synapsexcoder 6.0.0

package/dist/utils/path-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-validator.d.ts","sourceRoot":"","sources":["../../src/utils/path-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB;;GAEG;AACH,eAAO,MAAM,cAAc,aA+BxB,CAAC;AAEJ;;GAEG;AACH,eAAO,MAAM,oBAAoB,aAK7B,CAAC;AAML;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB,MAAM,CAkBR;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAGrD;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAUA;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GAClB;IACD,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAUA;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGtD;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAE5D;AAMD;;GAEG;AACH,eAAO,MAAM,qBAAqB,mGAYxB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,wBAAwB,mDAM3B,CAAC;;;;;;;;;;;;;AAMX,wBAWE"}

package/dist/utils/path-validator.js

@@ -0,0 +1,192 @@
+/**
+ * Path Validation Utility
+ *
+ * Provides secure path validation to prevent path traversal attacks.
+ * Uses Zod for schema validation and path normalization.
+ */
+import path from "path";
+import { z } from "zod";
+// ============================================================================
+// Schemas
+// ============================================================================
+/**
+ * Schema for validating file paths against common attack patterns
+ */
+export const SafePathSchema = z
+    .string()
+    .min(1, "Path cannot be empty")
+    .max(4096, "Path too long")
+    .refine((p) => !p.includes(".."), {
+    message: "Path traversal detected: '..' not allowed",
+})
+    .refine((p) => !p.includes("\0"), {
+    message: "Null byte detected in path",
+})
+    .refine((p) => {
+    // Block common dangerous system paths
+    const dangerous = [
+        /^\/etc\//i,
+        /^\/proc\//i,
+        /^\/sys\//i,
+        /^\/dev\//i,
+        /^C:\\Windows/i,
+        /^C:\\Program Files/i,
+        /authorized_keys$/i,
+        /\/\.ssh\//i,
+        /\.env$/i,
+        /passwd$/i,
+        /shadow$/i,
+    ];
+    return !dangerous.some((regex) => regex.test(p));
+}, {
+    message: "Access to system directories denied",
+});
+/**
+ * Schema for validating command arguments
+ */
+export const SafeCommandArgSchema = z
+    .string()
+    .max(10000, "Command argument too long")
+    .refine((arg) => !arg.includes("\0"), {
+    message: "Null byte detected in command argument",
+});
+// ============================================================================
+// Validation Functions
+// ============================================================================
+/**
+ * Validates and resolves a user-provided path against an allowed base directory.
+ *
+ * @param userPath - The user-provided path to validate
+ * @param allowedBase - The base directory that the path must be within
+ * @returns The validated and resolved absolute path
+ * @throws Error if the path is invalid or attempts traversal
+ */
+export function validateAndResolve(userPath, allowedBase) {
+    // Validate input schema
+    SafePathSchema.parse(userPath);
+    // Normalize and resolve to absolute path
+    const normalized = path.normalize(userPath);
+    const resolved = path.resolve(allowedBase, normalized);
+    const baseResolved = path.resolve(allowedBase);
+    // Ensure the resolved path is within the allowed base directory
+    const relativePath = path.relative(baseResolved, resolved);
+    if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
+        throw new Error(`Path traversal attempt detected: path must be within ${allowedBase}`);
+    }
+    return resolved;
+}
+/**
+ * Validates a path without requiring a base directory.
+ * Only checks for common attack patterns.
+ *
+ * @param userPath - The path to validate
+ * @returns The normalized path
+ * @throws Error if the path contains dangerous patterns
+ */
+export function validatePath(userPath) {
+    SafePathSchema.parse(userPath);
+    return path.normalize(userPath);
+}
+/**
+ * Checks if a path is safe without throwing errors.
+ *
+ * @param userPath - The path to check
+ * @returns Object with valid flag and optional error message
+ */
+export function checkPath(userPath) {
+    try {
+        const normalized = validatePath(userPath);
+        return { valid: true, normalized };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+/**
+ * Validates a path is within a base directory without throwing errors.
+ *
+ * @param userPath - The path to check
+ * @param allowedBase - The base directory
+ * @returns Object with valid flag and optional error/resolved path
+ */
+export function checkPathInBase(userPath, allowedBase) {
+    try {
+        const resolved = validateAndResolve(userPath, allowedBase);
+        return { valid: true, resolved };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+/**
+ * Validates a command argument for safe execution.
+ *
+ * @param arg - The command argument to validate
+ * @returns The validated argument
+ * @throws Error if the argument contains dangerous patterns
+ */
+export function validateCommandArg(arg) {
+    SafeCommandArgSchema.parse(arg);
+    return arg;
+}
+/**
+ * Validates multiple command arguments.
+ *
+ * @param args - Array of command arguments to validate
+ * @returns Array of validated arguments
+ * @throws Error if any argument contains dangerous patterns
+ */
+export function validateCommandArgs(args) {
+    return args.map(validateCommandArg);
+}
+// ============================================================================
+// Blocked Patterns
+// ============================================================================
+/**
+ * Patterns that are always blocked in file paths
+ */
+export const BLOCKED_PATH_PATTERNS = [
+    /\.\./, // Path traversal
+    /\0/, // Null byte
+    /^\/etc\//i, // System config
+    /^\/proc\//i, // Process info
+    /^\/sys\//i, // System info
+    /^\/dev\//i, // Device files
+    /authorized_keys$/i,
+    /\/\.ssh\//i,
+    /\/\.env$/i,
+    /passwd$/i,
+    /shadow$/i,
+];
+/**
+ * Patterns that are blocked in command arguments
+ */
+export const BLOCKED_COMMAND_PATTERNS = [
+    /\0/, // Null byte
+    /;\s*rm\s+-rf/i, // Destructive commands
+    /\|\s*sh/i, // Piped execution
+    /`.*`/, // Command substitution
+    /\$\(/, // Command substitution
+];
+// ============================================================================
+// Exports
+// ============================================================================
+export default {
+    SafePathSchema,
+    SafeCommandArgSchema,
+    validateAndResolve,
+    validatePath,
+    checkPath,
+    checkPathInBase,
+    validateCommandArg,
+    validateCommandArgs,
+    BLOCKED_PATH_PATTERNS,
+    BLOCKED_COMMAND_PATTERNS,
+};
+//# sourceMappingURL=path-validator.js.map

