@defai.digital/ax-cli 3.5.4 → 3.6.1

package/dist/utils/path-security.js

@@ -0,0 +1,328 @@
+/**
+ * Path Security Utilities
+ *
+ * Provides comprehensive path validation to prevent path traversal,
+ * symlink attacks, and access to dangerous system directories (REQ-SEC-002).
+ *
+ * @module path-security
+ */
+import path from 'path';
+import fs from 'fs-extra';
+import os from 'os';
+/**
+ * Get OS-specific dangerous paths that should never be accessed.
+ *
+ * @returns Array of dangerous path prefixes
+ */
+export function getDangerousPathsForOS() {
+    const platform = process.platform;
+    // Common dangerous paths (Unix-like)
+    const commonPaths = [
+        '/etc',
+        '/sys',
+        '/proc',
+        '/dev',
+        '/root',
+        '/boot',
+        '/var',
+        '/lib',
+        '/lib64',
+        '/usr/lib',
+        '/usr/local/lib',
+        '/bin',
+        '/sbin',
+        '/usr/bin',
+        '/usr/sbin',
+    ];
+    if (platform === 'darwin') {
+        // macOS-specific
+        return [
+            ...commonPaths,
+            '/System',
+            '/Library',
+            '/private/etc',
+            '/private/var',
+            '/Volumes',
+            '/Applications',
+        ];
+    }
+    else if (platform === 'win32') {
+        // Windows-specific
+        return [
+            'C:\\Windows',
+            'C:\\Program Files',
+            'C:\\Program Files (x86)',
+            'C:\\ProgramData',
+            'C:\\System Volume Information',
+            'C:\\$Recycle.Bin',
+        ];
+    }
+    // Linux/Unix
+    return [
+        ...commonPaths,
+        '/snap',
+        '/mnt',
+        '/media',
+        '/run',
+    ];
+}
+/**
+ * Get dangerous file patterns that should be blocked.
+ *
+ * @returns Array of dangerous file patterns (strings or regexes)
+ */
+export function getDangerousFilePatterns() {
+    return [
+        // SSH keys
+        /\.ssh\/id_rsa$/,
+        /\.ssh\/id_ed25519$/,
+        /\.ssh\/id_ecdsa$/,
+        /\.ssh\/authorized_keys$/,
+        /\.ssh\/known_hosts$/,
+        // AWS credentials
+        /\.aws\/credentials$/,
+        /\.aws\/config$/,
+        // Other credentials
+        '.npmrc',
+        '.gitconfig',
+        '.docker/config.json',
+        // Shell history
+        /\.bash_history$/,
+        /\.zsh_history$/,
+        /\.sh_history$/,
+        // Environment files
+        /\.env$/,
+        /\.env\.local$/,
+        /\.env\.production$/,
+        // System files (Unix)
+        '/etc/passwd',
+        '/etc/shadow',
+        '/etc/sudoers',
+        '/etc/hosts',
+        '/etc/ssh/sshd_config',
+    ];
+}
+/**
+ * Check if a path matches a dangerous file pattern.
+ *
+ * @param filePath - Path to check
+ * @returns True if file matches dangerous pattern
+ */
+export function isDangerousFile(filePath) {
+    const normalized = filePath.replace(/\\/g, '/');
+    const patterns = getDangerousFilePatterns();
+    return patterns.some(pattern => {
+        if (typeof pattern === 'string') {
+            return normalized.includes(pattern) || normalized.endsWith(pattern);
+        }
+        else {
+            return pattern.test(normalized);
+        }
+    });
+}
+/**
+ * Canonicalize a path by resolving symlinks and normalizing.
+ *
+ * @param filePath - Path to canonicalize
+ * @returns Canonicalized path or original if canonicalization fails
+ */
+export async function canonicalizePath(filePath) {
+    try {
+        // Use fs.realpath to resolve symlinks
+        const canonical = await fs.realpath(filePath);
+        return canonical;
+    }
+    catch (error) {
+        // If realpath fails (e.g., file doesn't exist), just resolve
+        return path.resolve(filePath);
+    }
+}
+/**
+ * Check if a path contains symlinks in any component.
