@fitlab-ai/agent-infra 0.5.10 → 0.6.0

package/lib/sandbox/{credentials.js → credentials.ts}

@@ -2,7 +2,103 @@ import { execFileSync } from 'node:child_process';
 import { randomBytes } from 'node:crypto';
 import fs from 'node:fs';
 import path from 'node:path';
-import { hostJoin } from './engines/wsl2-paths.js';
+import { hostJoin } from './engines/wsl2-paths.ts';
+
+type ExecFn = (file: string, args: string[], options?: Record<string, unknown>) => string | Buffer | void;
+type ReadFn = (targetPath: string) => string;
+type ExistsFn = (targetPath: string) => boolean;
+type EnvFn = () => NodeJS.ProcessEnv;
+
+type SecurityClassification = 'OK' | 'LOCKED' | 'NOT_FOUND' | 'OTHER';
+
+type SecurityResult =
+  | { ok: true; stdout: string; stderr: ''; classification: 'OK' }
+  | { ok: false; stdout: ''; stderr: string; classification: Exclude<SecurityClassification, 'OK'> };
+
+type CredentialStatus = 'OK'
+  | 'MISSING'
+  | 'STALE_ACCESS'
+  | 'KEYCHAIN_LOCKED'
+  | 'KEYCHAIN_ERROR'
+  | 'KEYCHAIN_WRITE_FAILED';
+
+type CredentialInspection =
+  | { status: 'OK'; blob: string; expiresAt: unknown }
+  | { status: Exclude<CredentialStatus, 'OK' | 'KEYCHAIN_WRITE_FAILED'>; blob?: undefined; expiresAt?: unknown; detail?: string };
+
+type CredentialEndpoint = CredentialInspection & {
+  name: string;
+  project?: string;
+};
+
+type OkCredentialEndpoint = CredentialEndpoint & {
+  status: 'OK';
+  blob: string;
+};
+type ExpiringOkCredentialEndpoint = OkCredentialEndpoint & {
+  expiresAt: number;
+};
+
+type Warning = {
+  source?: string;
+  classification?: string;
+  message?: string;
+};
+
+type WriteResult =
+  | { ok: true; classification?: undefined; error?: undefined }
+  | { ok: false; classification: Exclude<SecurityClassification, 'OK'>; error: string };
+
+type InspectOptions = {
+  readFn?: ReadFn;
+  existsFn?: ExistsFn;
+  envFn?: EnvFn;
+};
+
+type WriteHostOptions = {
+  execFn?: ExecFn;
+  mkdirFn?: typeof fs.mkdirSync;
+  chmodFn?: typeof fs.chmodSync;
+  writeFileFn?: typeof fs.writeFileSync;
+  renameFn?: typeof fs.renameSync;
+  rmFn?: typeof fs.rmSync;
+  randomFn?: () => string;
+  envFn?: EnvFn;
+};
+
+type ReconcileOptions = InspectOptions & {
+  execFn?: ExecFn;
+  writeFn?: (home: string, project: string, blob: string) => void;
+  writeHostFn?: (home: string, blob: string, options?: WriteHostOptions) => WriteResult;
+  discoverFn?: (home: string) => string[];
+  projects?: string[] | null;
+  singleProject?: string | null;
+  inspection?: CredentialInspection | null;
+};
+type ReconcileResult = {
+  status: CredentialStatus;
+  authoritative: string | null;
+  expiresAt: unknown;
+  hostWritten: boolean;
+  filesWritten: string[];
+  fileErrors: Array<{ project: string; error: string }>;
+  warnings: Warning[];
+  detail?: string | null;
+};
+
+type ResolvedTool = {
+  tool: {
+    id: string;
+  };
+};
+
+type CredentialPayload = {
+  claudeAiOauth?: CredentialPayload;
+  scopes?: unknown;
+  accessToken?: unknown;
+  refreshToken?: unknown;
+  expiresAt?: unknown;
+};
 
 const LOCKED_PATTERN = /errSecInteractionNotAllowed|User interaction is not allowed/i;
 const NOT_FOUND_PATTERN = /errSecItemNotFound|specified item could not be found/i;
@@ -13,7 +109,11 @@ const REDACTION_PATTERNS = [
   { pattern: /Bearer\s+[A-Za-z0-9._~+/=-]{20,}/gi, replacement: 'Bearer [REDACTED]' }
 ];
 
