@aikidosec/safe-chain 1.0.22 → 1.0.24

package/README.md

@@ -4,16 +4,20 @@ The Aikido Safe Chain **prevents developers from installing malware** on their w
 
 The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm or pnpx from downloading or running the malware.
 
-![demo](https://aikido-production-staticfiles-public.s3.eu-west-1.amazonaws.com/safe-pkg.gif)
+![demo](./docs/safe-package-manager-demo.png)
 
 Aikido Safe Chain works on Node.js version 18 and above and supports the following package managers:
 
-- ✅ **npm**
-- ✅ **npx**
-- ✅ **yarn**
-- ✅ **pnpm**
-- ✅ **pnpx**
-- 🚧 **bun** Coming soon
+- ✅ full coverage: **npm >= 10.4.0**:
+- ⚠️ limited to scanning the install command arguments (broader scanning coming soon):
+  - **npm < 10.4.0**
+  - **npx**
+  - **yarn**
+  - **pnpm**
+  - **pnpx**
+- 🚧 **bun**: coming soon
+
+Note on the limited support for npm < 10.4.0, npx, yarn, pnpm and pnpx: adding **full support for these package managers is a high priority**. In the meantime, we offer limited support already, which means that the Aikido Safe Chain will scan the package names passed as arguments to the install commands. However, it will not scan the full dependency tree of these packages.
 
 # Usage
 
@@ -84,4 +88,60 @@ npm install suspicious-package --safe-chain-malware-action=prompt
 
 # Usage in CI/CD
 
-🚧 Support for CI/CD environments is coming soon...
+You can protect your CI/CD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.
+
+For optimal protection in CI/CD environments, we recommend using **npm >= 10.4.0** as it provides full dependency tree scanning. Other package managers currently offer limited scanning of install command arguments only.
+
+## Setup
+
+To use Aikido Safe Chain in CI/CD environments, run the following command after installing the package:
+
+```shell
+safe-chain setup-ci
+```
+
+This automatically configures your CI environment to use Aikido Safe Chain for all package manager commands.
+
+## Supported Platforms
+
+- ✅ **GitHub Actions**
+- ✅ **Azure Pipelines**
+
+## GitHub Actions Example
+
+```yaml
+- name: Setup Node.js
+  uses: actions/setup-node@v4
+  with:
+    node-version: "22"
+    cache: "npm"
+
+- name: Setup safe-chain
+  run: |
+    npm i -g @aikidosec/safe-chain
+    safe-chain setup-ci
+
+- name: Install dependencies
+  run: |
+    npm ci
+```
+
+## Azure DevOps Example
+
+```yaml
+- task: NodeTool@0
+  inputs:
+    versionSpec: "22.x"
+  displayName: "Install Node.js"
+
+- script: |
+    npm i -g @aikidosec/safe-chain
+    safe-chain setup-ci
+  displayName: "Install safe chain"
+
+- script: |
+    npm ci
+  displayName: "npm install and build"
+```
+
+After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.

package/bin/safe-chain.js

@@ -4,6 +4,7 @@ import chalk from "chalk";
 import { ui } from "../src/environment/userInteraction.js";
 import { setup } from "../src/shell-integration/setup.js";
 import { teardown } from "../src/shell-integration/teardown.js";
+import { setupCi } from "../src/shell-integration/setup-ci.js";
 
 if (process.argv.length < 3) {
   ui.writeError("No command provided. Please provide a command to execute.");
@@ -23,6 +24,8 @@ if (command === "setup") {
   setup();
 } else if (command === "teardown") {
   teardown();
+} else if (command === "setup-ci") {
+  setupCi();
 } else {
   ui.writeError(`Unknown command: ${command}.`);
   ui.emptyLine();
@@ -53,5 +56,10 @@ function writeHelp() {
       "safe-chain teardown"
     )}: This will remove safe-chain aliases from your shell configuration.`
   );
+  ui.writeInformation(
+    `- ${chalk.cyan(
+      "safe-chain setup-ci"
+    )}: This will setup safe-chain for CI environments by creating shims and modifying the PATH.`
+  );
   ui.emptyLine();
 }

package/docs/shell-integration.md

@@ -2,21 +2,21 @@
 
 ## Overview
 
-The shell integration automatically wraps common package manager commands (`npm`, `npx`, `yarn`, `pnpm`, `pnpx`) with Aikido's security scanning functionality. This is achieved by adding shell aliases that redirect these commands to their Aikido-wrapped equivalents.
+The shell integration automatically wraps common package manager commands (`npm`, `npx`, `yarn`, `pnpm`, `pnpx`) with Aikido's security scanning functionality. This is achieved by sourcing startup scripts that define shell functions to wrap these commands with their Aikido-protected equivalents.
 
