bashbros 0.1.0

package/dist/chunk-SG752FZC.js

@@ -0,0 +1,200 @@
+#!/usr/bin/env node
+import {
+  __require
+} from "./chunk-7OCVIDC7.js";
+
+// src/audit.ts
+import { appendFileSync, existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, statSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var MAX_LOG_SIZE = 10 * 1024 * 1024;
+var MAX_ROTATED_LOGS = 5;
+var AuditLogger = class {
+  constructor(policy) {
+    this.policy = policy;
+    const bashbrosDir = join(homedir(), ".bashbros");
+    if (!existsSync(bashbrosDir)) {
+      mkdirSync(bashbrosDir, { recursive: true, mode: 448 });
+    }
+    this.logPath = join(bashbrosDir, "audit.log");
+    this.lockPath = join(bashbrosDir, "audit.lock");
+  }
+  logPath;
+  lockPath;
+  log(entry) {
+    if (!this.policy.enabled) {
+      return;
+    }
+    const logLine = this.formatEntry(entry);
+    if (this.policy.destination === "local" || this.policy.destination === "both") {
+      this.writeLocal(logLine);
+    }
+    if (this.policy.destination === "remote" || this.policy.destination === "both") {
+      this.sendRemote(entry);
+    }
+  }
+  formatEntry(entry) {
+    const status = entry.allowed ? "ALLOWED" : "BLOCKED";
+    const violations = entry.violations.length > 0 ? ` [${entry.violations.map((v) => v.type).join(", ")}]` : "";
+    const sanitizedCommand = entry.command.replace(/[\x00-\x1f\x7f]/g, "").slice(0, 1e3);
+    return `[${entry.timestamp.toISOString()}] ${status}${violations} (${entry.duration}ms) ${sanitizedCommand}
+`;
+  }
+  /**
+   * SECURITY FIX: Write with file locking and rotation
+   */
+  writeLocal(logLine) {
+    try {
+      this.acquireLock();
+      try {
+        this.rotateIfNeeded();
+        appendFileSync(this.logPath, logLine, { mode: 384 });
+      } finally {
+        this.releaseLock();
+      }
+    } catch (error) {
+      console.error("Failed to write audit log:", error);
+    }
+  }
+  /**
+   * Simple file-based locking
+   */
+  acquireLock() {
+    const maxAttempts = 10;
+    const waitMs = 50;
+    for (let i = 0; i < maxAttempts; i++) {
+      try {
+        writeFileSync(this.lockPath, String(process.pid), { flag: "wx" });
+        return;
+      } catch (error) {
+        if (error.code === "EEXIST") {
+          try {
+            const stats = statSync(this.lockPath);
+            if (Date.now() - stats.mtimeMs > 5e3) {
+              try {
+                __require("fs").unlinkSync(this.lockPath);
+              } catch {
+              }
+            }
+          } catch {
+          }
+          this.sleep(waitMs);
+        } else {
+          throw error;
+        }
+      }
+    }
+    console.warn("Could not acquire audit log lock, proceeding without");
+  }
+  releaseLock() {
+    try {
+      __require("fs").unlinkSync(this.lockPath);
+    } catch {
+    }
+  }
+  sleep(ms) {
+    const end = Date.now() + ms;
+    while (Date.now() < end) {
+    }
+  }
+  /**
+   * Rotate log if it exceeds max size
+   */
+  rotateIfNeeded() {
+    try {
+      if (!existsSync(this.logPath)) return;
+      const stats = statSync(this.logPath);
+      if (stats.size < MAX_LOG_SIZE) return;
+      for (let i = MAX_ROTATED_LOGS - 1; i >= 0; i--) {
+        const oldPath = i === 0 ? this.logPath : `${this.logPath}.${i}`;
+        const newPath = `${this.logPath}.${i + 1}`;
+        if (existsSync(oldPath)) {
