@guardinstall/cli 0.1.5 → 0.1.8

package/dist/index.js

@@ -39,7 +39,7 @@ const program = new commander_1.Command();
 program
     .name('guardinstall')
     .description('A kernel-level behavioral sandbox for npm/pnpm/bun install scripts')
-    .version('0.1.4');
+    .version('0.1.7');
 program
     .command('install')
     .description('Run npm install with sandbox protection')

package/dist/installer.js

@@ -6,7 +6,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runPackageManager = void 0;
 const child_process_1 = require("child_process");
 const chalk_1 = __importDefault(require("chalk"));
-const child_process_2 = require("child_process");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 async function runPackageManager(pm, args) {
     const pmMap = {
         npm: 'npm',
@@ -14,19 +15,18 @@ async function runPackageManager(pm, args) {
         bun: 'bun',
     };
     const command = pmMap[pm] || 'npm';
-    // For install/add, we need to:
-    // 1. Run with --ignore-scripts to install packages
-    // 2. Then run scripts through sandbox
+    // For add, we need to manually add to package.json and run npm install
+    if (args.includes('add') && command === 'npm') {
+        return runNpmAddWithFallback(args);
+    }
+    // For install, just run with --ignore-scripts
     const hasIgnoreScripts = args.some(a => a.includes('ignore-scripts'));
     if (!hasIgnoreScripts && (args.includes('install') || args.includes('add'))) {
-        // Add --ignore-scripts flag
         args.push('--ignore-scripts');
     }
-    // Remove --ignore-scripts from display (it's expected)
     const displayArgs = args.filter(a => a !== '--ignore-scripts');
     console.log(chalk_1.default.gray(`\n📦 Running: ${command} ${displayArgs.join(' ')} (with --ignore-scripts)\n`));
     return new Promise((resolve) => {
-        // Use spawn without shell to avoid npm arborist bug triggered by shell escaping
         const proc = (0, child_process_1.spawn)(command, args, {
             stdio: 'inherit',
             shell: false
@@ -35,20 +35,6 @@ async function runPackageManager(pm, args) {
         proc.stdout?.on('data', (d) => { output += d.toString(); });
         proc.stderr?.on('data', (d) => { output += d.toString(); });
         proc.on('close', (code) => {
-            // If npm fails with arborist error, try alternative approach
-            if (code !== 0 && command === 'npm') {
-                console.log(chalk_1.default.yellow('\n⚠️  npm encountered an error, trying with --no-audit --no-fund...\n'));
-                try {
-                    // Try running npm without audit/fund which sometimes triggers arborist issues
-                    const fallbackArgs = ['install', '--ignore-scripts', '--no-audit', '--no-fund', ...args.filter(a => a !== 'install' && a !== 'add' && a !== '--ignore-scripts')];
-                    const result = (0, child_process_2.execSync)(`npm ${fallbackArgs.join(' ')}`, { stdio: 'inherit', encoding: 'utf-8' });
-                    resolve({ success: true, output: result || '' });
-                    return;
-                }
-                catch (e) {
-                    // Fallback failed too
-                }
-            }
             resolve({
                 success: code === 0,
                 output
@@ -57,3 +43,41 @@ async function runPackageManager(pm, args) {
     });
 }
 exports.runPackageManager = runPackageManager;
+// Workaround for npm arborist bug: manually add to package.json then run npm install
+async function runNpmAddWithFallback(args) {
+    const packages = args.filter(a => !a.startsWith('-') && a !== 'add');
+    if (packages.length === 0) {
+        return { success: false, output: 'No packages specified' };
+    }
+    console.log(chalk_1.default.gray(`\n📦 Adding packages: ${packages.join(', ')}\n`));
+    console.log(chalk_1.default.gray(`Step 1: Adding to package.json...\n`));
+    try {
+        // Read package.json
+        const pkgPath = path_1.default.join(process.cwd(), 'package.json');
+        const pkg = JSON.parse(fs_1.default.readFileSync(pkgPath, 'utf-8'));
+        // Add packages to dependencies
+        if (!pkg.dependencies)
+            pkg.dependencies = {};
+        for (const pkgName of packages) {
+            // Extract package@version if specified
+            const match = pkgName.match(/^(@?[^@]+)(@.+)?$/);
+            const name = match ? match[1] : pkgName;
+            const version = match && match[2] ? match[2] : 'latest';
+            pkg.dependencies[name] = version;
+        }
+        // Write back
+        fs_1.default.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+        console.log(chalk_1.default.gray(`Step 2: Running npm install --ignore-scripts...\n`));
+        // Run npm install with --ignore-scripts
+        const result = (0, child_process_1.execSync)('npm install --ignore-scripts --no-audit --no-fund', {
+            stdio: 'inherit',
+            encoding: 'utf-8'
+        });
+        return { success: true, output: result || '' };
+    }
+    catch (e) {
+        const errorMsg = e instanceof Error ? e.message : String(e);
+        console.error(chalk_1.default.red(`Error: ${errorMsg}`));
+        return { success: false, output: errorMsg };
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guardinstall/cli",
-  "version": "0.1.5",
+  "version": "0.1.8",
   "description": "CLI wrapper for guardinstall - intercepts and sandboxes install scripts",
   "main": "dist/index.js",
   "bin": {
@@ -13,8 +13,8 @@
     "test": "jest"
   },
   "dependencies": {
-    "@guardinstall/policy-engine": "0.1.5",
-    "@guardinstall/sandbox": "0.1.5",
+    "@guardinstall/policy-engine": "0.1.8",
+    "@guardinstall/sandbox": "0.1.8",
     "@npmcli/arborist": "7.5.4",
     "chalk": "4.1.2",
     "commander": "12.1.0"

