npm analyzed 7.11.2

@adcp/sdk

v7.11.2

npm

AdCP SDK — client, server, and compliance harnesses for the AdContext Protocol (MCP + A2A)

maintainer: elmulitz
license: Apache-2.0
first seen: 2026-05-30
last seen: 2026-06-16
releases · 30d: 37
short id

Drift inferred · capture-to-capture

No drift recorded — single capability capture; advisories appear once its surface changes.

capabilities 0 tools

transport stdio · streamable-http · http counts 0 tools · 0 res · 0 prompts permission surface via code analysis

no tools enumerated yet for this server.

skills & danger signals npm-tarball

prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed v7.11.2 · analyzer v18 · 11h ago

skills & prompt files 29

code evidence v7.11.2 · npm-tarball

evidence-backed findings quoted directly from the published source artifact — not inferred

filesystem 21

fs package/bin/adcp-config.js :7 const fs = require('fs');
fs package/bin/adcp-registry.js :8 const { readFileSync } = require('fs');
fs package/bin/adcp-signing.js :4 const { readFileSync, writeFileSync, existsSync } = require('node:fs');
fs package/bin/adcp-storyboard-summary.js :18 const { writeFileSync } = require('node:fs');
fs package/bin/adcp-version-check.js :16 const fs = require('fs');
fs package/bin/adcp.js :26 const { readFileSync, statSync } = require('fs');
fs package/dist/lib/auth/oauth/file-storage.js :19 const fs_1 = require("fs");
fs package/dist/lib/conformance/schemaLoader.js :40 const fs = __importStar(require("fs"));
fs package/dist/lib/core/ConfigurationManager.js :5 const fs_1 = require("fs");
fs package/dist/lib/registry/cursor-store.js :37 const promises_1 = require("node:fs/promises");
fs package/dist/lib/server/error-arm-tools.js :31 const fs_1 = require("fs");
fs package/dist/lib/testing/storyboard/compliance.js :24 const fs_1 = require("fs");
fs package/dist/lib/testing/storyboard/loader.js :14 const fs_1 = require("fs");
fs package/dist/lib/testing/storyboard/request-signing/vector-loader.js :6 const fs_1 = require("fs");
fs package/dist/lib/testing/storyboard/sandbox-entities.js :17 const fs_1 = require("fs");
fs package/dist/lib/testing/storyboard/signer-grader/grader.js :4 const promises_1 = require("node:fs/promises");
fs package/dist/lib/testing/stubs/governance-agent-stub.js :23 const fs_1 = require("fs");
fs package/dist/lib/v2/projection/canonical-properties.js :27 const fs_1 = require("fs");
fs package/dist/lib/v2/projection/catalog.js :31 const fs_1 = require("fs");
fs package/dist/lib/v2/projection/registry.js :37 const fs_1 = require("fs");
fs package/dist/lib/validation/schema-loader.js :32 const fs_1 = require("fs");

shell / exec 4

shell package/bin/adcp-async-handler.js :13 const { spawn } = require('child_process');
shell package/bin/adcp.js :30 const { spawn } = require('child_process');
shell package/dist/lib/auth/oauth/CLIFlowHandler.js :11 const child_process_1 = require("child_process");
shell package/dist/lib/testing/stubs/governance-agent-stub.js :20 const child_process_1 = require("child_process");

network 35

net package/bin/adcp-async-handler.js :12 const http = require('http');
net package/bin/adcp-version-check.js :19 const https = require('https');
net package/bin/adcp.js :29 const net = require('net');
net package/dist/lib/auth/index.js :74 return fetch(url, {
net package/dist/lib/auth/oauth/CLIFlowHandler.js :10 const http_1 = require("http");
net package/dist/lib/core/SingleAgentClient.js :288 const sizeLimitedFetch = wrapFetchWithSizeLimit((input, init) => fetch(input, init));
net package/dist/lib/core/TaskExecutor.js :1114 // synchronously from `fetch(...)` before the promise chain catches
net package/dist/lib/mock-server/creative-ad-server/server.js :29 const node_http_1 = require("node:http");
net package/dist/lib/mock-server/creative-template/server.js :4 const node_http_1 = require("node:http");
net package/dist/lib/mock-server/sales-guaranteed/server.js :4 const node_http_1 = require("node:http");
net package/dist/lib/mock-server/sales-non-guaranteed/server.js :23 const node_http_1 = require("node:http");
net package/dist/lib/mock-server/sales-social/server.js :4 const node_http_1 = require("node:http");
net package/dist/lib/mock-server/signal-marketplace/server.js :4 const node_http_1 = require("node:http");
net package/dist/lib/mock-server/sponsored-intelligence/server.js :4 const node_http_1 = require("node:http");
net package/dist/lib/net/address-guards.js :28 const net_1 = require("net");
net package/dist/lib/net/ssrf-fetch.js :7 const undici_1 = require("undici");
net package/dist/lib/protocols/a2a.js :196 const upstream = (input, ini) => fetch(input, ini);
net package/dist/lib/protocols/mcp.js :279 const sizeLimited = (0, responseSizeLimit_1.wrapFetchWithSizeLimit)((input, init) => fetch(input, init));
net package/dist/lib/registry/index.js :636 const res = await fetch(url, { headers: this.getHeaders() });
net package/dist/lib/server/auth-introspection.js :221 const res = await fetch(args.introspectionUrl, {
net package/dist/lib/server/decisioning/tenant-registry.js :98 // reach `fetch('')` and produce an opaque error. Treat empty as
net package/dist/lib/server/pin-and-bind-fetch.js :33 const undici_1 = require("undici");
net package/dist/lib/server/serve.js :27 const http_1 = require("http");
net package/dist/lib/server/webhook-emitter.js :166 const response = await args.fetch(args.url, {
net package/dist/lib/substitution/observer/SubstitutionObserver.js :18 * Usage — preview URL fetch (applies SSRF policy):
net package/dist/lib/substitution/observer/ssrf.js :11 const node_net_1 = require("node:net");
net package/dist/lib/testing/compliance/comply.js :1237 const probe = await fetch(agentUrl, {
net package/dist/lib/testing/local-agent-runner.js :41 const node_net_1 = require("node:net");
net package/dist/lib/testing/storyboard/request-signing/grader.js :90 // fetch() and the Node URL parser normalize U-labels to A-labels before
net package/dist/lib/testing/storyboard/request-signing/probe.js :6 const undici_1 = require("undici");
net package/dist/lib/testing/storyboard/signer-grader/grader.js :230 // `fetch()` would re-introduce the SSRF / redirect-leak surface
net package/dist/lib/testing/storyboard/webhook-receiver.js :21 const node_http_1 = require("node:http");
net package/dist/lib/testing/stubs/governance-agent-stub.js :17 const http_1 = require("http");
net package/dist/lib/upstream-recorder/index.js :32 * await syncAudienceUpstream(...); // every fetch() inside is recorded
net package/dist/lib/utils/probe-policy.js :44 const node_net_1 = require("node:net");

