@cleocode/core — Greenflagged

CLEO core business logic kernel — tasks, sessions, memory, orchestration, lifecycle, with bundled SQLite store

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kryptobaseddev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:env-paths	AI (phantom-deps): env-paths is a declared runtime dep used via config files, not direct import; stable false positive for this package.	ai	2026/06/12
source-diff	obfuscated-file:dist/gateway-client/generated/index.js	AI (source-diff): Auto-generated OpenAPI barrel export from @hey-api/openapi-ts; long lines are export lists, not obfuscation.	ai	2026/06/11
source-diff	obfuscated-file:dist/gateway-client/generated/namespaces.gen.js	AI (source-diff): Auto-generated SDK namespace grouping file; header comment confirms codegen origin.	ai	2026/06/11
source-diff	obfuscated-file:dist/internal.js	AI (source-diff): Standard esbuild bundle boilerplate with source comments; not obfuscated malware.	ai	2026/06/08
source-diff	net-exec-file:dist/internal.js	AI (source-diff): Network+exec pattern is bundler runtime shim, not dropper behavior; SLSA provenance confirms CI build.	ai	2026/06/08
install-scripts	install-script:postinstall	AI (install-scripts): Named script file shipped in package files; consistent with prebuilt binary fetch for a native supervisor component.	ai	2026/06/07
phantom-deps	phantom-dep:@cleocode/agents	AI (phantom-deps): Same-org scoped package in a monorepo; phantom dep pattern is consistent with the other accepted @cleocode phantom deps in this package.	ai	2026/04/26
phantom-deps	phantom-dep:tree-sitter-javascript	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-python	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-ruby	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-typescript	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
phantom-deps	phantom-dep:pino-roll	AI (phantom-deps): pino-roll is a pino transport loaded by name in config rather than via direct import — standard pino transport pattern.	ai	2026/04/25
phantom-deps	phantom-dep:@cleocode/skills	AI (phantom-deps): Same-org package likely loaded dynamically or referenced indirectly; phantom-dep false positive for intra-monorepo dependencies.	ai	2026/04/25
phantom-deps	phantom-dep:@cleocode/adapters	AI (phantom-deps): Same-org package likely loaded dynamically or referenced indirectly; phantom-dep false positive for intra-monorepo dependencies.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-rust	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
semgrep	semgrep:hex-decode	AI (semgrep): Fires on test files using hardcoded zero-byte test vectors — standard unit test pattern for crypto KDF testing, not a malicious payload.	ai	2026/04/25
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Fires on 127.0.0.1 in a unit test for HTTP gate validation — localhost address in test code, not a real network exfiltration endpoint.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-c	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports — phantom-dep detection is a known false positive for this pattern.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-cpp	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-go	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
phantom-deps	phantom-dep:tree-sitter-java	AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports.	ai	2026/04/25
typosquat	typosquat.levenshtein:cors	AI (typosquat): @cleocode/core is a scoped package in the @cleocode org ecosystem, not a typosquat of 'cors'. The name reflects its role as the core library; no impersonation intent.	ai	2026/04/25
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decode is used in a standard AES-GCM decryption function in credentials.ts — legitimate cryptographic code, not obfuscated payload.	ai	2026/04/25
semgrep	semgrep:env-spread	AI (semgrep): env-spread occurs in test files passing process.env to child git processes with specific overrides — standard test pattern, not credential exfiltration.	ai	2026/04/25

Versions (showing 8 of 132)

Version	Deps	Published
2026.3.43	14 / 2	2026-03-20
2026.3.42	14 / 2	2026-03-19
2026.3.41	14 / 2	2026-03-19
2026.3.40	14 / 2	2026-03-19
2026.3.39	14 / 2	2026-03-19
2026.3.38	14 / 2	2026-03-19
2026.3.37	14 / 2	2026-03-19
2.0.0	14 / 2	2026-03-19