@bike4mind/cli 0.2.64-chore-7507-migrate-tsdown.21818 → 0.2.64-feat-devops-test.21820

package/bin/bike4mind-cli.mjs

@@ -149,7 +149,7 @@ if (argv['ollama-host']) {
 }
 
 // Auto-detect environment: prefer production mode when dist exists
-const distPath = join(__dirname, '../dist/index.mjs');
+const distPath = join(__dirname, '../dist/index.js');
 const srcPath = join(__dirname, '../src/index.tsx');
 const hasSource = existsSync(srcPath);
 const hasDist = existsSync(distPath);
@@ -176,7 +176,7 @@ if (argv.prompt !== undefined) {
       const module = await import('../src/commands/headlessCommand.ts');
       handleHeadlessCommand = module.handleHeadlessCommand;
     } else {
-      const module = await import('../dist/commands/headlessCommand.mjs');
+      const module = await import('../dist/commands/headlessCommand.js');
       handleHeadlessCommand = module.handleHeadlessCommand;
     }
 
@@ -211,7 +211,7 @@ if (argv._[0] === 'mcp') {
       handleMcpCommand = module.handleMcpCommand;
     } else {
       // Production: import compiled JavaScript
-      const module = await import('../dist/commands/mcpCommand.mjs');
+      const module = await import('../dist/commands/mcpCommand.js');
       handleMcpCommand = module.handleMcpCommand;
     }
 
@@ -234,7 +234,7 @@ if (argv._[0] === 'update') {
       const module = await import('../src/commands/updateCommand.ts');
       handleUpdateCommand = module.handleUpdateCommand;
     } else {
-      const module = await import('../dist/commands/updateCommand.mjs');
+      const module = await import('../dist/commands/updateCommand.js');
       handleUpdateCommand = module.handleUpdateCommand;
     }
 
@@ -257,7 +257,7 @@ if (argv._[0] === 'doctor') {
       const module = await import('../src/commands/doctorCommand.ts');
       handleDoctorCommand = module.handleDoctorCommand;
     } else {
-      const module = await import('../dist/commands/doctorCommand.mjs');
+      const module = await import('../dist/commands/doctorCommand.js');
       handleDoctorCommand = module.handleDoctorCommand;
     }
 
@@ -287,7 +287,7 @@ if (isDev) {
 } else {
   // Production: run compiled JavaScript
   try {
-    await import(join(__dirname, '../dist/index.mjs'));
+    await import(join(__dirname, '../dist/index.js'));
   } catch (error) {
     console.error('Failed to start CLI:', error);
     console.error('\nTry running: pnpm build');

