@aikidosec/safe-chain 1.4.4 → 1.4.8

package/src/shell-integration/supported-shells/windowsPowershell.js

@@ -71,6 +71,22 @@ function getStartupFile() {
   }
 }
 
+function getManualTeardownInstructions() {
+  return [
+    `Remove the following line from your PowerShell profile (run "echo $PROFILE" to find its location):`,
+    `  . "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"`,
+    `Then restart your terminal or run: . $PROFILE`,
+  ];
+}
+
+function getManualSetupInstructions() {
+  return [
+    `Add the following line to your PowerShell profile (run "echo $PROFILE" to find its location):`,
+    `  . "$HOME\\.safe-chain\\scripts\\init-pwsh.ps1"`,
+    `Then restart your terminal or run: . $PROFILE`,
+  ];
+}
+
 /**
  * @type {import("../shellDetection.js").Shell}
  */
@@ -79,4 +95,6 @@ export default {
   isInstalled,
   setup,
   teardown,
+  getManualSetupInstructions,
+  getManualTeardownInstructions,
 };

package/src/shell-integration/supported-shells/zsh.js

@@ -31,7 +31,7 @@ function teardown(tools) {
     );
   }
 
-  // Removes the line that sources the safe-chain zsh initialization script (~/.aikido/scripts/init-posix.sh)
+  // Removes the line that sources the safe-chain zsh initialization script (~/.safe-chain/scripts/init-posix.sh)
   removeLinesMatchingPattern(
     startupFile,
     /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
@@ -66,9 +66,27 @@ function getStartupFile() {
   }
 }
 
+function getManualTeardownInstructions() {
+  return [
+    `Remove the following line from your ~/.zshrc file:`,
+    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `Then restart your terminal or run: source ~/.zshrc`,
+  ];
+}
+
+function getManualSetupInstructions() {
+  return [
+    `Add the following line to your ~/.zshrc file:`,
+    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `Then restart your terminal or run: source ~/.zshrc`,
+  ];
+}
+
 export default {
   name: shellName,
   isInstalled,
   setup,
   teardown,
+  getManualSetupInstructions,
+  getManualTeardownInstructions,
 };

package/src/shell-integration/teardown.js

@@ -47,8 +47,14 @@ export async function teardown() {
         ui.writeError(
           `${chalk.bold("- " + shell.name + ":")} ${chalk.red(
             "Teardown failed"
-          )}. Please check your ${shell.name} configuration.`
+          )}`
         );
+        ui.emptyLine();
+        ui.writeInformation(`  ${chalk.bold("To tear down manually:")}`);
+        for (const instruction of shell.getManualTeardownInstructions()) {
+          ui.writeInformation(`    ${instruction}`);
+        }
+        ui.emptyLine();
       }
     }
 

package/src/ultimate/ultimateTroubleshooting.js

@@ -42,7 +42,7 @@ export async function troubleshootingExport() {
       resolve(zipFileName);
     });
 
-    archive.on('error', (err) => {
+    archive.on('error', (/** @type {Error} */ err) => {
       ui.writeError(`Failed to zip logs: ${err.message}`);
       reject(err);
     });