 ## Supported Shells
 
 Aikido Safe Chain supports integration with the following shells.
 
-| Shell                  | Startup File                 | Alias Format               |
-| ---------------------- | ---------------------------- | -------------------------- |
-| **Bash**               | `~/.bashrc`                  | `alias npm='aikido-npm'`   |
-| **Zsh**                | `~/.zshrc`                   | `alias npm='aikido-npm'`   |
-| **Fish**               | `~/.config/fish/config.fish` | `alias npm "aikido-npm"`   |
-| **PowerShell Core**    | `$PROFILE`                   | `Set-Alias npm aikido-npm` |
-| **Windows PowerShell** | `$PROFILE`                   | `Set-Alias npm aikido-npm` |
+| Shell                  | Startup File                 |
+| ---------------------- | ---------------------------- |
+| **Bash**               | `~/.bashrc`                  |
+| **Zsh**                | `~/.zshrc`                   |
+| **Fish**               | `~/.config/fish/config.fish` |
+| **PowerShell Core**    | `$PROFILE`                   |
+| **Windows PowerShell** | `$PROFILE`                   |
 
-## Commands
+## Setup Commands
 
 ### Setup Shell Integration
 
@@ -26,10 +26,11 @@ safe-chain setup
 
 This command:
 
+- Copies necessary startup scripts to Safe Chain's installation directory (`~/.safe-chain/scripts`)
 - Detects all supported shells on your system
-- Adds aliases for `npm`, `npx`, `yarn`, `pnpm` and `pnpx` to each shell's startup file
+- Sources each shell's startup file to add Safe Chain functions for `npm`, `npx`, `yarn`, `pnpm`, and `pnpx`
 
-❗ After running this command, **you must restart your terminal** for the changes to take effect. This ensures that the aliases are loaded correctly.
+❗ After running this command, **you must restart your terminal** for the changes to take effect. This ensures that the startup scripts are sourced correctly.
 
 ### Remove Shell Integration
 
@@ -40,13 +41,13 @@ safe-chain teardown
 This command:
 
 - Detects all supported shells on your system
-- Removes Aikido aliases from each shell's startup file
+- Removes the Safe Chain scripts from each shell's startup file, restoring the original commands
 
 ❗ After running this command, **you must restart your terminal** to restore the original commands.
 
 ## File Locations
 
-The system modifies the following files based on your shell configuration:
+The system modifies the following files to source Safe Chain startup scripts:
 
 ### Unix/Linux/macOS
 
@@ -64,15 +65,16 @@ The system modifies the following files based on your shell configuration:
 
 ### Common Issues
 
-**Aliases not working after setup:**
+**Shell functions not working after setup:**
 
 - Make sure to restart your terminal
-- Check that the startup file was actually modified
+- Check that the startup file was modified to source Safe Chain scripts
+- Check the sourced file exists at `~/.safe-chain/scripts/`
 - Verify your shell is reading the correct startup file
 
 **Getting 'command not found: aikido-npm' error:**
 
-This means the aliases are working but the Aikido commands aren't installed or available in your PATH:
+This means the shell functions are working but the Aikido commands aren't installed or available in your PATH:
 
 - Make sure Aikido Safe Chain is properly installed on your system
 - Verify the `aikido-npm`, `aikido-npx`, `aikido-yarn`, `aikido-pnpm` and `aikido-pnpx` commands exist
@@ -82,27 +84,40 @@ This means the aliases are working but the Aikido commands aren't installed or a
 
 To verify the integration is working, follow these steps:
 
-1. **Check if aliases were added to your shell startup file:**
+1. **Check if startup scripts were sourced in your shell startup file:**
 
    - **For Bash**: Open `~/.bashrc` in your text editor
    - **For Zsh**: Open `~/.zshrc` in your text editor
    - **For Fish**: Open `~/.config/fish/config.fish` in your text editor
    - **For PowerShell**: Open your PowerShell profile file (run `$PROFILE` in PowerShell to see the path)
 
