@hasna/terminal 2.3.0 → 2.3.2

package/temp/rtk/ROADMAP.md

@@ -1,15 +0,0 @@
-# RTK Roadmap - 
-
-Stability & Reliability
-
-    Critical Fixes: Resolve bugs and stabilize Vitest/pnpm support.
-
-    Fork Strategy: Establish the fork as the new standard if upstream remains inactive.
-
-    Pro Tooling: Add a configuration file (TOML) and structured logging.
-
-    Easy Install: Launch a Homebrew formula and pre-compiled binaries for one-click setup.
-
-    Early Adoption: Prove token savings on real projects to onboard the first 5 teams.
-
----

package/temp/rtk/SECURITY.md

@@ -1,217 +0,0 @@
-# Security Policy
-
-## Reporting a Vulnerability
-
-If you discover a security vulnerability in RTK, please report it to the maintainers privately:
-
-- **Email**: security@rtk-ai.dev (or create a private security advisory on GitHub)
-- **Response time**: We aim to acknowledge reports within 48 hours
-- **Disclosure**: We follow responsible disclosure practices (90-day embargo)
-
-**Please do NOT:**
-- Open public GitHub issues for security vulnerabilities
-- Disclose vulnerabilities on social media or forums before we've had a chance to address them
-
----
-
-## Security Review Process for Pull Requests
-
-RTK is a CLI tool that executes shell commands and handles user input. PRs from external contributors undergo enhanced security review to protect against:
-
-- **Shell injection** (command execution vulnerabilities)
-- **Supply chain attacks** (malicious dependencies)
-- **Backdoors** (logic bombs, exfiltration code)
-- **Data leaks** (tracking.db exposure, telemetry abuse)
-
----
-
-## Automated Security Checks
-
-Every PR triggers our [`security-check.yml`](.github/workflows/security-check.yml) workflow:
-
-1. **Dependency audit** (`cargo audit`) - Detects known CVEs
-2. **Critical files alert** - Flags modifications to high-risk files
-3. **Dangerous pattern scan** - Regex-based detection of:
-   - Shell execution (`Command::new("sh")`)
-   - Environment manipulation (`.env("LD_PRELOAD")`)
-   - Network operations (`reqwest::`, `std::net::`)
-   - Unsafe code blocks
-   - Panic-inducing patterns (`.unwrap()` in production)
-4. **Clippy security lints** - Enforces Rust best practices
-
-Results are posted in the PR's GitHub Actions summary.
-
----
-
-## Critical Files Requiring Enhanced Review
-
-The following files are considered **high-risk** and trigger mandatory 2-reviewer approval:
-
-### Tier 1: Shell Execution & System Interaction
-- **`src/runner.rs`** - Shell command execution engine (primary injection vector)
-- **`src/summary.rs`** - Command output aggregation (data exfiltration risk)
-- **`src/tracking.rs`** - SQLite database operations (privacy/telemetry concerns)
-- **`src/discover/registry.rs`** - Rewrite logic for all commands (command injection risk via rewrite rules)
-- **`hooks/rtk-rewrite.sh`** / **`.claude/hooks/rtk-rewrite.sh`** - Thin delegator hook (executes in Claude Code context, intercepts all commands)
-
-### Tier 2: Input Validation
-- **`src/pnpm_cmd.rs`** - Package name validation (prevents injection via malicious names)
-- **`src/container.rs`** - Docker/container operations (privilege escalation risk)
-
-### Tier 3: Supply Chain & CI/CD
-- **`Cargo.toml`** - Dependency manifest (typosquatting, backdoored crates)
-- **`.github/workflows/*.yml`** - CI/CD pipelines (release tampering, secret exfiltration)
-
-**If your PR modifies ANY of these files**, expect:
-- Detailed manual security review
-- Request for clarification on design choices
-- Potentially slower merge timeline
-
----
-
-## Review Workflow
-
-### For External Contributors
-
-1. **Submit PR** → Automated `security-check.yml` runs
-2. **Review automated results** → Fix any flagged issues
-3. **Manual review** → Maintainer performs comprehensive security audit
-4. **Approval** → Merge (or request for changes)
-
-### For Maintainers
-
-Use the comprehensive security review process:
-
-```bash
-# If Claude Code available, run the dedicated skill:
-/rtk-pr-security <PR_NUMBER>
-
-# Manual review (without Claude):
-gh pr view <PR_NUMBER>
-gh pr diff <PR_NUMBER> > /tmp/pr.diff
-bash scripts/detect-dangerous-patterns.sh /tmp/pr.diff
