bashbros 0.1.0

package/dist/chunk-GD5VNHIN.js

@@ -0,0 +1,519 @@
+#!/usr/bin/env node
+
+// src/policy/command-filter.ts
+var CommandFilter = class {
+  constructor(policy) {
+    this.policy = policy;
+    this.allowPatterns = policy.allow.map((p) => this.globToRegex(p));
+    this.blockPatterns = policy.block.map((p) => this.globToRegex(p));
+  }
+  allowPatterns;
+  blockPatterns;
+  check(command) {
+    for (let i = 0; i < this.blockPatterns.length; i++) {
+      if (this.blockPatterns[i].test(command)) {
+        return {
+          type: "command",
+          rule: `block[${i}]: ${this.policy.block[i]}`,
+          message: `Command matches blocked pattern: ${this.policy.block[i]}`
+        };
+      }
+    }
+    if (this.policy.allow.length === 0 || this.policy.allow.includes("*")) {
+      return null;
+    }
+    const allowed = this.allowPatterns.some((pattern) => pattern.test(command));
+    if (!allowed) {
+      return {
+        type: "command",
+        rule: "allow (no match)",
+        message: "Command not in allowlist"
+      };
+    }
+    return null;
+  }
+  globToRegex(glob) {
+    const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`, "i");
+  }
+};
+
+// src/policy/path-sandbox.ts
+import { resolve } from "path";
+import { homedir } from "os";
+import { realpathSync, lstatSync, existsSync } from "fs";
+var PathSandbox = class {
+  constructor(policy) {
+    this.policy = policy;
+    this.allowedPaths = policy.allow.map((p) => this.normalizePath(p));
+    this.blockedPaths = policy.block.map((p) => this.normalizePath(p));
+  }
+  allowedPaths;
+  blockedPaths;
+  check(path) {
+    const { realPath, isSymlink } = this.resolvePath(path);
+    if (isSymlink) {
+      const originalNormalized = this.normalizePath(path);
+      if (!realPath.startsWith(originalNormalized.split("/")[0])) {
+        return {
+          type: "path",
+          rule: "symlink_escape",
+          message: `Symlink escape detected: ${path} -> ${realPath}`
+        };
+      }
+    }
+    for (const blocked of this.blockedPaths) {
+      if (realPath.startsWith(blocked) || realPath === blocked) {
+        return {
+          type: "path",
+          rule: `block: ${blocked}`,
+          message: `Access to path is blocked: ${path}`
+        };
+      }
+    }
+    if (this.policy.allow.includes("*")) {
+      return null;
+    }
+    const allowed = this.allowedPaths.some(
+      (allowedPath) => realPath.startsWith(allowedPath) || realPath === allowedPath
+    );
+    if (!allowed) {
+      return {
+        type: "path",
+        rule: "allow (outside sandbox)",
+        message: `Path is outside allowed directories: ${path}`
+      };
+    }
+    return null;
+  }
+  /**
+   * SECURITY FIX: Resolve symlinks to detect escape attempts
+   */
+  resolvePath(path) {
+    const normalizedPath = this.normalizePath(path);
+    try {
+      if (existsSync(normalizedPath)) {
+        const stats = lstatSync(normalizedPath);
+        const isSymlink = stats.isSymbolicLink();
+        const realPath = realpathSync(normalizedPath);
+        return { realPath, isSymlink };
+      }
+    } catch {
+    }
+    return { realPath: normalizedPath, isSymlink: false };
+  }
+  normalizePath(path) {
+    if (path.startsWith("~")) {
+      path = path.replace("~", homedir());
+    }
+    if (path === ".") {
+      return process.cwd();
+    }
+    return resolve(path);
+  }
+  /**
+   * Check if a path would escape the sandbox via symlink
+   */
+  isSymlinkEscape(path) {
+    const { realPath, isSymlink } = this.resolvePath(path);
+    if (!isSymlink) return false;
+    for (const blocked of this.blockedPaths) {
+      if (realPath.startsWith(blocked)) {
+        return true;
+      }
+    }
+    if (!this.policy.allow.includes("*")) {
+      const inAllowed = this.allowedPaths.some(
+        (allowedPath) => realPath.startsWith(allowedPath)
+      );
+      if (!inAllowed) {
+        return true;
+      }
+    }
+    return false;
+  }
+};
+
+// src/policy/secrets-guard.ts
+var SecretsGuard = class {
+  constructor(policy) {
+    this.policy = policy;
+    this.patterns = policy.patterns.map((p) => this.globToRegex(p));
+  }
+  patterns;
+  check(command, paths) {
+    if (!this.policy.enabled) {
+      return null;
+    }
+    for (const path of paths) {
+      if (this.isSecretPath(path)) {
+        return {
+          type: "secrets",
+          rule: `pattern match: ${path}`,
+          message: `Attempted access to sensitive file: ${path}`
+        };
+      }
+    }
+    const dangerousPatterns = [
+      // Direct file access (multiple readers)
+      /(cat|head|tail|less|more|bat)\s+.*\.env/i,
+      /(cat|head|tail|less|more|bat)\s+.*\.pem/i,
+      /(cat|head|tail|less|more|bat)\s+.*\.key/i,
+      /(cat|head|tail|less|more|bat)\s+.*credentials/i,
+      /(cat|head|tail|less|more|bat)\s+.*secret/i,
+      /(cat|head|tail|less|more|bat)\s+.*password/i,
+      /(cat|head|tail|less|more|bat)\s+.*token/i,
+      // Python/Perl/Ruby file readers
+      /python.*open\s*\(.*\.(env|pem|key)/i,
+      /python.*-c.*open/i,
+      /perl.*-[pne].*\.(env|pem|key)/i,
+      /ruby.*-e.*File\.(read|open)/i,
+      // Environment variable exposure
+      /echo\s+\$\w*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|API)/i,
+      /printenv.*(KEY|SECRET|TOKEN|PASSWORD)/i,
+      /env\s*\|\s*grep.*(KEY|SECRET|TOKEN|PASSWORD)/i,
+      // Curl/wget with secrets
+      /curl.*-d.*\$\w*(KEY|SECRET|TOKEN)/i,
+      /curl.*-H.*Authorization/i,
+      /wget.*--header.*Authorization/i,
+      // Base64 encoding (obfuscation attempt)
+      /base64.*\.env/i,
+      /base64.*\.pem/i,
+      /base64.*\.key/i,
+      /base64\s+-d/i,
+      // Decoding could reveal secrets
+      // SECURITY FIX: Command substitution bypass attempts
+      /cat\s+\$\(/i,
+      // cat $(...)
