@agentc7/server
Node HTTP broker for ac7 — self-hostable agent control plane (Hono + SQLite).
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:public/assets/index-BFZJiDOW.js | AI (source-diff): Network calls are Workbox service-worker registration and modulepreload fetches; no arbitrary code execution. | ai | |
| source-diff | obfuscated-file:public/assets/index-BFZJiDOW.js | AI (source-diff): Vite-bundled frontend entry point; minification is expected. | ai | |
| source-diff | obfuscated-file:public/assets/common-DlXhUo7M.js | AI (source-diff): Vite-bundled frontend asset (highlight.js); minification is expected. | ai | |
| source-diff | net-exec-file:public/assets/index-DHw-G7L4.js | AI (source-diff): Network calls and dynamic script loading are normal browser bundle patterns (modulepreload polyfill, fetch); not dropper behavior. | ai | |
| source-diff | obfuscated-file:public/assets/index-DHw-G7L4.js | AI (source-diff): Standard Vite-minified frontend bundle with sourcemap; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:public/assets/common-DzJqOV7s.js | AI (source-diff): Vite-minified highlight.js bundle; well-known library. | ai | |
| source-diff | obfuscated-file:public/assets/index-BT8zYk-Z.js | AI (source-diff): Vite-minified app entry; standard PWA/Workbox pattern. | ai | |
| source-diff | net-exec-file:public/assets/index-BT8zYk-Z.js | AI (source-diff): Workbox SW registration uses fetch+dynamic import; expected PWA pattern. | ai | |
| source-diff | obfuscated-file:public/assets/workbox-window.prod.es5-DAuf_HpY.js | AI (source-diff): Workbox production bundle; minification is standard and expected. | ai | |
| source-diff | obfuscated-file:public/assets/common-BUMVzbk-.js | AI (source-diff): Vite-bundled highlight.js frontend asset; minification is expected. | ai | |
| source-diff | obfuscated-file:public/assets/index-D0XyimLQ.js | AI (source-diff): Vite app bundle; minification is expected for frontend assets. | ai | |
| source-diff | net-exec-file:public/assets/index-D0XyimLQ.js | AI (source-diff): fetch() call is Vite's modulepreload polyfill, not a dropper. | ai | |
| source-diff | obfuscated-file:public/assets/marked.esm-DlZS6SDL.js | AI (source-diff): Bundled marked.js markdown parser; minification expected. | ai | |
| source-diff | obfuscated-file:public/assets/purify.es-B7xcIeU4.js | AI (source-diff): Bundled DOMPurify; minification expected. | ai | |
| source-diff | obfuscated-file:public/assets/workbox-window.prod.es5-moKUNATN.js | AI (source-diff): Bundled workbox-window PWA library; standard minified output with source map. | ai | |
| source-diff | obfuscated-file:public/assets/client-DWauEnMw.js | AI (source-diff): Vite-bundled Preact/UI frontend asset with source map; standard minified output, not obfuscation. | ai | |
| source-diff | net-exec-file:public/assets/index-DFcJ6J6V.js | AI (source-diff): Network calls are fetch() for module preloading and service worker registration — standard Vite PWA pattern, not dropper behavior. | ai | |
| source-diff | obfuscated-file:public/assets/marked.esm-d6uq5Mo2.js | AI (source-diff): Bundled marked.js markdown parser; standard minified output with source map. | ai | |
| source-diff | obfuscated-file:public/assets/purify.es-BZ-8_tV6.js | AI (source-diff): Bundled DOMPurify sanitizer; standard minified output with source map. | ai | |
| source-diff | obfuscated-file:public/assets/index-DFcJ6J6V.js | AI (source-diff): Vite-bundled main app entry with source map; standard minified output. | ai | |
| source-diff | obfuscated-file:public/assets/common-BmodZq9c.js | AI (source-diff): Vite-bundled highlight.js asset with source map; standard minified output. | ai | |
| source-diff | net-exec-file:public/assets/index-8QTBEsxx.js | AI (source-diff): Network calls and dynamic script loading are standard Vite modulepreload polyfill patterns, not malware. | ai | |
| source-diff | obfuscated-file:public/assets/index-8QTBEsxx.js | AI (source-diff): Vite-bundled frontend asset; minification is expected for a server package shipping a web UI. | ai | |
| source-diff | net-exec-file:public/assets/index-DMqpBvB5.js | AI (source-diff): Network calls and dynamic DOM manipulation are normal browser-side Vite bundle behavior, not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:public/assets/index-DMqpBvB5.js | AI (source-diff): Standard Vite-bundled frontend asset; minification triggers the rule but no obfuscation or malicious payload present. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): Scoped @agentc7 package; name similarity to semver is coincidental, not impersonation. | ai | |

Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 0.0.9 | 12 / 9 | |
| 0.0.8 | 12 / 9 | |
| 0.0.7 | 12 / 9 | |
| 0.0.6 | 12 / 9 | |
| 0.0.5 | 12 / 9 | |
| 0.0.4 | 12 / 7 | |
| 0.0.3 | 12 / 7 | |
| 0.0.2 | 10 / 7 | |
| 0.0.1 | 10 / 7 | |

v0.0.9
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.7
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
2 findings
Package name '@agentc7/server' is 1 edit(s) away from popular package 'semver'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.