package/src/installation/downloadAgent.js

@@ -1,125 +0,0 @@
-import { createWriteStream, createReadStream } from "fs";
-import { createHash } from "crypto";
-import { pipeline } from "stream/promises";
-import fetch from "make-fetch-happen";
-
-const ULTIMATE_VERSION = "v1.0.0";
-
-export const DOWNLOAD_URLS = {
-  win32: {
-    x64: {
-      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-windows-amd64.msi`,
-      checksum:
-        "sha256:c6a36f9b8e55ab6b7e8742cbabc4469d85809237c0f5e6c21af20b36c416ee1d",
-    },
-    arm64: {
-      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-windows-arm64.msi`,
-      checksum:
-        "sha256:46acd1af6a9938ea194c8ee8b34ca9b47c8de22e088a0791f3c0751dd6239c90",
-    },
-  },
-  darwin: {
-    x64: {
-      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-darwin-amd64.pkg`,
-      checksum:
-        "sha256:bb1829e8ca422e885baf37bef08dcbe7df7a30f248e2e89c4071564f7d4f3396",
-    },
-    arm64: {
-      url: `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/SafeChainUltimate-darwin-arm64.pkg`,
-      checksum:
-        "sha256:7fe4a785709911cc366d8224b4c290677573b8c4833bd9054768299e55c5f0ed",
-    },
-  },
-};
-
-/**
- * Builds the download URL for the SafeChain Agent installer.
- * @param {string} fileName
- */
-export function getAgentDownloadUrl(fileName) {
-  return `https://github.com/AikidoSec/safechain-internals/releases/download/${ULTIMATE_VERSION}/${fileName}`;
-}
-
-/**
- * Downloads a file from a URL to a local path.
- * @param {string} url
- * @param {string} destPath
- */
-export async function downloadFile(url, destPath) {
-  const response = await fetch(url);
-  if (!response.ok) {
-    throw new Error(`Download failed: ${response.statusText}`);
-  }
-  await pipeline(response.body, createWriteStream(destPath));
-}
-
-/**
- * Returns the current agent version.
- */
-export function getAgentVersion() {
-  return ULTIMATE_VERSION;
-}
-
-/**
- * Returns download info (url, checksum) for the current OS and architecture.
- * @returns {{ url: string, checksum: string } | null}
- */
-export function getDownloadInfoForCurrentPlatform() {
-  const platform = process.platform;
-  const arch = process.arch;
-
-  if (!Object.hasOwn(DOWNLOAD_URLS, platform)) {
-    return null;
-  }
-  const platformUrls =
-    DOWNLOAD_URLS[/** @type {keyof typeof DOWNLOAD_URLS} */ (platform)];
-
-  if (!Object.hasOwn(platformUrls, arch)) {
-    return null;
-  }
-
-  return platformUrls[/** @type {keyof typeof platformUrls} */ (arch)];
-}
-
-/**
- * Verifies the checksum of a file.
- * @param {string} filePath
- * @param {string} expectedChecksum - Format: "algorithm:hash" (e.g., "sha256:abc123...")
- * @returns {Promise<boolean>}
- */
-export async function verifyChecksum(filePath, expectedChecksum) {
-  const [algorithm, expected] = expectedChecksum.split(":");
-
-  const hash = createHash(algorithm);
-
-  if (filePath.includes("..")) throw new Error("Invalid file path");
-  const stream = createReadStream(filePath);
-
-  for await (const chunk of stream) {
-    hash.update(chunk);
-  }
-
-  const actual = hash.digest("hex");
-  return actual === expected;
-}
-
-/**
- * Downloads the SafeChain agent for the current OS/arch and verifies its checksum.
- * @param {string} fileName - Destination file path
- * @returns {Promise<string | null>} The file path if successful, null if no download URL for current platform
- */
-export async function downloadAgentToFile(fileName) {
-  const info = getDownloadInfoForCurrentPlatform();
-  if (!info) {
-    return null;
-  }
-
-  await downloadFile(info.url, fileName);
-
-  const isValid = await verifyChecksum(fileName, info.checksum);
-  if (!isValid) {
-    throw new Error("Checksum verification failed");
-  }
-
-  return fileName;
-}

