agent: lumotia — supply-chain pre-flight (npm audit signatures + install discipline)
Adds defence-in-depth against npm-worm attacks (Shai-Hulud / mini-Shai-Hulud). - run.sh: gates dev launch on `npm audit signatures` whenever package-lock.json is newer than .lumotia-last-audit. Fails loud on signature mismatch. Skip with LUMOTIA_SKIP_AUDIT=1 for offline dev. - README: documents `npm ci --ignore-scripts` as the install discipline (blocks the postinstall vector worms exploit) and explains the audit hook. - .gitignore: excludes the per-clone audit stamp. Lumotia's current tree (192 packages) cross-references clean against the mini-Shai-Hulud affected-package list — this is preventive, not remedial.
This commit is contained in:
1
.gitignore
vendored
1
.gitignore
vendored
@@ -6,3 +6,4 @@ dist/
|
||||
.firecrawl/
|
||||
.worktrees/
|
||||
.cargo/
|
||||
.lumotia-last-audit
|
||||
|
||||
Reference in New Issue
Block a user