+      /cat\s+`/i,
+      // cat `...`
+      /cat\s+\$\{/i,
+      // cat ${...}
+      // SECURITY FIX: Variable indirection
+      /\w+=.*\.env.*;\s*cat\s+\$/i,
+      // VAR=.env; cat $VAR
+      /\w+=.*secret.*;\s*cat\s+\$/i,
+      // SECURITY FIX: Glob expansion bypass
+      /cat\s+\*env/i,
+      // cat *env
+      /cat\s+\.\*env/i,
+      // cat .*env
+      /cat\s+\?\?env/i,
+      // cat ??env
+      // SECURITY FIX: Printf/echo tricks
+      /printf\s+.*\\x/i,
+      // Hex encoding
+      /echo\s+-e.*\\x/i,
+      // Echo with hex
+      /echo\s+-e.*\\[0-7]/i,
+      // Octal encoding
+      // SECURITY FIX: Here-doc/here-string
+      /cat\s*<<.*\.env/i,
+      /cat\s*<<<.*secret/i,
+      // Process substitution
+      /cat\s+<\(/i,
+      // cat <(...)
+      // History/log access
+      /cat.*\.bash_history/i,
+      /cat.*\.zsh_history/i,
+      /cat.*history/i,
+      // AWS/cloud credentials
+      /cat.*\.aws\/credentials/i,
+      /cat.*\.aws\/config/i,
+      /cat.*\.kube\/config/i,
+      /cat.*\.docker\/config/i,
+      // SSH keys
+      /cat.*id_rsa/i,
+      /cat.*id_ed25519/i,
+      /cat.*id_ecdsa/i,
+      /cat.*known_hosts/i,
+      /cat.*authorized_keys/i,
+      // GPG
+      /cat.*\.gnupg/i,
+      /gpg.*--export-secret/i,
+      // Git credentials
+      /cat.*\.git-credentials/i,
+      /cat.*\.netrc/i,
+      // Database files
+      /cat.*\.pgpass/i,
+      /cat.*\.my\.cnf/i
+    ];
+    for (const pattern of dangerousPatterns) {
+      if (pattern.test(command)) {
+        return {
+          type: "secrets",
+          rule: "dangerous pattern",
+          message: "Command may expose secrets"
+        };
+      }
+    }
+    if (this.containsEncodedSecretAccess(command)) {
+      return {
+        type: "secrets",
+        rule: "encoded command",
+        message: "Command contains encoded secret access attempt"
+      };
+    }
+    return null;
+  }
+  /**
+   * SECURITY FIX: Detect base64/hex encoded secret access
+   */
+  containsEncodedSecretAccess(command) {
+    const sensitiveBase64 = [
+      "LmVudg==",
+      // .env
+      "LnBlbQ==",
+      // .pem
+      "LmtleQ==",
+      // .key
+      "aWRfcnNh",
+      // id_rsa
+      "Y3JlZGVudGlhbHM=",
+      // credentials
+      "c2VjcmV0"
+      // secret
+    ];
+    for (const encoded of sensitiveBase64) {
+      if (command.includes(encoded)) {
+        return true;
+      }
+    }
+    const sensitiveHex = [
+      "2e656e76",
+      // .env
+      "2e70656d",
+      // .pem
+      "2e6b6579",
+      // .key
+      "69645f727361"
+      // id_rsa
+    ];
+    for (const hex of sensitiveHex) {
+      if (command.toLowerCase().includes(hex)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  isSecretPath(path) {
+    const lowerPath = path.toLowerCase();
+    return this.patterns.some((pattern) => pattern.test(lowerPath));
+  }
+  globToRegex(glob) {
+    const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(escaped, "i");
+  }
+};
+
+// src/policy/rate-limiter.ts
+var RateLimiter = class {
+  constructor(policy) {
+    this.policy = policy;
+  }
+  minuteWindow = [];
+  hourWindow = [];
+  check() {
+    if (!this.policy.enabled) {
+      return null;
+    }
+    const now = Date.now();
+    this.cleanup(now);
+    if (this.minuteWindow.length >= this.policy.maxPerMinute) {
+      return {
+        type: "rate_limit",
+        rule: `maxPerMinute: ${this.policy.maxPerMinute}`,
+        message: `Rate limit exceeded: ${this.minuteWindow.length}/${this.policy.maxPerMinute} commands per minute`
+      };
+    }
+    if (this.hourWindow.length >= this.policy.maxPerHour) {
+      return {
+        type: "rate_limit",
+        rule: `maxPerHour: ${this.policy.maxPerHour}`,
+        message: `Rate limit exceeded: ${this.hourWindow.length}/${this.policy.maxPerHour} commands per hour`
+      };
+    }
+    return null;
+  }
+  record() {
+    const now = Date.now();
+    this.minuteWindow.push(now);
+    this.hourWindow.push(now);
+  }
+  cleanup(now) {
+    const oneMinuteAgo = now - 60 * 1e3;
+    const oneHourAgo = now - 60 * 60 * 1e3;
+    this.minuteWindow = this.minuteWindow.filter((t) => t > oneMinuteAgo);
+    this.hourWindow = this.hourWindow.filter((t) => t > oneHourAgo);
+  }
+  getStats() {
+    const now = Date.now();
+    this.cleanup(now);
+    return {
+      minute: this.minuteWindow.length,
+      hour: this.hourWindow.length
+    };
+  }
+};
+
+// src/session.ts
+import { existsSync as existsSync2, readFileSync, writeFileSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir as homedir2 } from "os";
+var SESSION_FILE = join(homedir2(), ".bashbros", "session-allow.json");
+function ensureDir() {
+  const dir = join(homedir2(), ".bashbros");
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+}
+function loadSession() {
+  try {
+    if (!existsSync2(SESSION_FILE)) {
+      return null;
+    }
+    const data = JSON.parse(readFileSync(SESSION_FILE, "utf-8"));
+    if (data.pid !== process.pid) {
+      const age = Date.now() - data.startTime;
+      if (age > 24 * 60 * 60 * 1e3) {
+        return null;
+      }
+    }
+    return data;
+  } catch {
+    return null;
+  }
+}
+function saveSession(data) {
+  ensureDir();
+  writeFileSync(SESSION_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+}
+function getOrCreateSession() {
+  const existing = loadSession();
+  if (existing) {
+    return existing;
+  }
