@granular-software/sdk
TypeScript SDK and CLI for Granular - define, build, and deploy AI sandboxes
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/client-BVvOMfln.d.mts | AI (source-diff): TypeScript declaration file with readable JSDoc comments; long lines are bundled type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-BVvOMfln.d.ts | AI (source-diff): TypeScript declaration file with readable JSDoc comments; long lines are bundled type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-iw76FL_8.d.mts | AI (source-diff): TypeScript declaration file (.d.mts); long lines are bundled type definitions, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/client-iw76FL_8.d.ts | AI (source-diff): TypeScript declaration file (.d.ts); long lines are bundled type definitions, not obfuscated code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of two large 85KB declaration files. | ai | |
| source-diff | obfuscated-file:dist/client-Cq8onk2D.d.ts | AI (source-diff): Same file as .d.mts counterpart; declaration-only, no runtime code. | ai | |
| source-diff | obfuscated-file:dist/client-Cq8onk2D.d.mts | AI (source-diff): TypeScript declaration file with readable JSDoc; long lines are bundled type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-BQw_gUK3.d.mts | AI (source-diff): TypeScript declaration file with long lines from bundled type unions; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/client-BQw_gUK3.d.ts | AI (source-diff): TypeScript declaration file with long lines from bundled type unions; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/client-Zoo8YITZ.d.ts | AI (source-diff): TypeScript declaration file with long generated type lines; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/client-Zoo8YITZ.d.mts | AI (source-diff): TypeScript declaration file with long generated type lines; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/client-DLGC0mJk.d.ts | AI (source-diff): TypeScript declaration file with long lines from bundled type rollup; not executable, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/client-DLGC0mJk.d.mts | AI (source-diff): TypeScript declaration file with long lines from bundled type rollup; not executable, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/client-C2Gk641P.d.ts | AI (source-diff): TypeScript declaration file; long lines from bundled type unions, not obfuscated executable code. | ai | |
| source-diff | obfuscated-file:dist/client-C2Gk641P.d.mts | AI (source-diff): TypeScript declaration file; long lines from bundled type unions, not obfuscated executable code. | ai | |
| source-diff | obfuscated-file:dist/client-DWYdWpS-.d.ts | AI (source-diff): TypeScript declaration file with long lines from generated type unions; not executable obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-DWYdWpS-.d.mts | AI (source-diff): TypeScript declaration file with long lines from generated type unions; not executable obfuscation. | ai | |
| dependencies | unvetted-dep:@granular-software/policy-engine | AI (dependencies): First-party sibling package from same org; workspace:* constraint confirms monorepo origin. | ai | |
| source-diff | obfuscated-file:dist/client-eE9nTfvp.d.mts | AI (source-diff): TypeScript declaration file with readable JSDoc comments; long lines are generated type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-eE9nTfvp.d.ts | AI (source-diff): Same file as .d.mts counterpart; generated declaration, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/client-CigjaeO8.d.ts | AI (source-diff): TypeScript declaration file; long lines are bundled type definitions, not obfuscated executable code. | ai | |
| source-diff | obfuscated-file:dist/client-CigjaeO8.d.mts | AI (source-diff): TypeScript declaration file; long lines are bundled type definitions, not obfuscated executable code. | ai | |
| source-diff | obfuscated-file:dist/spend-rzS1rlFr.d.ts | AI (source-diff): TypeScript declaration file with JSDoc; long lines are generated type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/spend-rzS1rlFr.d.mts | AI (source-diff): TypeScript declaration file with JSDoc; long lines are generated type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-CQFKsCTd.d.mts | AI (source-diff): TypeScript declaration file with long lines from generated type unions; sample shows clean SDK type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client-CQFKsCTd.d.ts | AI (source-diff): Same as .d.mts counterpart — generated type declaration file, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/spend-tAz2a16I.d.ts | AI (source-diff): Same file as .d.mts counterpart; readable type declarations, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/spend-tAz2a16I.d.mts | AI (source-diff): TypeScript declaration file with readable JSDoc comments; long lines are bundled type unions, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Published via GitHub Actions CI; no provenance attestation but no other risk signals present. | ai | |
| phantom-deps | phantom-dep:@granular-software/metamodel-core | AI (phantom-deps): Same-org workspace dependency; not directly imported in this package but part of the monorepo build. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): CLI dependency declared in package.json; used by CLI entry point, not main library index. | ai | |
| phantom-deps | phantom-dep:zod-to-json-schema | AI (phantom-deps): Declared runtime dependency; used in SDK internals, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): CLI dependency declared in package.json; used by CLI entry point, not main library index. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): CLI dependency declared in package.json; used by CLI entry point, not main library index. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): CLI dependency declared in package.json; used by CLI entry point, not main library index. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): CLI dependency declared in package.json; used by CLI entry point, not main library index. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 0.4.42 | 9 / 11 | |
| 0.4.41 | 9 / 10 | |
| 0.4.39 | 9 / 10 | |
| 0.4.37 | 8 / 10 | |
| 0.4.35 | 7 / 10 | |
| 0.4.34 | 7 / 10 | |
| 0.4.32 | 7 / 10 | |
| 0.4.30 | 7 / 10 | |
| 0.4.29 | 7 / 10 | |
| 0.4.28 | 7 / 10 | |
| 0.4.27 | 7 / 10 | |
| 0.4.26 | 7 / 10 | |
| 0.4.24 | 7 / 10 | |
| 0.4.23 | 7 / 10 | |
| 0.4.22 | 7 / 10 | |
| 0.4.21 | 7 / 10 | |
| 0.4.20 | 7 / 10 | |
| 0.4.19 | 7 / 10 | |
| 0.4.16 | 7 / 9 | |
| 0.4.15 | 10 / 6 | |
| 0.4.14 | 10 / 6 | |
| 0.1.0 | 3 / 7 | |
v0.4.42
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.41
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.39
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.37
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.35
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.34
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.32
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.30
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.29
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.28
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.27
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.26
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.24
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.23
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.22
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.21
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.20
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.19
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.16
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.15
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.14
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.