-   Look for lines like:
+   Look for lines that source the Safe Chain startup scripts from `~/.safe-chain/scripts/`
 
-   - `alias npm='aikido-npm'` (Bash/Zsh)
-   - `alias npm "aikido-npm"` (Fish)
-   - `Set-Alias npm aikido-npm` (PowerShell)
-
-2. **Test that aliases are active in your terminal:**
+2. **Test that shell functions are active in your terminal:**
 
    After restarting your terminal, run these commands:
 
-   - `which npm` - Should show the path to `aikido-npm` instead of the original npm
    - `npm --version` - Should show output from the Aikido-wrapped version
-   - `type npm` - Alternative way to check what command `npm` resolves to
+   - `type npm` - Should show that `npm` is a function
+
+3. **If you need to remove the integration manually:**
+
+   Edit the same startup file from step 1 and delete any lines that source Safe Chain scripts from `~/.safe-chain/scripts/`.
+
+## Manual Setup
 
-3. **If you need to remove aliases manually:**
+For advanced users who prefer manual configuration, you can create wrapper functions directly in your shell's startup file. Shell functions take precedence over commands in PATH, so defining an `npm` function will intercept all `npm` calls:
+
+```bash
+# Example for Bash/Zsh
+npm() {
+  if command -v aikido-npm > /dev/null 2>&1; then
+    aikido-npm "$@"
+  else
+    echo "Warning: safe-chain is not installed. npm will run without protection."
+    command npm "$@"
+  fi
+}
+```
 
-   Edit the same startup file from step 1 and delete any lines containing `aikido-npm`, `aikido-npx`, `aikido-yarn`, `aikido-pnpm` or `aikido-pnpx`.
+Repeat this pattern for `npx`, `yarn`, `pnpm`, and `pnpx` using their respective `aikido-*` commands. After adding these functions, restart your terminal to apply the changes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.0.22",
+  "version": "1.0.24",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -28,12 +28,12 @@
   "license": "AGPL-3.0-or-later",
   "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), and [pnpx](https://pnpm.io/cli/dlx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, or pnpx from downloading or running the malware.",
   "dependencies": {
-    "abbrev": "^3.0.1",
-    "chalk": "^5.4.1",
-    "make-fetch-happen": "^14.0.3",
-    "npm-registry-fetch": "^18.0.2",
-    "ora": "^8.2.0",
-    "semver": "^7.7.2"
+    "abbrev": "3.0.1",
+    "chalk": "5.4.1",
+    "make-fetch-happen": "14.0.3",
+    "npm-registry-fetch": "18.0.2",
+    "ora": "8.2.0",
+    "semver": "7.7.2"
   },
   "main": "src/main.js",
   "bugs": {

package/src/main.js

@@ -15,6 +15,7 @@ export async function main(args) {
     }
   } catch (error) {
     ui.writeError("Failed to check for malicious packages:", error.message);
+    process.exit(1);
   }
 
   var result = getPackageManager().runCommand(args);

package/src/packagemanager/npm/dependencyScanner/dryRunScanner.js

@@ -1,4 +1,3 @@
-import { ui } from "../../../environment/userInteraction.js";
 import { parseDryRunOutput } from "../parsing/parseNpmInstallDryRunOutput.js";
 import { dryRunNpmCommandAndOutput } from "../runNpmCommand.js";
 import { hasDryRunArg } from "../utils/npmCommands.js";
@@ -37,10 +36,17 @@ function checkChangesWithDryRun(args) {
 
   // Dry-run can return a non-zero status code in some cases
   //  e.g., when running "npm audit fix --dry-run", it returns exit code 1
-  //  when there are vulnurabilities that can be fixed.
+  //  when there are vulnerabilities that can be fixed.
+  if (dryRunOutput.status !== 0 && !canCommandReturnNonZeroOnSuccess(args)) {
+    throw new Error(
+      `Dry-run command failed with exit code ${dryRunOutput.status} and output:\n${dryRunOutput.output}`
+    );
+  }
+
   if (dryRunOutput.status !== 0 && !dryRunOutput.output) {
-    ui.writeError("Detecting changes failed.");
-    return [];
+    throw new Error(
+      `Dry-run command failed with exit code ${dryRunOutput.status} and produced no output.`
+    );
   }
 
