@keystrokehq/cli 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (236) hide show
  1. package/dist/alias-RTYYYW3D-CLFgrowj.mjs +98 -0
  2. package/dist/alias-RTYYYW3D-CLFgrowj.mjs.map +1 -0
  3. package/dist/awk2-LA3USKJP-BbsfXVlR.mjs +2737 -0
  4. package/dist/awk2-LA3USKJP-BbsfXVlR.mjs.map +1 -0
  5. package/dist/base64-C2AIWVNC-C0WIgu5V.mjs +123 -0
  6. package/dist/base64-C2AIWVNC-C0WIgu5V.mjs.map +1 -0
  7. package/dist/basename-UB3CIYNI-BgNN3bGm.mjs +53 -0
  8. package/dist/basename-UB3CIYNI-BgNN3bGm.mjs.map +1 -0
  9. package/dist/bash-YZ33HQZQ-N6YyKtUH.mjs +118 -0
  10. package/dist/bash-YZ33HQZQ-N6YyKtUH.mjs.map +1 -0
  11. package/dist/cat-TSFMZVYS-Dz3-oHsV.mjs +63 -0
  12. package/dist/cat-TSFMZVYS-Dz3-oHsV.mjs.map +1 -0
  13. package/dist/chmod-TFEPA42X-YF02QJUv.mjs +125 -0
  14. package/dist/chmod-TFEPA42X-YF02QJUv.mjs.map +1 -0
  15. package/dist/chunk-27JIFWUR-B6ZjjMMI.mjs +100 -0
  16. package/dist/chunk-27JIFWUR-B6ZjjMMI.mjs.map +1 -0
  17. package/dist/chunk-4I3HOE5Z-BixWWVkW.mjs +719 -0
  18. package/dist/chunk-4I3HOE5Z-BixWWVkW.mjs.map +1 -0
  19. package/dist/chunk-4RUAZWKT-D60fyWAB.mjs +22543 -0
  20. package/dist/chunk-4RUAZWKT-D60fyWAB.mjs.map +1 -0
  21. package/dist/chunk-4WKZNNJK-CiwxAWRf.mjs +69 -0
  22. package/dist/chunk-4WKZNNJK-CiwxAWRf.mjs.map +1 -0
  23. package/dist/chunk-5H5SCKJM-BvfXlL01.mjs +606 -0
  24. package/dist/chunk-5H5SCKJM-BvfXlL01.mjs.map +1 -0
  25. package/dist/chunk-AQ6FYS2X-CkVetjym.mjs +37 -0
  26. package/dist/chunk-AQ6FYS2X-CkVetjym.mjs.map +1 -0
  27. package/dist/chunk-BZUGFHVS-CPWRFwK8.mjs +34 -0
  28. package/dist/chunk-BZUGFHVS-CPWRFwK8.mjs.map +1 -0
  29. package/dist/chunk-CHFEPBH4-BUdgjFtD.mjs +594 -0
  30. package/dist/chunk-CHFEPBH4-BUdgjFtD.mjs.map +1 -0
  31. package/dist/chunk-DLL7UR66-BUYgzxnR.mjs +14 -0
  32. package/dist/chunk-DLL7UR66-BUYgzxnR.mjs.map +1 -0
  33. package/dist/chunk-DiodbrVj.mjs +27 -0
  34. package/dist/chunk-EBAPSGAO-Ctfslw2R.mjs +247 -0
  35. package/dist/chunk-EBAPSGAO-Ctfslw2R.mjs.map +1 -0
  36. package/dist/chunk-FOCWZZDE-BIntqBh2.mjs +19 -0
  37. package/dist/chunk-FOCWZZDE-BIntqBh2.mjs.map +1 -0
  38. package/dist/chunk-HBVMHTO5-CJyD-QZX.mjs +10 -0
  39. package/dist/chunk-HBVMHTO5-CJyD-QZX.mjs.map +1 -0
  40. package/dist/chunk-L2UW7DWF-B3tEHhPF.mjs +14 -0
  41. package/dist/chunk-L2UW7DWF-B3tEHhPF.mjs.map +1 -0
  42. package/dist/chunk-L64BMZUV-CyR7RKok.mjs +30 -0
  43. package/dist/chunk-L64BMZUV-CyR7RKok.mjs.map +1 -0
  44. package/dist/chunk-LEKBROJD-CJMrAyu9.mjs +3113 -0
  45. package/dist/chunk-LEKBROJD-CJMrAyu9.mjs.map +1 -0
  46. package/dist/chunk-NRSASXYY-CuWyREpD.mjs +41 -0
  47. package/dist/chunk-NRSASXYY-CuWyREpD.mjs.map +1 -0
  48. package/dist/chunk-QAYAQNCG-Bl0Kbd53.mjs +63 -0
  49. package/dist/chunk-QAYAQNCG-Bl0Kbd53.mjs.map +1 -0
  50. package/dist/chunk-QIQMJJZ4-BwKdslXs.mjs +93 -0
  51. package/dist/chunk-QIQMJJZ4-BwKdslXs.mjs.map +1 -0
  52. package/dist/chunk-SAI2SPQQ-CVRoDNs9.mjs +26 -0
  53. package/dist/chunk-SAI2SPQQ-CVRoDNs9.mjs.map +1 -0
  54. package/dist/chunk-SO6R3ZKN-tTw_RMDX.mjs +140 -0
  55. package/dist/chunk-SO6R3ZKN-tTw_RMDX.mjs.map +1 -0
  56. package/dist/chunk-STHBFACM-lyj-j2a-.mjs +8 -0
  57. package/dist/chunk-STHBFACM-lyj-j2a-.mjs.map +1 -0
  58. package/dist/chunk-SX2HC7SO-Cc4Hpis1.mjs +20 -0
  59. package/dist/chunk-SX2HC7SO-Cc4Hpis1.mjs.map +1 -0
  60. package/dist/chunk-TDD4NFYE-wsWW75MX.mjs +21 -0
  61. package/dist/chunk-TDD4NFYE-wsWW75MX.mjs.map +1 -0
  62. package/dist/chunk-TN7HHBQW-CSB_R-XD.mjs +1137 -0
  63. package/dist/chunk-TN7HHBQW-CSB_R-XD.mjs.map +1 -0
  64. package/dist/chunk-VPADYNBD-BKlA28GJ.mjs +122 -0
  65. package/dist/chunk-VPADYNBD-BKlA28GJ.mjs.map +1 -0
  66. package/dist/chunk-W5DWRFSU-lCyWk0ph.mjs +11 -0
  67. package/dist/chunk-W5DWRFSU-lCyWk0ph.mjs.map +1 -0
  68. package/dist/chunk-WNH3HOQA-BCZUOjCJ.mjs +34 -0
  69. package/dist/chunk-WNH3HOQA-BCZUOjCJ.mjs.map +1 -0
  70. package/dist/chunk-XRFHFXFP-BGxzVZgK.mjs +16 -0
  71. package/dist/chunk-XRFHFXFP-BGxzVZgK.mjs.map +1 -0
  72. package/dist/chunk-YCLFEX4T-COc1AThz.mjs +77 -0
  73. package/dist/chunk-YCLFEX4T-COc1AThz.mjs.map +1 -0
  74. package/dist/clear-HKGFEOF6-CekN2x-O.mjs +28 -0
  75. package/dist/clear-HKGFEOF6-CekN2x-O.mjs.map +1 -0
  76. package/dist/column-XT6UFXNQ-DHENV9D2.mjs +143 -0
  77. package/dist/column-XT6UFXNQ-DHENV9D2.mjs.map +1 -0
  78. package/dist/comm-VV2LDX2J-ppxDJFkY.mjs +87 -0
  79. package/dist/comm-VV2LDX2J-ppxDJFkY.mjs.map +1 -0
  80. package/dist/cp-BISAAS7A-CMWayU4n.mjs +106 -0
  81. package/dist/cp-BISAAS7A-CMWayU4n.mjs.map +1 -0
  82. package/dist/cut-OKARJCCV-Bt8b58eI.mjs +119 -0
  83. package/dist/cut-OKARJCCV-Bt8b58eI.mjs.map +1 -0
  84. package/dist/date-UUUPW43J-B7T5OTZZ.mjs +188 -0
  85. package/dist/date-UUUPW43J-B7T5OTZZ.mjs.map +1 -0
  86. package/dist/diff-MWJFIG7X-DhnPc_5r.mjs +755 -0
  87. package/dist/diff-MWJFIG7X-DhnPc_5r.mjs.map +1 -0
  88. package/dist/dirname-MPHRFUTI-Dkb3S4OX.mjs +43 -0
  89. package/dist/dirname-MPHRFUTI-Dkb3S4OX.mjs.map +1 -0
  90. package/dist/{dist-DjfxlOWX.mjs → dist-C47GdlWY.mjs} +18 -93
  91. package/dist/{dist-DjfxlOWX.mjs.map → dist-C47GdlWY.mjs.map} +1 -1
  92. package/dist/{dist-DWcRd4Se.mjs → dist-CJL2zYbP.mjs} +4 -71
  93. package/dist/dist-CJL2zYbP.mjs.map +1 -0
  94. package/dist/dist-Ch53z2P3.mjs +3 -0
  95. package/dist/dist-CwR72_PS.mjs +1887 -0
  96. package/dist/dist-CwR72_PS.mjs.map +1 -0
  97. package/dist/du-572XNP42-ClP4jXB1.mjs +176 -0
  98. package/dist/du-572XNP42-ClP4jXB1.mjs.map +1 -0
  99. package/dist/echo-NDWZZHPO-CCp_-MxA.mjs +137 -0
  100. package/dist/echo-NDWZZHPO-CCp_-MxA.mjs.map +1 -0
  101. package/dist/env-36M5BO7M-CsP_aiWr.mjs +119 -0
  102. package/dist/env-36M5BO7M-CsP_aiWr.mjs.map +1 -0
  103. package/dist/expand-JSPG6VOP-B-YUvYpu.mjs +145 -0
  104. package/dist/expand-JSPG6VOP-B-YUvYpu.mjs.map +1 -0
  105. package/dist/expr-5JAACS4X-1TBq84gG.mjs +153 -0
  106. package/dist/expr-5JAACS4X-1TBq84gG.mjs.map +1 -0
  107. package/dist/file-IPZJC3FQ-DcZNOWyY.mjs +4201 -0
  108. package/dist/file-IPZJC3FQ-DcZNOWyY.mjs.map +1 -0
  109. package/dist/find-INTH3OLC-6p47KeeT.mjs +1332 -0
  110. package/dist/find-INTH3OLC-6p47KeeT.mjs.map +1 -0
  111. package/dist/fold-4TQNYMSW-C54bHzLd.mjs +138 -0
  112. package/dist/fold-4TQNYMSW-C54bHzLd.mjs.map +1 -0
  113. package/dist/grep-V3LQVMRQ-D99Bq7Kj.mjs +335 -0
  114. package/dist/grep-V3LQVMRQ-D99Bq7Kj.mjs.map +1 -0
  115. package/dist/gzip-O5ASJAFY-CZDRROqP.mjs +592 -0
  116. package/dist/gzip-O5ASJAFY-CZDRROqP.mjs.map +1 -0
  117. package/dist/head-442HYESI-D96RMdki.mjs +36 -0
  118. package/dist/head-442HYESI-D96RMdki.mjs.map +1 -0
  119. package/dist/help-HZ6M2CKN--DK8mY2L.mjs +123 -0
