bugproof 0.1.1

package/dist/utils/paths.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Normalizes a path to consistently use forward slashes (/) across all platforms.
+ * This ensures artifact portability between Windows, Linux, and macOS.
+ */
+export declare function normalizeArtifactPath(p: string): string;
+/**
+ * Converts a portable artifact path back to the platform-specific path separator.
+ * Useful during replay on a host machine.
+ */
+export declare function toPlatformPath(artifactPath: string): string;
+/**
+ * Reconstructs the absolute path on the host during replay,
+ * mapping the original absolute path to a temporary replay directory.
+ *
+ * @param originalPath The absolute path captured in the artifact
+ * @param tempReplayRoot The root of the temporary replay environment
+ */
+export declare function mapToReplayEnvironment(originalPath: string, tempReplayRoot: string): string;
+//# sourceMappingURL=paths.d.ts.map

package/dist/utils/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAGvD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAoB3F"}

package/dist/utils/paths.js

@@ -0,0 +1,43 @@
+import * as path from 'path';
+/**
+ * Normalizes a path to consistently use forward slashes (/) across all platforms.
+ * This ensures artifact portability between Windows, Linux, and macOS.
+ */
+export function normalizeArtifactPath(p) {
+    // Use posix-style normalization for the artifact internal representations
+    return p.split(path.sep).join(path.posix.sep);
+}
+/**
+ * Converts a portable artifact path back to the platform-specific path separator.
+ * Useful during replay on a host machine.
+ */
+export function toPlatformPath(artifactPath) {
+    return artifactPath.split(path.posix.sep).join(path.sep);
+}
+/**
+ * Reconstructs the absolute path on the host during replay,
+ * mapping the original absolute path to a temporary replay directory.
+ *
+ * @param originalPath The absolute path captured in the artifact
+ * @param tempReplayRoot The root of the temporary replay environment
+ */
+export function mapToReplayEnvironment(originalPath, tempReplayRoot) {
+    // Strip the leading root from the original path (e.g. C:\ or /)
+    // so it can be appended safely to the temp root.
+    // Handle Windows absolute paths (e.g., D:\path\to\file or C:/path/to/file)
+    // regardless of the current platform, since artifact paths may be cross-platform
+    const windowsAbsolutePattern = /^[A-Z]:[/\\]/i;
+    if (windowsAbsolutePattern.test(originalPath)) {
+        // Strip the drive letter and colon (e.g., "D:\" -> "")
+        const pathWithoutRoot = originalPath.slice(2);
+        // Normalize to forward slashes for cross-platform consistency
+        // Explicitly replace both forward and backward slashes with forward slashes
+        const normalized = pathWithoutRoot.replace(/\\/g, '/').replace(/\/+/g, '/');
+        return path.posix.join(tempReplayRoot, normalized);
+    }
+    // Handle Unix absolute paths
+    const parsed = path.parse(originalPath);
+    const pathWithoutRoot = originalPath.slice(parsed.root.length);
+    return path.join(tempReplayRoot, pathWithoutRoot);
+}
+//# sourceMappingURL=paths.js.map

package/dist/utils/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,CAAS;IAC7C,0EAA0E;IAC1E,OAAO,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,YAAoB;IACjD,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,YAAoB,EAAE,cAAsB;IACjF,gEAAgE;IAChE,iDAAiD;IAEjD,2EAA2E;IAC3E,iFAAiF;IACjF,MAAM,sBAAsB,GAAG,eAAe,CAAC;IAC/C,IAAI,sBAAsB,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9C,uDAAuD;QACvD,MAAM,eAAe,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC9C,8DAA8D;QAC9D,4EAA4E;QAC5E,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;IACrD,CAAC;IAED,6BAA6B;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,eAAe,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/D,OAAO,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;AACpD,CAAC"}

package/dist/utils/secrets.d.ts

@@ -0,0 +1,13 @@
+export declare const SECRET_PATTERNS: RegExp[];
+export interface SecretScanResult {
+    hasSecrets: boolean;
+    detectedKeys: string[];
+}
+export declare function scanEnvironmentForSecrets(env: NodeJS.ProcessEnv): SecretScanResult;
+export declare function buildEnvironmentSchema(env: NodeJS.ProcessEnv, detectedSecrets: string[]): {
+    required: string[];
+    optional: string[];
+    secrets: string[];
+    captured_env_keys: string[];
+};
+//# sourceMappingURL=secrets.d.ts.map

