registry  /  @david.zoufaly/noldor  /  1.0.1

@david.zoufaly/noldor@1.0.1

**A discipline framework for agent-driven software development.** One mandatory gate for every code change, features anchored in docs, and an autonomous queue that ships small work while you sleep — with a live dashboard watching the whole pipeline.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 586 file(s), 2.81 MB of source, external domains: 127.0.0.1, cdn.jsdelivr.net, cli.github.com, diataxis.fr, example.test, github.com, registry.npmjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = lefthook install || echo 'lefthook not found - skipping hook install (expected when installed as a dependency)'
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = lefthook install || echo 'lefthook not found - skipping hook install (expected when installed as a dependency)'
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/noldor-stub-gate.mjsView file
7const here = dirname(fileURLToPath(import.meta.url)); L8: const { main } = await import(resolve(here, '../src/testing/stub-gate.ts')); L9: process.exit(main(process.argv));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/noldor-stub-gate.mjsView on unpkg · L7
dist/cr/deep-review-spawn.jsView file
1import { execFile } from 'node:child_process'; L2: import { createHash } from 'node:crypto'; ... L11: return new Promise((resolveP, rejectP) => { L12: execFile(cmd, args, opts, (err, stdout, stderr) => { L13: if (err)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cr/deep-review-spawn.jsView on unpkg · L1

Findings

1 High5 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/noldor-stub-gate.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cr/deep-review-spawn.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License