@aikidosec/safe-chain 1.4.8 → 1.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.4.8",
+  "version": "1.5.0",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -16,6 +16,7 @@
     "aikido-bun": "bin/aikido-bun.js",
     "aikido-bunx": "bin/aikido-bunx.js",
     "aikido-uv": "bin/aikido-uv.js",
+    "aikido-uvx": "bin/aikido-uvx.js",
     "aikido-pip": "bin/aikido-pip.js",
     "aikido-pip3": "bin/aikido-pip3.js",
     "aikido-python": "bin/aikido-python.js",
@@ -36,9 +37,8 @@
   "keywords": [],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
-  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, or pip/pip3 from downloading or running the malware.",
+  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, uvx, or pip/pip3 from downloading or running the malware.",
   "dependencies": {
-    "archiver": "^7.0.1",
     "certifi": "14.5.15",
     "chalk": "5.4.1",
     "https-proxy-agent": "7.0.6",
@@ -49,7 +49,6 @@
     "semver": "7.7.2"
   },
   "devDependencies": {
-    "@types/archiver": "^7.0.0",
     "@types/ini": "^4.1.1",
     "@types/make-fetch-happen": "^10.0.4",
     "@types/node": "^18.19.130",

package/src/config/configFile.js

@@ -3,6 +3,7 @@ import path from "path";
 import os from "os";
 import { ui } from "../environment/userInteraction.js";
 import { getEcoSystem } from "./settings.js";
+import { getSafeChainBaseDir } from "./safeChainDir.js";
 
 /**
  * @typedef {Object} SafeChainConfig
@@ -304,8 +305,7 @@ function getConfigFilePath() {
  * @returns {string}
  */
 export function getSafeChainDirectory() {
-  const homeDir = os.homedir();
-  const safeChainDir = path.join(homeDir, ".safe-chain");
+  const safeChainDir = getSafeChainBaseDir();
 
   if (!fs.existsSync(safeChainDir)) {
     fs.mkdirSync(safeChainDir, { recursive: true });

package/src/config/safeChainDir.js

@@ -0,0 +1,71 @@
+import os from "os";
+import path from "path";
+import { fileURLToPath } from "url";
+import { getInstalledSafeChainDir } from "../installLocation.js";
+
+/**
+ * @returns {string}
+ */
+export function getSafeChainBaseDir() {
+  return getInstalledSafeChainDir() ?? path.join(os.homedir(), ".safe-chain");
+}
+
+/**
+ * @returns {string}
+ */
+export function getBinDir() {
+  return path.join(getSafeChainBaseDir(), "bin");
+}
+
+/**
+ * @returns {string}
+ */
+export function getShimsDir() {
+  return path.join(getSafeChainBaseDir(), "shims");
+}
+
+/**
+ * @returns {string}
+ */
+export function getScriptsDir() {
+  return path.join(getSafeChainBaseDir(), "scripts");
+}
+
+/**
+ * @returns {string}
+ */
+export function getCertsDir() {
+  return path.join(getSafeChainBaseDir(), "certs");
+}
+
+/**
+ * Resolves the directory of the calling module.
+ * Falls back to __dirname when import.meta.url is unavailable (pkg CJS binary).
+ * @param {string | undefined} moduleUrl
+ * @returns {string}
+ */
+function resolveModuleDir(moduleUrl) {
+  if (moduleUrl) {
+    return path.dirname(fileURLToPath(moduleUrl));
+  }
+  // eslint-disable-next-line no-undef
+  return __dirname;
+}
+
+/**
+ * @param {string | undefined} moduleUrl
+ * @param {string} fileName
+ * @returns {string}
+ */
+export function getStartupScriptSourcePath(moduleUrl, fileName) {
+  return path.join(resolveModuleDir(moduleUrl), "startup-scripts", fileName);
+}
+
+/**
+ * @param {string | undefined} moduleUrl
+ * @param {string} fileName
+ * @returns {string}
+ */
+export function getPathWrapperTemplatePath(moduleUrl, fileName) {
+  return path.join(resolveModuleDir(moduleUrl), "path-wrappers", "templates", fileName);
+}

