@draht/ai
Unified LLM API with automatic model discovery and provider configuration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:proxy-agent | AI (phantom-deps): proxy-agent is a declared runtime dep used transitively; phantom-dep heuristic fires but it's a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@smithy/types | AI (phantom-deps): Framework-scoped type package; not directly imported but legitimately declared as a peer/runtime dep. | ai | |
| phantom-deps | phantom-dep:proxy-from-env | AI (phantom-deps): Proxy utility used transitively; stable false positive for this package. | ai | |
| provenance | missing-githead | AI (provenance): Likely a one-off publish environment change; no other risk signals present and no code/dep changes from prior approved version. | ai | |
| phantom-deps | phantom-dep:@mistralai/mistralai | AI (phantom-deps): Declared runtime dep used via config/indirect import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is a declared runtime dep used in CLI output; phantom-dep heuristic false positive. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of hapi; Levenshtein match is coincidental. | ai | |
| phantom-deps | phantom-dep:zod-to-json-schema | AI (phantom-deps): zod-to-json-schema is a declared runtime dep; phantom-dep heuristic false positive for config-referenced deps. | ai | |
| phantom-deps | phantom-dep:undici | AI (phantom-deps): undici is a declared runtime dep; known implicit/indirect usage pattern for HTTP clients. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of pg; Levenshtein match is coincidental. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of qs; Levenshtein match is coincidental. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of joi; Levenshtein match is coincidental. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): @draht/ai is a scoped LLM SDK, not a typosquat of ajv; Levenshtein match is coincidental. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 2026.6.11 | 16 / 3 | |
| 2026.5.12 | 14 / 3 | |
| 2026.4.26 | 14 / 3 | |
| 2026.4.25 | 14 / 3 | |
| 2026.4.23 | 14 / 3 | |
| 2026.4.5 | 14 / 3 | |
| 2026.3.25 | 14 / 3 | |
| 2026.3.14 | 14 / 3 | |
| 2026.3.6 | 13 / 3 | |
| 2026.3.5 | 13 / 3 | |
| 2026.3.4 | 13 / 3 | |
| 2026.3.3 | 13 / 3 | |
| 2026.3.2 | 13 / 3 |
v2026.6.11
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.
v2026.5.12
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.4.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.4.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.4.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.3.25
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: execute008.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.3.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.