@aikidosec/safe-chain 0.0.1-immutable-releases-beta

package/src/shell-integration/setup.js

@@ -0,0 +1,129 @@
+import chalk from "chalk";
+import { ui } from "../environment/userInteraction.js";
+import { detectShells } from "./shellDetection.js";
+import {
+  knownAikidoTools,
+  getPackageManagerList,
+  getScriptsDir,
+} from "./helpers.js";
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+
+/** @type {string} */
+// This checks the current file's dirname in a way that's compatible with:
+//  - Modulejs (import.meta.url)
+//  - ES modules (__dirname)
+// This is needed because safe-chain's npm package is built using ES modules,
+// but building the binaries requires commonjs.
+let dirname;
+if (import.meta.url) {
+  const filename = fileURLToPath(import.meta.url);
+  dirname = path.dirname(filename);
+} else {
+  dirname = __dirname;
+}
+
+/**
+ * Loops over the detected shells and calls the setup function for each.
+ */
+export async function setup() {
+  ui.writeInformation(
+    chalk.bold("Setting up shell aliases.") +
+      ` This will wrap safe-chain around ${getPackageManagerList()}.`,
+  );
+  ui.emptyLine();
+
+  copyStartupFiles();
+
+  try {
+    const shells = detectShells();
+    if (shells.length === 0) {
+      ui.writeError("No supported shells detected. Cannot set up aliases.");
+      return;
+    }
+
+    ui.writeInformation(
+      `Detected ${shells.length} supported shell(s): ${shells
+        .map((shell) => chalk.bold(shell.name))
+        .join(", ")}.`,
+    );
+
+    let updatedCount = 0;
+    for (const shell of shells) {
+      if (await setupShell(shell)) {
+        updatedCount++;
+      }
+    }
+
+    if (updatedCount > 0) {
+      ui.emptyLine();
+      ui.writeInformation(`Please restart your terminal to apply the changes.`);
+    }
+  } catch (/** @type {any} */ error) {
+    ui.writeError(
+      `Failed to set up shell aliases: ${error.message}. Please check your shell configuration.`,
+    );
+    return;
+  }
+}
+
+/**
+ * Calls the setup function for the given shell and reports the result.
+ * @param {import("./shellDetection.js").Shell} shell
+ */
+async function setupShell(shell) {
+  let success = false;
+  let error;
+  try {
+    shell.teardown(knownAikidoTools); // First, tear down to prevent duplicate aliases
+    success = await shell.setup(knownAikidoTools);
+  } catch (/** @type {any} */ err) {
+    success = false;
+    error = err;
+  }
+
+  if (success) {
+    ui.writeInformation(
+      `${chalk.bold("- " + shell.name + ":")} ${chalk.green(
+        "Setup successful",
+      )}`,
+    );
+  } else {
+    ui.writeError(
+      `${chalk.bold("- " + shell.name + ":")} ${chalk.red("Setup failed")}`,
+    );
+    if (error) {
+      let message = `  Error: ${error.message}`;
+      if (error.code) {
+        message += ` (code: ${error.code})`;
+      }
+      ui.writeError(message);
+    }
+    ui.emptyLine();
+    ui.writeInformation(`  ${chalk.bold("To set up manually:")}`);
+    for (const instruction of shell.getManualSetupInstructions()) {
+      ui.writeInformation(`    ${instruction}`);
+    }
+    ui.emptyLine();
+  }
+
+  return success;
+}
+
+function copyStartupFiles() {
+  const startupFiles = ["init-posix.sh", "init-pwsh.ps1", "init-fish.fish"];
+  const targetDir = getScriptsDir();
+
+  for (const file of startupFiles) {
+    const targetPath = path.join(targetDir, file);
+
+    if (!fs.existsSync(targetDir)) {
+      fs.mkdirSync(targetDir, { recursive: true });
+    }
+
+    // Use absolute path for source
+    const sourcePath = path.join(dirname, "startup-scripts", file);
+    fs.copyFileSync(sourcePath, targetPath);
+  }
+}