+  const newSession = {
+    pid: process.pid,
+    startTime: Date.now(),
+    allowedCommands: []
+  };
+  saveSession(newSession);
+  return newSession;
+}
+function allowForSession(command) {
+  const session = getOrCreateSession();
+  if (!session.allowedCommands.includes(command)) {
+    session.allowedCommands.push(command);
+    saveSession(session);
+  }
+}
+function isAllowedForSession(command) {
+  const session = loadSession();
+  if (!session) {
+    return false;
+  }
+  if (session.allowedCommands.includes(command)) {
+    return true;
+  }
+  for (const allowed of session.allowedCommands) {
+    if (allowed.endsWith("*")) {
+      const prefix = allowed.slice(0, -1);
+      if (command.startsWith(prefix)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getSessionAllowlist() {
+  const session = loadSession();
+  return session?.allowedCommands || [];
+}
+function clearSessionAllowlist() {
+  const session = getOrCreateSession();
+  session.allowedCommands = [];
+  saveSession(session);
+}
+
+// src/policy/engine.ts
+var PolicyEngine = class {
+  constructor(config) {
+    this.config = config;
+    this.commandFilter = new CommandFilter(config.commands);
+    this.pathSandbox = new PathSandbox(config.paths);
+    this.secretsGuard = new SecretsGuard(config.secrets);
+    this.rateLimiter = new RateLimiter(config.rateLimit);
+  }
+  commandFilter;
+  pathSandbox;
+  secretsGuard;
+  rateLimiter;
+  validate(command) {
+    const violations = [];
+    const rateViolation = this.rateLimiter.check();
+    if (rateViolation) {
+      violations.push(rateViolation);
+      return violations;
+    }
+    if (isAllowedForSession(command)) {
+      this.rateLimiter.record();
+      return [];
+    }
+    const commandViolation = this.commandFilter.check(command);
+    if (commandViolation) {
+      violations.push(commandViolation);
+    }
+    const paths = this.extractPaths(command);
+    for (const path of paths) {
+      const pathViolation = this.pathSandbox.check(path);
+      if (pathViolation) {
+        violations.push(pathViolation);
+      }
+    }
+    if (this.config.secrets.enabled) {
+      const secretsViolation = this.secretsGuard.check(command, paths);
+      if (secretsViolation) {
+        violations.push(secretsViolation);
+      }
+    }
+    this.rateLimiter.record();
+    return violations;
+  }
+  extractPaths(command) {
+    const paths = [];
+    const unquoted = command.replace(/["']/g, " ");
+    const tokens = unquoted.split(/\s+/);
+    for (const token of tokens) {
+      if (token.startsWith("-") || !token) continue;
+      if (token.startsWith("/") || token.startsWith("./") || token.startsWith("../") || token.startsWith("~/") || token.startsWith("$HOME") || token.startsWith("${HOME}") || token.includes(".env") || token.includes(".pem") || token.includes(".key") || token.includes(".ssh") || token.includes(".aws") || token.includes(".gnupg") || token.includes(".kube") || token.includes("credentials") || token.includes("secret") || token.includes("password") || token.includes("id_rsa") || token.includes("id_ed25519") || // Files with extensions that might be sensitive
+      /\.(env|pem|key|crt|pfx|p12|jks|keystore)$/i.test(token)) {
+        paths.push(token);
+      }
+    }
+    const varAssignments = command.match(/\w+=[^\s;]+/g) || [];
+    for (const assignment of varAssignments) {
+      const value = assignment.split("=")[1];
+      if (value && (value.includes("/") || value.includes("."))) {
+        paths.push(value);
+      }
+    }
+    return paths;
+  }
+  isAllowed(command) {
+    return this.validate(command).length === 0;
+  }
+};
+
+export {
+  CommandFilter,
+  PathSandbox,
+  SecretsGuard,
+  RateLimiter,
+  allowForSession,
+  isAllowedForSession,
+  getSessionAllowlist,
+  clearSessionAllowlist,
+  PolicyEngine
+};
+//# sourceMappingURL=chunk-GD5VNHIN.js.map

package/dist/chunk-GD5VNHIN.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/policy/command-filter.ts","../src/policy/path-sandbox.ts","../src/policy/secrets-guard.ts","../src/policy/rate-limiter.ts","../src/session.ts","../src/policy/engine.ts"],"sourcesContent":["import type { CommandPolicy, PolicyViolation } from '../types.js'\r\n\r\nexport class CommandFilter {\r\n  private allowPatterns: RegExp[]\r\n  private blockPatterns: RegExp[]\r\n\r\n  constructor(private policy: CommandPolicy) {\r\n    this.allowPatterns = policy.allow.map(p => this.globToRegex(p))\r\n    this.blockPatterns = policy.block.map(p => this.globToRegex(p))\r\n  }\r\n\r\n  check(command: string): PolicyViolation | null {\r\n    // Check block list first (higher priority)\r\n    for (let i = 0; i < this.blockPatterns.length; i++) {\r\n      if (this.blockPatterns[i].test(command)) {\r\n        return {\r\n          type: 'command',\r\n          rule: `block[${i}]: ${this.policy.block[i]}`,\r\n          message: `Command matches blocked pattern: ${this.policy.block[i]}`\r\n        }\r\n      }\r\n    }\r\n\r\n    // If allow list is empty or contains '*', allow by default\r\n    if (this.policy.allow.length === 0 || this.policy.allow.includes('*')) {\r\n      return null\r\n    }\r\n\r\n    // Check if command matches any allow pattern\r\n    const allowed = this.allowPatterns.some(pattern => pattern.test(command))\r\n\r\n    if (!allowed) {\r\n      return {\r\n        type: 'command',\r\n        rule: 'allow (no match)',\r\n        message: 'Command not in allowlist'\r\n      }\r\n    }\r\n\r\n    return null\r\n  }\r\n\r\n  private globToRegex(glob: string): RegExp {\r\n    // Escape special regex chars except *\r\n    const escaped = glob\r\n      .