@wrongstack/tools 0.5.7 → 0.6.1

package/dist/builtin.js

@@ -5,15 +5,11 @@ import { dirname } from 'path';
 import * as os from 'os';
 import { statSync } from 'fs';
 import * as fs9 from 'fs/promises';
+import { stat } from 'fs/promises';
 import * as dns from 'dns/promises';
 import * as net from 'net';
 
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
+// src/_spawn-stream.ts
 async function* spawnStream(opts) {
   const max = opts.maxBytes ?? 2e5;
   const flushAt = opts.flushBytes ?? 4 * 1024;
@@ -173,14 +169,14 @@ var auditTool = {
   }
 };
 async function detectManager(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   try {
-    await stat9(`${cwd}/pnpm-lock.yaml`);
+    await stat10(`${cwd}/pnpm-lock.yaml`);
     return "pnpm";
   } catch {
   }
   try {
-    await stat9(`${cwd}/yarn.lock`);
+    await stat10(`${cwd}/yarn.lock`);
     return "yarn";
   } catch {
   }
@@ -966,8 +962,8 @@ function findGitDir(cwd) {
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
-      const stat9 = statSync(path.join(dir, ".git"));
-      if (stat9.isDirectory()) return dir;
+      const stat10 = statSync(path.join(dir, ".git"));
+      if (stat10.isDirectory()) return dir;
     } catch {
     }
     const parent = path.dirname(dir);
@@ -1006,8 +1002,8 @@ async function fileDiff(input, ctx, signal) {
   const results = [];
   for (const file of files) {
     const absPath = safeResolve(file, ctx);
-    const stat9 = await fs9.stat(absPath).catch(() => null);
-    if (!stat9?.isFile()) continue;
+    const stat10 = await fs9.stat(absPath).catch(() => null);
+    if (!stat10?.isFile()) continue;
     const content = await fs9.readFile(absPath, "utf8");
     const lines = content.split(/\r?\n/);
     results.push(`--- ${file}
@@ -1105,8 +1101,8 @@ async function resolveFiles(filesInput, cwd) {
   for (const f of files) {
     const absPath = f.trim().startsWith("/") ? f.trim() : `${cwd}/${f.trim()}`;
     try {
-      const stat9 = await fs9.stat(absPath);
-      if (stat9.isFile()) resolved.push(absPath);
+      const stat10 = await fs9.stat(absPath);
+      if (stat10.isFile()) resolved.push(absPath);
     } catch {
     }
   }
@@ -1197,13 +1193,13 @@ var editTool = {
     if (input.new_string === void 0) throw new Error("edit: new_string is required");
     if (input.old_string === "") throw new Error("edit: old_string cannot be empty");
     const absPath = safeResolve(input.path, ctx);
-    const stat9 = await fs9.stat(absPath).catch((err) => {
+    const stat10 = await fs9.stat(absPath).catch((err) => {
       if (err.code === "ENOENT") {
         throw new Error(`edit: file "${input.path}" does not exist. Use \`write\` instead.`);
       }
       throw err;
     });
-    if (!stat9.isFile()) throw new Error(`edit: "${input.path}" is not a regular file`);
+    if (!stat10.isFile()) throw new Error(`edit: "${input.path}" is not a regular file`);
     if (!ctx.hasRead(absPath)) {
       throw new Error(`edit: file "${input.path}" was not read in this session. Read it first.`);
     }
@@ -1347,14 +1343,21 @@ var BLOCKED_ARG_PATTERNS = {
   // go run could execute arbitrary .go files; -ldflags could inject build-time code
   go: [/^-ldflags$/],
   // bun --preload is similar to node --require
-  bun: [/^--preload$/],
+  bun: [/^--preload$/, /^run$/, /^bunx$/, /^create$/, /^init$/],
   // docker build/run can create containers with host access;
   // only allow read-only commands (ps, images, version)