package/src/shell-integration/shellDetection.js

@@ -0,0 +1,39 @@
+import zsh from "./supported-shells/zsh.js";
+import bash from "./supported-shells/bash.js";
+import powershell from "./supported-shells/powershell.js";
+import windowsPowershell from "./supported-shells/windowsPowershell.js";
+import fish from "./supported-shells/fish.js";
+import { ui } from "../environment/userInteraction.js";
+
+/**
+ * @typedef {Object} Shell
+ * @property {string} name
+ * @property {() => boolean} isInstalled
+ * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean|Promise<boolean>} setup
+ * @property {(tools: import("./helpers.js").AikidoTool[]) => boolean} teardown
+ * @property {() => string[]} getManualSetupInstructions
+ * @property {() => string[]} getManualTeardownInstructions
+ */
+
+/**
+ * @returns {Shell[]}
+ */
+export function detectShells() {
+  let possibleShells = [zsh, bash, powershell, windowsPowershell, fish];
+  let availableShells = [];
+
+  try {
+    for (const shell of possibleShells) {
+      if (shell.isInstalled()) {
+        availableShells.push(shell);
+      }
+    }
+  } catch (/** @type {any} */ error) {
+    ui.writeError(
+      `We were not able to detect which shells are installed on your system. Please check your shell configuration. Error: ${error.message}`,
+    );
+    return [];
+  }
+
+  return availableShells;
+}

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -0,0 +1,115 @@
+set -gx PATH $PATH $HOME/.safe-chain/bin
+
+function npx
+    wrapSafeChainCommand "npx" $argv
+end
+
+function yarn
+    wrapSafeChainCommand "yarn" $argv
+end
+
+function pnpm
+    wrapSafeChainCommand "pnpm" $argv
+end
+
+function pnpx
+    wrapSafeChainCommand "pnpx" $argv
+end
+
+function bun
+    wrapSafeChainCommand "bun" $argv
+end
+
+function bunx
+    wrapSafeChainCommand "bunx" $argv
+end
+
+function npm
+    # If args is just -v or --version and nothing else, just run the `npm -v` command
+    # This is because nvm uses this to check the version of npm
+    set argc (count $argv)
+    if test $argc -eq 1
+        switch $argv[1]
+            case "-v" "--version"
+                command npm $argv
+                return
+        end
+    end
+
+    wrapSafeChainCommand "npm" $argv
+end
+
+function pip
+    wrapSafeChainCommand "pip" $argv
+end
+
+function pip3
+    wrapSafeChainCommand "pip3" $argv
+end
+
+function uv
+    wrapSafeChainCommand "uv" $argv
+end
+
+function poetry
+    wrapSafeChainCommand "poetry" $argv
+end
+
+# `python -m pip`, `python -m pip3`.
+function python
+    wrapSafeChainCommand "python" $argv
+end
+
+# `python3 -m pip`, `python3 -m pip3'.
+function python3
+    wrapSafeChainCommand "python3" $argv
+end
+
+function pipx
+    wrapSafeChainCommand "pipx" $argv
+end
+
+function printSafeChainWarning
+    set original_cmd $argv[1]
+
+    # Fish equivalent of ANSI color codes: yellow background, black text for "Warning:"
+    set_color -b yellow black
+    printf "Warning:"
+    set_color normal
+    printf " safe-chain is not available to protect you from installing malware. %s will run without it.\n" $original_cmd
+
+    # Cyan text for the install command
+    printf "Install safe-chain by using "
+    set_color cyan
+    printf "npm install -g @aikidosec/safe-chain"
+    set_color normal
+    printf ".\n"
+end
+
+function wrapSafeChainCommand
+    set original_cmd $argv[1]
+    set cmd_args $argv[2..-1]
+
+    if not type -fq $original_cmd
+       # If the original command is not available, don't try to wrap it: invoke
+       # it transparently, so the shell can report errors as if this wrapper
+       # didn't exist. fish always adds extra debug information when executing
+       # missing commands from within a function, so after the "command not
+       # found" handler, there will be information about how the
+       # wrapSafeChainCommand function errored out. To avoid users assuming this
+       # is a safe-chain bug, display an explicit error message afterwards.
+       command $original_cmd $cmd_args
+       set oldstatus $status
+       echo "safe-chain tried to run $original_cmd but it doesn't seem to be installed in your \$PATH." >&2
+       return $oldstatus
+    end
+
+    if type -q safe-chain
+        # If the safe-chain command is available, just run it with the provided arguments
+        safe-chain $original_cmd $cmd_args
+    else
+        # If the safe-chain command is not available, print a warning and run the original command
+        printSafeChainWarning $original_cmd
+        command $original_cmd $cmd_args
+    end
+end

