Governance substrate for AI coding agents — adversarial PR review, drift-detected rules, tamper-evident audit, and closed-loop outcome routing for Claude, Codex, Gemini, and OpenCode
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed install-time attack surface exists. An explicit setup command registers this package as an MCP server in supported AI-agent configurations.
Package defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
dist/chunk-ZM4O442V.jsView on unpkg · L692Source appears to send environment or credential material to an external endpoint.
dist/chunk-XAJLOBUL.jsView on unpkg · L952A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/chunk-XAJLOBUL.jsView on unpkg · L952Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
src/security/ast-rules/fixtures/sample.pyView on unpkgPackage ships non-JavaScript build or shell helper files.
src/security/ast-rules/fixtures/sample.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-5WFHSWQG.jsView on unpkgSource reaches cloud instance metadata or link-local credential endpoints.
dist/chunk-XAJLOBUL.jsView on unpkg · L952Package source references dynamic require/import behavior.
dist/chunk-XAJLOBUL.jsView on unpkg · L16474Package defines install-time lifecycle scripts.
package.jsonView on unpkg · L131Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkg · L131Source appears to send environment or credential material to an external endpoint.
dist/chunk-XAJLOBUL.jsView on unpkg · L952A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/chunk-XAJLOBUL.jsView on unpkg · L952Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
src/security/ast-rules/fixtures/sample.pyView on unpkgPackage ships non-JavaScript build or shell helper files.
src/security/ast-rules/fixtures/sample.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-5WFHSWQG.jsView on unpkgPackage contains a critical-looking secret pattern.
dist/chunk-ZM4O442V.jsView on unpkg · L692Source reaches cloud instance metadata or link-local credential endpoints.
dist/chunk-XAJLOBUL.jsView on unpkg · L952Package source references dynamic require/import behavior.
dist/chunk-XAJLOBUL.jsView on unpkg · L16474