package/dist/BubblewrapRuntime-PMIOLWKR.js

@@ -0,0 +1,71 @@
+#!/usr/bin/env node
+import {
+  expandPath,
+  isBinaryAvailable
+} from "./chunk-QWB6ZYY4.js";
+
+// src/sandbox/runtime/BubblewrapRuntime.ts
+import os from "os";
+var SYSTEM_RO_BINDS = ["/usr", "/bin", "/lib", "/lib64", "/sbin", "/etc"];
+var SPECIAL_MOUNTS = {
+  dev: "/dev",
+  proc: "/proc",
+  tmp: "/tmp"
+};
+var BubblewrapRuntime = class {
+  constructor() {
+    this.platform = "linux";
+    this.name = "bubblewrap";
+  }
+  isAvailable() {
+    return isBinaryAvailable("bwrap");
+  }
+  wrapCommand(options) {
+    const { command, cwd, filesystemConfig, env } = options;
+    const expandedDenied = filesystemConfig.deniedPaths.map(expandPath);
+    const expandedAllowed = filesystemConfig.allowedReadPaths.map(expandPath);
+    const args = [];
+    for (const sysPath of SYSTEM_RO_BINDS) {
+      args.push("--ro-bind-try", sysPath, sysPath);
+    }
+    args.push("--dev", SPECIAL_MOUNTS.dev);
+    args.push("--proc", SPECIAL_MOUNTS.proc);
+    args.push("--tmpfs", SPECIAL_MOUNTS.tmp);
+    args.push("--bind", cwd, cwd);
+    const homeDir = os.homedir();
+    args.push("--ro-bind", homeDir, homeDir);
+    for (const allowedPath of expandedAllowed) {
+      if (!allowedPath.startsWith(homeDir)) {
+        args.push("--ro-bind-try", allowedPath, allowedPath);
+      }
+    }
+    for (const deniedPath of expandedDenied) {
+      args.push("--tmpfs", deniedPath);
+    }
+    args.push("--unshare-all");
+    args.push("--share-net");
+    args.push("--die-with-parent");
+    if (options.seccompProfile) {
+      args.push("--seccomp", options.seccompProfile);
+    }
+    for (const [key, value] of Object.entries(env ?? {})) {
+      args.push("--setenv", key, value);
+    }
+    args.push("--chdir", cwd);
+    args.push("bash", "-c", command);
+    const commandString = ["bwrap", ...args.map(shellEscape)].join(" ");
+    return {
+      executable: "bwrap",
+      args,
+      env: env ?? {},
+      commandString
+    };
+  }
+};
+function shellEscape(str) {
+  if (/^[a-zA-Z0-9._/=:-]+$/.test(str)) return str;
+  return `'${str.replace(/'/g, "'\\''")}'`;
+}
+export {
+  BubblewrapRuntime
+};

package/dist/HydrationEngine-YL2HWJ3V.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+import {
+  HydrationEngine,
+  createHydrationEngine
+} from "./chunk-GQGOWACU.js";
+export {
+  HydrationEngine,
+  createHydrationEngine
+};

package/dist/ImageStore-MMUOUPI2.js

@@ -0,0 +1,224 @@
+#!/usr/bin/env node
+
+// src/storage/ImageStore.ts
+import { createHash } from "crypto";
+import { mkdirSync, writeFileSync, readFileSync, existsSync, unlinkSync } from "fs";
+import { join, extname, resolve } from "path";
+import { homedir } from "os";
+import Database from "better-sqlite3";
+import sharp from "sharp";
+var ImageStore = class _ImageStore {
+  static {
+    this.BASE_DIR = join(homedir(), ".bike4mind", "cli");
+  }
+  static {
+    this.IMAGES_DIR = join(_ImageStore.BASE_DIR, "images");
+  }
+  static {
+    this.DB_PATH = join(_ImageStore.BASE_DIR, "images.db");
+  }
+  static {
+    this.RETENTION_DAYS = 7;
+  }
+  static {
+    // Target max size before base64 encoding. Base64 adds ~33% overhead.
+    // To stay under 1MB after base64, we need images < 750KB
+    this.MAX_RAW_SIZE = 750 * 1024;
+  }
+  static {
+    // 750KB
+    // Maximum size before compression to prevent OOM with very large images
+    this.MAX_PRECOMPRESS_SIZE = 50 * 1024 * 1024;
+  }
+  constructor() {
+    this.ensureDirectories();
+    this.db = new Database(_ImageStore.DB_PATH);
+    this.initDatabase();
+    try {
+      this.cleanupOldImages();
+    } catch (err) {
+      console.warn("Failed to cleanup old images:", err);
+    }
+  }
+  ensureDirectories() {
+    mkdirSync(_ImageStore.BASE_DIR, { recursive: true });
+    mkdirSync(_ImageStore.IMAGES_DIR, { recursive: true });
+  }
+  initDatabase() {
+    this.db.exec(`
+			CREATE TABLE IF NOT EXISTS images (
+				hash TEXT PRIMARY KEY,
+				format TEXT NOT NULL,
+				size INTEGER NOT NULL,
+				timestamp INTEGER NOT NULL,
+				uploaded INTEGER NOT NULL DEFAULT 0,
+				s3_url TEXT,
+				original_filename TEXT
+			)
+		`);
+  }
+  /**
+   * Store an image locally with content-based hashing for deduplication
+   */
+  async store(imageData, originalFilename) {
+    const { buffer: processedData, format: processedFormat } = await this.processImage(imageData, originalFilename);
+    const hash = this.generateHash(processedData);
+    const format = processedFormat;
+    const ext = format.toLowerCase();
+    const localPath = join(_ImageStore.IMAGES_DIR, `${hash}.${ext}`);
+    const existing = this.getMetadata(hash);
+    if (existing) {
+      return {
+        hash,
+        placeholder: "",
+        // Will be set by caller
+        localPath,
+        metadata: existing
+      };
+    }
+    writeFileSync(localPath, processedData);
+    const metadata = {
+      hash,
+      format,
+      size: processedData.length,
+      timestamp: Date.now(),
+      uploaded: false,
+      originalFilename
+    };
+    this.db.prepare(
+      `INSERT INTO images (hash, format, size, timestamp, uploaded, original_filename)
+				 VALUES (?, ?, ?, ?, ?, ?)`
+    ).run(hash, format, metadata.size, metadata.timestamp, 0, originalFilename || null);
+    return {
+      hash,
+      placeholder: "",
+      localPath,
+      metadata
+    };
+  }
+  /**
+   * Get image metadata by hash
+   */
+  getMetadata(hash) {
+    const row = this.db.prepare("SELECT * FROM images WHERE hash = ?").get(hash);
+    if (!row) return null;
+    return {
+      hash: row.hash,
+      format: row.format,
+      size: row.size,
+      timestamp: row.timestamp,
+      uploaded: Boolean(row.uploaded),
+      s3Url: row.s3_url,
+      originalFilename: row.original_filename
+    };
+  }
+  /**
+   * Read image data from local cache
+   */
+  readImage(hash) {
+    const metadata = this.getMetadata(hash);
+    if (!metadata) return null;