package/src/shell-integration/startup-scripts/init-posix.sh

@@ -0,0 +1,96 @@
+export PATH="$PATH:$HOME/.safe-chain/bin"
+
+function npx() {
+  wrapSafeChainCommand "npx" "$@"
+}
+
+function yarn() {
+  wrapSafeChainCommand "yarn" "$@"
+}
+
+function pnpm() {
+  wrapSafeChainCommand "pnpm" "$@"
+}
+
+function pnpx() {
+  wrapSafeChainCommand "pnpx" "$@"
+}
+
+function bun() {
+  wrapSafeChainCommand "bun" "$@"
+}
+
+function bunx() {
+  wrapSafeChainCommand "bunx" "$@"
+}
+
+function npm() {
+  if [[ "$1" == "-v" || "$1" == "--version" ]] && [[ $# -eq 1 ]]; then
+    # If args is just -v or --version and nothing else, just run the npm version command
+    # This is because nvm uses this to check the version of npm
+    command npm "$@"
+    return
+  fi
+
+  wrapSafeChainCommand "npm" "$@"
+}
+
+function pip() {
+  wrapSafeChainCommand "pip" "$@"
+}
+
+function pip3() {
+  wrapSafeChainCommand "pip3" "$@"
+}
+
+function uv() {
+  wrapSafeChainCommand "uv" "$@"
+}
+
+function poetry() {
+  wrapSafeChainCommand "poetry" "$@"
+}
+
+# `python -m pip`, `python -m pip3`.
+function python() {
+  wrapSafeChainCommand "python" "$@"
+}
+
+# `python3 -m pip`, `python3 -m pip3'.
+function python3() {
+  wrapSafeChainCommand "python3" "$@"
+}
+
+function pipx() {
+  wrapSafeChainCommand "pipx" "$@"
+}
+
+function printSafeChainWarning() {
+  # \033[43;30m is used to set the background color to yellow and text color to black
+  # \033[0m is used to reset the text formatting
+  printf "\033[43;30mWarning:\033[0m safe-chain is not available to protect you from installing malware. %s will run without it.\n" "$1"
+  # \033[36m is used to set the text color to cyan
+  printf "Install safe-chain by using \033[36mnpm install -g @aikidosec/safe-chain\033[0m.\n"
+}
+
+function wrapSafeChainCommand() {
+  local original_cmd="$1"
+
+  if ! type -f "${original_cmd}" > /dev/null 2>&1; then
+    # If the original command is not available, don't try to wrap it: invoke it
+    # transparently, so the shell can report errors as if this wrapper didn't
+    # exist.
+    command "$@"
+    return $?
+  fi
+
+  if command -v safe-chain > /dev/null 2>&1; then
+    # If the aikido command is available, just run it with the provided arguments
+    safe-chain "$@"
+  else
+    # If the aikido command is not available, print a warning and run the original command
+    printSafeChainWarning "$original_cmd"
+
+    command "$@"
+  fi
+}