package/dist/utils/path-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-validator.js","sourceRoot":"","sources":["../../src/utils/path-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC;KAC5B,MAAM,EAAE;KACR,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC;KAC9B,GAAG,CAAC,IAAI,EAAE,eAAe,CAAC;KAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;IAChC,OAAO,EAAE,2CAA2C;CACrD,CAAC;KACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;IAChC,OAAO,EAAE,4BAA4B;CACtC,CAAC;KACD,MAAM,CACL,CAAC,CAAC,EAAE,EAAE;IACJ,sCAAsC;IACtC,MAAM,SAAS,GAAG;QAChB,WAAW;QACX,YAAY;QACZ,WAAW;QACX,WAAW;QACX,eAAe;QACf,qBAAqB;QACrB,mBAAmB;QACnB,YAAY;QACZ,SAAS;QACT,UAAU;QACV,UAAU;KACX,CAAC;IACF,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC,EACD;IACE,OAAO,EAAE,qCAAqC;CAC/C,CACF,CAAC;AAEJ;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC;KAClC,MAAM,EAAE;KACR,GAAG,CAAC,KAAK,EAAE,2BAA2B,CAAC;KACvC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;IACpC,OAAO,EAAE,wCAAwC;CAClD,CAAC,CAAC;AAEL,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,WAAmB;IAEnB,wBAAwB;IACxB,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAE/B,yCAAyC;IACzC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE/C,gEAAgE;IAChE,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAC3D,IAAI,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,wDAAwD,WAAW,EAAE,CACtE,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/B,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB;IAKxC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,WAAmB;IAMnB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACnC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,oBAAoB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAc;IAChD,OAAO,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;AACtC,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,MAAM,EAAE,iBAAiB;IACzB,IAAI,EAAE,YAAY;IAClB,WAAW,EAAE,gBAAgB;IAC7B,YAAY,EAAE,eAAe;IAC7B,WAAW,EAAE,cAAc;IAC3B,WAAW,EAAE,eAAe;IAC5B,mBAAmB;IACnB,YAAY;IACZ,WAAW;IACX,UAAU;IACV,UAAU;CACF,CAAC;AAEX;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,IAAI,EAAE,YAAY;IAClB,eAAe,EAAE,uBAAuB;IACxC,UAAU,EAAE,kBAAkB;IAC9B,MAAM,EAAE,uBAAuB;IAC/B,MAAM,EAAE,uBAAuB;CACvB,CAAC;AAEX,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,eAAe;IACb,cAAc;IACd,oBAAoB;IACpB,kBAAkB;IAClB,YAAY;IACZ,SAAS;IACT,eAAe;IACf,kBAAkB;IAClB,mBAAmB;IACnB,qBAAqB;IACrB,wBAAwB;CACzB,CAAC"}

