@aikidosec/safe-chain 1.5.2 → 1.5.3

package/README.md

@@ -25,6 +25,8 @@ Aikido Safe Chain supports the following package managers:
 - 📦 **yarn**
 - 📦 **pnpm**
 - 📦 **pnpx**
+- 📦 **rush**
+- 📦 **rushx**
 - 📦 **bun**
 - 📦 **bunx**
 - 📦 **pip**
@@ -75,7 +77,7 @@ You can find all available versions on the [releases page](https://github.com/Ai
 ### Verify the installation
 
 1. **❗Restart your terminal** to start using the Aikido Safe Chain.
-   - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, bun, bunx, pip, pip3, poetry, uv, uvx and pipx are loaded correctly. If you do not restart your terminal, the aliases will not be available.
+   - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, pip, pip3, poetry, uv, uvx and pipx are loaded correctly. If you do not restart your terminal, the aliases will not be available.
 
 2. **Verify the installation** by running the verification command:
 
@@ -106,7 +108,7 @@ You can find all available versions on the [releases page](https://github.com/Ai
 
    - The output should show that Aikido Safe Chain is blocking the installation of these test packages as they are flagged as malware.
 
-When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry` and `pipx` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
+When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `rush`, `rushx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry` and `pipx` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
 
 You can check the installed version by running:
 
@@ -118,7 +120,7 @@ safe-chain --version
 
 ### Malware Blocking
 
-The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, pip, pip3, uv, uvx, poetry or pipx commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
+The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, pip, pip3, uv, uvx, poetry or pipx commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
 
 ### Minimum package age
 
@@ -137,7 +139,7 @@ By default, the minimum package age is 48 hours. This provides an additional sec
 
 ### Shell Integration
 
-The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and Python package managers (pip, uv, uvx, poetry, pipx). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
+The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, and Python package managers (pip, uv, uvx, poetry, pipx). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
 
 - ✅ **Bash**
 - ✅ **Zsh**
@@ -548,4 +550,16 @@ npm-ci:
 
 # Troubleshooting
 
-Having issues? See the [Troubleshooting Guide](https://help.aikido.dev/code-scanning/aikido-malware-scanning/safe-chain-troubleshooting) for help with common problems.
+Having issues? See the [Troubleshooting Guide](./docs/troubleshooting) for help with common problems.
+
+# Report Issues
+
+If you encounter problems:
+
+1. Visit [GitHub Issues](https://github.com/AikidoSec/safe-chain/issues)
+2. Include:
+   * Operating system and version
+   * Shell type and version
+   * `safe-chain --version` output
+   * Output from verification commands
+   * Verbose logs of the failing command (add the `--safe-chain-logging=verbose` argument)

package/bin/aikido-rush.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
+
+setEcoSystem(ECOSYSTEM_JS);
+const packageManagerName = "rush";
+initializePackageManager(packageManagerName);
+
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/aikido-rushx.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { setEcoSystem, ECOSYSTEM_JS } from "../src/config/settings.js";
+
+setEcoSystem(ECOSYSTEM_JS);
+const packageManagerName = "rushx";
+initializePackageManager(packageManagerName);
+
+(async () => {
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

package/bin/safe-chain.js

@@ -108,7 +108,7 @@ function writeHelp() {
   ui.writeInformation(
     `- ${chalk.cyan(
       "safe-chain setup",
-    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, bun, bunx, pip and pip3.`,
+    )}: This will setup your shell to wrap safe-chain around npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, pip and pip3.`,
   );
   ui.writeInformation(
     `- ${chalk.cyan(

package/docs/shell-integration.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-The shell integration automatically wraps common package manager commands (`npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry`, `pipx`) with Aikido's security scanning functionality. It also intercepts Python module invocations for pip when available: `python -m pip`, `python -m pip3`, `python3 -m pip`, `python3 -m pip3`. This is achieved by sourcing startup scripts that define shell functions to wrap these commands with their Aikido-protected equivalents.
+The shell integration automatically wraps common package manager commands (`npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `rush`, `rushx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry`, `pipx`) with Aikido's security scanning functionality. It also intercepts Python module invocations for pip when available: `python -m pip`, `python -m pip3`, `python3 -m pip`, `python3 -m pip3`. This is achieved by sourcing startup scripts that define shell functions to wrap these commands with their Aikido-protected equivalents.
 
 ## Supported Shells
 
@@ -28,7 +28,7 @@ This command:
 
 - Copies necessary startup scripts to Safe Chain's installation directory (`~/.safe-chain/scripts`)
 - Detects all supported shells on your system
-- Sources each shell's startup file to add Safe Chain functions for `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry` and `pipx`
+- Sources each shell's startup file to add Safe Chain functions for `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `rush`, `rushx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry` and `pipx`
 - Adds lightweight interceptors so `python -m pip[...]` and `python3 -m pip[...]` route through Safe Chain when invoked by name
 
 ❗ After running this command, **you must restart your terminal** for the changes to take effect. This ensures that the startup scripts are sourced correctly.
@@ -78,7 +78,7 @@ The system modifies the following files to source Safe Chain startup scripts:
 This means the shell functions are working but the Aikido commands aren't installed or available in your PATH:
 
 - Make sure Aikido Safe Chain is properly installed on your system
-- Verify the `aikido-npm`, `aikido-npx`, `aikido-yarn`, `aikido-pnpm`, `aikido-pnpx`, `aikido-bun`, `aikido-bunx`, `aikido-pip`, `aikido-pip3`, `aikido-uv`, `aikido-uvx`, `aikido-poetry` and `aikido-pipx` commands exist
+- Verify the `aikido-npm`, `aikido-npx`, `aikido-yarn`, `aikido-pnpm`, `aikido-pnpx`, `aikido-rush`, `aikido-rushx`, `aikido-bun`, `aikido-bunx`, `aikido-pip`, `aikido-pip3`, `aikido-uv`, `aikido-uvx`, `aikido-poetry` and `aikido-pipx` commands exist
 - Check that these commands are in your system's PATH
 
 ### Manual Verification
@@ -121,7 +121,7 @@ npm() {
 }
 ```
 
-Repeat this pattern for `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry` and `pipx` using their respective `aikido-*` commands. After adding these functions, restart your terminal to apply the changes.
+Repeat this pattern for `npx`, `yarn`, `pnpm`, `pnpx`, `rush`, `rushx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `uvx`, `poetry` and `pipx` using their respective `aikido-*` commands. After adding these functions, restart your terminal to apply the changes.
 
 To intercept Python module invocations for pip without altering Python itself, you can add small forwarding functions:
 

package/docs/troubleshooting.md

@@ -4,49 +4,38 @@ This guide helps you diagnose and resolve common issues with Aikido Safe Chain.
 
 ## Verification & Diagnostics
 
-### Check Installation
+**Check Installation**
 
 ```bash
 # Check version
 safe-chain --version
 ```
 
-### Verify Shell Integration
+**Verify Shell Integration**
 
 Run the verification command for your package manager:
 
 ```bash
 npm safe-chain-verify
 pnpm safe-chain-verify
-pip safe-chain-verify
-uv safe-chain-verify
-
-# Any other supported package manager: {packagemanager} safe-chain-verify
 ```
 
+```
 Expected output: `OK: Safe-chain works!`
+```
 
-### Test Malware Blocking
+**Test Malware Blocking**
 
 Verify that malware detection is working:
-
-**For JavaScript/Node.js:**
-
-```bash
-npm install safe-chain-test
 ```
-
-**For Python:**
-
-```bash
-pip3 install safe-chain-pi-test
+npm install safe-chain-test
 ```
 
 These test packages are flagged as malware and should be blocked by Safe Chain.
 
-**If the test package installs successfully instead of being blocked**, see [Malware Not Being Blocked](#malware-not-being-blocked) below.
+**If the test package installs successfully instead of being blocked**, see Malware Not Being Blocked below.
 
-### Logging Options
+## Logging Options
 
 Use logging flags or environment variables to get more information:
 
@@ -74,41 +63,39 @@ Safe-chain blocks malicious packages by intercepting network requests to package
 
 When a package is already cached locally, the package manager skips downloading it from the registry, which bypasses the proxy.
 
-**Resolution Steps:**
-
-1. **Clear your package manager's cache:**
+**Resolution Steps**
 