   const parsedOutput = parseDryRunOutput(dryRunOutput.output);
@@ -48,3 +54,13 @@ function checkChangesWithDryRun(args) {
   // reverse the array to have the top-level packages first
   return parsedOutput.reverse();
 }
+
+function canCommandReturnNonZeroOnSuccess(args) {
+  if (args.length < 2) {
+    return false;
+  }
+
+  // `npm audit fix --dry-run` can return exit code 1 when it succesfully ran and
+  // there were vulnerabilities that could be fixed
+  return args[0] === "audit" && args[1] === "fix";
+}

package/src/packagemanager/npm/runNpmCommand.js

@@ -18,7 +18,7 @@ export function runNpm(args) {
 
 export function dryRunNpmCommandAndOutput(args) {
   try {
-    const npmCommand = `npm ${args.join(" ")} --dry-run`;
+    const npmCommand = `npm ${args.join(" ")} --ignore-scripts --dry-run`;
     const output = execSync(npmCommand, { stdio: "pipe" });
     return { status: 0, output: output.toString() };
   } catch (error) {

package/src/packagemanager/pnpm/runPnpmCommand.js

@@ -1,24 +1,24 @@
-import { spawnSync } from "child_process";
 import { ui } from "../../environment/userInteraction.js";
+import { safeSpawnSync } from "../../utils/safeSpawn.js";
 
 export function runPnpmCommand(args, toolName = "pnpm") {
   try {
     let result;
-
     if (toolName === "pnpm") {
-      result = spawnSync("pnpm", args, { stdio: "inherit" });
+      result = safeSpawnSync("pnpm", args, { stdio: "inherit" });
     } else if (toolName === "pnpx") {
-      result = spawnSync("pnpx", args, { stdio: "inherit" });
+      result = safeSpawnSync("pnpx", args, { stdio: "inherit" });
     } else {
       throw new Error(`Unsupported tool name for aikido-pnpm: ${toolName}`);
     }
 
-    if (result.status !== null) {
-      return { status: result.status };
-    }
+    return { status: result.status };
   } catch (error) {
-    ui.writeError("Error executing command:", error.message);
-    return { status: 1 };
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError("Error executing command:", error.message);
+      return { status: 1 };
+    }
   }
-  return { status: 0 };
 }

package/src/scanning/index.js

@@ -21,7 +21,9 @@ export async function scanCommand(args) {
 
   let timedOut = false;
 
-  const spinner = ui.startProcess("Scanning for malicious packages...");
+  const spinner = ui.startProcess(
+    "Safe-chain: Scanning for malicious packages..."
+  );
   let audit;
 
   await Promise.race([
@@ -37,12 +39,14 @@ export async function scanCommand(args) {
         }
 
         if (changes.length > 0) {
-          spinner.setText(`Scanning ${changes.length} package(s)...`);
+          spinner.setText(
+            `Safe-chain: Scanning ${changes.length} package(s)...`
+          );
         }
 
         audit = await auditChanges(changes);
       } catch (error) {
-        spinner.fail(`Error while scanning: ${error.message}`);
+        spinner.fail(`Safe-chain: Error while scanning.`);
         throw error;
       }
     })(),
@@ -52,12 +56,12 @@ export async function scanCommand(args) {
   ]);
 
   if (timedOut) {
-    spinner.fail("Timeout exceeded while scanning.");
+    spinner.fail("Safe-chain: Timeout exceeded while scanning.");
     throw new Error("Timeout exceeded while scanning npm install command.");
   }
 
   if (!audit || audit.isAllowed) {
-    spinner.succeed("No malicious packages detected.");
+    spinner.succeed("Safe-chain: No malicious packages detected.");
   } else {
     printMaliciousChanges(audit.disallowedChanges, spinner);
     await onMalwareFound();
@@ -65,7 +69,7 @@ export async function scanCommand(args) {
 }
 
 function printMaliciousChanges(changes, spinner) {
-  spinner.fail(chalk.bold("Malicious changes detected:"));
+  spinner.fail("Safe-chain: " + chalk.bold("Malicious changes detected:"));
 
   for (const change of changes) {
     ui.writeInformation(` - ${change.name}@${change.version}`);

package/src/shell-integration/helpers.js

@@ -1,6 +1,7 @@
 import { spawnSync } from "child_process";
 import * as os from "os";
 import fs from "fs";
+import path from "path";
 
 export const knownAikidoTools = [
   { tool: "npm", aikidoCommand: "aikido-npm" },
@@ -12,6 +13,22 @@ export const knownAikidoTools = [
   // and add the documentation for the new tool in the README.md
 ];
 