+ *
+ * @param filePath - Path to check
+ * @returns True if any component is a symlink
+ */
+export async function containsSymlinks(filePath) {
+    const resolved = path.resolve(filePath);
+    const components = resolved.split(path.sep).filter(c => c);
+    let currentPath = path.isAbsolute(filePath) ? path.sep : '.';
+    for (const component of components) {
+        currentPath = path.join(currentPath, component);
+        try {
+            const stats = await fs.lstat(currentPath);
+            if (stats.isSymbolicLink()) {
+                return true;
+            }
+        }
+        catch (error) {
+            // If stat fails, path doesn't exist yet - not a symlink
+            continue;
+        }
+    }
+    return false;
+}
+/**
+ * Validate a file path for security.
+ *
+ * Performs comprehensive checks:
+ * 1. Canonicalization (resolve symlinks)
+ * 2. Allowed root validation
+ * 3. Dangerous path blocking
+ * 4. Symlink detection
+ * 5. Dangerous file detection
+ *
+ * @param filePath - Path to validate
+ * @param options - Validation options
+ * @returns Validation result with success status and validated path
+ */
+export async function validatePathSecure(filePath, options = {}) {
+    try {
+        // 1. Canonicalize path (resolves symlinks)
+        const canonical = await canonicalizePath(filePath);
+        // 2. Resolve to absolute path
+        const resolved = path.resolve(canonical);
+        // 3. Check if within allowed directory roots
+        const allowedRoots = options.allowedRoots || [
+            process.cwd(),
+            path.join(os.homedir(), '.ax-cli'),
+        ];
+        const isAllowed = allowedRoots.some(root => {
+            const normalizedRoot = path.resolve(root);
+            return (resolved === normalizedRoot ||
+                resolved.startsWith(normalizedRoot + path.sep));
+        });
+        if (!isAllowed) {
+            return {
+                success: false,
+                error: `Path "${filePath}" is outside allowed directories. Allowed roots: ${allowedRoots.join(', ')}`,
+            };
+        }
+        // 4. Check for dangerous paths (OS-specific)
+        const dangerousPaths = getDangerousPathsForOS();
+        for (const dangerous of dangerousPaths) {
+            const normalizedDangerous = path.resolve(dangerous);
+            if (resolved.startsWith(normalizedDangerous + path.sep) ||
+                resolved === normalizedDangerous) {
+                return {
+                    success: false,
+                    error: `Access to system directory "${dangerous}" denied`,
+                };
+            }
+        }
+        // 5. Check for dangerous files
+        if (isDangerousFile(resolved)) {
+            return {
+                success: false,
+                error: `Access to sensitive file denied: "${filePath}"`,
+            };
+        }
+        // 6. Check for symlinks (if not allowed)
+        if (!options.allowSymlinks) {
+            const hasSymlinks = await containsSymlinks(filePath);
+            if (hasSymlinks) {
+                return {
+                    success: false,
+                    error: `Path contains symlinks: "${filePath}". Symlinks are not allowed for security.`,
+                };
+            }
+        }
+        // 7. Optionally check if path exists
+        if (options.checkExists) {
+            const exists = await fs.pathExists(resolved);
+            if (!exists) {
+                return {
+                    success: false,
+                    error: `Path does not exist: "${filePath}"`,
+                };
+            }
+        }
+        // All checks passed
+        return {
+            success: true,
+            path: resolved,
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Path validation error: ${error.message}`,
+        };
+    }
+}
+/**
+ * Synchronous version of validatePathSecure.
+ * Less secure (doesn't resolve symlinks), use async version when possible.
+ *
+ * @param filePath - Path to validate
+ * @param options - Validation options
+ * @returns Validation result
+ */
+export function validatePathSecureSync(filePath, options = {}) {
+    try {
+        // Resolve to absolute path (no symlink resolution in sync version)
+        const resolved = path.resolve(filePath);
+        // Check allowed roots
+        const allowedRoots = options.allowedRoots || [
+            process.cwd(),
+            path.join(os.homedir(), '.ax-cli'),
+        ];
+        const isAllowed = allowedRoots.some(root => {
+            const normalizedRoot = path.resolve(root);
+            return (resolved === normalizedRoot ||
+                resolved.startsWith(normalizedRoot + path.sep));
+        });
+        if (!isAllowed) {
+            return {
+                success: false,
+                error: `Path outside allowed directories`,
+            };
+        }
+        // Check dangerous paths
+        const dangerousPaths = getDangerousPathsForOS();
+        for (const dangerous of dangerousPaths) {
+            const normalizedDangerous = path.resolve(dangerous);
+            if (resolved.startsWith(normalizedDangerous + path.sep) ||
+                resolved === normalizedDangerous) {
+                return {
+                    success: false,
+                    error: `Access to system directory denied`,
+                };
+            }
+        }
+        // Check dangerous files
+        if (isDangerousFile(resolved)) {
+            return {
+                success: false,
+                error: `Access to sensitive file denied`,
+            };
+        }
+        return {
+            success: true,
+            path: resolved,
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: error.message,
+        };
+    }
+}
+/**
+ * Create a safe path joiner that validates the result.