package/src/installLocation.js

@@ -0,0 +1,42 @@
+import path from "path";
+
+/** @type {NodeJS.Process & { pkg?: unknown }} */
+const processWithPkg = process;
+
+/**
+ * @param {string} executablePath
+ * @returns {string | undefined}
+ */
+export function deriveInstallDirFromExecutablePath(executablePath) {
+  if (!executablePath) {
+    return undefined;
+  }
+
+  const pathLibrary = executablePath.includes("\\") ? path.win32 : path.posix;
+  const executableDir = pathLibrary.dirname(executablePath);
+  if (pathLibrary.basename(executableDir) !== "bin") {
+    return undefined;
+  }
+
+  return pathLibrary.dirname(executableDir);
+}
+
+/**
+ * Returns the install directory for a packaged safe-chain binary.
+ * Custom installation directories only apply to packaged binary installs.
+ * For npm/global/dev-script executions this intentionally returns undefined,
+ * which causes callers to fall back to the default ~/.safe-chain layout.
+ *
+ * @param {{ isPackaged?: boolean, executablePath?: string }} [options]
+ * @returns {string | undefined}
+ */
+export function getInstalledSafeChainDir(options = {}) {
+  const isPackaged = options.isPackaged ?? Boolean(processWithPkg.pkg);
+  if (!isPackaged) {
+    return undefined;
+  }
+
+  return deriveInstallDirFromExecutablePath(
+    options.executablePath ?? process.execPath,
+  );
+}

package/src/packagemanager/currentPackageManager.js

@@ -13,6 +13,7 @@ import { createPipPackageManager } from "./pip/createPackageManager.js";
 import { createUvPackageManager } from "./uv/createUvPackageManager.js";
 import { createPoetryPackageManager } from "./poetry/createPoetryPackageManager.js";
 import { createPipXPackageManager } from "./pipx/createPipXPackageManager.js";
+import { createUvxPackageManager } from "./uvx/createUvxPackageManager.js";
 
 /**
  * @type {{packageManagerName: PackageManager | null}}
@@ -60,6 +61,8 @@ export function initializePackageManager(packageManagerName, context) {
     state.packageManagerName = createPipPackageManager(context);
   } else if (packageManagerName === "uv") {
     state.packageManagerName = createUvPackageManager();
+  } else if (packageManagerName === "uvx") {
+    state.packageManagerName = createUvxPackageManager();
   } else if (packageManagerName === "poetry") {
     state.packageManagerName = createPoetryPackageManager();
   } else if (packageManagerName === "pipx") {

package/src/packagemanager/uvx/createUvxPackageManager.js

@@ -0,0 +1,18 @@
+import { runUv } from "../uv/runUvCommand.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createUvxPackageManager() {
+  return {
+    /**
+     * @param {string[]} args
+     */
+    runCommand: (args) => {
+      return runUv("uvx", args);
+    },
+    // For uvx, rely solely on MITM
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}

package/src/registryProxy/certUtils.js

@@ -1,9 +1,8 @@
 import forge from "node-forge";
 import path from "path";
 import fs from "fs";
-import os from "os";
+import { getCertsDir } from "../config/safeChainDir.js";
 
-const certFolder = path.join(os.homedir(), ".safe-chain", "certs");
 const ca = loadCa();
 
 const certCache = new Map();
@@ -20,7 +19,7 @@ function createKeyIdentifier(publicKey) {
 }
 
 export function getCaCertPath() {
-  return path.join(certFolder, "ca-cert.pem");
+  return path.join(getCertsDir(), "ca-cert.pem");
 }
 
 /**
@@ -112,6 +111,7 @@ export function generateCertForHost(hostname) {
 }
 
 function loadCa() {
+  const certFolder = getCertsDir();
   const keyPath = path.join(certFolder, "ca-key.pem");
   const certPath = path.join(certFolder, "ca-cert.pem");
 

package/src/registryProxy/interceptors/pip/modifyPipInfo.js

@@ -6,6 +6,23 @@ export { parsePipMetadataUrl, isPipPackageInfoUrl } from "./parsePipPackageUrl.j
 import { getPipMetadataContentType, logSuppressedVersion } from "./pipMetadataResponseUtils.js";
 import { modifyPipJsonResponse } from "./modifyPipJsonResponse.js";
 
+/**
+ * Strip conditional GET headers so PyPI always returns a full 200 response
+ * with a body we can rewrite. Without this, pip sends If-None-Match /
+ * If-Modified-Since, PyPI responds 304 Not Modified (empty body), and
+ * safe-chain cannot rewrite it — leaving pip with a cached index that still
+ * lists too-young versions. Those versions are then blocked at direct-download
+ * time with a hard 403, preventing dependency resolution from completing.
+ *
+ * @param {NodeJS.Dict<string | string[]>} headers
+ * @returns {NodeJS.Dict<string | string[]>}
+ */
+export function modifyPipInfoRequestHeaders(headers) {
+  delete headers["if-none-match"];
+  delete headers["if-modified-since"];
+  return headers;
+}
+
 // Match simple-index anchor tags and capture their href so we can suppress
 // individual distribution links from PyPI HTML metadata responses.
 const HTML_ANCHOR_HREF_RE =

package/src/registryProxy/interceptors/pip/pipInterceptor.js

@@ -9,6 +9,7 @@ import { openNewPackagesDatabase } from "../../../scanning/newPackagesListCache.
 import { interceptRequests } from "../interceptorBuilder.js";
 import { isExcludedFromMinimumPackageAge } from "../minimumPackageAgeExclusions.js";
 import {
+  modifyPipInfoRequestHeaders,
   modifyPipInfoResponse,
   parsePipMetadataUrl,
 } from "./modifyPipInfo.js";
@@ -61,6 +62,7 @@ function createPipRequestHandler(registry) {
       !isExcludedFromMinimumPackageAge(metadataPackageName)
     ) {
       const newPackagesDatabase = await openNewPackagesDatabase();
+      reqContext.modifyRequestHeaders(modifyPipInfoRequestHeaders);
       reqContext.modifyBody((body, headers) =>
         modifyPipInfoResponse(
           body,

package/src/shell-integration/helpers.js

@@ -66,6 +66,12 @@ export const knownAikidoTools = [
     ecoSystem: ECOSYSTEM_PY,
     internalPackageManagerName: "uv",
   },
+  {
+    tool: "uvx",
+    aikidoCommand: "aikido-uvx",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "uvx",
+  },
   {
     tool: "pip",
     aikidoCommand: "aikido-pip",
@@ -121,20 +127,6 @@ export function getPackageManagerList() {
   return `${tools.join(", ")}, and ${lastTool} commands`;
 }
 
-/**
- * @returns {string}
- */
-export function getShimsDir() {
-  return path.join(os.homedir(), ".safe-chain", "shims");
-}
-
-/**
- * @returns {string}
- */
-export function getScriptsDir() {
-  return path.join(os.homedir(), ".safe-chain", "scripts");
-}
-
 /**
  * @param {string} executableName
  *

package/src/shell-integration/path-wrappers/templates/unix-wrapper.template.sh

@@ -4,13 +4,28 @@
 
 # Function to remove shim from PATH (POSIX-compliant)
 remove_shim_from_path() {
-    echo "$PATH" | sed "s|$HOME/.safe-chain/shims:||g"
+    _safe_chain_phys=$(CDPATH= cd -- "$(dirname -- "$0")" 2>/dev/null && pwd -P)
+    if [ -z "$_safe_chain_phys" ]; then
+        echo "$PATH"
+        return
+    fi
+    _path=$(echo "$PATH" | sed "s|${_safe_chain_phys}:||g")
+    # Also remove via dirname of $0 directly — on macOS /tmp is a symlink to /private/tmp,
+    # so pwd -P resolves to /private/tmp/… but PATH may still contain /tmp/….
+    _dir=$(dirname -- "$0")
+    case "$_dir" in
+        /*) [ "$_dir" != "$_safe_chain_phys" ] && _path=$(echo "$_path" | sed "s|${_dir}:||g") ;;
+    esac
+    echo "$_path"
 }
 
 if command -v safe-chain >/dev/null 2>&1; then
   # Remove shim directory from PATH when calling {{AIKIDO_COMMAND}} to prevent infinite loops
   PATH=$(remove_shim_from_path) exec safe-chain {{PACKAGE_MANAGER}} "$@"
 else
+  # safe-chain is not reachable — warn the user so they know protection is inactive
+  printf "\033[43;30mWarning:\033[0m safe-chain is not available to protect you from installing malware. {{PACKAGE_MANAGER}} will run without it.\n" >&2
+
   # Dynamically find original {{PACKAGE_MANAGER}} (excluding this shim directory)
   original_cmd=$(PATH=$(remove_shim_from_path) command -v {{PACKAGE_MANAGER}})
   if [ -n "$original_cmd" ]; then

package/src/shell-integration/path-wrappers/templates/windows-wrapper.template.cmd