  120. package/dist/help-HZ6M2CKN--DK8mY2L.mjs.map +1 -0
  121. package/dist/history-WYYKSLSZ-ACNQVupn.mjs +48 -0
  122. package/dist/history-WYYKSLSZ-ACNQVupn.mjs.map +1 -0
  123. package/dist/hostname-C4HQXXUP-CXVVFkUK.mjs +24 -0
  124. package/dist/hostname-C4HQXXUP-CXVVFkUK.mjs.map +1 -0
  125. package/dist/html-to-markdown-JW4MSQZO-DQOxFIvF.mjs +15890 -0
  126. package/dist/html-to-markdown-JW4MSQZO-DQOxFIvF.mjs.map +1 -0
  127. package/dist/index.mjs +9 -9
  128. package/dist/join-TBRGI3LQ-B8I9tkJ5.mjs +198 -0
  129. package/dist/join-TBRGI3LQ-B8I9tkJ5.mjs.map +1 -0
  130. package/dist/jq-4XLYLOS5-wFZYfsfJ.mjs +257 -0
  131. package/dist/jq-4XLYLOS5-wFZYfsfJ.mjs.map +1 -0
  132. package/dist/js-exec-N5KEZBH7-CgtG-I6s.mjs +333 -0
  133. package/dist/js-exec-N5KEZBH7-CgtG-I6s.mjs.map +1 -0
  134. package/dist/lib-D4GpdNNK.mjs +45 -0
  135. package/dist/lib-D4GpdNNK.mjs.map +1 -0
  136. package/dist/ln-4LGSXXGD-Dg0R9i5G.mjs +101 -0
  137. package/dist/ln-4LGSXXGD-Dg0R9i5G.mjs.map +1 -0
  138. package/dist/ls-ZJGQER7M-DLDSfI4x.mjs +1891 -0
  139. package/dist/ls-ZJGQER7M-DLDSfI4x.mjs.map +1 -0
  140. package/dist/lzma-CTMDi254.mjs +1135 -0
  141. package/dist/lzma-CTMDi254.mjs.map +1 -0
  142. package/dist/{maybe-auto-update-Ou7H6dXT.mjs → maybe-auto-update-B0kal2FM.mjs} +2 -2
  143. package/dist/{maybe-auto-update-Ou7H6dXT.mjs.map → maybe-auto-update-B0kal2FM.mjs.map} +1 -1
  144. package/dist/md5sum-SPU24VSG-DQc8sqXO.mjs +16 -0
  145. package/dist/md5sum-SPU24VSG-DQc8sqXO.mjs.map +1 -0
  146. package/dist/mkdir-MEPGZOB6-BjUKzhdL.mjs +58 -0
  147. package/dist/mkdir-MEPGZOB6-BjUKzhdL.mjs.map +1 -0
  148. package/dist/mv-W5BIQ646-CdSIyY-U.mjs +93 -0
  149. package/dist/mv-W5BIQ646-CdSIyY-U.mjs.map +1 -0
  150. package/dist/nl-WSDW7I4O-DmtCnyKU.mjs +208 -0
  151. package/dist/nl-WSDW7I4O-DmtCnyKU.mjs.map +1 -0
  152. package/dist/od-WOKFDJTP-DZ2nxQNJ.mjs +73 -0
  153. package/dist/od-WOKFDJTP-DZ2nxQNJ.mjs.map +1 -0
  154. package/dist/paste-7JC6S4DX-CtmM5Qy8.mjs +113 -0
  155. package/dist/paste-7JC6S4DX-CtmM5Qy8.mjs.map +1 -0
  156. package/dist/printf-TWGXF445-B7cTysaa.mjs +880 -0
  157. package/dist/printf-TWGXF445-B7cTysaa.mjs.map +1 -0
  158. package/dist/pwd-WE6EN5AV-CO8o2WQS.mjs +34 -0
  159. package/dist/pwd-WE6EN5AV-CO8o2WQS.mjs.map +1 -0
  160. package/dist/python3-POMOR4OA-CKy80mpF.mjs +299 -0
  161. package/dist/python3-POMOR4OA-CKy80mpF.mjs.map +1 -0
  162. package/dist/readlink-OPJF4DL5-Rc1Mz_Xx.mjs +76 -0
  163. package/dist/readlink-OPJF4DL5-Rc1Mz_Xx.mjs.map +1 -0
  164. package/dist/rev-5EHFX4EJ-3dd9vwHW.mjs +66 -0
  165. package/dist/rev-5EHFX4EJ-3dd9vwHW.mjs.map +1 -0
  166. package/dist/rg-S4FXYXWB-BbXVo6JX.mjs +1539 -0
  167. package/dist/rg-S4FXYXWB-BbXVo6JX.mjs.map +1 -0
  168. package/dist/rm-SSGETQVQ-Ch53Rmrr.mjs +81 -0
  169. package/dist/rm-SSGETQVQ-Ch53Rmrr.mjs.map +1 -0
  170. package/dist/rmdir-OC4ZLPYA-D3QCHlIB.mjs +132 -0
  171. package/dist/rmdir-OC4ZLPYA-D3QCHlIB.mjs.map +1 -0
  172. package/dist/sed-S5UIK574-DE1KeTk3.mjs +1722 -0
  173. package/dist/sed-S5UIK574-DE1KeTk3.mjs.map +1 -0
  174. package/dist/seq-M5EC7Q57-BHfGjQvK.mjs +85 -0
  175. package/dist/seq-M5EC7Q57-BHfGjQvK.mjs.map +1 -0
  176. package/dist/sha1sum-2PTOAFR6-DNjSNcYK.mjs +16 -0
  177. package/dist/sha1sum-2PTOAFR6-DNjSNcYK.mjs.map +1 -0
  178. package/dist/sha256sum-NS7D3IXX-BMaCKkT5.mjs +16 -0
  179. package/dist/sha256sum-NS7D3IXX-BMaCKkT5.mjs.map +1 -0
  180. package/dist/sleep-X22JJINO-Do5hEQQW.mjs +67 -0
  181. package/dist/sleep-X22JJINO-Do5hEQQW.mjs.map +1 -0
  182. package/dist/sort-SW2YEO5B-B7j1zw8k.mjs +320 -0
  183. package/dist/sort-SW2YEO5B-B7j1zw8k.mjs.map +1 -0
  184. package/dist/split-4KKZZXXE-h8GD4HP4.mjs +248 -0
  185. package/dist/split-4KKZZXXE-h8GD4HP4.mjs.map +1 -0
  186. package/dist/sqlite3-CGOEFJAO-DvzzghDg.mjs +2879 -0
  187. package/dist/sqlite3-CGOEFJAO-DvzzghDg.mjs.map +1 -0
  188. package/dist/stat-CD34IZ4P-B5ZOJh4J.mjs +65 -0
  189. package/dist/stat-CD34IZ4P-B5ZOJh4J.mjs.map +1 -0
  190. package/dist/strings-6WDHLGMX-DdiEdoL-.mjs +179 -0
  191. package/dist/strings-6WDHLGMX-DdiEdoL-.mjs.map +1 -0
  192. package/dist/tac-2STMMJYW-DPyeWM9R.mjs +53 -0
  193. package/dist/tac-2STMMJYW-DPyeWM9R.mjs.map +1 -0
  194. package/dist/tail-R4PCA2C4-CUfroNeu.mjs +37 -0
  195. package/dist/tail-R4PCA2C4-CUfroNeu.mjs.map +1 -0
  196. package/dist/tar-STHHZTZ6-DRf60e-G.mjs +2838 -0
  197. package/dist/tar-STHHZTZ6-DRf60e-G.mjs.map +1 -0
  198. package/dist/tee-YUZ2FKCJ-po_dfyc_.mjs +46 -0
  199. package/dist/tee-YUZ2FKCJ-po_dfyc_.mjs.map +1 -0
  200. package/dist/time-D4LNBSWX-DVWhAldK.mjs +112 -0
  201. package/dist/time-D4LNBSWX-DVWhAldK.mjs.map +1 -0
  202. package/dist/timeout-YDCRSLPQ-B_yntmXU.mjs +113 -0
  203. package/dist/timeout-YDCRSLPQ-B_yntmXU.mjs.map +1 -0
  204. package/dist/touch-UA33VN3N-oW1SBT1r.mjs +104 -0
  205. package/dist/touch-UA33VN3N-oW1SBT1r.mjs.map +1 -0
  206. package/dist/tr-36LHWFRQ-CTq3z6wq.mjs +167 -0
  207. package/dist/tr-36LHWFRQ-CTq3z6wq.mjs.map +1 -0
  208. package/dist/tree-YLD52CNT-CIozNsLQ.mjs +186 -0
  209. package/dist/tree-YLD52CNT-CIozNsLQ.mjs.map +1 -0
  210. package/dist/true-FHQXJXBE-DsJOznSp.mjs +31 -0
  211. package/dist/true-FHQXJXBE-DsJOznSp.mjs.map +1 -0
  212. package/dist/unexpand-CADSA4VO-Cq9DTcUg.mjs +155 -0
  213. package/dist/unexpand-CADSA4VO-Cq9DTcUg.mjs.map +1 -0
  214. package/dist/uniq-XSIZR6PB-D5lt-IXF.mjs +92 -0
  215. package/dist/uniq-XSIZR6PB-D5lt-IXF.mjs.map +1 -0
  216. package/dist/{version-n-JpPeUF.mjs → version-Dxl3y5p6.mjs} +2 -2
  217. package/dist/{version-n-JpPeUF.mjs.map → version-Dxl3y5p6.mjs.map} +1 -1
  218. package/dist/wc-LF7NU4LA-BFPabrwD.mjs +111 -0
  219. package/dist/wc-LF7NU4LA-BFPabrwD.mjs.map +1 -0
  220. package/dist/which-XEM24D5D-2LvlkpUo.mjs +62 -0
  221. package/dist/which-XEM24D5D-2LvlkpUo.mjs.map +1 -0
  222. package/dist/whoami-XMTX52VE-24Kwqrk6.mjs +24 -0
  223. package/dist/whoami-XMTX52VE-24Kwqrk6.mjs.map +1 -0
  224. package/dist/xan-Y6WF3IRG-DjKO96Pj.mjs +2832 -0
  225. package/dist/xan-Y6WF3IRG-DjKO96Pj.mjs.map +1 -0
  226. package/dist/xan-view-HDVKHFC2-DhDNVE_V.mjs +12 -0
  227. package/dist/xan-view-HDVKHFC2-DhDNVE_V.mjs.map +1 -0
  228. package/dist/xargs-MGZPH7AX-D2bIgrdg.mjs +112 -0
  229. package/dist/xargs-MGZPH7AX-D2bIgrdg.mjs.map +1 -0
  230. package/dist/yq-4QJW3EQG-XhB3aACo.mjs +8610 -0
  231. package/dist/yq-4QJW3EQG-XhB3aACo.mjs.map +1 -0
  232. package/package.json +1 -1
  233. package/dist/dist-DWcRd4Se.mjs.map +0 -1
  234. package/dist/dist-DitNZUHA.mjs +0 -3
  235. package/dist/dist-vwoMCz6d.mjs +0 -775
  236. package/dist/dist-vwoMCz6d.mjs.map +0 -1
@@ -0,0 +1,1137 @@
1
+ #!/usr/bin/env node
2
+ import { t as m$1 } from "./chunk-BZUGFHVS-CPWRFwK8.mjs";
