@westbayberry/dg 1.3.2 → 2.0.0

package/dist/launcher/run.js

@@ -0,0 +1,417 @@
+import { spawn } from "node:child_process";
+import { existsSync, writeFileSync } from "node:fs";
+import { constants as osConstants } from "node:os";
+import { fileURLToPath } from "node:url";
+import { EXIT_UNAVAILABLE } from "../commands/types.js";
+import { loadUserConfig } from "../config/settings.js";
+import { describeBlockedInstall, renderInstallDecision } from "../install-ui/block-render.js";
+import { enforceProtectedInstall } from "../proxy/enforcement.js";
+import { isCiEnv } from "../presentation/mode.js";
+import { readProxySessionState } from "../proxy/server.js";
+import { cleanupSessionSync, createSessionSync, resolveDgPaths } from "../state/index.js";
+import { classifyPackageManagerInvocation } from "./classify.js";
+import { buildProxyChildEnv } from "./env.js";
+import { createStreamRedactor, redactSecrets } from "./output-redaction.js";
+import { resolveRealBinary } from "./resolve-real-binary.js";
+export const EXIT_INSTALL_BLOCKED = 2;
+export function createLaunchPlan(manager, args, env = process.env) {
+    const classification = classifyPackageManagerInvocation(manager, args);
+    const realBinary = resolveRealBinary({
+        name: classification.realBinaryName,
+        env
+    });
+    return {
+        classification,
+        realBinary,
+        startsProxy: classification.kind === "protected",
+        childEnv: {
+            ...env,
+            DG_SHIM_ACTIVE: shimNonce(manager, env)
+        }
+    };
+}
+export async function runPackageManager(manager, args, options = {}) {
+    const plan = createLaunchPlan(manager, args, options.env ?? process.env);
+    const invoked = ["dg", manager, ...args].join(" ");
+    if (plan.classification.kind === "unsupported") {
+        return unavailable(invoked, plan.classification.reason);
+    }
+    if (!plan.realBinary.path) {
+        return unavailable(invoked, `real ${plan.classification.realBinaryName} binary was not found outside dg shims`);
+    }
+    if (plan.startsProxy) {
+        if (!options.proxyVerdict) {
+            return runWithProductionProxy(plan, args, options);
+        }
+        const decision = enforceProtectedInstall({
+            classification: plan.classification,
+            env: options.env ?? process.env,
+            proxyVerdict: options.proxyVerdict,
+            ...(options.forceOverride ? { forceOverride: options.forceOverride } : {}),
+            ...(options.now ? { now: options.now } : {})
+        });
+        const rendered = renderDecisions([decision], options.env ?? process.env);
+        if (decision.action === "block") {
+            return {
+                exitCode: EXIT_INSTALL_BLOCKED,
+                stdout: "",
+                stderr: rendered
+            };
+        }
+        const child = await spawnPackageManager(plan, args, options);
+        return {
+            exitCode: child.exitCode,
+            stdout: streamedOut(child.stdout, options),
+            stderr: `${rendered}${streamedErr(child.stderr, options)}`
+        };
+    }
+    const child = await spawnPackageManager(plan, args, options);
+    return {
+        exitCode: child.exitCode,
+        stdout: streamedOut(child.stdout, options),
+        stderr: streamedErr(child.stderr, options)
+    };
+}
+async function runWithProductionProxy(plan, args, options) {
+    const env = options.env ?? process.env;
+    const proxy = await startProxyWorker(plan.classification, env, options.forceOverride);
+    if ("decision" in proxy) {
+        return {
+            exitCode: EXIT_INSTALL_BLOCKED,
+            stdout: "",
+            stderr: redactSecrets(renderInstallDecision(proxy.decision))
+        };
+    }
+    const restoreSignalHandlers = installProxySignalHandlers(proxy);
+    try {
+        const proxiedPlan = {
+            ...plan,
+            childEnv: buildProxyChildEnv({
+                manager: plan.classification.manager,
+                baseEnv: plan.childEnv,
+                proxyUrl: proxy.proxyUrl,
+                caBundlePath: proxy.session.files.ca,
+                cacheDir: `${proxy.session.dir}/pm-cache`
+            })
+        };
+        const child = await spawnPackageManager(proxiedPlan, args, options);
+        const proxyState = readProxySessionState(proxy.session);
+        const rendered = renderDecisions(proxyState.decisions, env);
+        const blocked = proxyState.decisions.find((decision) => decision.action === "block");
+        if (blocked) {
+            return {
+                exitCode: EXIT_INSTALL_BLOCKED,
+                stdout: streamedOut(child.stdout, options),
+                stderr: `${rendered}${streamedErr(child.stderr, options)}`
+            };
+        }
+        if (proxyState.decisions.length === 0) {
+            // The proxy saw no artifact verdicts. If the wrapped command itself exited
+            // with an error (e.g. pip's PEP 668 externally-managed error, a resolution
+            // error, a crash before fetch), it failed for its own reasons — nothing was
+            // installed, so there is nothing to verify. Keep its non-zero exit (still
+            // fail-closed: no unverified install can SUCCEED) but propagate the
+            // command's own error instead of a misleading "block / override" decision.