@@ -3,7 +3,8 @@ REM Generated wrapper for {{PACKAGE_MANAGER}} by safe-chain
 REM This wrapper intercepts {{PACKAGE_MANAGER}} calls for non-interactive environments
 
 REM Remove shim directory from PATH to prevent infinite loops
-set "SHIM_DIR=%USERPROFILE%\.safe-chain\shims"
+set "SHIM_DIR=%~dp0"
+if "%SHIM_DIR:~-1%"=="\" set "SHIM_DIR=%SHIM_DIR:~0,-1%"
 call set "CLEAN_PATH=%%PATH:%SHIM_DIR%;=%%"
 
 REM Check if aikido command is available with clean PATH
@@ -21,4 +22,4 @@ if %errorlevel%==0 (
     REM If we get here, original command was not found
     echo Error: Could not find original {{PACKAGE_MANAGER}} >&2
     exit /b 1
-)
+)

package/src/shell-integration/setup-ci.js

@@ -1,24 +1,14 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
-import { getPackageManagerList, knownAikidoTools, getShimsDir } from "./helpers.js";
+import { getPackageManagerList, knownAikidoTools } from "./helpers.js";
+import {
+  getShimsDir,
+  getBinDir,
+  getPathWrapperTemplatePath,
+} from "../config/safeChainDir.js";
 import fs from "fs";
 import os from "os";
 import path from "path";
-import { fileURLToPath } from "url";
-
-/** @type {string} */
-// This checks the current file's dirname in a way that's compatible with:
-//  - Modulejs (import.meta.url)
-//  - ES modules (__dirname)
-// This is needed because safe-chain's npm package is built using ES modules,
-// but building the binaries requires commonjs.
-let dirname;
-if (import.meta.url) {
-  const filename = fileURLToPath(import.meta.url);
-  dirname = path.dirname(filename);
-} else {
-  dirname = __dirname;
-}
 
 /**
  * Loops over the detected shells and calls the setup function for each.
@@ -31,7 +21,7 @@ export async function setupCi() {
   ui.emptyLine();
 
   const shimsDir = getShimsDir();
-  const binDir = path.join(os.homedir(), ".safe-chain", "bin");
+  const binDir = getBinDir();
   // Create the shims directory if it doesn't exist
   if (!fs.existsSync(shimsDir)) {
     fs.mkdirSync(shimsDir, { recursive: true });
@@ -50,12 +40,7 @@ export async function setupCi() {
  */
 function createUnixShims(shimsDir) {
   // Read the template file
-  const templatePath = path.resolve(
-    dirname,
-    "path-wrappers",
-    "templates",
-    "unix-wrapper.template.sh"
-  );
+  const templatePath = getPathWrapperTemplatePath(import.meta.url, "unix-wrapper.template.sh");
 
   if (!fs.existsSync(templatePath)) {
     ui.writeError(`Template file not found: ${templatePath}`);
@@ -89,12 +74,7 @@ function createUnixShims(shimsDir) {
  */
 function createWindowsShims(shimsDir) {
   // Read the template file
-  const templatePath = path.resolve(
-    dirname,
-    "path-wrappers",
-    "templates",
-    "windows-wrapper.template.cmd"
-  );
+  const templatePath = getPathWrapperTemplatePath(import.meta.url, "windows-wrapper.template.cmd");
 
   if (!fs.existsSync(templatePath)) {
     ui.writeError(`Windows template file not found: ${templatePath}`);