3
+ import { createRequire } from "node:module";
4
+ //#region ../../node_modules/.pnpm/just-bash@3.0.1/node_modules/just-bash/dist/bundle/chunks/chunk-TN7HHBQW.js
5
+ createRequire(import.meta.url);
6
+ function v() {
7
+ let a = [
8
+ {
9
+ prop: "Function",
10
+ target: globalThis,
11
+ violationType: "function_constructor",
12
+ strategy: "throw",
13
+ reason: "Function constructor allows arbitrary code execution"
14
+ },
15
+ {
16
+ prop: "eval",
17
+ target: globalThis,
18
+ violationType: "eval",
19
+ strategy: "throw",
20
+ reason: "eval() allows arbitrary code execution"
21
+ },
22
+ {
23
+ prop: "setTimeout",
24
+ target: globalThis,
25
+ violationType: "setTimeout",
26
+ strategy: "throw",
27
+ reason: "setTimeout with string argument allows code execution"
28
+ },
29
+ {
30
+ prop: "setInterval",
31
+ target: globalThis,
32
+ violationType: "setInterval",
33
+ strategy: "throw",
34
+ reason: "setInterval with string argument allows code execution"
35
+ },
36
+ {
37
+ prop: "setImmediate",
38
+ target: globalThis,
39
+ violationType: "setImmediate",
40
+ strategy: "throw",
41
+ reason: "setImmediate could be used to escape sandbox context"
42
+ },
43
+ {
44
+ prop: "env",
45
+ target: process,
46
+ violationType: "process_env",
47
+ strategy: "throw",
48
+ reason: "process.env could leak sensitive environment variables",
49
+ allowedKeys: new Set([
50
+ "NODE_V8_COVERAGE",
51
+ "NODE_DEBUG",
52
+ "NODE_DEBUG_NATIVE",
53
+ "NODE_COMPILE_CACHE",
54
+ "WATCH_REPORT_DEPENDENCIES",
55
+ "FORCE_COLOR",
56
+ "DEBUG",
57
+ "UNDICI_NO_FG",
58
+ "JEST_WORKER_ID",
59
+ "__MINIMATCH_TESTING_PLATFORM__",
60
+ "LOG_TOKENS",
61
+ "LOG_STREAM"
62
+ ])
63
+ },
64
+ {
65
+ prop: "binding",
66
+ target: process,
67
+ violationType: "process_binding",
68
+ strategy: "throw",
69
+ reason: "process.binding provides access to native Node.js modules"
70
+ },
71
+ {
72
+ prop: "_linkedBinding",
73
+ target: process,
74
+ violationType: "process_binding",
75
+ strategy: "throw",
76
+ reason: "process._linkedBinding provides access to native Node.js modules"
77
+ },
78
+ {
79
+ prop: "dlopen",
80
+ target: process,
81
+ violationType: "process_dlopen",
82
+ strategy: "throw",
83
+ reason: "process.dlopen allows loading native addons"
84
+ },
85
+ {
86
+ prop: "getBuiltinModule",
87
+ target: process,
88
+ violationType: "process_get_builtin_module",
89
+ strategy: "throw",
90
+ reason: "process.getBuiltinModule allows loading native Node.js modules (fs, child_process, vm)"
91
+ },
92
+ {
93
+ prop: "exit",
94
+ target: process,
95
+ violationType: "process_exit",
96
+ strategy: "throw",
97
+ reason: "process.exit could terminate the interpreter"
98
+ },
99
+ {
100
+ prop: "abort",
101
+ target: process,
102
+ violationType: "process_exit",
103
+ strategy: "throw",
104
+ reason: "process.abort could crash the interpreter"
105
+ },
106
+ {
107
+ prop: "kill",
108
+ target: process,
109
+ violationType: "process_kill",
110
+ strategy: "throw",
111
+ reason: "process.kill could signal other processes"
112
+ },
113
+ {
114
+ prop: "setuid",
115
+ target: process,
116
+ violationType: "process_setuid",
117
+ strategy: "throw",
118
+ reason: "process.setuid could escalate privileges"
119
+ },
120
+ {
121
+ prop: "setgid",
122
+ target: process,
123
+ violationType: "process_setuid",
124
+ strategy: "throw",
125
+ reason: "process.setgid could escalate privileges"
126
+ },
127
+ {
128
+ prop: "seteuid",
129
+ target: process,
130
+ violationType: "process_setuid",
131
+ strategy: "throw",
132
+ reason: "process.seteuid could escalate effective user privileges"
133
+ },
134
+ {
135
+ prop: "setegid",
136
+ target: process,
137
+ violationType: "process_setuid",
138
+ strategy: "throw",
139
+ reason: "process.setegid could escalate effective group privileges"
140
+ },
141
+ {
142
+ prop: "initgroups",
143
+ target: process,
144
+ violationType: "process_setuid",
145
+ strategy: "throw",
146
+ reason: "process.initgroups could modify supplementary group IDs"
147
+ },
148
+ {
149
+ prop: "setgroups",
150
+ target: process,
151
+ violationType: "process_setuid",
152
+ strategy: "throw",
153
+ reason: "process.setgroups could modify supplementary group IDs"
154
+ },
155
+ {
156
+ prop: "umask",
157
+ target: process,
158
+ violationType: "process_umask",
159
+ strategy: "throw",
160
+ reason: "process.umask could modify file creation permissions"
161
+ },
162
+ {
163
+ prop: "argv",
164
+ target: process,
165
+ violationType: "process_argv",
166
+ strategy: "throw",
167
+ reason: "process.argv may contain secrets in CLI arguments"
168
+ },
169
+ {
170
+ prop: "cwd",
171
+ target: process,
172
+ violationType: "process_chdir",
173
+ strategy: "throw",
174
+ reason: "process.cwd could disclose real host working directory path"
175
+ },
176
+ {
177
+ prop: "chdir",
178
+ target: process,
179
+ violationType: "process_chdir",
180
+ strategy: "throw",
181
+ reason: "process.chdir could confuse the interpreter's CWD tracking"
182
+ },
183
+ {
184
+ prop: "report",
185
+ target: process,
186
+ violationType: "process_report",
187
+ strategy: "throw",
188
+ reason: "process.report could disclose full environment, host paths, and system info"
189
+ },
190
+ {
191
+ prop: "loadEnvFile",
192
+ target: process,
193
+ violationType: "process_env",
194
+ strategy: "throw",
195
+ reason: "process.loadEnvFile could load env files bypassing env proxy"
196
+ },
197
+ {
198
+ prop: "setUncaughtExceptionCaptureCallback",
199
+ target: process,
200
+ violationType: "process_exception_handler",
201
+ strategy: "throw",
202
+ reason: "setUncaughtExceptionCaptureCallback could intercept security errors"
203
+ },
204
+ {
205
+ prop: "send",
206
+ target: process,
207
+ violationType: "process_send",
208
+ strategy: "throw",
209
+ reason: "process.send could communicate with parent process in IPC contexts"
210
+ },
211
+ {
212
+ prop: "channel",
213
+ target: process,
214
+ violationType: "process_channel",
215
+ strategy: "throw",
216
+ reason: "process.channel could access IPC channel to parent process"
217
+ },
218
+ {
219
+ prop: "cpuUsage",
220
+ target: process,
221
+ violationType: "process_timing",
222
+ strategy: "throw",
223
+ reason: "process.cpuUsage could enable timing side-channel attacks"
224
+ },
225
+ {
226
+ prop: "memoryUsage",
227
+ target: process,
228
+ violationType: "process_timing",
229
+ strategy: "throw",
230
+ reason: "process.memoryUsage could enable timing side-channel attacks"
231
+ },
232
+ {
233
+ prop: "hrtime",
234
+ target: process,
235
+ violationType: "process_timing",
236
+ strategy: "throw",
237
+ reason: "process.hrtime could enable timing side-channel attacks"
238
+ },
239
+ {
240
+ prop: "WeakRef",
241
+ target: globalThis,
242
+ violationType: "weak_ref",
243
+ strategy: "throw",
244
+ reason: "WeakRef could be used to leak references outside sandbox"
245
+ },
246
+ {
247
+ prop: "FinalizationRegistry",
248
+ target: globalThis,
249
+ violationType: "finalization_registry",
250
+ strategy: "throw",
251
+ reason: "FinalizationRegistry could be used to leak references outside sandbox"
252
+ },
253
+ {
254
+ prop: "Reflect",
255
+ target: globalThis,
256
+ violationType: "reflect",
257
+ strategy: "freeze",
258
+ reason: "Reflect provides introspection capabilities"
259
+ },
260
+ {
261
+ prop: "Proxy",
262
+ target: globalThis,
263
+ violationType: "proxy",
264
+ strategy: "throw",
265
+ reason: "Proxy allows intercepting and modifying object behavior"
266
+ },
267
+ {
268
+ prop: "WebAssembly",
269
+ target: globalThis,
270
+ violationType: "webassembly",
271
+ strategy: "throw",
272
+ reason: "WebAssembly allows executing arbitrary compiled code"
273
+ },
274
+ {
275
+ prop: "SharedArrayBuffer",
276
+ target: globalThis,
277
+ violationType: "shared_array_buffer",
278
+ strategy: "throw",
279
+ reason: "SharedArrayBuffer could enable side-channel communication or timing attacks"
280
+ },
281
+ {
282
+ prop: "Atomics",
283
+ target: globalThis,
284
+ violationType: "atomics",
285
+ strategy: "throw",
286
+ reason: "Atomics could enable side-channel communication or timing attacks"
287
+ },
288
+ {
289
+ prop: "performance",
290
+ target: globalThis,
291
+ violationType: "performance_timing",
292
+ strategy: "throw",
293
+ reason: "performance.now() provides sub-millisecond timing for side-channel attacks"
294
+ },
295
+ {
296
+ prop: "stdout",
297
+ target: process,
298
+ violationType: "process_stdout",
299
+ strategy: "throw",
300
+ reason: "process.stdout could bypass interpreter output to write to host stdout"
301
+ },
302
+ {
303
+ prop: "stderr",
304
+ target: process,
305
+ violationType: "process_stderr",
306
+ strategy: "throw",
307
+ reason: "process.stderr could bypass interpreter output to write to host stderr"
308
+ },
309
+ {
310
+ prop: "__defineGetter__",
311
+ target: Object.prototype,
312
+ violationType: "prototype_mutation",
313
+ strategy: "throw",
314
+ reason: "__defineGetter__ allows prototype pollution via getter injection"
315
+ },
316
+ {
317
+ prop: "__defineSetter__",
318
+ target: Object.prototype,
319
+ violationType: "prototype_mutation",
320
+ strategy: "throw",
321
+ reason: "__defineSetter__ allows prototype pollution via setter injection"
322
+ },
323
+ {
324
+ prop: "__lookupGetter__",
325
+ target: Object.prototype,
326
+ violationType: "prototype_mutation",
327
+ strategy: "throw",
328
+ reason: "__lookupGetter__ enables introspection for prototype pollution attacks"
329
+ },
330
+ {
331
+ prop: "__lookupSetter__",
332
+ target: Object.prototype,
333
+ violationType: "prototype_mutation",
334
+ strategy: "throw",
335
+ reason: "__lookupSetter__ enables introspection for prototype pollution attacks"
336
+ },
337
+ {
338
+ prop: "JSON",
339
+ target: globalThis,
340
+ violationType: "json_mutation",
341
+ strategy: "freeze",
342
+ reason: "Freeze JSON to prevent mutation of parsing/serialization"
343
+ },
344
+ {
345
+ prop: "Math",
346
+ target: globalThis,
347
+ violationType: "math_mutation",
348
+ strategy: "freeze",
349
+ reason: "Freeze Math to prevent mutation of math utilities"
350
+ }
351
+ ];
352
+ try {
353
+ let e = Object.getPrototypeOf(async () => {}).constructor;
354
+ e && e !== Function && a.push({
355
+ prop: "constructor",
356
+ target: Object.getPrototypeOf(async () => {}),
357
+ violationType: "async_function_constructor",
358
+ strategy: "throw",
359
+ reason: "AsyncFunction constructor allows arbitrary async code execution"
360
+ });
361
+ } catch {}
362
+ try {
363
+ let e = Object.getPrototypeOf(function* () {}).constructor;
364
+ e && e !== Function && a.push({
365
+ prop: "constructor",
366
+ target: Object.getPrototypeOf(function* () {}),
367
+ violationType: "generator_function_constructor",
368
+ strategy: "throw",
369
+ reason: "GeneratorFunction constructor allows arbitrary generator code execution"
370
+ });
371
+ } catch {}
372
+ try {
373
+ let e = Object.getPrototypeOf(async function* () {}).constructor;
374
+ e && e !== Function && e !== Object.getPrototypeOf(async () => {}).constructor && a.push({
375
+ prop: "constructor",
376
+ target: Object.getPrototypeOf(async function* () {}),
377
+ violationType: "async_generator_function_constructor",
378
+ strategy: "throw",
379
+ reason: "AsyncGeneratorFunction constructor allows arbitrary async generator code execution"
380
+ });
381
+ } catch {}
382
+ return a.filter((e) => {
383
+ try {
384
+ return e.target[e.prop] !== void 0;
385
+ } catch {
386
+ return !1;
387
+ }
388
+ });
389
+ }
390
+ var f = typeof __BROWSER__ < "u" && __BROWSER__;
391
+ function w() {
392
+ return typeof crypto < "u" && crypto.randomUUID ? crypto.randomUUID() : "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (a) => {
393
+ let e = Math.random() * 16 | 0;
394
+ return (a === "x" ? e : e & 3 | 8).toString(16);
395
+ });
396
+ }
397
+ var x = null;
398
+ if (!f) try {
399
+ let { AsyncLocalStorage: a } = m$1("node:async_hooks");
400
+ x = a;
401
+ } catch {}
402
+ var k = `
403
+
404
+ This is a defense-in-depth measure and indicates a bug in just-bash. Please report this at security@vercel.com`, d = class extends Error {
405
+ violation;
406
+ constructor(e, t) {
407
+ super(e + k), this.violation = t, this.name = "SecurityViolationError";
408
+ }
409
+ }, u = !f && x ? new x() : null, T = 1e3;
410
+ function D(a, e, ...t) {
411
+ return u.run(a, () => e(...t));
412
+ }
413
+ var m = {
414
+ enabled: !0,
415
+ auditMode: !1
416
+ };
417
+ function E(a) {
418
+ return a === void 0 ? {
419
+ ...m,
420
+ enabled: !1
421
+ } : typeof a == "boolean" ? {
422
+ ...m,
423
+ enabled: a
424
+ } : {
425
+ ...m,
426
+ ...a
427
+ };
428
+ }
429
+ var _ = class a {
430
+ static instance = null;
431
+ static importHooksRegistered = !1;
432
+ static trustedExecutionDepth = /* @__PURE__ */ new Map();
433
+ config;
434
+ refCount = 0;
435
+ patchFailures = [];
436
+ activeExecutionIds = /* @__PURE__ */ new Set();
437
+ contextCache = /* @__PURE__ */ new Map();
438
+ originalDescriptors = [];
439
+ violations = [];
440
+ activationTime = 0;
441
+ totalActiveTimeMs = 0;
442
+ constructor(e) {
443
+ this.config = e;
444
+ }
445
+ static getInstance(e) {
446
+ let t = E(e);
447
+ if (!a.instance) a.instance = new a(t);
448
+ else {
449
+ let r = a.instance.config;
450