package/dist/utils/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/utils/secrets.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,UAU3B,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,gBAAgB,CAwBlF;AAED,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG;IAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,iBAAiB,EAAE,MAAM,EAAE,CAAA;CAAE,CAkBpL"}

package/dist/utils/secrets.js

@@ -0,0 +1,52 @@
+export const SECRET_PATTERNS = [
+    /api_?key/i,
+    /secret/i,
+    /token/i,
+    /password/i,
+    /bearer/i,
+    /aws_secret_access_key/i,
+    /github_token/i,
+    /stripe_sk_/i,
+    /^[A-Z0-9]{20,128}$/ // Likely tokens (bounded to prevent excessive matching)
+];
+export function scanEnvironmentForSecrets(env) {
+    const detectedKeys = [];
+    for (const [key, value] of Object.entries(env)) {
+        if (!value)
+            continue;
+        // Check if key matches known secret patterns
+        let isSecret = false;
+        for (const pattern of SECRET_PATTERNS) {
+            if (pattern.test(key) || (pattern.test(value) && value.length > 15)) {
+                isSecret = true;
+                break;
+            }
+        }
+        if (isSecret) {
+            detectedKeys.push(key);
+        }
+    }
+    return {
+        hasSecrets: detectedKeys.length > 0,
+        detectedKeys
+    };
+}
+export function buildEnvironmentSchema(env, detectedSecrets) {
+    // In a real scenario, we'd determine which env vars are actually required by the app.
+    // For v0.1, we classify everything non-standard as 'optional' unless explicitly mapped,
+    // except secrets which are separated out.
+    const standardKeys = ['PATH', 'HOME', 'USER', 'SHELL', 'TEMP', 'TMPDIR', 'USERPROFILE'];
+    const optional = [];
+    const required = []; // We will let users specify required later, or infer
+    const secrets = [...detectedSecrets];
+    const captured_env_keys = Object.keys(env);
+    for (const key of Object.keys(env)) {
+        if (standardKeys.includes(key))
+            continue;
+        if (secrets.includes(key))
+            continue;
+        optional.push(key);
+    }
+    return { required, optional, secrets, captured_env_keys };
+}
+//# sourceMappingURL=secrets.js.map

package/dist/utils/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/utils/secrets.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,WAAW;IACX,SAAS;IACT,QAAQ;IACR,WAAW;IACX,SAAS;IACT,wBAAwB;IACxB,eAAe;IACf,aAAa;IACb,oBAAoB,CAAC,wDAAwD;CAC9E,CAAC;AAOF,MAAM,UAAU,yBAAyB,CAAC,GAAsB;IAC9D,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,6CAA6C;QAC7C,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,EAAE,CAAC;gBACpE,QAAQ,GAAG,IAAI,CAAC;gBAChB,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC;QACnC,YAAY;KACb,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,GAAsB,EAAE,eAAyB;IACtF,sFAAsF;IACtF,wFAAwF;IACxF,0CAA0C;IAC1C,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;IAExF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAa,EAAE,CAAC,CAAC,qDAAqD;IACpF,MAAM,OAAO,GAAG,CAAC,GAAG,eAAe,CAAC,CAAC;IACrC,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QACpC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;AAC5D,CAAC"}

package/dist/utils/security.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Security validation utilities for BugProof.
+ * Prevents path traversal, command injection, git ref injection,
+ * and environment variable hijacking from untrusted artifact data.
+ */
+/**
+ * Validates that a resolved file path stays within the expected boundary directory.
+ * Prevents path traversal attacks via `../` sequences.
+ */
+export declare function isPathWithinBoundary(filePath: string, boundaryDir: string): boolean;
+/**
+ * Validates a git ref string to prevent flag injection.
+ * Git interprets arguments starting with `-` as flags, so we reject those.
+ * Accepts: hex commit SHAs, branch names (alphanumeric, dots, slashes, dashes, underscores).
+ */
+export declare function isValidGitRef(ref: string): boolean;
+/**
+ * Environment variable names that must NEVER be overridden from untrusted artifact data.
+ * These can be used to hijack process execution.
+ */
+export declare const DANGEROUS_ENV_VARS: Set<string>;
+/**
+ * Filters an environment record, removing keys that could hijack execution.
+ * Used during replay to prevent artifact environment from overriding critical host vars.
+ */
+export declare function sanitizeArtifactEnvironment(artifactEnv: Record<string, string>): Record<string, string>;
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAInF;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAOlD;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,aA0B7B,CAAC;AAEH;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAClC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQxB"}