+    const localPath = join(_ImageStore.IMAGES_DIR, `${hash}.${metadata.format.toLowerCase()}`);
+    const normalizedPath = resolve(localPath);
+    if (!normalizedPath.startsWith(resolve(_ImageStore.IMAGES_DIR))) {
+      throw new Error("Invalid image path");
+    }
+    if (!existsSync(localPath)) return null;
+    return readFileSync(localPath);
+  }
+  /**
+   * Generate content hash for deduplication
+   */
+  generateHash(data) {
+    return createHash("sha256").update(data).digest("hex").substring(0, 16);
+  }
+  /**
+   * Process image: compress if needed to stay under size limit
+   */
+  async processImage(data, originalFilename) {
+    if (data.length > _ImageStore.MAX_PRECOMPRESS_SIZE) {
+      throw new Error(
+        `Image too large to process (${Math.round(data.length / 1024 / 1024)}MB). Maximum size is ${_ImageStore.MAX_PRECOMPRESS_SIZE / 1024 / 1024}MB.`
+      );
+    }
+    const originalFormat = this.detectFormat(data, originalFilename);
+    if (data.length <= _ImageStore.MAX_RAW_SIZE) {
+      return { buffer: data, format: originalFormat };
+    }
+    let image = sharp(data);
+    const metadata = await image.metadata();
+    if (!metadata.width || !metadata.height) {
+      throw new Error("Unable to read image dimensions");
+    }
+    const maxDimension = 2048;
+    let width = metadata.width;
+    let height = metadata.height;
+    if (width > maxDimension || height > maxDimension) {
+      if (width > height) {
+        height = Math.round(height * maxDimension / width);
+        width = maxDimension;
+      } else {
+        width = Math.round(width * maxDimension / height);
+        height = maxDimension;
+      }
+    }
+    image = image.resize(width, height);
+    let quality = 85;
+    let buffer = await image.jpeg({ quality }).toBuffer();
+    while (buffer.length > _ImageStore.MAX_RAW_SIZE && quality > 30) {
+      quality -= 10;
+      buffer = await image.jpeg({ quality }).toBuffer();
+    }
+    if (buffer.length > _ImageStore.MAX_RAW_SIZE) {
+      throw new Error(`Unable to compress image below ${_ImageStore.MAX_RAW_SIZE / 1024}KB limit`);
+    }
+    return { buffer, format: "jpg" };
+  }
+  /**
+   * Detect image format from buffer or filename
+   */
+  detectFormat(data, filename) {
+    if (data[0] === 137 && data[1] === 80 && data[2] === 78 && data[3] === 71) {
+      return "png";
+    }
+    if (data[0] === 255 && data[1] === 216 && data[2] === 255) {
+      return "jpg";
+    }
+    if (data[0] === 71 && data[1] === 73 && data[2] === 70) {
+      return "gif";
+    }
+    if (data[0] === 82 && data[1] === 73 && data[2] === 70 && data[3] === 70) {
+      return "webp";
+    }
+    if (filename) {
+      const ext = extname(filename).substring(1).toLowerCase();
+      if (["png", "jpg", "jpeg", "gif", "webp"].includes(ext)) {
+        return ext === "jpeg" ? "jpg" : ext;
+      }
+    }
+    return "png";
+  }
+  /**
+   * Clean up images older than retention period
+   */
+  cleanupOldImages() {
+    const cutoffTime = Date.now() - _ImageStore.RETENTION_DAYS * 24 * 60 * 60 * 1e3;
+    const oldImages = this.db.prepare("SELECT hash, format FROM images WHERE timestamp < ?").all(cutoffTime);
+    for (const { hash, format } of oldImages) {
+      const localPath = join(_ImageStore.IMAGES_DIR, `${hash}.${format.toLowerCase()}`);
+      if (existsSync(localPath)) {
+        unlinkSync(localPath);
+      }
+    }
+    this.db.prepare("DELETE FROM images WHERE timestamp < ?").run(cutoffTime);
+  }
+  /**
+   * Close database connection
+   */
+  close() {
+    this.db.close();
+  }
+};
+export {
+  ImageStore
+};