+            if (child.exitCode !== 0) {
+                return {
+                    exitCode: child.exitCode,
+                    stdout: streamedOut(child.stdout, options),
+                    stderr: `${streamedErr(child.stderr, options)}\n  ? dg did not check this install — ${plan.classification.manager} exited with an error before any package was fetched.\n`
+                };
+            }
+            return {
+                exitCode: EXIT_INSTALL_BLOCKED,
+                stdout: streamedOut(child.stdout, options),
+                stderr: `${streamedErr(child.stderr, options)}${cacheOnlyNotice(plan.classification.manager)}`
+            };
+        }
+        return {
+            exitCode: child.exitCode,
+            stdout: streamedOut(child.stdout, options),
+            stderr: `${rendered}${streamedErr(child.stderr, options)}`
+        };
+    }
+    finally {
+        restoreSignalHandlers();
+        stopProxyWorker(proxy);
+    }
+}
+export function deriveLiveView(state, phase) {
+    const verified = state.decisions.filter((decision) => decision.action === "pass").length;
+    const flagged = state.decisions.filter((decision) => decision.action === "warn").length;
+    const blocked = state.decisions.find((decision) => decision.action === "block");
+    const current = state.inflight[state.inflight.length - 1];
+    return {
+        phase,
+        total: state.decisions.length + state.inflight.length,
+        verified,
+        flagged,
+        ...(current ? { current } : {}),
+        ...(blocked ? { blocked: describeBlockedInstall(blocked) } : {})
+    };
+}
+export async function runWithProductionProxyLive(plan, args, options, onView) {
+    if (options.onStdout || options.onStderr) {
+        throw new Error("live install mode renders its own UI and owns the terminal; streaming output callbacks are not supported");
+    }
+    const env = options.env ?? process.env;
+    const proxy = await startProxyWorker(plan.classification, env, options.forceOverride);
+    if ("decision" in proxy) {
+        return { exitCode: EXIT_INSTALL_BLOCKED, stdout: "", stderr: redactSecrets(renderInstallDecision(proxy.decision)) };
+    }
+    const restoreSignalHandlers = installProxySignalHandlers(proxy);
+    try {
+        const childEnv = buildProxyChildEnv({
+            manager: plan.classification.manager,
+            baseEnv: plan.childEnv,
+            proxyUrl: proxy.proxyUrl,
+            caBundlePath: proxy.session.files.ca,
+            cacheDir: `${proxy.session.dir}/pm-cache`
+        });
+        const spawner = options.spawner ?? defaultSpawner;
+        const poll = setInterval(() => {
+            onView(deriveLiveView(readProxySessionState(proxy.session), "scanning"));
+        }, 90);
+        let finished;
+        try {
+            finished = await spawner({
+                binary: plan.realBinary.path ?? "",
+                args,
+                env: childEnv
+            });
+        }
+        finally {
+            clearInterval(poll);
+        }
+        const proxyState = readProxySessionState(proxy.session);
+        onView(deriveLiveView(proxyState, "done"));
+        if (proxyState.decisions.some((decision) => decision.action === "block")) {
+            return { exitCode: EXIT_INSTALL_BLOCKED, stdout: "", stderr: "" };
+        }
+        if (proxyState.decisions.length === 0) {
+            if (finished.exitCode !== 0) {
+                return {
+                    exitCode: finished.exitCode,
+                    stdout: finished.stdout,
+                    stderr: `${finished.stderr}\n  ? dg did not check this install — ${plan.classification.manager} exited with an error before any package was fetched.\n`
+                };
+            }
+            return { exitCode: EXIT_INSTALL_BLOCKED, stdout: installOutcome(finished.stdout), stderr: cacheOnlyNotice(plan.classification.manager) };
+        }
+        return { exitCode: finished.exitCode, stdout: installOutcome(finished.stdout), stderr: "" };
+    }
+    finally {
+        restoreSignalHandlers();
+        stopProxyWorker(proxy);
