@westbayberry/dg 1.3.2 → 2.0.0

package/dist/launcher/live-install.js

@@ -0,0 +1,50 @@
+import { createLaunchPlan, runWithProductionProxyLive } from "./run.js";
+import { isSupportedPackageManager } from "./classify.js";
+import { isCiEnv, resolvePresentation } from "../presentation/mode.js";
+const FALL_THROUGH = { handled: false };
+export async function maybeRunLiveInstall(args, options = {}) {
+    const env = options.env ?? process.env;
+    if (!process.stdout.isTTY || isCiEnv(env) || resolvePresentation().mode !== "rich") {
+        return FALL_THROUGH;
+    }
+    const [manager, ...rest] = args;
+    if (!manager || !isSupportedPackageManager(manager)) {
+        return FALL_THROUGH;
+    }
+    const { childArgs, forceOverride } = stripControlArgs(rest);
+    const plan = createLaunchPlan(manager, childArgs, env);
+    if (plan.classification.kind !== "protected" || !plan.realBinary.path) {
+        return FALL_THROUGH;
+    }
+    const runOptions = {
+        env,
+        ...(forceOverride ? { forceOverride } : {})
+    };
+    const { renderLiveInstall } = await import("../install-ui/live-install-app.js");
+    try {
+        const result = await renderLiveInstall((onView) => runWithProductionProxyLive(plan, childArgs, runOptions, onView));
+        return { handled: true, result };
+    }
+    catch (error) {
+        return {
+            handled: true,
+            result: {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg protection failed: ${error instanceof Error ? error.message : "unknown error"}\n`
+            }
+        };
+    }
+}
+function stripControlArgs(args) {
+    const childArgs = [];
+    let force = false;
+    for (const arg of args) {
+        if (arg === "--dg-force-install") {
+            force = true;
+            continue;
+        }
+        childArgs.push(arg);
+    }
+    return force ? { childArgs, forceOverride: { force: true } } : { childArgs };
+}

package/dist/launcher/output-redaction.js

@@ -0,0 +1,77 @@
+const credentialUrlPattern = /\b([a-z][a-z0-9+.-]{0,31}:\/\/)([^/\s:@]+):([^/\s@]+)@/gi;
+const authHeaderPattern = /\b(proxy-authorization|authorization):\s*[^\r\n]+/gi;
+const tokenAssignmentPattern = /\b((?:npm_|pypi_|dg_)?(?:token|authToken|password|secret))=([^\s]+)/gi;
+const npmrcAuthPattern = /(_authToken|_auth|_password)\s*=\s*("[^"]*"|[^\s;,]+)/gi;
+const bearerPattern = /\bBearer\s+[A-Za-z0-9._~+/=-]{8,}/g;
+const knownTokenShapePattern = /\b(npm_[A-Za-z0-9]{36}|gh[pousr]_[A-Za-z0-9]{36,255}|pypi-[A-Za-z0-9_-]{20,})\b/g;
+export function redactSecrets(text) {
+    return text
+        .replace(credentialUrlPattern, "$1<redacted>@")
+        .replace(authHeaderPattern, (_match, header) => `${header}: <redacted>`)
+        .replace(npmrcAuthPattern, "$1=<redacted>")
+        .replace(tokenAssignmentPattern, "$1=<redacted>")
+        .replace(bearerPattern, "Bearer <redacted>")
+        .replace(knownTokenShapePattern, "<redacted>");
+}
+const STREAM_FLUSH_QUIET_MS = 80;
+const SECRET_TAIL_SCAN_CHARS = 80;
+const secretTailPattern = /(Bearer\s+[\w.~+/=-]*|npm_[A-Za-z0-9]*|gh[pousr]_[A-Za-z0-9]*|pypi-[\w-]*|(?:_authToken|_auth|_password|token|authToken|password|secret)=\S*)$/i;
+export function createStreamRedactor(emit) {
+    let pending = "";
+    let timer;
+    let tailHeldOnce = false;
+    const clearTimer = () => {
+        if (timer) {
+            clearTimeout(timer);
+            timer = undefined;
+        }
+    };
+    const emitPending = () => {
+        clearTimer();
+        if (pending) {
+            emit(redactSecrets(pending));
+            pending = "";
+        }
+        tailHeldOnce = false;
+    };
+    const onQuietTimer = () => {
+        timer = undefined;
+        if (!pending) {
+            tailHeldOnce = false;
+            return;
+        }
+        const scanStart = Math.max(0, pending.length - SECRET_TAIL_SCAN_CHARS);
+        const tailMatch = secretTailPattern.exec(pending.slice(scanStart));
+        if (tailMatch && !tailHeldOnce) {
+            const matchStart = scanStart + tailMatch.index;
+            if (matchStart > 0) {
+                emit(redactSecrets(pending.slice(0, matchStart)));
+            }
+            pending = pending.slice(matchStart);
+            tailHeldOnce = true;
+            timer = setTimeout(onQuietTimer, STREAM_FLUSH_QUIET_MS);
+            timer.unref?.();
+            return;
+        }
+        emit(redactSecrets(pending));
+        pending = "";
+        tailHeldOnce = false;
+    };
+    return {
+        write(chunk) {
+            pending += chunk;
+            tailHeldOnce = false;
+            const boundary = Math.max(pending.lastIndexOf("\n"), pending.lastIndexOf("\r"));
+            if (boundary >= 0) {
+                emit(redactSecrets(pending.slice(0, boundary + 1)));
+                pending = pending.slice(boundary + 1);
+            }
+            clearTimer();
+            if (pending) {
+                timer = setTimeout(onQuietTimer, STREAM_FLUSH_QUIET_MS);
+                timer.unref?.();
+            }
+        },
+        flush: emitPending
+    };
+}

package/dist/launcher/preflight-prompt.js

@@ -0,0 +1,139 @@
+import { analyzePackages } from "../api/analyze.js";
+import { isCiEnv } from "../presentation/mode.js";
+import { renderInstallDecision } from "../install-ui/block-render.js";
+import { promptYesNo, defaultPromptIo } from "../install-ui/prompt.js";
+import { enforceProtectedInstall } from "../proxy/enforcement.js";
+import { classifyPackageManagerInvocation, isSupportedPackageManager } from "./classify.js";
+import { redactSecrets } from "./output-redaction.js";
+const ECOSYSTEM_BY_MANAGER = {
+    npm: "npm",
+    pnpm: "npm",
+    yarn: "npm",
+    pip: "pypi",
+    pipx: "pypi",
+    uv: "pypi"
+};
+const FALL_THROUGH = { handled: false };
+export async function maybePreflightInstallPrompt(args, options = {}) {
+    const env = options.env ?? process.env;
+    const io = options.io ?? defaultPromptIo();
+    if (!io.isTTY || isCiEnv(env)) {
+        return FALL_THROUGH;
+    }
+    const [manager, ...rest] = args;
+    if (!manager || !isSupportedPackageManager(manager)) {
+        return FALL_THROUGH;
+    }
+    const ecosystem = ECOSYSTEM_BY_MANAGER[manager];
+    if (!ecosystem) {
+        return FALL_THROUGH;
+    }
+    const { childArgs, forceOverride } = stripControlArgs(rest);
+    const classification = classifyPackageManagerInvocation(manager, childArgs);
+    if (classification.kind !== "protected") {
+        return FALL_THROUGH;
+    }
+    const specs = pinnedSpecs(childArgs, ecosystem);
+    if (specs.length === 0) {
+        return FALL_THROUGH;
+    }
+    let worst;
+    try {
+        const response = await (options.analyze ?? analyzePackages)(specs.map((spec) => ({ name: spec.name, version: spec.version })), { ecosystem, env });
+        for (const spec of specs) {
+            const pkg = response.packages.find((entry) => entry.name === spec.name && entry.version === spec.version);
+            const action = pkg?.action ?? "pass";
+            if (!worst || rank(action) > rank(worst.action)) {
+                worst = {
+                    action,
+                    spec,
+                    reason: pkg?.reasons[0] ?? pkg?.findings[0]?.title ?? "flagged by the scanner"
+                };
+            }
+        }
+    }
+    catch {
+        return FALL_THROUGH;
+    }
+    if (!worst || worst.action === "pass") {
+        return FALL_THROUGH;
+    }
+    if (worst.action === "block") {
+        const decision = enforceProtectedInstall({
+            classification,
+            env,
+            proxyVerdict: {
+                verdict: "block",
+                packageName: `${ecosystem}:${worst.spec.name}@${worst.spec.version}`,
+                cause: "malware",
+                reason: worst.reason,
+                ...(worst.dashboardUrl ? { dashboardUrl: worst.dashboardUrl } : {})
+            },
+            ...(forceOverride ? { forceOverride } : {})
+        });
+        if (decision.action === "block") {
+            return {
+                handled: true,
+                result: { exitCode: 2, stdout: "", stderr: redactSecrets(renderInstallDecision(decision)) }
+            };
+        }
+        return FALL_THROUGH;
+    }
+    const label = `${worst.spec.name}@${worst.spec.version}`;
+    const proceed = await promptYesNo(`⚠ DG flagged ${label} (warn) — ${worst.reason}. Proceed?`, io);
+    if (proceed) {
+        return FALL_THROUGH;
+    }
+    return {
+        handled: true,
+        result: { exitCode: 1, stdout: "", stderr: "Declined. Nothing was installed.\n" }
+    };
+}
+function rank(action) {
+    return { pass: 0, analysis_incomplete: 1, warn: 2, block: 3 }[action];
+}
+function stripControlArgs(args) {
+    const childArgs = [];
+    let force = false;
+    for (const arg of args) {
+        if (arg === "--dg-force-install") {
+            force = true;
+            continue;
+        }
+        childArgs.push(arg);
+    }
+    return force ? { childArgs, forceOverride: { force: true } } : { childArgs };
+}
+function pinnedSpecs(args, ecosystem) {
+    const specs = [];
+    for (const arg of args) {
+        if (arg.startsWith("-")) {
+            continue;
+        }
+        const spec = ecosystem === "npm" ? parseNpmSpec(arg) : parsePypiSpec(arg);
+        if (spec) {
+            specs.push(spec);
+        }
+    }
+    return specs;
+}
+function parseNpmSpec(token) {
+    const scoped = token.startsWith("@");
+    const at = token.indexOf("@", scoped ? 1 : 0);
+    if (at <= 0) {
+        return undefined;
+    }
+    const name = token.slice(0, at);
+    const version = token.slice(at + 1);
+    if (!name || !/^\d/.test(version)) {
+        return undefined;
+    }
+    return { name, version };
+}
+function parsePypiSpec(token) {
+    const match = /^([A-Za-z0-9._-]+)==([0-9][^\s;]*)$/.exec(token);
+    if (!match || !match[1] || !match[2]) {
+        return undefined;
+    }
+    return { name: match[1], version: match[2] };
+}