package/dist/ProxyManager-HEB4TLVX.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import {
+  ProxyManager
+} from "./chunk-G4ZGEQFT.js";
+export {
+  ProxyManager
+};

package/dist/SandboxOrchestrator-UIJ5GYBB.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+import {
+  SandboxOrchestrator
+} from "./chunk-KQAMBXAW.js";
+import "./chunk-4BIBE3J7.js";
+export {
+  SandboxOrchestrator
+};

package/dist/SandboxRuntimeAdapter-FQ56MAB2.js

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+import {
+  createSandboxRuntime,
+  detectPlatform,
+  expandPath,
+  isBinaryAvailable
+} from "./chunk-QWB6ZYY4.js";
+export {
+  createSandboxRuntime,
+  detectPlatform,
+  expandPath,
+  isBinaryAvailable
+};

package/dist/SeatbeltRuntime-EE3TTLEP.js

@@ -0,0 +1,98 @@
+#!/usr/bin/env node
+import {
+  expandPath,
+  isBinaryAvailable
+} from "./chunk-QWB6ZYY4.js";
+
+// src/sandbox/runtime/SeatbeltRuntime.ts
+import { writeFileSync, mkdtempSync } from "fs";
+import path from "path";
+import os from "os";
+function escapeSeatbeltPath(p) {
+  return p.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+var SeatbeltRuntime = class {
+  constructor() {
+    this.platform = "darwin";
+    this.name = "seatbelt";
+  }
+  isAvailable() {
+    return isBinaryAvailable("sandbox-exec");
+  }
+  /**
+   * Generate a Seatbelt profile string from the filesystem config.
+   *
+   * Strategy:
+   * - Start with (allow default) to permit most operations
+   * - Deny all file writes globally
+   * - Allow file writes only to the working directory
+   * - Deny all access to explicitly denied paths
+   * - Allow read access to explicitly allowed paths
+   */
+  generateProfile(options) {
+    const { cwd, filesystemConfig } = options;
+    const expandedDenied = filesystemConfig.deniedPaths.map(expandPath);
+    const expandedAllowed = filesystemConfig.allowedReadPaths.map(expandPath);
+    const lines = [
+      "(version 1)",
+      "",
+      "; Start with permissive defaults (process exec, network, sysctl, etc.)",
+      "(allow default)",
+      ""
+    ];
+    if (filesystemConfig.writeOnlyToWorkingDir) {
+      lines.push("; Deny all file writes globally");
+      lines.push("(deny file-write*)");
+      lines.push("");
+      lines.push("; Allow writes to working directory");
+      lines.push(`(allow file-write* (subpath "${escapeSeatbeltPath(cwd)}"))`);
+      lines.push("");
+      lines.push("; Allow writes to temp directories");
+      lines.push(`(allow file-write* (subpath "/tmp"))`);
+      lines.push(`(allow file-write* (subpath "/private/tmp"))`);
+      lines.push(`(allow file-write* (subpath "${escapeSeatbeltPath(os.tmpdir())}"))`);
+      lines.push("");
+    }
+    if (expandedDenied.length > 0) {
+      lines.push("; Deny access to sensitive paths");
+      for (const deniedPath of expandedDenied) {
+        lines.push(`(deny file-read* file-write* (subpath "${escapeSeatbeltPath(deniedPath)}"))`);
+      }
+      lines.push("");
+    }
+    if (expandedAllowed.length > 0) {
+      lines.push("; Explicitly allowed read paths");
+      for (const allowedPath of expandedAllowed) {
+        lines.push(`(allow file-read* (subpath "${escapeSeatbeltPath(allowedPath)}"))`);
+      }
+      lines.push("");
+    }
+    return lines.join("\n");
+  }
+  wrapCommand(options) {
+    try {
+      const profile = this.generateProfile(options);
+      const tmpDir = mkdtempSync(path.join(os.tmpdir(), "b4m-sandbox-"));
+      const profilePath = path.join(tmpDir, "sandbox.sb");
+      writeFileSync(profilePath, profile, "utf-8");
+      const args = ["-f", profilePath, "bash", "-c", options.command];
+      const envEntries = Object.entries(options.env ?? {});
+      const envPrefix = envEntries.length > 0 ? envEntries.map(([k, v]) => `${k}=${shellEscape(v)}`).join(" ") + " " : "";
+      return {
+        executable: "sandbox-exec",
+        args,
+        env: options.env ?? {},
+        commandString: `${envPrefix}sandbox-exec -f ${profilePath} bash -c ${shellEscape(options.command)}`,
+        cleanupPaths: [profilePath, tmpDir]
+      };
+    } catch (err) {
+      throw new Error(`Failed to create sandbox profile: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+};
+function shellEscape(str) {
+  return `'${str.replace(/'/g, "'\\''")}'`;
+}
+export {
+  SeatbeltRuntime
+};

package/dist/StderrViolationParser-7OYPM2DJ.js

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+
+// src/sandbox/logging/StderrViolationParser.ts
+function parseSeatbeltStderr(stderr) {
+  const violations = [];
+  const regex = /sandbox-exec:\s*deny\(\d+\)\s+(\S+)\s+(.+)/g;
+  let match;
+  while ((match = regex.exec(stderr)) !== null) {
+    const operation = match[1];
+    const targetPath = match[2].trim();
+    const type = classifySeatbeltOperation(operation);
+    violations.push({
+      type,
+      operation,
+      path: type === "filesystem" ? targetPath : void 0,
+      detail: match[0]
+    });
+  }
+  return violations;
+}
+function parseBwrapStderr(stderr) {
+  const violations = [];
+  const regex = /bwrap:\s+(.+)/g;
+  let match;
+  while ((match = regex.exec(stderr)) !== null) {
+    const message = match[1].trim();
+    const pathMatch = message.match(/(?:Can't open file |Can't bind mount )(\S+)/);
+    const extractedPath = pathMatch?.[1]?.replace(/:$/, "");
+    violations.push({
+      type: "filesystem",
+      path: extractedPath,
+      detail: match[0]
+    });
+  }
+  return violations;
+}
+function parseSandboxStderr(stderr) {
+  return [...parseSeatbeltStderr(stderr), ...parseBwrapStderr(stderr)];
+}
+function toSandboxViolations(parsed, command) {
+  return parsed.map((p) => ({
+    type: p.type,
+    path: p.path,
+    command,
+    blockedBy: "sandbox",
+    timestamp: /* @__PURE__ */ new Date(),
+    detail: p.detail
+  }));
+}
+function classifySeatbeltOperation(operation) {
+  if (operation.startsWith("network")) return "network";
+  return "filesystem";
+}
+export {
+  parseBwrapStderr,
+  parseSandboxStderr,
+  parseSeatbeltStderr,
+  toSandboxViolations
+};

