@aikidosec/safe-chain 1.2.1 → 1.2.4

package/src/registryProxy/certBundle.js

@@ -6,6 +6,7 @@ import certifi from "certifi";
 import tls from "node:tls";
 import { X509Certificate } from "node:crypto";
 import { getCaCertPath } from "./certUtils.js";
+import { ui } from "../environment/userInteraction.js";
 
 /**
  * Check if a PEM string contains only parsable cert blocks.
@@ -14,6 +15,7 @@ import { getCaCertPath } from "./certUtils.js";
  */
 function isParsable(pem) {
   if (!pem || typeof pem !== "string") return false;
+  pem = normalizeLineEndings(pem);
   const begin = "-----BEGIN CERTIFICATE-----";
   const end = "-----END CERTIFICATE-----";
   const blocks = [];
@@ -41,20 +43,17 @@ function isParsable(pem) {
   }
 }
 
-/** @type {string | null} */
-let cachedPath = null;
-
 /**
- * Build a combined CA bundle for Python and Node HTTPS flows.
- * - Includes Safe Chain CA (for MITM of known registries)
- * - Includes Mozilla roots via npm `certifi` (public HTTPS)
- * - Includes Node's built-in root certificates as a portable fallback
+ * Build a combined CA bundle.
+ * Automatically includes:
+ * - Safe Chain CA (for MITM of known registries)
+ * - Mozilla roots via certifi (for public HTTPS)
+ * - Node's built-in root certificates (fallback)
+ * - User's custom certificates (if NODE_EXTRA_CA_CERTS environment variable is set)
+ * 
  * @returns {string} Path to the combined CA bundle PEM file
  */
 export function getCombinedCaBundlePath() {
-  if (cachedPath && fs.existsSync(cachedPath)) return cachedPath;
-
-  // Concatenate PEM files
   const parts = [];
 
   // 1) Safe Chain CA (for MITM'd registries)
@@ -87,9 +86,96 @@ export function getCombinedCaBundlePath() {
     // Ignore if unavailable
   }
 
+  // 4) User's NODE_EXTRA_CA_CERTS (if set)
+  const userCertPath = process.env.NODE_EXTRA_CA_CERTS;
+  if (userCertPath) {
+    const userPem = readUserCertificateFile(userCertPath);
+    if (userPem) {
+      parts.push(userPem.trim());
+      ui.writeVerbose(`Safe-chain: Merging user's NODE_EXTRA_CA_CERTS from ${userCertPath}`);
+    } else {
+      ui.writeWarning(`Safe-chain: Could not read or parse user's NODE_EXTRA_CA_CERTS from ${userCertPath}`);
+    }
+  }
+
   const combined = parts.filter(Boolean).join("\n");
-  const target = path.join(os.tmpdir(), "safe-chain-ca-bundle.pem");
+  const target = path.join(os.tmpdir(), `safe-chain-ca-bundle-${Date.now()}.pem`);
   fs.writeFileSync(target, combined, { encoding: "utf8" });
-  cachedPath = target;
-  return cachedPath;
+  return target;
+}
+
+/**
+ * Normalize path
+ * @param {string} p - Path to normalize
+ * @returns {string}
+ */
+function normalizePathF(p) {
+  return p.replace(/\\/g, "/");
+}
+
+/**
+ * Normalize line endings to LF
+ * @param {string} text - Text with mixed line endings
+ * @returns {string}
+ */
+function normalizeLineEndings(text) {
+  return text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+}
+
+/**
+ * Read and validate user certificate file
+ * @param {string} certPath - Path to certificate file
+ * @returns {string | null} Certificate PEM content or null if invalid/unreadable
+ */
+function readUserCertificateFile(certPath) {
+  try {
+    // 1) Basic validation
+    if (typeof certPath !== "string" || certPath.trim().length === 0) {
+      return null;
+    }
+
+    // 2) Reject path traversal attempts (normalize backslashes first for Windows paths)
+    const normalizedPath = normalizePathF(certPath);
+    if (normalizedPath.includes("..")) {
+      return null;
+    }
+
+    // 3) Check if file exists and is not a directory or symlink
+    let stats;
+    try {
+      stats = fs.lstatSync(certPath);
+    } catch {
+      // File doesn't exist or can't be accessed
+      return null;
+    }
+
+    if (!stats.isFile()) {
+      // Reject directories and symlinks
+      return null;
+    }
+
+    // 4) Read file content
+    let content;
+    try {
+      content = fs.readFileSync(certPath, "utf8");
+    } catch {
+      return null;
+    }
+
+    if (!content || typeof content !== "string") {
+      return null;
+    }
+
+    // 5) Validate PEM format
+    if (!isParsable(content)) {
+      return null;
+    }
+
+    return content;
+  } catch {
+    // Silently fail on any errors
+    return null;
+  }
 }
+
+