-   ```bash
-   # For npm
-   npm cache clean --force
+1) Clear your package manager's cache
 
-   # For pnpm
-   pnpm store prune
+```bash
+# For npm
+npm cache clean --force
 
-   # For yarn (classic)
-   yarn cache clean
+# For pnpm
+pnpm store prune
 
-   # For yarn (berry/v2+)
-   yarn cache clean --all
+# For yarn (classic)
+yarn cache clean
 
-   # For bun
-   bun pm cache rm
-   ```
+# For yarn (berry/v2+)
+yarn cache clean --all
 
-   > **⚠️ Warning:** Cache clearing is safe but will remove all cached packages. Subsequent installations will need to re-download packages. In CI/CD environments or monorepos, this may affect build times.
+# For bun
+bun pm cache rm
+```
 
-2. **Clean local installation artifacts:**
+2) Clean local installation artifacts:
 
-   ```bash
-   # Remove node_modules if you want a completely fresh install
-   rm -rf node_modules
-   ```
+```bash
+# Remove node_modules if you want a completely fresh install
+rm -rf node_modules
+```
 
-3. **Re-test malware blocking:**
+3) Re-test malware blocking:
 
-   ```bash
-   npm install safe-chain-test    # Should be blocked
-   ```
+```bash
+npm install safe-chain-test    # Should be blocked
+```
 
 ### Shell Aliases Not Working After Installation
 
@@ -128,10 +115,10 @@ Should show: `npm is a function`
 
 Check that your startup file sources safe-chain scripts from `~/.safe-chain/scripts/`:
 
-- Bash: `~/.bashrc`
-- Zsh: `~/.zshrc`
-- Fish: `~/.config/fish/config.fish`
-- PowerShell: `$PROFILE`
+* Bash: `~/.bashrc`
+* Zsh: `~/.zshrc`
+* Fish: `~/.config/fish/config.fish`
+* PowerShell: `$PROFILE`
 
 ### "Command Not Found: safe-chain"
 
@@ -162,37 +149,39 @@ FullyQualifiedErrorId : UnauthorizedAccess
 
 **Cause:** Windows PowerShell's default execution policy (`Restricted`) blocks all script execution, including safe-chain's initialization script that's sourced from your PowerShell profile.
 
-**Resolution:**
+**Resolution**
 
-1. **Set the execution policy to allow local scripts:**
+1) Set the execution policy to allow local scripts
 
-   Open PowerShell as Administrator and run:
+Open PowerShell as Administrator and run:
 
-   ```powershell
-   Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
-   ```
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
+```
+
+This allows:
 
-   This allows:
-   - Local scripts (like safe-chain's) to run without signing
-   - Downloaded scripts to run only if signed by a trusted publisher
+* Local scripts (like safe-chain's) to run without signing
+* Downloaded scripts to run only if signed by a trusted publisher
 
-2. **Restart PowerShell** and verify the error is resolved.
+2) Restart PowerShell and verify the error is resolved.
 
-> **Note:** `RemoteSigned` is Microsoft's recommended execution policy for client computers. It provides a good balance between security and usability.
+> [!IMPORTANT]
+> `RemoteSigned` is Microsoft's recommended execution policy for client computers. It provides a good balance between security and usability.
 
 ### Shell Aliases Persist After Uninstallation
 
 **Symptom:** safe-chain commands still active after running uninstall script
 
-**Steps:**
+**Steps**
 
 1. Run `safe-chain teardown` (if binary still exists)
 2. Restart your terminal
 3. If still present, manually edit shell config files:
-   - Bash: `~/.bashrc`
-   - Zsh: `~/.zshrc`
-   - Fish: `~/.config/fish/config.fish`
-   - PowerShell: `$PROFILE`
+   * Bash: `~/.bashrc`
+   * Zsh: `~/.zshrc`
+   * Fish: `~/.config/fish/config.fish`
+   * PowerShell: `$PROFILE`
 4. Remove lines that source scripts from `~/.safe-chain/scripts/`
 5. Restart terminal again
 
@@ -217,10 +206,10 @@ type pip
 
 **Expected `which` output:**
 
-- Standalone binary (correct): `~/.safe-chain/bin/safe-chain` or `/Users/<username>/.safe-chain/bin/safe-chain`
-- npm global (outdated): path containing `node_modules` or nvm version paths
+* Standalone binary (correct): `~/.safe-chain/bin/safe-chain` or `/Users/<username>/.safe-chain/bin/safe-chain`
+* npm global (outdated): path containing `node_modules` or nvm version paths
 
-If `which` shows an npm installation, see [Check for Conflicting Installations](#check-for-conflicting-installations).
+If `which` shows an npm installation, see Check for Conflicting Installations.
 
 ### Check Shell Integration
 
@@ -259,23 +248,23 @@ for version in $(nvm list | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+'); do
 done
 ```
 