+          if (i === MAX_ROTATED_LOGS - 1) {
+            __require("fs").unlinkSync(oldPath);
+          } else {
+            renameSync(oldPath, newPath);
+          }
+        }
+      }
+    } catch (error) {
+      console.error("Failed to rotate audit log:", error);
+    }
+  }
+  /**
+   * SECURITY FIX: Secure remote transmission with HTTPS enforcement
+   */
+  async sendRemote(entry) {
+    if (!this.policy.remotePath) {
+      return;
+    }
+    let url;
+    try {
+      url = new URL(this.policy.remotePath);
+    } catch {
+      console.error("Invalid remote audit URL");
+      return;
+    }
+    if (url.protocol !== "https:") {
+      console.error("Remote audit path must use HTTPS");
+      return;
+    }
+    const sanitizedEntry = {
+      timestamp: entry.timestamp.toISOString(),
+      command: entry.command.slice(0, 1e3),
+      // Limit size
+      allowed: entry.allowed,
+      violations: entry.violations.map((v) => ({
+        type: v.type,
+        rule: v.rule.slice(0, 200),
+        message: v.message.slice(0, 500)
+      })),
+      duration: entry.duration,
+      agent: entry.agent
+    };
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 5e3);
+      await fetch(this.policy.remotePath, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "User-Agent": "BashBros/0.1.0"
+        },
+        body: JSON.stringify(sanitizedEntry),
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+    } catch (error) {
+    }
+  }
+  getLogPath() {
+    return this.logPath;
+  }
+};
+async function viewAudit(options) {
+  const logPath = join(homedir(), ".bashbros", "audit.log");
+  if (!existsSync(logPath)) {
+    console.log("No audit log found. Run some commands first.");
+    return;
+  }
+  const content = readFileSync(logPath, "utf-8");
+  let lines = content.trim().split("\n");
+  if (options.violations) {
+    lines = lines.filter((line) => line.includes("BLOCKED"));
+  }
+  const numLines = parseInt(options.lines, 10) || 50;
+  lines = lines.slice(-numLines);
+  for (const line of lines) {
+    if (line.includes("BLOCKED")) {
+      console.log("\x1B[31m" + line + "\x1B[0m");
+    } else {
+      console.log("\x1B[32m" + line + "\x1B[0m");
+    }
+  }
+}
+
+export {
+  AuditLogger,
+  viewAudit
+};
+//# sourceMappingURL=chunk-SG752FZC.js.map

package/dist/chunk-SG752FZC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/audit.ts"],"sourcesContent":["import { appendFileSync, existsSync, mkdirSync, readFileSync, writeFileSync, renameSync, statSync } from 'fs'\nimport { join } from 'path'\nimport { homedir } from 'os'\nimport type { AuditPolicy, AuditEntry } from './types.js'\n\n// Maximum log file size before rotation (10MB)\nconst MAX_LOG_SIZE = 10 * 1024 * 1024\n// Number of rotated logs to keep\nconst MAX_ROTATED_LOGS = 5\n\nexport class AuditLogger {\n  private logPath: string\n  private lockPath: string\n\n  constructor(private policy: AuditPolicy) {\n    const bashbrosDir = join(homedir(), '.bashbros')\n\n    if (!existsSync(bashbrosDir)) {\n      mkdirSync(bashbrosDir, { recursive: true, mode: 0o700 })\n    }\n\n    this.logPath = join(bashbrosDir, 'audit.log')\n    this.lockPath = join(bashbrosDir, 'audit.lock')\n  }\n\n  log(entry: AuditEntry): void {\n    if (!this.policy.enabled) {\n      return\n    }\n\n    const logLine = this.formatEntry(entry)\n\n    if (this.policy.destination === 'local' || this.policy.destination === 'both') {\n      this.writeLocal(logLine)\n    }\n\n    if (this.policy.destination === 'remote' || this.policy.destination === 'both') {\n      this.sendRemote(entry)\n    }\n  }\n\n  private formatEntry(entry: AuditEntry): string {\n    const status = entry.allowed ? 