@cortexkit/aft-opencode

OpenCode plugin for Agent File Tools (AFT) — tree-sitter and lsp powered code analysis

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ismeth

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions CI/CD with SLSA provenance attestation — legitimate automation transition for this package.	ai	2026/05/30
source-diff	encoded-string-file:dist/index.js	AI (source-diff): Long base64 string is the llhttp WASM binary inside bundled undici — standard and benign.	ai	2026/05/30
phantom-deps	phantom-dep:undici	AI (phantom-deps): undici is a declared runtime dep bundled by bun; phantom-dep heuristic is a false positive here.	ai	2026/05/30
source-diff	obfuscated-file:dist/cli.js	AI (source-diff): Standard bun/esbuild bundle output; boilerplate is clearly visible in the sample, not malicious obfuscation.	ai	2026/05/26
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 127.0.0.1 localhost RPC call to a local daemon; not an exfiltration endpoint. Stable pattern for this plugin package.	ai	2026/04/29
phantom-deps	phantom-dep:@clack/prompts	AI (phantom-deps): @clack/prompts is declared as a dependency and likely used indirectly via TUI components; stable false positive for this package.	ai	2026/04/29

Versions (showing 5 of 108)

Version	Deps	Published
0.5.0	3 / 2	2026-03-24
0.4.2	3 / 2	2026-03-24
0.4.1	3 / 2	2026-03-24
0.3.0	3 / 2	2026-03-16
0.2.0	3 / 2	2026-03-15

v0.5.0

2 findings

HIGH Publisher changed: ismeth → GitHub Actions (on 2026-03-24) provenance

This version was published by a different npm account than previous versions on 2026-03-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance