@wrongstack/tools 0.5.7 → 0.6.1

package/dist/index.js

@@ -1,4 +1,5 @@
 import * as fs4 from 'fs/promises';
+import { stat } from 'fs/promises';
 import * as path from 'path';
 import { dirname } from 'path';
 import { atomicWrite, unifiedDiff, detectNewlineStyle, normalizeToLf, toStyle, compileGlob, buildChildEnv, stripAnsi, loadPlan, emptyPlan, clearPlan, savePlan, getPlanTemplate, addPlanItem, deriveTodosFromPlanItem, removePlanItem, setPlanItemStatus, formatPlan } from '@wrongstack/core';
@@ -8,12 +9,7 @@ import * as dns from 'dns/promises';
 import * as net from 'net';
 import { statSync } from 'fs';
 
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
+// src/read.ts
 function resolvePath(input, ctx) {
   return path.isAbsolute(input) ? path.normalize(input) : path.resolve(ctx.cwd, input);
 }
@@ -67,17 +63,17 @@ var readTool = {
   async execute(input, ctx) {
     if (!input?.path) throw new Error("read: path is required");
     const absPath = safeResolve(input.path, ctx);
-    let stat9;
+    let stat10;
     try {
-      stat9 = await fs4.stat(absPath);
+      stat10 = await fs4.stat(absPath);
     } catch (err) {
       const code = err.code;
       if (code === "ENOENT") throw new Error(`read: file not found "${input.path}"`);
       throw new Error(`read: failed to stat "${input.path}": ${err instanceof Error ? err.message : String(err)}`);
     }
-    if (!stat9.isFile()) throw new Error(`read: "${input.path}" is not a regular file`);
-    if (stat9.size > MAX_BYTES) {
-      throw new Error(`read: file too large (${stat9.size} bytes, limit ${MAX_BYTES})`);
+    if (!stat10.isFile()) throw new Error(`read: "${input.path}" is not a regular file`);
+    if (stat10.size > MAX_BYTES) {
+      throw new Error(`read: file too large (${stat10.size} bytes, limit ${MAX_BYTES})`);
     }
     const buf = await fs4.readFile(absPath);
     if (isBinaryBuffer(buf)) {
@@ -89,14 +85,14 @@ var readTool = {
     const offset = Math.max(1, input.offset ?? 1);
     const limit = Math.max(0, Math.min(input.limit ?? 2e3, 5e3));
     if (limit === 0) {
-      ctx.recordRead(absPath, stat9.mtimeMs);
+      ctx.recordRead(absPath, stat10.mtimeMs);
       return { text: "", total_lines: total, encoding: "utf8", truncated: total > 0 };
     }
     const slice = allLines.slice(offset - 1, offset - 1 + limit);
     const truncated = offset - 1 + slice.length < total;
     const width = String(offset + slice.length - 1).length;
     const numbered = slice.map((line, i) => `${String(offset + i).padStart(width, " ")}\u2192${line}`).join("\n");
-    ctx.recordRead(absPath, stat9.mtimeMs);
+    ctx.recordRead(absPath, stat10.mtimeMs);
     return {
       text: numbered,
       total_lines: total,
@@ -128,12 +124,12 @@ var writeTool = {
     let existed = false;
     let prev = "";
     try {
-      const stat10 = await fs4.stat(absPath);
-      existed = stat10.isFile();
+      const stat11 = await fs4.stat(absPath);
+      existed = stat11.isFile();
       if (existed) {
         if (!ctx.hasRead(absPath)) {
           prev = await fs4.readFile(absPath, "utf8");
-          ctx.recordRead(absPath, stat10.mtimeMs);
+          ctx.recordRead(absPath, stat11.mtimeMs);
         } else {
           prev = await fs4.readFile(absPath, "utf8");
         }
@@ -146,8 +142,8 @@ var writeTool = {
     await atomicWrite(absPath, input.content);
     const diff = existed ? unifiedDiff(prev, input.content, { fromFile: input.path, toFile: input.path }) : `+++ ${input.path}
 + (new file, ${input.content.split("\n").length} lines)`;