package/dist/utils/security.js

@@ -0,0 +1,75 @@
+/**
+ * Security validation utilities for BugProof.
+ * Prevents path traversal, command injection, git ref injection,
+ * and environment variable hijacking from untrusted artifact data.
+ */
+import * as path from 'path';
+/**
+ * Validates that a resolved file path stays within the expected boundary directory.
+ * Prevents path traversal attacks via `../` sequences.
+ */
+export function isPathWithinBoundary(filePath, boundaryDir) {
+    const resolved = path.resolve(filePath);
+    const boundary = path.resolve(boundaryDir);
+    return resolved.startsWith(boundary + path.sep) || resolved === boundary;
+}
+/**
+ * Validates a git ref string to prevent flag injection.
+ * Git interprets arguments starting with `-` as flags, so we reject those.
+ * Accepts: hex commit SHAs, branch names (alphanumeric, dots, slashes, dashes, underscores).
+ */
+export function isValidGitRef(ref) {
+    if (!ref || ref.length === 0 || ref.length > 256)
+        return false;
+    // Must not start with a dash (flag injection)
+    if (ref.startsWith('-'))
+        return false;
+    // Allow hex SHAs or branch-like names
+    // Valid chars: a-z, A-Z, 0-9, /, ., _, -
+    return /^[a-zA-Z0-9._/-]+$/.test(ref);
+}
+/**
+ * Environment variable names that must NEVER be overridden from untrusted artifact data.
+ * These can be used to hijack process execution.
+ */
+export const DANGEROUS_ENV_VARS = new Set([
+    'PATH',
+    'LD_PRELOAD',
+    'LD_LIBRARY_PATH',
+    'DYLD_INSERT_LIBRARIES',
+    'DYLD_LIBRARY_PATH',
+    'NODE_OPTIONS',
+    'NODE_PATH',
+    'HOME',
+    'USERPROFILE',
+    'SHELL',
+    'COMSPEC',
+    'SYSTEMROOT',
+    'WINDIR',
+    'PYTHONPATH',
+    'RUBYLIB',
+    'PERL5LIB',
+    'TEMP',
+    'TMP',
+    'TMPDIR',
+    'APPDATA',
+    'LOCALAPPDATA',
+    'XDG_RUNTIME_DIR',
+    'NODE_EXTRA_CA_CERTS',
+    'SSL_CERT_FILE',
+    'CURL_CA_BUNDLE',
+]);
+/**
+ * Filters an environment record, removing keys that could hijack execution.
+ * Used during replay to prevent artifact environment from overriding critical host vars.
+ */
+export function sanitizeArtifactEnvironment(artifactEnv) {
+    const safe = {};
+    for (const [key, val] of Object.entries(artifactEnv)) {
+        if (!DANGEROUS_ENV_VARS.has(key.toUpperCase())) {
+            safe[key] = val;
+        }
+    }
+    return safe;
+}
+//# sourceMappingURL=security.js.map

package/dist/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB,EAAE,WAAmB;IACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3C,OAAO,QAAQ,CAAC,UAAU,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,QAAQ,CAAC;AAC3E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/D,8CAA8C;IAC9C,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,sCAAsC;IACtC,yCAAyC;IACzC,OAAO,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,MAAM;IACN,YAAY;IACZ,iBAAiB;IACjB,uBAAuB;IACvB,mBAAmB;IACnB,cAAc;IACd,WAAW;IACX,MAAM;IACN,aAAa;IACb,OAAO;IACP,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,YAAY;IACZ,SAAS;IACT,UAAU;IACV,MAAM;IACN,KAAK;IACL,QAAQ;IACR,SAAS;IACT,cAAc;IACd,iBAAiB;IACjB,qBAAqB;IACrB,eAAe;IACf,gBAAgB;CACjB,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,WAAmC;IAEnC,MAAM,IAAI,GAA2B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/utils/ui.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Colored terminal output for BugProof CLI.
+ * Uses ANSI codes directly so we avoid ESM-only import issues with chalk v5.
+ */
+export declare const c: {
+    bold: (t: string) => string;
+    dim: (t: string) => string;
+    red: (t: string) => string;
+    green: (t: string) => string;
+    yellow: (t: string) => string;
+    blue: (t: string) => string;
+    magenta: (t: string) => string;
+    cyan: (t: string) => string;
+    gray: (t: string) => string;
+};
+export declare const icons: {
+    check: string;
+    cross: string;
+    warning: string;
+    arrow: string;
+    bug: string;
+    box: string;
+    dot: string;
+};
+export declare function banner(text: string): void;
+export declare function success(msg: string): void;
+export declare function warn(msg: string): void;
+export declare function error(msg: string): void;
+export declare function info(msg: string): void;
+export declare function kvLine(key: string, value: string): void;
+//# sourceMappingURL=ui.d.ts.map