package/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -0,0 +1,171 @@
+# Use cross-platform path separator (: on Unix, ; on Windows)
+# $IsWindows is only available in PowerShell Core 6.0+. If it doesn't exist, assume Windows PowerShell
+$isWindowsPlatform = if (Test-Path variable:IsWindows) { $IsWindows } else { $true }
+$pathSeparator = if ($isWindowsPlatform) { ';' } else { ':' }
+$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
+$env:PATH = "$env:PATH$pathSeparator$safeChainBin"
+
+function npx {
+    Invoke-WrappedCommand "npx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function yarn {
+    Invoke-WrappedCommand "yarn" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function pnpm {
+    Invoke-WrappedCommand "pnpm" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function pnpx {
+    Invoke-WrappedCommand "pnpx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function bun {
+    Invoke-WrappedCommand "bun" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function bunx {
+    Invoke-WrappedCommand "bunx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function npm {
+    # If args is just -v or --version and nothing else, just run the npm version command
+    # This is because nvm uses this to check the version of npm
+    if (($args.Length -eq 1) -and (($args[0] -eq "-v") -or ($args[0] -eq "--version"))) {
+        Invoke-RealCommand "npm" $args
+        return
+    }
+
+    Invoke-WrappedCommand "npm" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function pip {
+    Invoke-WrappedCommand "pip" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function pip3 {
+    Invoke-WrappedCommand "pip3" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function uv {
+    Invoke-WrappedCommand "uv" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function poetry {
+    Invoke-WrappedCommand "poetry" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+# `python -m pip`, `python -m pip3`.
+function python {
+    Invoke-WrappedCommand 'python' $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+# `python3 -m pip`, `python3 -m pip3'.
+function python3 {
+    Invoke-WrappedCommand 'python3' $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function pipx {
+    Invoke-WrappedCommand "pipx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function Write-SafeChainWarning {
+    param([string]$Command)
+    
+    # PowerShell equivalent of ANSI color codes: yellow background, black text for "Warning:"
+    Write-Host "Warning:" -BackgroundColor Yellow -ForegroundColor Black -NoNewline
+    Write-Host " safe-chain is not available to protect you from installing malware. $Command will run without it."
+    
+    # Cyan text for the install command
+    Write-Host "Install safe-chain by using " -NoNewline
+    Write-Host "npm install -g @aikidosec/safe-chain" -ForegroundColor Cyan -NoNewline
+    Write-Host "."
+}
+
+function Test-CommandAvailable {
+    param([string]$Command)
+    
+    try {
+        Get-Command $Command -ErrorAction Stop | Out-Null
+        return $true
+    }
+    catch {
+        return $false
+    }
+}
+
+function Invoke-RealCommand {
+    param(
+        [string]$Command,
+        [string[]]$Arguments
+    )
+    
+    # Find the real executable to avoid calling our wrapped functions
+    $realCommand = Get-Command -Name $Command -CommandType Application | Select-Object -First 1
+    if ($realCommand) {
+        & $realCommand.Source @Arguments
+    }
+}
+
+function Get-ReconstructedArguments {
+    param(
+        [string]$RawLine,
+        [int]$RawOffset
+    )
+
+    if (-not $RawLine) { return $null }
+
+    $tokens = [System.Management.Automation.PSParser]::Tokenize($RawLine, [ref]$null)
+    $newArgs = @()
+    $foundCommand = $false
+
+    foreach ($t in $tokens) {
+        if (-not $foundCommand) {
+            if ($t.Start -eq ($RawOffset - 1)) { $foundCommand = $true }
+            continue
+        }
+        
+        if ($t.Type -eq 'Operator' -and $t.Content -match '[|;&]') { break }
+        
+        # Stop if complex variable expansion is used
+        if ($t.Type -eq 'Variable' -or $t.Type -eq 'Group' -or $t.Type -eq 'SubExpression') {
+            return $null
+        }
+        
+        $newArgs += $t.Content
+    }
+
+    if ($foundCommand) {
+        return ,$newArgs
+    }
+    return $null
+}
+
+function Invoke-WrappedCommand {
+    param(
+        [string]$OriginalCmd,
+        [string[]]$Arguments,
+        [string]$RawLine = $null,
+        [int]$RawOffset = 0
+    )
+
+    # Use raw line parsing to recover arguments like '--' that PowerShell consumes
+    if ($RawLine) {
+        $reconstructedArgs = Get-ReconstructedArguments $RawLine $RawOffset
+        if ($null -ne $reconstructedArgs) {
+            $Arguments = $reconstructedArgs
+        }
+    }
+
+    if ($isWindowsPlatform -and (Test-CommandAvailable "safe-chain.cmd")) {
+        & safe-chain.cmd $OriginalCmd @Arguments
+    }
+    elseif (Test-CommandAvailable "safe-chain") {
+        & safe-chain $OriginalCmd @Arguments
+    }
+    else {
+        Write-SafeChainWarning $OriginalCmd
+        Invoke-RealCommand $OriginalCmd $Arguments
+    }
+}

