@desplega.ai/agent-swarm
Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants
Versions: 1
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
tarasyarema3z3
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@earendil-works/pi-agent-core | AI (phantom-deps): Referenced in config/re-exported; common for plugin-style deps. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Used in secret-scrubber utility that filters keys by sensitivity — expected pattern. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): AES key parsing from hex/base64 input in crypto bootstrap — legitimate cryptographic use. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): AES key parsing from base64 input in crypto bootstrap — legitimate cryptographic use. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 localhost loopback for OAuth callback binding — not exfiltration. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreads process.env only to add a single override key for a subprocess; not exfiltration. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only package; framework-scoped, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:zod-to-json-schema | AI (phantom-deps): Referenced in config/build files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-devtools-core | AI (phantom-deps): Dev tooling dependency; loaded by convention not direct import. | ai | |
| phantom-deps | phantom-dep:@mariozechner/pi-agent-core | AI (phantom-deps): Plugin/config reference; stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in sandboxed code-match executor with explicit SANDBOX_KEYS scoping — documented pattern. | ai | |
Versions (showing 1 of 111)
| Version | Deps | Published |
|---|---|---|
| 1.0.1 | 7 / 2 | |
v1.0.1: 1 finding
LOW: No provenance attestation (provenance)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.