@adhdev/daemon-core — Greenflagged

ADHDev daemon core — CDP, IDE detection, providers, command execution

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

vilmire

Keywords

adhdevdaemoncdpide-detection

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:silent-process-exec	AI (semgrep): Spawns process.execPath with process.argv.slice(1) — a self-restart/daemon pattern, not a reverse shell or miner. Stable for this daemon tooling package.	ai	2026/04/26
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same self-restart pattern as silent-process-exec; detached spawn of the same Node process is a standard daemon restart idiom.	ai	2026/04/26
semgrep	semgrep:env-spread	AI (semgrep): Spreading process.env into child process spawn config is standard for CLI tools that need to pass the current environment to subprocesses.	ai	2026/04/26
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): All raw IP references are 127.0.0.1 (localhost) for CDP protocol communication — expected behavior for a local browser debugger integration.	ai	2026/04/26
semgrep	semgrep:http-module-request	AI (semgrep): HTTP requests target 127.0.0.1 for CDP version endpoint — standard local CDP usage, not telemetry or exfiltration.	ai	2026/04/26
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding of CDP protocol response data (e.g., screenshots) is standard CDP usage.	ai	2026/04/26
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in validate.js loads provider plugin files for validation — a legitimate plugin loader pattern.	ai	2026/04/26
semgrep	semgrep:child-process-import	AI (semgrep): child_process used to run 'which' to check command availability — standard CLI tool pattern.	ai	2026/04/26
provenance	no-provenance	AI (provenance): No provenance is common (~88% of npm packages); not a disqualifier on its own for this package.	ai	2026/04/26

Versions (showing 51 of 346)

View all versions

Version	Deps	Published
0.9.81	9 / 6	2026-05-15
0.9.80	9 / 6	2026-05-15
0.9.79	9 / 6	2026-05-15
0.9.78	9 / 6	2026-05-15
0.9.77	9 / 6	2026-05-15
0.9.76	9 / 6	2026-05-10
0.9.75	8 / 5	2026-05-05
0.9.74	8 / 5	2026-05-05
0.9.73	8 / 5	2026-05-04
0.9.72	8 / 5	2026-05-04
0.9.71	8 / 5	2026-05-04
0.9.70	8 / 5	2026-05-04
0.9.69	8 / 5	2026-05-04
0.9.68	8 / 5	2026-05-04
0.9.67	8 / 5	2026-05-04
0.9.66	8 / 5	2026-05-04
0.9.65	8 / 5	2026-05-04
0.9.64	8 / 5	2026-05-03
0.9.63	8 / 5	2026-05-03
0.9.62	8 / 5	2026-05-02
0.9.61	8 / 5	2026-05-02
0.9.60	8 / 5	2026-05-02
0.9.59	8 / 5	2026-05-02
0.9.58	8 / 5	2026-05-02
0.9.57	8 / 5	2026-05-02
0.9.56	8 / 5	2026-05-02
0.9.55	8 / 5	2026-05-02
0.9.54	8 / 5	2026-05-01
0.9.53	8 / 5	2026-05-01
0.9.52	8 / 5	2026-05-01
0.9.51	8 / 5	2026-04-30
0.9.50	8 / 5	2026-04-30
0.9.49	8 / 5	2026-04-30
0.9.48	8 / 5	2026-04-30
0.9.47	8 / 5	2026-04-29
0.9.46	8 / 5	2026-04-29
0.9.45	8 / 5	2026-04-29
0.9.44	8 / 5	2026-04-28
0.9.43	8 / 5	2026-04-28
0.9.42	8 / 5	2026-04-28
0.9.41	8 / 5	2026-04-28
0.9.40	8 / 5	2026-04-28
0.9.39	8 / 5	2026-04-28
0.9.38	8 / 5	2026-04-27
0.9.37	8 / 5	2026-04-27
0.9.36	8 / 5	2026-04-27
0.9.35	8 / 5	2026-04-27
0.9.34	8 / 5	2026-04-27
0.9.33	8 / 5	2026-04-27
0.9.32	8 / 5	2026-04-27
0.9.31	8 / 5	2026-04-26