package/src/shell-integration/setup.js

@@ -1,28 +1,10 @@
 import chalk from "chalk";
 import { ui } from "../environment/userInteraction.js";
 import { detectShells } from "./shellDetection.js";
-import {
-  knownAikidoTools,
-  getPackageManagerList,
-  getScriptsDir,
-} from "./helpers.js";
+import { knownAikidoTools, getPackageManagerList } from "./helpers.js";
+import { getScriptsDir, getStartupScriptSourcePath } from "../config/safeChainDir.js";
 import fs from "fs";
 import path from "path";
-import { fileURLToPath } from "url";
-
-/** @type {string} */
-// This checks the current file's dirname in a way that's compatible with:
-//  - Modulejs (import.meta.url)
-//  - ES modules (__dirname)
-// This is needed because safe-chain's npm package is built using ES modules,
-// but building the binaries requires commonjs.
-let dirname;
-if (import.meta.url) {
-  const filename = fileURLToPath(import.meta.url);
-  dirname = path.dirname(filename);
-} else {
-  dirname = __dirname;
-}
 
 /**
  * Loops over the detected shells and calls the setup function for each.
@@ -122,8 +104,7 @@ function copyStartupFiles() {
       fs.mkdirSync(targetDir, { recursive: true });
     }
 
-    // Use absolute path for source
-    const sourcePath = path.join(dirname, "startup-scripts", file);
+    const sourcePath = getStartupScriptSourcePath(import.meta.url, file);
     fs.copyFileSync(sourcePath, targetPath);
   }
 }

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -1,4 +1,7 @@
-set -gx PATH $PATH $HOME/.safe-chain/bin
+set -l safe_chain_script (status filename)
+set -l safe_chain_scripts_dir (dirname $safe_chain_script)
+set -l safe_chain_base (dirname $safe_chain_scripts_dir)
+set -gx PATH $PATH $safe_chain_base/bin
 
 function npx
     wrapSafeChainCommand "npx" $argv
@@ -51,6 +54,10 @@ function uv
     wrapSafeChainCommand "uv" $argv
 end
 
+function uvx
+    wrapSafeChainCommand "uvx" $argv
+end
+
 function poetry
     wrapSafeChainCommand "poetry" $argv
 end

package/src/shell-integration/startup-scripts/init-posix.sh

@@ -1,4 +1,16 @@
-export PATH="$PATH:$HOME/.safe-chain/bin"
+if [ -n "${BASH_SOURCE[0]:-}" ]; then
+    _sc_script_path="${BASH_SOURCE[0]}"
+elif [ -n "${ZSH_VERSION:-}" ]; then
+    # ${(%):-%x} uses Zsh prompt expansion to get the sourced file's path.
+    # eval is required so other shells don't try to parse the Zsh-specific syntax.
+    eval '_sc_script_path="${(%):-%x}"'
+else
+    _sc_script_path="$0"
+fi
+_sc_scripts_dir=$(CDPATH= cd -- "$(dirname -- "$_sc_script_path")" 2>/dev/null && pwd -P)
+_sc_base=$(dirname -- "$_sc_scripts_dir")
+export PATH="$PATH:${_sc_base}/bin"
+unset _sc_base _sc_script_path _sc_scripts_dir
 
 function npx() {
   wrapSafeChainCommand "npx" "$@"
@@ -47,6 +59,10 @@ function uv() {
   wrapSafeChainCommand "uv" "$@"
 }
 
+function uvx() {
+  wrapSafeChainCommand "uvx" "$@"
+}
+
 function poetry() {
   wrapSafeChainCommand "poetry" "$@"
 }

package/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -2,7 +2,8 @@
 # $IsWindows is only available in PowerShell Core 6.0+. If it doesn't exist, assume Windows PowerShell
 $isWindowsPlatform = if (Test-Path variable:IsWindows) { $IsWindows } else { $true }
 $pathSeparator = if ($isWindowsPlatform) { ';' } else { ':' }
-$safeChainBin = Join-Path (Join-Path $HOME '.safe-chain') 'bin'
+$safeChainBase = Split-Path -Parent $PSScriptRoot
+$safeChainBin = Join-Path $safeChainBase 'bin'
 $env:PATH = "$env:PATH$pathSeparator$safeChainBin"
 
 function npx {
@@ -52,6 +53,10 @@ function uv {
     Invoke-WrappedCommand "uv" $args $MyInvocation.Line $MyInvocation.OffsetInLine
 }
 