   docker: [/^build$/, /^run$/, /^exec$/, /^push$/, /^pull$/],
   // find -exec/-ok/-execdir execute arbitrary commands
   find: [/^-exec$/, /^-exec;$/, /^-ok$/, /^-ok;$/, /^-execdir$/, /^-execdir;$/, /^-exec=/, /^-ok=/, /^-execdir=/],
   // rm -rf / is catastrophic — block root and home targets
-  rm: [/^\/$/, /^\/\*$/, /^~$/]
+  rm: [/^\/$/, /^\/\*$/, /^~$/],
+  // npm run/exec/create/pack/publish can execute arbitrary scripts or publish malware
+  npm: [/^run$/, /^exec$/, /^create$/, /^init$/, /^pack$/, /^publish$/, /^deploy$/],
+  // pnpm run/dlx/exec/create can execute arbitrary scripts
+  pnpm: [/^run$/, /^dlx$/, /^exec$/, /^create$/, /^init$/, /^pack$/, /^publish$/, /^deploy$/],
+  // npx should only be used for --version; any package name is a vector for
+  // malicious package execution (typosquatting, dependency confusion)
+  npx: [/^[^\s]+$/]
 };
 function validateArgs(cmd, args) {
   const blocked = BLOCKED_ARG_PATTERNS[cmd];
@@ -1888,13 +1891,13 @@ var formatTool = {
   }
 };
 async function detectFixer(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   try {
-    await stat9(`${cwd}/biome.json`);
+    await stat10(`${cwd}/biome.json`);
     return "biome";
   } catch {
     try {
-      await stat9(`${cwd}/.prettierrc`);
+      await stat10(`${cwd}/.prettierrc`);
       return "prettier";
     } catch {
       return "biome";
@@ -1971,8 +1974,8 @@ function findGitDir2(cwd, projectRoot) {
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
-      const stat9 = statSync(`${dir}/.git`);
-      if (stat9.isDirectory()) return dir;
+      const stat10 = statSync(`${dir}/.git`);
+      if (stat10.isDirectory()) return dir;
     } catch {
     }
     if (dir === root) break;
@@ -2145,12 +2148,17 @@ async function readGitignore(dir) {
 }
 
 // src/_regex.ts
-var MAX_PATTERN_LEN = 512;
+var MAX_PATTERN_LEN = 256;
 var DANGEROUS_PATTERNS = [
-  /(\([^)]*[+*][^)]*\))[+*]/,
   // (a+)+, (.*)+, etc — nested quantifier on a group with internal quantifier
-  /(\(\?:[^)]*[+*][^)]*\))[+*]/
-  // same, with non-capturing group
+  /(\([^)]*[+*][^)]*\))[+*]/,
+  /(\(\?:[^)]*[+*][^)]*\))[+*]/,
+  // Adjacent quantifiers: a++ a*+
+  /[+*]{2,}/,
+  // Quantifier on alternation with length 2+
+  /\([^|)]+\|[^)]+\)[+*][+*]/,
+  // Greedy quantifier inside lookahead/lookbehind — (?!.*a+)
+  /[\(\[][^)\]]*[+*][^)\]]*[\)\]][^)]*\?\??/
 ];
 function compileUserRegex(pattern, flags) {
   if (typeof pattern !== "string") {
@@ -2406,8 +2414,8 @@ async function runNative(input, base, mode, limit, signal) {
         if (globRe && !globRe.test(e.name) && !globRe.test(full)) continue;
         if (globRe) globRe.lastIndex = 0;
         try {
-          const stat9 = await fs9.stat(full);
-          if (stat9.size > 1e6) continue;
+          const stat10 = await fs9.stat(full);
+          if (stat10.size > 1e6) continue;
           const head = await fs9.readFile(full);
           if (isBinaryBuffer(head)) continue;
           const text = head.toString("utf8");
@@ -2546,13 +2554,13 @@ var installTool = {
   }
 };
 async function detectPackageManager(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   try {
-    await stat9(`${cwd}/pnpm-lock.yaml`);
+    await stat10(`${cwd}/pnpm-lock.yaml`);
     return "pnpm";
   } catch {
     try {
-      await stat9(`${cwd}/yarn.lock`);
+      await stat10(`${cwd}/yarn.lock`);
       return "yarn";
     } catch {
       return "npm";
@@ -2759,11 +2767,11 @@ var lintTool = {
   }
 };
 async function detectLinter(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   const checks = ["biome.json", ".eslintrc.json", "tslint.json", ".eslintrc.js", "tsconfig.json"];
   for (const f of checks) {
     try {
-      await stat9(`${cwd}/${f}`);
+      await stat10(`${cwd}/${f}`);
       if (f.includes("biome")) return "biome";
       if (f.includes("eslint")) return "eslint";
       if (f.includes("tslint")) return "tslint";
@@ -2996,14 +3004,13 @@ var outdatedTool = {
   }
 };
 async function detectManager2(cwd) {
-  const { stat: stat9 } = __require("fs/promises");
   try {
-    await stat9(`${cwd}/pnpm-lock.yaml`);
+    await stat(`${cwd}/pnpm-lock.yaml`);
     return "pnpm";
   } catch {
   }
   try {
-    await stat9(`${cwd}/yarn.lock`);
+    await stat(`${cwd}/yarn.lock`);
     return "yarn";
   } catch {
   }
@@ -3339,17 +3346,17 @@ var readTool = {
   async execute(input, ctx) {
     if (!input?.path) throw new Error("read: path is required");
     const absPath = safeResolve(input.path, ctx);
-    let stat9;
+    let stat10;
     try {
-      stat9 = await fs9.stat(absPath);
+      stat10 = await fs9.stat(absPath);
     } catch (err) {
       const code = err.code;
       if (code === "ENOENT") throw new Error(`read: file not found "${input.path}"`);
       throw new Error(`read: failed to stat "${input.path}": ${err instanceof Error ? err.message : String(err)}`);
     }
-    if (!stat9.isFile()) throw new Error(`read: "${input.path}" is not a regular file`);
-    if (stat9.size > MAX_BYTES2) {
-      throw new Error(`read: file too large (${stat9.size} bytes, limit ${MAX_BYTES2})`);
+    if (!stat10.isFile()) throw new Error(`read: "${input.path}" is not a regular file`);
+    if (stat10.size > MAX_BYTES2) {
+      throw new Error(`read: file too large (${stat10.size} bytes, limit ${MAX_BYTES2})`);
     }
     const buf = await fs9.readFile(absPath);
     if (isBinaryBuffer(buf)) {
@@ -3361,14 +3368,14 @@ var readTool = {
     const offset = Math.max(1, input.offset ?? 1);
     const limit = Math.max(0, Math.min(input.limit ?? 2e3, 5e3));
     if (limit === 0) {
-      ctx.recordRead(absPath, stat9.mtimeMs);
+      ctx.recordRead(absPath, stat10.mtimeMs);
       return { text: "", total_lines: total, encoding: "utf8", truncated: total > 0 };
     }
     const slice = allLines.slice(offset - 1, offset - 1 + limit);
     const truncated = offset - 1 + slice.length < total;
     const width = String(offset + slice.length - 1).length;
     const numbered = slice.map((line, i) => `${String(offset + i).padStart(width, " ")}\u2192${line}`).join("\n");
-    ctx.recordRead(absPath, stat9.mtimeMs);
+    ctx.recordRead(absPath, stat10.mtimeMs);
     return {
       text: numbered,
       total_lines: total,
@@ -3435,8 +3442,8 @@ var replaceTool = {
       }
       const rel = path.relative(ctx.projectRoot, realPath);
       if (rel.startsWith("..") || path.isAbsolute(rel)) continue;
-      const stat9 = await fs9.stat(realPath).catch(() => null);
-      if (!stat9 || !stat9.isFile()) continue;
+      const stat10 = await fs9.stat(realPath).catch(() => null);
+      if (!stat10 || !stat10.isFile()) continue;
       let content;
       try {
         const buf = await fs9.readFile(realPath);
@@ -3461,7 +3468,7 @@ var replaceTool = {
       totalReplacements += count;
       if (!dryRun) {
         const newContent = toStyle(newContentLf, style);
-        await atomicWrite(realPath, newContent, { mode: stat9.mode & 511 });