-```
-
-**Review checklist:**
-- [ ] No critical files modified OR changes justified + reviewed by 2 maintainers
-- [ ] No dangerous patterns OR patterns explained + safe
-- [ ] No new dependencies OR deps audited on crates.io (downloads, maintainer, license)
-- [ ] PR description matches actual code changes (intent vs reality)
-- [ ] No logic bombs (time-based triggers, conditional backdoors)
-- [ ] Code quality acceptable (no unexplained complexity spikes)
-
----
-
-## Dangerous Patterns We Check For
-
-| Pattern | Risk | Example |
-|---------|------|---------|
-| `Command::new("sh")` | Shell injection | Spawns shell with user input |
-| `.env("LD_PRELOAD")` | Library hijacking | Preloads malicious shared libraries |
-| `reqwest::`, `std::net::` | Data exfiltration | Unexpected network operations |
-| `unsafe {` | Memory safety | Bypasses Rust's guarantees |
-| `.unwrap()` in `src/` | DoS via panic | Crashes on invalid input |
-| `SystemTime::now() > ...` | Logic bombs | Delayed malicious behavior |
-| Base64/hex strings | Obfuscation | Hides malicious URLs/commands |
-
-See [Dangerous Patterns Reference](https://github.com/rtk-ai/rtk/wiki/Dangerous-Patterns) for exploitation examples.
-
----
-
-## Dependency Security
-
-New dependencies added to `Cargo.toml` must meet these criteria:
-
-- **Downloads**: >10,000 on crates.io (or strong justification if lower)
-- **Maintainer**: Verified GitHub profile + track record of other crates
-- **License**: MIT or Apache-2.0 compatible
-- **Activity**: Recent commits (within 6 months)
-- **No typosquatting**: Manual verification against similar crate names
-
-**Red flags:**
-- Brand new crate (<1 month old) with low downloads
-- Anonymous maintainer with no GitHub history
-- Crate name suspiciously similar to popular crate (e.g., `serid` vs `serde`)
-- License change in recent versions
-
----
-
-## Security Best Practices for Contributors
-
-### Avoid These Anti-Patterns
-
-**❌ DON'T:**
-```rust
-// Shell injection risk
-let user_input = get_arg();
-Command::new("sh").arg("-c").arg(format!("echo {}", user_input)).output();
-
-// Panic on invalid input
-let path = std::env::args().nth(1).unwrap();
-
-// Hardcoded secrets
-const API_KEY: &str = "sk_live_1234567890abcdef";
-```
-
-**✅ DO:**
-```rust
-// No shell, direct binary execution
-let user_input = get_arg();
-Command::new("echo").arg(user_input).output();
-
-// Graceful error handling
-let path = std::env::args().nth(1).context("Missing path argument")?;
-
-// Env vars or config files for secrets
-let api_key = std::env::var("API_KEY").context("API_KEY not set")?;
-```
-
-### Error Handling Guidelines
-
-- Use `anyhow::Result<T>` with `.context()` for all error propagation
-- NEVER use `.unwrap()` in `src/` (tests are OK)
-- Prefer `.expect("descriptive message")` over `.unwrap()` if unavoidable
-- Use `?` operator instead of `unwrap()` for propagation
-
-### Input Validation
-
-- Validate all user input before passing to `Command`
-- Use allowlists for command flags (not denylists)
-- Canonicalize file paths to prevent traversal attacks
-- Sanitize package names with strict regex patterns
-
----
-
-## Disclosure Timeline
-
-When vulnerabilities are reported:
-
-1. **Day 0**: Acknowledgment sent to reporter
-2. **Day 7**: Maintainers assess severity and impact
-3. **Day 14**: Patch development begins
-4. **Day 30**: Patch released + CVE filed (if applicable)
-5. **Day 90**: Public disclosure (or earlier if patch is deployed)
-
-Critical vulnerabilities (remote code execution, data exfiltration) may be fast-tracked.
-
----
-
-## Security Tooling
-
-- **`cargo audit`** - Automated CVE scanning (runs in CI)
-- **`cargo deny`** - License compliance + banned dependencies
-- **`cargo clippy`** - Lints for unsafe patterns
-- **GitHub Dependabot** - Automated dependency updates
-- **GitHub Code Scanning** - Static analysis via CodeQL (planned)
-
----
-
-## Contact
-
-- **Security issues**: security@rtk-ai.dev
-- **General questions**: https://github.com/rtk-ai/rtk/discussions
-- **Maintainers**: @FlorianBruniaux (active fork maintainer)
-
----
-
-**Last updated**: 2026-03-05