package/dist/utils/secure-exec.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Secure Command Execution Utility
+ *
+ * Provides safe command execution using spawn with array arguments
+ * instead of string interpolation to prevent command injection.
+ */
+export interface SecureExecOptions {
+    /** Working directory for the command */
+    cwd?: string;
+    /** Timeout in milliseconds */
+    timeout?: number;
+    /** Environment variables to merge with process.env */
+    env?: Record<string, string>;
+    /** Allowlist of permitted commands (if set, only these commands can run) */
+    allowedCommands?: string[];
+    /** Whether to capture stderr separately */
+    captureStderr?: boolean;
+    /** Maximum output size in bytes (default: 10MB) */
+    maxOutputSize?: number;
+}
+export interface SecureExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+    timedOut: boolean;
+}
+/**
+ * Executes a command securely using spawn with array arguments.
+ *
+ * This function NEVER uses shell interpretation, preventing command injection.
+ * All arguments are passed directly to the process without shell parsing.
+ *
+ * @param command - The command to execute (must be an executable, not a shell built-in)
+ * @param args - Array of arguments to pass to the command
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export declare function secureExec(command: string, args: string[], options?: SecureExecOptions): Promise<SecureExecResult>;
+/**
+ * Executes a bash command securely.
+ * Uses bash with -c but passes the command as a single argument (not interpolated).
+ *
+ * @param command - The bash command string to execute
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export declare function secureBash(command: string, options?: SecureExecOptions): Promise<SecureExecResult>;
+/**
+ * Executes an npm command securely.
+ *
+ * @param npmCommand - The npm subcommand (e.g., 'install', 'test')
+ * @param args - Arguments to pass to npm
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export declare function secureNpm(npmCommand: string, args?: string[], options?: SecureExecOptions): Promise<SecureExecResult>;
+/**
+ * Executes a git command securely.
+ *
+ * @param args - Arguments to pass to git
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export declare function secureGit(args: string[], options?: SecureExecOptions): Promise<SecureExecResult>;
+/**
+ * Executes a command and returns only stdout.
+ * Throws if the command fails.
+ *
+ * @param command - The command to execute
+ * @param args - Arguments to pass to the command
+ * @param options - Execution options
+ * @returns Promise resolving to stdout string
+ */
+export declare function secureExecOutput(command: string, args: string[], options?: SecureExecOptions): Promise<string>;
+/**
+ * Validates that a command string doesn't contain dangerous patterns.
+ *
+ * @param command - The command string to validate
+ * @returns true if the command is safe
+ * @throws Error if the command contains dangerous patterns
+ */
+export declare function validateCommandString(command: string): boolean;
+declare const _default: {
+    secureExec: typeof secureExec;
+    secureBash: typeof secureBash;
+    secureNpm: typeof secureNpm;
+    secureGit: typeof secureGit;
+    secureExecOutput: typeof secureExecOutput;
+    validateCommandString: typeof validateCommandString;
+};
+export default _default;
+//# sourceMappingURL=secure-exec.d.ts.map

package/dist/utils/secure-exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-exec.d.ts","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,iBAAiB;IAChC,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,4EAA4E;IAC5E,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,2CAA2C;IAC3C,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,mDAAmD;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;CACnB;AA+BD;;;;;;;;;;GAUG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA8E3B;AAMD;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAY3B;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAC7B,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE,MAAM,EAAO,EACnB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAE3B;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAE3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,MAAM,CAAC,CAUjB;AAsCD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAS9D;;;;;;;;;AAMD,wBAOE"}

