registry  /  @varveai/adit-core  /  0.5.7

@varveai/adit-core@0.5.7

Core types, database, and sync primitives for ADIT

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The install hook is a native dependency preflight check, and the secret-looking strings are redaction patterns used by exported security helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
npm preinstall for environment check; user import/calls for library APIs
Impact
No exfiltration, remote payload execution, destructive behavior, persistence, or AI-agent control-surface mutation identified.
Mechanism
local SQLite/config/redaction utility code
Rationale
Static inspection shows a benign core library with an install-time compatibility check and user-invoked local database/config/redaction utilities. Scanner secret findings are regex patterns for redacting user content, not hardcoded credentials or exfiltration behavior.
Evidence
package.jsonscripts/check-native-install.jsdist/index.jsdist/security/content-redaction.jsdist/config/index.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json preinstall only runs scripts/check-native-install.js to validate better-sqlite3 prebuilt support and exits with guidance.
    • scripts/check-native-install.js reads local package.json and environment overrides; no network, shell, downloads, or project mutation.
    • dist/security/content-redaction.js contains regexes for detecting and redacting secrets, not embedded secret values or exfiltration logic.
    • dist/index.js only re-exports database/config/security/perf/sync modules.
    • rg found no fetch/http client, child_process, eval/Function, dynamic import/require, or AI-agent config mutation in inspected files.
    • Runtime writes are package-aligned local state/logging paths such as ~/.adit/client-id, project .adit database, and perf logs.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNativeBindings
    Supply chain
    HighEntropyStrings
    Manifest
    NoLicense
    scanned 23 file(s), 74.3 KB of source

    Source & flagged code

    6 flagged · loading source
    package.jsonView file
    scripts.preinstall = node ./scripts/check-native-install.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    dist/security/content-redaction.jsView file
    58patternName = private_key_rsa severity = critical line = 58 matchedText = { name: .../ },
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/security/content-redaction.jsView on unpkg · L58
    58patternName = private_key_rsa severity = critical line = 58 matchedText = { name: .../ },
    Critical
    Secret Pattern

    RSA private key in dist/security/content-redaction.js

    dist/security/content-redaction.jsView on unpkg · L58
    60patternName = private_key_ec severity = critical line = 60 matchedText = { name: .../ },
    Critical
    Secret Pattern

    EC private key in dist/security/content-redaction.js

    dist/security/content-redaction.jsView on unpkg · L60
    61patternName = private_key_openssh severity = critical line = 61 matchedText = { name: .../ },
    Critical
    Secret Pattern

    OpenSSH private key in dist/security/content-redaction.js

    dist/security/content-redaction.jsView on unpkg · L61
    63patternName = private_key_rsa severity = critical line = 63 matchedText = { name: .../ },
    Critical
    Secret Pattern

    RSA private key in dist/security/content-redaction.js

    dist/security/content-redaction.jsView on unpkg · L63

    Findings

    5 Critical1 High1 Medium4 Low
    CriticalCritical Secretdist/security/content-redaction.js
    CriticalSecret Patterndist/security/content-redaction.js
    CriticalSecret Patterndist/security/content-redaction.js
    CriticalSecret Patterndist/security/content-redaction.js
    CriticalSecret Patterndist/security/content-redaction.js
    HighInstall Time Lifecycle Scriptspackage.json
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowNo License