Security posture

Security controls built around governed package workflows.

Package Ninja is designed to stop risky package behavior before command execution starts, then keep the resulting decision trail visible for operators. This page explains the main trust boundaries: policy enforcement, workspace identity, session handling, data handling, billing integrity, and disclosure.

Pre-execution enforcement boundary

Package Ninja resolves package policy before install, test, run, and publish side effects begin. The package-manager command path is governed before local state changes, which reduces blast radius compared to purely post-install review.

Identity and session controls

Device login uses browser-mediated approval. Access tokens are short-lived, refresh state is rotated, and the control plane treats organization and workspace authority as server-side state rather than trusting client claims.

Workspace and billing integrity

Workspace state, plan selection, and billing transitions are handled from control-plane records and verified webhook outcomes. Pending or missing billing state is not treated as active entitlement.

What this means operationally

Package Ninja is not a promise that package risk disappears. It is a control model that makes risky package actions easier to prevent, easier to review, and harder to explain away after the fact.

The hosted control plane owns workspace membership, policy state, billing state, and audit visibility. The CLI and runtime layer enforce those decisions in the command path so the safe behavior can happen before local side effects start.

That combination matters for both search and trust: Package Ninja is a governed package workflow product, not just a registry scanner or a passive vulnerability feed.

Responsible disclosure

Report security issues directly.

Contact security@packageninja.online with reproduction steps, expected behavior, observed impact, and any affected routes or CLI commands. For product support, use support@packageninja.online.

  • Include the package manager, command, and workspace state involved
  • Note whether the issue affects the hosted dashboard, CLI, or both
  • Attach relevant logs or screenshots when possible

What runs locally

The CLI and runtime evaluate the active command path on the developer machine or CI runner. Package managers still execute locally after Package Ninja allows the command.

What the control plane owns

Firebase-backed services manage identity, workspace membership, policy state, billing state, device authorization, token refresh, and audit ingestion.

What is recorded

Governed executions can record command intent, package set, policy source, allow/block/warn/bypass decision, device context, timing, and failure status for audit review.

What to avoid sending

Package Ninja should not be used to intentionally upload secrets or private source artifacts. Publish and deploy checks are built to stop accidental leakage before it ships.

Related trust material

For architecture details, use the proof page. For operational onboarding and CLI behavior, use the docs.