+ if (t.enabled !== r.enabled || t.auditMode !== r.auditMode) throw new Error(`DefenseInDepthBox config conflict: requested {enabled: ${t.enabled}, auditMode: ${t.auditMode}} but singleton already has {enabled: ${r.enabled}, auditMode: ${r.auditMode}}. All Bash instances must use the same defense-in-depth security settings, or call DefenseInDepthBox.resetInstance() between incompatible configurations.`);
451
+ }
452
+ return a.instance;
453
+ }
454
+ static resetInstance() {
455
+ a.instance && (a.instance.forceDeactivate(), a.instance = null), a.trustedExecutionDepth.clear();
456
+ }
457
+ static isInSandboxedContext() {
458
+ return u ? u?.getStore()?.sandboxActive === !0 : !1;
459
+ }
460
+ static getCurrentExecutionId() {
461
+ if (u) return u?.getStore()?.executionId;
462
+ }
463
+ static enterTrustedScope(e) {
464
+ let t = a.trustedExecutionDepth.get(e) ?? 0;
465
+ a.trustedExecutionDepth.set(e, t + 1);
466
+ }
467
+ static leaveTrustedScope(e) {
468
+ let t = a.trustedExecutionDepth.get(e);
469
+ if (t) {
470
+ if (t === 1) {
471
+ a.trustedExecutionDepth.delete(e);
472
+ return;
473
+ }
474
+ a.trustedExecutionDepth.set(e, t - 1);
475
+ }
476
+ }
477
+ static isTrustedScopeActive(e) {
478
+ return e ? (a.trustedExecutionDepth.get(e) ?? 0) > 0 : !1;
479
+ }
480
+ isExecutionIdActive(e) {
481
+ return this.activeExecutionIds.has(e);
482
+ }
483
+ getCachedContext(e) {
484
+ let t = this.contextCache.get(e);
485
+ return t || (t = {
486
+ sandboxActive: !0,
487
+ executionId: e
488
+ }, this.contextCache.set(e, t)), t;
489
+ }
490
+ getPreferredActiveExecutionId() {
491
+ if (this.activeExecutionIds.size !== 0) for (let e of this.activeExecutionIds) return e;
492
+ }
493
+ static bindCurrentContext(e) {
494
+ if (!u) return e;
495
+ let t = a.instance, r = u.getStore(), s = r?.sandboxActive === !0 ? r.executionId : t?.getPreferredActiveExecutionId();
496
+ if (!s) return e;
497
+ let n = t?.getCachedContext(s) ?? {
498
+ sandboxActive: !0,
499
+ executionId: s
500
+ };
501
+ return ((...o) => {
502
+ let i = a.instance;
503
+ if (!(i && !i.isExecutionIdActive(s) && (i.recordViolation("bound_callback_after_deactivate", "bound callback", "Bound callback blocked after originating execution was deactivated"), !i.config.auditMode))) return D(n, e, ...o);
504
+ });
505
+ }
506
+ isEnabled() {
507
+ return this.config.enabled === !0 && u !== null && !f;
508
+ }
509
+ updateConfig(e) {
510
+ this.config = {
511
+ ...this.config,
512
+ ...e
513
+ };
514
+ }
515
+ activate() {
516
+ if (f || !this.config.enabled || !u) {
517
+ let r = w(), s = !1;
518
+ return {
519
+ run: (n) => s ? Promise.reject(/* @__PURE__ */ new Error("DefenseInDepthBox handle is deactivated and cannot run new work")) : n(),
520
+ deactivate: () => {
521
+ s = !0;
522
+ },
523
+ executionId: r
524
+ };
525
+ }
526
+ this.refCount++, this.refCount === 1 && (this.applyPatches(), this.activationTime = Date.now());
527
+ let e = w(), t = !1;
528
+ return {
529
+ run: (r) => t ? Promise.reject(/* @__PURE__ */ new Error("DefenseInDepthBox handle is deactivated and cannot run new work")) : (this.activeExecutionIds.add(e), u.run({
530
+ sandboxActive: !0,
531
+ executionId: e
532
+ }, r)),
533
+ deactivate: () => {
534
+ t || (t = !0, this.activeExecutionIds.delete(e), this.contextCache.delete(e), this.refCount--, this.refCount === 0 && (this.restorePatches(), this.totalActiveTimeMs += Date.now() - this.activationTime), this.refCount < 0 && (this.refCount = 0));
535
+ },
536
+ executionId: e
537
+ };
538
+ }
539
+ forceDeactivate() {
540
+ this.refCount > 0 && (this.restorePatches(), this.totalActiveTimeMs += Date.now() - this.activationTime), this.activeExecutionIds.clear(), this.contextCache.clear(), this.refCount = 0;
541
+ }
542
+ isActive() {
543
+ return this.refCount > 0;
544
+ }
545
+ getStats() {
546
+ return {
547
+ violationsBlocked: this.violations.length,
548
+ violations: [...this.violations],
549
+ activeTimeMs: this.totalActiveTimeMs + (this.refCount > 0 ? Date.now() - this.activationTime : 0),
550
+ refCount: this.refCount
551
+ };
552
+ }
553
+ getPatchFailures() {
554
+ return [...this.patchFailures];
555
+ }
556
+ clearViolations() {
557
+ this.violations = [];
558
+ }
559
+ getPathForTarget(e, t) {
560
+ return e === globalThis ? `globalThis.${t}` : e === process ? `process.${t}` : e === Error ? `Error.${t}` : e === Function.prototype ? `Function.prototype.${t}` : e === Object.prototype ? `Object.prototype.${t}` : `<object>.${t}`;
561
+ }
562
+ static runTrusted(e) {
563
+ if (!u) return e();
564
+ let t = u.getStore();
565
+ if (!t) return e();
566
+ let { executionId: r } = t;
567
+ return u.run({
568
+ ...t,
569
+ trusted: !0
570
+ }, () => {
571
+ a.enterTrustedScope(r);
572
+ try {
573
+ let s = e();
574
+ return typeof s == "object" && s !== null && "finally" in s && typeof s.finally == "function" ? s.finally(() => {
575
+ a.leaveTrustedScope(r);
576
+ }) : (a.leaveTrustedScope(r), s);
577
+ } catch (s) {
578
+ throw a.leaveTrustedScope(r), s;
579
+ }
580
+ });
581
+ }
582
+ static async runTrustedAsync(e) {
583
+ if (!u) return e();
584
+ let t = u.getStore();
585
+ if (!t) return e();
586
+ let { executionId: r } = t;
587
+ return u.run({
588
+ ...t,
589
+ trusted: !0
590
+ }, async () => {
591
+ a.enterTrustedScope(r);
592
+ try {
593
+ return await e();
594
+ } finally {
595
+ a.leaveTrustedScope(r);
596
+ }
597
+ });
598
+ }
599
+ shouldBlock() {
600
+ if (f || this.config.auditMode || !u) return !1;
601
+ let e = u?.getStore();
602
+ return !(e?.sandboxActive !== !0 || e.trusted || a.isTrustedScopeActive(e.executionId));
603
+ }
604
+ recordViolation(e, t, r) {
605
+ let s = {
606
+ timestamp: Date.now(),
607
+ type: e,
608
+ message: r,
609
+ path: t,
610
+ stack: (/* @__PURE__ */ new Error()).stack,
611
+ executionId: u?.getStore()?.executionId
612
+ };
613
+ if (this.violations.length < T && this.violations.push(s), this.config.onViolation) try {
614
+ this.config.onViolation(s);
615
+ } catch (n) {
616
+ console.debug("[DefenseInDepthBox] onViolation callback threw:", n instanceof Error ? n.message : n);
617
+ }
618
+ return s;
619
+ }
620
+ createBlockingProxy(e, t, r) {
621
+ let s = this;
622
+ return new Proxy(e, {
623
+ apply(n, o, i) {
624
+ if (s.shouldBlock()) {
625
+ let c = `${t} is blocked during script execution`;
626
+ throw new d(c, s.recordViolation(r, t, c));
627
+ }
628
+ return s.config.auditMode && u?.getStore()?.sandboxActive === !0 && s.recordViolation(r, t, `${t} called (audit mode)`), Reflect.apply(n, o, i);
629
+ },
630
+ construct(n, o, i) {
631
+ if (s.shouldBlock()) {
632
+ let c = `${t} constructor is blocked during script execution`;
633
+ throw new d(c, s.recordViolation(r, t, c));
634
+ }
635