+    }
+}
+function cacheOnlyNotice(manager) {
+    return `  ? dg could not verify this install — no download reached the firewall.\n  ${manager} used a local cache or file, or the packages were already installed, so nothing was fetched to check. The install itself ran; these are not covered by per-command protection. Run 'dg scan' to verify your installed packages.\n`;
+}
+function installOutcome(stdout) {
+    const lines = stdout.split("\n").filter((line) => /^Successfully installed /.test(line) ||
+        /^(added|changed|removed|updated) \d/.test(line.trim()));
+    return lines.length > 0 ? `${lines.join("\n")}\n` : "";
+}
+async function spawnPackageManager(plan, args, options) {
+    if (!plan.realBinary.path) {
+        return {
+            exitCode: EXIT_UNAVAILABLE,
+            stdout: "",
+            stderr: `real ${plan.classification.realBinaryName} binary was not found outside dg shims\n`
+        };
+    }
+    const spawner = options.spawner ?? defaultSpawner;
+    return spawner({
+        binary: plan.realBinary.path,
+        args,
+        env: plan.childEnv,
+        onStdout: options.onStdout,
+        onStderr: options.onStderr
+    });
+}
+const defaultSpawner = (request) => new Promise((resolve) => {
+    const child = spawn(request.binary, [...request.args], {
+        env: request.env,
+        stdio: ["inherit", "pipe", "pipe"]
+    });
+    const stdout = [];
+    const stderr = [];
+    const stdoutRedactor = createStreamRedactor((chunk) => {
+        stdout.push(chunk);
+        request.onStdout?.(chunk);
+    });
+    const stderrRedactor = createStreamRedactor((chunk) => {
+        stderr.push(chunk);
+        request.onStderr?.(chunk);
+    });
+    child.stdout?.on("data", (chunk) => stdoutRedactor.write(chunk.toString("utf8")));
+    child.stderr?.on("data", (chunk) => stderrRedactor.write(chunk.toString("utf8")));
+    const settle = (exitCode, extraStderr) => {
+        stdoutRedactor.flush();
+        stderrRedactor.flush();
+        if (extraStderr) {
+            const redacted = redactSecrets(extraStderr);
+            stderr.push(redacted);
+            request.onStderr?.(redacted);
+        }
+        resolve({
+            exitCode,
+            stdout: redactSecrets(stdout.join("")),
+            stderr: redactSecrets(stderr.join(""))
+        });
+    };
+    child.on("error", (error) => settle(EXIT_UNAVAILABLE, `${error.message}\n`));
+    child.on("close", (code, signal) => settle(code ?? signalExitCode(signal)));
+});
+function signalExitCode(signal) {
+    if (!signal) {
+        return EXIT_UNAVAILABLE;
+    }
+    const signalNumber = osConstants.signals[signal];
+    return signalNumber ? 128 + signalNumber : EXIT_UNAVAILABLE;
+}
+function streamedOut(captured, options) {
+    return options.onStdout ? "" : captured;
+}
+function streamedErr(captured, options) {
+    return options.onStderr ? "" : captured;
+}
+function unavailable(invoked, reason) {
+    return {
+        exitCode: EXIT_UNAVAILABLE,
+        stdout: "",
+        stderr: `${redactSecrets(invoked)} cannot run yet: ${redactSecrets(reason)}.\n`
+    };
+}
+function renderDecisions(decisions, env) {
+    const visible = isCiEnv(env) ? decisions.filter((decision) => decision.action !== "pass") : decisions;
+    return visible.map((decision) => redactSecrets(renderInstallDecision(decision))).join("");
+}
+async function startProxyWorker(classification, env, forceOverride) {
+    const paths = resolveDgPaths(env);
+    const session = createSessionSync(paths);
+    const sessionBootstrapPath = `${session.dir}/session.json`;
+    const workerPath = fileURLToPath(new URL("../proxy/worker.js", import.meta.url));
+    try {
+        writeFileSync(sessionBootstrapPath, `${JSON.stringify(session)}\n`, {
+            encoding: "utf8",
+            mode: 0o600
+        });
+        if (!existsSync(workerPath)) {
+            throw new Error("production proxy worker is not built");
+        }
+        const config = loadUserConfig(env);
+        const child = spawn(process.execPath, [workerPath, sessionBootstrapPath, config.api.baseUrl], {
+            env: {
+                ...env,
+                DG_PROXY_CLASSIFICATION: JSON.stringify(classification),
+                ...(forceOverride ? { DG_FORCE_OVERRIDE_REQUEST: JSON.stringify(forceOverride) } : {})
+            },
+            stdio: ["pipe", "pipe", "pipe"]
+        });
+        const ready = await waitForProxyReady(session);
+        if (!ready.ready || ready.port <= 0) {
+            terminateProxyProcess(child);
+            throw new Error("production proxy did not become ready");
+        }
+        return {
+            process: child,
+            session,
+            proxyUrl: `http://127.0.0.1:${ready.port}`
+        };
+    }
+    catch (error) {
+        cleanupSessionSync(session);
+        return {
+            decision: enforceProtectedInstall({
+                classification,
+                env,
+                proxyVerdict: {
+                    verdict: "block",
+                    cause: "proxy-setup-failure",
+                    reason: error instanceof Error ? error.message : "production proxy startup failed"
+                }
+            })
+        };
+    }
+}
+async function waitForProxyReady(session) {
+    const deadline = Date.now() + 2_000;
+    while (Date.now() < deadline) {
+        const state = readProxySessionState(session);
+        if (state.ready && state.port > 0) {
+            return state;
+        }
+        await delay(25);
+    }
+    return readProxySessionState(session);
+}
+function stopProxyWorker(proxy) {
+    try {
+        proxy.process.stdin.end();
+    }
+    catch {
+        // The worker may already be gone after a package-manager crash or signal.
+    }
+    terminateProxyProcess(proxy.process);
+    cleanupSessionSync(proxy.session);
+}
+function installProxySignalHandlers(proxy) {
+    const registrations = ["SIGINT", "SIGTERM"].map((signal) => {
+        const handler = () => {
+            stopProxyWorker(proxy);
+            process.exit(signal === "SIGINT" ? 130 : 143);
+        };
+        process.once(signal, handler);
+        return {
+            handler,
+            signal
+        };
+    });
+    return () => {
+        for (const registration of registrations) {
+            process.off(registration.signal, registration.handler);
+        }
+    };
+}
+function terminateProxyProcess(child) {
+    if (!isProcessAlive(child)) {
+        return;
+    }
+    child.kill("SIGTERM");
+    waitForProcessExitSync(child, 500);
+    if (isProcessAlive(child)) {
+        child.kill("SIGKILL");
+        waitForProcessExitSync(child, 500);
+    }
+}
+function waitForProcessExitSync(child, timeoutMs) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline && isProcessAlive(child)) {
+        sleepSync(25);
+    }
+}
+function isProcessAlive(child) {
+    if (!child.pid || child.exitCode !== null || child.signalCode !== null) {
+        return false;
+    }
+    try {
+        process.kill(child.pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function sleepSync(ms) {
+    Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+function shimNonce(manager, env) {
+    const existing = env.DG_SHIM_ACTIVE;
+    const next = `${manager}:${process.pid}`;
+    return existing ? `${existing},${next}` : next;
+}

package/dist/policy/evaluate.js

@@ -0,0 +1,128 @@
+import { emitWebhookEvent, recordAuditEvent } from "../audit/events.js";
+import { DEFAULT_CONFIG } from "../config/settings.js";
+export function resolveEffectivePolicy(options) {
+    if (options.orgPolicy) {
+        return {
+            mode: options.orgPolicy.mode ?? "strict",
+            trustProjectAllowlists: options.orgPolicy.trustProjectAllowlists ?? false,
+            allowForceOverride: options.orgPolicy.allowForceOverride ?? false,
+            scriptHardening: options.orgPolicy.scriptHardening ?? true,
+            source: "org"
+        };
+    }
+    if (options.userConfig) {
+        return {
+            ...options.userConfig.policy,
+            source: "user"
+        };
+    }
+    return {
+        ...DEFAULT_CONFIG.policy,
+        source: "built-in"
+    };
+}
+export function evaluatePackagePolicy(options) {
+    const trustedAllowlist = findTrustedAllowlist(options.packageName, options.policy, options.allowlists ?? []);
+    if (trustedAllowlist) {
+        return {
+            action: "pass",
+            source: "allowlist",
+            reason: `${trustedAllowlist.trustedBy} allowlist: ${trustedAllowlist.reason}`
+        };
+    }
+    if (options.policy.mode === "off") {
+        return {
+            action: "pass",
+            source: options.policy.source,
+            reason: "policy mode off"
+        };
+    }
+    if (options.verdict === "pass") {
+        return {
+            action: "pass",
+            source: options.policy.source,
+            reason: "verdict pass"
+        };
+    }
+    if (options.policy.mode === "warn") {
+        return {
+            action: "warn",
+            source: options.policy.source,
+            reason: `policy warn mode for ${options.verdict} verdict`
+        };
+    }
+    if (options.policy.mode === "strict" && options.verdict === "warn") {
+        return {
+            action: "block",
+            source: options.policy.source,
+            reason: "strict mode upgrades warn verdicts to blocks"
+        };
+    }
+    return {
+        action: options.verdict,
+        source: options.policy.source,
+        reason: `${options.policy.mode} mode keeps ${options.verdict} verdict`
+    };
+}
+export function applyForceOverride(options, env = process.env) {
+    if (!options.force) {
+        return {
+            allowed: false,
+            reason: "force override was not requested",
+            webhookQueued: false
+        };
+    }
+    if (options.currentAction !== "block") {
+        return {
+            allowed: false,
+            reason: "force override is only valid for block decisions",
+            webhookQueued: false
+        };
+    }
+    if (!options.policy.allowForceOverride) {
+        return {
+            allowed: false,
+            reason: "force override is disabled by policy",
+            webhookQueued: false
+        };
+    }
+    const event = {
+        type: "install.force_override",
+        packageName: options.packageName,
+        reason: "developer override via --dg-force-install",
+        policyMode: options.policy.mode,
+        createdAt: (options.now ?? new Date()).toISOString()
+    };
+    recordAuditEvent(event, env);
+    return {
+        allowed: true,
+        reason: event.reason,
+        webhookQueued: emitWebhookEvent(event, env)
+    };
+}
+export function scriptPolicyArgs(options) {
+    if (!options.policy.scriptHardening && options.policy.mode !== "strict") {
+        return options.existingArgs;
+    }
+    if (hasScriptDisableFlag(options.existingArgs)) {
+        return options.existingArgs;
+    }
+    if (options.manager === "yarn") {
+        return [...options.existingArgs, "--ignore-scripts"];
+    }
+    return [...options.existingArgs, "--ignore-scripts"];
+}
+function findTrustedAllowlist(packageName, policy, allowlists) {
+    return allowlists.find((entry) => {
+        if (entry.packageName !== packageName) {
+            return false;
+        }
+        if (entry.trustedBy === "project") {
+            return policy.trustProjectAllowlists;
+        }
+        return true;
+    });
+}
+function hasScriptDisableFlag(args) {
+    return args.some((arg) => arg === "--ignore-scripts" || arg === "--ignore-scripts=true");
+}

package/dist/presentation/mode.js

@@ -0,0 +1,52 @@
+export const CI_MARKERS = [
+    "GITHUB_ACTIONS",
+    "GITLAB_CI",
+    "BUILDKITE",
+    "CIRCLECI",
+    "TRAVIS",
+    "TEAMCITY_VERSION"
+];
+function truthyEnv(value) {
+    return value !== undefined && value !== "" && value !== "0" && value !== "false";
+}
+export function isCiEnv(env = process.env) {
+    if (truthyEnv(env.CI)) {
+        return true;
+    }
+    return CI_MARKERS.some((marker) => env[marker] !== undefined && env[marker] !== "");
+}
+export function colorEnabled(input) {
+    if (input.forceColorFlag) {
+        return true;
+    }
+    if (truthyEnv(input.env.FORCE_COLOR)) {