+        await atomicWrite(realPath, newContent, { mode: stat10.mode & 511 });
       }
       const diff = dryRun || matches.length > 0 ? unifiedDiff(content, toStyle(newContentLf, style), {
         fromFile: absPath,
@@ -3491,8 +3498,8 @@ async function resolveFiles2(filesInput, ctx, extraGlob) {
   const resolved = [];
   for (const p of parts) {
     const absPath = safeResolve(p, ctx);
-    const stat9 = await fs9.stat(absPath).catch(() => null);
-    if (stat9?.isFile()) {
+    const stat10 = await fs9.stat(absPath).catch(() => null);
+    if (stat10?.isFile()) {
       resolved.push(absPath);
     }
   }
@@ -3551,8 +3558,8 @@ async function globNative(pattern, base, extraGlob) {
       if (DEFAULT_IGNORE3.includes(e.name)) continue;
       const full = path.join(dir, e.name);
       try {
-        const stat9 = await fs9.lstat(full);
-        if (stat9.isSymbolicLink()) continue;
+        const stat10 = await fs9.lstat(full);
+        if (stat10.isSymbolicLink()) continue;
       } catch {
         continue;
       }
@@ -3728,7 +3735,7 @@ async function handleBuiltIn(name, templateFiles, cwd, ctx, dryRun, vars) {
     const fullPath = target;
     if (!dryRun) {
       await fs9.mkdir(path.dirname(fullPath), { recursive: true });
-      await fs9.writeFile(fullPath, substituteVars(content, name, vars), "utf8");
+      await atomicWrite(fullPath, substituteVars(content, name, vars));
     }
     files.push(resolvedPath);
     filesCreated++;
@@ -4038,11 +4045,11 @@ var testTool = {
   }
 };
 async function detectRunner(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   const candidates = ["vitest.config.ts", "jest.config.js", ".mocharc.json"];
   for (const f of candidates) {
     try {
-      await stat9(path.join(cwd, f));
+      await stat10(path.join(cwd, f));
       if (f.includes("vitest")) return "vitest";
       if (f.includes("jest")) return "jest";
       if (f.includes("mocha")) return "mocha";
@@ -4661,11 +4668,11 @@ var typecheckTool = {
   }
 };
 async function findTsConfig(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   const candidates = ["tsconfig.json", "tsconfig.base.json"];
   for (const f of candidates) {
     try {
-      const s = await stat9(path.join(cwd, f));
+      const s = await stat10(path.join(cwd, f));
       if (s.isFile()) return path.join(cwd, f);
     } catch {
     }
@@ -4695,12 +4702,12 @@ var writeTool = {
     let existed = false;
     let prev = "";
     try {
-      const stat10 = await fs9.stat(absPath);
-      existed = stat10.isFile();
+      const stat11 = await fs9.stat(absPath);
+      existed = stat11.isFile();
       if (existed) {
         if (!ctx.hasRead(absPath)) {
           prev = await fs9.readFile(absPath, "utf8");
-          ctx.recordRead(absPath, stat10.mtimeMs);
+          ctx.recordRead(absPath, stat11.mtimeMs);
         } else {
           prev = await fs9.readFile(absPath, "utf8");
         }
@@ -4713,8 +4720,8 @@ var writeTool = {
     await atomicWrite(absPath, input.content);
     const diff = existed ? unifiedDiff(prev, input.content, { fromFile: input.path, toFile: input.path }) : `+++ ${input.path}
 + (new file, ${input.content.split("\n").length} lines)`;
-    const stat9 = await fs9.stat(absPath);
-    ctx.recordRead(absPath, stat9.mtimeMs);
+    const stat10 = await fs9.stat(absPath);
+    ctx.recordRead(absPath, stat10.mtimeMs);
     ctx.session.recordFileChange({
       path: absPath,
       action: existed ? "modified" : "created",