+ return s.config.auditMode && u?.getStore()?.sandboxActive === !0 && s.recordViolation(r, t, `${t} constructor called (audit mode)`), Reflect.construct(n, o, i);
636
+ }
637
+ });
638
+ }
639
+ createBlockingObjectProxy(e, t, r, s) {
640
+ let n = this;
641
+ return new Proxy(e, {
642
+ get(o, i, c) {
643
+ if (n.shouldBlock()) {
644
+ if (s && typeof i == "string" && s.has(i)) return Reflect.get(o, i, c);
645
+ let l = `${t}.${String(i)}`, p = `${l} is blocked during script execution`;
646
+ throw new d(p, n.recordViolation(r, l, p));
647
+ }
648
+ if (n.config.auditMode && u?.getStore()?.sandboxActive === !0) {
649
+ let l = `${t}.${String(i)}`;
650
+ n.recordViolation(r, l, `${l} accessed (audit mode)`);
651
+ }
652
+ return Reflect.get(o, i, c);
653
+ },
654
+ set(o, i, c, l) {
655
+ if (n.shouldBlock()) {
656
+ let p = `${t}.${String(i)}`, h = `${p} modification is blocked during script execution`;
657
+ throw new d(h, n.recordViolation(r, p, h));
658
+ }
659
+ return Reflect.set(o, i, c, l);
660
+ },
661
+ ownKeys(o) {
662
+ if (n.shouldBlock()) {
663
+ let i = `${t} enumeration is blocked during script execution`;
664
+ throw new d(i, n.recordViolation(r, t, i));
665
+ }
666
+ return Reflect.ownKeys(o);
667
+ },
668
+ getOwnPropertyDescriptor(o, i) {
669
+ if (n.shouldBlock()) {
670
+ let c = `${t}.${String(i)}`, l = `${c} descriptor access is blocked during script execution`;
671
+ throw new d(l, n.recordViolation(r, c, l));
672
+ }
673
+ return Reflect.getOwnPropertyDescriptor(o, i);
674
+ },
675
+ has(o, i) {
676
+ if (n.shouldBlock()) {
677
+ let c = `${t}.${String(i)}`, l = `${c} existence check is blocked during script execution`;
678
+ throw new d(l, n.recordViolation(r, c, l));
679
+ }
680
+ return Reflect.has(o, i);
681
+ },
682
+ deleteProperty(o, i) {
683
+ if (n.shouldBlock()) {
684
+ let c = `${t}.${String(i)}`, l = `${c} deletion is blocked during script execution`;
685
+ throw new d(l, n.recordViolation(r, c, l));
686
+ }
687
+ return Reflect.deleteProperty(o, i);
688
+ },
689
+ setPrototypeOf(o, i) {
690
+ if (n.shouldBlock()) {
691
+ let c = `${t} setPrototypeOf is blocked during script execution`;
692
+ throw new d(c, n.recordViolation(r, t, c));
693
+ }
694
+ return Reflect.setPrototypeOf(o, i);
695
+ },
696
+ defineProperty(o, i, c) {
697
+ if (n.shouldBlock()) {
698
+ let l = `${t}.${String(i)}`, p = `${l} defineProperty is blocked during script execution`;
699
+ throw new d(p, n.recordViolation(r, l, p));
700
+ }
701
+ return Reflect.defineProperty(o, i, c);
702
+ }
703
+ });
704
+ }
705
+ applyPatches() {
706
+ this.patchFailures = [];
707
+ let e = v(), t = new Set([
708
+ "process_send",
709
+ "process_channel",
710
+ "process_stdout",
711
+ "process_stderr"
712
+ ]);
713
+ for (let n of e) t.has(n.violationType) || this.applyPatch(n);
714
+ this.protectConstructorChain(), this.protectErrorPrepareStackTrace(), this.protectPromiseThen(), this.protectDynamicImport(), this.protectModuleLoad(), this.protectModuleResolveFilename(), this.protectProcessMainModule(), this.protectProcessExecPath(), this.lockWellKnownSymbols(), this.protectProxyRevocable();
715
+ let r = ["Function.prototype.constructor", "Module._load"], s = this.patchFailures.filter((n) => r.includes(n));
716
+ if (s.length > 0) throw this.restorePatches(), /* @__PURE__ */ new Error(`DefenseInDepthBox: critical patches failed: ${s.join(", ")}`);
717
+ }
718
+ protectConstructorChain() {
719
+ this.patchPrototypeConstructor(Function.prototype, "Function.prototype.constructor", "function_constructor");
720
+ try {
721
+ let e = Object.getPrototypeOf(async () => {}).constructor;
722
+ e && e !== Function && this.patchPrototypeConstructor(e.prototype, "AsyncFunction.prototype.constructor", "async_function_constructor");
723
+ } catch (e) {
724
+ this.patchFailures.push("AsyncFunction.prototype.constructor"), console.debug("[DefenseInDepthBox] Could not patch AsyncFunction.prototype.constructor:", e instanceof Error ? e.message : e);
725
+ }
726
+ try {
727
+ let e = Object.getPrototypeOf(function* () {}).constructor;
728
+ e && e !== Function && this.patchPrototypeConstructor(e.prototype, "GeneratorFunction.prototype.constructor", "generator_function_constructor");
729
+ } catch (e) {
730
+ this.patchFailures.push("GeneratorFunction.prototype.constructor"), console.debug("[DefenseInDepthBox] Could not patch GeneratorFunction.prototype.constructor:", e instanceof Error ? e.message : e);
731
+ }
732
+ try {
733
+ let e = Object.getPrototypeOf(async function* () {}).constructor, t = Object.getPrototypeOf(async () => {}).constructor;
734
+ e && e !== Function && e !== t && this.patchPrototypeConstructor(e.prototype, "AsyncGeneratorFunction.prototype.constructor", "async_generator_function_constructor");
735
+ } catch (e) {
736
+ this.patchFailures.push("AsyncGeneratorFunction.prototype.constructor"), console.debug("[DefenseInDepthBox] Could not patch AsyncGeneratorFunction.prototype.constructor:", e instanceof Error ? e.message : e);
737
+ }
738
+ }
739
+ protectErrorPrepareStackTrace() {
740
+ let e = this;
741
+ try {
742
+ let t = Object.getOwnPropertyDescriptor(Error, "prepareStackTrace");
743
+ this.originalDescriptors.push({
744
+ target: Error,
745
+ prop: "prepareStackTrace",
746
+ descriptor: t
747
+ });
748
+ let r = t?.value;
749
+ Object.defineProperty(Error, "prepareStackTrace", {
750
+ get() {
751
+ return r;
752
+ },
753
+ set(s) {
754
+ if (e.shouldBlock()) {
755
+ let n = "Error.prepareStackTrace modification is blocked during script execution";
756
+ throw new d(n, e.recordViolation("error_prepare_stack_trace", "Error.prepareStackTrace", n));
757
+ }
758
+ e.config.auditMode && u?.getStore()?.sandboxActive === !0 && e.recordViolation("error_prepare_stack_trace", "Error.prepareStackTrace", "Error.prepareStackTrace set (audit mode)"), r = s;
759
+ },
760
+ configurable: !0
761
+ });
762
+ } catch (t) {
763
+ this.patchFailures.push("Error.prepareStackTrace"), console.debug("[DefenseInDepthBox] Could not protect Error.prepareStackTrace:", t instanceof Error ? t.message : t);
764
+ }
765
+ }
766
+ protectPromiseThen() {
767
+ let e = this;
768
+ try {
769
+ let n = function(...o) {
770
+ return u.run(this.captured, () => {
771
+ if (!this.box.isExecutionIdActive(this.executionId)) {
772
+ if (this.box.recordViolation("promise_then_after_deactivate", "Promise.then", "Promise.then callback is blocked after defense deactivation"), this.box.config.auditMode) return Reflect.apply(this.cb, void 0, o);
773
+ if (this.kind === "fulfilled") return o[0];
774
+ throw o[0];
775
+ }
776
+ return Reflect.apply(this.cb, void 0, o);
777
+ });
778
+ };
779
+ let r = Object.getOwnPropertyDescriptor(Promise.prototype, "then");