package/dist/utils/ui.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ui.d.ts","sourceRoot":"","sources":["../../src/utils/ui.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,eAAO,MAAM,CAAC;cACC,MAAM;aACN,MAAM;aACN,MAAM;eACN,MAAM;gBACN,MAAM;cACN,MAAM;iBACN,MAAM;cACN,MAAM;cACN,MAAM;CACpB,CAAC;AAEF,eAAO,MAAM,KAAK;;;;;;;;CAQjB,CAAC;AAEF,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAOzC;AAED,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAEzC;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAEtC;AAED,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAEvC;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAEtC;AAED,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAEvD"}

package/dist/utils/ui.js

@@ -0,0 +1,54 @@
+/**
+ * Colored terminal output for BugProof CLI.
+ * Uses ANSI codes directly so we avoid ESM-only import issues with chalk v5.
+ */
+const isColorSupported = process.stdout.isTTY && !process.env['NO_COLOR'];
+function wrap(code, resetCode, text) {
+    if (!isColorSupported)
+        return text;
+    return `\x1b[${code}m${text}\x1b[${resetCode}m`;
+}
+export const c = {
+    bold: (t) => wrap(1, 22, t),
+    dim: (t) => wrap(2, 22, t),
+    red: (t) => wrap(31, 39, t),
+    green: (t) => wrap(32, 39, t),
+    yellow: (t) => wrap(33, 39, t),
+    blue: (t) => wrap(34, 39, t),
+    magenta: (t) => wrap(35, 39, t),
+    cyan: (t) => wrap(36, 39, t),
+    gray: (t) => wrap(90, 39, t),
+};
+export const icons = {
+    check: isColorSupported ? '\u2714' : '+',
+    cross: isColorSupported ? '\u2718' : 'x',
+    warning: isColorSupported ? '\u26A0' : '!',
+    arrow: isColorSupported ? '\u279C' : '>', // Sleeker arrow
+    bug: isColorSupported ? '\uD83E\uDEB2' : '*', // Beetle emoji for modern look
+    box: isColorSupported ? '\u25A0' : '#',
+    dot: isColorSupported ? '\u2022' : '-',
+};
+export function banner(text) {
+    const line = '\u2500'.repeat(Math.max(text.length + 4, 40));
+    console.log();
+    console.log(c.cyan(`\u256D${line}\u256E`));
+    console.log(c.cyan(`\u2502  ${c.bold(text.padEnd(line.length - 2))}\u2502`));
+    console.log(c.cyan(`\u2570${line}\u256F`));
+    console.log();
+}
+export function success(msg) {
+    console.log(`  ${c.green(icons.check)} ${msg}`);
+}
+export function warn(msg) {
+    console.log(`  ${c.yellow(icons.warning)} ${msg}`);
+}
+export function error(msg) {
+    console.log(`  ${c.red(icons.cross)} ${msg}`);
+}
+export function info(msg) {
+    console.log(`  ${c.blue(icons.arrow)} ${msg}`);
+}
+export function kvLine(key, value) {
+    console.log(`  ${c.dim(key.padEnd(16))} ${value}`);
+}
+//# sourceMappingURL=ui.js.map

package/dist/utils/ui.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ui.js","sourceRoot":"","sources":["../../src/utils/ui.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAE1E,SAAS,IAAI,CAAC,IAAY,EAAE,SAAiB,EAAE,IAAY;IACzD,IAAI,CAAC,gBAAgB;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,QAAQ,IAAI,IAAI,IAAI,QAAQ,SAAS,GAAG,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,MAAM,CAAC,GAAG;IACf,IAAI,EAAK,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,GAAG,EAAM,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,GAAG,EAAM,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvC,KAAK,EAAI,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvC,MAAM,EAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,EAAK,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvC,OAAO,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,EAAK,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,EAAK,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;CACxC,CAAC;AAEF,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,KAAK,EAAI,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG;IAC1C,KAAK,EAAI,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG;IAC1C,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG;IAC1C,KAAK,EAAI,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,gBAAgB;IAC5D,GAAG,EAAM,gBAAgB,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,EAAE,+BAA+B;IACjF,GAAG,EAAM,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG;IAC1C,GAAG,EAAM,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG;CAC3C,CAAC;AAEF,MAAM,UAAU,MAAM,CAAC,IAAY;IACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,IAAI,QAAQ,CAAC,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC7E,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,IAAI,QAAQ,CAAC,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,EAAE,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,GAAW;IACjC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAW;IAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,KAAK,CAAC,GAAW;IAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAW;IAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,GAAW,EAAE,KAAa;IAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC;AACrD,CAAC"}