package/src/registryProxy/certUtils.js

@@ -8,6 +8,17 @@ const ca = loadCa();
 
 const certCache = new Map();
 
+/**
+ * @param {forge.pki.PublicKey} publicKey
+ * @returns {string}
+ */
+function createKeyIdentifier(publicKey) {
+  return forge.pki.getPublicKeyFingerprint(publicKey, {
+    encoding: "binary",
+    md: forge.md.sha1.create(),
+  });
+}
+
 export function getCaCertPath() {
   return path.join(certFolder, "ca-cert.pem");
 }
@@ -33,6 +44,7 @@ export function generateCertForHost(hostname) {
   const attrs = [{ name: "commonName", value: hostname }];
   cert.setSubject(attrs);
   cert.setIssuer(ca.certificate.subject.attributes);
+  const authorityKeyIdentifier = createKeyIdentifier(ca.certificate.publicKey);
   cert.setExtensions([
     {
       name: "subjectAltName",
@@ -50,14 +62,42 @@ export function generateCertForHost(hostname) {
     },
     {
       /*
-        extKeyUsage serverAuth is required for TLS server authentication.
-        This is especially important for Python venv environments, which use their own
-        certificate validation logic and will reject certificates lacking the serverAuth EKU.
-        Adding serverAuth does not impact other usages
+        Extended Key Usage (EKU) serverAuth extension
+
+        Needed for TLS server authentication. This extension indicates the certificate's
+        public key may be used for TLS WWW server authentication.
+        Python virtualenv environments (like pipx-installed Poetry) enforce this strictly
+        https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12
       */
       name: "extKeyUsage",
       serverAuth: true,
     },
+    {
+      /*
+        Subject Key Identifier (SKI)
+        
+        Needed for Python virtualenv SSL validation and certificate chain building.
+        This extension provides a means of identifying certificates containing a particular public key.
+        Python virtualenv environments require this for proper certificate chain validation.
+        System Python installations may be more lenient.
+        https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
+      */
+      name: "subjectKeyIdentifier",
+      subjectKeyIdentifier: createKeyIdentifier(cert.publicKey),
+    },
+    {
+      /*
+        Authority Key Identifier (AKI)
+        
+        Needed for Python virtualenv SSL validation and certificate path validation.
+        This extension identifies the public key corresponding to the private key used to sign
+        this certificate. It links this certificate to its issuing CA certificate.
+        Without this, Python virtualenv certificate validation might fail (for instance for Poetry)
+        https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
+      */
+      name: "authorityKeyIdentifier",
+      keyIdentifier: authorityKeyIdentifier,
+    },
   ]);
   cert.sign(ca.privateKey, forge.md.sha256.create());
 
@@ -106,11 +146,13 @@ function generateCa() {
 
   const attrs = [{ name: "commonName", value: "safe-chain proxy" }];
   cert.setSubject(attrs);
-  cert.setIssuer(attrs);
+  cert.setIssuer(attrs); // Self-signed: issuer === subject
+  const keyIdentifier = createKeyIdentifier(cert.publicKey);
   cert.setExtensions([
     {
       name: "basicConstraints",
       cA: true,
+      critical: true, // Marking basicConstraints as critical is required for CA certificates so clients must process it to trust the cert as a CA
     },
     {
       name: "keyUsage",
@@ -118,6 +160,14 @@ function generateCa() {
       digitalSignature: true,
       keyEncipherment: true,
     },
+    {
+      name: "subjectKeyIdentifier",
+      subjectKeyIdentifier: keyIdentifier,
+    },
+    {
+      name: "authorityKeyIdentifier",
+      keyIdentifier,
+    },
   ]);
   cert.sign(keys.privateKey, forge.md.sha256.create());
 

