@fiale-plus/pi-rogue-bundle 0.1.13 → 0.1.15

package/node_modules/@fiale-plus/pi-core/src/risk.test.ts

@@ -0,0 +1,129 @@
+import { describe, it, expect } from "vitest";
+import { scanShellCommand, type RiskScan } from "./risk.js";
+
+describe("scanShellCommand", () => {
+  it("returns safe for empty command", () => {
+    const result = scanShellCommand("");
+    expect(result.safe).toBe(true);
+    expect(result.severity).toBe("safe");
+  });
+
+  it("returns safe for a benign command", () => {
+    const result = scanShellCommand("echo hello world");
+    expect(result.safe).toBe(true);
+    expect(result.severity).toBe("safe");
+  });
+
+  it("detects rm as dangerous", () => {
+    const result = scanShellCommand("rm -rf /tmp/foo");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+    expect(result.findings.some((f) => f.id === "rm")).toBe(true);
+  });
+
+  it("detects rm only as a word boundary (not inside other words)", () => {
+    const result = scanShellCommand("program --remove-all");
+    expect(result.safe).toBe(true);
+  });
+
+  it("detects sudo as warning", () => {
+    const result = scanShellCommand("sudo apt update");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("warn");
+    expect(result.findings.some((f) => f.id === "sudo")).toBe(true);
+  });
+
+  it("detects chmod -R as dangerous", () => {
+    const result = scanShellCommand("chmod -R 777 /etc");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+    expect(result.findings.some((f) => f.id === "chmod-r")).toBe(true);
+  });
+
+  it("detects chown as dangerous", () => {
+    const result = scanShellCommand("chown root:root /var");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+  });
+
+  it("detects git push --force as dangerous", () => {
+    const result = scanShellCommand("git push --force origin main");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+    expect(result.findings.some((f) => f.id === "force-push")).toBe(true);
+  });
+
+  it("detects git push --force-with-lease as dangerous", () => {
+    const result = scanShellCommand("git push --force-with-lease origin main");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+    expect(result.findings.some((f) => f.id === "force-push")).toBe(true);
+  });
+
+  it("detects curl | sh as dangerous", () => {
+    const result = scanShellCommand("curl https://example.com/install.sh | sh");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+    expect(result.findings.some((f) => f.id === "curl-shell")).toBe(true);
+  });
+
+  it("detects curl | bash as dangerous", () => {
+    const result = scanShellCommand("curl -fsSL https://example.com/install.sh | bash");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+    expect(result.findings.some((f) => f.id === "curl-shell")).toBe(true);
+  });
+
+  it("detects mkfs as dangerous", () => {
+    const result = scanShellCommand("mkfs.ext4 /dev/sda1");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+  });
+
+  it("detects dd if= as dangerous", () => {
+    const result = scanShellCommand("dd if=/dev/zero of=/tmp/out bs=1M count=10");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+  });
+
+  it("detects shutdown as dangerous", () => {
+    const result = scanShellCommand("shutdown -h now");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+  });
+
+  it("detects reboot as dangerous", () => {
+    const result = scanShellCommand("reboot");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+  });
+
+  it("scans extra fragments", () => {
+    const result = scanShellCommand("docker exec -it container bash", ["docker exec"]);
+    expect(result.safe).toBe(false);
+    expect(result.findings.some((f) => f.id === "extra:docker exec")).toBe(true);
+  });
+
+  it("returns warn severity when only warnings are found", () => {
+    const result = scanShellCommand("sudo echo hello");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("warn");
+  });
+
+  it("returns danger severity when danger items are found even with warnings", () => {
+    const result = scanShellCommand("sudo rm /tmp/foo");
+    expect(result.safe).toBe(false);
+    expect(result.severity).toBe("danger");
+  });
+
+  it("handles case-insensitive matching", () => {
+    const result = scanShellCommand("RM -rf /");
+    expect(result.safe).toBe(false);
+    expect(result.findings.some((f) => f.id === "rm")).toBe(true);
+  });
+
+  it("ignores empty extra fragments", () => {
+    const result = scanShellCommand("echo foo", ["", "  "]);
+    expect(result.safe).toBe(true);
+  });
+});