780
+ this.originalDescriptors.push({
781
+ target: Promise.prototype,
782
+ prop: "then",
783
+ descriptor: r
784
+ });
785
+ let s = r?.value;
786
+ if (typeof s != "function") return;
787
+ Object.defineProperty(Promise.prototype, "then", {
788
+ value: function(i, c) {
789
+ if (!u) return Reflect.apply(s, this, [i, c]);
790
+ let l = u.getStore(), p = l?.sandboxActive === !0 && l.trusted !== !0 ? l.executionId : void 0;
791
+ if (!p) return Reflect.apply(s, this, [i, c]);
792
+ let h = e.getCachedContext(p), y = (b, P) => typeof b != "function" ? b : n.bind({
793
+ box: e,
794
+ executionId: p,
795
+ captured: h,
796
+ cb: b,
797
+ kind: P
798
+ });
799
+ return Reflect.apply(s, this, [y(i, "fulfilled"), y(c, "rejected")]);
800
+ },
801
+ writable: !0,
802
+ configurable: !0
803
+ });
804
+ } catch (r) {
805
+ this.patchFailures.push("Promise.prototype.then"), console.debug("[DefenseInDepthBox] Could not protect Promise.prototype.then:", r instanceof Error ? r.message : r);
806
+ }
807
+ }
808
+ patchPrototypeConstructor(e, t, r) {
809
+ let s = this;
810
+ try {
811
+ let n = Object.getOwnPropertyDescriptor(e, "constructor");
812
+ this.originalDescriptors.push({
813
+ target: e,
814
+ prop: "constructor",
815
+ descriptor: n
816
+ });
817
+ let o = n?.value;
818
+ Object.defineProperty(e, "constructor", {
819
+ get() {
820
+ if (s.shouldBlock()) {
821
+ let i = `${t} access is blocked during script execution`;
822
+ throw new d(i, s.recordViolation(r, t, i));
823
+ }
824
+ return s.config.auditMode && u?.getStore()?.sandboxActive === !0 && s.recordViolation(r, t, `${t} accessed (audit mode)`), o;
825
+ },
826
+ set(i) {
827
+ if (s.shouldBlock()) {
828
+ let c = `${t} modification is blocked during script execution`;
829
+ throw new d(c, s.recordViolation(r, t, c));
830
+ }
831
+ Object.defineProperty(this, "constructor", {
832
+ value: i,
833
+ writable: !0,
834
+ configurable: !0
835
+ });
836
+ },
837
+ configurable: !0
838
+ });
839
+ } catch (n) {
840
+ this.patchFailures.push(t), console.debug(`[DefenseInDepthBox] Could not patch ${t}:`, n instanceof Error ? n.message : n);
841
+ }
842
+ }
843
+ protectProcessMainModule() {
844
+ if (typeof process > "u") return;
845
+ let e = this;
846
+ try {
847
+ let t = Object.getOwnPropertyDescriptor(process, "mainModule");
848
+ this.originalDescriptors.push({
849
+ target: process,
850
+ prop: "mainModule",
851
+ descriptor: t
852
+ });
853
+ let r = t?.value;
854
+ r !== void 0 && Object.defineProperty(process, "mainModule", {
855
+ get() {
856
+ if (e.shouldBlock()) {
857
+ let s = "process.mainModule access is blocked during script execution";
858
+ throw new d(s, e.recordViolation("process_main_module", "process.mainModule", s));
859
+ }
860
+ return e.config.auditMode && u?.getStore()?.sandboxActive === !0 && e.recordViolation("process_main_module", "process.mainModule", "process.mainModule accessed (audit mode)"), r;
861
+ },
862
+ set(s) {
863
+ if (e.shouldBlock()) {
864
+ let n = "process.mainModule modification is blocked during script execution";
865
+ throw new d(n, e.recordViolation("process_main_module", "process.mainModule", n));
866
+ }
867
+ Object.defineProperty(process, "mainModule", {
868
+ value: s,
869
+ writable: !0,
870
+ configurable: !0
871
+ });
872
+ },
873
+ configurable: !0
874
+ });
875
+ } catch (t) {
876
+ this.patchFailures.push("process.mainModule"), console.debug("[DefenseInDepthBox] Could not protect process.mainModule:", t instanceof Error ? t.message : t);
877
+ }
878
+ }
879
+ protectProcessExecPath() {
880
+ if (typeof process > "u") return;
881
+ let e = this;
882
+ try {
883
+ let t = Object.getOwnPropertyDescriptor(process, "execPath");
884
+ this.originalDescriptors.push({
885
+ target: process,
886
+ prop: "execPath",
887
+ descriptor: t
888
+ });
889
+ let r = t?.value ?? process.execPath;
890
+ Object.defineProperty(process, "execPath", {
891
+ get() {
892
+ if (e.shouldBlock()) {
893
+ let s = "process.execPath access is blocked during script execution";
894
+ throw new d(s, e.recordViolation("process_exec_path", "process.execPath", s));
895
+ }
896
+ return e.config.auditMode && u?.getStore()?.sandboxActive === !0 && e.recordViolation("process_exec_path", "process.execPath", "process.execPath accessed (audit mode)"), r;
897
+ },
898
+ set(s) {
899
+ if (e.shouldBlock()) {
900
+ let n = "process.execPath modification is blocked during script execution";
901
+ throw new d(n, e.recordViolation("process_exec_path", "process.execPath", n));
902
+ }
903
+ Object.defineProperty(process, "execPath", {
904
+ value: s,
905
+ writable: !0,
906
+ configurable: !0
907
+ });
908
+ },
909
+ configurable: !0
910
+ });
911
+ } catch (t) {
912
+ this.patchFailures.push("process.execPath"), console.debug("[DefenseInDepthBox] Could not protect process.execPath:", t instanceof Error ? t.message : t);
913
+ }
914
+ }
915
+ lockWellKnownSymbols() {
916
+ let e = (t, r) => {
917
+ try {
918
+ let s = Object.getOwnPropertyDescriptor(t, r);
919
+ if (s?.configurable) {
920
+ if ("value" in s) {
921
+ Object.defineProperty(t, r, {
922
+ ...s,
923
+ configurable: !1,
924
+ writable: !1
925
+ });
926
+ return;
927
+ }
928
+ Object.defineProperty(t, r, {
929
+ ...s,
930
+ configurable: !1
931
+ });
932
+ }
933
+ } catch {}
934
+ };
935
+ for (let t of [
936
+ Array,
937
+ Map,
938
+ Set,
939
+ RegExp,
940
+ Promise
941
+ ]) e(t, Symbol.species);
942
+ for (let t of [
943
+ Array.prototype,
944
+ String.prototype,
945
+ Map.prototype,
946
+ Set.prototype
947
+ ]) e(t, Symbol.iterator);
948
+ e(Symbol.prototype, Symbol.toPrimitive), e(Date.prototype, Symbol.toPrimitive);
949
+ for (let t of [
950
+ Symbol.match,
951
+ Symbol.matchAll,
952
+ Symbol.replace,
953
+ Symbol.search,
954
+ Symbol.split
955
+ ]) e(RegExp.prototype, t);
956
+ e(Function.prototype, Symbol.hasInstance), e(Array.prototype, Symbol.unscopables);
957
+ for (let t of [
958
+ Map.prototype,
959
+ Set.prototype,
960
+ Promise.prototype,
961
+ ArrayBuffer.prototype
962
+ ]) e(t, Symbol.toStringTag);
963
+ try {
964
+ let t = Object.getOwnPropertyDescriptor(Error, "stackTraceLimit");
965
+ this.originalDescriptors.push({
966
+ target: Error,
967
+ prop: "stackTraceLimit",
968
+ descriptor: t
969
+ }), Object.defineProperty(Error, "stackTraceLimit", {
970
+ value: Error.stackTraceLimit,
971
+ writable: !1,
972
+ configurable: !0
973
+ });
974
+ } catch {}
975
+ }
976
+ protectProxyRevocable() {
977
+ let e = this;
978
+ try {
979
+ let t = Proxy.revocable;
980
+ if (typeof t != "function") return;
981
+ let r = Object.getOwnPropertyDescriptor(Proxy, "revocable");
982
+ this.originalDescriptors.push({
983
