@cerefox/codefactory Apache-2.0 7 versions

@cerefox/codefactory

npm Repository Homepage

Cerefox Code Factory (cf²) -- deterministic orchestration harness for AI coding agents

7

Versions

Apache-2.0

License

Yes

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

fstamatelopoulos

Keywords

aiagentorchestrationclaudecodexcoding-agentclicfcfcode-factorycerefox

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	encoded-string-file:dist/cfcf.js	AI (source-diff): Encoded strings are base64 help/documentation content stored in HELP_TOPICS.contentBase64 fields, not obfuscated payloads.	ai	2026/05/10
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall installs shell completions via the package's own CLI binary; no network fetch or arbitrary code execution.	ai	2026/05/06
phantom-deps	phantom-dep:hono	AI (phantom-deps): hono is a declared runtime dependency; phantom-dep heuristic is a false positive for this package.	ai	2026/05/06
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is a declared runtime dependency; phantom-dep heuristic is a false positive for this package.	ai	2026/05/06

Versions (showing 7 of 7)

Version	Deps	Published
0.24.5	3 / 0	2026-05-19
0.24.1	3 / 0	2026-05-12
0.23.1	3 / 0	2026-05-10
0.23.0	3 / 0	2026-05-10
0.19.0	3 / 0	2026-05-05
0.16.4	3 / 0	2026-05-01
0.16.2	3 / 0	2026-05-01

v0.24.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.24.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.23.1

2 findings

HIGH Long encoded string in modified file: dist/cfcf.js source-diff

Modified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.23.0

2 findings

HIGH Long encoded string in modified file: dist/cfcf.js source-diff

Modified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: bun ./bin/cfcf.js completion install || true

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.4

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: bun ./bin/cfcf.js completion install || true

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.2

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: bun ./bin/cfcf.js completion install || true

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.