package/package.json

@@ -0,0 +1,80 @@
+{
+  "name": "bugproof",
+  "version": "0.1.1",
+  "description": "Executable bug artifacts — portable, reproducible bug reports",
+  "main": "dist/cli.js",
+  "type": "module",
+  "bin": {
+    "bugproof": "dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "postinstall": "node scripts/postinstall.cjs",
+    "prepublishOnly": "npm run build && npm run test && npm run lint",
+    "dev": "tsx watch src/index.ts",
+    "test": "jest",
+    "test:watch": "jest --watch",
+    "test:coverage": "jest --coverage",
+    "lint": "eslint src --ext .ts",
+    "format": "prettier --write 'src/**/*.ts'",
+    "cli": "tsx src/cli.ts",
+    "test:e2e": "node scripts/e2e-matrix.js",
+    "test:comprehensive": "node scripts/comprehensive-test.js",
+    "release": "node scripts/release.cjs"
+  },
+  "keywords": [
+    "bug",
+    "reproducible",
+    "artifact",
+    "cli",
+    "debugging",
+    "issue-tracking",
+    "portable"
+  ],
+  "author": "BugProof Contributors",
+  "license": "MIT",
+  "devDependencies": {
+    "@types/archiver": "^7.0.0",
+    "@types/extract-zip": "^2.0.0",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^20.0.0",
+    "@typescript-eslint/eslint-plugin": "^6.0.0",
+    "@typescript-eslint/parser": "^6.0.0",
+    "eslint": "^8.0.0",
+    "jest": "^29.7.0",
+    "node-ssh": "^13.2.1",
+    "prettier": "^3.0.0",
+    "ts-jest": "^29.4.9",
+    "tsx": "^4.0.0",
+    "typescript": "^5.0.0"
+  },
+  "dependencies": {
+    "archiver": "^7.0.1",
+    "commander": "^11.0.0",
+    "extract-zip": "^2.0.1"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "dist",
+    "assets",
+    "scripts/bugproof-file-association-*.sh",
+    "scripts/bugproof-file-association-*.reg",
+    "scripts/postinstall.cjs",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "directories": {
+    "doc": "docs"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sidinsearch/BugProof.git"
+  },
+  "bugs": {
+    "url": "https://github.com/sidinsearch/BugProof/issues"
+  },
+  "homepage": "https://github.com/sidinsearch/BugProof#readme"
+}