+ *
+ * @param basePath - Base directory path
+ * @param relativePath - Relative path to join
+ * @param options - Validation options
+ * @returns Validated joined path or null if invalid
+ */
+export async function safePathJoin(basePath, relativePath, options = {}) {
+    const joined = path.join(basePath, relativePath);
+    const validation = await validatePathSecure(joined, options);
+    if (!validation.success) {
+        return null;
+    }
+    return validation.path;
+}
+//# sourceMappingURL=path-security.js.map

package/dist/utils/path-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-security.js","sourceRoot":"","sources":["../../src/utils/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,UAAU,CAAC;AAC1B,OAAO,EAAE,MAAM,IAAI,CAAC;AAoBpB;;;;GAIG;AACH,MAAM,UAAU,sBAAsB;IACpC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,qCAAqC;IACrC,MAAM,WAAW,GAAG;QAClB,MAAM;QACN,MAAM;QACN,OAAO;QACP,MAAM;QACN,OAAO;QACP,OAAO;QACP,MAAM;QACN,MAAM;QACN,QAAQ;QACR,UAAU;QACV,gBAAgB;QAChB,MAAM;QACN,OAAO;QACP,UAAU;QACV,WAAW;KACZ,CAAC;IAEF,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,iBAAiB;QACjB,OAAO;YACL,GAAG,WAAW;YACd,SAAS;YACT,UAAU;YACV,cAAc;YACd,cAAc;YACd,UAAU;YACV,eAAe;SAChB,CAAC;IACJ,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,mBAAmB;QACnB,OAAO;YACL,aAAa;YACb,mBAAmB;YACnB,yBAAyB;YACzB,iBAAiB;YACjB,+BAA+B;YAC/B,kBAAkB;SACnB,CAAC;IACJ,CAAC;IAED,aAAa;IACb,OAAO;QACL,GAAG,WAAW;QACd,OAAO;QACP,MAAM;QACN,QAAQ;QACR,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO;QACL,WAAW;QACX,gBAAgB;QAChB,oBAAoB;QACpB,kBAAkB;QAClB,yBAAyB;QACzB,qBAAqB;QAErB,kBAAkB;QAClB,qBAAqB;QACrB,gBAAgB;QAEhB,oBAAoB;QACpB,QAAQ;QACR,YAAY;QACZ,qBAAqB;QAErB,gBAAgB;QAChB,iBAAiB;QACjB,gBAAgB;QAChB,eAAe;QAEf,oBAAoB;QACpB,QAAQ;QACR,eAAe;QACf,oBAAoB;QAEpB,sBAAsB;QACtB,aAAa;QACb,aAAa;QACb,cAAc;QACd,YAAY;QACZ,sBAAsB;KACvB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,wBAAwB,EAAE,CAAC;IAE5C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC7B,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACtE,CAAC;aAAM,CAAC;YACN,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAgB;IACrD,IAAI,CAAC;QACH,sCAAsC;QACtC,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC9C,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,6DAA6D;QAC7D,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAgB;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IAE7D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC1C,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wDAAwD;YACxD,SAAS;QACX,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,QAAgB,EAChB,UAAiC,EAAE;IAEnC,IAAI,CAAC;QACH,2CAA2C;QAC3C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAEnD,8BAA8B;QAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEzC,6CAA6C;QAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI;YAC3C,OAAO,CAAC,GAAG,EAAE;YACb,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC;SACnC,CAAC;QAEF,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC1C,OAAO,CACL,QAAQ,KAAK,cAAc;gBAC3B,QAAQ,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAC/C,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,SAAS,QAAQ,oDAAoD,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACtG,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;YACvC,MAAM,mBAAmB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACpD,IACE,QAAQ,CAAC,UAAU,CAAC,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC;gBACnD,QAAQ,KAAK,mBAAmB,EAChC,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,+BAA+B,SAAS,UAAU;iBAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,qCAAqC,QAAQ,GAAG;aACxD,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YAC3B,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YACrD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,4BAA4B,QAAQ,2CAA2C;iBACvF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,yBAAyB,QAAQ,GAAG;iBAC5C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