@adhdev/daemon-core
ADHDev daemon core — CDP, IDE detection, providers, command execution
46
Versions
AGPL-3.0-or-later
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
vilmire
Keywords
adhdevdaemoncdpide-detection
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Spawns process.execPath with process.argv.slice(1) — a self-restart/daemon pattern, not a reverse shell or miner. Stable for this daemon tooling package. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same self-restart pattern as silent-process-exec; detached spawn of the same Node process is a standard daemon restart idiom. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child process spawn config is standard for CLI tools that need to pass the current environment to subprocesses. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IP references are 127.0.0.1 (localhost) for CDP protocol communication — expected behavior for a local browser debugger integration. | ai | |
| semgrep | semgrep:http-module-request | AI (semgrep): HTTP requests target 127.0.0.1 for CDP version endpoint — standard local CDP usage, not telemetry or exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of CDP protocol response data (e.g., screenshots) is standard CDP usage. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in validate.js loads provider plugin files for validation — a legitimate plugin loader pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used to run 'which' to check command availability — standard CLI tool pattern. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common (~88% of npm packages); not a disqualifier on its own for this package. | ai |
Versions (showing 46 of 346)
| Version | Deps | Published |
|---|---|---|
| 0.5.61 | 4 / 4 | |
| 0.5.60 | 4 / 4 | |
| 0.5.58 | 4 / 4 | |
| 0.5.57 | 4 / 4 | |
| 0.5.56 | 4 / 4 | |
| 0.5.55 | 4 / 4 | |
| 0.5.54 | 4 / 4 | |
| 0.5.52 | 4 / 4 | |
| 0.5.51 | 4 / 4 | |
| 0.5.50 | 4 / 4 | |
| 0.5.49 | 4 / 4 | |
| 0.5.47 | 4 / 4 | |
| 0.5.46 | 4 / 4 | |
| 0.5.45 | 4 / 4 | |
| 0.5.44 | 4 / 4 | |
| 0.5.43 | 4 / 4 | |
| 0.5.42 | 4 / 4 | |
| 0.5.41 | 4 / 4 | |
| 0.5.40 | 4 / 4 | |
| 0.5.38 | 4 / 4 | |
| 0.5.37 | 4 / 4 | |
| 0.5.36 | 4 / 4 | |
| 0.5.35 | 4 / 4 | |
| 0.5.34 | 4 / 4 | |
| 0.5.33 | 4 / 4 | |
| 0.5.32 | 4 / 4 | |
| 0.5.31 | 4 / 4 | |
| 0.5.30 | 4 / 4 | |
| 0.5.29 | 4 / 4 | |
| 0.5.28 | 4 / 4 | |
| 0.5.27 | 4 / 4 | |
| 0.5.26 | 4 / 4 | |
| 0.5.25 | 4 / 4 | |
| 0.5.24 | 4 / 4 | |
| 0.5.23 | 4 / 4 | |
| 0.5.21 | 4 / 4 | |
| 0.5.20 | 4 / 4 | |
| 0.5.19 | 4 / 4 | |
| 0.5.18 | 4 / 4 | |
| 0.5.17 | 4 / 4 | |
| 0.5.16 | 4 / 4 | |
| 0.5.8 | 4 / 4 | |
| 0.5.7 | 4 / 4 | |
| 0.5.6 | 4 / 4 | |
| 0.5.5 | 4 / 4 | |
| 0.5.3 | 4 / 4 |