package/src/registryProxy/getConnectTimeout.js

@@ -0,0 +1,13 @@
+import { isImdsEndpoint } from "./isImdsEndpoint.js";
+
+/**
+ * Returns appropriate connection timeout for a host.
+ * - IMDS endpoints: 3s (fail fast when outside cloud, reduce 5min delay to ~20s)
+ * - Other endpoints: 30s (allow for slow networks while preventing indefinite hangs)
+ */
+export function getConnectTimeout(/** @type {string} */ host) {
+  if (isImdsEndpoint(host)) {
+    return 3000;
+  }
+  return 30000;
+}

package/src/registryProxy/interceptors/interceptorBuilder.js

@@ -20,6 +20,12 @@ import { EventEmitter } from "events";
  * @property {(headers: NodeJS.Dict<string | string[]> | undefined) => NodeJS.Dict<string | string[]> | undefined} modifyRequestHeaders
  * @property {() => boolean} modifiesResponse
  * @property {(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer} modifyBody
+ *
+ * @typedef {Object} MalwareBlockedEvent
+ * @property {string} packageName
+ * @property {string} version
+ * @property {string} targetUrl
+ * @property {number} timestamp
  */
 
 /**

package/src/registryProxy/interceptors/pipInterceptor.js

@@ -32,7 +32,16 @@ function buildPipInterceptor(registry) {
       reqContext.targetUrl,
       registry
     );
-    if (await isMalwarePackage(packageName, version)) {
+
+    // Normalize underscores to hyphens for DB matching, as PyPI allows underscores in distribution names.
+    // Per python, packages that differ only by hyphen vs underscore are considered the same.
+    const hyphenName = packageName?.includes("_") ? packageName.replace(/_/g, "-") : packageName;
+
+    const isMalicious = 
+       await isMalwarePackage(packageName, version) 
+    || await isMalwarePackage(hyphenName, version);
+
+    if (isMalicious) {
       reqContext.blockMalware(packageName, version);
     }
   });
@@ -71,16 +80,21 @@ function parsePipPackageFromUrl(url, registry) {
   // Example wheel: https://files.pythonhosted.org/packages/xx/yy/requests-2.28.1-py3-none-any.whl
   // Example sdist: https://files.pythonhosted.org/packages/xx/yy/requests-2.28.1.tar.gz
 
-  // Wheel (.whl)
-  if (filename.endsWith(".whl")) {
-    const base = filename.slice(0, -4); // remove ".whl"
+  // Wheel (.whl) and Poetry's preflight metadata (.whl.metadata)
+  // Examples:
+  //   foo_bar-2.0.0-py3-none-any.whl
+  //   foo_bar-2.0.0-py3-none-any.whl.metadata
+  const wheelExtRe = /\.whl(?:\.metadata)?$/;
+  const wheelExtMatch = filename.match(wheelExtRe);
+  if (wheelExtMatch) {
+    const base = filename.replace(wheelExtRe, "");
     const firstDash = base.indexOf("-");
     if (firstDash > 0) {
       const dist = base.slice(0, firstDash); // may contain underscores
       const rest = base.slice(firstDash + 1); // version + the rest of tags
       const secondDash = rest.indexOf("-");
       const rawVersion = secondDash >= 0 ? rest.slice(0, secondDash) : rest;
-      packageName = dist; // preserve underscores
+      packageName = dist;
       version = rawVersion;
       // Reject "latest" as it's a placeholder, not a real version
       // When version is "latest", this signals the URL doesn't contain actual version info
@@ -92,10 +106,11 @@ function parsePipPackageFromUrl(url, registry) {
     }
   }
 