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&')\r\n      .replace(/\\*/g, '.*')\r\n\r\n    return new RegExp(`^${escaped}$`, 'i')\r\n  }\r\n}\r\n","import { resolve } from 'path'\nimport { homedir } from 'os'\nimport { realpathSync, lstatSync, existsSync } from 'fs'\nimport type { PathPolicy, PolicyViolation } from '../types.js'\n\nexport class PathSandbox {\n  private allowedPaths: string[]\n  private blockedPaths: string[]\n\n  constructor(private policy: PathPolicy) {\n    this.allowedPaths = policy.allow.map(p => this.normalizePath(p))\n    this.blockedPaths = policy.block.map(p => this.normalizePath(p))\n  }\n\n  check(path: string): PolicyViolation | null {\n    // SECURITY: Resolve symlinks to get real path\n    const { realPath, isSymlink } = this.resolvePath(path)\n\n    // Check for symlink attacks\n    if (isSymlink) {\n      const originalNormalized = this.normalizePath(path)\n      // If symlink points outside of where it appears to be, block it\n      if (!realPath.startsWith(originalNormalized.split('/')[0])) {\n        return {\n          type: 'path',\n          rule: 'symlink_escape',\n          message: `Symlink escape detected: ${path} -> ${realPath}`\n        }\n      }\n    }\n\n    // Check block list first (use real path)\n    for (const blocked of this.blockedPaths) {\n      if (realPath.startsWith(blocked) || realPath === blocked) {\n        return {\n          type: 'path',\n          rule: `block: ${blocked}`,\n          message: `Access to path is blocked: ${path}`\n        }\n      }\n    }\n\n    // If allow list contains '*', allow anything not blocked\n    if (this.policy.allow.includes('*')) {\n      return null\n    }\n\n    // Check if real path is within allowed directories\n    const allowed = this.allowedPaths.some(\n      allowedPath =>\n        realPath.startsWith(allowedPath) || realPath === allowedPath\n    )\n\n    if (!allowed) {\n      return {\n        type: 'path',\n        rule: 'allow (outside sandbox)',\n        message: `Path is outside allowed directories: ${path}`\n      }\n    }\n\n    return null\n  }\n\n  /**\n   * SECURITY FIX: Resolve symlinks to detect escape attempts\n   */\n  private resolvePath(path: string): { realPath: string; isSymlink: boolean } {\n    const normalizedPath = this.normalizePath(path)\n\n    try {\n      // Check if path exists and is a symlink\n      if (existsSync(normalizedPath)) {\n        const stats = lstatSync(normalizedPath)\n        const isSymlink = stats.isSymbolicLink()\n\n        // Get real path (follows symlinks)\n        const realPath = realpathSync(normalizedPath)\n\n        return { realPath, isSymlink }\n      }\n    } catch {\n      // Path doesn't exist yet or can't be accessed\n    }\n\n    return { realPath: normalizedPath, isSymlink: false }\n  }\n\n  private normalizePath(path: string): string {\n    // Expand ~ to home directory\n    if (path.startsWith('~')) {\n      path = path.replace('~', homedir())\n    }\n\n    // Handle . as current directory\n    if (path === '.') {\n      return process.cwd()\n    }\n\n    return resolve(path)\n  }\n\n  /**\n   * Check if a path would escape the sandbox via symlink\n   */\n  isSymlinkEscape(path: string): boolean {\n    const { realPath, isSymlink } = this.resolvePath(path)\n\n    if (!isSymlink) return false\n\n    // Check if real path is in blocked list\n    for (const blocked of this.blockedPaths) {\n      if (realPath.startsWith(blocked)) {\n        return true\n      }\n    }\n\n    // Check if real path escapes allowed directories\n    if (!this.policy.allow.includes('*')) {\n      const inAllowed = this.allowedPaths.some(\n        allowedPath => realPath.startsWith(allowedPath)\n      )\n      if (!inAllowed) {\n        return true\n      }\n    }\n\n    return false\n  }\n}\n","import type { SecretsPolicy, PolicyViolation } from '../types.js'\n\nexport class SecretsGuard {\n  private patterns: RegExp[]\n\n  constructor(private policy: SecretsPolicy) {\n    this.patterns = policy.patterns.map(p => this.globToRegex(p))\n  }\n\n  check(command: string, paths: string[]): PolicyViolation | null {\n    if (!this.policy.enabled) {\n      return null\n    }\n\n    // Check command for secret file access\n    for (const path of paths) {\n      if (this.isSecretPath(path)) {\n        return {\n          type: 'secrets',\n          rule: `pattern match: ${path}`,\n          message: `Attempted access to sensitive file: ${path}`\n        }\n      }\n    }\n\n    // Check for common secret-leaking patterns in commands\n    // SECURITY FIX: Enhanced patterns to catch bypass attempts\n    const dangerousPatterns = [\n      // Direct file access (multiple readers)\n      /(cat|head|tail|less|more|bat)\\s+.*\\.env/i,\n      /(cat|head|tail|less|more|bat)\\s+.*\\.pem/i,\n      /(cat|head|tail|less|more|bat)\\s+.*\\.key/i,\n      /(cat|head|tail|less|more|bat)\\s+.*credentials/i,\n      /(cat|head|tail|less|more|bat)\\s+.*secret/i,\n      /(cat|head|tail|less|more|bat)\\s+.*password/i,\n      /(cat|head|tail|less|more|bat)\\s+.*token/i,\n\n      // Python/Perl/Ruby file readers\n      /python.*open\\s*\\(.*\\.(env|pem|key)/i,\n      /python.*-c.*open/i,\n      /perl.*-[pne].*\\.(env|pem|key)/i,\n      /ruby.