package/src/installation/installOnMacOS.js

@@ -1,155 +0,0 @@
-import { tmpdir } from "os";
-import { unlinkSync } from "fs";
-import { join } from "path";
-import { execSync, spawnSync } from "child_process";
-import { ui } from "../environment/userInteraction.js";
-import { printVerboseAndSafeSpawn } from "../utils/safeSpawn.js";
-import { downloadAgentToFile, getAgentVersion } from "./downloadAgent.js";
-import chalk from "chalk";
-
-const MACOS_PKG_IDENTIFIER = "com.aikidosecurity.safechainultimate";
-
-/**
- * Checks if root privileges are available and displays error message if not.
- * @param {string} command - The sudo command to show in the error message
- * @returns {boolean} True if running as root, false otherwise.
- */
-function requireRootPrivileges(command) {
-  if (isRunningAsRoot()) {
-    return true;
-  }
-
-  ui.writeError("Root privileges required.");
-  ui.writeInformation("Please run this command with sudo:");
-  ui.writeInformation(`  ${command}`);
-  return false;
-}
-
-function isRunningAsRoot() {
-  const rootUserUid = 0;
-  return process.getuid?.() === rootUserUid;
-}
-
-export async function installOnMacOS() {
-  if (!requireRootPrivileges("sudo safe-chain ultimate")) {
-    return;
-  }
-
-  const pkgPath = join(tmpdir(), `SafeChainUltimate-${Date.now()}.pkg`);
-
-  ui.emptyLine();
-  ui.writeInformation(`📥 Downloading SafeChain Ultimate ${getAgentVersion()}`);
-  ui.writeVerbose(`Destination: ${pkgPath}`);
-
-  const result = await downloadAgentToFile(pkgPath);
-  if (!result) {
-    ui.writeError("No download available for this platform/architecture.");
-    return;
-  }
-
-  try {
-    ui.writeInformation("⚙️  Installing SafeChain Ultimate...");
-    await runPkgInstaller(pkgPath);
-
-    ui.emptyLine();
-    ui.writeInformation(
-      "✅ SafeChain Ultimate installed and started successfully!",
-    );
-    ui.emptyLine();
-    ui.writeInformation(
-      chalk.cyan("🔐 ") +
-        chalk.bold("ACTION REQUIRED: ") +
-        "macOS will show a popup to install our certificate.",
-    );
-    ui.writeInformation(
-      "   " +
-        chalk.bold("Please accept the certificate") +
-        " to complete the installation.",
-    );
-    ui.emptyLine();
-  } finally {
-    ui.writeVerbose(`Cleaning up temporary file: ${pkgPath}`);
-    cleanup(pkgPath);
-  }
-}
-
-const MACOS_UNINSTALL_SCRIPT =
-  "/Library/Application\\ Support/AikidoSecurity/SafeChainUltimate/scripts/uninstall";
-
-export async function uninstallOnMacOS() {
-  if (!requireRootPrivileges("sudo safe-chain ultimate uninstall")) {
-    return;
-  }
-
-  ui.emptyLine();
-
-  if (!isPackageInstalled()) {
-    ui.writeInformation("SafeChain Ultimate is not installed.");
-    return;
-  }
-
-  ui.writeInformation("🗑️  Uninstalling SafeChain Ultimate...");
-  ui.writeVerbose(`Running: ${MACOS_UNINSTALL_SCRIPT}`);
-
-  const result = spawnSync(MACOS_UNINSTALL_SCRIPT, {
-    stdio: "inherit",
-    shell: true,
-  });
-
-  if (result.status !== 0) {
-    ui.writeError(
-      `Uninstall script failed (exit code: ${result.status}). Please try again or remove manually.`,
-    );
-    return;
-  }
-
-  ui.emptyLine();
-  ui.writeInformation("✅ SafeChain Ultimate has been uninstalled.");
-  ui.emptyLine();
-}
-
-function isPackageInstalled() {
-  try {
-    const output = execSync(`pkgutil --pkg-info ${MACOS_PKG_IDENTIFIER}`, {
-      encoding: "utf8",
-      stdio: "pipe",
-    });
-    return output.includes(MACOS_PKG_IDENTIFIER);
-  } catch {
-    return false;
-  }
-}
-
-/**
- * @param {string} pkgPath
- */
-async function runPkgInstaller(pkgPath) {
-  // Uses installer to install the package (https://ss64.com/mac/installer.html)
-  // Options:
-  //  -pkg (required):    The package to be installed.
-  //  -target (required): The target volume is specified with the -target parameter.
-  //                       --> "-target /" installs to the current boot volume.
-
-  const result = await printVerboseAndSafeSpawn(
-    "installer",
-    ["-pkg", pkgPath, "-target", "/"],
-    {
-      stdio: "inherit",
-    },
-  );
-
-  if (result.status !== 0) {
-    throw new Error(`PKG installer failed (exit code: ${result.status})`);
-  }
-}
-
-/**
- * @param {string} pkgPath
- */
-function cleanup(pkgPath) {
-  try {
-    unlinkSync(pkgPath);
-  } catch {
-    ui.writeVerbose("Failed to clean up temporary installer file.");
-  }
-}