-    const stat9 = await fs4.stat(absPath);
-    ctx.recordRead(absPath, stat9.mtimeMs);
+    const stat10 = await fs4.stat(absPath);
+    ctx.recordRead(absPath, stat10.mtimeMs);
     ctx.session.recordFileChange({
       path: absPath,
       action: existed ? "modified" : "created",
@@ -186,13 +182,13 @@ var editTool = {
     if (input.new_string === void 0) throw new Error("edit: new_string is required");
     if (input.old_string === "") throw new Error("edit: old_string cannot be empty");
     const absPath = safeResolve(input.path, ctx);
-    const stat9 = await fs4.stat(absPath).catch((err) => {
+    const stat10 = await fs4.stat(absPath).catch((err) => {
       if (err.code === "ENOENT") {
         throw new Error(`edit: file "${input.path}" does not exist. Use \`write\` instead.`);
       }
       throw err;
     });
-    if (!stat9.isFile()) throw new Error(`edit: "${input.path}" is not a regular file`);
+    if (!stat10.isFile()) throw new Error(`edit: "${input.path}" is not a regular file`);
     if (!ctx.hasRead(absPath)) {
       throw new Error(`edit: file "${input.path}" was not read in this session. Read it first.`);
     }
@@ -281,12 +277,17 @@ function findSimilarity(haystack, needle) {
 }
 
 // src/_regex.ts
-var MAX_PATTERN_LEN = 512;
+var MAX_PATTERN_LEN = 256;
 var DANGEROUS_PATTERNS = [
-  /(\([^)]*[+*][^)]*\))[+*]/,
   // (a+)+, (.*)+, etc — nested quantifier on a group with internal quantifier
-  /(\(\?:[^)]*[+*][^)]*\))[+*]/
-  // same, with non-capturing group
+  /(\([^)]*[+*][^)]*\))[+*]/,
+  /(\(\?:[^)]*[+*][^)]*\))[+*]/,
+  // Adjacent quantifiers: a++ a*+
+  /[+*]{2,}/,
+  // Quantifier on alternation with length 2+
+  /\([^|)]+\|[^)]+\)[+*][+*]/,
+  // Greedy quantifier inside lookahead/lookbehind — (?!.*a+)
+  /[\(\[][^)\]]*[+*][^)\]]*[\)\]][^)]*\?\??/
 ];
 function compileUserRegex(pattern, flags) {
   if (typeof pattern !== "string") {
@@ -379,8 +380,8 @@ var replaceTool = {
       }
       const rel = path.relative(ctx.projectRoot, realPath);
       if (rel.startsWith("..") || path.isAbsolute(rel)) continue;
-      const stat9 = await fs4.stat(realPath).catch(() => null);
-      if (!stat9 || !stat9.isFile()) continue;
+      const stat10 = await fs4.stat(realPath).catch(() => null);
+      if (!stat10 || !stat10.isFile()) continue;
       let content;
       try {
         const buf = await fs4.readFile(realPath);
@@ -405,7 +406,7 @@ var replaceTool = {
       totalReplacements += count;
       if (!dryRun) {
         const newContent = toStyle(newContentLf, style);
-        await atomicWrite(realPath, newContent, { mode: stat9.mode & 511 });
+        await atomicWrite(realPath, newContent, { mode: stat10.mode & 511 });
       }
       const diff = dryRun || matches.length > 0 ? unifiedDiff(content, toStyle(newContentLf, style), {
         fromFile: absPath,
@@ -435,8 +436,8 @@ async function resolveFiles(filesInput, ctx, extraGlob) {
   const resolved = [];
   for (const p of parts) {
     const absPath = safeResolve(p, ctx);
-    const stat9 = await fs4.stat(absPath).catch(() => null);
-    if (stat9?.isFile()) {
+    const stat10 = await fs4.stat(absPath).catch(() => null);
+    if (stat10?.isFile()) {
       resolved.push(absPath);
     }
   }
@@ -495,8 +496,8 @@ async function globNative(pattern, base, extraGlob) {
       if (DEFAULT_IGNORE.includes(e.name)) continue;
       const full = path.join(dir, e.name);
       try {
-        const stat9 = await fs4.lstat(full);
-        if (stat9.isSymbolicLink()) continue;
+        const stat10 = await fs4.lstat(full);