package/scripts/bugproof-file-association-linux.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+# BugProof Linux file association setup
+# Registers .bug files and creates MIME type association
+
+set -e
+
+echo "🐧 Setting up BugProof file associations on Linux..."
+
+# Create MIME type file
+MIME_FILE="/usr/share/mime/packages/bugproof-bug.xml"
+if [ -f "$MIME_FILE" ]; then
+  echo "✓ MIME type already registered"
+else
+  sudo tee "$MIME_FILE" > /dev/null <<'EOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
+  <mime-type type="application/x-bugproof">
+    <comment>BugProof Bug Artifact</comment>
+    <glob pattern="*.bug"/>
+    <magic priority="50">
+      <match type="string" value="PK\x03\x04" offset="0"/>
+    </magic>
+  </mime-type>
+</mime-info>
+EOF
+  echo "✓ MIME type registered at $MIME_FILE"
+fi
+
+# Update MIME database
+if command -v update-mime-database &> /dev/null; then
+  sudo update-mime-database /usr/share/mime
+  echo "✓ MIME database updated"
+fi
+
+# Create .desktop file for replay action
+DESKTOP_REPLAY="/usr/share/applications/bugproof-replay.desktop"
+sudo tee "$DESKTOP_REPLAY" > /dev/null <<'EOF'
+[Desktop Entry]
+Type=Application
+Name=BugProof Replay
+Exec=bugproof replay %F
+MimeType=application/x-bugproof
+Icon=bugproof
+NoDisplay=true
+EOF
+echo "✓ Desktop entry created for replay"
+
+# Create .desktop file for inspect action
+DESKTOP_INSPECT="/usr/share/applications/bugproof-inspect.desktop"
+sudo tee "$DESKTOP_INSPECT" > /dev/null <<'EOF'
+[Desktop Entry]
+Type=Application
+Name=BugProof Inspect
+Exec=bugproof inspect %F
+MimeType=application/x-bugproof
+Icon=bugproof
+NoDisplay=true
+EOF
+echo "✓ Desktop entry created for inspect"
+
+# Install icon
+ICON_DIR="/usr/share/icons/hicolor/512x512/apps"
+if [ -d "$ICON_DIR" ]; then
+  sudo cp assets/icon-512x512.png "$ICON_DIR/bugproof.png" 2>/dev/null || true
+  echo "✓ Icon installed to $ICON_DIR"
+fi
+
+# Set default handler for .bug files
+if command -v xdg-mime &> /dev/null; then
+  xdg-mime default bugproof-replay.desktop application/x-bugproof
+  echo "✓ Set default handler to BugProof Replay"
+fi
+
+echo ""
+echo "✅ BugProof file association setup complete!"
+echo ""
+echo "🎯 You can now:"
+echo "  • Double-click .bug files to replay them"
+echo "  • Right-click → Open With → BugProof Replay"
+echo "  • Command: bugproof replay artifact.bug"

package/scripts/bugproof-file-association-macos.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# BugProof macOS file association setup
+# Registers .bug files for macOS
+
+set -e
+
+echo "🍎 Setting up BugProof file associations on macOS..."
+
+# Create UTType definition
+PLIST_FILE="$HOME/Library/LaunchAgents/com.bugproof.uti.plist"
+mkdir -p "$(dirname "$PLIST_FILE")"
+
+cat > "$PLIST_FILE" <<'EOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>UTTypeIdentifier</key>
+  <string>com.bugproof.artifact</string>
+  <key>UTTypeDescription</key>
+  <string>BugProof Bug Artifact</string>
+  <key>UTTypeConformsTo</key>
+  <array>
+    <string>public.data</string>
+  </array>
+  <key>UTTypeTagSpecification</key>
+  <dict>
+    <key>com.apple.ostype</key>
+    <string>BUGF</string>
+    <key>public.filename-extension</key>
+    <array>
+      <string>bug</string>
+    </array>
+    <key>public.mime-type</key>
+    <string>application/x-bugproof</string>
+  </dict>
+</dict>
+</plist>
+EOF
+
+# Update LaunchServices database
+/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user
+
+echo "✓ macOS UTType registered"
+echo ""
+echo "✅ BugProof file association setup complete on macOS!"
+echo ""
+echo "🎯 You can now double-click .bug files to replay them"

package/scripts/bugproof-file-association-windows.reg

@@ -0,0 +1,44 @@
+Windows Registry Editor Version 5.00
+
+; BugProof .bug file association for Windows
+; This script associates .bug files with BugProof CLI and assigns an icon
+
+[HKEY_CLASSES_ROOT\.bug]
+@="BugProof.Artifact"
+
+[HKEY_CLASSES_ROOT\.bug\ShellNew]
+"FileName"=""
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact]
+@="BugProof Bug Artifact"
+"AppUserModelID"="BugProof.CLI"
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact\DefaultIcon]
+@="C:\\Program Files\\BugProof\\assets\\icon.ico,0"
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact\shell]
+@=""
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact\shell\open]
+@="Replay"
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact\shell\open\command]
+@="cmd.exe /c \"bugproof replay \"%1\"\""
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact\shell\inspect]
+@="Inspect"
+
+[HKEY_CLASSES_ROOT\BugProof.Artifact\shell\inspect\command]
+@="cmd.exe /c \"bugproof inspect \"%1\" && pause\""
+
+; Add BugProof to PATH via registry (optional, requires admin)
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
+; Note: User must manually add BugProof bin to PATH or run: npm link
+
+; Right-click context menu
+[HKEY_CLASSES_ROOT\*\shell\BugProof Capture]
+@="Capture with BugProof"
+"Icon"="C:\\Program Files\\BugProof\\assets\\icon.ico,0"
+
+[HKEY_CLASSES_ROOT\*\shell\BugProof Capture\command]
+@="cmd.exe /c \"bugproof capture -- \"%1\"\""