package/src/installation/installOnWindows.js

@@ -1,203 +0,0 @@
-import { tmpdir } from "os";
-import { unlinkSync } from "fs";
-import { join } from "path";
-import { execSync } from "child_process";
-import { ui } from "../environment/userInteraction.js";
-import { printVerboseAndSafeSpawn, safeSpawn } from "../utils/safeSpawn.js";
-import { downloadAgentToFile, getAgentVersion } from "./downloadAgent.js";
-
-const WINDOWS_SERVICE_NAME = "SafeChainUltimate";
-const WINDOWS_APP_NAME = "SafeChain Ultimate";
-
-export async function uninstallOnWindows() {
-  if (!(await requireAdminPrivileges())) {
-    return;
-  }
-
-  ui.emptyLine();
-
-  const productCode = getInstalledProductCode();
-  if (!productCode) {
-    ui.writeInformation("SafeChain Ultimate is not installed.");
-    return;
-  }
-
-  await stopServiceIfRunning();
-
-  ui.writeInformation("🗑️  Uninstalling SafeChain Ultimate...");
-  await uninstallByProductCode(productCode);
-
-  ui.emptyLine();
-  ui.writeInformation("✅ SafeChain Ultimate has been uninstalled.");
-  ui.emptyLine();
-}
-
-export async function installOnWindows() {
-  if (!(await requireAdminPrivileges())) {
-    return;
-  }
-
-  const msiPath = join(tmpdir(), `SafeChainUltimate-${Date.now()}.msi`);
-
-  ui.emptyLine();
-  ui.writeInformation(`📥 Downloading SafeChain Ultimate ${getAgentVersion()}`);
-  ui.writeVerbose(`Destination: ${msiPath}`);
-
-  const result = await downloadAgentToFile(msiPath);
-  if (!result) {
-    ui.writeError("No download available for this platform/architecture.");
-    return;
-  }
-
-  try {
-    ui.emptyLine();
-    await stopServiceIfRunning();
-    await uninstallIfInstalled();
-
-    ui.writeInformation("⚙️  Installing SafeChain Ultimate...");
-    await runMsiInstaller(msiPath);
-
-    ui.emptyLine();
-    ui.writeInformation(
-      "✅ SafeChain Ultimate installed and started successfully!",
-    );
-    ui.emptyLine();
-  } finally {
-    ui.writeVerbose(`Cleaning up temporary file: ${msiPath}`);
-    cleanup(msiPath);
-  }
-}
-
-/**
- * Checks if admin privileges are available and displays error message if not.
- * @returns {Promise<boolean>} True if running as admin, false otherwise.
- */
-async function requireAdminPrivileges() {
-  if (await isRunningAsAdmin()) {
-    return true;
-  }
-
-  ui.writeError("Administrator privileges required.");
-  ui.writeInformation(
-    "Please run this command in an elevated terminal (Run as Administrator).",
-  );
-  return false;
-}
-
-async function isRunningAsAdmin() {
-  // Uses Windows Security API to check if current process has admin privileges.
-  // Returns "True" or "False" as a string.
-  const result = await safeSpawn(
-    "powershell",
-    [
-      "-Command",
-      "([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)",
-    ],
-    { stdio: "pipe" },
-  );
-
-  return result.status === 0 && result.stdout.trim() === "True";
-}
-
-/**
- * Returns the MSI product code for SafeChain Ultimate, or null if not installed.
- * @returns {string | null}
- */
-function getInstalledProductCode() {
-  // Query Win32_Product via WMI to find the installed SafeChain Agent.
-  // If found, outputs the product GUID (e.g., "{12345678-1234-...}") needed for msiexec uninstall.
-  ui.writeVerbose(`Finding product code with PowerShell`);
-
-  let productCode;
-  try {
-    productCode = execSync(
-      `powershell -Command "$app = Get-WmiObject -Class Win32_Product -Filter \\"Name='${WINDOWS_APP_NAME}'\\"; if ($app) { Write-Output $app.IdentifyingNumber }"`,