package/dist/ViolationLogStore-RIIUVURH.js

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+
+// src/sandbox/logging/ViolationLogStore.ts
+import { promises as fs } from "fs";
+import path from "path";
+import { homedir } from "os";
+var MAX_VIOLATIONS = 5e3;
+var DEFAULT_PATH = path.join(homedir(), ".bike4mind", "violations.jsonl");
+var ViolationLogStore = class {
+  constructor(storePath) {
+    this.cache = null;
+    this.storePath = storePath ?? DEFAULT_PATH;
+  }
+  /** Ensure parent directory exists */
+  async init() {
+    const dir = path.dirname(this.storePath);
+    await fs.mkdir(dir, { recursive: true });
+  }
+  /** Load all entries from disk (newest first) */
+  async load() {
+    if (this.cache) {
+      return this.cache;
+    }
+    try {
+      const data = await fs.readFile(this.storePath, "utf-8");
+      const lines = data.trim().split("\n").filter((line) => line.length > 0);
+      const entries = lines.map((line) => {
+        try {
+          return JSON.parse(line);
+        } catch {
+          return null;
+        }
+      }).filter((entry) => entry !== null);
+      entries.sort((a, b) => b.timestamp - a.timestamp);
+      this.cache = entries;
+      return this.cache;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        this.cache = [];
+        return this.cache;
+      }
+      throw error;
+    }
+  }
+  /** Record a new violation (converts Date → epoch ms, appends JSONL) */
+  async record(violation) {
+    const entry = {
+      type: violation.type,
+      command: violation.command,
+      blockedBy: violation.blockedBy,
+      timestamp: violation.timestamp.getTime(),
+      ...violation.path && { path: violation.path },
+      ...violation.domain && { domain: violation.domain },
+      ...violation.detail && { detail: violation.detail }
+    };
+    await this.init();
+    const line = JSON.stringify(entry) + "\n";
+    await fs.appendFile(this.storePath, line, "utf-8");
+    this.cache = [entry, ...this.cache ?? []];
+    if (this.cache.length > MAX_VIOLATIONS) {
+      await this.trim();
+    }
+  }
+  /** Get recent violations (default 50) */
+  async getRecent(count = 50) {
+    const entries = await this.load();
+    return entries.slice(0, count);
+  }
+  /** Count violations by type */
+  async countByType() {
+    const entries = await this.load();
+    let filesystem = 0;
+    let network = 0;
+    for (const entry of entries) {
+      if (entry.type === "filesystem") filesystem++;
+      else if (entry.type === "network") network++;
+    }
+    return { filesystem, network };
+  }
+  /** Clear all violations */
+  async clear() {
+    try {
+      await fs.unlink(this.storePath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+    }
+    this.cache = [];
+  }
+  /** Trim to MAX_VIOLATIONS (rewrite file) */
+  async trim() {
+    if (!this.cache || this.cache.length <= MAX_VIOLATIONS) {
+      return;
+    }
+    const trimmed = this.cache.slice(0, MAX_VIOLATIONS);
+    const lines = [...trimmed].reverse().map((entry) => JSON.stringify(entry)).join("\n");
+    await fs.writeFile(this.storePath, lines + "\n", "utf-8");
+    this.cache = trimmed;
+  }
+};
+export {
+  ViolationLogStore
+};