+        if (stat10.isSymbolicLink()) continue;
       } catch {
         continue;
       }
@@ -812,8 +813,8 @@ async function runNative(input, base, mode, limit, signal) {
         if (globRe && !globRe.test(e.name) && !globRe.test(full)) continue;
         if (globRe) globRe.lastIndex = 0;
         try {
-          const stat9 = await fs4.stat(full);
-          if (stat9.size > 1e6) continue;
+          const stat10 = await fs4.stat(full);
+          if (stat10.size > 1e6) continue;
           const head = await fs4.readFile(full);
           if (isBinaryBuffer(head)) continue;
           const text = head.toString("utf8");
@@ -1485,14 +1486,21 @@ var BLOCKED_ARG_PATTERNS = {
   // go run could execute arbitrary .go files; -ldflags could inject build-time code
   go: [/^-ldflags$/],
   // bun --preload is similar to node --require
-  bun: [/^--preload$/],
+  bun: [/^--preload$/, /^run$/, /^bunx$/, /^create$/, /^init$/],
   // docker build/run can create containers with host access;
   // only allow read-only commands (ps, images, version)
   docker: [/^build$/, /^run$/, /^exec$/, /^push$/, /^pull$/],
   // find -exec/-ok/-execdir execute arbitrary commands
   find: [/^-exec$/, /^-exec;$/, /^-ok$/, /^-ok;$/, /^-execdir$/, /^-execdir;$/, /^-exec=/, /^-ok=/, /^-execdir=/],
   // rm -rf / is catastrophic — block root and home targets
-  rm: [/^\/$/, /^\/\*$/, /^~$/]
+  rm: [/^\/$/, /^\/\*$/, /^~$/],
+  // npm run/exec/create/pack/publish can execute arbitrary scripts or publish malware
+  npm: [/^run$/, /^exec$/, /^create$/, /^init$/, /^pack$/, /^publish$/, /^deploy$/],
+  // pnpm run/dlx/exec/create can execute arbitrary scripts
+  pnpm: [/^run$/, /^dlx$/, /^exec$/, /^create$/, /^init$/, /^pack$/, /^publish$/, /^deploy$/],
+  // npx should only be used for --version; any package name is a vector for
+  // malicious package execution (typosquatting, dependency confusion)
+  npx: [/^[^\s]+$/]
 };
 function validateArgs(cmd, args) {
   const blocked = BLOCKED_ARG_PATTERNS[cmd];
@@ -2412,8 +2420,8 @@ function findGitDir(cwd, projectRoot) {
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
-      const stat9 = statSync(`${dir}/.git`);
-      if (stat9.isDirectory()) return dir;
+      const stat10 = statSync(`${dir}/.git`);
+      if (stat10.isDirectory()) return dir;
     } catch {
     }
     if (dir === root) break;
@@ -2798,8 +2806,8 @@ function findGitDir2(cwd) {
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
-      const stat9 = statSync(path.join(dir, ".git"));
-      if (stat9.isDirectory()) return dir;
+      const stat10 = statSync(path.join(dir, ".git"));
+      if (stat10.isDirectory()) return dir;
     } catch {
     }
     const parent = path.dirname(dir);
@@ -2838,8 +2846,8 @@ async function fileDiff(input, ctx, signal) {
   const results = [];
   for (const file of files) {
     const absPath = safeResolve(file, ctx);
-    const stat9 = await fs4.stat(absPath).catch(() => null);
-    if (!stat9?.isFile()) continue;
+    const stat10 = await fs4.stat(absPath).catch(() => null);
+    if (!stat10?.isFile()) continue;
     const content = await fs4.readFile(absPath, "utf8");
     const lines = content.split(/\r?\n/);
     results.push(`--- ${file}
@@ -3181,11 +3189,11 @@ var lintTool = {
   }
 };
 async function detectLinter(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   const checks = ["biome.json", ".eslintrc.json", "tslint.json", ".eslintrc.js", "tsconfig.json"];
   for (const f of checks) {
     try {
-      await stat9(`${cwd}/${f}`);
+      await stat10(`${cwd}/${f}`);
       if (f.includes("biome")) return "biome";
       if (f.includes("eslint")) return "eslint";
       if (f.includes("tslint")) return "tslint";
@@ -3280,13 +3288,13 @@ var formatTool = {
   }
 };
 async function detectFixer(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   try {
-    await stat9(`${cwd}/biome.json`);
+    await stat10(`${cwd}/biome.json`);
     return "biome";
   } catch {
     try {
-      await stat9(`${cwd}/.prettierrc`);
+      await stat10(`${cwd}/.prettierrc`);
       return "prettier";
     } catch {
       return "biome";
@@ -3362,11 +3370,11 @@ var typecheckTool = {
   }
 };
 async function findTsConfig(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   const candidates = ["tsconfig.json", "tsconfig.base.json"];
   for (const f of candidates) {
     try {
-      const s = await stat9(path.join(cwd, f));
+      const s = await stat10(path.join(cwd, f));
       if (s.isFile()) return path.join(cwd, f);
     } catch {
     }
@@ -3443,11 +3451,11 @@ var testTool = {
   }
 };
 async function detectRunner(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   const candidates = ["vitest.config.ts", "jest.config.js", ".mocharc.json"];
   for (const f of candidates) {
     try {
-      await stat9(path.join(cwd, f));
+      await stat10(path.join(cwd, f));
       if (f.includes("vitest")) return "vitest";
       if (f.includes("jest")) return "jest";
       if (f.includes("mocha")) return "mocha";
@@ -3618,13 +3626,13 @@ var installTool = {
   }
 };
 async function detectPackageManager(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   try {
-    await stat9(`${cwd}/pnpm-lock.yaml`);
+    await stat10(`${cwd}/pnpm-lock.yaml`);
     return "pnpm";
   } catch {
     try {
-      await stat9(`${cwd}/yarn.lock`);
+      await stat10(`${cwd}/yarn.lock`);
       return "yarn";
     } catch {
       return "npm";
@@ -3683,14 +3691,14 @@ var auditTool = {
   }
 };
 async function detectManager(cwd) {
-  const { stat: stat9 } = await import('fs/promises');
+  const { stat: stat10 } = await import('fs/promises');
   try {
-    await stat9(`${cwd}/pnpm-lock.yaml`);
+    await stat10(`${cwd}/pnpm-lock.yaml`);
     return "pnpm";
   } catch {
   }
   try {
-    await stat9(`${cwd}/yarn.lock`);
+    await stat10(`${cwd}/yarn.lock`);
     return "yarn";
   } catch {
   }
@@ -3778,14 +3786,13 @@ var outdatedTool = {
   }
 };
 async function detectManager2(cwd) {
-  const { stat: stat9 } = __require("fs/promises");
   try {
-    await stat9(`${cwd}/pnpm-lock.yaml`);
+    await stat(`${cwd}/pnpm-lock.yaml`);
     return "pnpm";
   } catch {
   }
   try {
-    await stat9(`${cwd}/yarn.lock`);
+    await stat(`${cwd}/yarn.lock`);
     return "yarn";
   } catch {
   }
@@ -4121,8 +4128,8 @@ async function resolveFiles2(filesInput, cwd) {
   for (const f of files) {
     const absPath = f.trim().startsWith("/") ? f.trim() : `${cwd}/${f.trim()}`;
     try {
-      const stat9 = await fs4.stat(absPath);
-      if (stat9.isFile()) resolved.push(absPath);
+      const stat10 = await fs4.stat(absPath);
+      if (stat10.isFile()) resolved.push(absPath);
     } catch {
     }
   }
@@ -4345,7 +4352,7 @@ async function handleBuiltIn(name, templateFiles, cwd, ctx, dryRun, vars) {
     const fullPath = target;
     if (!dryRun) {
       await fs4.mkdir(path.dirname(fullPath), { recursive: true });
-      await fs4.writeFile(fullPath, substituteVars(content, name, vars), "utf8");
+      await atomicWrite(fullPath, substituteVars(content, name, vars));
     }
     files.push(resolvedPath);
     filesCreated++;