package/src/shell-integration/supported-shells/bash.js

@@ -0,0 +1,152 @@
+import {
+  addLineToFile,
+  doesExecutableExistOnSystem,
+  removeLinesMatchingPattern,
+} from "../helpers.js";
+import { execSync, spawnSync } from "child_process";
+import * as os from "os";
+
+const shellName = "Bash";
+const executableName = "bash";
+const startupFileCommand = "echo ~/.bashrc";
+const eol = "\n"; // When bash runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
+
+function isInstalled() {
+  return doesExecutableExistOnSystem(executableName);
+}
+
+/**
+ * @param {import("../helpers.js").AikidoTool[]} tools
+ *
+ * @returns {boolean}
+ */
+function teardown(tools) {
+  const startupFile = getStartupFile();
+
+  for (const { tool } of tools) {
+    // Remove any existing alias for the tool
+    removeLinesMatchingPattern(
+      startupFile,
+      new RegExp(`^alias\\s+${tool}=`),
+      eol
+    );
+  }
+
+  // Removes the line that sources the safe-chain bash initialization script (~/.safe-chain/scripts/init-posix.sh)
+  removeLinesMatchingPattern(
+    startupFile,
+    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
+    eol
+  );
+
+  return true;
+}
+
+function setup() {
+  const startupFile = getStartupFile();
+
+  addLineToFile(
+    startupFile,
+    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`,
+    eol
+  );
+
+  return true;
+}
+
+function getStartupFile() {
+  try {
+    var path = execSync(startupFileCommand, {
+      encoding: "utf8",
+      shell: executableName,
+    }).trim();
+
+    return windowsFixPath(path);
+  } catch (/** @type {any} */ error) {
+    throw new Error(
+      `Command failed: ${startupFileCommand}. Error: ${error.message}`
+    );
+  }
+}
+
+/**
+ * @param {string} path
+ *
+ * @returns {string}
+ */
+function windowsFixPath(path) {
+  try {
+    if (os.platform() !== "win32") {
+      return path;
+    }
+
+    // On windows cygwin bash, paths are returned in format /c/user/..., but we need it in format C:\user\...
+    // To convert, the cygpath -w command can be used to convert to the desired format.
+    // Cygpath only exists on Cygwin, so we first check if the command is available.
+    // If it is, we use it to convert the path.
+    if (hasCygpath()) {
+      return cygpathw(path);
+    }
+
+    return path;
+  } catch {
+    return path;
+  }
+}
+
+function hasCygpath() {
+  try {
+    var result = spawnSync("where", ["cygpath"], { shell: executableName });
+    return result.status === 0;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * @param {string} path
+ *
+ * @returns {string}
+ */
+function cygpathw(path) {
+  try {
+    var result = spawnSync("cygpath", ["-w", path], {
+      encoding: "utf8",
+      shell: executableName,
+    });
+    if (result.status === 0) {
+      return result.stdout.trim();
+    }
+    return path;
+  } catch {
+    return path;
+  }
+}
+
+function getManualTeardownInstructions() {
+  return [
+    `Remove the following line from your ~/.bashrc file:`,
+    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `Then restart your terminal or run: source ~/.bashrc`,
+  ];
+}
+
+function getManualSetupInstructions() {
+  return [
+    `Add the following line to your ~/.bashrc file:`,
+    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `Then restart your terminal or run: source ~/.bashrc`,
+  ];
+}
+
+/**
+ * @type {import("../shellDetection.js").Shell}
+ */
+export default {
+  name: shellName,
+  isInstalled,
+  setup,
+  teardown,
+  getManualSetupInstructions,
+  getManualTeardownInstructions,
+};