-  // Source dist (sdist)
-  const sdistExtMatch = filename.match(/\.(tar\.gz|zip|tar\.bz2|tar\.xz)$/i);
+  // Source dist (sdist) and potential metadata sidecars (e.g., .tar.gz.metadata)
+  const sdistExtWithMetadataRe = /\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i;
+  const sdistExtMatch = filename.match(sdistExtWithMetadataRe);
   if (sdistExtMatch) {
-    const base = filename.slice(0, -sdistExtMatch[0].length);
+    const base = filename.replace(sdistExtWithMetadataRe, "");
     const lastDash = base.lastIndexOf("-");
     if (lastDash > 0 && lastDash < base.length - 1) {
       packageName = base.slice(0, lastDash);
@@ -109,7 +124,6 @@ function parsePipPackageFromUrl(url, registry) {
       return { packageName, version };
     }
   }
-
   // Unknown file type or invalid
   return { packageName: undefined, version: undefined };
 }

package/src/registryProxy/isImdsEndpoint.js

@@ -0,0 +1,13 @@
+// Instance Metadata Service (IMDS) endpoints used by cloud providers.
+// Cloud SDK tools probe these to detect environment and retrieve credentials.
+// When outside cloud environments, connections timeout - we reduce timeout (3s vs 30s)
+// and suppress error logging since this is expected behavior.
+const imdsEndpoints = [
+  "metadata.google.internal",
+  "metadata.goog",
+  "169.254.169.254", // AWS, Azure, Oracle Cloud, GCP
+];
+
+export function isImdsEndpoint(/** @type {string} */ host) {
+  return imdsEndpoints.includes(host);
+}

package/src/registryProxy/registryProxy.js

@@ -2,7 +2,7 @@ import * as http from "http";
 import { tunnelRequest } from "./tunnelRequestHandler.js";
 import { mitmConnect } from "./mitmRequestHandler.js";
 import { handleHttpProxyRequest } from "./plainHttpProxy.js";
-import { getCaCertPath } from "./certUtils.js";
+import { getCombinedCaBundlePath } from "./certBundle.js";
 import { ui } from "../environment/userInteraction.js";
 import chalk from "chalk";
 import { createInterceptorForUrl } from "./interceptors/createInterceptorForEcoSystem.js";
@@ -36,10 +36,13 @@ function getSafeChainProxyEnvironmentVariables() {
     return {};
   }
 
+  const proxyUrl = `http://localhost:${state.port}`;
+  const caCertPath = getCombinedCaBundlePath();
+
   return {
-    HTTPS_PROXY: `http://localhost:${state.port}`,
-    GLOBAL_AGENT_HTTP_PROXY: `http://localhost:${state.port}`,
-    NODE_EXTRA_CA_CERTS: getCaCertPath(),
+    HTTPS_PROXY: proxyUrl,
+    GLOBAL_AGENT_HTTP_PROXY: proxyUrl,
+    NODE_EXTRA_CA_CERTS: caCertPath,
   };
 }
 
@@ -136,9 +139,14 @@ function handleConnect(req, clientSocket, head) {
 
   if (interceptor) {
     // Subscribe to malware blocked events
-    interceptor.on("malwareBlocked", (event) => {
-      onMalwareBlocked(event.packageName, event.version, event.url);
-    });
+    interceptor.on(
+      "malwareBlocked",
+      (
+        /** @type {import("./interceptors/interceptorBuilder.js").MalwareBlockedEvent} */ event
+      ) => {
+        onMalwareBlocked(event.packageName, event.version, event.targetUrl);
+      }
+    );
 
     mitmConnect(req, clientSocket, interceptor);
   } else {

package/src/registryProxy/tunnelRequestHandler.js

@@ -1,5 +1,10 @@
 import * as net from "net";
 import { ui } from "../environment/userInteraction.js";
+import { isImdsEndpoint } from "./isImdsEndpoint.js";
+import { getConnectTimeout } from "./getConnectTimeout.js";
+
+/** @type {string[]} */
+let timedoutImdsEndpoints = [];
 
 /**
  * @param {import("http").IncomingMessage} req
@@ -37,6 +42,21 @@ export function tunnelRequest(req, clientSocket, head) {
  */
 function tunnelRequestToDestination(req, clientSocket, head) {
   const { port, hostname } = new URL(`http://${req.url}`);
+  const isImds = isImdsEndpoint(hostname);
+
+  if (timedoutImdsEndpoints.includes(hostname)) {
+    clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+    if (isImds) {
+      ui.writeVerbose(
+        `Safe-chain: Closing connection because previously timedout connect to ${hostname}`
+      );
+    } else {
+      ui.writeError(
+        `Safe-chain: Closing connection because previously timedout connect to ${hostname}`
+      );
+    }
+    return;
+  }
 
   const serverSocket = net.connect(
     Number.parseInt(port) || 443,
@@ -49,6 +69,31 @@ function tunnelRequestToDestination(req, clientSocket, head) {
     }
   );
 