,0BAA0B,KAAK,CAAC,OAAO,EAAE;SACjD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,UAAiC,EAAE;IAEnC,IAAI,CAAC;QACH,mEAAmE;QACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExC,sBAAsB;QACtB,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI;YAC3C,OAAO,CAAC,GAAG,EAAE;YACb,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC;SACnC,CAAC;QAEF,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC1C,OAAO,CACL,QAAQ,KAAK,cAAc;gBAC3B,QAAQ,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAC/C,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,kCAAkC;aAC1C,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;YACvC,MAAM,mBAAmB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACpD,IACE,QAAQ,CAAC,UAAU,CAAC,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC;gBACnD,QAAQ,KAAK,mBAAmB,EAChC,CAAC;gBACD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,mCAAmC;iBAC3C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,iCAAiC;aACzC,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,YAAoB,EACpB,UAAiC,EAAE;IAEnC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE7D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,UAAU,CAAC,IAAK,CAAC;AAC1B,CAAC"}

package/dist/utils/process-pool.d.ts

@@ -0,0 +1,105 @@
+/**
+ * Process Pool Manager
+ *
+ * Manages a pool of reusable child processes to prevent memory leaks
+ * and resource exhaustion (REQ-ARCH-002).
+ *
+ * Key features:
+ * - Limits concurrent processes to prevent resource exhaustion
+ * - Queues requests when pool is full
+ * - Automatic cleanup of idle processes
+ * - Graceful shutdown with proper cleanup
+ * - Memory leak prevention through proper event listener management
+ *
+ * @module process-pool
+ */
+import { EventEmitter } from 'events';
+/**
+ * Options for process execution
+ */
+export interface ProcessExecutionOptions {
+    command: string;
+    args: string[];
+    timeout?: number;
+    cwd?: string;
+}
+/**
+ * Result of process execution
+ */
+export interface ProcessExecutionResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number | null;
+    signal: string | null;
+}
+/**
+ * Process pool configuration
+ */
+export interface ProcessPoolConfig {
+    maxProcesses?: number;
+    processTimeout?: number;
+    idleTimeout?: number;
+    maxQueueSize?: number;
+}
+/**
+ * Process pool manager for efficient process reuse
+ */
+export declare class ProcessPool extends EventEmitter {
+    private readonly maxProcesses;
+    private readonly processTimeout;
+    private readonly maxQueueSize;
+    private activeProcesses;
+    private taskQueue;
+    private shuttingDown;
+    private idleTimers;
+    constructor(config?: ProcessPoolConfig);
+    /**
+     * Execute a command using the process pool
+     */
+    execute(options: ProcessExecutionOptions): Promise<ProcessExecutionResult>;
+    /**
+     * Process the task queue
+     */
+    private processQueue;
+    /**
+     * Execute a single task
+     */
+    private executeTask;
+    /**
+     * Spawn a process and manage its lifecycle
+     */
+    private spawnProcess;
+    /**
+     * Cleanup process and associated resources
+     */
+    private cleanupProcess;
+    /**
+     * Get pool statistics
+     */
+    getStats(): {
+        activeProcesses: number;
+        queuedTasks: number;
+        maxProcesses: number;
+        maxQueueSize: number;
+    };
+    /**
+     * Shutdown the pool gracefully
+     */
+    shutdown(force?: boolean): Promise<void>;
+    /**
+     * Check if pool is idle (no active processes or queued tasks)
+     */
+    isIdle(): boolean;
+    /**
+     * Check if pool is at capacity
+     */
+    isAtCapacity(): boolean;
+}
+/**
+ * Get or create the ripgrep process pool
+ */
+export declare function getRipgrepPool(): ProcessPool;
+/**
+ * Shutdown the ripgrep pool (for testing)
+ */
+export declare function shutdownRipgrepPool(): Promise<void>;