'ALLOWED' : 'BLOCKED'\n    const violations = entry.violations.length > 0\n      ? ` [${entry.violations.map(v => v.type).join(', ')}]`\n      : ''\n\n    // SECURITY: Sanitize command output (remove control characters)\n    const sanitizedCommand = entry.command\n      .replace(/[\\x00-\\x1f\\x7f]/g, '')\n      .slice(0, 1000) // Limit command length in logs\n\n    return `[${entry.timestamp.toISOString()}] ${status}${violations} (${entry.duration}ms) ${sanitizedCommand}\\n`\n  }\n\n  /**\n   * SECURITY FIX: Write with file locking and rotation\n   */\n  private writeLocal(logLine: string): void {\n    try {\n      // Simple file-based locking\n      this.acquireLock()\n\n      try {\n        // Check if rotation needed\n        this.rotateIfNeeded()\n\n        // Append to log\n        appendFileSync(this.logPath, logLine, { mode: 0o600 })\n      } finally {\n        this.releaseLock()\n      }\n    } catch (error) {\n      console.error('Failed to write audit log:', error)\n    }\n  }\n\n  /**\n   * Simple file-based locking\n   */\n  private acquireLock(): void {\n    const maxAttempts = 10\n    const waitMs = 50\n\n    for (let i = 0; i < maxAttempts; i++) {\n      try {\n        // Try to create lock file exclusively\n        writeFileSync(this.lockPath, String(process.pid), { flag: 'wx' })\n        return\n      } catch (error: any) {\n        if (error.code === 'EEXIST') {\n          // Lock exists, check if stale (older than 5 seconds)\n          try {\n            const stats = statSync(this.lockPath)\n            if (Date.now() - stats.mtimeMs > 5000) {\n              // Stale lock, remove it\n              try {\n                require('fs').unlinkSync(this.lockPath)\n              } catch { /* ignore */ }\n            }\n          } catch { /* ignore */ }\n\n          // Wait and retry\n          this.sleep(waitMs)\n        } else {\n          throw error\n        }\n      }\n    }\n\n    // Fallback: proceed without lock (better than failing)\n    console.warn('Could not acquire audit log lock, proceeding without')\n  }\n\n  private releaseLock(): void {\n    try {\n      require('fs').unlinkSync(this.lockPath)\n    } catch { /* ignore */ }\n  }\n\n  private sleep(ms: number): void {\n    const end = Date.now() + ms\n    while (Date.now() < end) {\n      // Busy wait (synchronous)\n    }\n  }\n\n  /**\n   * Rotate log if it exceeds max size\n   */\n  private rotateIfNeeded(): void {\n    try {\n      if (!existsSync(this.logPath)) return\n\n      const stats = statSync(this.logPath)\n      if (stats.size < MAX_LOG_SIZE) return\n\n      // Rotate logs\n      for (let i = MAX_ROTATED_LOGS - 1; i >= 0; i--) {\n        const oldPath = i === 0 ? this.logPath : `${this.logPath}.${i}`\n        const newPath = `${this.logPath}.