package/src/index.ts

@@ -13,7 +13,7 @@ const program = new Command()
 program
   .name('guardinstall')
   .description('A kernel-level behavioral sandbox for npm/pnpm/bun install scripts')
-  .version('0.1.4')
+  .version('0.1.7')
 
 program
   .command('install')

package/src/installer.ts

@@ -1,6 +1,7 @@
-import { spawn } from 'child_process'
+import { spawn, execSync } from 'child_process'
 import chalk from 'chalk'
-import { execSync } from 'child_process'
+import fs from 'fs'
+import path from 'path'
 
 export async function runPackageManager(
   pm: string,
@@ -14,22 +15,22 @@ export async function runPackageManager(
 
   const command = pmMap[pm] || 'npm'
 
-  // For install/add, we need to:
-  // 1. Run with --ignore-scripts to install packages
-  // 2. Then run scripts through sandbox
+  // For add, we need to manually add to package.json and run npm install
+  if (args.includes('add') && command === 'npm') {
+    return runNpmAddWithFallback(args)
+  }
+
+  // For install, just run with --ignore-scripts
   const hasIgnoreScripts = args.some(a => a.includes('ignore-scripts'))
   
   if (!hasIgnoreScripts && (args.includes('install') || args.includes('add'))) {
-    // Add --ignore-scripts flag
     args.push('--ignore-scripts')
   }
 
-  // Remove --ignore-scripts from display (it's expected)
   const displayArgs = args.filter(a => a !== '--ignore-scripts')
   console.log(chalk.gray(`\n📦 Running: ${command} ${displayArgs.join(' ')} (with --ignore-scripts)\n`))
 
   return new Promise((resolve) => {
-    // Use spawn without shell to avoid npm arborist bug triggered by shell escaping
     const proc = spawn(command, args, {
       stdio: 'inherit',
       shell: false
@@ -40,20 +41,6 @@ export async function runPackageManager(
     proc.stderr?.on('data', (d: Buffer) => { output += d.toString() })
 