+  // Set explicit connection timeout to avoid waiting for OS default (~2 minutes).
+  // IMDS endpoints get shorter timeout (3s) since they're commonly unreachable outside cloud environments.
+  const connectTimeout = getConnectTimeout(hostname);
+  serverSocket.setTimeout(connectTimeout);
+
+  serverSocket.on("timeout", () => {
+    // Suppress error logging for IMDS endpoints - timeouts are expected when not in cloud
+    if (isImds) {
+      timedoutImdsEndpoints.push(hostname);
+      ui.writeVerbose(
+        `Safe-chain: connect to ${hostname}:${
+          port || 443
+        } timed out after ${connectTimeout}ms`
+      );
+    } else {
+      ui.writeError(
+        `Safe-chain: connect to ${hostname}:${
+          port || 443
+        } timed out after ${connectTimeout}ms`
+      );
+    }
+    serverSocket.destroy(); // Clean up socket to prevent event loop hanging
+    clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+  });
+
   clientSocket.on("error", () => {
     // This can happen if the client TCP socket sends RST instead of FIN.
     // Not subscribing to 'error' event will cause node to throw and crash.
@@ -58,9 +103,15 @@ function tunnelRequestToDestination(req, clientSocket, head) {
   });
 
   serverSocket.on("error", (err) => {
-    ui.writeError(
-      `Safe-chain: error connecting to ${hostname}:${port} - ${err.message}`
-    );
+    if (isImds) {
+      ui.writeVerbose(
+        `Safe-chain: error connecting to ${hostname}:${port} - ${err.message}`
+      );
+    } else {
+      ui.writeError(
+        `Safe-chain: error connecting to ${hostname}:${port} - ${err.message}`
+      );
+    }
     if (clientSocket.writable) {
       clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
     }
@@ -145,3 +196,4 @@ function tunnelRequestViaProxy(req, clientSocket, head, proxyUrl) {
     }
   });
 }
+

package/src/shell-integration/helpers.js

@@ -76,6 +76,12 @@ export const knownAikidoTools = [
     ecoSystem: ECOSYSTEM_PY,
     internalPackageManagerName: "pip",
   },
+  {
+    tool: "poetry",
+    aikidoCommand: "aikido-poetry",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "poetry",
+  },
   {
     tool: "python",
     aikidoCommand: "aikido-python",
@@ -107,6 +113,20 @@ export function getPackageManagerList() {
   return `${tools.join(", ")}, and ${lastTool} commands`;
 }
 
+/**
+ * @returns {string}
+ */
+export function getShimsDir() {
+  return path.join(os.homedir(), ".safe-chain", "shims");
+}
+
+/**
+ * @returns {string}
+ */
+export function getScriptsDir() {
+  return path.join(os.homedir(), ".safe-chain", "scripts");
+}
+
 /**
  * @param {string} executableName
  *

package/src/shell-integration/setup-ci.js

@@ -1,6 +1,6 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
-import { getPackageManagerList, knownAikidoTools } from "./helpers.js";
+import { getPackageManagerList, knownAikidoTools, getShimsDir } from "./helpers.js";
 import fs from "fs";
 import os from "os";
 import path from "path";
@@ -32,7 +32,7 @@ export async function setupCi() {
   );
   ui.emptyLine();
 
-  const shimsDir = path.join(os.homedir(), ".safe-chain", "shims");
+  const shimsDir = getShimsDir();
   const binDir = path.join(os.homedir(), ".safe-chain", "bin");
   // Create the shims directory if it doesn't exist
   if (!fs.existsSync(shimsDir)) {

package/src/shell-integration/setup.js

@@ -1,9 +1,8 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
-import { knownAikidoTools, getPackageManagerList } from "./helpers.js";
+import { knownAikidoTools, getPackageManagerList, getScriptsDir } from "./helpers.js";
 import fs from "fs";
-import os from "os";
 import path from "path";
 import { includePython } from "../config/cliArguments.js";
 import { fileURLToPath } from "url";
@@ -107,10 +106,10 @@ function setupShell(shell) {
 