package/dist/utils/secure-exec.js

@@ -0,0 +1,230 @@
+/**
+ * Secure Command Execution Utility
+ *
+ * Provides safe command execution using spawn with array arguments
+ * instead of string interpolation to prevent command injection.
+ */
+import { spawn } from "child_process";
+import { validateCommandArgs } from "./path-validator.js";
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_MAX_OUTPUT_SIZE = 10 * 1024 * 1024; // 10MB
+const DEFAULT_TIMEOUT = 60000; // 60 seconds
+/**
+ * Default commands allowed when no explicit allowlist is provided.
+ * All other commands require an explicit allowedCommands option.
+ */
+const DEFAULT_ALLOWED_COMMANDS = [
+    "git",
+    "npm",
+    "node",
+    "npx",
+    "tsx",
+    "bash",
+    "cat",
+    "echo",
+    "ls",
+    "sleep",
+    "which",
+];
+// ============================================================================
+// Core Execution Function
+// ============================================================================
+/**
+ * Executes a command securely using spawn with array arguments.
+ *
+ * This function NEVER uses shell interpretation, preventing command injection.
+ * All arguments are passed directly to the process without shell parsing.
+ *
+ * @param command - The command to execute (must be an executable, not a shell built-in)
+ * @param args - Array of arguments to pass to the command
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export async function secureExec(command, args, options = {}) {
+    // Validate command against allowlist (default or explicit)
+    const allowlist = options.allowedCommands ?? DEFAULT_ALLOWED_COMMANDS;
+    if (!allowlist.includes(command)) {
+        throw new Error(`Command '${command}' not in allowlist. Use allowedCommands option to permit this command. ` +
+            `Default allowed: ${DEFAULT_ALLOWED_COMMANDS.join(", ")}`);
+    }
+    // Validate all arguments for safety
+    const sanitizedArgs = validateCommandArgs(args);
+    // Set defaults
+    const maxOutputSize = options.maxOutputSize ?? DEFAULT_MAX_OUTPUT_SIZE;
+    const timeout = options.timeout ?? DEFAULT_TIMEOUT;
+    return new Promise((resolve, reject) => {
+        const spawnOptions = {
+            cwd: options.cwd || process.cwd(),
+            env: { ...process.env, ...options.env },
+            // CRITICAL: Never use shell interpretation
+            shell: false,
+            stdio: ["pipe", "pipe", "pipe"],
+        };
+        const proc = spawn(command, sanitizedArgs, spawnOptions);
+        let stdout = "";
+        let stderr = "";
+        let timedOut = false;
+        let killed = false;
+        // Set up timeout
+        const timeoutId = setTimeout(() => {
+            timedOut = true;
+            killed = true;
+            proc.kill("SIGTERM");
+            // Force kill after 5 seconds if SIGTERM doesn't work
+            setTimeout(() => {
+                if (!proc.killed) {
+                    proc.kill("SIGKILL");
+                }
+            }, 5000);
+        }, timeout);
+        // Capture stdout with size limit
+        proc.stdout?.on("data", (data) => {
+            if (stdout.length < maxOutputSize) {
+                stdout += data.toString();
+            }
+        });
+        // Capture stderr with size limit
+        proc.stderr?.on("data", (data) => {
+            if (stderr.length < maxOutputSize) {
+                stderr += data.toString();
+            }
+        });
+        // Handle process completion
+        proc.on("close", (code) => {
+            clearTimeout(timeoutId);
+            resolve({
+                stdout,
+                stderr,
+                exitCode: code ?? (killed ? 1 : 0),
+                timedOut,
+            });
+        });
+        // Handle process errors
+        proc.on("error", (error) => {
+            clearTimeout(timeoutId);
+            reject(new Error(`Failed to execute '${command}': ${error.message}`));
+        });
+    });
+}
+// ============================================================================
+// Convenience Functions
+// ============================================================================
+/**
+ * Executes a bash command securely.
+ * Uses bash with -c but passes the command as a single argument (not interpolated).
+ *
+ * @param command - The bash command string to execute
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export async function secureBash(command, options = {}) {
+    // Validate the command string itself
+    if (command.includes("\0")) {
+        throw new Error("Null byte detected in command");
+    }
+    // Check for dangerous patterns before execution
+    validateCommandString(command);
+    // Use bash -c with the command as a separate argument
+    // This is safer than string interpolation because spawn doesn't use shell interpretation
+    return secureExec("bash", ["-c", command], options);
+}
+/**
+ * Executes an npm command securely.
+ *
+ * @param npmCommand - The npm subcommand (e.g., 'install', 'test')
+ * @param args - Arguments to pass to npm
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export async function secureNpm(npmCommand, args = [], options = {}) {
+    return secureExec("npm", [npmCommand, ...args], options);
+}
+/**
+ * Executes a git command securely.
+ *
+ * @param args - Arguments to pass to git
+ * @param options - Execution options
+ * @returns Promise resolving to execution result
+ */
+export async function secureGit(args, options = {}) {
+    return secureExec("git", args, options);
+}
+/**
+ * Executes a command and returns only stdout.
+ * Throws if the command fails.
+ *
+ * @param command - The command to execute
+ * @param args - Arguments to pass to the command
+ * @param options - Execution options
+ * @returns Promise resolving to stdout string
+ */
+export async function secureExecOutput(command, args, options = {}) {
+    const result = await secureExec(command, args, options);
+    if (result.exitCode !== 0) {
+        throw new Error(`Command '${command}' failed with exit code ${result.exitCode}: ${result.stderr}`);
+    }
+    return result.stdout;
+}
+// ============================================================================
+// Command Validation
+// ============================================================================
+/**
+ * Dangerous command patterns that should be blocked
+ */
+const DANGEROUS_COMMAND_PATTERNS = [
+    // Destructive file operations
+    /;\s*rm\s+-rf\s+\//i,
+    /&&\s*rm\s+-rf\s+\//i,
+    /;\s*mkfs/i,
+    /;\s*dd\s+if/i,
+    /;\s*format\s+/i,
+    // Remote code execution via pipe-to-shell
+    /\|\s*sh\b/i,
+    /\|\s*bash\b/i,
+    /\|\s*zsh\b/i,
+    /\|\s*powershell\b/i,
+    /\|\s*pwsh\b/i,
+    // Command substitution
+    /`.*`/,
+    /\$\(/,
+    // System config tampering
+    />\s*\/etc\//i,
+    />\s*\/boot\//i,
+    />\s*\/dev\//i,
+    // Remote download + execute
+    /curl.*\|\s*(sh|bash|zsh)\b/i,
+    /wget.*\|\s*(sh|bash|zsh)\b/i,
+    // Privilege escalation
+    /chmod\s+4777/i,
+    /chown\s+root/i,
+    /chmod\s+777\s+\/etc/i,
+];
+/**
+ * Validates that a command string doesn't contain dangerous patterns.
+ *
+ * @param command - The command string to validate
+ * @returns true if the command is safe
+ * @throws Error if the command contains dangerous patterns
+ */
+export function validateCommandString(command) {
+    for (const pattern of DANGEROUS_COMMAND_PATTERNS) {
+        if (pattern.test(command)) {
+            throw new Error(`Command contains potentially dangerous pattern: ${pattern.source}`);
+        }
+    }
+    return true;
+}
+// ============================================================================
+// Exports
+// ============================================================================
+export default {
+    secureExec,
+    secureBash,
+    secureNpm,
+    secureGit,
+    secureExecOutput,
+    validateCommandString,
+};
+//# sourceMappingURL=secure-exec.js.map

