alter-runtime

v0.3.2 suspicious
6.0
Medium Risk

~Alter Identity Runtime - local sovereign daemon for the continuous identity field. Subscribes to per-~handle Cloudflare Durable Objects, exposes Unix socket + D-Bus + CLI surfaces, falls back gracefully to direct MCP polling.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits elevated risks due to potential credential harvesting and insecure practices, making it suspicious.

  • High credential risk due to accessing '/etc/shadow'
  • Shell execution without proper sanitization

Per-check LLM notes
  • Network: The use of HTTPX for network calls is common and may be legitimate, but the absence of clear documentation or purpose can raise suspicion.
  • Shell: Executing shell commands can be risky if not properly sanitized or if used to perform unintended actions. The lack of input validation here increases the risk.
  • Obfuscation: No signs of code obfuscation detected.
  • Credentials: Code attempts to access sensitive file '/etc/shadow' and uses term 'backup_repo_paths', indicative of potential credential harvesting.
  • Metadata: Suspicious non-HTTPS link and missing repository suggest potential risk.

📦 Package Quality Overall: Low (4.8/10)

✦ High Test Suite 9.0

Test suite present — 12 test file(s) found

  • Test runner config found: pyproject.toml
  • 12 test file(s) detected (e.g. test_adapter.py)

◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://truealter.com/docs/alter-runtime
  • Detailed PyPI description (9210 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 212 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • client = httpx_client or httpx.AsyncClient(timeout=FETCH_TIMEOUT_SECONDS) try: try:
  • ver - thin wrapper return httpx.AsyncClient(http2=False, follow_redirects=True) """Local adapters - amb
  • one: self._http = httpx.AsyncClient(timeout=30.0) return self._http async def close
  • one: self._http = httpx.AsyncClient( timeout=self.timeout, heade

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 4.0

Found 2 shell execution pattern(s)

  • try: completed = subprocess.run( # noqa: S603 - trusted args cmd_list,
  • try: completed = subprocess.run( # noqa: S603 list(cmd), check=Fals

Credential Harvesting score 10.0

Found 4 credential access pattern(s)

  • ce", target=Path("/etc/shadow"), bucket="backup_repo_paths", ) ms
  • = str(exc.value) assert "/etc/shadow" in msg assert "backup_repo_paths" in msg def test_ob
  • ce", target=Path("/etc/shadow"), bucket="backup_repo_paths", invo
  • by the same trust floor as ``~/.ssh/id_rsa`` but with an explicit audit boundary, an ``ingest`` ``kind

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: truealter.com

Suspicious Page Links score 2.0

Found 1 suspicious link(s) on the package page

  • Non-HTTPS external link: http://127.0.0.1:

Git Repository History score 3.0

Repository not found (deleted or private)

  • Repository not found (deleted or private)

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Blake Morrison" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with alter-runtime

Create a mini-application named 'IdentityGuard' using Python and the 'alter-runtime' package. This application will serve as a personal identity manager, allowing users to manage their digital identities securely and efficiently. The app should allow users to subscribe to their own Cloudflare Durable Objects for continuous identity updates, expose these identities through a Unix socket, D-Bus, and CLI interfaces, and fall back to direct MCP polling if needed.

Steps to create the application:
1. Install the 'alter-runtime' package.
2. Set up a configuration file where users can input their handle information.
3. Implement a function to subscribe to the user's Cloudflare Durable Object for real-time identity updates.
4. Create a Unix socket interface for other applications to query the identity data.
5. Develop a D-Bus interface to allow system services to interact with the identity data.
6. Add a command-line interface (CLI) for manual interaction and management of the identity data.
7. Implement a fallback mechanism to directly poll the MCP (Machine Credential Protocol) for identity data if the primary methods fail.
8. Ensure all interactions are secure and follow best practices for handling sensitive identity information.

Suggested Features:
- Real-time updates of identity information.
- Secure storage and retrieval of identity data.
- Command-line options for common tasks like fetching current identity status, updating contact information, etc.
- Integration with other services via D-Bus and Unix sockets.
- Graceful degradation in case of network failures or other issues, ensuring identity data remains accessible.

The 'alter-runtime' package will be used to handle the subscription to the Cloudflare Durable Objects, expose the necessary interfaces, and manage the fallback mechanisms. It will provide the core functionality for managing and accessing the user's identity data.