*-e.*File\\.(read|open)/i,\n\n      // Environment variable exposure\n      /echo\\s+\\$\\w*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|API)/i,\n      /printenv.*(KEY|SECRET|TOKEN|PASSWORD)/i,\n      /env\\s*\\|\\s*grep.*(KEY|SECRET|TOKEN|PASSWORD)/i,\n\n      // Curl/wget with secrets\n      /curl.*-d.*\\$\\w*(KEY|SECRET|TOKEN)/i,\n      /curl.*-H.*Authorization/i,\n      /wget.*--header.*Authorization/i,\n\n      // Base64 encoding (obfuscation attempt)\n      /base64.*\\.env/i,\n      /base64.*\\.pem/i,\n      /base64.*\\.key/i,\n      /base64\\s+-d/i, // Decoding could reveal secrets\n\n      // SECURITY FIX: Command substitution bypass attempts\n      /cat\\s+\\$\\(/i,     // cat $(...)\n      /cat\\s+`/i,        // cat `...`\n      /cat\\s+\\$\\{/i,     // cat ${...}\n\n      // SECURITY FIX: Variable indirection\n      /\\w+=.*\\.env.*;\\s*cat\\s+\\$/i,  // VAR=.env; cat $VAR\n      /\\w+=.*secret.*;\\s*cat\\s+\\$/i,\n\n      // SECURITY FIX: Glob expansion bypass\n      /cat\\s+\\*env/i,    // cat *env\n      /cat\\s+\\.\\*env/i,  // cat .*env\n      /cat\\s+\\?\\?env/i,  // cat ??env\n\n      // SECURITY FIX: Printf/echo tricks\n      /printf\\s+.*\\\\x/i,   // Hex encoding\n      /echo\\s+-e.*\\\\x/i,   // Echo with hex\n      /echo\\s+-e.*\\\\[0-7]/i, // Octal encoding\n\n      // SECURITY FIX: Here-doc/here-string\n      /cat\\s*<<.*\\.env/i,\n      /cat\\s*<<<.*secret/i,\n\n      // Process substitution\n      /cat\\s+<\\(/i,      // cat <(...)\n\n      // History/log access\n      /cat.*\\.bash_history/i,\n      /cat.*\\.zsh_history/i,\n      /cat.*history/i,\n\n      // AWS/cloud credentials\n      /cat.*\\.aws\\/credentials/i,\n      /cat.*\\.aws\\/config/i,\n      /cat.*\\.kube\\/config/i,\n      /cat.*\\.docker\\/config/i,\n\n      // SSH keys\n      /cat.*id_rsa/i,\n      /cat.*id_ed25519/i,\n      /cat.*id_ecdsa/i,\n      /cat.*known_hosts/i,\n      /cat.*authorized_keys/i,\n\n      // GPG\n      /cat.*\\.gnupg/i,\n      /gpg.*--export-secret/i,\n\n      // Git credentials\n      /cat.*\\.git-credentials/i,\n      /cat.*\\.netrc/i,\n\n      // Database files\n      /cat.*\\.pgpass/i,\n      /cat.*\\.my\\.cnf/i,\n    ]\n\n    for (const pattern of dangerousPatterns) {\n      if (pattern.test(command)) {\n        return {\n          type: 'secrets',\n          rule: 'dangerous pattern',\n          message: 'Command may expose secrets'\n        }\n      }\n    }\n\n    // SECURITY FIX: Check for encoded commands\n    if (this.containsEncodedSecretAccess(command)) {\n      return {\n        type: 'secrets',\n        rule: 'encoded command',\n        message: 'Command contains encoded secret access attempt'\n      }\n    }\n\n    return null\n  }\n\n  /**\n   * SECURITY FIX: Detect base64/hex encoded secret access\n   */\n  private containsEncodedSecretAccess(command: string): boolean {\n    // Check for base64 encoded sensitive paths\n    const sensitiveBase64 = [\n      'LmVudg==',      // .env\n      'LnBlbQ==',      // .pem\n      'LmtleQ==',      // .key\n      'aWRfcnNh',      // id_rsa\n      'Y3JlZGVudGlhbHM=', // credentials\n      'c2VjcmV0',      // secret\n    ]\n\n    for (const encoded of sensitiveBase64) {\n      if (command.includes(encoded)) {\n        return true\n      }\n    }\n\n    // Check for hex encoded paths\n    const sensitiveHex = [\n      '2e656e76',      // .env\n      '2e70656d',      // .pem\n      '2e6b6579',      // .key\n      '69645f727361',  // id_rsa\n    ]\n\n    for (const hex of sensitiveHex) {\n      if (command.toLowerCase().includes(hex)) {\n        return true\n      }\n    }\n\n    return false\n  }\n\n  private isSecretPath(path: string): boolean {\n    const lowerPath = path.toLowerCase()\n\n    return this.patterns.some(pattern => pattern.test(lowerPath))\n  }\n\n  private globToRegex(glob: string): RegExp {\n    const escaped = glob\n      .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&')\n      .replace(/\\*/g, '.*')\n\n    return new RegExp(escaped, 'i')\n  }\n}\n","import type { RateLimitPolicy, PolicyViolation } from '../types.js'\r\n\r\nexport class RateLimiter {\r\n  private minuteWindow: number[] = []\r\n  private hourWindow: number[] = []\r\n\r\n  constructor(private policy: RateLimitPolicy) {}\r\n\r\n  check(): PolicyViolation | null {\r\n    if (!this.policy.enabled) {\r\n      return null\r\n    }\r\n\r\n    const now = Date.now()\r\n    this.cleanup(now)\r\n\r\n    // Check per-minute limit\r\n    if (this.minuteWindow.length >= this.policy.maxPerMinute) {\r\n      return {\r\n        type: 'rate_limit',\r\n        rule: `maxPerMinute: ${this.policy.maxPerMinute}`,\r\n        message: `Rate limit exceeded: ${this.minuteWindow.length}/${this.policy.maxPerMinute} commands per minute`\r\n      }\r\n    }\r\n\r\n    // Check per-hour limit\r\n    if (this.hourWindow.length >= this.policy.maxPerHour) {\r\n      return {\r\n        type: 'rate_limit',\r\n        rule: `maxPerHour: ${this.policy.maxPerHour}`,\r\n        message: `Rate limit exceeded: ${this.hourWindow.length}/${this.policy.maxPerHour} commands per hour`\r\n      }\r\n    }\r\n\r\n    return null\r\n  }\r\n\r\n  record(): void {\r\n    const now = Date.now()\r\n    this.minuteWindow.push(now)\r\n    this.hourWindow.push(now)\r\n  }\r\n\r\n  private cleanup(now: number): void {\r\n    const oneMinuteAgo = now - 60 * 1000\r\n    const oneHourAgo = now - 60 * 60 * 1000\r\n\r\n    this.minuteWindow = this.minuteWindow.filter(t => t > oneMinuteAgo)\r\n    this.hourWindow = this.hourWindow.filter(t => t > oneHourAgo)\r\n  }\r\n\r\n  getStats(): { minute: number; hour: number } {\r\n    const now = Date.now()\r\n    this.cleanup(now)\r\n\r\n    return {\r\n      minute: this.minuteWindow.length,\r\n      hour: this.hourWindow.length\r\n    }\r\n  }\r\n}\r\n","import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'\r\nimport { join } from 'path'\r\nimport { homedir } from 'os'\r\n\r\n/**\r\n * Session-based allowlist for temporary command permissions.