-## Manual Cleanup
+### Manual Cleanup
 
 > **Note:** The install and uninstall scripts automatically handle these cleanup steps. Use these manual commands only if automatic cleanup fails.
 
-### Remove npm Global Installation
+#### Remove npm Global Installation
 
 ```bash
 npm uninstall -g @aikidosec/safe-chain
 ```
 
-### Remove Volta Installation
+#### Remove Volta Installation
 
 ```bash
 volta uninstall @aikidosec/safe-chain
 ```
 
-### Remove nvm Installations (All Versions)
+#### Remove nvm Installations (All Versions)
 
 ```bash
 # Automated approach
@@ -288,34 +277,22 @@ nvm use <version>
 npm uninstall -g @aikidosec/safe-chain
 ```
 
-### Clean Shell Configuration Files
+#### Clean Shell Configuration Files
 
 Manually remove safe-chain entries from:
 
-- Bash: `~/.bashrc`
-- Zsh: `~/.zshrc`
-- Fish: `~/.config/fish/config.fish`
-- PowerShell: `$PROFILE`
+* Bash: `~/.bashrc`
+* Zsh: `~/.zshrc`
+* Fish: `~/.config/fish/config.fish`
+* PowerShell: `$PROFILE`
 
 Look for and remove:
 
-- Lines sourcing from `~/.safe-chain/scripts/`
-- Any safe-chain related function definitions
+* Lines sourcing from `~/.safe-chain/scripts/`
+* Any safe-chain related function definitions
 
-### Remove Installation Directory
+#### Remove Installation Directory
 
 ```bash
 rm -rf ~/.safe-chain
 ```
-
-### Report Issues
-
-If you encounter problems:
-
-1. Visit [GitHub Issues](https://github.com/AikidoSec/safe-chain/issues)
-2. Include:
-   - Operating system and version
-   - Shell type and version
-   - `safe-chain --version` output
-   - Output from verification commands
-   - Verbose logs of the failing command (add the `--safe-chain-logging=verbose` argument)

package/npm-shrinkwrap.json

@@ -3112,7 +3112,7 @@
     },
     "packages/safe-chain": {
       "name": "@aikidosec/safe-chain",
-      "version": "1.5.2",
+      "version": "1.5.3",
       "license": "AGPL-3.0-or-later",
       "dependencies": {
         "certifi": "14.5.15",
@@ -3137,6 +3137,8 @@
         "aikido-poetry": "bin/aikido-poetry.js",
         "aikido-python": "bin/aikido-python.js",
         "aikido-python3": "bin/aikido-python3.js",
+        "aikido-rush": "bin/aikido-rush.js",
+        "aikido-rushx": "bin/aikido-rushx.js",
         "aikido-uv": "bin/aikido-uv.js",
         "aikido-uvx": "bin/aikido-uvx.js",
         "aikido-yarn": "bin/aikido-yarn.js",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.5.2",
+  "version": "1.5.3",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",
@@ -13,6 +13,8 @@
     "aikido-yarn": "bin/aikido-yarn.js",
     "aikido-pnpm": "bin/aikido-pnpm.js",
     "aikido-pnpx": "bin/aikido-pnpx.js",
+    "aikido-rush": "bin/aikido-rush.js",
+    "aikido-rushx": "bin/aikido-rushx.js",
     "aikido-bun": "bin/aikido-bun.js",
     "aikido-bunx": "bin/aikido-bunx.js",
     "aikido-uv": "bin/aikido-uv.js",
@@ -37,7 +39,7 @@
   "keywords": [],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
-  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, uvx, or pip/pip3 from downloading or running the malware.",
+  "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [rush](https://rushjs.io/), [rushx](https://rushjs.io/pages/commands/rushx/), [bun](https://bun.sh/), [bunx](https://bun.sh/docs/cli/bunx), [uv](https://docs.astral.sh/uv/) (Python), and [pip](https://pip.pypa.io/) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, rush, rushx, bun, bunx, uv, uvx, or pip/pip3 from downloading or running the malware.",
   "dependencies": {
     "certifi": "14.5.15",
     "chalk": "5.4.1",

