@frumu/tandem-panel
Full web control center for Tandem Engine (chat, routines, swarm, memory, channels, and ops)
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:preact | AI (phantom-deps): Bundled frontend dep in Vite build; not directly imported in Node source by design. | ai | |
| phantom-deps | phantom-dep:preact-router | AI (phantom-deps): Bundled frontend dep in Vite build; not directly imported in Node source by design. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Bundled frontend dep in Vite build; not directly imported in Node source by design. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Bundled frontend dep in Vite build; not directly imported in Node source by design. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Bundled frontend dep in Vite build; not directly imported in Node source by design. | ai | |
| phantom-deps | phantom-dep:motion | AI (phantom-deps): motion is a declared dep used in a built frontend bundle; phantom-dep heuristic misses bundled usage. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child process spawn options is standard; no exfiltration path present. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IPs are 127.0.0.1 (localhost) for local service configuration; not external network calls. | ai | |
| phantom-deps | phantom-dep:@frumu/tandem-client | AI (phantom-deps): Same-org dependency declared in package.json; likely used in bundled dist output rather than direct import. | ai | |
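The phantom-dep rows above share one explanation: the dependency is imported in the frontend tree that Vite bundles, not in the Node entry points the heuristic scans. The following is an added example, not the scanner's or the Tandem project's code. It runs the same import scan over both trees and reports such dependencies as "bundled-only" instead of "phantom". The regex, the function names, the version numbers and the sample package.json and source files are constructed for the example.

```javascript
// Added example, not the scanner's code: a phantom-dependency check that
// separates "declared but imported nowhere" from "declared and imported only
// in the frontend tree that Vite bundles", the case accepted in the table above.

// Matches the module specifier in require("x"), import "x", import x from "x",
// export ... from "x" and import("x").
const SPECIFIER_RE = /(?:\brequire\s*\(\s*|\bfrom\s+|\bimport\s*\(\s*|^\s*import\s+)["']([^"']+)["']/gm;

// Package name of a bare specifier: "preact/hooks" -> "preact",
// "@tanstack/react-query/build" -> "@tanstack/react-query"; null for
// relative, absolute and node: specifiers.
function packageName(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Set of package names imported anywhere in a { path: sourceText } map.
function importedPackages(files) {
  const found = new Set();
  for (const text of Object.values(files)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      const name = packageName(match[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Classify each declared dependency. A heuristic that only looks at nodeFiles
// reports everything else as phantom; scanning the frontend tree as well turns
// bundled deps into "bundled-only".
function classifyDependencies(pkg, nodeFiles, frontendFiles) {
  const inNode = importedPackages(nodeFiles);
  const inFrontend = importedPackages(frontendFiles);
  const result = {};
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (inNode.has(name)) result[name] = "imported-in-node";
    else if (inFrontend.has(name)) result[name] = "bundled-only";
    else result[name] = "phantom";
  }
  return result;
}

// Constructed sample inputs: versions, file contents and the unused
// "left-pad" entry are made up for this example.
const SAMPLE_PKG = {
  dependencies: {
    preact: "^10.0.0",
    "preact-router": "^4.0.0",
    "@tanstack/react-query": "^5.0.0",
    marked: "^12.0.0",
    dompurify: "^3.0.0",
    "@frumu/tandem-client": "^0.4.0",
    "left-pad": "^1.3.0",
  },
};
const SAMPLE_NODE_FILES = {
  "bin/setup.js": 'const { spawn } = require("node:child_process");\nconst path = require("node:path");\n',
};
const SAMPLE_FRONTEND_FILES = {
  "src/app.tsx": [
    'import { h, render } from "preact";',
    'import Router from "preact-router";',
    'import { QueryClient } from "@tanstack/react-query";',
    'import { marked } from "marked";',
    'import DOMPurify from "dompurify";',
    'import { createClient } from "@frumu/tandem-client";',
    'import "./styles.css";',
  ].join("\n"),
};

function classifySample() {
  return classifyDependencies(SAMPLE_PKG, SAMPLE_NODE_FILES, SAMPLE_FRONTEND_FILES);
}
```

In a real run the two maps come from walking the Node entry points (here bin/) and the Vite source root separately. The regex misses specifiers assembled at runtime, so treat a "phantom" result as a prompt to look, not as proof the dependency is unused.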
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.4.5 | 9 / 9 | |
| 0.4.3 | 9 / 9 | |
| 0.4.0 | 4 / 5 | |
| 0.3.28 | 4 / 5 | |
| 0.3.27 | 3 / 5 | |
v0.4.5
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/e71e4ecf844ae871b00bd0d7bfec993522998aa9/bin/setup.js#L1065
```js
1063 |   ],
1064 |   {
> 1065 |     env: {
1066 |       ...process.env,
1067 |       TANDEM_API_TOKEN: managedEngineToken,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.3
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/5a5f65a38726b4bf6d88e2a224da5329cfe111a1/bin/setup.js#L1065
```js
1063 |   ],
1064 |   {
> 1065 |     env: {
1066 |       ...process.env,
1067 |       TANDEM_API_TOKEN: managedEngineToken,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/67aefa4b88425fb44a37e50b4a5c661fc5c8684d/bin/setup.js#L620
```js
618 |   [engineEntrypoint, "serve", "--hostname", url.hostname, "--port", String(url.port || ENGINE_PORT)],
619 |   {
> 620 |     env: {
621 |       ...process.env,
622 |       TANDEM_API_TOKEN: managedEngineToken,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/67aefa4b88425fb44a37e50b4a5c661fc5c8684d/bin/setup.js#L1089
```js
1087 | const child = spawn(process.execPath, [managerPath, objective], {
1088 |   cwd: workspaceRoot,
> 1089 |   env: {
1090 |     ...process.env,
1091 |     TANDEM_BASE_URL: ENGINE_URL,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.28
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/ba9c1c36965083d462700d66756cc5ed5175d83a/bin/setup.js#L620
```js
618 |   [engineEntrypoint, "serve", "--hostname", url.hostname, "--port", String(url.port || ENGINE_PORT)],
619 |   {
> 620 |     env: {
621 |       ...process.env,
622 |       TANDEM_API_TOKEN: managedEngineToken,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/ba9c1c36965083d462700d66756cc5ed5175d83a/bin/setup.js#L1089
```js
1087 | const child = spawn(process.execPath, [managerPath, objective], {
1088 |   cwd: workspaceRoot,
> 1089 |   env: {
1090 |     ...process.env,
1091 |     TANDEM_BASE_URL: ENGINE_URL,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.27
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/3964ffe880b281705e2181ae73ed66b72f1a5509/bin/setup.js#L620
```js
618 |   [engineEntrypoint, "serve", "--hostname", url.hostname, "--port", String(url.port || ENGINE_PORT)],
619 |   {
> 620 |     env: {
621 |       ...process.env,
622 |       TANDEM_API_TOKEN: managedEngineToken,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/frumu-ai/tandem/blob/3964ffe880b281705e2181ae73ed66b72f1a5509/bin/setup.js#L1089
```js
1087 | const child = spawn(process.execPath, [managerPath, objective], {
1088 |   cwd: workspaceRoot,
> 1089 |   env: {
1090 |     ...process.env,
1091 |     TANDEM_BASE_URL: ENGINE_URL,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
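The env-spread finding reported for every version above, and the accepted-risk reason that spreading process.env into spawn options is standard with no exfiltration path, both turn on what the child process inherits. The following is an added example, not code from the Tandem project or the scanner. It builds the child's environment from an explicit allowlist plus the values the child actually needs, and reports which credential-looking host variables a `...process.env` spread would have handed over. `HOST_ALLOWLIST`, the `TANDEM_` prefix rule, `SECRET_PATTERN`, `buildChildEnv`, `spreadLeaks`, `engineSpawnSpec` and the sample host environment are assumptions of this example.

```javascript
// Added example, not the Tandem project's code: replaces
//   env: { ...process.env, TANDEM_API_TOKEN: managedEngineToken }
// with an allowlisted environment for the spawned engine.

// Host variables a Node child generally needs to start at all (assumed list).
const HOST_ALLOWLIST = [
  "PATH", "HOME", "USER", "SHELL", "TMPDIR", "TEMP", "TMP",
  "LANG", "LC_ALL", "SystemRoot", "SYSTEMROOT", "NODE_OPTIONS",
];

// Names that usually carry credentials; used only to audit what a spread leaks.
const SECRET_PATTERN = /TOKEN|SECRET|PASSW|API_KEY|PRIVATE_KEY|CREDENTIAL/i;

// Build the child's env from allowlisted host vars, host vars matching an
// opt-in prefix (assumed here: "TANDEM_"), and explicit values from the caller.
function buildChildEnv(hostEnv, explicit, { allowlist = HOST_ALLOWLIST, prefixes = [] } = {}) {
  const env = {};
  for (const key of allowlist) {
    if (hostEnv[key] !== undefined) env[key] = hostEnv[key];
  }
  for (const [key, value] of Object.entries(hostEnv)) {
    if (prefixes.some((p) => key.startsWith(p))) env[key] = value;
  }
  for (const [key, value] of Object.entries(explicit)) {
    if (value !== undefined) env[key] = String(value);
  }
  return env;
}

// Credential-looking host variables that `...process.env` would pass on but
// the allowlisted env does not.
function spreadLeaks(hostEnv, childEnv) {
  return Object.keys(hostEnv)
    .filter((key) => !(key in childEnv) && SECRET_PATTERN.test(key))
    .sort();
}

// Spawn spec for the engine, mirroring the argv shape in the flagged snippet.
function engineSpawnSpec(entrypoint, url, token, hostEnv = process.env) {
  return {
    command: process.execPath,
    args: [entrypoint, "serve", "--hostname", url.hostname, "--port", String(url.port)],
    options: {
      env: buildChildEnv(hostEnv, { TANDEM_API_TOKEN: token }, { prefixes: ["TANDEM_"] }),
      stdio: "inherit",
    },
  };
}

function spawnEngine(entrypoint, url, token) {
  // Required here, not at module top, so the audit helpers run without it.
  const { spawn } = require("node:child_process");
  const spec = engineSpawnSpec(entrypoint, url, token);
  return spawn(spec.command, spec.args, spec.options);
}

// Constructed sample host environment for the audit (not from a real machine).
const SAMPLE_HOST_ENV = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/dev",
  TANDEM_ENGINE_PORT: "4096",
  AWS_SECRET_ACCESS_KEY: "constructed-aws-secret",
  GITHUB_TOKEN: "ghp_constructed",
  NPM_TOKEN: "npm_constructed",
  DATABASE_URL: "postgres://app:constructed@localhost/app",
};

// What the engine child would see under the allowlist, and what the spread
// would have leaked on top of that.
function auditSample() {
  const spec = engineSpawnSpec("engine.js", new URL("http://127.0.0.1:4096"), "managed-token", SAMPLE_HOST_ENV);
  return {
    args: spec.args,
    env: spec.options.env,
    leaks: spreadLeaks(SAMPLE_HOST_ENV, spec.options.env),
  };
}
```

Note that `DATABASE_URL` is withheld from the child even though it does not match `SECRET_PATTERN`: the allowlist decides what the child gets, and the pattern is only a reporting aid. `NODE_OPTIONS` stays on the list because the engine is launched with `process.execPath`; drop it if the host environment is not trusted to set Node flags.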