\r\n * Stored in a temp file that gets cleared on restart.\r\n */\r\n\r\nconst SESSION_FILE = join(homedir(), '.bashbros', 'session-allow.json')\r\n\r\ninterface SessionData {\r\n  pid: number\r\n  startTime: number\r\n  allowedCommands: string[]\r\n}\r\n\r\nfunction ensureDir(): void {\r\n  const dir = join(homedir(), '.bashbros')\r\n  if (!existsSync(dir)) {\r\n    mkdirSync(dir, { recursive: true, mode: 0o700 })\r\n  }\r\n}\r\n\r\nfunction loadSession(): SessionData | null {\r\n  try {\r\n    if (!existsSync(SESSION_FILE)) {\r\n      return null\r\n    }\r\n\r\n    const data = JSON.parse(readFileSync(SESSION_FILE, 'utf-8'))\r\n\r\n    // Check if session is from current process\r\n    if (data.pid !== process.pid) {\r\n      // Different process - check if it's stale (older than 24 hours)\r\n      const age = Date.now() - data.startTime\r\n      if (age > 24 * 60 * 60 * 1000) {\r\n        return null\r\n      }\r\n    }\r\n\r\n    return data\r\n  } catch {\r\n    return null\r\n  }\r\n}\r\n\r\nfunction saveSession(data: SessionData): void {\r\n  ensureDir()\r\n  writeFileSync(SESSION_FILE, JSON.stringify(data, null, 2), { mode: 0o600 })\r\n}\r\n\r\nfunction getOrCreateSession(): SessionData {\r\n  const existing = loadSession()\r\n\r\n  if (existing) {\r\n    return existing\r\n  }\r\n\r\n  const newSession: SessionData = {\r\n    pid: process.pid,\r\n    startTime: Date.now(),\r\n    allowedCommands: []\r\n  }\r\n\r\n  saveSession(newSession)\r\n  return newSession\r\n}\r\n\r\n/**\r\n * Add a command to the session allowlist\r\n */\r\nexport function allowForSession(command: string): void {\r\n  const session = getOrCreateSession()\r\n\r\n  if (!session.allowedCommands.includes(command)) {\r\n    session.allowedCommands.push(command)\r\n    saveSession(session)\r\n  }\r\n}\r\n\r\n/**\r\n * Check if a command is allowed for this session\r\n */\r\nexport function isAllowedForSession(command: string): boolean {\r\n  const session = loadSession()\r\n\r\n  if (!session) {\r\n    return false\r\n  }\r\n\r\n  // Check exact match\r\n  if (session.allowedCommands.includes(command)) {\r\n    return true\r\n  }\r\n\r\n  // Check pattern match (command starts with allowed pattern)\r\n  for (const allowed of session.allowedCommands) {\r\n    if (allowed.endsWith('*')) {\r\n      const prefix = allowed.slice(0, -1)\r\n      if (command.startsWith(prefix)) {\r\n        return true\r\n      }\r\n    }\r\n  }\r\n\r\n  return false\r\n}\r\n\r\n/**\r\n * Get all commands allowed for this session\r\n */\r\nexport function getSessionAllowlist(): string[] {\r\n  const session = loadSession()\r\n  return session?.allowedCommands || []\r\n}\r\n\r\n/**\r\n * Clear the session allowlist\r\n */\r\nexport function clearSessionAllowlist(): void {\r\n  const session = getOrCreateSession()\r\n  session.allowedCommands = []\r\n  saveSession(session)\r\n}\r\n","import type { BashBrosConfig, PolicyViolation } from '../types.js'\r\nimport { CommandFilter } from './command-filter.js'\r\nimport { PathSandbox } from './path-sandbox.js'\r\nimport { SecretsGuard } from './secrets-guard.js'\r\nimport { RateLimiter } from './rate-limiter.js'\r\nimport { isAllowedForSession } from '../session.js'\r\n\r\nexport class PolicyEngine {\r\n  private commandFilter: CommandFilter\r\n  private pathSandbox: PathSandbox\r\n  private secretsGuard: SecretsGuard\r\n  private rateLimiter: RateLimiter\r\n\r\n  constructor(private config: BashBrosConfig) {\r\n    this.commandFilter = new CommandFilter(config.commands)\r\n    this.pathSandbox = new PathSandbox(config.paths)\r\n    this.secretsGuard = new SecretsGuard(config.secrets)\r\n    this.rateLimiter = new RateLimiter(config.rateLimit)\r\n  }\r\n\r\n  validate(command: string): PolicyViolation[] {\r\n    const violations: PolicyViolation[] = []\r\n\r\n    // Check rate limit first\r\n    const rateViolation = this.rateLimiter.check()\r\n    if (rateViolation) {\r\n      violations.push(rateViolation)\r\n      return violations // Early exit on rate limit\r\n    }\r\n\r\n    // Check session allowlist first (temporary permissions)\r\n    if (isAllowedForSession(command)) {\r\n      this.rateLimiter.record()\r\n      return [] // Allowed for this session\r\n    }\r\n\r\n    // Check command against allow/block lists\r\n    const commandViolation = this.commandFilter.check(command)\r\n    if (commandViolation) {\r\n      violations.push(commandViolation)\r\n    }\r\n\r\n    // Extract paths from command and check sandbox\r\n    const paths = this.extractPaths(command)\r\n    for (const path of paths) {\r\n      const pathViolation = this.pathSandbox.check(path)\r\n      if (pathViolation) {\r\n        violations.push(pathViolation)\r\n      }\r\n    }\r\n\r\n    // Check for secrets access\r\n    if (this.config.secrets.enabled) {\r\n      const secretsViolation = this.secretsGuard.check(command, paths)\r\n      