package/src/packagemanager/currentPackageManager.js

@@ -13,6 +13,8 @@ import { createPipPackageManager } from "./pip/createPackageManager.js";
 import { createUvPackageManager } from "./uv/createUvPackageManager.js";
 import { createPoetryPackageManager } from "./poetry/createPoetryPackageManager.js";
 import { createPipXPackageManager } from "./pipx/createPipXPackageManager.js";
+import { createRushPackageManager } from "./rush/createRushPackageManager.js";
+import { createRushxPackageManager } from "./rushx/createRushxPackageManager.js";
 import { createUvxPackageManager } from "./uvx/createUvxPackageManager.js";
 
 /**
@@ -67,6 +69,10 @@ export function initializePackageManager(packageManagerName, context) {
     state.packageManagerName = createPoetryPackageManager();
   } else if (packageManagerName === "pipx") {
     state.packageManagerName = createPipXPackageManager();
+  } else if (packageManagerName === "rush") {
+    state.packageManagerName = createRushPackageManager();
+  } else if (packageManagerName === "rushx") {
+    state.packageManagerName = createRushxPackageManager();
   } else {
     throw new Error("Unsupported package manager: " + packageManagerName);
   }

package/src/packagemanager/rush/createRushPackageManager.js

@@ -0,0 +1,64 @@
+import { runRushCommand } from "./runRushCommand.js";
+import { resolvePackageVersion } from "../../api/npmApi.js";
+import { parsePackagesFromRushAddArgs } from "./parsing/parsePackagesFromRushAddArgs.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createRushPackageManager() {
+  return {
+    runCommand: (args) => runRushCommand("rush", args),
+    // We pre-scan rush add commands and rely on MITM for install/update flows.
+    isSupportedCommand: (args) => getRushCommand(args) === "add",
+    getDependencyUpdatesForCommand: scanRushAddCommand,
+  };
+}
+
+/**
+ * @param {string[]} args
+ * @returns {Promise<import("../currentPackageManager.js").GetDependencyUpdatesResult[]>}
+ */
+async function scanRushAddCommand(args) {
+  if (getRushCommand(args) !== "add") {
+    return [];
+  }
+
+  const parsedSpecs = parsePackagesFromRushAddArgs(args.slice(1));
+
+  const resolvedVersions = await Promise.all(
+    parsedSpecs.map(async (parsed) => {
+      const exactVersion = await resolvePackageVersion(parsed.name, parsed.version);
+      return {
+        parsed,
+        exactVersion,
+      };
+    }),
+  );
+
+  const changes = [];
+  for (const resolved of resolvedVersions) {
+    if (!resolved.exactVersion) {
+      continue;
+    }
+
+    changes.push({
+      name: resolved.parsed.name,
+      version: resolved.exactVersion,
+      type: "add",
+    });
+  }
+
+  return changes;
+}
+
+/**
+ * @param {string[]} args
+ * @returns {string | undefined}
+ */
+function getRushCommand(args) {
+  if (!args || args.length === 0) {
+    return undefined;
+  }
+
+  return args[0]?.toLowerCase();
+}