+function uvx {
+    Invoke-WrappedCommand "uvx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
 function poetry {
     Invoke-WrappedCommand "poetry" $args $MyInvocation.Line $MyInvocation.OffsetInLine
 }

package/src/shell-integration/supported-shells/bash.js

@@ -3,8 +3,10 @@ import {
   doesExecutableExistOnSystem,
   removeLinesMatchingPattern,
 } from "../helpers.js";
+import { getScriptsDir } from "../../config/safeChainDir.js";
 import { execSync, spawnSync } from "child_process";
 import * as os from "os";
+import path from "path";
 
 const shellName = "Bash";
 const executableName = "bash";
@@ -32,10 +34,10 @@ function teardown(tools) {
     );
   }
 
-  // Removes the line that sources the safe-chain bash initialization script (~/.safe-chain/scripts/init-posix.sh)
+  // Remove sourcing line to disable safe-chain shell integration
   removeLinesMatchingPattern(
     startupFile,
-    /^source\s+~\/\.safe-chain\/scripts\/init-posix\.sh/,
+    /^source\s+.*init-posix\.sh.*#\s*Safe-chain/,
     eol
   );
 
@@ -44,10 +46,11 @@ function teardown(tools) {
 
 function setup() {
   const startupFile = getStartupFile();
+  const scriptsDir = getShellScriptsDir();
 
   addLineToFile(
     startupFile,
-    `source ~/.safe-chain/scripts/init-posix.sh # Safe-chain bash initialization script`,
+    `source ${path.posix.join(scriptsDir, "init-posix.sh")} # Safe-chain bash initialization script`,
     eol
   );
 
@@ -94,6 +97,51 @@ function windowsFixPath(path) {
   }
 }
 
+function getShellScriptsDir() {
+  return toBashPath(getScriptsDir());
+}
+
+/**
+ * @param {string} path
+ *
+ * @returns {string}
+ */
+function toBashPath(path) {
+  try {
+    if (os.platform() !== "win32") {
+      return path.replace(/\\/g, "/");
+    }
+
+    const directWindowsPath = windowsPathToBashPath(path);
+    if (directWindowsPath) {
+      return directWindowsPath;
+    }
+
+    if (hasCygpath()) {
+      return convertCygwinPathToUnix(path);
+    }
+
+    return path.replace(/\\/g, "/");
+  } catch {
+    return path.replace(/\\/g, "/");
+  }
+}
+
+/**
+ * @param {string} path
+ *
+ * @returns {string | undefined}
+ */
+function windowsPathToBashPath(path) {
+  const match = /^([A-Za-z]):[\\/](.*)$/.exec(path);
+  if (!match) {
+    return undefined;
+  }
+
+  const [, driveLetter, rest] = match;
+  return `/${driveLetter.toLowerCase()}/${rest.replace(/\\/g, "/")}`;
+}
+
 function hasCygpath() {
   try {
     var result = spawnSync("where", ["cygpath"], { shell: executableName });
@@ -123,18 +171,40 @@ function cygpathw(path) {
   }
 }
 
+/**
+ * @param {string} path
+ *
+ * @returns {string}
+ */
+function convertCygwinPathToUnix(path) {
+  try {
+    var result = spawnSync("cygpath", ["-u", path], {
+      encoding: "utf8",
+      shell: executableName,
+    });
+    if (result.status === 0) {
+      return result.stdout.trim();
+    }
+    return path.replace(/\\/g, "/");
+  } catch {
+    return path.replace(/\\/g, "/");
+  }
+}
+
 function getManualTeardownInstructions() {
+  const scriptsDir = getShellScriptsDir();
   return [
     `Remove the following line from your ~/.bashrc file:`,
-    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `  source ${path.posix.join(scriptsDir, "init-posix.sh")}`,
     `Then restart your terminal or run: source ~/.bashrc`,
   ];
 }
 
 function getManualSetupInstructions() {
+  const scriptsDir = getShellScriptsDir();
   return [
     `Add the following line to your ~/.bashrc file:`,
-    `  source ~/.safe-chain/scripts/init-posix.sh`,
+    `  source ${path.posix.join(scriptsDir, "init-posix.sh")}`,
     `Then restart your terminal or run: source ~/.bashrc`,
   ];
 }