+ target: Proxy,
984
+ prop: "revocable",
985
+ descriptor: r
986
+ }), Object.defineProperty(Proxy, "revocable", {
987
+ value: function(n, o) {
988
+ if (e.shouldBlock()) {
989
+ let i = "Proxy.revocable is blocked during script execution";
990
+ throw new d(i, e.recordViolation("proxy", "Proxy.revocable", i));
991
+ }
992
+ return e.config.auditMode && u?.getStore()?.sandboxActive === !0 && e.recordViolation("proxy", "Proxy.revocable", "Proxy.revocable called (audit mode)"), t(n, o);
993
+ },
994
+ writable: !1,
995
+ configurable: !0
996
+ });
997
+ } catch (t) {
998
+ this.patchFailures.push("Proxy.revocable"), console.debug("[DefenseInDepthBox] Could not protect Proxy.revocable:", t instanceof Error ? t.message : t);
999
+ }
1000
+ }
1001
+ protectDynamicImport() {
1002
+ if (!(f || a.importHooksRegistered)) try {
1003
+ let e = this, t = m$1("node:module"), r = /* @__PURE__ */ new Set();
1004
+ for (let o of t.builtinModules ?? []) {
1005
+ let i = o.startsWith("node:") ? o.slice(5) : o;
1006
+ r.add(i);
1007
+ let c = i.indexOf("/");
1008
+ c > 0 && r.add(i.slice(0, c));
1009
+ }
1010
+ let s = (o) => {
1011
+ if (o.startsWith("./") || o.startsWith("../") || o.startsWith("/") || o.startsWith("file:") || o.startsWith("data:") || o.startsWith("blob:") || o.startsWith("http:") || o.startsWith("https:")) return !1;
1012
+ let i = o.startsWith("node:") ? o.slice(5) : o;
1013
+ if (!i) return !1;
1014
+ if (typeof t.isBuiltin == "function" && t.isBuiltin(i) || r.has(i)) return !0;
1015
+ let c = i.indexOf("/");
1016
+ return c > 0 && r.has(i.slice(0, c));
1017
+ }, n = () => {
1018
+ let o = u?.getStore();
1019
+ return e.config.auditMode === !0 && o?.sandboxActive === !0 && o.trusted !== !0 && !a.isTrustedScopeActive(o.executionId);
1020
+ };
1021
+ if (typeof t.registerHooks == "function") {
1022
+ t.registerHooks({ resolve(o, i, c) {
1023
+ if (o.startsWith("data:") || o.startsWith("blob:")) throw new Error(`dynamic import of ${o.startsWith("data:") ? "data:" : "blob:"} URLs is blocked by defense-in-depth`);
1024
+ if (s(o)) {
1025
+ let l = `import(${o})`, p = `dynamic import of Node.js builtin '${o}' is blocked during script execution`;
1026
+ if (e.shouldBlock()) throw new d(p, e.recordViolation("dynamic_import_builtin", l, p));
1027
+ n() && e.recordViolation("dynamic_import_builtin", l, `dynamic import of Node.js builtin '${o}' called (audit mode)`);
1028
+ }
1029
+ return c(o, i);
1030
+ } }), a.importHooksRegistered = !0;
1031
+ return;
1032
+ }
1033
+ if (typeof t.register == "function") {
1034
+ let o = [
1035
+ "export async function resolve(specifier, context, nextResolve) {",
1036
+ " if (specifier.startsWith(\"data:\") || specifier.startsWith(\"blob:\")) {",
1037
+ " throw new Error(\"dynamic import of \" + (specifier.startsWith(\"data:\") ? \"data:\" : \"blob:\") + \" URLs is blocked by defense-in-depth\");",
1038
+ " }",
1039
+ " return nextResolve(specifier, context);",
1040
+ "}"
1041
+ ].join(`
1042
+ `);
1043
+ t.register(`data:text/javascript,${encodeURIComponent(o)}`), a.importHooksRegistered = !0;
1044
+ }
1045
+ } catch (e) {
1046
+ console.debug("[DefenseInDepthBox] Could not register import() hooks:", e instanceof Error ? e.message : e);
1047
+ }
1048
+ }
1049
+ protectModuleLoad() {
1050
+ if (!f) try {
1051
+ let e = null;
1052
+ if (typeof process < "u") {
1053
+ let o = process.mainModule;
1054
+ o && typeof o == "object" && (e = o.constructor);
1055
+ }
1056
+ if (!e && typeof m$1 < "u" && typeof m$1.main < "u" && (e = m$1.main.constructor), !e || typeof e._load != "function") return;
1057
+ let t = e._load, r = Object.getOwnPropertyDescriptor(e, "_load");
1058
+ this.originalDescriptors.push({
1059
+ target: e,
1060
+ prop: "_load",
1061
+ descriptor: r
1062
+ });
1063
+ let n = this.createBlockingProxy(t, "Module._load", "module_load");
1064
+ Object.defineProperty(e, "_load", {
1065
+ value: n,
1066
+ writable: !0,
1067
+ configurable: !0
1068
+ });
1069
+ } catch (e) {
1070
+ this.patchFailures.push("Module._load"), console.debug("[DefenseInDepthBox] Could not protect Module._load:", e instanceof Error ? e.message : e);
1071
+ }
1072
+ }
1073
+ protectModuleResolveFilename() {
1074
+ if (!f) try {
1075
+ let e = null;
1076
+ if (typeof process < "u") {
1077
+ let o = process.mainModule;
1078
+ o && typeof o == "object" && (e = o.constructor);
1079
+ }
1080
+ if (!e && typeof m$1 < "u" && typeof m$1.main < "u" && (e = m$1.main.constructor), !e || typeof e._resolveFilename != "function") return;
1081
+ let t = e._resolveFilename, r = Object.getOwnPropertyDescriptor(e, "_resolveFilename");
1082
+ this.originalDescriptors.push({
1083
+ target: e,
1084
+ prop: "_resolveFilename",
1085
+ descriptor: r
1086
+ });
1087
+ let n = this.createBlockingProxy(t, "Module._resolveFilename", "module_resolve_filename");
1088
+ Object.defineProperty(e, "_resolveFilename", {
1089
+ value: n,
1090
+ writable: !0,
1091
+ configurable: !0
1092
+ });
1093
+ } catch (e) {
1094
+ this.patchFailures.push("Module._resolveFilename"), console.debug("[DefenseInDepthBox] Could not protect Module._resolveFilename:", e instanceof Error ? e.message : e);
1095
+ }
1096
+ }
1097
+ applyPatch(e) {
1098
+ let { target: t, prop: r, violationType: s, strategy: n } = e;
1099
+ try {
1100
+ let o = t[r];
1101
+ if (o === void 0) return;
1102
+ let i = Object.getOwnPropertyDescriptor(t, r);
1103
+ if (this.originalDescriptors.push({
1104
+ target: t,
1105
+ prop: r,
1106
+ descriptor: i
1107
+ }), n === "freeze") typeof o == "object" && o !== null && Object.freeze(o);
1108
+ else {
1109
+ let c = this.getPathForTarget(t, r), l = typeof o == "function" ? this.createBlockingProxy(o, c, s) : this.createBlockingObjectProxy(o, c, s, e.allowedKeys);
1110
+ Object.defineProperty(t, r, {
1111
+ value: l,
1112
+ writable: !0,
1113
+ configurable: !0
1114
+ });
1115
+ }
1116
+ } catch (o) {
1117
+ let i = this.getPathForTarget(t, r);
1118
+ this.patchFailures.push(i), console.debug(`[DefenseInDepthBox] Could not patch ${i}:`, o instanceof Error ? o.message : o);
1119
+ }
1120
+ }
1121
+ restorePatches() {
1122
+ for (let e = this.originalDescriptors.length - 1; e >= 0; e--) {
1123
+ let { target: t, prop: r, descriptor: s } = this.originalDescriptors[e];
1124
+ try {
1125
+ s ? Object.defineProperty(t, r, s) : delete t[r];
1126
+ } catch (n) {
1127
+ let o = this.getPathForTarget(t, r);
1128
+ console.debug(`[DefenseInDepthBox] Could not restore ${o}:`, n instanceof Error ? n.message : n);
1129
+ }
1130
+ }
1131
+ this.originalDescriptors = [];
1132
+ }
1133
+ };
1134
+ //#endregion
1135
+ export { d as n, _ as t };
1136
+
1137
+ //# sourceMappingURL=chunk-TN7HHBQW-CSB_R-XD.mjs.map