package/dist/utils/secure-exec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-exec.js","sourceRoot":"","sources":["../../src/utils/secure-exec.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAgB,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AA4B1D,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,uBAAuB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AACzD,MAAM,eAAe,GAAG,KAAK,CAAC,CAAC,aAAa;AAE5C;;;GAGG;AACH,MAAM,wBAAwB,GAAG;IAC/B,KAAK;IACL,KAAK;IACL,MAAM;IACN,KAAK;IACL,KAAK;IACL,MAAM;IACN,KAAK;IACL,MAAM;IACN,IAAI;IACJ,OAAO;IACP,OAAO;CACC,CAAC;AAEX,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,OAAe,EACf,IAAc,EACd,UAA6B,EAAE;IAE/B,2DAA2D;IAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,IAAI,wBAA+C,CAAC;IAC7F,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,YAAY,OAAO,yEAAyE;YAC5F,oBAAoB,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1D,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,MAAM,aAAa,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAEhD,eAAe;IACf,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,uBAAuB,CAAC;IACvE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,eAAe,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,YAAY,GAAiB;YACjC,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;YACjC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE;YACvC,2CAA2C;YAC3C,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC;QAEF,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;QAEzD,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,iBAAiB;QACjB,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;YAChC,QAAQ,GAAG,IAAI,CAAC;YAChB,MAAM,GAAG,IAAI,CAAC;YACd,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAErB,qDAAqD;YACrD,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;oBACjB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC,EAAE,IAAI,CAAC,CAAC;QACX,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,iCAAiC;QACjC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,IAAI,MAAM,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;gBAClC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,iCAAiC;QACjC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,IAAI,MAAM,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;gBAClC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,4BAA4B;QAC5B,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,YAAY,CAAC,SAAS,CAAC,CAAC;YACxB,OAAO,CAAC;gBACN,MAAM;gBACN,MAAM;gBACN,QAAQ,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClC,QAAQ;aACT,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,wBAAwB;QACxB,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;YACzB,YAAY,CAAC,SAAS,CAAC,CAAC;YACxB,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,OAAO,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,OAAe,EACf,UAA6B,EAAE;IAE/B,qCAAqC;IACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,gDAAgD;IAChD,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAE/B,sDAAsD;IACtD,yFAAyF;IACzF,OAAO,UAAU,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,UAAkB,EAClB,OAAiB,EAAE,EACnB,UAA6B,EAAE;IAE/B,OAAO,UAAU,CAAC,KAAK,EAAE,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAc,EACd,UAA6B,EAAE;IAE/B,OAAO,UAAU,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAe,EACf,IAAc,EACd,UAA6B,EAAE;IAE/B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAExD,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,YAAY,OAAO,2BAA2B,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,MAAM,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,0BAA0B,GAAG;IACjC,8BAA8B;IAC9B,oBAAoB;IACpB,qBAAqB;IACrB,WAAW;IACX,cAAc;IACd,gBAAgB;IAChB,0CAA0C;IAC1C,YAAY;IACZ,cAAc;IACd,aAAa;IACb,oBAAoB;IACpB,cAAc;IACd,uBAAuB;IACvB,MAAM;IACN,MAAM;IACN,0BAA0B;IAC1B,cAAc;IACd,eAAe;IACf,cAAc;IACd,4BAA4B;IAC5B,6BAA6B;IAC7B,6BAA6B;IAC7B,uBAAuB;IACvB,eAAe;IACf,eAAe;IACf,sBAAsB;CACd,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,KAAK,MAAM,OAAO,IAAI,0BAA0B,EAAE,CAAC;QACjD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,mDAAmD,OAAO,CAAC,MAAM,EAAE,CACpE,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,eAAe;IACb,UAAU;IACV,UAAU;IACV,SAAS;IACT,SAAS;IACT,gBAAgB;IAChB,qBAAqB;CACtB,CAAC"}

