agenteval-cli 0.8.3 → 0.8.5

package/bin/agenteval.js

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 
-const { execFileSync, execSync } = require("child_process");
-const { existsSync, mkdirSync, chmodSync, renameSync, unlinkSync } = require("fs");
+const { execFileSync } = require("child_process");
+const { createHash } = require("crypto");
+const { existsSync, mkdirSync, chmodSync, renameSync, unlinkSync, readFileSync, writeFileSync } = require("fs");
 const { join } = require("path");
 const https = require("https");
 
@@ -10,41 +11,52 @@ const CACHE_DIR = join(require("os").homedir(), ".agenteval", "bin");
 const BIN_PATH = join(CACHE_DIR, "agenteval");
 const VERSION_PATH = join(CACHE_DIR, ".version");
 
+// SHA256 checksums injected by the release workflow.
+// If all zeros, integrity check is skipped (dev/unreleased builds).
+const CHECKSUMS = {
+	"agenteval-linux-x64": "59729b785863d678fe80a97a728c95d557890c571eea66d8d2c8239630c0248b",
+	"agenteval-darwin-arm64": "b4d7d81a0be0cb7075cb651f2d5f0d365d8603b529839d4e158bda8007618718",
+	"agenteval-darwin-x64": "3712af2cfe0edb7de629da2a475d5903e4475eb3b828d1778ed83331bf7af4a5",
+};
+
 function getPlatformKey() {
-	const platform = process.platform;
-	const arch = process.arch;
-	if (platform === "darwin" && arch === "arm64") return "agenteval-darwin-arm64";
-	if (platform === "darwin" && arch === "x64") return "agenteval-darwin-x64";
-	if (platform === "linux" && arch === "x64") return "agenteval-linux-x64";
+	if (process.platform === "darwin" && process.arch === "arm64") return "agenteval-darwin-arm64";
+	if (process.platform === "darwin" && process.arch === "x64") return "agenteval-darwin-x64";
+	if (process.platform === "linux" && process.arch === "x64") return "agenteval-linux-x64";
 	return null;
 }
 
 function getPackageVersion() {
-	try {
-		return require("../package.json").version;
-	} catch {
-		return null;
-	}
+	try { return require("../package.json").version; } catch { return null; }
 }
 
 function getCachedVersion() {
-	try {
-		return require("fs").readFileSync(VERSION_PATH, "utf8").trim();
-	} catch {
-		return null;
-	}
+	try { return readFileSync(VERSION_PATH, "utf8").trim(); } catch { return null; }
+}
+
+function verifySHA256(data, expected) {
+	// Skip verification if checksums are placeholder zeros
+	if (expected.startsWith("0000000000")) return true;
+	const actual = createHash("sha256").update(data).digest("hex");
+	return actual === expected;
 }
 
-function download(url) {
+function download(url, maxRedirects) {
+	if (maxRedirects === undefined) maxRedirects = 5;
+	if (maxRedirects <= 0) return Promise.reject(new Error("Too many redirects"));
 	return new Promise((resolve, reject) => {
-		https.get(url, (res) => {
+		const parsedUrl = new URL(url);
+		const options = { hostname: parsedUrl.hostname, path: parsedUrl.pathname + parsedUrl.search, headers: { "User-Agent": "agenteval-cli" } };
+		https.get(options, (res) => {
 			if (res.statusCode === 301 || res.statusCode === 302) {
-				return download(res.headers.location).then(resolve, reject);
-			}
-			if (res.statusCode !== 200) {
-				reject(new Error(`HTTP ${res.statusCode}`));
-				return;
+				const location = res.headers.location;
+				if (!location || (!location.startsWith("https://") && !location.startsWith("https://github.com"))) {
+					reject(new Error(`Unsafe redirect to ${location}`));
+					return;
+				}
+				return download(location, maxRedirects - 1).then(resolve, reject);
 			}
+			if (res.statusCode !== 200) { reject(new Error(`HTTP ${res.statusCode}`)); return; }
 			const chunks = [];
 			res.on("data", (chunk) => chunks.push(chunk));
 			res.on("end", () => resolve(Buffer.concat(chunks)));
@@ -57,7 +69,6 @@ async function ensureBinary() {
 	const pkgVersion = getPackageVersion();
 	const cachedVersion = getCachedVersion();
 
-	// Binary exists and matches current package version
 	if (existsSync(BIN_PATH) && cachedVersion === pkgVersion) {
 		return BIN_PATH;
 	}
@@ -66,7 +77,6 @@ async function ensureBinary() {
 	if (!binary) {
 		console.error(`agenteval: unsupported platform ${process.platform}-${process.arch}`);
 		console.error("Supported: linux-x64, darwin-arm64, darwin-x64");
-		console.error("Install manually: https://github.com/lukasmetzler/agenteval/releases");
 		process.exit(1);
 	}
 
@@ -74,22 +84,23 @@ async function ensureBinary() {
 	const url = `https://github.com/${REPO}/releases/download/${version}/${binary}`;
 
 	console.error(`Downloading agenteval ${version} (${binary})...`);
-
 	mkdirSync(CACHE_DIR, { recursive: true });
 
 	const tmpPath = `${BIN_PATH}.tmp.${Date.now()}`;
 	try {
 		const data = await download(url);
-		require("fs").writeFileSync(tmpPath, data);
-		chmodSync(tmpPath, 0o755);
 
-		// Atomic replace
-		if (existsSync(BIN_PATH)) {
-			try { unlinkSync(BIN_PATH); } catch {}
+		// Verify integrity
+		const expectedHash = CHECKSUMS[binary];
+		if (!verifySHA256(data, expectedHash)) {
+			throw new Error("SHA256 checksum mismatch — download may be corrupted or tampered with");
 		}
-		renameSync(tmpPath, BIN_PATH);
-		require("fs").writeFileSync(VERSION_PATH, pkgVersion || version);
 
+		writeFileSync(tmpPath, data);
+		chmodSync(tmpPath, 0o755);
+		if (existsSync(BIN_PATH)) { try { unlinkSync(BIN_PATH); } catch {} }
+		renameSync(tmpPath, BIN_PATH);
+		writeFileSync(VERSION_PATH, pkgVersion || version);
 		console.error("Done.");
 	} catch (err) {
 		try { unlinkSync(tmpPath); } catch {}
@@ -103,7 +114,7 @@ async function ensureBinary() {
 
 ensureBinary().then((binPath) => {
 	try {
-		const result = execFileSync(binPath, process.argv.slice(2), { stdio: "inherit" });
+		execFileSync(binPath, process.argv.slice(2), { stdio: "inherit" });
 	} catch (err) {
 		process.exit(err && typeof err === "object" && "status" in err ? err.status : 1);
 	}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "agenteval-cli",
-	"version": "0.8.3",
+	"version": "0.8.5",
 	"description": "Lint, benchmark, and CI gate for AI coding instructions",
 	"keywords": [
 		"cli",