-export function redactCommandError(text) {
+function errorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : 'unknown error';
+}
+
+export function redactCommandError(text: unknown): string {
   if (!text || typeof text !== 'string') {
     return '';
   }
@@ -26,8 +126,10 @@ export function redactCommandError(text) {
 
 export const redactSecurityOutput = redactCommandError;
 
-function extractStderrSafely(error) {
-  const stderr = error?.stderr;
+function extractStderrSafely(error: unknown): string {
+  const stderr = typeof error === 'object' && error !== null && 'stderr' in error
+    ? error.stderr
+    : undefined;
   if (Buffer.isBuffer(stderr)) {
     return stderr.toString('utf8');
   }
@@ -37,7 +139,7 @@ function extractStderrSafely(error) {
   return '';
 }
 
-function classifySecurityFailure(text) {
+function classifySecurityFailure(text: string): Exclude<SecurityClassification, 'OK'> {
   if (LOCKED_PATTERN.test(text)) {
     return 'LOCKED';
   }
@@ -47,14 +149,16 @@ function classifySecurityFailure(text) {
   return 'OTHER';
 }
 
-function runSecurity(args, options = {}, execFn = execFileSync) {
+function runSecurity(args: string[], options: Record<string, unknown> = {}, execFn: ExecFn = execFileSync): SecurityResult {
   try {
     const stdout = execFn('security', args, {
       encoding: 'utf8',
       stdio: ['ignore', 'pipe', 'pipe'],
       ...options
     });
-    const text = typeof stdout === 'string' ? stdout : (stdout?.toString?.('utf8') ?? '');
+    const text = typeof stdout === 'string'
+      ? stdout
+      : (Buffer.isBuffer(stdout) ? stdout.toString('utf8') : '');
     return { ok: true, stdout: text, stderr: '', classification: 'OK' };
   } catch (error) {
     const stderr = redactCommandError(extractStderrSafely(error));
@@ -67,7 +171,7 @@ function runSecurity(args, options = {}, execFn = execFileSync) {
   }
 }
 
-export function buildLockedGuidance() {
+export function buildLockedGuidance(): string {
   return [
     'macOS keychain is locked (errSecInteractionNotAllowed).',
     'Options to recover:',
@@ -90,7 +194,7 @@ export function buildLockedGuidance() {
   ].join('\n');
 }
 
-export function claudeCredentialsEnvOverride(env = process.env) {
+export function claudeCredentialsEnvOverride(env: NodeJS.ProcessEnv = process.env): { path: string; source: string } | null {
   const raw = env?.AGENT_INFRA_CLAUDE_CREDENTIALS_FILE;
   if (!raw || typeof raw !== 'string') {
     return null;
@@ -98,7 +202,7 @@ export function claudeCredentialsEnvOverride(env = process.env) {
   return { path: raw, source: 'AGENT_INFRA_CLAUDE_CREDENTIALS_FILE' };
 }
 
-export function validateClaudeCredentialsEnvOverride(env = process.env) {
+export function validateClaudeCredentialsEnvOverride(env: NodeJS.ProcessEnv = process.env): void {
   const raw = env?.AGENT_INFRA_CLAUDE_CREDENTIALS_FILE;
   if (raw === undefined || raw === '') {
     return;
@@ -112,15 +216,15 @@ export function validateClaudeCredentialsEnvOverride(env = process.env) {
 
 // Reconcile treats the freshest valid endpoint as authoritative so sandbox
 // token rotations can flow back to the host credential store.
-function validateClaudeCredentialsBlob(raw, blob = null) {
+function validateClaudeCredentialsBlob(raw: unknown, blob: string | null = null): CredentialInspection {
   const trimmed = typeof raw === 'string' ? raw.trim() : '';
   if (!trimmed) {
     return { status: 'MISSING' };
   }
 
-  let parsed;
+  let parsed: CredentialPayload;
   try {
-    parsed = JSON.parse(trimmed);
+    parsed = JSON.parse(trimmed) as CredentialPayload;
   } catch {
     return { status: 'STALE_ACCESS' };
   }
@@ -140,7 +244,11 @@ function validateClaudeCredentialsBlob(raw, blob = null) {
   };
 }
 