secrets 9

secrets package/bin/adcp-fuzz.js :222 if (!options.authToken && process.env.ADCP_AUTH_TOKEN) {
secrets package/bin/adcp-registry.js :321 const apiKey = flags.auth || process.env.ADCP_REGISTRY_API_KEY;
secrets package/bin/adcp.js :591 let authToken = process.env.ADCP_AUTH_TOKEN;
secrets package/dist/lib/core/ConfigurationManager.js :172 auth_token: process.env.PREMIUM_AGENT_TOKEN,
secrets package/dist/lib/registry/index.js :36 this.apiKey = config?.apiKey ?? process.env.ADCP_REGISTRY_API_KEY;
secrets package/dist/lib/server/socket-mode/conformance-client.js :20 * token: process.env.ADCP_CONFORMANCE_TOKEN!,
secrets package/dist/lib/server/upstream-helpers.js :108 * auth: { kind: 'static_bearer', token: process.env.UPSTREAM_TOKEN! },
secrets package/dist/lib/signing/agent-fetch.js :235 * private_key: JSON.parse(process.env.ADCP_PRIV_KEY!),
secrets package/dist/lib/utils/idempotency.js :124 const value = process.env.ADCP_LOG_IDEMPOTENCY_KEYS;

database 8

db package/dist/lib/server/ctx-metadata/backends/pg.js :26 * import { Pool } from 'pg';
db package/dist/lib/server/ctx-metadata/backends/redis.js :32 * import { createClient } from 'redis';
db package/dist/lib/server/decisioning/runtime/postgres-task-registry.js :14 * import { Pool } from 'pg';
db package/dist/lib/server/idempotency/backends/redis.js :32 * import { createClient } from 'redis';
db package/dist/lib/server/postgres-state-store.js :12 * import { Pool } from 'pg';
db package/dist/lib/server/postgres-task-store.js :12 * import { Pool } from 'pg';
db package/dist/lib/signing/postgres-replay-store.js :14 * import { Pool } from 'pg';
db package/dist/lib/signing/redis-replay-store.js :63 * import { createClient } from 'redis';

tool registrations 8

get_adcp_capabilities package/dist/lib/server/create-adcp-server.js :3209
get_products package/dist/lib/server/errors.js :43
get_signals package/dist/lib/server/serve.js :14
get_adcp_capabilities package/dist/lib/testing/stubs/governance-agent-stub.js :199
sync_plans package/dist/lib/testing/stubs/governance-agent-stub.js :214
check_governance package/dist/lib/testing/stubs/governance-agent-stub.js :234
report_plan_outcome package/dist/lib/testing/stubs/governance-agent-stub.js :256
get_plan_audit_logs package/dist/lib/testing/stubs/governance-agent-stub.js :273

declared dependencies 36

@types/ws@^8.18.1
ajv@^8.18.0
ajv-formats@^3.0.1
fast-check@^3.23.2
jose@^6.2.2
secure-json-parse@^4.1.0
structured-headers@^2.0.2
tldts@^7.0.29
undici@^6.25.0
ws@^8.20.0
yaml@^2.7.1
@a2a-js/sdk@^0.3.4
@changesets/cli@^2.29.7
@commitlint/cli@^19.6.0
@commitlint/config-conventional@^19.6.0
@modelcontextprotocol/sdk@^1.29.0
@opentelemetry/api@^1.9.0
@types/express@4.17.25
@types/node@^20.19.39
@types/pg@^8.20.0
@types/tar@^6.1.13
eslint@^10.0.3
json-schema-to-typescript@^15.0.4
json-schema-to-zod@^2.6.1
openapi-typescript@^7.13.0
pg@^8.20.0
prettier@^3.6.2
redis@^4.7.0
tar@^7.5.13
ts-to-zod@^5.0.1
tsx@^4.6.0
typedoc@^0.28.13
typedoc-plugin-markdown@^4.9.0
typescript@^5.3.0
typescript-eslint@^8.57.1
zod@^4.1.12