     proc.on('close', (code) => {
-      // If npm fails with arborist error, try alternative approach
-      if (code !== 0 && command === 'npm') {
-        console.log(chalk.yellow('\n⚠️  npm encountered an error, trying with --no-audit --no-fund...\n'))
-        try {
-          // Try running npm without audit/fund which sometimes triggers arborist issues
-          const fallbackArgs = ['install', '--ignore-scripts', '--no-audit', '--no-fund', ...args.filter(a => a !== 'install' && a !== 'add' && a !== '--ignore-scripts')]
-          const result = execSync(`npm ${fallbackArgs.join(' ')}`, { stdio: 'inherit', encoding: 'utf-8' })
-          resolve({ success: true, output: result || '' })
-          return
-        } catch (e) {
-          // Fallback failed too
-        }
-      }
-      
       resolve({
         success: code === 0,
         output
@@ -61,3 +48,48 @@ export async function runPackageManager(
     })
   })
 }
+
+// Workaround for npm arborist bug: manually add to package.json then run npm install
+async function runNpmAddWithFallback(args: string[]): Promise<{ success: boolean; output: string }> {
+  const packages = args.filter(a => !a.startsWith('-') && a !== 'add')
+  
+  if (packages.length === 0) {
+    return { success: false, output: 'No packages specified' }
+  }
+
+  console.log(chalk.gray(`\n📦 Adding packages: ${packages.join(', ')}\n`))
+  console.log(chalk.gray(`Step 1: Adding to package.json...\n`))
+
+  try {
+    // Read package.json
+    const pkgPath = path.join(process.cwd(), 'package.json')
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))
+
+    // Add packages to dependencies
+    if (!pkg.dependencies) pkg.dependencies = {}
+    for (const pkgName of packages) {
+      // Extract package@version if specified
+      const match = pkgName.match(/^(@?[^@]+)(@.+)?$/)
+      const name = match ? match[1] : pkgName
+      const version = match && match[2] ? match[2] : 'latest'
+      pkg.dependencies[name] = version
+    }
+
+    // Write back
+    fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n')
+
+    console.log(chalk.gray(`Step 2: Running npm install --ignore-scripts...\n`))
+    
+    // Run npm install with --ignore-scripts
+    const result = execSync('npm install --ignore-scripts --no-audit --no-fund', {
+      stdio: 'inherit',
+      encoding: 'utf-8'
+    })
+
+    return { success: true, output: result || '' }
+  } catch (e) {
+    const errorMsg = e instanceof Error ? e.message : String(e)
+    console.error(chalk.red(`Error: ${errorMsg}`))
+    return { success: false, output: errorMsg }
+  }
+}

package/dist/ink-reporter.js

@@ -1,49 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.InkReporter = void 0;
-const react_1 = __importDefault(require("react"));
-const ink_1 = require("ink");
-function InkReporter({ results, verdicts }) {
-    const blocked = verdicts.filter(v => v.severity === 'CRITICAL' || v.severity === 'HIGH');
-    const warned = verdicts.filter(v => v.severity === 'WARN');
-    const clean = results.filter(r => r.events.length === 0);
-    return (<ink_1.Box flexDirection="column">
-      <ink_1.Box borderStyle="bold" borderColor="blue">
-        <ink_1.Text bold blue>  guardinstall — Security Report  </ink_1.Text>
-      </ink_1.Box>
-
-      <ink_1.Newline />
-
-      {blocked.length > 0 && (<ink_1.Box flexDirection="column">
-          <ink_1.Text bold color="red">🚨 BLOCKED ({blocked.length} packages):</ink_1.Text>
-          {blocked.map(v => (<ink_1.Box flexDirection="column" key={v.package}>
-              <ink_1.Text color="red">  ⚠  {v.package}</ink_1.Text>
-              {v.findings.map((f, i) => (<ink_1.Text key={i} color="red">     [{f.severity}] {f.message}</ink_1.Text>))}
-            </ink_1.Box>))}
-          <ink_1.Newline />
-        </ink_1.Box>)}
-
-      {warned.length > 0 && (<ink_1.Box flexDirection="column">
-          <ink_1.Text bold color="yellow">⚠️  WARNINGS ({warned.length} packages):</ink_1.Text>
-          {warned.map(v => (<ink_1.Box flexDirection="column" key={v.package}>
-              <ink_1.Text color="yellow">  {v.package}</ink_1.Text>
-              {v.findings.map((f, i) => (<ink_1.Text key={i} color="yellow">     [{f.severity}] {f.message}</ink_1.Text>))}
-            </ink_1.Box>))}
-          <ink_1.Newline />
-        </ink_1.Box>)}
-
-      {clean.length > 0 && (<ink_1.Box flexDirection="column">
-          <ink_1.Text bold color="green">✓ CLEAN ({clean.length} packages):</ink_1.Text>
-          {clean.map(r => (<ink_1.Text key={r.package} color="green">  ✓ {r.package}</ink_1.Text>))}
-          <ink_1.Newline />
-        </ink_1.Box>)}
-
-      <ink_1.Box borderStyle="bold" borderColor="blue">
-        <ink_1.Text bold blue>  End of Report  </ink_1.Text>
-      </ink_1.Box>
-    </ink_1.Box>);
-}
-exports.InkReporter = InkReporter;