+        return true;
+    }
+    if (input.noColorFlag) {
+        return false;
+    }
+    if (input.env.NO_COLOR !== undefined && input.env.NO_COLOR !== "") {
+        return false;
+    }
+    if (input.env.DG_NO_COLOR !== undefined && input.env.DG_NO_COLOR !== "") {
+        return false;
+    }
+    if (input.env.TERM === "dumb") {
+        return false;
+    }
+    return Boolean(input.stream.isTTY);
+}
+export function resolvePresentation(options) {
+    const env = options?.env ?? process.env;
+    const stream = options?.stream ?? process.stdout;
+    const isTTY = Boolean(stream.isTTY);
+    const isCI = isCiEnv(env);
+    const color = colorEnabled({
+        stream,
+        env,
+        noColorFlag: options?.noColorFlag,
+        forceColorFlag: options?.forceColorFlag
+    });
+    const mode = isTTY && !isCI ? "rich" : "plain";
+    return { mode, color, isTTY, isCI };
+}

package/dist/presentation/theme.js

@@ -0,0 +1,29 @@
+const ANSI = {
+    block: "",
+    warn: "",
+    pass: "",
+    unknown: "",
+    muted: "",
+    accent: ""
+};
+const RESET = "";
+const BADGES = {
+    block: { word: "BLOCK", glyph: "✘", role: "block" },
+    warn: { word: "WARN", glyph: "⚠", role: "warn" },
+    pass: { word: "PASS", glyph: "✓", role: "pass" },
+    analysis_incomplete: { word: "UNKNOWN", glyph: "?", role: "unknown" }
+};
+export function severityBadge(action) {
+    return BADGES[action];
+}
+export function createTheme(color) {
+    const paint = (role, text) => color ? `${ANSI[role]}${text}${RESET}` : text;
+    return {
+        color,
+        paint,
+        badge(action) {
+            const { word, glyph, role } = BADGES[action];
+            return paint(role, `${glyph} ${word}`);
+        }
+    };
+}

package/dist/proxy/buffer-budget.js

@@ -0,0 +1,64 @@
+export class BufferBudgetError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "BufferBudgetError";
+    }
+}
+const DEFAULT_MAX_ARTIFACT_BYTES = 1024 * 1024 * 1024;
+const DEFAULT_MAX_TOTAL_BUFFERED_BYTES = 2 * 1024 * 1024 * 1024;
+let totalBufferedBytes = 0;
+export function maxArtifactBytes(env = process.env) {
+    return parseLimit(env.DG_PROXY_MAX_ARTIFACT_BYTES, DEFAULT_MAX_ARTIFACT_BYTES);
+}
+export function maxTotalBufferedBytes(env = process.env) {
+    return parseLimit(env.DG_PROXY_MAX_BUFFERED_BYTES, DEFAULT_MAX_TOTAL_BUFFERED_BYTES);
+}
+export function currentBufferedBytes() {
+    return totalBufferedBytes;
+}
+export function collectBounded(stream, options) {
+    const env = options.env ?? process.env;
+    const limit = options.limitBytes ?? maxArtifactBytes(env);
+    const totalLimit = maxTotalBufferedBytes(env);
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        let settled = false;
+        const settle = (finish) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            totalBufferedBytes -= size;
+            finish();
+        };
+        stream.on("data", (chunk) => {
+            if (settled) {
+                return;
+            }
+            size += chunk.length;
+            totalBufferedBytes += chunk.length;
+            if (size > limit) {
+                settle(() => reject(new BufferBudgetError(`${options.label} exceeded the ${limit}-byte artifact buffer limit`)));
+                stream.destroy();
+                return;
+            }
+            if (totalBufferedBytes > totalLimit) {
+                settle(() => reject(new BufferBudgetError(`proxy buffered-bytes budget exhausted while fetching ${options.label}`)));
+                stream.destroy();
+                return;
+            }
+            chunks.push(chunk);
+        });
+        stream.once("end", () => settle(() => resolve(Buffer.concat(chunks))));
+        stream.once("error", (error) => settle(() => reject(error)));
+        stream.once("close", () => settle(() => reject(new BufferBudgetError(`${options.label} connection closed before the response completed`))));
+    });
+}
+function parseLimit(raw, fallback) {
+    if (!raw) {
+        return fallback;
+    }
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}