- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
Entry-Point Runtime — Node.js
Signals to gather
- argv0 equals node, nodejs, or path ends with /bin/node.
- Scripts launched via package runners (npm, yarn, pnpm node …, npx).
- Presence of package.json with "main" or "scripts":{"start":…} entries.
- NODE_ENV, NODE_OPTIONS, or NPM_PACKAGE_NAME environment hints.
- Bundler/PM2 scenarios: pm2-runtime, pm2-docker, forever, nodemon.
Implementation notes
- Resolve script arguments (e.g., node server.js) relative to the working dir.
- If invoked through npm start/yarn run, parse package.json to expand the actual script.
- Support TypeScript loaders (ts-node, node --loader, .mjs) by inspecting extensions and flags.
- Normalise shebang-based Node scripts (ShellFlow ensures #!/usr/bin/env node collapses to Node).
Evidence & scoring
- Boost confidence when a concrete JS/TS entry file exists.
- Add evidence for package.json metadata, PM2 ecosystem files, or NODE_ENV values.
- Penalise when the entry file is missing or only package runners are present without scripts.
Edge cases
- Multi-service supervisors (e.g., pm2 managing multiple apps): treat as Supervisor and list programmes as children.
- Serverless shims (e.g., Google Functions) wrap Node; prefer the user-provided handler script if detectable.
- Distroless snapshots may omit package managers; rely on Node binary + script presence.
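
A sketch of the signals, runner expansion and scoring rules above, written as an added example and not taken from the project's own code. The function names, result shape and confidence weights (0.5 base, +0.4, -0.2, 0.2 for a bare runner) are assumptions, and the image filesystem is modelled as an in-memory map so the check never executes anything from the image.

```javascript
// Added example: weights, field names and evidence strings are illustrative assumptions.
const NODE_BIN = /(^|\/)(node|nodejs)$/;
const RUNNERS = new Set(["npm", "yarn", "pnpm", "npx"]);
const SCRIPT_EXT = /\.(js|mjs|cjs|ts)$/;

// Resolve a path against the working dir (POSIX semantics, handles "." and "..").
function resolve(cwd, p) {
  const out = [];
  for (const seg of (p.startsWith("/") ? p : `${cwd}/${p}`).split("/")) {
    if (seg === "..") out.pop();
    else if (seg && seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// files: Map of absolute path -> content, standing in for the image filesystem.
function detectNode({ argv, cwd, env = {}, files }) {
  const evidence = [];
  const viaRunner = RUNNERS.has(argv[0].split("/").pop());
  let args = argv, entry = null;
  if (viaRunner && NODE_BIN.test(argv[1] || "")) {
    args = argv.slice(1); // "pnpm node ..." form: the runner only wraps node
  } else if (viaRunner) {
    // npm start / yarn run <name>: expand the real command from package.json.
    const name = argv[1] === "run" ? argv[2] : argv[1];
    let scripts = {};
    try { scripts = JSON.parse(files.get(resolve(cwd, "package.json"))).scripts || {}; } catch (_) {}
    if (!scripts[name]) // runner present but nothing to expand: penalised
      return { runtime: "node", confidence: 0.2, entry, evidence: ["package runner without script"] };
    evidence.push(`package.json scripts.${name}`);
    args = scripts[name].trim().split(/\s+/); // naive split, ignores shell operators
  }
  if (!NODE_BIN.test(args[0])) return { runtime: null, confidence: 0, entry, evidence };
  let confidence = 0.5;
  evidence.push(`argv0=${args[0]}`);
  // First non-flag argument with a JS/TS extension is the entry candidate.
  const script = args.slice(1).find(a => !a.startsWith("-") && SCRIPT_EXT.test(a));
  const path = script && resolve(cwd, script);
  if (path && files.has(path)) {
    entry = path; confidence += 0.4; // concrete entry file exists
    evidence.push(`entry file ${path}`);
  } else confidence -= 0.2; // entry file missing or not named
  if (env.NODE_ENV) evidence.push(`NODE_ENV=${env.NODE_ENV}`);
  return { runtime: "node", confidence: Number(confidence.toFixed(2)), entry, evidence };
}

// Constructed sample snapshot (not taken from any real image).
const SAMPLE = new Map([["/app/dist/index.js", "// app"],
  ["/app/package.json", '{"scripts":{"start":"node ./dist/index.js"}}']]);
```

Calling `detectNode({ argv: ["npm", "start"], cwd: "/app", env: { NODE_ENV: "production" }, files: SAMPLE })` resolves the entry to `/app/dist/index.js`; flags that take a file value (such as a preload option) would need explicit handling before the entry search.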