@b402ai/sdk
Private on-chain execution for agents. Anonymous wallets, gasless transactions, ZK-proven privacy on Base, BSC, and Arbitrum.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall patches Railgun SDK exports — documented pattern for this wrapper SDK, stable across versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in patch script to modify Railgun SDK files post-install; consistent with the package's stated purpose. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 0.5.0 | 7 / 5 | |
| 0.3.10 | 7 / 5 | |
| 0.3.9 | 7 / 5 | |
| 0.3.6 | 7 / 5 | |
| 0.3.2 | 7 / 5 | |
| 0.3.1 | 7 / 5 | |
| 0.2.0 | 7 / 5 | |
| 0.1.2 | 7 / 5 | |
| 0.1.0 | 7 / 5 | |
v0.5.0
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.10
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.9
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
2 findings
Script: node scripts/patch-exports.cjs && node scripts/patch-railgun-sdk.cjs
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.