-      { encoding: "utf8" },
-    ).trim();
-  } catch {
-    return null;
-  }
-  return productCode || null;
-}
-
-/**
- * @param {string} productCode
- */
-async function uninstallByProductCode(productCode) {
-  ui.writeVerbose(`Found product code: ${productCode}`);
-
-  // Use msiexec to run the msi installer quitely (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec)
-  // Options:
-  //  - /x:         Uninstalls the package.
-  //  - /qn:        Specifies there's no UI during the installation process.
-  //  - /norestart: Stops the device from restarting after the installation completes.
-  const uninstallResult = await printVerboseAndSafeSpawn(
-    "msiexec",
-    ["/x", productCode, "/qn", "/norestart"],
-    { stdio: "inherit" },
-  );
-
-  if (uninstallResult.status !== 0) {
-    throw new Error(`Uninstall failed (exit code: ${uninstallResult.status})`);
-  }
-}
-
-async function uninstallIfInstalled() {
-  const productCode = getInstalledProductCode();
-  if (!productCode) {
-    ui.writeVerbose("No existing installation found (fresh install).");
-    return;
-  }
-
-  ui.writeInformation("🗑️  Removing previous installation...");
-  await uninstallByProductCode(productCode);
-}
-
-/**
- * @param {string} msiPath
- */
-async function runMsiInstaller(msiPath) {
-  // Use msiexec to run the msi installer quitely (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec)
-  // Options:
-  //  - /i:  Specifies normal installation
-  //  - /qn: Specifies there's no UI during the installation process.
-
-  const result = await printVerboseAndSafeSpawn(
-    "msiexec",
-    ["/i", msiPath, "/qn"],
-    {
-      stdio: "inherit",
-    },
-  );
-
-  if (result.status !== 0) {
-    throw new Error(`MSI installer failed (exit code: ${result.status})`);
-  }
-}
-
-async function stopServiceIfRunning() {
-  ui.writeInformation("⏹️  Stopping running service...");
-
-  const result = await printVerboseAndSafeSpawn(
-    "net",
-    ["stop", WINDOWS_SERVICE_NAME],
-    {
-      stdio: "pipe",
-    },
-  );
-
-  if (result.status !== 0) {
-    ui.writeVerbose("Service not running (will start after installation).");
-  }
-}
-
-/**
- * @param {string} msiPath
- */
-function cleanup(msiPath) {
-  try {
-    unlinkSync(msiPath);
-  } catch {
-    ui.writeVerbose("Failed to clean up temporary installer file.");
-  }
-}

package/src/installation/installUltimate.js

@@ -1,35 +0,0 @@
-import { platform } from "os";
-import { ui } from "../environment/userInteraction.js";
-import { initializeCliArguments } from "../config/cliArguments.js";
-import { installOnWindows, uninstallOnWindows } from "./installOnWindows.js";
-import { installOnMacOS, uninstallOnMacOS } from "./installOnMacOS.js";
-
-export async function uninstallUltimate() {
-  initializeCliArguments(process.argv);
-
-  const operatingSystem = platform();
-
-  if (operatingSystem === "win32") {
-    await uninstallOnWindows();
-  } else if (operatingSystem === "darwin") {
-    await uninstallOnMacOS();
-  } else {
-    ui.writeInformation(
-      `Uninstall is not yet supported on ${operatingSystem}.`,
-    );
-  }
-}
-
-export async function installUltimate() {
-  const operatingSystem = platform();
-
-  if (operatingSystem === "win32") {
-    await installOnWindows();
-  } else if (operatingSystem === "darwin") {
-    await installOnMacOS();
-  } else {
-    ui.writeInformation(
-      `${operatingSystem} is not supported yet by SafeChain's ultimate version.`,
-    );
-  }
-}