package/dist/verification/claim-parser.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Claim Parser — Extract verification claims from all sources
+ *
+ * Parses and extracts claims from:
+ * - markdown files (docs, README, etc.)
+ * - TODO/FIXME files
+ * - changelogs
+ * - architecture docs
+ * - reviews and summaries
+ * - inline comments
+ * - issue references
+ * - planning docs
+ */
+import { VerificationClaim } from "./types.js";
+export declare class ClaimParser {
+    private readonly docExtensions;
+    private readonly codeExtensions;
+    /**
+     * Parse claims from an entire directory recursively
+     */
+    parseFromDirectory(directoryPath: string): Promise<VerificationClaim[]>;
+    /**
+     * Parse claims from a single file
+     */
+    parseFromFile(filePath: string): Promise<VerificationClaim[]>;
+    /**
+     * Build verification map from claims
+     */
+    buildVerificationMap(claims: VerificationClaim[]): Map<string, VerificationClaim[]>;
+    private parseFromMarkdown;
+    private parseFromCode;
+    private parseFromComments;
+    private getExtension;
+    private inferSystemsFromContent;
+    private inferSystemsFromFilePath;
+}
+//# sourceMappingURL=claim-parser.d.ts.map

package/dist/verification/claim-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claim-parser.d.ts","sourceRoot":"","sources":["../../src/verification/claim-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAG/C,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAmC;IACjE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA0E;IAEzG;;OAEG;IACG,kBAAkB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAiC7E;;OAEG;IACG,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAqCnE;;OAEG;IACH,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAcnF,OAAO,CAAC,iBAAiB;IA2CzB,OAAO,CAAC,aAAa;IAuBrB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,uBAAuB;IAkB/B,OAAO,CAAC,wBAAwB;CAejC"}