package/dist/launcher/resolve-real-binary.js

@@ -0,0 +1,73 @@
+import { accessSync, constants, readFileSync } from "node:fs";
+import { delimiter, join, resolve, sep } from "node:path";
+import { resolveDgPaths } from "../state/index.js";
+// Many systems (homebrew/macOS, some Linux) ship only the version-suffixed
+// pip3/python3, not a bare pip/python. Fall back to those instead of reporting
+// "real pip binary was not found".
+const BINARY_FALLBACKS = {
+    pip: ["pip3"],
+    python: ["python3"]
+};
+export function resolveRealBinary(options) {
+    const env = options.env ?? process.env;
+    const shimDir = join(resolveDgPaths(env).homeDir, ".dg", "shims");
+    const skipDirs = new Set([resolve(shimDir), ...(options.extraSkipDirs ?? []).map((dir) => resolve(dir))]);
+    const searched = [];
+    const skipped = [];
+    const extensions = process.platform === "win32" ? ["", ".cmd", ".exe", ".bat"] : [""];
+    const pathDirs = (env.PATH ?? "").split(delimiter).filter(Boolean);
+    const candidateNames = [options.name, ...(BINARY_FALLBACKS[options.name] ?? [])].filter((name, index, all) => all.indexOf(name) === index);
+    for (const name of candidateNames) {
+        for (const rawDir of pathDirs) {
+            const dir = resolve(rawDir);
+            if (isSkippedDir(dir, skipDirs)) {
+                skipped.push(rawDir);
+                continue;
+            }
+            for (const extension of extensions) {
+                const candidate = join(rawDir, `${name}${extension}`);
+                searched.push(candidate);
+                if (isExecutable(candidate) && !isDgShim(candidate)) {
+                    return {
+                        path: candidate,
+                        skipped,
+                        searched
+                    };
+                }
+                if (isDgShim(candidate)) {
+                    skipped.push(candidate);
+                }
+            }
+        }
+    }
+    return {
+        path: null,
+        skipped,
+        searched
+    };
+}
+function isSkippedDir(dir, skipDirs) {
+    for (const skipped of skipDirs) {
+        if (dir === skipped || dir.startsWith(`${skipped}${sep}`)) {
+            return true;
+        }
+    }
+    return false;
+}
+function isExecutable(path) {
+    try {
+        accessSync(path, constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function isDgShim(path) {
+    try {
+        return readFileSync(path, "utf8").slice(0, 160).includes("dg-shim-v1");
+    }
+    catch {
+        return false;
+    }
+}