@fjall/deploy-core 0.89.2

package/dist/src/util/securityHelpers.js

@@ -0,0 +1,124 @@
+/**
+ * Security helpers for spawn operations
+ *
+ * Provides environment variable filtering and credential masking
+ * to prevent command injection and credential leakage.
+ */
+/**
+ * Environment variables that MUST NOT be passed from user input to spawned processes.
+ * These can be exploited for:
+ * - Code execution hijacking (PATH, NODE_OPTIONS)
+ * - Dynamic linker injection (LD_PRELOAD, DYLD_INSERT_LIBRARIES)
+ * - Interpreter code injection (PYTHONPATH, RUBYLIB)
+ * - Credential/identity hijacking (HOME, AWS_CONFIG_FILE)
+ * - Shell injection (BASH_ENV, ENV)
+ */
+export const DANGEROUS_ENV_VARS = new Set([
+    // Execution hijacking
+    // NOTE: PATH is intentionally NOT included here - it's required for spawn() to find executables
+    // See: aiDocs/patterns/spawn-security-pattern.md for rationale
+    "NODE_OPTIONS",
+    "NODE_PATH",
+    "NODE_EXTRA_CA_CERTS",
+    "NODE_DEBUG",
+    "NODE_PRESERVE_SYMLINKS",
+    // Dynamic linker injection (Linux)
+    "LD_PRELOAD",
+    "LD_LIBRARY_PATH",
+    "LD_AUDIT",
+    "LD_BIND_NOW",
+    // Dynamic linker injection (macOS)
+    "DYLD_INSERT_LIBRARIES",
+    "DYLD_LIBRARY_PATH",
+    "DYLD_FRAMEWORK_PATH",
+    // Interpreter code injection
+    "PYTHONPATH",
+    "PYTHONSTARTUP",
+    "PERL5LIB",
+    "PERL5OPT",
+    "RUBYLIB",
+    "RUBYOPT",
+    // Credential/identity hijacking
+    "HOME",
+    "XDG_CONFIG_HOME",
+    "AWS_SHARED_CREDENTIALS_FILE",
+    "AWS_CONFIG_FILE",
+    // Shell injection
+    "SHELL",
+    "BASH_ENV",
+    "ENV",
+    "ZDOTDIR"
+]);
+/**
+ * Filter dangerous environment variables from a record.
+ * Returns a new object with only safe environment variables.
+ */
+export function filterDangerousEnvVars(env) {
+    return Object.fromEntries(Object.entries(env).filter(([key]) => !DANGEROUS_ENV_VARS.has(key.toUpperCase())));
+}
+/**
+ * Mask sensitive information in output strings to prevent credential leakage.
+ * Patterns: postgres://user:pass@host, password=xxx, secret=xxx, apikey=xxx
+ */
+export function maskSensitiveOutput(output) {
+    return (output
+        // Mask postgres/mysql connection strings with credentials
+        .replace(/(\w+:\/\/[^:]+:)[^@]+(@)/gi, "$1***$2")
+        // Mask common credential patterns
+        .replace(/(password|passwd|secret|api[_-]?key|token|auth|credential)[=:]["']?[^\s"']+/gi, "$1=***")
+        // Mask GitHub tokens (ghu_, ghs_, ghp_, github_pat_) appearing as bare values
+        .replace(/\b(ghu_|ghs_|ghp_|github_pat_)[A-Za-z0-9_]+/g, "***")
+        // Mask AWS secret access keys (40 chars, base64-ish) — only when preceded
+        // by a known credential context to avoid false-positive masking of ARNs,
+        // physical resource IDs, and other legitimate 40-char strings.
+        .replace(/(?<=AWS_SECRET_ACCESS_KEY=|SecretAccessKey[=:]\s*|"secretAccessKey":\s*")[A-Za-z0-9/+=]{40}/g, "***"));
+}
+/**
+ * Parse a shell command string into an array of arguments.
+ * Handles single quotes, double quotes, and escaped characters.
+ */
+export function parseShellArgs(command) {
+    const args = [];
+    let current = "";
+    let inSingleQuote = false;
+    let inDoubleQuote = false;
+    let escaped = false;
+    for (const char of command) {
+        if (escaped) {
+            current += char;
+            escaped = false;
+            continue;
+        }
+        if (char === "\\") {
+            escaped = true;
+            continue;
+        }
+        if (char === "'" && !inDoubleQuote) {
+            inSingleQuote = !inSingleQuote;
+            continue;
+        }
+        if (char === '"' && !inSingleQuote) {
+            inDoubleQuote = !inDoubleQuote;
+            continue;
+        }
+        if (char === " " && !inSingleQuote && !inDoubleQuote) {
+            if (current) {
+                args.push(current);
+                current = "";
+            }
+            continue;
+        }
+        current += char;
+    }
+    if (inSingleQuote || inDoubleQuote) {
+        // Unbalanced quotes — include the partial token. Callers should validate
+        // their input if quote-balancing is required.
+        if (current) {
+            args.push(current);
+        }
+    }
+    else if (current) {
+        args.push(current);
+    }
+    return args;
+}

package/dist/src/util/singleton.d.ts

@@ -0,0 +1,2 @@
+/** Lazily creates one instance per factory — shared singleton helper. */
+export declare function singleton<T>(factory: () => T): () => T;

package/dist/src/util/singleton.js

@@ -0,0 +1,9 @@
+/** Lazily creates one instance per factory — shared singleton helper. */
+export function singleton(factory) {
+    let instance;
+    return () => {
+        if (instance === undefined)
+            instance = factory();
+        return instance;
+    };
+}

package/dist/src/util/sleep.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Delay execution for the given number of milliseconds.
+ */
+export declare const sleep: (ms: number) => Promise<void>;

package/dist/src/util/sleep.js

@@ -0,0 +1,4 @@
+/**
+ * Delay execution for the given number of milliseconds.
+ */
+export const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@fjall/deploy-core",
+  "version": "0.89.2",
+  "description": "Shared deployment engine for Fjall — used by CLI and webapp worker",
+  "type": "module",
+  "main": "dist/src/index.js",
+  "types": "dist/src/index.d.ts",
+  "files": [
+    "dist/"
+  ],
+  "scripts": {
+    "clean": "rm -rf ./dist",
+    "build": "npm run clean && tsc",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "format": "prettier --write \"src/**/*.ts\"",
+    "format:check": "prettier --check \"src/**/*.ts\"",
+    "lint": "eslint src/"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "@aws-sdk/client-backup": "^3.1009.0",
+    "@aws-sdk/client-cloudformation": "^3.1009.0",
+    "@aws-sdk/client-cost-explorer": "^3.1009.0",
+    "@aws-sdk/client-ec2": "^3.1009.0",
+    "@aws-sdk/client-organizations": "^3.1009.0",
+    "@aws-sdk/client-ram": "^3.1009.0",
+    "@aws-sdk/client-sso-admin": "^3.1009.0",
+    "@aws-sdk/client-sts": "^3.1009.0",
+    "@fjall/generator": "^0.89.2",
+    "@fjall/util": "^0.89.2",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "vitest": "^3.2.3"
+  },
+  "gitHead": "5bb039ff669fbe96d656ae1467e9986cf4327e92"
+}