-export function readClaudeCredentialsFile(filePath, readFn = (targetPath) => fs.readFileSync(targetPath, 'utf8'), existsFn = fs.existsSync) {
+export function readClaudeCredentialsFile(
+  filePath: string,
+  readFn: ReadFn = (targetPath) => fs.readFileSync(targetPath, 'utf8'),
+  existsFn: ExistsFn = fs.existsSync
+): CredentialInspection {
   if (!existsFn(filePath)) {
     return { status: 'MISSING' };
   }
@@ -153,7 +261,11 @@ export function readClaudeCredentialsFile(filePath, readFn = (targetPath) => fs.
   }
 }
 
-export function inspectClaudeKeychainStatus(home, execFn = execFileSync, options = {}) {
+export function inspectClaudeKeychainStatus(
+  home: string,
+  execFn: ExecFn = execFileSync,
+  options: InspectOptions = {}
+): CredentialInspection {
   const {
     readFn,
     existsFn,
@@ -191,7 +303,7 @@ export function inspectClaudeKeychainStatus(home, execFn = execFileSync, options
   return readClaudeCredentialsFile(credentialsPath, readFn, existsFn);
 }
 
-export function inspectClaudeMountFile(home, project, options = {}) {
+export function inspectClaudeMountFile(home: string, project: string, options: InspectOptions = {}): CredentialInspection {
   return readClaudeCredentialsFile(
     claudeCredentialsPath(home, project),
     options.readFn,
@@ -199,20 +311,20 @@ export function inspectClaudeMountFile(home, project, options = {}) {
   );
 }
 
-export function extractClaudeCredentialsBlob(home, execFn = execFileSync) {
+export function extractClaudeCredentialsBlob(home: string, execFn: ExecFn = execFileSync): string | null {
   const inspection = inspectClaudeKeychainStatus(home, execFn);
   return inspection.status === 'OK' ? inspection.blob : null;
 }
 
-export function claudeCredentialsDir(home, project) {
+export function claudeCredentialsDir(home: string, project: string): string {
   return hostJoin(home, '.agent-infra', 'credentials', project, 'claude-code');
 }
 
-export function claudeCredentialsPath(home, project) {
+export function claudeCredentialsPath(home: string, project: string): string {
   return hostJoin(claudeCredentialsDir(home, project), '.credentials.json');
 }
 
-export function writeClaudeCredentialsFile(home, project, blob) {
+export function writeClaudeCredentialsFile(home: string, project: string, blob: string): void {
   const dir = claudeCredentialsDir(home, project);
   const filePath = claudeCredentialsPath(home, project);
 
@@ -222,7 +334,7 @@ export function writeClaudeCredentialsFile(home, project, blob) {
   fs.chmodSync(filePath, 0o600);
 }
 
-export function discoverProjects(home) {
+export function discoverProjects(home: string): string[] {
   const credentialsRoot = hostJoin(home, '.agent-infra', 'credentials');
   if (!fs.existsSync(credentialsRoot)) {
     return [];
@@ -234,7 +346,7 @@ export function discoverProjects(home) {
     .filter((project) => fs.existsSync(claudeCredentialsPath(home, project)));
 }
 
-export function writeClaudeCredentialsToHost(home, blob, options = {}) {
+export function writeClaudeCredentialsToHost(home: string, blob: string, options: WriteHostOptions = {}): WriteResult {
   const {
     execFn = execFileSync,
     mkdirFn = fs.mkdirSync,
@@ -293,24 +405,24 @@ export function writeClaudeCredentialsToHost(home, blob, options = {}) {
     return {
       ok: false,
       classification: 'OTHER',
-      error: redactCommandError(error?.message ?? 'unknown error')
+      error: redactCommandError(errorMessage(error))
     };
   }
 }
 
-export function formatCredentialWarnings(warnings = []) {
+export function formatCredentialWarnings(warnings: Array<string | Warning> = []): string {
   return warnings
     .map((warning) => (typeof warning === 'string' ? warning : warning?.message))
     .filter(Boolean)
     .join('; ');
 }
 
-function endpointNameForFile(project) {
+function endpointNameForFile(project: string): string {
   return `file:${project}`;
 }
 