package/src/packagemanager/rush/parsing/parsePackagesFromRushAddArgs.js

@@ -0,0 +1,71 @@
+/**
+ * @param {string[]} args
+ * @returns {{name: string, version: string | null}[]}
+ */
+export function parsePackagesFromRushAddArgs(args) {
+  const packageSpecs = [];
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (!arg) {
+      continue;
+    }
+
+    if (arg === "--package" || arg === "-p") {
+      const next = args[i + 1];
+      if (next && !next.startsWith("-")) {
+        packageSpecs.push(next);
+        i += 1;
+      }
+      continue;
+    }
+
+    if (arg.startsWith("--package=")) {
+      const value = arg.slice("--package=".length);
+      if (value) {
+        packageSpecs.push(value);
+      }
+    }
+  }
+
+  return packageSpecs
+    .map((spec) => parsePackageSpec(spec))
+    .filter((spec) => spec !== null);
+}
+
+/**
+ * @param {string} spec
+ * @returns {{name: string, version: string | null} | null}
+ */
+function parsePackageSpec(spec) {
+  const value = removeAlias(spec.trim());
+  if (!value) {
+    return null;
+  }
+
+  const lastAtIndex = value.lastIndexOf("@");
+  if (lastAtIndex > 0) {
+    return {
+      name: value.slice(0, lastAtIndex),
+      version: value.slice(lastAtIndex + 1),
+    };
+  }
+
+  return {
+    name: value,
+    version: null,
+  };
+}
+
+/**
+ * @param {string} spec
+ * @returns {string}
+ */
+function removeAlias(spec) {
+  const aliasIndex = spec.indexOf("@npm:");
+  if (aliasIndex !== -1) {
+    return spec.slice(aliasIndex + 5);
+  }
+
+  return spec;
+}

package/src/packagemanager/rush/runRushCommand.js

@@ -0,0 +1,21 @@
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
+
+/**
+ * @param {"rush" | "rushx"} executableName
+ * @param {string[]} args
+ * @returns {Promise<{status: number}>}
+ */
+export async function runRushCommand(executableName, args) {
+  try {
+    const result = await safeSpawn(executableName, args, {
+      stdio: "inherit",
+      env: mergeSafeChainProxyEnvironmentVariables(process.env),
+    });
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    return reportCommandExecutionFailure(error, executableName);
+  }
+}

package/src/packagemanager/rushx/createRushxPackageManager.js

@@ -0,0 +1,18 @@
+import { runRushCommand } from "../rush/runRushCommand.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createRushxPackageManager() {
+  return {
+    /**
+     * @param {string[]} args
+     */
+    runCommand: (args) => {
+      return runRushCommand("rushx", args);
+    },
+    // For rushx, rely solely on MITM.
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}

package/src/shell-integration/helpers.js

@@ -48,6 +48,18 @@ export const knownAikidoTools = [
     ecoSystem: ECOSYSTEM_JS,
     internalPackageManagerName: "pnpx",
   },
+  {
+    tool: "rush",
+    aikidoCommand: "aikido-rush",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "rush",
+  },
+  {
+    tool: "rushx",
+    aikidoCommand: "aikido-rushx",
+    ecoSystem: ECOSYSTEM_JS,
+    internalPackageManagerName: "rushx",
+  },
   {
     tool: "bun",
     aikidoCommand: "aikido-bun",

package/src/shell-integration/startup-scripts/init-fish.fish

@@ -19,6 +19,14 @@ function pnpx
     wrapSafeChainCommand "pnpx" $argv
 end
 
+function rush
+    wrapSafeChainCommand "rush" $argv
+end
+
+function rushx
+    wrapSafeChainCommand "rushx" $argv
+end
+
 function bun
     wrapSafeChainCommand "bun" $argv
 end

package/src/shell-integration/startup-scripts/init-posix.sh

@@ -28,6 +28,14 @@ function pnpx() {
   wrapSafeChainCommand "pnpx" "$@"
 }
 
+function rush() {
+  wrapSafeChainCommand "rush" "$@"
+}
+
+function rushx() {
+  wrapSafeChainCommand "rushx" "$@"
+}
+
 function bun() {
   wrapSafeChainCommand "bun" "$@"
 }

package/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -22,6 +22,14 @@ function pnpx {
     Invoke-WrappedCommand "pnpx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
 }
 
+function rush {
+    Invoke-WrappedCommand "rush" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
+function rushx {
+    Invoke-WrappedCommand "rushx" $args $MyInvocation.Line $MyInvocation.OffsetInLine
+}
+
 function bun {
     Invoke-WrappedCommand "bun" $args $MyInvocation.Line $MyInvocation.OffsetInLine
 }