if (secretsViolation) {\r\n        violations.push(secretsViolation)\r\n      }\r\n    }\r\n\r\n    // Record for rate limiting\r\n    this.rateLimiter.record()\r\n\r\n    return violations\r\n  }\r\n\r\n  private extractPaths(command: string): string[] {\r\n    const paths: string[] = []\r\n\r\n    // Remove quotes for analysis but preserve content\r\n    const unquoted = command.replace(/[\"']/g, ' ')\r\n\r\n    // Simple path extraction - look for file-like arguments\r\n    const tokens = unquoted.split(/\\s+/)\r\n\r\n    for (const token of tokens) {\r\n      // Skip flags and empty tokens\r\n      if (token.startsWith('-') || !token) continue\r\n\r\n      // Check if it looks like a path\r\n      if (\r\n        token.startsWith('/') ||\r\n        token.startsWith('./') ||\r\n        token.startsWith('../') ||\r\n        token.startsWith('~/') ||\r\n        token.startsWith('$HOME') ||\r\n        token.startsWith('${HOME}') ||\r\n        token.includes('.env') ||\r\n        token.includes('.pem') ||\r\n        token.includes('.key') ||\r\n        token.includes('.ssh') ||\r\n        token.includes('.aws') ||\r\n        token.includes('.gnupg') ||\r\n        token.includes('.kube') ||\r\n        token.includes('credentials') ||\r\n        token.includes('secret') ||\r\n        token.includes('password') ||\r\n        token.includes('id_rsa') ||\r\n        token.includes('id_ed25519') ||\r\n        // Files with extensions that might be sensitive\r\n        /\\.(env|pem|key|crt|pfx|p12|jks|keystore)$/i.test(token)\r\n      ) {\r\n        paths.push(token)\r\n      }\r\n    }\r\n\r\n    // Also extract paths from variable assignments\r\n    const varAssignments = command.match(/\\w+=[^\\s;]+/g) || []\r\n    for (const assignment of varAssignments) {\r\n      const value = assignment.split('=')[1]\r\n      if (value && (value.includes('/') || value.includes('.'))) {\r\n        paths.push(value)\r\n      }\r\n    }\r\n\r\n    return paths\r\n  }\r\n\r\n  isAllowed(command: string): boolean {\r\n    return this.validate(command).length === 0\r\n  }\r\n}\r\n"],"mappings":";;;AAEO,IAAM,gBAAN,MAAoB;AAAA,EAIzB,YAAoB,QAAuB;AAAvB;AAClB,SAAK,gBAAgB,OAAO,MAAM,IAAI,OAAK,KAAK,YAAY,CAAC,CAAC;AAC9D,SAAK,gBAAgB,OAAO,MAAM,IAAI,OAAK,KAAK,YAAY,CAAC,CAAC;AAAA,EAChE;AAAA,EANQ;AAAA,EACA;AAAA,EAOR,MAAM,SAAyC;AAE7C,aAAS,IAAI,GAAG,IAAI,KAAK,cAAc,QAAQ,KAAK;AAClD,UAAI,KAAK,cAAc,CAAC,EAAE,KAAK,OAAO,GAAG;AACvC,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM,SAAS,CAAC,MAAM,KAAK,OAAO,MAAM,CAAC,CAAC;AAAA,UAC1C,SAAS,oCAAoC,KAAK,OAAO,MAAM,CAAC,CAAC;AAAA,QACnE;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,MAAM,WAAW,KAAK,KAAK,OAAO,MAAM,SAAS,GAAG,GAAG;AACrE,aAAO;AAAA,IACT;AAGA,UAAM,UAAU,KAAK,cAAc,KAAK,aAAW,QAAQ,KAAK,OAAO,CAAC;AAExE,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,YAAY,MAAsB;AAExC,UAAM,UAAU,KACb,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,IAAI;AAEtB,WAAO,IAAI,OAAO,IAAI,OAAO,KAAK,GAAG;AAAA,EACvC;AACF;;;AClDA,SAAS,eAAe;AACxB,SAAS,eAAe;AACxB,SAAS,cAAc,WAAW,kBAAkB;AAG7C,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAoB,QAAoB;AAApB;AAClB,SAAK,eAAe,OAAO,MAAM,IAAI,OAAK,KAAK,cAAc,CAAC,CAAC;AAC/D,SAAK,eAAe,OAAO,MAAM,IAAI,OAAK,KAAK,cAAc,CAAC,CAAC;AAAA,EACjE;AAAA,EANQ;AAAA,EACA;AAAA,EAOR,MAAM,MAAsC;AAE1C,UAAM,EAAE,UAAU,UAAU,IAAI,KAAK,YAAY,IAAI;AAGrD,QAAI,WAAW;AACb,YAAM,qBAAqB,KAAK,cAAc,IAAI;AAElD,UAAI,CAAC,SAAS,WAAW,mBAAmB,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG;AAC1D,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,SAAS,4BAA4B,IAAI,OAAO,QAAQ;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAGA,eAAW,WAAW,KAAK,cAAc;AACvC,UAAI,SAAS,WAAW,OAAO,KAAK,aAAa,SAAS;AACxD,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM,UAAU,OAAO;AAAA,UACvB,SAAS,8BAA8B,IAAI;AAAA,QAC7C;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,MAAM,SAAS,GAAG,GAAG;AACnC,aAAO;AAAA,IACT;AAGA,UAAM,UAAU,KAAK,aAAa;AAAA,MAChC,iBACE,SAAS,WAAW,WAAW,KAAK,aAAa;AAAA,IACrD;AAEA,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS,wCAAwC,IAAI;AAAA,MACvD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAwD;AAC1E,UAAM,iBAAiB,KAAK,cAAc,IAAI;AAE9C,QAAI;AAEF,UAAI,WAAW,cAAc,GAAG;AAC9B,cAAM,QAAQ,UAAU,cAAc;AACtC,cAAM,YAAY,MAAM,eAAe;AAGvC,cAAM,WAAW,aAAa,cAAc;AAE5C,eAAO,EAAE,UAAU,UAAU;AAAA,MAC/B;AAAA,IACF,QAAQ;AAAA,IAER;AAEA,WAAO,EAAE,UAAU,gBAAgB,WAAW,MAAM;AAAA,EACtD;AAAA,EAEQ,cAAc,MAAsB;AAE1C,QAAI,KAAK,WAAW,GAAG,GAAG;AACxB,aAAO,KAAK,QAAQ,KAAK,QAAQ,CAAC;AAAA,IACpC;AAGA,QAAI,SAAS,KAAK;AAChB,aAAO,QAAQ,IAAI;AAAA,IACrB;AAEA,WAAO,QAAQ,IAAI;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,MAAuB;AACrC,UAAM,EAAE,UAAU,UAAU,IAAI,KAAK,YAAY,IAAI;AAErD,QAAI,CAAC,UAAW,QAAO;AAGvB,eAAW,WAAW,KAAK,cAAc;AACvC,UAAI,SAAS,WAAW,OAAO,GAAG;AAChC,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,CAAC,KAAK,OAAO,MAAM,SAAS,GAAG,GAAG;AACpC,YAAM,YAAY,KAAK,aAAa;AAAA,QAClC,iBAAe,SAAS,WAAW,WAAW;AAAA,MAChD;AACA,UAAI,CAAC,WAAW;AACd,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AC/HO,IAAM,eAAN,MAAmB;AAAA,EAGxB,YAAoB,QAAuB;AAAvB;AAClB,SAAK,WAAW,OAAO,SAAS,IAAI,OAAK,KAAK,YAAY,CAAC,CAAC;AAAA,EAC9D;AAAA,EAJQ;AAAA,EAMR,MAAM,SAAiB,OAAyC;AAC9D,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO;AAAA,IACT;AAGA,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,aAAa,IAAI,GAAG;AAC3B,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM,kBAAkB,IAAI;AAAA,UAC5B,SAAS,uCAAuC,IAAI;AAAA,QACtD;AAAA,MACF;AAAA,IACF;AAIA,UAAM,oBAAoB;AAAA;AAAA,MAExB