Observation: heavy transitive dependency tree via @predicatesystems/runtime

[Kaspre]

Brief note from a deployment evaluation:

@predicatesystems/runtime pulls in canvas, sharp, playwright, node-llama-cpp, and koffi as transitive dependencies. For a security-focused tool, this is a large supply chain surface — especially the native addons.

We understand this likely supports the dashboard and advanced features. For our deployment, we opted for the shell hook + Rust sidecar approach (zero npm dependencies) which works well for the core authorize-or-deny use case.

Not necessarily actionable — just flagging in case it's useful context for packaging decisions. The sidecar-only path could be more prominently documented as a lightweight alternative for users who only need policy enforcement.

[rcholic]

Brief note from a deployment evaluation:

@predicatesystems/runtime pulls in canvas, sharp, playwright, node-llama-cpp, and koffi as transitive dependencies. For a security-focused tool, this is a large supply chain surface — especially the native addons.

We understand this likely supports the dashboard and advanced features. For our deployment, we opted for the shell hook + Rust sidecar approach (zero npm dependencies) which works well for the core authorize-or-deny use case.

Not necessarily actionable — just flagging in case it's useful context for packaging decisions. The sidecar-only path could be more prominently documented as a lightweight alternative for users who only need policy enforcement.

Thanks for flagging this. You hit the exact architectural tradeoff we navigated.

The @predicatesystems/runtime pulls in those heavy native addons (playwright, sharp, node-llama-cpp) specifically to support the post-execution DOM snapshotting, local trace evaluation, and built-in browser automation.

However, for strict security deployments, your approach — using the shell hook directly to the Rust sidecar — is exactly the intended "Zero-Trust / Zero-Dependency" path. The sidecar acts as a standalone Policy Decision Point (PDP) and requires zero NPM dependencies.

This is a great callout. we'll update the README this week to make the "Sidecar-Only (Zero NPM Dependencies)" deployment path a first-class, documented alternative for enterprise security teams.

I appreciate the audit and the context. @Kaspre