+/**
+ * Returns a formatted string listing all supported package managers.
+ * Example: "npm, npx, yarn, pnpm, and pnpx commands"
+ */
+export function getPackageManagerList() {
+  const tools = knownAikidoTools.map(t => t.tool);
+  if (tools.length <= 1) {
+    return `${tools[0] || ''} commands`;
+  }
+  if (tools.length === 2) {
+    return `${tools[0]} and ${tools[1]} commands`;
+  }
+  const lastTool = tools.pop();
+  return `${tools.join(', ')}, and ${lastTool} commands`;
+}
+
 export function doesExecutableExistOnSystem(executableName) {
   if (os.platform() === "win32") {
     const result = spawnSync("where", [executableName], { stdio: "ignore" });
@@ -22,15 +39,17 @@ export function doesExecutableExistOnSystem(executableName) {
   }
 }
 
-export function removeLinesMatchingPattern(filePath, pattern) {
+export function removeLinesMatchingPattern(filePath, pattern, eol) {
   if (!fs.existsSync(filePath)) {
     return;
   }
 
+  eol = eol || os.EOL;
+
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const lines = fileContent.split(/[\r\n\u2028\u2029]+/);
+  const lines = fileContent.split(/[\r\n\u2028\u2029]/);
   const updatedLines = lines.filter((line) => !shouldRemoveLine(line, pattern));
-  fs.writeFileSync(filePath, updatedLines.join(os.EOL), "utf-8");
+  fs.writeFileSync(filePath, updatedLines.join(eol), "utf-8");
 }
 
 const maxLineLength = 100;
@@ -43,12 +62,17 @@ function shouldRemoveLine(line, pattern) {
 
   if (line.length > maxLineLength) {
     // safe-chain only adds lines shorter than maxLineLength
-    // so if the line is longer, it must be from a different 
+    // so if the line is longer, it must be from a different
     // source and could be dangerous to remove
     return false;
   }
 
-  if (line.includes("\n") || line.includes("\r") || line.includes("\u2028") || line.includes("\u2029")) {
+  if (
+    line.includes("\n") ||
+    line.includes("\r") ||
+    line.includes("\u2028") ||
+    line.includes("\u2029")
+  ) {
     // If the line contains newlines, something has gone wrong in splitting
     // \u2028 and \u2029 are Unicode line separator characters (line and paragraph separators)
     return false;
@@ -57,12 +81,25 @@ function shouldRemoveLine(line, pattern) {
   return true;
 }
 
-export function addLineToFile(filePath, line) {
-  if (!fs.existsSync(filePath)) {
-    fs.writeFileSync(filePath, "", "utf-8");
-  }
+export function addLineToFile(filePath, line, eol) {
+  createFileIfNotExists(filePath);
+
+  eol = eol || os.EOL;
 
   const fileContent = fs.readFileSync(filePath, "utf-8");
-  const updatedContent = fileContent + os.EOL + line;
+  const updatedContent = fileContent + eol + line + eol;
   fs.writeFileSync(filePath, updatedContent, "utf-8");
 }
+
+function createFileIfNotExists(filePath) {
+  if (fs.existsSync(filePath)) {
+    return;
+  }
+
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  fs.writeFileSync(filePath, "", "utf-8");
+}

package/src/shell-integration/path-wrappers/templates/unix-wrapper.template.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+# Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
+# This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
+
+# Function to remove shim from PATH (POSIX-compliant)
+remove_shim_from_path() {
+    echo "$PATH" | sed "s|$HOME/.safe-chain/shims:||g"
+}
+
+if command -v {{AIKIDO_COMMAND}} >/dev/null 2>&1; then
+  # Remove shim directory from PATH when calling {{AIKIDO_COMMAND}} to prevent infinite loops
+  PATH=$(remove_shim_from_path) exec {{AIKIDO_COMMAND}} "$@"
+else
+  # Dynamically find original {{PACKAGE_MANAGER}} (excluding this shim directory)
+  original_cmd=$(PATH=$(remove_shim_from_path) command -v {{PACKAGE_MANAGER}})
+  if [ -n "$original_cmd" ]; then
+    exec "$original_cmd" "$@"
+  else
+    echo "Error: Could not find original {{PACKAGE_MANAGER}}" >&2
+    exit 1
+  fi
+fi

package/src/shell-integration/path-wrappers/templates/windows-wrapper.template.cmd

