Skip to content

Security: forafekt/devintrospect

Security

docs/security.md

Security

Packs may execute TypeScript code. Treat them like dependencies.

Trust levels:

  • official
  • user
  • workspace
  • community
  • untrusted

Safeguards:

  • Remote executable pack install requires explicit --trust.
  • Normal analysis does not require network access.
  • Workspace packs are not auto-installed.
  • User configs are never overwritten by update commands.
  • Installed pack state is tracked in packs.lock.json.

Conflict policy defaults:

{
  "conflicts": {
    "detectors": "warn",
    "extractors": "error",
    "rules": "allow",
    "schemas": "error"
  }
}

The current loader fails fast on duplicate ids so unexpected overrides cannot happen silently.

There aren't any published security advisories