@powerhousedao/reactor-mcp

MCP server for document model operations in the Powerhouse ecosystem. For document model creation tasks, consider using the document-model-creator agent which provides a more guided experience.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

acaldas.powerhousememo.devryanwolhuterprometheus-phcallme-tfroidliberuum

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:document-drive	AI (dependencies): document-drive is a first-party Powerhouse monorepo dependency, pinned to the same version as this package (5.0.0). Not a third-party risk.	ai	2026/04/27
license	copyleft-license:AGPL-3.0-only	AI (license): AGPL-3.0-only is the declared license for the entire Powerhouse ecosystem; this is a licensing concern, not a security issue.	ai	2026/04/27
phantom-deps	phantom-dep:@openfeature/core	AI (phantom-deps): @openfeature/core is a peer/transitive dep referenced in config; phantom finding is a stable false positive for this package.	ai	2026/04/25
phantom-deps	phantom-dep:@powerhousedao/config	AI (phantom-deps): Same-org internal package used indirectly; phantom finding is a stable false positive for this Powerhouse monorepo package.	ai	2026/04/25
phantom-deps	phantom-dep:@powerhousedao/codegen	AI (phantom-deps): Same-org internal package used indirectly; phantom finding is a stable false positive for this Powerhouse monorepo package.	ai	2026/04/25

Versions (showing 13 of 13)

Version	Deps	Published
6.1.0	10 / 4	2026-06-03
6.0.0	10 / 4	2026-05-21
5.3.6	14 / 3	2026-03-23
5.3.5	14 / 3	2026-03-06
5.3.2	14 / 3	2026-02-12
5.3.0	14 / 3	2026-02-04
5.0.12	14 / 3	2025-11-24
5.0.10	14 / 3	2025-11-19
5.0.9	14 / 3	2025-11-19
5.0.8	14 / 3	2025-11-19
5.0.5	14 / 3	2025-11-18
5.0.1	14 / 3	2025-11-03
5.0.0	14 / 3	2025-10-31

v6.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: acaldas.powerhouse → memo.dev (on 2026-05-21, known maintainer) provenance

This version was published by a different npm account (memo.dev) than the most recent previously approved version (acaldas.powerhouse) on 2026-05-21, but memo.dev is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v5.3.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.