@@ -0,0 +1,24 @@
+@echo off
+REM Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
+REM This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
+
+REM Remove shim directory from PATH to prevent infinite loops
+set "SHIM_DIR=%USERPROFILE%\.safe-chain\shims"
+call set "CLEAN_PATH=%%PATH:%SHIM_DIR%;=%%"
+
+REM Check if aikido command is available with clean PATH
+set "PATH=%CLEAN_PATH%" & where {{AIKIDO_COMMAND}} >nul 2>&1
+if %errorlevel%==0 (
+    REM Call aikido command with clean PATH
+    set "PATH=%CLEAN_PATH%" & {{AIKIDO_COMMAND}} %*
+) else (
+    REM Find the original command with clean PATH
+    for /f "tokens=*" %%i in ('set "PATH=%CLEAN_PATH%" ^& where {{PACKAGE_MANAGER}} 2^>nul') do (
+        "%%i" %*
+        goto :eof
+    )
+    
+    REM If we get here, original command was not found
+    echo Error: Could not find original {{PACKAGE_MANAGER}} >&2
+    exit /b 1
+)

package/src/shell-integration/setup-ci.js

@@ -0,0 +1,123 @@
+import chalk from "chalk";
+import { ui } from "../environment/userInteraction.js";
+import { knownAikidoTools, getPackageManagerList } from "./helpers.js";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fileURLToPath } from "url";
+
+/**
+ * Loops over the detected shells and calls the setup function for each.
+ */
+export async function setupCi() {
+  ui.writeInformation(
+    chalk.bold("Setting up shell aliases.") +
+      ` This will wrap safe-chain around ${getPackageManagerList()}.`
+  );
+  ui.emptyLine();
+
+  const shimsDir = path.join(os.homedir(), ".safe-chain", "shims");
+  // Create the shims directory if it doesn't exist
+  if (!fs.existsSync(shimsDir)) {
+    fs.mkdirSync(shimsDir, { recursive: true });
+  }
+
+  createShims(shimsDir);
+  ui.writeInformation(`Created shims in ${shimsDir}`);
+  modifyPathForCi(shimsDir);
+  ui.writeInformation(`Added shims directory to PATH for CI environments.`);
+}
+
+function createUnixShims(shimsDir) {
+  // Read the template file
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = path.dirname(__filename);
+  const templatePath = path.resolve(
+    __dirname,
+    "path-wrappers",
+    "templates",
+    "unix-wrapper.template.sh"
+  );
+
+  if (!fs.existsSync(templatePath)) {
+    ui.writeError(`Template file not found: ${templatePath}`);
+    return;
+  }
+
+  const template = fs.readFileSync(templatePath, "utf-8");
+
+  // Create a shim for each tool
+  for (const toolInfo of knownAikidoTools) {
+    const shimContent = template
+      .replaceAll("{{PACKAGE_MANAGER}}", toolInfo.tool)
+      .replaceAll("{{AIKIDO_COMMAND}}", toolInfo.aikidoCommand);
+
+    const shimPath = path.join(shimsDir, toolInfo.tool);
+    fs.writeFileSync(shimPath, shimContent, "utf-8");
+
+    // Make the shim executable on Unix systems
+    fs.chmodSync(shimPath, 0o755);
+  }
+
+  ui.writeInformation(
+    `Created ${knownAikidoTools.length} Unix shim(s) in ${shimsDir}`
+  );
+}
+
+function createWindowsShims(shimsDir) {
+  // Read the template file
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = path.dirname(__filename);
+  const templatePath = path.resolve(
+    __dirname,
+    "path-wrappers",
+    "templates",
+    "windows-wrapper.template.cmd"
+  );
+
+  if (!fs.existsSync(templatePath)) {
+    ui.writeError(`Windows template file not found: ${templatePath}`);
+    return;
+  }
+
+  const template = fs.readFileSync(templatePath, "utf-8");
+
+  // Create a shim for each tool
+  for (const toolInfo of knownAikidoTools) {
+    const shimContent = template
+      .replaceAll("{{PACKAGE_MANAGER}}", toolInfo.tool)
+      .replaceAll("{{AIKIDO_COMMAND}}", toolInfo.aikidoCommand);
+
+    const shimPath = path.join(shimsDir, `${toolInfo.tool}.cmd`);
+    fs.writeFileSync(shimPath, shimContent, "utf-8");
+  }
+
+  ui.writeInformation(
+    `Created ${knownAikidoTools.length} Windows shim(s) in ${shimsDir}`
+  );
+}
+
+function createShims(shimsDir) {
+  if (os.platform() === "win32") {
+    createWindowsShims(shimsDir);
+  } else {
+    createUnixShims(shimsDir);
+  }
+}
+
+function modifyPathForCi(shimsDir) {
+  if (process.env.GITHUB_PATH) {
+    // In GitHub Actions, append the shims directory to GITHUB_PATH
+    fs.appendFileSync(process.env.GITHUB_PATH, shimsDir + os.EOL, "utf-8");
+    ui.writeInformation(
+      `Added shims directory to GITHUB_PATH for GitHub Actions.`
+    );
+  }
+
+  if (process.env.TF_BUILD) {
+    // In Azure Pipelines, prepending the path is done via a logging command:
+    //  ##vso[task.prependpath]/path/to/add
+    // Logging this to stdout will cause the Azure Pipelines agent to pick it up
+    ui.writeInformation("##vso[task.prependpath]" + shimsDir);
+  }
+}