-function chooseAuthoritativeEndpoint(endpoints) {
-  const okEndpoints = endpoints.filter((endpoint) => endpoint.status === 'OK');
+function chooseAuthoritativeEndpoint(endpoints: CredentialEndpoint[]): OkCredentialEndpoint | null {
+  const okEndpoints = endpoints.filter((endpoint): endpoint is OkCredentialEndpoint => endpoint.status === 'OK');
   if (okEndpoints.length === 0) {
     return null;
   }
@@ -320,17 +432,19 @@ function chooseAuthoritativeEndpoint(endpoints) {
     return hostEndpoint;
   }
 
-  const withExpiresAt = okEndpoints.filter((endpoint) => typeof endpoint.expiresAt === 'number');
+  const withExpiresAt = okEndpoints.filter(
+    (endpoint): endpoint is ExpiringOkCredentialEndpoint => typeof endpoint.expiresAt === 'number'
+  );
   if (withExpiresAt.length > 0) {
     return withExpiresAt.reduce((best, endpoint) => (
       endpoint.expiresAt > best.expiresAt ? endpoint : best
     ));
   }
 
-  return okEndpoints.find((endpoint) => endpoint.name === 'host') ?? okEndpoints[0];
+  return okEndpoints.find((endpoint) => endpoint.name === 'host') ?? okEndpoints[0] ?? null;
 }
 
-function shouldWriteEndpoint(authoritative, target) {
+function shouldWriteEndpoint(authoritative: OkCredentialEndpoint, target: CredentialEndpoint): boolean {
   if (target.status !== 'OK') {
     return true;
   }
@@ -347,7 +461,7 @@ function shouldWriteEndpoint(authoritative, target) {
   return false;
 }
 
-export function reconcileClaudeCredentials(home, options = {}) {
+export function reconcileClaudeCredentials(home: string, options: ReconcileOptions = {}): ReconcileResult {
   const {
     execFn = execFileSync,
     writeFn = writeClaudeCredentialsFile,
@@ -387,13 +501,13 @@ export function reconcileClaudeCredentials(home, options = {}) {
       filesWritten: [],
       fileErrors: [],
       warnings: [],
-      detail: hostEndpoint.detail ?? null
+      detail: 'detail' in hostEndpoint ? hostEndpoint.detail ?? null : null
     };
   }
 
-  const warnings = [];
-  const filesWritten = [];
-  const fileErrors = [];
+  const warnings: Warning[] = [];
+  const filesWritten: string[] = [];
+  const fileErrors: Array<{ project: string; error: string }> = [];
   let hostWritten = false;
   let hostWriteFailed = false;
 
@@ -420,7 +534,7 @@ export function reconcileClaudeCredentials(home, options = {}) {
       writeFn(home, endpoint.project, authoritative.blob);
       filesWritten.push(endpoint.project);
     } catch (error) {
-      fileErrors.push({ project: endpoint.project, error: error.message });
+      fileErrors.push({ project: endpoint.project, error: errorMessage(error) });
     }
   }
 
@@ -435,7 +549,7 @@ export function reconcileClaudeCredentials(home, options = {}) {
   };
 }
 
-export function syncClaudeCredentialsFromKeychain(home, project, options = {}) {
+export function syncClaudeCredentialsFromKeychain(home: string, project: string, options: ReconcileOptions = {}) {
   const result = reconcileClaudeCredentials(home, {
     ...options,
     singleProject: project
@@ -454,7 +568,7 @@ export function syncClaudeCredentialsFromKeychain(home, project, options = {}) {
   };
 }
 
-export function formatRemaining(expiresAt) {
+export function formatRemaining(expiresAt: unknown): string {
   if (typeof expiresAt !== 'number') {
     return 'unknown';
   }
@@ -471,19 +585,19 @@ export function formatRemaining(expiresAt) {
 }
 
 export function assertClaudeCredentialsAvailable(
-  home,
-  project,
-  resolvedTools,
-  extractFn = extractClaudeCredentialsBlob,
-  writeFn = writeClaudeCredentialsFile,
-  inspectFn = inspectClaudeKeychainStatus
-) {
+  home: string,
+  project: string,
+  resolvedTools: ResolvedTool[],
+  extractFn: (home: string) => string | null = extractClaudeCredentialsBlob,
+  writeFn: (home: string, project: string, blob: string) => void = writeClaudeCredentialsFile,
+  inspectFn: (home: string) => CredentialInspection = inspectClaudeKeychainStatus
+): void {
   const claudeCodeEntry = resolvedTools.find(({ tool }) => tool.id === 'claude-code');
   if (!claudeCodeEntry) {
     return;
   }
 
