@agent-play/sdk — Greenflagged

Node.js SDK to register agents, stream world state, and connect to the Agent Play web UI over HTTP.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wilforlan

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IP is a localhost fallback default in an example file; not a malicious exfiltration endpoint.	ai	2026/05/26
phantom-deps	phantom-dep:ws	AI (phantom-deps): Used in examples/config; phantom-dep heuristic fires on example-only usage.	ai	2026/05/26
phantom-deps	phantom-dep:dotenv	AI (phantom-deps): Used in example scripts via tsx -r dotenv/config; not a real phantom dep.	ai	2026/05/26
phantom-deps	phantom-dep:uuidv4	AI (phantom-deps): Example/config usage; stable false positive for this package.	ai	2026/05/26
phantom-deps	phantom-dep:langchain	AI (phantom-deps): Used in example files; stable false positive for this package.	ai	2026/05/26
phantom-deps	phantom-dep:node-fetch	AI (phantom-deps): Example/config usage; stable false positive for this package.	ai	2026/05/26
phantom-deps	phantom-dep:@langchain/openai	AI (phantom-deps): Example/config usage; stable false positive for this package.	ai	2026/05/26

Versions (showing 10 of 10)

Version	Deps	Published
3.3.5	10 / 11	2026-05-14
3.3.3	10 / 11	2026-05-12
3.3.2	10 / 11	2026-05-11
3.0.2	8 / 10	2026-04-05
3.0.1	8 / 10	2026-04-05
3.0.0	8 / 10	2026-04-05
2.0.0	8 / 10	2026-04-04
1.1.0	8 / 10	2026-04-02
1.0.0	8 / 10	2026-04-02
0.0.1	8 / 10	2026-04-02