${i + 1}`\n\n        if (existsSync(oldPath)) {\n          if (i === MAX_ROTATED_LOGS - 1) {\n            // Delete oldest\n            require('fs').unlinkSync(oldPath)\n          } else {\n            renameSync(oldPath, newPath)\n          }\n        }\n      }\n    } catch (error) {\n      console.error('Failed to rotate audit log:', error)\n    }\n  }\n\n  /**\n   * SECURITY FIX: Secure remote transmission with HTTPS enforcement\n   */\n  private async sendRemote(entry: AuditEntry): Promise<void> {\n    if (!this.policy.remotePath) {\n      return\n    }\n\n    // SECURITY: Validate URL\n    let url: URL\n    try {\n      url = new URL(this.policy.remotePath)\n    } catch {\n      console.error('Invalid remote audit URL')\n      return\n    }\n\n    // SECURITY: Only allow HTTPS\n    if (url.protocol !== 'https:') {\n      console.error('Remote audit path must use HTTPS')\n      return\n    }\n\n    // SECURITY: Sanitize entry before sending\n    const sanitizedEntry = {\n      timestamp: entry.timestamp.toISOString(),\n      command: entry.command.slice(0, 1000), // Limit size\n      allowed: entry.allowed,\n      violations: entry.violations.map(v => ({\n        type: v.type,\n        rule: v.rule.slice(0, 200),\n        message: v.message.slice(0, 500)\n      })),\n      duration: entry.duration,\n      agent: entry.agent\n    }\n\n    try {\n      const controller = new AbortController()\n      const timeout = setTimeout(() => controller.abort(), 5000) // 5s timeout\n\n      await fetch(this.policy.remotePath, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          'User-Agent': 'BashBros/0.1.0'\n        },\n        body: JSON.stringify(sanitizedEntry),\n        signal: controller.signal\n      })\n\n      clearTimeout(timeout)\n    } catch (error) {\n      // Silently fail for remote - don't block main operation\n      // Could implement retry queue here\n    }\n  }\n\n  getLogPath(): string {\n    return this.logPath\n  }\n}\n\nexport async function viewAudit(options: { lines: string; violations: boolean }): Promise<void> {\n  const logPath = join(homedir(), '.bashbros', 'audit.log')\n\n  if (!existsSync(logPath)) {\n    console.log('No audit log found. Run some commands first.')\n    return\n  }\n\n  const content = readFileSync(logPath, 'utf-8')\n  let lines = content.trim().split('\\n')\n\n  if (options.violations) {\n    lines = lines.filter(line => line.includes('BLOCKED'))\n  }\n\n  const numLines = parseInt(options.lines, 10) || 50\n  lines = lines.slice(-numLines)\n\n  for (const line of lines) {\n    if (line.includes('BLOCKED')) {\n      console.log('\\x1b[31m' + line + '\\x1b[0m') // Red\n    } else {\n      console.log('\\x1b[32m' + line + '\\x1b[0m') // Green\n    }\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,gBAAgB,YAAY,WAAW,cAAc,eAAe,YAAY,gBAAgB;AACzG,SAAS,YAAY;AACrB,SAAS,eAAe;AAIxB,IAAM,eAAe,KAAK,OAAO;AAEjC,IAAM,mBAAmB;AAElB,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAoB,QAAqB;AAArB;AAClB,UAAM,cAAc,KAAK,QAAQ,GAAG,WAAW;AAE/C,QAAI,CAAC,WAAW,WAAW,GAAG;AAC5B,gBAAU,aAAa,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAAA,IACzD;AAEA,SAAK,UAAU,KAAK,aAAa,WAAW;AAC5C,SAAK,WAAW,KAAK,aAAa,YAAY;AAAA,EAChD;AAAA,EAZQ;AAAA,EACA;AAAA,EAaR,IAAI,OAAyB;AAC3B,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB;AAAA,IACF;AAEA,UAAM,UAAU,KAAK,YAAY,KAAK;AAEtC,QAAI,KAAK,OAAO,gBAAgB,WAAW,KAAK,OAAO,gBAAgB,QAAQ;AAC7E,WAAK,WAAW,OAAO;AAAA,IACzB;AAEA,QAAI,KAAK,OAAO,gBAAgB,YAAY,KAAK,OAAO,gBAAgB,QAAQ;AAC9E,WAAK,WAAW,KAAK;AAAA,IACvB;AAAA,EACF;AAAA,EAEQ,YAAY,OAA2B;AAC7C,UAAM,SAAS,MAAM,UAAU,YAAY;AAC3C,UAAM,aAAa,MAAM,WAAW,SAAS,IACzC,KAAK,MAAM,WAAW,IAAI,OAAK,EAAE,IAAI,EAAE,KAAK,IAAI,CAAC,MACjD;AAGJ,UAAM,mBAAmB,MAAM,QAC5B,QAAQ,oBAAoB,EAAE,EAC9B,MAAM,GAAG,GAAI;AAEhB,WAAO,IAAI,MAAM,UAAU,YAAY,CAAC,KAAK,MAAM,GAAG,UAAU,KAAK,MAAM,QAAQ,OAAO,gBAAgB;AAAA;AAAA,EAC5G;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAW,SAAuB;AACxC,QAAI;AAEF,WAAK,YAAY;AAEjB,UAAI;AAEF,aAAK,eAAe;AAGpB,uBAAe,KAAK,SAAS,SAAS,EAAE,MAAM,IAAM,CAAC;AAAA,MACvD,UAAE;AACA,aAAK,YAAY;AAAA,MACnB;AAAA,IACF,SAAS,OAAO;AACd,cAAQ,MAAM,8BAA8B,KAAK;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAoB;AAC1B,UAAM,cAAc;AACpB,UAAM,SAAS;AAEf,aAAS,IAAI,GAAG,IAAI,aAAa,KAAK;AACpC,UAAI;AAEF,sBAAc,KAAK,UAAU,OAAO,QAAQ,GAAG,GAAG,EAAE,MAAM,KAAK,CAAC;AAChE;AAAA,MACF,SAAS,OAAY;AACnB,YAAI,MAAM,SAAS,UAAU;AAE3B,cAAI;AACF,kBAAM,QAAQ,SAAS,KAAK,QAAQ;AACpC,gBAAI,KAAK,IAAI,IAAI,MAAM,UAAU,KAAM;AAErC,kBAAI;AACF,0BAAQ,IAAI,EAAE,WAAW,KAAK,QAAQ;AAAA,cACxC,QAAQ;AAAA,cAAe;AAAA,YACzB;AAAA,UACF,QAAQ;AAAA,UAAe;AAGvB,eAAK,MAAM,MAAM;AAAA,QACnB,OAAO;AACL,gBAAM;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAGA,YAAQ,KAAK,sDAAsD;AAAA,EACrE;AAAA,EAEQ,cAAoB;AAC1B,QAAI;AACF,gBAAQ,IAAI,EAAE,WAAW,KAAK,QAAQ;AAAA,IACxC,QAAQ;AAAA,IAAe;AAAA,EACzB;AAAA,EAEQ,MAAM,IAAkB;AAC9B,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,IAEzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAuB;AAC7B,QAAI;AACF,UAAI,CAAC,WAAW,KAAK,OAAO,EAAG;AAE/B,YAAM,QAAQ,SAAS,KAAK,OAAO;AACnC,UAAI,MAAM,OAAO,aAAc;AAG/B,eAAS,IAAI,mBAAmB,GAAG,KAAK,GAAG,KAAK;AAC9C,cAAM,UAAU,MAAM,IAAI,KAAK,UAAU,GAAG,KAAK,OAAO,IAAI,CAAC;AAC7D,cAAM,UAAU,GAAG,KAAK,OAAO,IAAI,IAAI,CAAC;AAExC,YAAI,WAAW,OAAO,GAAG;AACvB,cAAI,MAAM,mBAAmB,GAAG;AAE9B,sBAAQ,IAAI,EAAE,WAAW,OAAO;AAAA,UAClC,OAAO;AACL,uBAAW,SAAS,OAAO;AAAA,UAC7B;AAAA,QACF;AAAA,MACF;AAAA,IACF,SAAS,OAAO;AACd,cAAQ,MAAM,+BAA+B,KAAK;AAAA,IACpD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,WAAW,OAAkC;AACzD,QAAI,CAAC,KAAK,OAAO,YAAY;AAC3B;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,YAAM,IAAI,IAAI,KAAK,OAAO,UAAU;AAAA,IACtC,QAAQ;AACN,cAAQ,MAAM,0BAA0B;AACxC;AAAA,IACF;AAGA,QAAI,IAAI,aAAa,UAAU;AAC7B,cAAQ,MAAM,kCAAkC;AAChD;AAAA,IACF;AAGA,UAAM,iBAAiB;AAAA,MACrB,WAAW,MAAM,UAAU,YAAY;AAAA,MACvC,SAAS,MAAM,QAAQ,MAAM,GAAG,GAAI;AAAA;AAAA,MACpC,SAAS,MAAM;AAAA,MACf,YAAY,MAAM,WAAW,IAAI,QAAM;AAAA,QACrC,MAAM,EAAE;AAAA,QACR,MAAM,EAAE,KAAK,MAAM,GAAG,GAAG;AAAA,QACzB,SAAS,EAAE,QAAQ,MAAM,GAAG,GAAG;AAAA,MACjC,EAAE;AAAA,MACF,UAAU,MAAM;AAAA,MAChB,OAAO,MAAM;AAAA,IACf;AAEA,QAAI;AACF,YAAM,aAAa,IAAI,gBAAgB;AACvC,YAAM,UAAU,WAAW,MAAM,WAAW,MAAM,GAAG,GAAI;AAEzD,YAAM,MAAM,KAAK,OAAO,YAAY;AAAA,QAClC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,cAAc;AAAA,QAChB;AAAA,QACA,MAAM,KAAK,UAAU,cAAc;AAAA,QACnC,QAAQ,WAAW;AAAA,MACrB,CAAC;AAED,mBAAa,OAAO;AAAA,IACtB,SAAS,OAAO;AAAA,IAGhB;AAAA,EACF;AAAA,EAEA,aAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AACF;AAEA,eAAsB,UAAU,SAAgE;AAC9F,QAAM,UAAU,KAAK,QAAQ,GAAG,aAAa,WAAW;AAExD,MAAI,CAAC,WAAW,OAAO,GAAG;AACxB,YAAQ,IAAI,8CAA8C;AAC1D;AAAA,EACF;AAEA,QAAM,UAAU,aAAa,SAAS,OAAO;AAC7C,MAAI,QAAQ,QAAQ,KAAK,EAAE,MAAM,IAAI;AAErC,MAAI,QAAQ,YAAY;AACtB,YAAQ,MAAM,OAAO,UAAQ,KAAK,SAAS,SAAS,CAAC;AAAA,EACvD;AAEA,QAAM,WAAW,SAAS,QAAQ,OAAO,EAAE,KAAK;AAChD,UAAQ,MAAM,MAAM,CAAC,QAAQ;AAE7B,aAAW,QAAQ,OAAO;AACxB,QAAI,KAAK,SAAS,SAAS,GAAG;AAC5B,cAAQ,IAAI,aAAa,OAAO,SAAS;AAAA,IAC3C,OAAO;AACL,cAAQ,IAAI,aAAa,OAAO,SAAS;AAAA,IAC3C;AAAA,EACF;AACF;","names":[]}

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+
+export {  }