-  let blob = null;
+  let blob: string | null = null;
   const hasCustomInspectFn = inspectFn !== inspectClaudeKeychainStatus;
   const hasCustomExtractFn = extractFn !== extractClaudeCredentialsBlob;
   if (hasCustomInspectFn || !hasCustomExtractFn) {

package/lib/sandbox/{dockerfile.js → dockerfile.ts}

@@ -9,19 +9,26 @@ const RUNTIMES_DIR = path.join(
   'runtimes'
 );
 
-function listRuntimeFragments() {
+type DockerfileConfig = {
+  repoRoot: string;
+  project: string;
+  dockerfile: string | null;
+  runtimes: string[];
+};
+
+function listRuntimeFragments(): string[] {
   return fs.readdirSync(RUNTIMES_DIR)
     .filter((file) => file.endsWith('.dockerfile'))
     .map((file) => file.replace(/\.dockerfile$/, ''));
 }
 
-export function availableRuntimes() {
+export function availableRuntimes(): string[] {
   return listRuntimeFragments()
     .filter((name) => name !== 'base' && name !== 'ai-tools')
     .sort();
 }
 
-function dockerfileContent(config) {
+function dockerfileContent(config: DockerfileConfig): string {
   if (config.dockerfile) {
     const customPath = path.resolve(config.repoRoot, config.dockerfile);
     if (!fs.existsSync(customPath)) {
@@ -52,14 +59,14 @@ function dockerfileContent(config) {
   return `${content}\n`;
 }
 
-export function dockerfileSignature(config) {
+export function dockerfileSignature(config: DockerfileConfig): string {
   return createHash('sha256')
     .update(dockerfileContent(config))
     .digest('hex')
     .slice(0, 12);
 }
 
-export function prepareDockerfile(config) {
+export function prepareDockerfile(config: DockerfileConfig): { path: string; signature: string; cleanup: () => void } {
   if (config.dockerfile) {
     const customPath = path.resolve(config.repoRoot, config.dockerfile);
     if (!fs.existsSync(customPath)) {
@@ -86,7 +93,7 @@ export function prepareDockerfile(config) {
   };
 }
 
-export function composeDockerfile(config) {
+export function composeDockerfile(config: DockerfileConfig): string {
   const content = dockerfileContent(config);
 
   const tempPath = path.join(os.tmpdir(), `${config.project}-sandbox.Dockerfile`);

package/lib/sandbox/{dotfiles.js → dotfiles.ts}

@@ -1,13 +1,45 @@
 import fs from 'node:fs';
 import path from 'node:path';
-import { hostJoin } from './engines/wsl2-paths.js';
-
-export function dotfilesCacheDir(home, project) {
+import { hostJoin } from './engines/wsl2-paths.ts';
+
+type DotfilesWarning = {
+  rel: string;
+  reason: string;
+  detail?: string;
+};
+
+type DotfilesFs = Pick<typeof fs, 'copyFileSync' | 'existsSync' | 'mkdirSync' | 'readdirSync' | 'realpathSync' | 'rmSync' | 'statSync'>;
+
+type MaterializeOptions = {
+  writeStderr?: (message: string) => void;
+  maxDepth?: number;
+  fsModule?: DotfilesFs;
+};
+
+type WalkContext = {
+  srcDir: string;
+  dstDir: string;
+  relParts: string[];
+  depth: number;
+  maxDepth: number;
+  activeDirs: Set<string>;
+  warnings: DotfilesWarning[];
+  writeStderr: (message: string) => void;
+  fsModule: DotfilesFs;
+};
+
+export function dotfilesCacheDir(home: string, project: string): string {
   return hostJoin(home, '.agent-infra', '.cache', 'dotfiles-resolved', project);
 }
 
-function dotfilesWarning(warnings, writeStderr, relPath, reason, detail = '') {
-  const warning = { rel: relPath, reason };
+function dotfilesWarning(
+  warnings: DotfilesWarning[],
+  writeStderr: (message: string) => void,
+  relPath: string,
+  reason: string,
+  detail = ''
+): void {
+  const warning: DotfilesWarning = { rel: relPath, reason };
   if (detail) {
     warning.detail = detail;
   }
@@ -17,17 +49,31 @@ function dotfilesWarning(warnings, writeStderr, relPath, reason, detail = '') {
   writeStderr(`sandbox-dotfiles (host): skipping ${relPath} (${reason}${suffix})\n`);
 }
 