 function copyStartupFiles() {
   const startupFiles = ["init-posix.sh", "init-pwsh.ps1", "init-fish.fish"];
+  const targetDir = getScriptsDir();
 
   for (const file of startupFiles) {
-    const targetDir = path.join(os.homedir(), ".safe-chain", "scripts");
-    const targetPath = path.join(os.homedir(), ".safe-chain", "scripts", file);
+    const targetPath = path.join(targetDir, file);
 
     if (!fs.existsSync(targetDir)) {
       fs.mkdirSync(targetDir, { recursive: true });

package/src/shell-integration/startup-scripts/include-python/init-fish.fish

@@ -52,6 +52,10 @@ function uv
     wrapSafeChainCommand "uv" $argv
 end
 
+function poetry
+    wrapSafeChainCommand "poetry" $argv
+end
+
 # `python -m pip`, `python -m pip3`.
 function python
     wrapSafeChainCommand "python" $argv

package/src/shell-integration/startup-scripts/include-python/init-posix.sh

@@ -48,6 +48,10 @@ function uv() {
   wrapSafeChainCommand "uv" "$@"
 }
 
+function poetry() {
+  wrapSafeChainCommand "poetry" "$@"
+}
+
 # `python -m pip`, `python -m pip3`.
 function python() {
   wrapSafeChainCommand "python" "$@"

package/src/shell-integration/startup-scripts/include-python/init-pwsh.ps1

@@ -1,6 +1,6 @@
 # Use cross-platform path separator (: on Unix, ; on Windows)
 $pathSeparator = if ($IsWindows) { ';' } else { ':' }
-$safeChainBin = Join-Path $HOME '.safe-chain' 'bin'
+$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
 $env:PATH = "$env:PATH$pathSeparator$safeChainBin"
 
 function npx {
@@ -50,6 +50,10 @@ function uv {
     Invoke-WrappedCommand "uv" $args
 }
 
+function poetry {
+    Invoke-WrappedCommand "poetry" $args
+}
+
 # `python -m pip`, `python -m pip3`.
 function python {
     Invoke-WrappedCommand 'python' $args

package/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -1,6 +1,6 @@
 # Use cross-platform path separator (: on Unix, ; on Windows)
 $pathSeparator = if ($IsWindows) { ';' } else { ':' }
-$safeChainBin = Join-Path $HOME '.safe-chain' 'bin'
+$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
 $env:PATH = "$env:PATH$pathSeparator$safeChainBin"
 
 function npx {

package/src/shell-integration/teardown.js

@@ -1,7 +1,8 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
-import { knownAikidoTools, getPackageManagerList } from "./helpers.js";
+import { knownAikidoTools, getPackageManagerList, getShimsDir, getScriptsDir } from "./helpers.js";
+import fs from "fs";
 
 /**
  * @returns {Promise<void>}
@@ -62,3 +63,44 @@ export async function teardown() {
     return;
   }
 }
+
+/**
+ * Removes directories created by setup-ci and setup commands
+ * @returns {Promise<void>}
+ */
+export async function teardownDirectories() {
+  const shimsDir = getShimsDir();
+  const scriptsDir = getScriptsDir();
+
+  // Remove CI shims directory
+  if (fs.existsSync(shimsDir)) {
+    try {
+      fs.rmSync(shimsDir, { recursive: true, force: true });
+      ui.writeInformation(
+        `${chalk.bold("- CI Shims:")} ${chalk.green("Removed successfully")}`
+      );
+    } catch (/** @type {any} */ error) {
+      ui.writeError(
+        `${chalk.bold("- CI Shims:")} ${chalk.red(
+          "Failed to remove"
+        )}. Error: ${error.message}`
+      );
+    }
+  }
+
+  // Remove scripts directory
+  if (fs.existsSync(scriptsDir)) {
+    try {
+      fs.rmSync(scriptsDir, { recursive: true, force: true });
+      ui.writeInformation(
+        `${chalk.bold("- Scripts:")} ${chalk.green("Removed successfully")}`
+      );
+    } catch (/** @type {any} */ error) {
+      ui.writeError(
+        `${chalk.bold("- Scripts:")} ${chalk.red(
+          "Failed to remove"
+        )}. Error: ${error.message}`
+      );
+    }
+  }
+}