package/temp/rtk/TEST_EXEC_TIME.md

@@ -1,102 +0,0 @@
-# Testing Execution Time Tracking
-
-## Quick Test
-
-```bash
-# 1. Install latest version
-cargo install --path .
-
-# 2. Run a few commands to populate data
-rtk git status
-rtk ls .
-rtk grep "tracking" src/
-
-# 3. Check gain stats (should show execution times)
-rtk gain
-
-# Expected output:
-# Total exec time:   XX.Xs (avg XXms)
-# By Command table should show Time column
-```
-
-## Detailed Test Scenarios
-
-### 1. Basic Time Tracking
-```bash
-# Run commands with different execution times
-rtk git log -10          # Fast (~10ms)
-rtk cargo test           # Slow (~300ms)
-rtk vitest run           # Very slow (seconds)
-
-# Verify times are recorded
-rtk gain
-# Should show different avg times per command
-```
-
-### 2. Daily Breakdown
-```bash
-rtk gain --daily
-
-# Expected:
-# Date column + Time column showing avg time per day
-# Today should have non-zero times
-# Historical data shows 0ms (no time recorded)
-```
-
-### 3. Export Formats
-
-**JSON Export:**
-```bash
-rtk gain --daily --format json | jq '.summary'
-
-# Should include:
-# "total_time_ms": 12345,
-# "avg_time_ms": 67
-```
-
-**CSV Export:**
-```bash
-rtk gain --daily --format csv
-
-# Headers should include:
-# date,commands,input_tokens,...,total_time_ms,avg_time_ms
-```
-
-### 4. Multiple Commands
-```bash
-# Run 10 commands and measure total time
-for i in {1..10}; do rtk git status; done
-
-rtk gain
-# Total exec time should be ~10-50ms (10 × 1-5ms)
-```
-
-## Verification Checklist
-
-- [ ] `rtk gain` shows "Total exec time: X (avg Yms)"
-- [ ] By Command table has "Time" column
-- [ ] `rtk gain --daily` shows time per day
-- [ ] JSON export includes `total_time_ms` and `avg_time_ms`
-- [ ] CSV export has time columns
-- [ ] New commands show realistic times (not 0ms)
-- [ ] Historical data preserved (old entries show 0ms)
-
-## Database Schema Verification
-
-```bash
-# Check SQLite schema includes exec_time_ms
-sqlite3 ~/.local/share/rtk/history.db "PRAGMA table_info(commands);"
-
-# Should show:
-# ...
-# 7|exec_time_ms|INTEGER|0|0|0
-```
-
-## Performance Impact
-
-The timer adds negligible overhead:
-- `Instant::now()` → ~10-50ns
-- `elapsed()` → ~10-50ns
-- SQLite insert with extra column → ~1-5µs
-
-Total overhead: **< 0.1ms per command**

package/temp/rtk/build.rs

@@ -1,57 +0,0 @@
-use std::collections::HashSet;
-use std::fs;
-use std::path::Path;
-
-fn main() {
-    let filters_dir = Path::new("src/filters");
-    let out_dir = std::env::var("OUT_DIR").expect("OUT_DIR must be set by Cargo");
-    let dest = Path::new(&out_dir).join("builtin_filters.toml");
-
-    // Rebuild when any file in src/filters/ changes
-    println!("cargo:rerun-if-changed=src/filters");
-
-    let mut files: Vec<_> = fs::read_dir(filters_dir)
-        .expect("src/filters/ directory must exist")
-        .filter_map(|e| e.ok())
-        .filter(|e| e.path().extension().is_some_and(|ext| ext == "toml"))
-        .collect();
-
-    // Sort alphabetically for deterministic filter ordering
-    files.sort_by_key(|e| e.file_name());
-
-    let mut combined = String::from("schema_version = 1\n\n");
-
-    for entry in &files {
-        let content = fs::read_to_string(entry.path())
-            .unwrap_or_else(|e| panic!("Failed to read {:?}: {}", entry.path(), e));
-        combined.push_str(&format!(
-            "# --- {} ---\n",
-            entry.file_name().to_string_lossy()
-        ));
-        combined.push_str(&content);
-        combined.push_str("\n\n");
-    }
-
-    // Validate: parse the combined TOML to catch errors at build time
-    let parsed: toml::Value = combined.parse().unwrap_or_else(|e| {
-        panic!(
-            "TOML validation failed for combined filters:\n{}\n\nCheck src/filters/*.toml files",
-            e
-        )
-    });
-
-    // Detect duplicate filter names across files
-    if let Some(filters) = parsed.get("filters").and_then(|f| f.as_table()) {
-        let mut seen: HashSet<String> = HashSet::new();
-        for key in filters.keys() {
-            if !seen.insert(key.clone()) {
-                panic!(
-                    "Duplicate filter name '{}' found across src/filters/*.toml files",
-                    key
-                );
-            }
-        }
-    }
-
-    fs::write(&dest, combined).expect("Failed to write combined builtin_filters.toml");
-}