id: "js-express-guarded:004"
language: js
project: express-guarded
version: "1.0.0"
description: "Admin exec guarded by ALLOW_EXEC flag; unreachable by default"
entrypoints:
  - "POST /api/admin/exec"
sinks:
  - id: "ExpressGuarded::exec"
    path: "src/app.js::createServer"
    kind: "process"
    location:
      file: src/app.js
      line: 16
    notes: "eval(code) gated by ALLOW_EXEC"
environment:
  os_image: "node:20-alpine"
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000
build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/binary.tar.gz
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
test:
  command: "./tests/run-tests.sh"
  expected_coverage:
    - outputs/coverage.json
  expected_traces:
    - outputs/traces/traces.json
ground_truth:
  summary: "Guard prevents sink unless ALLOW_EXEC=true"
  evidence_files:
    - "../benchmark/truth/js-express-guarded.json"