package/src/shell-integration/setup.js

@@ -1,7 +1,7 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
-import { knownAikidoTools } from "./helpers.js";
+import { knownAikidoTools, getPackageManagerList } from "./helpers.js";
 import fs from "fs";
 import os from "os";
 import path from "path";
@@ -13,7 +13,7 @@ import { fileURLToPath } from "url";
 export async function setup() {
   ui.writeInformation(
     chalk.bold("Setting up shell aliases.") +
-      " This will wrap safe-chain around npm, npx, and yarn commands."
+      ` This will wrap safe-chain around ${getPackageManagerList()}.`
   );
   ui.emptyLine();
 
@@ -56,11 +56,13 @@ export async function setup() {
  */
 function setupShell(shell) {
   let success = false;
+  let error;
   try {
     shell.teardown(knownAikidoTools); // First, tear down to prevent duplicate aliases
     success = shell.setup(knownAikidoTools);
-  } catch {
+  } catch (err) {
     success = false;
+    error = err;
   }
 
   if (success) {
@@ -75,6 +77,13 @@ function setupShell(shell) {
         "Setup failed"
       )}. Please check your ${shell.name} configuration.`
     );
+    if (error) {
+      let message = `  Error: ${error.message}`;
+      if (error.code) {
+        message += ` (code: ${error.code})`;
+      }
+      ui.writeError(message);
+    }
   }
 
   return success;

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -47,11 +47,15 @@ function pnpx
 end
 
 function npm
-    if test (count $argv) -eq 1 -a \( "$argv[1]" = "-v" -o "$argv[1]" = "--version" \)
-        # If args is just -v or --version and nothing else, just run the npm version command
-        # This is because nvm uses this to check the version of npm
-        command npm $argv
-        return
+    # If args is just -v or --version and nothing else, just run the `npm -v` command
+    # This is because nvm uses this to check the version of npm
+    set argc (count $argv)
+    if test $argc -eq 1
+        switch $argv[1]
+            case "-v" "--version"
+                command npm $argv
+                return
+        end
     end
 
     wrapSafeChainCommand "npm" "aikido-npm" $argv

package/src/shell-integration/supported-shells/bash.js

@@ -9,6 +9,7 @@ import * as os from "os";
 const shellName = "Bash";
 const executableName = "bash";
 const startupFileCommand = "echo ~/.bashrc";
+const eol = "\n"; // When bash runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
 
 function isInstalled() {
   return doesExecutableExistOnSystem(executableName);
@@ -19,13 +20,18 @@ function teardown(tools) {
 
   for (const { tool } of tools) {
     // Remove any existing alias for the tool
-    removeLinesMatchingPattern(startupFile, new RegExp(`^alias\\s+${tool}=`));
+    removeLinesMatchingPattern(
+      startupFile,
+      new RegExp(`^alias\\s+${tool}=`),
+      eol
+    );
   }
 
