# Decantr Security And Permissions

Generated from `config/package-permissions.json`. Do not edit manually. Run `node scripts/sync-security-permissions.mjs` after permission-surface changes.

This page describes the installed npm package surface, not every internal script, showcase app, fixture, or release helper in the monorepo. Static scanners that inspect the full repository can therefore report scary findings that do not ship in the packages users install.

## Quick Answers

- Decantr does not collect telemetry by default. CLI telemetry requires explicit opt-in through `--telemetry`, `decantr telemetry link --enable`, or `.decantr/project.json` with `telemetry: true`.
- Decantr browser evidence and screenshots are local artifacts under `.decantr/evidence/*`; the active Decantr 3.8 API does not accept source or screenshot uploads.
- MCP write tools are explicitly annotated and are contained to the active workspace root.
- Hosted critique/audit source upload fallbacks are retired in the active API. Compatibility flags such as `allow_hosted_upload` do not activate removed routes.
- Published packages use package `files` allowlists and the release audit runs `npm pack --dry-run --json` to prove what ships.

## Package Permission Matrix

| Package | Runtime | Filesystem | Network | Process | Telemetry | Hosted Upload | Local Artifacts | Ships |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `@decantr/essence-spec` | library | read: Explicit essence/schema paths passed to validation helpers<br>write: none<br>delete: none | outbound: none<br>inbound: no | none | none | not-supported | none | dist, schema, README.md, package.json |
| `@decantr/content` | content-corpus | read: Package-local official content JSON and schema files for local search, resolution, and validation helpers<br>write: none<br>delete: none | outbound: none<br>inbound: no | none | none | not-supported | none | dist, schemas, patterns, themes, blueprints, archetypes, shells, README.md, package.json |
| `@decantr/registry` | library | read: Explicit local content JSON paths passed to resolver helpers<br>write: none<br>delete: none | outbound: Configured Decantr API base URL for 3.x compatibility content search, resolve, and content API pack helpers<br>inbound: no | none | none | caller-controlled | none | dist, schema, README.md, package.json |
| `@decantr/css` | css-runtime | read: none<br>write: none<br>delete: none | outbound: none<br>inbound: no | none | none | not-supported | none | dist, README.md, package.json |
| `@decantr/core` | library | read: none<br>write: none<br>delete: none | outbound: none<br>inbound: no | none | none | not-supported | none | dist, schema, README.md, package.json |
| `@decantr/telemetry` | library | read: none<br>write: none<br>delete: none | outbound: Caller-configured telemetry sink endpoint<br>inbound: no | none | library-only; events are emitted only when a caller creates a client and captures an event | not-supported | none | dist, README.md, package.json |
| `@decantr/verifier` | library | read: Selected project source and stylesheet files; Decantr context files; accepted .decantr/style-bridge.json when auditProject checks style bridge drift; read-only scan files for framework, route, styling, static-host, assistant-rule, source inventory, and Decantr presence signals; built dist/.next output when auditBuiltDist or auditProject needs runtime evidence<br>write: none<br>delete: none | outbound: Loopback fetches to the verifier-owned temporary static server during built-output runtime audit; Caller-provided published-site HTTP(S) URL when probePublishedSite is explicitly invoked<br>inbound: yes | none | none | not-supported | Evidence Bundle objects returned to callers; file writes are owned by the CLI/MCP caller | dist, schema, README.md, package.json |
| `@decantr/mcp-server` | mcp-server | read: Active workspace Decantr files, including .decantr/graph typed graph artifacts; selected project files for critique/audit/evidence tools; git changed-file state for task context<br>write: decantr.essence.json through explicit write tools; .decantr/drift-log.json through explicit drift deferral<br>delete: none | outbound: Content API reads; content API pack compilation<br>inbound: no | git diff with fixed argv and shell disabled for changed-file/task impact discovery | none | not-supported in Decantr 3.8; allow_hosted_upload is retained only as a compatibility option and does not activate retired API routes | Read/write tools are contained to the active workspace root | dist, server.json, README.md, package.json |
| `@decantr/cli` | cli | read: Selected project/workspace files, including project-local Playwright and axe-core packages when browser evidence is explicitly requested; package manifests; routing/style/config files; .decantr artifacts including .decantr/graph typed graph artifacts; Decantr cache/config files<br>write: decantr.essence.json; DECANTR.md; .decantr artifacts; .decantr/drift-log.json through explicit resolve drift-log actions; generated context packs; .decantr/graph typed graph artifacts including local snapshot history; optional CI workflows/snippets; optional Cursor MCP/rule files through decantr connect cursor; optional style/export files; Decantr config for auth/telemetry when explicitly enabled<br>delete: Generated Decantr artifacts or explicit command targets such as removed generated context/theme outputs | outbound: Content API reads; content API pack hydration; opt-in telemetry endpoints; user-provided browser/base-url checks<br>inbound: yes | git diff with fixed argv; package manager/bootstrap commands with argv arrays; local Studio/browser/dev-server helper flows | disabled by default; enabled only by --telemetry, decantr telemetry link --enable, or project.json telemetry=true | not-supported in Decantr 3.8; local verify/audit/scan do not upload source | .decantr/analysis.json; .decantr/context/*; .decantr/graph/*; .decantr/evidence/*; .decantr/drift-log.json; .decantr/local-patterns*.json; .decantr/rules*.json; .decantr/style-bridge*.json; .cursor/mcp.json; .cursor/rules/decantr.mdc | dist, src/templates, src/bundled, README.md, package.json |
| `@decantr/vite-plugin` | experimental-dev-plugin | read: Vite project files during opt-in local development<br>write: none<br>delete: none | outbound: none<br>inbound: no | none | none | not-supported | none | dist, README.md, package.json |

## Scanner Notes

### `@decantr/essence-spec`

- Filesystem reads are explicit helper behavior for local validation, not background scanning.

### `@decantr/content`

- The package reads only its shipped corpus and schemas at runtime.
- Validation helpers run locally and do not call the hosted API or upload project source.

### `@decantr/registry`

- Network access is the package's 3.x compatibility API client surface; callers choose the base URL and operation. Retired critique/audit/publish methods remain legacy code paths but are no longer served by the active API.
- New local official-corpus integrations should prefer @decantr/content.

### `@decantr/css`

- The CSS package is a legacy optional atom runtime and does not inspect projects.
- It is no longer the default Decantr greenfield adoption path.

### `@decantr/core`

- Schema URLs in emitted packs are identifiers, not network calls by themselves.

### `@decantr/telemetry`

- The package defines telemetry contracts and clients; it does not auto-start collection.

### `@decantr/verifier`

- scanProject is read-only and returns relative evidence; it does not write artifacts, install dependencies, build projects, execute scripts, or open pull requests.
- probePublishedSite fetches HTML metadata and asset hints over HTTP(S) only; it does not execute JavaScript or capture browser screenshots.
- Runtime audit starts a local loopback server for already-built assets; it does not contact external hosts.

### `@decantr/mcp-server`

- MCP write tools are annotated as write tools and use workspace-root path containment.
- Hosted source upload fallbacks are retired in the active API.

### `@decantr/cli`

- The CLI is intentionally a local project inspector and artifact writer.
- decantr scan is local read-only reconnaissance; it writes no .decantr directory or report files and does not upload source.
- Process execution is limited to fixed command/argv paths; shell execution is avoided in shipped workflow code.
- Visual evidence screenshots remain local in Decantr 3.8.
- Optional axe accessibility evidence loads only a project/workspace-local axe-core package and records local probe summaries.

### `@decantr/vite-plugin`

- Experimental sidecar; not part of the default reliability layer or publish wave.

## Release Checks

The normal package-surface audit now verifies both the support matrix and the permission surface:

```bash
pnpm audit:package-surface
```

For permission-only work, run:

```bash
pnpm audit:package-permissions
```

The audit checks every public package in `config/package-surface.json`, validates that the permissions manifest covers it, runs `npm pack --dry-run --json`, rejects install-time lifecycle scripts, and compares this generated document against the checked-in copy.
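
The checks listed above, sketched as an added example (not Decantr's audit script): the function takes parsed `npm pack --dry-run --json` output, a `package.json` object and a permissions map, and reports uncovered packages, install-time lifecycle scripts and packed files outside the "Ships" allowlist. The function names, the `ships` map shape, the choice of `preinstall`/`install`/`postinstall` and the sample data are assumptions.

```javascript
// Added example: names, manifest shape and sample data are constructed,
// not taken from Decantr's audit scripts.
const INSTALL_TIME_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// True when a packed path is an allowed file or sits under an allowed directory.
// Matching on `entry + '/'` keeps `distfoo/x.js` from passing as `dist`.
function isAllowed(filePath, ships) {
  return ships.some((entry) => filePath === entry || filePath.startsWith(entry + '/'));
}

// packJson: parsed stdout of `npm pack --dry-run --json` (array, one entry per package).
// manifest: package.json contents.
// permissions: { [packageName]: { ships: [...] } } (assumed shape).
function auditPackage(packJson, manifest, permissions) {
  const findings = [];
  const entry = permissions[manifest.name];
  if (!entry) {
    findings.push(`permissions manifest has no entry for ${manifest.name}`);
    return findings;
  }
  for (const name of INSTALL_TIME_SCRIPTS) {
    if (manifest.scripts && name in manifest.scripts) {
      findings.push(`install-time lifecycle script: ${name}`);
    }
  }
  for (const pack of packJson) {
    for (const file of pack.files) {
      if (!isAllowed(file.path, entry.ships)) {
        findings.push(`unexpected packed file: ${file.path}`);
      }
    }
  }
  return findings;
}

// Constructed sample input, modelled on the `@decantr/css` row of the matrix.
const permissions = { '@decantr/css': { ships: ['dist', 'README.md', 'package.json'] } };
const cleanManifest = { name: '@decantr/css', scripts: { build: 'tsc' } };
const cleanPack = [{ name: '@decantr/css', files: [
  { path: 'dist/index.js' }, { path: 'README.md' }, { path: 'package.json' },
] }];
const badManifest = { name: '@decantr/css', scripts: { postinstall: 'node setup.js' } };
const badPack = [{ name: '@decantr/css', files: [
  { path: 'dist/index.js' }, { path: 'scripts/release.mjs' }, { path: 'distfoo/x.js' },
] }];

console.log(auditPackage(cleanPack, cleanManifest, permissions));
console.log(auditPackage(badPack, badManifest, permissions));
```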