
@kuzo-mcp/core

Core MCP server, plugin registry, loader, IPC, and plugin-host for Kuzo MCP.

Versions: 3
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation | npm registry signatures | No source commit

Maintainers

seantokuzo

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @kuzo-mcp/core; 'core' is a generic word in its own namespace, not impersonating 'cors'. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dependency; phantom-dep heuristic misfired on config-only references. | ai | |
| phantom-deps | phantom-dep:@kuzo-mcp/plugin-git-context | AI (phantom-deps): Same-org plugin dep; likely loaded dynamically at runtime rather than statically imported. | ai | |

Versions (showing 3 of 3)

Version Deps Published
0.0.3 12 / 1
0.0.2 11 / 1
0.0.1 11 / 1

v0.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.2

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@kuzo-mcp/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@kuzo-mcp/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.