   // Removes the line that sources the safe-chain bash initialization script (~/.aikido/scripts/init-posix.sh)
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/
+    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
+    eol
   );
 
   return true;
@@ -36,7 +42,8 @@ function setup() {
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`
+    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`,
+    eol
   );
 
   return true;

package/src/shell-integration/supported-shells/fish.js

@@ -8,6 +8,7 @@ import { execSync } from "child_process";
 const shellName = "Fish";
 const executableName = "fish";
 const startupFileCommand = "echo ~/.config/fish/config.fish";
+const eol = "\n"; // When fish runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
 
 function isInstalled() {
   return doesExecutableExistOnSystem(executableName);
@@ -20,14 +21,16 @@ function teardown(tools) {
     // Remove any existing alias for the tool
     removeLinesMatchingPattern(
       startupFile,
-      new RegExp(`^alias\\s+${tool}\\s+`)
+      new RegExp(`^alias\\s+${tool}\\s+`),
+      eol
     );
   }
 
   // Removes the line that sources the safe-chain fish initialization script (~/.safe-chain/scripts/init-fish.fish)
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-fish\.fish/
+    /^source\s+~\/\.safe-chain\/scripts\/init-fish\.fish/,
+    eol
   );
 
   return true;
@@ -38,7 +41,8 @@ function setup() {
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-fish.fish # Safe-chain Fish initialization script`
+    `source ~/.safe-chain/scripts/init-fish.fish # Safe-chain Fish initialization script`,
+    eol
   );
 
   return true;

package/src/shell-integration/supported-shells/zsh.js

@@ -8,6 +8,7 @@ import { execSync } from "child_process";
 const shellName = "Zsh";
 const executableName = "zsh";
 const startupFileCommand = "echo ${ZDOTDIR:-$HOME}/.zshrc";
+const eol = "\n"; // When zsh runs on Windows (e.g., Git Bash or WSL), it expects LF line endings.
 
 function isInstalled() {
   return doesExecutableExistOnSystem(executableName);
@@ -18,13 +19,18 @@ function teardown(tools) {
 
   for (const { tool } of tools) {
     // Remove any existing alias for the tool
-    removeLinesMatchingPattern(startupFile, new RegExp(`^alias\\s+${tool}=`));
+    removeLinesMatchingPattern(
+      startupFile,
+      new RegExp(`^alias\\s+${tool}=`),
+      eol
+    );
   }
 
   // Removes the line that sources the safe-chain zsh initialization script (~/.aikido/scripts/init-posix.sh)
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/
+    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
+    eol
   );
 
   return true;
@@ -35,7 +41,8 @@ function setup() {
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script`
+    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script`,
+    eol
   );
 
   return true;

package/src/shell-integration/teardown.js

@@ -1,12 +1,12 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
-import { knownAikidoTools } from "./helpers.js";
+import { knownAikidoTools, getPackageManagerList } from "./helpers.js";
 
 export async function teardown() {
   ui.writeInformation(
     chalk.bold("Removing shell aliases.") +
-      " This will remove safe-chain aliases for npm, npx, and yarn commands."
+      ` This will remove safe-chain aliases for ${getPackageManagerList()}.`
   );
   ui.emptyLine();
 

package/src/utils/safeSpawn.js

@@ -0,0 +1,38 @@
+import { spawnSync, spawn } from "child_process";
+
+function escapeArg(arg) {
+  // If argument contains spaces or quotes, wrap in double quotes and escape double quotes
+  if (arg.includes(" ") || arg.includes('"') || arg.includes("'")) {
+    return '"' + arg.replaceAll('"', '\\"') + '"';
+  }
+  return arg;
+}
+
+function buildCommand(command, args) {
+  const escapedArgs = args.map(escapeArg);
+  return `${command} ${escapedArgs.join(" ")}`;
+}
+
+export function safeSpawnSync(command, args, options = {}) {
+  const fullCommand = buildCommand(command, args);
+  return spawnSync(fullCommand, { ...options, shell: true });
+}
+
+export async function safeSpawn(command, args, options = {}) {
+  const fullCommand = buildCommand(command, args);
+  return new Promise((resolve, reject) => {
+    const child = spawn(fullCommand, { ...options, shell: true });
+
+    child.on("close", (code) => {
+      resolve({
+        status: code,
+        stdout: Buffer.from(""),
+        stderr: Buffer.from(""),
+      });
+    });
+
+    child.on("error", (error) => {
+      reject(error);
+    });
+  });
+}