-function copyDotfile(srcPath, dstPath, context) {
+function errorDetail(error: unknown): string {
+  return error instanceof Error ? error.message : 'unknown error';
+}
+
+function errorCodeOrDetail(error: unknown): string {
+  return typeof error === 'object' && error !== null && 'code' in error
+    ? String(error.code)
+    : errorDetail(error);
+}
+
+function copyDotfile(
+  srcPath: string,
+  dstPath: string,
+  context: Pick<WalkContext, 'fsModule' | 'warnings' | 'writeStderr'> & { relPath: string }
+): void {
   const { fsModule, relPath, warnings, writeStderr } = context;
   try {
     fsModule.mkdirSync(path.dirname(dstPath), { recursive: true });
     fsModule.copyFileSync(srcPath, dstPath);
   } catch (error) {
-    dotfilesWarning(warnings, writeStderr, relPath, 'copy failed', error?.code ?? error?.message ?? 'unknown error');
+    dotfilesWarning(warnings, writeStderr, relPath, 'copy failed', errorCodeOrDetail(error));
   }
 }
 
-function walkAndMaterializeDotfiles(context) {
+function walkAndMaterializeDotfiles(context: WalkContext): void {
   const {
     srcDir,
     dstDir,
@@ -46,11 +92,11 @@ function walkAndMaterializeDotfiles(context) {
     return;
   }
 
-  let entries;
+  let entries: fs.Dirent[];
   try {
     entries = fsModule.readdirSync(srcDir, { withFileTypes: true });
   } catch (error) {
-    dotfilesWarning(warnings, writeStderr, relPath, 'read failed', error?.code ?? error?.message ?? 'unknown error');
+    dotfilesWarning(warnings, writeStderr, relPath, 'read failed', errorCodeOrDetail(error));
     return;
   }
 
@@ -61,20 +107,21 @@ function walkAndMaterializeDotfiles(context) {
     const childRelPath = childRelParts.join('/');
 
     if (entry.isSymbolicLink()) {
-      let resolvedTarget;
+      let resolvedTarget: string;
       try {
         resolvedTarget = fsModule.realpathSync(childSrc);
       } catch (error) {
-        const reason = error?.code === 'ELOOP' ? 'symlink loop' : 'dangling symlink';
-        dotfilesWarning(warnings, writeStderr, childRelPath, reason, error?.code ?? 'unresolved');
+        const code = errorCodeOrDetail(error);
+        const reason = code === 'ELOOP' ? 'symlink loop' : 'dangling symlink';
+        dotfilesWarning(warnings, writeStderr, childRelPath, reason, code || 'unresolved');
         continue;
       }
 
-      let targetStat;
+      let targetStat: fs.Stats;
       try {
         targetStat = fsModule.statSync(resolvedTarget);
       } catch (error) {
-        dotfilesWarning(warnings, writeStderr, childRelPath, 'target stat failed', error?.code ?? error?.message ?? 'unknown error');
+        dotfilesWarning(warnings, writeStderr, childRelPath, 'target stat failed', errorCodeOrDetail(error));
         continue;
       }
 
@@ -112,7 +159,7 @@ function walkAndMaterializeDotfiles(context) {
     }
 
     if (entry.isDirectory()) {
-      let childRealPath = null;
+      let childRealPath: string | null = null;
       try {
         childRealPath = fsModule.realpathSync(childSrc);
       } catch {
@@ -149,7 +196,7 @@ function walkAndMaterializeDotfiles(context) {
   }
 }
 
-export function materializeDotfiles(srcDir, cacheDir, options = {}) {
+export function materializeDotfiles(srcDir: string, cacheDir: string, options: MaterializeOptions = {}) {
   const {
     writeStderr = (message) => process.stderr.write(message),
     maxDepth = 32,
@@ -165,8 +212,8 @@ export function materializeDotfiles(srcDir, cacheDir, options = {}) {
     fsModule.rmSync(path.join(cacheDir, entry), { recursive: true, force: true });
   }
 
-  const warnings = [];
-  const activeDirs = new Set();
+  const warnings: DotfilesWarning[] = [];
+  const activeDirs = new Set<string>();
   try {
     activeDirs.add(fsModule.realpathSync(srcDir));
   } catch {