@powerhousedao/reactor-browser
This document contains all documentation comments for the hooks exported from `packages/reactor-browser/src/hooks/index.ts`.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index.d.ts | AI (source-diff): Bundled type declaration file from tsdown; long lines are normal for bundled .d.ts output. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): Standard tsdown/vite ESM bundle output with source maps; not malicious obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): SLSA provenance attestation confirms CI/CD build; new publisher has clean track record across 27 packages. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by active org-wide release (700 versions in registry); SLSA attestation confirms legitimate CI publish. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is @powerhousedao/reactor at matching version 5.3.2 — same org, same release train. | ai | |
| dependencies | unvetted-dep:document-drive | AI (dependencies): document-drive is a first-party Powerhouse monorepo dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@electric-sql/pglite-react | AI (phantom-deps): @electric-sql/pglite-react is declared in dependencies and used indirectly; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:did-jwt | AI (phantom-deps): did-jwt is declared in dependencies and used indirectly via bundled/re-exported code; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:did-jwt-vc | AI (phantom-deps): did-jwt-vc is declared in dependencies and used indirectly; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:uint8arrays | AI (phantom-deps): uint8arrays is declared in dependencies and used indirectly; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:did-key-creator | AI (phantom-deps): did-key-creator is declared in dependencies and used indirectly; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:@powerhousedao/config | AI (phantom-deps): Same-org package declared in dependencies; phantom-dep false positive for this monorepo-style package. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently publishes with SLSA provenance attestation via CI/CD; this is a strong integrity signal that generalizes across versions. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 6.1.0 | 20 / 26 | |
| 6.0.0 | 19 / 24 | |
| 5.3.6 | 22 / 15 | |
| 5.3.5 | 22 / 15 | |
| 5.3.3 | 22 / 15 | |
| 5.3.2 | 22 / 15 | |
| 5.0.11 | 21 / 14 | |
| 5.0.9 | 21 / 14 | |
| 5.0.6 | 21 / 14 | |
| 5.0.5 | 21 / 14 | |
| 5.0.3 | 21 / 14 | |
| 5.0.2 | 21 / 14 | |
| 5.0.1 | 21 / 14 | |
| 5.0.0 | 21 / 14 |
v6.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.