
@powerhousedao/reactor-api

A powerful API server implementation for the Powerhouse ecosystem that provides GraphQL capabilities, document processing, and package management.

Versions: 17
License: AGPL-3.0-only
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

acaldas.powerhouse, memo.dev, ryanwolhuterprometheus-phcallme-tfroidliberuum

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/index.d.mts | AI (source-diff): Type declaration file with long lines from bundled types; not obfuscation. | ai |
phantom-deps | phantom-dep:@as-integrations/express4 | AI (phantom-deps): Listed in package.json dependencies; used via config/indirect reference, stable false positive for this package. | ai |
source-diff | obfuscated-file:dist/index.mjs | AI (source-diff): Standard tsdown-bundled ESM output; long lines are minified bundle, not obfuscation. Imports are readable and legitimate. | ai |
source-diff | large-new-source-files | AI (source-diff): 34 new files consistent with OpenTelemetry integration and feature expansion; SLSA provenance confirms CI build. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): All 6 new deps are official @opentelemetry packages; no suspicious or unknown packages introduced. | ai |
phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): @types/ws is a TypeScript type package legitimately listed as a runtime dep for downstream TypeScript consumers; stable pattern for this package. | ai |
dependencies | unvetted-dep:@powerhousedao/document-engineering | AI (dependencies): First-party Powerhouse org dependency; consistent with the package's ecosystem context. | ai |
dependencies | unvetted-dep:@powerhousedao/analytics-engine-graphql | AI (dependencies): First-party Powerhouse org dependency; consistent with the package's ecosystem context. | ai |
dependencies | unvetted-dep:document-drive | AI (dependencies): document-drive is a first-party Powerhouse ecosystem dependency pinned to the same version (5.0.1); not a third-party unknown. | ai |
phantom-deps | phantom-dep:@graphql-typed-document-node/core | AI (phantom-deps): @graphql-typed-document-node/core is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:wildcard-match | AI (phantom-deps): wildcard-match is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:ms | AI (phantom-deps): ms is declared as a runtime dependency in package.json; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:siwe | AI (phantom-deps): siwe is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:ethers | AI (phantom-deps): ethers is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:nanoevents | AI (phantom-deps): nanoevents is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:drizzle-kit | AI (phantom-deps): drizzle-kit is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:drizzle-orm | AI (phantom-deps): drizzle-orm is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): jsonwebtoken is declared as a runtime dependency; phantom detection reflects config-file-only reference, not a security issue for this package. | ai |
provenance | slsa-provenance | AI (provenance): Package has SLSA provenance attestation via Sigstore CI/CD; strong supply chain integrity signal for this package. | ai |
license | copyleft-license:AGPL-3.0-only | AI (license): AGPL-3.0 is the declared license for this package; licensing concern, not a security issue. | ai |

Versions (showing 17 of 17)

Version | Deps | Published
6.1.0 | 38 / 22 |
6.0.0 | 44 / 16 |
5.3.6 | 50 / 27 |
5.3.5 | 50 / 27 |
5.3.4 | 50 / 27 |
5.3.3 | 50 / 27 |
5.3.2 | 50 / 27 |
5.3.1 | 50 / 27 |
5.1.0 | 45 / 24 |
5.0.11 | 45 / 24 |
5.0.9 | 45 / 24 |
5.0.7 | 41 / 24 |
5.0.4 | 41 / 24 |
5.0.3 | 40 / 24 |
5.0.2 | 40 / 24 |
5.0.1 | 40 / 24 |
5.0.0 | 40 / 24 |

v6.1.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

4 findings
HIGH: Publisher changed: acaldas.powerhouse → memo.dev (on 2026-05-21) [provenance]

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

HIGH: New obfuscated file: dist/index.mjs [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH: New obfuscated file: dist/index.d.mts [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.6

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.