stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules

Browse Source 
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
This commit is contained in:
master
2025-10-30 00:09:39 +02:00
parent 3154c67978
commit 7b5bdcf4d3
503 changed files with 16136 additions and 54638 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
docs/modules/scanner/operations/entrypoint-lang-node.md Normal file
View File

@@ -0,0 +1,24 @@
# Entry-Point Runtime — Node.js
## Signals to gather
- `argv0` equals `node`, `nodejs`, or path ends with `/bin/node`.
- Scripts launched via package runners (`npm`, `yarn`, `pnpm node …`, `npx`).
- Presence of `package.json` with `"main"` or `"scripts":{"start":…}` entries.
- `NODE_ENV`, `NODE_OPTIONS`, or `NPM_PACKAGE_NAME` environment hints.
- Bundler/PM2 scenarios: `pm2-runtime`, `pm2-docker`, `forever`, `nodemon`.
## Implementation notes
- Resolve script arguments (e.g., `node server.js`) relative to the working dir.
- If invoked through `npm start`/`yarn run`, parse `package.json` to expand the actual script.
- Support TypeScript loaders (`ts-node`, `node --loader`, `.mjs`) by inspecting extensions and flags.
- Normalise shebang-based Node scripts (ShellFlow ensures `#!/usr/bin/env node` collapses to Node).
## Evidence & scoring
- Boost confidence when a concrete JS/TS entry file exists.
- Add evidence for `package.json` metadata, PM2 ecosystem files, or `NODE_ENV` values.
- Penalise when the entry file is missing or only package runners are present without scripts.
## Edge cases
- Multi-service supervisors (e.g., `pm2` managing multiple apps): treat as `Supervisor` and list programmes as children.
- Serverless shims (e.g., Google Functions) wrap Node; prefer the user-provided handler script if detectable.
- Distroless snapshots may omit package managers; rely on Node binary + script presence.