
@earendil-works/pi-coding-agent

10 Versions | License | No Install Scripts | Verified Provenance

Supply chain provenance

Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

mitsuhiko, badlogic, rwachtler

Keywords

coding-agent, ai, llm, cli, tui, agent

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:steganography-image-eval | AI (semgrep): WAD file loader in examples/doom-overlay — not runtime code, no eval of image pixel data. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Standard CJS module wrapper pattern in doom example; input is a bundled JS file, not user data. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 localhost OAuth redirect URI in example code — not a C2 or exfiltration endpoint. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): Windows toast notification helper in examples/notify.ts; execFile with fixed powershell args. | ai |
phantom-deps | phantom-dep:marked | AI (phantom-deps): marked is a declared runtime dependency; phantom-dep heuristic false positive for this package. | ai |

Versions (showing 10 of 10)

Version | Deps | Published
0.76.0 | 17 / 9 |
0.75.5 | 17 / 9 |
0.75.4 | 17 / 9 |
0.75.3 | 17 / 9 |
0.75.2 | 17 / 9 |
0.75.1 | 16 / 8 |
0.75.0 | 16 / 8 |
0.74.2 | 16 / 8 |
0.74.1 | 16 / 8 |
0.74.0 | 21 / 8 |

v0.76.0

2 findings
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO  Publisher changed: badlogic → mitsuhiko (on 2026-05-27, known maintainer)  (provenance)

This version was published by a different npm account (mitsuhiko) than the most recent previously approved version (badlogic) on 2026-05-27, but mitsuhiko is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.75.5

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.4

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.3

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.2

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.1

2 findings
HIGH  steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58  (semgrep)

Data read from image file then executed: steganography attack pattern.
Source: https://github.com/earendil-works/pi-mono/blob/73a61654af52f8b02439d697a3b74126fa6b6782/examples/extensions/doom-overlay/doom-engine.ts#L58

  56 |
  57 | // Read WAD file
> 58 | const wadData = readFileSync(this.wadPath);
  59 | const wadArray = Array.from(new Uint8Array(wadData));
  60 |

LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.75.0

2 findings
HIGH  steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58  (semgrep)

Data read from image file then executed: steganography attack pattern.
Source: https://github.com/earendil-works/pi-mono/blob/12f5c00cc1332e04d18e2120b71731627174bcc7/examples/extensions/doom-overlay/doom-engine.ts#L58

  56 |
  57 | // Read WAD file
> 58 | const wadData = readFileSync(this.wadPath);
  59 | const wadArray = Array.from(new Uint8Array(wadData));
  60 |

LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.74.2

1 finding
LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.74.1

2 findings
HIGH  steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58  (semgrep)

Data read from image file then executed: steganography attack pattern.
Source: https://github.com/earendil-works/pi-mono/blob/a015c15f5f1b572bbe8cdc00eda907193f986b53/examples/extensions/doom-overlay/doom-engine.ts#L58

  56 |
  57 | // Read WAD file
> 58 | const wadData = readFileSync(this.wadPath);
  59 | const wadArray = Array.from(new Uint8Array(wadData));
  60 |

LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.74.0

2 findings
HIGH  steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58  (semgrep)

Data read from image file then executed: steganography attack pattern.
Source: https://github.com/earendil-works/pi-mono/blob/1eee081e29c1323c40b98db11d0a62b919831881/examples/extensions/doom-overlay/doom-engine.ts#L58

  56 |
  57 | // Read WAD file
> 58 | const wadData = readFileSync(this.wadPath);
  59 | const wadArray = Array.from(new Uint8Array(wadData));
  60 |

LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.