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA;AAAA,MAGA;AAAA,MACA;AAAA,IACF;AAEA,eAAW,WAAW,mBAAmB;AACvC,UAAI,QAAQ,KAAK,OAAO,GAAG;AACzB,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,4BAA4B,OAAO,GAAG;AAC7C,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,4BAA4B,SAA0B;AAE5D,UAAM,kBAAkB;AAAA,MACtB;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,IACF;AAEA,eAAW,WAAW,iBAAiB;AACrC,UAAI,QAAQ,SAAS,OAAO,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAGA,UAAM,eAAe;AAAA,MACnB;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA;AAAA,IACF;AAEA,eAAW,OAAO,cAAc;AAC9B,UAAI,QAAQ,YAAY,EAAE,SAAS,GAAG,GAAG;AACvC,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,MAAuB;AAC1C,UAAM,YAAY,KAAK,YAAY;AAEnC,WAAO,KAAK,SAAS,KAAK,aAAW,QAAQ,KAAK,SAAS,CAAC;AAAA,EAC9D;AAAA,EAEQ,YAAY,MAAsB;AACxC,UAAM,UAAU,KACb,QAAQ,sBAAsB,MAAM,EACpC,QAAQ,OAAO,IAAI;AAEtB,WAAO,IAAI,OAAO,SAAS,GAAG;AAAA,EAChC;AACF;;;AC1LO,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAoB,QAAyB;AAAzB;AAAA,EAA0B;AAAA,EAHtC,eAAyB,CAAC;AAAA,EAC1B,aAAuB,CAAC;AAAA,EAIhC,QAAgC;AAC9B,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO;AAAA,IACT;AAEA,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,QAAQ,GAAG;AAGhB,QAAI,KAAK,aAAa,UAAU,KAAK,OAAO,cAAc;AACxD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM,iBAAiB,KAAK,OAAO,YAAY;AAAA,QAC/C,SAAS,wBAAwB,KAAK,aAAa,MAAM,IAAI,KAAK,OAAO,YAAY;AAAA,MACvF;AAAA,IACF;AAGA,QAAI,KAAK,WAAW,UAAU,KAAK,OAAO,YAAY;AACpD,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM,eAAe,KAAK,OAAO,UAAU;AAAA,QAC3C,SAAS,wBAAwB,KAAK,WAAW,MAAM,IAAI,KAAK,OAAO,UAAU;AAAA,MACnF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,SAAe;AACb,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,aAAa,KAAK,GAAG;AAC1B,SAAK,WAAW,KAAK,GAAG;AAAA,EAC1B;AAAA,EAEQ,QAAQ,KAAmB;AACjC,UAAM,eAAe,MAAM,KAAK;AAChC,UAAM,aAAa,MAAM,KAAK,KAAK;AAEnC,SAAK,eAAe,KAAK,aAAa,OAAO,OAAK,IAAI,YAAY;AAClE,SAAK,aAAa,KAAK,WAAW,OAAO,OAAK,IAAI,UAAU;AAAA,EAC9D;AAAA,EAEA,WAA6C;AAC3C,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,QAAQ,GAAG;AAEhB,WAAO;AAAA,MACL,QAAQ,KAAK,aAAa;AAAA,MAC1B,MAAM,KAAK,WAAW;AAAA,IACxB;AAAA,EACF;AACF;;;AC5DA,SAAS,cAAAA,aAAY,cAAc,eAAe,iBAAiB;AACnE,SAAS,YAAY;AACrB,SAAS,WAAAC,gBAAe;AAOxB,IAAM,eAAe,KAAKA,SAAQ,GAAG,aAAa,oBAAoB;AAQtE,SAAS,YAAkB;AACzB,QAAM,MAAM,KAAKA,SAAQ,GAAG,WAAW;AACvC,MAAI,CAACD,YAAW,GAAG,GAAG;AACpB,cAAU,KAAK,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAAA,EACjD;AACF;AAEA,SAAS,cAAkC;AACzC,MAAI;AACF,QAAI,CAACA,YAAW,YAAY,GAAG;AAC7B,aAAO;AAAA,IACT;AAEA,UAAM,OAAO,KAAK,MAAM,aAAa,cAAc,OAAO,CAAC;AAG3D,QAAI,KAAK,QAAQ,QAAQ,KAAK;AAE5B,YAAM,MAAM,KAAK,IAAI,IAAI,KAAK;AAC9B,UAAI,MAAM,KAAK,KAAK,KAAK,KAAM;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,YAAY,MAAyB;AAC5C,YAAU;AACV,gBAAc,cAAc,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AAC5E;AAEA,SAAS,qBAAkC;AACzC,QAAM,WAAW,YAAY;AAE7B,MAAI,UAAU;AACZ,WAAO;AAAA,EACT;AAEA,QAAM,aAA0B;AAAA,IAC9B,KAAK,QAAQ;AAAA,IACb,WAAW,KAAK,IAAI;AAAA,IACpB,iBAAiB,CAAC;AAAA,EACpB;AAEA,cAAY,UAAU;AACtB,SAAO;AACT;AAKO,SAAS,gBAAgB,SAAuB;AACrD,QAAM,UAAU,mBAAmB;AAEnC,MAAI,CAAC,QAAQ,gBAAgB,SAAS,OAAO,GAAG;AAC9C,YAAQ,gBAAgB,KAAK,OAAO;AACpC,gBAAY,OAAO;AAAA,EACrB;AACF;AAKO,SAAS,oBAAoB,SAA0B;AAC5D,QAAM,UAAU,YAAY;AAE5B,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,gBAAgB,SAAS,OAAO,GAAG;AAC7C,WAAO;AAAA,EACT;AAGA,aAAW,WAAW,QAAQ,iBAAiB;AAC7C,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,QAAQ,WAAW,MAAM,GAAG;AAC9B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,sBAAgC;AAC9C,QAAM,UAAU,YAAY;AAC5B,SAAO,SAAS,mBAAmB,CAAC;AACtC;AAKO,SAAS,wBAA8B;AAC5C,QAAM,UAAU,mBAAmB;AACnC,UAAQ,kBAAkB,CAAC;AAC3B,cAAY,OAAO;AACrB;;;ACrHO,IAAM,eAAN,MAAmB;AAAA,EAMxB,YAAoB,QAAwB;AAAxB;AAClB,SAAK,gBAAgB,IAAI,cAAc,OAAO,QAAQ;AACtD,SAAK,cAAc,IAAI,YAAY,OAAO,KAAK;AAC/C,SAAK,eAAe,IAAI,aAAa,OAAO,OAAO;AACnD,SAAK,cAAc,IAAI,YAAY,OAAO,SAAS;AAAA,EACrD;AAAA,EAVQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EASR,SAAS,SAAoC;AAC3C,UAAM,aAAgC,CAAC;AAGvC,UAAM,gBAAgB,KAAK,YAAY,MAAM;AAC7C,QAAI,eAAe;AACjB,iBAAW,KAAK,aAAa;AAC7B,aAAO;AAAA,IACT;AAGA,QAAI,oBAAoB,OAAO,GAAG;AAChC,WAAK,YAAY,OAAO;AACxB,aAAO,CAAC;AAAA,IACV;AAGA,UAAM,mBAAmB,KAAK,cAAc,MAAM,OAAO;AACzD,QAAI,kBAAkB;AACpB,iBAAW,KAAK,gBAAgB;AAAA,IAClC;AAGA,UAAM,QAAQ,KAAK,aAAa,OAAO;AACvC,eAAW,QAAQ,OAAO;AACxB,YAAM,gBAAgB,KAAK,YAAY,MAAM,IAAI;AACjD,UAAI,eAAe;AACjB,mBAAW,KAAK,aAAa;AAAA,MAC/B;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,QAAQ,SAAS;AAC/B,YAAM,mBAAmB,KAAK,aAAa,MAAM,SAAS,KAAK;AAC/D,UAAI,kBAAkB;AACpB,mBAAW,KAAK,gBAAgB;AAAA,MAClC;AAAA,IACF;AAGA,SAAK,YAAY,OAAO;AAExB,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,SAA2B;AAC9C,UAAM,QAAkB,CAAC;AAGzB,UAAM,WAAW,QAAQ,QAAQ,SAAS,GAAG;AAG7C,UAAM,SAAS,SAAS,MAAM,KAAK;AAEnC,eAAW,SAAS,QAAQ;AAE1B,UAAI,MAAM,WAAW,GAAG,KAAK,CAAC,MAAO;AAGrC,UACE,MAAM,WAAW,GAAG,KACpB,MAAM,WAAW,IAAI,KACrB,MAAM,WAAW,KAAK,KACtB,MAAM,WAAW,IAAI,KACrB,MAAM,WAAW,OAAO,KACxB,MAAM,WAAW,SAAS,KAC1B,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,MAAM,KACrB,MAAM,SAAS,QAAQ,KACvB,MAAM,SAAS,OAAO,KACtB,MAAM,SAAS,aAAa,KAC5B,MAAM,SAAS,QAAQ,KACvB,MAAM,SAAS,UAAU,KACzB,MAAM,SAAS,QAAQ,KACvB,MAAM,SAAS,YAAY;AAAA,MAE3B,6CAA6C,KAAK,KAAK,GACvD;AACA,cAAM,KAAK,KAAK;AAAA,MAClB;AAAA,IACF;AAGA,UAAM,iBAAiB,QAAQ,MAAM,cAAc,KAAK,CAAC;AACzD,eAAW,cAAc,gBAAgB;AACvC,YAAM,QAAQ,WAAW,MAAM,GAAG,EAAE,CAAC;AACrC,UAAI,UAAU,MAAM,SAAS,GAAG,KAAK,MAAM,SAAS,GAAG,IAAI;AACzD,cAAM,KAAK,KAAK;AAAA,MAClB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,UAAU,SAA0B;AAClC,WAAO,KAAK,SAAS,OAAO,EAAE,WAAW;AAAA,EAC3C;AACF;","names":["existsSync","homedir"]}