registry  /  principles-disciple  /  1.197.0

principles-disciple@1.197.0

⚠ Under review

Teach your AI once. PD turns your corrections into reviewable behavior principles — so the AI never repeats the same mistake.

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.11 MB of source, external domains: api.anthropic.com, api.cerebras.ai, api.cloudflare.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.individual.githubcopilot.com, api.kimi.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, bedrock-runtime.eu-central-1.amazonaws.com, bedrock-runtime.us-east-1.amazonaws.com, gateway.ai.cloudflare.com, generativelanguage.googleapis.com, github.com, jimmy.warting.se, principles-disciple.dev, router.huggingface.co
Oversized source lightweight scan
dist/bundle.js3.80 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsShellDynamicRequireHighEntropyStringsMinifiedUrlStringsapi.anthropic.comapi.cerebras.aiapi.cloudflare.comapi.deepseek.comapi.fireworks.aiapi.groq.comapi.individual.githubcopilot.comapi.kimi.comapi.minimax.ioapi.minimaxi.comapi.mistral.aiapi.moonshot.aibedrock-runtime.eu-central-1.amazonaws.combedrock-runtime.us-east-1.amazonaws.comgateway.ai.cloudflare.comgenerativelanguage.googleapis.comprinciples-disciple.devrouter.huggingface.co
dist/core/bootstrap-rules.js6.67 MB file, sampled 256 KB
EnvironmentVarsDynamicRequireHighEntropyStringsUrlStringsapi.anthropic.comapi.cerebras.aiapi.cloudflare.comapi.deepseek.comapi.fireworks.aiapi.individual.githubcopilot.combedrock-runtime.eu-central-1.amazonaws.combedrock-runtime.us-east-1.amazonaws.comgateway.ai.cloudflare.comgithub.comjimmy.warting.se
dist/core/principle-compiler/index.js6.70 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsDynamicRequireHighEntropyStringsUrlStringsapi.anthropic.comapi.cerebras.aiapi.cloudflare.comapi.deepseek.comapi.fireworks.aiapi.individual.githubcopilot.combedrock-runtime.eu-central-1.amazonaws.combedrock-runtime.us-east-1.amazonaws.comgateway.ai.cloudflare.comgithub.comjimmy.warting.se
dist/core/trajectory/index.js6.72 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoDynamicRequireHighEntropyStringsUrlStringsapi.anthropic.comapi.cerebras.aiapi.cloudflare.comapi.deepseek.comapi.fireworks.aiapi.individual.githubcopilot.combedrock-runtime.eu-central-1.amazonaws.combedrock-runtime.us-east-1.amazonaws.comgateway.ai.cloudflare.comgithub.comjimmy.warting.se

Source & flagged code

9 flagged · loading source
scripts/install-dependencies.cjsView file
2L3: const { execFileSync } = require('child_process'); L4: const { existsSync, readFileSync } = require('fs');
High
Child Process

Package source references child process execution.

scripts/install-dependencies.cjsView on unpkg · L2
2L3: const { execFileSync } = require('child_process'); L4: const { existsSync, readFileSync } = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/install-dependencies.cjsView on unpkg · L2
scripts/sync-plugin.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = principles-disciple@1.187.0 matchedIdentity = npm:cHJpbmNpcGxlcy1kaXNjaXBsZQ:1.187.0 similarity = 0.625 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/sync-plugin.mjsView on unpkg
860try { L861: execSync(`"${localShim}" --version`, { stdio: 'pipe', shell: true }); L862: console.log(`✅ PD CLI shim verified: ${localShim}`);
High
Shell

Package source references shell execution.

scripts/sync-plugin.mjsView on unpkg · L860
1341package = principles-disciple; repositoryIdentity = principles; dependency = better-sqlite3 L1341: try { L1342: execSync(`node -e "require('better-sqlite3')"`, { cwd: INSTALL_DIR, stdio: 'pipe' }); L1343: console.log('✅ Native dependencies verified');
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

scripts/sync-plugin.mjsView on unpkg · L1341
389try { L390: execSync('npx tsc --emitDeclarationOnly', { L391: cwd: SOURCE_DIR,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/sync-plugin.mjsView on unpkg · L389
23import { fileURLToPath } from 'url'; L24: import { execSync } from 'child_process'; L25: L26: const __filename = fileURLToPath(import.meta.url); L27: const __dirname = dirname(__filename); L28: ... L38: function getHomeDir() { L39: return process.env.HOME L40: || process.env.USERPROFILE ... L52: const raw = readFileSync(configPath, 'utf-8'); L53: const config = JSON.parse(raw); L54: const workspace = config?.agents?.defaults?.workspace;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/sync-plugin.mjsView on unpkg · L23
23import { fileURLToPath } from 'url'; L24: import { execSync } from 'child_process'; L25: L26: const __filename = fileURLToPath(import.meta.url); L27: const __dirname = dirname(__filename); L28: ... L38: function getHomeDir() { L39: return process.env.HOME L40: || process.env.USERPROFILE ... L52: const raw = readFileSync(configPath, 'utf-8'); L53: const config = JSON.parse(raw); L54: const workspace = config?.agents?.defaults?.workspace;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/sync-plugin.mjsView on unpkg · L23
dist/core/principle-compiler/index.jsView file
path = dist/core/principle-compiler/index.js kind = oversized_source_file sizeBytes = 7024799 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/core/principle-compiler/index.jsView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltascripts/sync-plugin.mjs
HighChild Processscripts/install-dependencies.cjs
HighShellscripts/sync-plugin.mjs
HighCopied Package Dependency Bridgescripts/sync-plugin.mjs
HighRuntime Package Installscripts/sync-plugin.mjs
HighOversized Source Filedist/core/principle-compiler/index.js
MediumDynamic Requirescripts/install-dependencies.cjs
MediumEnvironment Vars
MediumInstall Persistencescripts/sync-plugin.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoscripts/sync-plugin.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings