-alpha.118

Local platform for Reventless (in-memory or SQLite backend, for development and testing without AWS)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Observed network, environment, and filesystem primitives are package-aligned local development platform behavior and require runtime API calls or configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/calls platform/server/backend APIs at runtime
Impact
Local development services and configured local files only; no credential harvesting, remote payload execution, install-time mutation, or exfiltration found
Mechanism
local GraphQL/MCP servers, local auth, and optional SQLite storage
Rationale
Static source inspection found no install-time execution, foreign control-surface mutation, data exfiltration, credential harvesting, shell execution, or remote payload loading. Scanner hits are explained by local dev server, auth fixture, environment configuration, and local storage code.
Evidence
• package.json
• src/Platform.res.mjs
• src/adapter/Auth/UserStore.res.mjs
• src/adapter/Auth/LocalAuth.res.mjs
• src/adapter/DomainGraphQL_Server.res.mjs
• src/adapter/MCP_ServerInstance.res.mjs
• src/adapter/Backend.res.mjs
• src/adapter/SqliteDriver.res.mjs
• tests/adapter/LocalAuthUserStoreTest.res.mjs
• .reventless/users.yaml
• REVENTLESS_LOCAL_BACKEND sqlite:<path>
Network endpoints (5)
• localhost:4000/graphql
• localhost:4001/graphql
• localhost:3001/mcp
• localhost:3002/mcp
• ws://localhost:4000/graphql

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
(none)
Evidence against
• package.json has no preinstall/install/postinstall hooks or bin entrypoints.
• src/adapter/Auth/UserStore.res.mjs reads explicit/default .reventless/users.yaml for local auth; no exfiltration.
• src/adapter/Auth/LocalAuth.res.mjs uses REVENTLESS_INMEMORY_TOKEN_SECRET only for local HMAC token signing.
• src/adapter/DomainGraphQL_Server.res.mjs and MCP_ServerInstance.res.mjs start local HTTP/MCP servers only when start() is called.
• src/adapter/SqliteDriver.res.mjs and Backend.res.mjs perform user-configured SQLite/local backend storage operations.
• tests/adapter/LocalAuthUserStoreTest.res.mjs contains fixture passwords in tests, not real secrets.
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 173 file(s), 927 KB of source, external domains: cdn.example.com

Two items in this surface are not accounted for by the rationale above: the ChildProcess and Shell source tags, while the rationale reports no shell execution, and the external domain cdn.example.com, which is not among the listed localhost endpoints. Both are worth confirming against the source before relying on the verdict.
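The manifest line and the first "Evidence against" bullet rest on two checks that are easy to reproduce without the scanner: the manifest declares no lifecycle hooks or bin entrypoints (so nothing runs at install time), and the flagged test fixture is not part of what ships. The following is an added example, not the reventless package's code, that performs both checks on constructed manifests. The "files" matching is a deliberately simplified stand-in for npm's glob rules (assumption: each "files" entry is a directory prefix or an exact path), and the sample manifests are invented for the demonstration.

```javascript
// Added example, not the reventless package's code. Sample manifests are
// constructed; "files" matching is a simplified approximation of npm's rules.

// Lifecycle scripts npm runs on its own (install, publish, uninstall) rather
// than only on an explicit `npm run`.
const INSTALL_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepare', 'prepublish', 'preuninstall', 'uninstall', 'postuninstall',
];

// Root-level files npm includes regardless of the "files" allow-list.
const ALWAYS_SHIPPED = ['package.json', 'README', 'LICENSE', 'LICENCE'];

// Report the install-time execution surface declared by a manifest.
function manifestRiskSignals(pkg) {
  const scripts = pkg.scripts || {};
  const installHooks = Object.keys(scripts)
    .filter((name) => INSTALL_HOOKS.includes(name))
    .map((name) => ({ hook: name, command: scripts[name] }));

  let binEntrypoints = [];
  if (typeof pkg.bin === 'string') {
    binEntrypoints = [{ name: pkg.name, path: pkg.bin }];
  } else if (pkg.bin && typeof pkg.bin === 'object') {
    binEntrypoints = Object.entries(pkg.bin).map(([name, path]) => ({ name, path }));
  }
  return {
    installHooks,
    binEntrypoints,
    installTimeExecution: installHooks.length > 0,
  };
}

// Would filePath be included in the published tarball? (simplified rules)
function wouldShip(pkg, filePath) {
  const strip = (p) => p.replace(/^\.\//, '').replace(/\/$/, '');
  const path = strip(filePath);
  if (!path.includes('/') &&
      ALWAYS_SHIPPED.some((n) => path === n || path.startsWith(n + '.'))) {
    return true;
  }
  if (pkg.main && path === strip(pkg.main)) return true;
  if (!Array.isArray(pkg.files)) return true; // no allow-list: everything not ignored ships
  return pkg.files.some((entry) => {
    const e = strip(entry);
    return path === e || path.startsWith(e + '/');
  });
}

// Constructed manifests: one shaped like the reviewed package's description
// (no hooks, no bin, tests outside "files") and one with a postinstall hook.
const CLEAN_MANIFEST = {
  name: '@example/local-platform',
  version: '0.0.0',
  main: './src/Platform.res.mjs',
  files: ['src/', 'package.json'],
  scripts: { build: 'rescript', test: 'node --test' },
};

const HOOKED_MANIFEST = {
  name: '@example/hooked',
  version: '0.0.0',
  bin: { hooked: 'bin/cli.js' },
  scripts: { postinstall: 'node scripts/setup.js' },
};

console.log(manifestRiskSignals(CLEAN_MANIFEST).installTimeExecution);  // false
console.log(manifestRiskSignals(HOOKED_MANIFEST).installHooks);         // [{ hook: 'postinstall', ... }]
console.log(wouldShip(CLEAN_MANIFEST, 'tests/adapter/LocalAuthUserStoreTest.res.mjs')); // false
```

A "Scripts Present" finding (as in the Findings list below) only says a scripts section exists; installTimeExecution is the question that matters, and the published tarball (npm pack) is the authoritative answer to wouldShip.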

Source & flagged code

2 flagged

tests/adapter/LocalAuthUserStoreTest.res.mjs, line 65
patternName = generic_password · severity = medium · matchedText = password...pw",
Medium · Secret Pattern
Package contains a possible secret pattern.

tests/adapter/LocalAuthUserStoreTest.res.mjs, line 161
patternName = generic_password · severity = medium · matchedText = password...pw",
Medium · Secret Pattern
Hardcoded password in tests/adapter/LocalAuthUserStoreTest.res.mjs

Findings

4 Medium, 4 Low
• Medium · Secret Pattern · tests/adapter/LocalAuthUserStoreTest.res.mjs
• Medium · Network
• Medium · Environment Vars
• Medium · Secret Pattern · tests/adapter/LocalAuthUserStoreTest.res.mjs
• Low · Scripts Present
• Low · Filesystem
• Low · High Entropy Strings
• Low · Url Strings