package/node_modules/@fiale-plus/pi-core/src/risk.ts

@@ -0,0 +1,97 @@
+export interface RiskFinding {
+  id: string;
+  label: string;
+  severity: "warn" | "danger";
+}
+
+export interface RiskScan {
+  safe: boolean;
+  severity: "safe" | "warn" | "danger";
+  findings: RiskFinding[];
+  reason: string;
+}
+
+const DEFAULT_PATTERNS: RiskFinding[] = [
+  { id: "rm", label: "rm", severity: "danger" },
+  { id: "sudo", label: "sudo", severity: "warn" },
+  { id: "chmod-r", label: "chmod -R", severity: "danger" },
+  { id: "chown", label: "chown", severity: "danger" },
+  { id: "mkfs", label: "mkfs", severity: "danger" },
+  { id: "dd", label: "dd if=", severity: "danger" },
+  { id: "shutdown", label: "shutdown", severity: "danger" },
+  { id: "reboot", label: "reboot", severity: "danger" },
+  { id: "force-push", label: "git push --force", severity: "danger" },
+  { id: "curl-shell", label: "curl | sh", severity: "danger" },
+  { id: "wget-shell", label: "wget | sh", severity: "danger" },
+];
+
+function contains(command: string, fragment: string): boolean {
+  return command.toLowerCase().includes(fragment.toLowerCase());
+}
+
+export function scanShellCommand(command: string, extraFragments: string[] = []): RiskScan {
+  const findings: RiskFinding[] = [];
+  const text = command.trim();
+
+  if (!text) {
+    return { safe: true, severity: "safe", findings, reason: "Empty command." };
+  }
+
+  for (const pattern of DEFAULT_PATTERNS) {
+    switch (pattern.id) {
+      case "rm":
+        if (/\brm\b/i.test(text)) findings.push(pattern);
+        break;
+      case "sudo":
+        if (/\bsudo\b/i.test(text)) findings.push(pattern);
+        break;
+      case "chmod-r":
+        if (/\bchmod\s+-R\b/i.test(text)) findings.push(pattern);
+        break;
+      case "chown":
+        if (/\bchown\b/i.test(text)) findings.push(pattern);
+        break;
+      case "mkfs":
+        if (/\bmkfs(?:\.[\w-]+)?\b/i.test(text)) findings.push(pattern);
+        break;
+      case "dd":
+        if (/\bdd\s+if=/i.test(text)) findings.push(pattern);
+        break;
+      case "shutdown":
+        if (/\bshutdown\b/i.test(text)) findings.push(pattern);
+        break;
+      case "reboot":
+        if (/\breboot\b/i.test(text)) findings.push(pattern);
+        break;
+      case "force-push":
+        if (/\bgit\s+push\b[\s\S]*--force(?:-with-lease)?/i.test(text)) findings.push(pattern);
+        break;
+      case "curl-shell":
+        if (/\bcurl\b[\s\S]*\|\s*(sh|bash)\b/i.test(text)) findings.push(pattern);
+        break;
+      case "wget-shell":
+        if (/\bwget\b[\s\S]*\|\s*(sh|bash)\b/i.test(text)) findings.push(pattern);
+        break;
+    }
+  }
+
+  for (const fragment of extraFragments) {
+    if (!fragment.trim()) continue;
+    if (contains(text, fragment)) {
+      findings.push({ id: `extra:${fragment}`, label: fragment, severity: "danger" });
+    }
+  }
+
+  if (findings.length === 0) {
+    return { safe: true, severity: "safe", findings, reason: "No risky shell fragments found." };
+  }
+
+  const severity = findings.some((finding) => finding.severity === "danger") ? "danger" : "warn";
+  const labels = findings.map((finding) => finding.label).join(", ");
+  return {
+    safe: false,
+    severity,
+    findings,
+    reason: `Detected risky shell fragment(s): ${labels}`,
+  };
+}

package/node_modules/@fiale-plus/pi-core/src/storage.ts

@@ -0,0 +1,39 @@
+import { appendFileSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname } from "node:path";
+
+export function ensureParent(filePath: string): string {
+  mkdirSync(dirname(filePath), { recursive: true });
+  return filePath;
+}
+
+export function readText(filePath: string, fallback = ""): string {
+  try {
+    return readFileSync(filePath, "utf8");
+  } catch {
+    return fallback;
+  }
+}
+
+export function writeText(filePath: string, text: string): void {
+  ensureParent(filePath);
+  writeFileSync(filePath, text, "utf8");
+}
+
+export function appendText(filePath: string, text: string): void {
+  ensureParent(filePath);
+  appendFileSync(filePath, text, "utf8");
+}
+
+export function readJson<T>(filePath: string, fallback: T): T {
+  try {
+    const raw = readText(filePath).trim();
+    if (!raw) return fallback;
+    return JSON.parse(raw) as T;
+  } catch {
+    return fallback;
+  }
+}
+
+export function writeJson(filePath: string, value: unknown): void {
+  writeText(filePath, `${JSON.stringify(value, null, 2)}\n`);
+}

package/node_modules/@fiale-plus/pi-core/src/text.test.ts

@@ -0,0 +1,36 @@
+import { describe, it, expect } from "vitest";
+import { truncate, safeName } from "./text.js";
+
+describe("truncate", () => {
+  it("returns full text when within limit", () => {
+    expect(truncate("hello", 10)).toBe("hello");
+  });
+
+  it("truncates and appends ellipsis when over limit", () => {
+    const result = truncate("hello world this is long", 12);
+    expect(result).toHaveLength(12);
+    expect(result.endsWith("…")).toBe(true);
+  });
+
+  it("handles empty string", () => {
+    expect(truncate("", 10)).toBe("");
+  });
+});
+
+describe("safeName", () => {
+  it("lowercases and replaces spaces with hyphens", () => {
+    expect(safeName("My Feature Branch")).toBe("my-feature-branch");
+  });
+
+  it("replaces special characters with hyphens", () => {
+    expect(safeName("feature/auth!!@#")).toBe("feature-auth");
+  });
+
+  it("strips leading/trailing hyphens", () => {
+    expect(safeName("--main--")).toBe("main");
+  });
+
+  it("falls back to 'main' for empty input", () => {
+    expect(safeName("")).toBe("main");
+  });
+});

package/node_modules/@fiale-plus/pi-core/src/text.ts

@@ -0,0 +1,14 @@
+export function truncate(text: string, max: number): string {
+  if (text.length <= max) return text;
+  return `${text.slice(0, Math.max(0, max - 1))}…`;
+}
+
+export function safeName(text: string): string {
+  return (
+    text
+      .trim()
+      .toLowerCase()
+      .replace(/[^a-z0-9._-]+/g, "-")
+      .replace(/^-+|-+$/g, "") || "main"
+  );
+}