registry  /  @suveren/gateway  /  0.3.9

@suveren/gateway@0.3.9

Suveren gateway — local agent gateway built in compliance with the Human Agency Protocol (HAP). Runs the UI, control plane, and MCP server in one Node process.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior. The package is an MCP/AI gateway that can install and run configured downstream integrations inside its own ~/.suveren namespace after the gateway is started.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall for banner; explicit suveren-gateway start for runtime gateway and integrations
Impact
Agent-facing capability surface may execute configured integrations and store service credentials, but no unconsented foreign agent control-surface hijack was found.
Mechanism
first-party gateway with on-demand integration npm installs and MCP stdio process spawning
Policy narrative
The package is a local Suveren gateway. Install-time code is limited to a guarded banner. Runtime code, once the user starts the gateway, can auto-register package-bundled personal integrations, install their npm packages into ~/.suveren/integrations, and spawn MCP servers with configured credentials. This is a real agent-extension lifecycle risk but remains in the package-owned namespace and does not mutate foreign AI-agent control surfaces.
Rationale
Source inspection supports a warn-level agent extension lifecycle risk rather than malware: risky runtime MCP integration installation/spawning exists, but it is package-aligned and not lifecycle-triggered control hijacking. No credential exfiltration, destructive behavior, persistence outside the CLI's own pid/log files, or foreign AI-agent configuration mutation was found.
Evidence
package.jsonscripts/postinstall.jsbin/suveren-gateway.jsserver.jsdist/mcp-server/http.mjsdist/control-plane/index.mjscontent/integrations/mollie.jsoncontent/integrations/records.jsoncontent/integrations/crm.json~/.suveren/gateway.pid~/.suveren/gateway.log~/.suveren/integrations/package.json~/.suveren/integrations/node_modules
Network endpoints11
www.suveren.airegistry.npmjs.org/@suveren%2Fgateway/latestghcr.io/token?scope=repository:suverenai/suveren-gateway:pullmcp.mollie.com/mcpaccounts.google.com/o/oauth2/v2/authoauth2.googleapis.com/tokenapi.github.com/userapi.openai.com/v1api.groq.com/openai/v1api.together.xyz/v1openrouter.ai/api/v1

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall script scripts/postinstall.js
  • dist/mcp-server/http.mjs auto-registers personalDefault integrations from bundled manifests
  • dist/mcp-server/http.mjs installs configured npmPackage with npm install under ~/.suveren/integrations
  • dist/mcp-server/http.mjs spawns configured MCP commands via StdioClientTransport
  • content/integrations/mollie.json uses sh -c to run mcp-remote https://mcp.mollie.com/mcp
Evidence against
  • scripts/postinstall.js only prints a TTY/global-install banner and probes ~/.suveren/gateway.pid; no agent config writes
  • No writes to .mcp.json, CLAUDE.md, Claude/Codex/Cursor settings, shell startup, VCS hooks, or autostart files found
  • bin/suveren-gateway.js start --detach writes only ~/.suveren/gateway.pid and gateway.log after explicit CLI use
  • server.js only supervises bundled control-plane and MCP server child processes
  • Network endpoints are product/integration aligned: suveren.ai, registry.npmjs.org, OAuth/API providers, local ports
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 571 KB of source, external domains: 0.0.0.0, 127.0.0.1, api.github.com, api.groq.com, api.openai.com, api.together.xyz, ghcr.io, openrouter.ai, reactjs.org, registry.npmjs.org, www.humanagencyprotocol.org, www.suveren.ai, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/suveren-gateway.jsView file
12L13: import { spawn } from 'node:child_process'; L14: import { existsSync, mkdirSync, openSync, readFileSync, writeFileSync, unlinkSync, statSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/suveren-gateway.jsView on unpkg · L12
187// Stream new lines as they arrive. L188: const proc = spawn(platform() === 'win32' ? 'powershell' : 'tail', L189: platform() === 'win32'
High
Shell

Package source references shell execution.

bin/suveren-gateway.jsView on unpkg · L187
74const out = openSync(LOG_FILE, 'a'); L75: const child = spawn(process.execPath, [SERVER_ENTRY], { L76: detached: true, L77: stdio: ['ignore', out, out], L78: env: process.env, L79: }); ... L83: console.log(``); L84: console.log(` → Open in your browser: http://localhost:${SUVEREN_PORT}`); L85: console.log(``);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/suveren-gateway.jsView on unpkg · L74
dist/mcp-server/http.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @suveren/gateway@0.3.3 matchedIdentity = npm:QHN1dmVyZW4vZ2F0ZXdheQ:0.3.3 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/mcp-server/http.mjsView on unpkg
2068try { L2069: execSync(`npm install --no-fund --no-audit ${npmPackage}`, { L2070: cwd: INTEGRATIONS_DIR,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/mcp-server/http.mjsView on unpkg · L2068
dist/ui/fonts/Inter-Medium.woff2View file
path = dist/ui/fonts/Inter-Medium.woff2 kind = high_entropy_blob sizeBytes = 114348 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/ui/fonts/Inter-Medium.woff2View on unpkg

Findings

2 Critical6 High4 Medium4 Low
CriticalManifest Confusionpackage.json
CriticalPrevious Version Dangerous Deltadist/mcp-server/http.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/suveren-gateway.js
HighShellbin/suveren-gateway.js
HighSame File Env Network Executionbin/suveren-gateway.js
HighRuntime Package Installdist/mcp-server/http.mjs
HighShips High Entropy Blobdist/ui/fonts/Inter-Medium.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings