npm - toolcraft - Versions diffs - 0.0.24 → 0.0.26 - Mend

toolcraft 0.0.24 → 0.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/node_modules/@poe-code/process-runner/dist/docker/docker-execution-env.js CHANGED Viewed

@@ -1,11 +1,12 @@
 import { createHash, randomBytes } from "node:crypto";
 import { mkdtempSync, rmSync } from "node:fs";
-import { readdir, readFile, writeFile } from "node:fs/promises";
+import { readdir, readFile, realpath, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import path from "node:path";
-import { buildDockerRunArgs } from "./args.js";
+import { buildDockerEnvArgs, buildDockerRunArgs } from "./args.js";
 import { buildContextArgs, detectContext } from "./context.js";
 import { detectEngine } from "./engine.js";
+import { createDockerEnvFile } from "./env-file.js";
 import { createHostRunner } from "../host/host-runner.js";
 import { downloadWorkspace as downloadTransferredWorkspace, uploadWorkspace as uploadTransferredWorkspace } from "../workspace-transfer.js";
 const containerCommand = ["sh", "-c", "while :; do sleep 3600; done"];
@@ -103,25 +104,33 @@ function createDockerEnv(input) {
             return downloadTransferredWorkspace(workspaceTransferEnv, opts);
         },
         exec(spec) {
-            return input.runner.exec({
-                command: input.engine,
-                args: [
-                    ...buildContextArgs(input.engine, input.context),
-                    "exec",
-                    ...(spec.stdin === "pipe" || spec.stdin === "inherit" ? ["-i"] : []),
-                    ...(spec.tty === true ? ["-t"] : []),
-                    ...(spec.cwd !== undefined ? ["-w", spec.cwd] : []),
-                    ...buildEnvArgs(spec.env),
-                    containerRef,
-                    spec.command,
-                    ...(spec.args ?? [])
-                ],
-                stdin: spec.stdin,
-                stdout: spec.stdout,
-                stderr: spec.stderr,
-                tty: spec.tty,
-                signal: spec.signal
-            });
+            const envFile = createDockerEnvFile(spec.env);
+            try {
+                return cleanUpEnvFileAfterRun(input.runner.exec({
+                    command: input.engine,
+                    args: [
+                        ...buildContextArgs(input.engine, input.context),
+                        "exec",
+                        ...(spec.stdin === "pipe" || spec.stdin === "inherit" ? ["-i"] : []),
+                        ...(spec.tty === true ? ["-t"] : []),
+                        ...(spec.cwd !== undefined ? ["-w", spec.cwd] : []),
+                        ...buildDockerEnvArgs({ env: spec.env, envFilePath: envFile?.path }),
+                        containerRef,
+                        spec.command,
+                        ...(spec.args ?? [])
+                    ],
+                    stdin: spec.stdin,
+                    stdout: spec.stdout,
+                    stderr: spec.stderr,
+                    tty: spec.tty,
+                    signal: spec.signal,
+                    killProcessGroup: spec.killProcessGroup
+                }), envFile?.cleanup);
+            }
+            catch (error) {
+                envFile?.cleanup();
+                throw error;
+            }
         },
         async detach() {
             return createContainerJob(containerRef, input.runner, input.engine, input.context, detachedJobContext);
@@ -136,7 +145,8 @@ function createDockerEnv(input) {
                 stdin: "inherit",
                 stdout: "inherit",
                 stderr: "inherit",
-                tty: true
+                tty: true,
+                signal: shellSpec?.signal
             });
         },
         async close() {
@@ -173,8 +183,7 @@ export async function buildDockerRuntimeTemplate(input) {
     const runner = input.runner ?? createHostRunner();
     const engine = input.runtime.engine ?? detectEngine();
     const context = detectContext();
-    const dockerfilePath = path.resolve(input.cwd, input.runtime.dockerfile ?? path.join(".poe-code", "Dockerfile"));
-    const buildContext = path.resolve(input.cwd, input.runtime.build_context ?? ".");
+    const { dockerfilePath, buildContext } = await resolveRuntimeBuildPaths(input.cwd, input.runtime);
     const dockerfileBytes = await readFile(dockerfilePath);
     const buildContextFiles = await readBuildContextFiles(buildContext);
     const hash = hashDockerTemplate(dockerfileBytes, buildContextFiles, input.runtime.build_args ?? {}, engine);
@@ -211,6 +220,28 @@ export async function buildDockerRuntimeTemplate(input) {
         cached: false
     };
 }
+async function resolveRuntimeBuildPaths(cwd, runtime) {
+    const dockerfilePath = path.resolve(cwd, runtime.dockerfile ?? path.join(".poe-code", "Dockerfile"));
+    const buildContext = path.resolve(cwd, runtime.build_context ?? ".");
+    const canonicalCwd = await realpath(cwd);
+    const canonicalDockerfilePath = await realpath(dockerfilePath);
+    const canonicalBuildContext = await realpath(buildContext);
+    assertRuntimePathInsideCwd(canonicalCwd, canonicalDockerfilePath, "runtime.dockerfile");
+    assertRuntimePathInsideCwd(canonicalCwd, canonicalBuildContext, "runtime.build_context");
+    return {
+        dockerfilePath: canonicalDockerfilePath,
+        buildContext: canonicalBuildContext
+    };
+}
+function assertRuntimePathInsideCwd(cwd, targetPath, fieldName) {
+    if (!isPathInsideOrEqual(cwd, targetPath)) {
+        throw new Error(`${fieldName} must remain inside runtime cwd ${cwd}.`);
+    }
+}
+function isPathInsideOrEqual(rootPath, targetPath) {
+    const relativePath = path.relative(rootPath, targetPath);
+    return relativePath === "" || (!relativePath.startsWith("..") && !path.isAbsolute(relativePath));
+}
 function hashDockerTemplate(dockerfileBytes, buildContextFiles, buildArgs, engine) {
     const hash = createHash("sha256");
     hash.update(dockerfileBytes);
@@ -306,9 +337,49 @@ async function runAndRead(runner, spec) {
     }
     return output;
 }
+async function runAndReadBytes(runner, spec) {
+    const handle = runner.exec(spec);
+    const stdout = readStreamBytes(handle.stdout);
+    const stderr = readStream(handle.stderr);
+    const result = await handle.result;
+    const output = await stdout;
+    if (result.exitCode !== 0) {
+        const errorOutput = await stderr;
+        throw new Error(`Command failed with exit code ${result.exitCode}: ${spec.command} ${(spec.args ?? []).join(" ")}${errorOutput ? `\n${errorOutput}` : ""}`);
+    }
+    return output;
+}
 async function runOrThrow(runner, spec) {
     await runAndRead(runner, spec);
 }
+function cleanUpEnvFileAfterRun(handle, cleanup) {
+    if (cleanup === undefined) {
+        return handle;
+    }
+    let cleanedUp = false;
+    const cleanupOnce = () => {
+        if (cleanedUp) {
+            return;
+        }
+        cleanedUp = true;
+        try {
+            cleanup();
+        }
+        catch {
+            // Cleanup is best effort; preserve the command result.
+        }
+    };
+    return {
+        pid: handle.pid,
+        stdin: handle.stdin,
+        stdout: handle.stdout,
+        stderr: handle.stderr,
+        result: handle.result.finally(cleanupOnce),
+        kill(signal) {
+            handle.kill(signal);
+        }
+    };
+}
 async function readStream(stream) {
     if (stream === null) {
         return "";
@@ -320,15 +391,19 @@ async function readStream(stream) {
     }
     return chunks.join("");
 }
+async function readStreamBytes(stream) {
+    if (stream === null) {
+        return Buffer.alloc(0);
+    }
+    const chunks = [];
+    for await (const chunk of stream) {
+        chunks.push(typeof chunk === "string" ? Buffer.from(chunk, "utf8") : Buffer.from(chunk));
+    }
+    return Buffer.concat(chunks);
+}
 function sortedBuildArgs(buildArgs) {
     return Object.entries(buildArgs).sort(([left], [right]) => left.localeCompare(right));
 }
-function buildEnvArgs(env) {
-    if (env === undefined) {
-        return [];
-    }
-    return Object.entries(env).flatMap(([key, value]) => ["-e", `${key}=${value}`]);
-}
 function createContainerName() {
     return `poe-env-${randomBytes(6).toString("hex")}`;
 }
@@ -383,10 +458,25 @@ function createContainerWorkspaceFileSystem(input) {
             await execShell(`mkdir -p ${shellQuote(targetPath)}`);
         },
         async readdir(targetPath) {
-            const output = await execShell(`for item in ${shellQuote(targetPath)}/* ${shellQuote(targetPath)}/.[!.]* ${shellQuote(targetPath)}/..?*; do [ -e "$item" ] || continue; if [ -d "$item" ]; then kind=d; size=0; else kind=f; size=$(wc -c < "$item"); fi; printf '%s\\t%s\\t%s\\n' "\${item##*/}" "$kind" "$size"; done`);
+            const quotedTargetPath = shellQuote(targetPath);
+            const output = await execShell([
+                `for item in ${quotedTargetPath}/* ${quotedTargetPath}/.[!.]* ${quotedTargetPath}/..?*; do`,
+                `[ -e "$item" ] || [ -L "$item" ] || continue;`,
+                `if [ -L "$item" ]; then kind=l; size=0;`,
+                `elif [ -d "$item" ]; then kind=d; size=0;`,
+                `elif [ -f "$item" ]; then kind=f; size=$(wc -c < "$item");`,
+                `else continue; fi;`,
+                `printf '%s\\t%s\\t%s\\n' "\${item##*/}" "$kind" "$size";`,
+                `done`
+            ].join(" "));
             return output.split("\n").filter(Boolean).map((line) => {
                 const [name = "", kind = "f"] = line.split("\t");
-                return { name, isFile: () => kind === "f", isDirectory: () => kind === "d" };
+                return {
+                    name,
+                    isFile: () => kind === "f",
+                    isDirectory: () => kind === "d",
+                    isSymbolicLink: () => kind === "l"
+                };
             });
         },
         readFile: readFileFromContainer,
@@ -459,8 +549,10 @@ function createContainerJob(containerId, runner, engine, context, detachedJobCon
                 ? ""
                 : ` && test $(stat -c %Y ${logFile} 2>/dev/null || stat -f %m ${logFile}) -ge ${Math.ceil(opts.since.getTime() / 1000)}`;
             let byteOffset = opts?.sinceByte ?? 0;
+            let pendingBytes = Buffer.alloc(0);
+            let pendingByteOffset = byteOffset;
             while (true) {
-                const stdout = await runAndRead(runner, {
+                const stdout = await runAndReadBytes(runner, {
                     command: engine,
                     args: [
                         ...buildContextArgs(engine, context),
@@ -473,9 +565,18 @@ function createContainerJob(containerId, runner, engine, context, detachedJobCon
                     stdout: "pipe",
                     stderr: "pipe"
                 });
-                if (stdout.length > 0) {
-                    yield { byteOffset, data: stdout };
-                    byteOffset += Buffer.byteLength(stdout);
+                if (stdout.byteLength > 0) {
+                    const combined = pendingBytes.byteLength === 0
+                        ? stdout
+                        : Buffer.concat([pendingBytes, stdout]);
+                    const completeLength = completeUtf8PrefixLength(combined);
+                    byteOffset += stdout.byteLength;
+                    pendingBytes = combined.subarray(completeLength);
+                    const data = combined.subarray(0, completeLength).toString("utf8");
+                    if (data.length > 0) {
+                        yield { byteOffset: pendingByteOffset, data };
+                        pendingByteOffset += completeLength;
+                    }
                 }
                 if (opts?.follow !== true || (await this.status()) !== "running") {
                     return;
@@ -517,6 +618,39 @@ function createContainerJob(containerId, runner, engine, context, detachedJobCon
         }
     };
 }
+function completeUtf8PrefixLength(contents) {
+    if (contents.length === 0) {
+        return 0;
+    }
+    let leadIndex = contents.length - 1;
+    while (leadIndex >= 0 && isUtf8ContinuationByte(contents[leadIndex])) {
+        leadIndex -= 1;
+    }
+    if (leadIndex < 0) {
+        return contents.length;
+    }
+    const expectedLength = utf8SequenceLength(contents[leadIndex]);
+    if (expectedLength === 0) {
+        return contents.length;
+    }
+    const availableLength = contents.length - leadIndex;
+    return availableLength < expectedLength ? leadIndex : contents.length;
+}
+function isUtf8ContinuationByte(byte) {
+    return byte >= 0x80 && byte <= 0xbf;
+}
+function utf8SequenceLength(byte) {
+    if (byte >= 0xc2 && byte <= 0xdf) {
+        return 2;
+    }
+    if (byte >= 0xe0 && byte <= 0xef) {
+        return 3;
+    }
+    if (byte >= 0xf0 && byte <= 0xf4) {
+        return 4;
+    }
+    return 0;
+}
 async function readDetachedExitCode(containerId, jobId, runner, engine, context) {
     const exitFile = shellQuote(`/tmp/poe-jobs/${jobId}.exit`);
     const handle = runner.exec({

package/node_modules/@poe-code/process-runner/dist/docker/docker-runner.js CHANGED Viewed

@@ -3,6 +3,9 @@ import { randomBytes } from "node:crypto";
 import { buildDockerRunArgs } from "./args.js";
 import { buildContextArgs, detectContext } from "./context.js";
 import { detectEngine } from "./engine.js";
+import { createDockerEnvFile } from "./env-file.js";
+const DOCKER_ABORT_GRACE_MS = 10_000;
+const DOCKER_ABORT_FORCE_GRACE_MS = 5_000;
 export function createDockerRunner(options) {
     const engine = options.engine ?? detectEngine();
     const context = options.context ?? detectContext();
@@ -27,6 +30,7 @@ export function createDockerRunner(options) {
                 stderrMode === "inherit" &&
                 spec.tty === true;
             const containerName = buildContainerName(options.containerName ?? spec.command);
+            const envFile = createDockerEnvFile(spec.env);
             const runArgs = buildDockerRunArgs({
                 engine,
                 context,
@@ -35,6 +39,7 @@ export function createDockerRunner(options) {
                 args: spec.args ?? [],
                 cwd: spec.cwd,
                 env: spec.env,
+                envFilePath: envFile?.path,
                 mounts: options.mounts ?? [],
                 ports: options.ports ?? [],
                 network: options.network,
@@ -46,25 +51,55 @@ export function createDockerRunner(options) {
                 extraArgs: options.extraArgs ?? []
             });
             const [command, ...args] = runArgs;
-            const child = childProcess.spawn(command, args, {
-                stdio: interactiveMode ? "inherit" : [stdinMode, stdoutMode, stderrMode]
-            });
+            let child;
+            try {
+                child = childProcess.spawn(command, args, {
+                    stdio: interactiveMode ? "inherit" : [stdinMode, stdoutMode, stderrMode]
+                });
+            }
+            catch (error) {
+                envFile?.cleanup();
+                throw error;
+            }
             let isResultSettled = false;
+            let exitCodeOverride = null;
             let resolveResult = null;
+            let abortEscalationTimers = [];
             const result = new Promise((resolve) => {
                 resolveResult = resolve;
             });
+            const clearAbortEscalation = () => {
+                for (const timer of abortEscalationTimers) {
+                    clearTimeout(timer);
+                }
+                abortEscalationTimers = [];
+            };
             const settleResult = (exitCode) => {
                 if (isResultSettled) {
                     return;
                 }
                 isResultSettled = true;
                 cleanupAbort();
-                resolveResult?.({ exitCode });
+                clearAbortEscalation();
+                envFile?.cleanup();
+                resolveResult?.({ exitCode: exitCodeOverride ?? exitCode });
+            };
+            const scheduleAbortEscalation = () => {
+                const terminateTimer = setTimeout(() => {
+                    killHostDockerChild(child, "SIGTERM");
+                    const forceTimer = setTimeout(() => {
+                        killHostDockerChild(child, "SIGKILL");
+                    }, DOCKER_ABORT_FORCE_GRACE_MS);
+                    unrefTimer(forceTimer);
+                    abortEscalationTimers.push(forceTimer);
+                }, DOCKER_ABORT_GRACE_MS);
+                unrefTimer(terminateTimer);
+                abortEscalationTimers.push(terminateTimer);
             };
             const cleanupAbort = bindAbortSignal(spec.signal, () => {
-                settleResult(1);
+                exitCodeOverride = 1;
                 spawnControlCommand(engine, context, ["stop", containerName]);
+                scheduleAbortEscalation();
             });
             child.once("error", () => {
                 settleResult(1);
@@ -93,6 +128,14 @@ export function createDockerRunner(options) {
         }
     };
 }
+function killHostDockerChild(child, signal) {
+    try {
+        child.kill(signal);
+    }
+    catch {
+        return;
+    }
+}
 function buildContainerName(name) {
     const suffix = randomBytes(3).toString("hex").slice(0, 6);
     const sanitizedName = sanitizeContainerName(name);
@@ -123,10 +166,16 @@ function isContainerNameCharacter(char) {
     return char === "." || char === "_" || char === "-";
 }
 function spawnControlCommand(engine, context, args) {
-    const child = childProcess.spawn(engine, [...buildContextArgs(engine, context), ...args], {
-        stdio: "ignore"
-    });
-    child.once("error", () => undefined);
+    try {
+        const child = childProcess.spawn(engine, [...buildContextArgs(engine, context), ...args], {
+            stdio: "ignore"
+        });
+        child.once("error", () => undefined);
+        child.unref();
+    }
+    catch {
+        return;
+    }
 }
 function bindAbortSignal(signal, onAbort) {
     if (signal === undefined) {
@@ -141,3 +190,11 @@ function bindAbortSignal(signal, onAbort) {
         signal.removeEventListener("abort", onAbort);
     };
 }
+function unrefTimer(timer) {
+    if (typeof timer === "object" &&
+        timer !== null &&
+        "unref" in timer &&
+        typeof timer.unref === "function") {
+        timer.unref();
+    }
+}

package/node_modules/@poe-code/process-runner/dist/docker/env-file.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export interface DockerEnvFile {
+    path: string;
+    cleanup(): void;
+}
+export declare function createDockerEnvFile(env: Record<string, string> | undefined): DockerEnvFile | null;
+export declare function serializeDockerEnvFile(entries: Array<[string, string]>): string;

package/node_modules/@poe-code/process-runner/dist/docker/env-file.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import path from "node:path";
+export function createDockerEnvFile(env) {
+    const entries = Object.entries(env ?? {});
+    if (entries.length === 0) {
+        return null;
+    }
+    const directory = mkdtempSync(path.join(tmpdir(), "poe-docker-env-"));
+    const filePath = path.join(directory, "env");
+    let active = true;
+    try {
+        writeFileSync(filePath, serializeDockerEnvFile(entries), {
+            encoding: "utf8",
+            flag: "wx",
+            mode: 0o600
+        });
+    }
+    catch (error) {
+        rmSync(directory, { recursive: true, force: true });
+        throw error;
+    }
+    return {
+        path: filePath,
+        cleanup() {
+            if (!active) {
+                return;
+            }
+            active = false;
+            rmSync(directory, { recursive: true, force: true });
+        }
+    };
+}
+export function serializeDockerEnvFile(entries) {
+    return (entries.map(([key, value]) => `${formatDockerEnvKey(key)}=${formatDockerEnvValue(value)}`).join("\n") +
+        "\n");
+}
+function formatDockerEnvKey(key) {
+    if (key.length === 0 || key.includes("=") || key.includes("\n") || key.includes("\r")) {
+        throw new Error(`Invalid Docker environment variable name: ${JSON.stringify(key)}`);
+    }
+    return key;
+}
+function formatDockerEnvValue(value) {
+    if (value.includes("\n") || value.includes("\r")) {
+        throw new Error("Docker env-file values cannot contain newline characters.");
+    }
+    return value;
+}

package/node_modules/@poe-code/process-runner/dist/host/host-runner.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { spawn as spawnChildProcess } from "node:child_process";
 export function createHostRunner(options = {}) {
-    const detached = options.detached === true;
+    const detachedByDefault = options.detached === true;
     return {
         name: "host",
         exec(spec) {
@@ -17,6 +17,7 @@ export function createHostRunner(options = {}) {
             const stdinMode = spec.stdin ?? "ignore";
             const stdoutMode = spec.stdout ?? "pipe";
             const stderrMode = spec.stderr ?? "pipe";
+            const killProcessGroup = detachedByDefault || spec.killProcessGroup === true;
             const stdio = stdinMode === "inherit" && stdoutMode === "inherit" && stderrMode === "inherit"
                 ? "inherit"
                 : [stdinMode, stdoutMode, stderrMode];
@@ -24,13 +25,13 @@ export function createHostRunner(options = {}) {
                 cwd: spec.cwd,
                 env: spec.env,
                 stdio,
-                ...(detached ? { detached: true } : {})
+                ...(killProcessGroup ? { detached: true } : {})
             });
-            if (detached) {
+            if (killProcessGroup) {
                 child.unref();
             }
             const kill = (signal) => {
-                if (detached && process.platform !== "win32" && child.pid !== undefined) {
+                if (killProcessGroup && process.platform !== "win32" && child.pid !== undefined) {
                     process.kill(-child.pid, signal);
                     return;
                 }

package/node_modules/@poe-code/process-runner/dist/types.d.ts CHANGED Viewed

@@ -20,6 +20,8 @@ export interface RunSpec {
     stderr?: "pipe" | "inherit";
     tty?: boolean;
     signal?: AbortSignal;
+    /** Start in a separate process group so kill() can signal the full group where supported. */
+    killProcessGroup?: boolean;
 }
 export interface Runner {
     exec(spec: RunSpec): RunHandle;
@@ -163,6 +165,7 @@ export interface DockerRunArgs {
     args: string[];
     cwd?: string;
     env?: Record<string, string>;
+    envFilePath?: string;
     mounts: DockerMount[];
     ports: DockerPortMapping[];
     network?: string;

package/node_modules/@poe-code/process-runner/dist/workspace-transfer.d.ts CHANGED Viewed

@@ -4,6 +4,7 @@ export interface WorkspaceTransferDirent {
     name: string;
     isFile(): boolean;
     isDirectory(): boolean;
+    isSymbolicLink?(): boolean;
 }
 export interface WorkspaceTransferStats {
     isFile(): boolean;
@@ -20,7 +21,10 @@ export interface WorkspaceTransferFileSystem {
     }): Promise<WorkspaceTransferDirent[]>;
     readFile(path: string): Promise<Buffer>;
     readFile(path: string, encoding: BufferEncoding): Promise<string>;
-    writeFile(path: string, data: string | Buffer): Promise<void>;
+    writeFile(path: string, data: string | Buffer, options?: {
+        flag?: string;
+        mode?: number;
+    }): Promise<void>;
     stat(path: string): Promise<WorkspaceTransferStats>;
     lstat?(path: string): Promise<WorkspaceTransferStats>;
     rename?(oldPath: string, newPath: string): Promise<void>;

package/node_modules/@poe-code/process-runner/dist/workspace-transfer.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { createHash } from "node:crypto";
+import { createHash, randomUUID } from "node:crypto";
 import { promises as nodeFs } from "node:fs";
 import path from "node:path";
 const uploadState = new WeakMap();
@@ -82,7 +82,7 @@ export async function downloadWorkspace(env, opts) {
     const remoteFs = env.remoteFs ?? localFs;
     const workspaceDir = env.workspaceDir ?? "/workspace";
     const state = uploadState.get(env) ?? new Map();
-    const remoteFiles = await listFilesIfExists(remoteFs, workspaceDir);
+    const remoteFiles = await listFilesIfExists(remoteFs, workspaceDir, { rejectSymlinks: true });
     const remotePaths = new Set(remoteFiles.map((file) => file.path));
     const conflicts = [];
     let files = 0;
@@ -96,7 +96,7 @@ export async function downloadWorkspace(env, opts) {
             conflicts.push({ path: remoteFile.path, reason: "local_modified" });
             continue;
         }
-        await writeFileAtomically(localFs, localPath, remoteContent, ".download-tmp");
+        await writeFileAtomically(localFs, env.cwd, localPath, remoteContent, ".download-tmp");
         state.set(remoteFile.path, {
             hash: hashBuffer(remoteContent),
             uploaded: true
@@ -122,9 +122,9 @@ export async function downloadWorkspace(env, opts) {
     }
     return { files, bytes, conflicts };
 }
-async function listFilesIfExists(fs, root) {
+async function listFilesIfExists(fs, root, options = {}) {
     try {
-        return await listFiles(fs, root);
+        return await listFiles(fs, root, options);
     }
     catch (error) {
         if (isNotFoundError(error)) {
@@ -133,12 +133,15 @@ async function listFilesIfExists(fs, root) {
         throw error;
     }
 }
-async function listFiles(fs, root) {
+async function listFiles(fs, root, options = {}) {
     const result = [];
     async function visit(dir) {
         const dirents = await fs.readdir(dir, { withFileTypes: true });
         for (const dirent of dirents.sort((left, right) => left.name.localeCompare(right.name))) {
             const absolutePath = path.join(dir, dirent.name);
+            if (options.rejectSymlinks === true && dirent.isSymbolicLink?.() === true) {
+                throw new Error("Workspace download must not follow symbolic links.");
+            }
             if (dirent.isDirectory()) {
                 await visit(absolutePath);
                 continue;
@@ -347,15 +350,28 @@ async function renamePath(fs, sourcePath, destinationPath) {
     }
     await fs.rename(sourcePath, destinationPath);
 }
-async function writeFileAtomically(fs, destinationPath, data, temporarySuffix) {
-    const temporaryPath = `${destinationPath}${temporarySuffix}`;
+async function writeFileAtomically(fs, workspacePath, destinationPath, data, temporarySuffix) {
+    const temporaryPath = `${destinationPath}.${randomUUID()}${temporarySuffix}`;
+    let temporaryCreated = false;
     await fs.mkdir(path.dirname(destinationPath), { recursive: true });
     try {
-        await fs.writeFile(temporaryPath, data);
+        await assertSafeLocalDownloadPath(fs, workspacePath, temporaryPath);
+        try {
+            await fs.writeFile(temporaryPath, data, { flag: "wx", mode: 0o600 });
+            temporaryCreated = true;
+        }
+        catch (error) {
+            if (!isAlreadyExistsError(error)) {
+                await removeFile(fs, temporaryPath).catch(() => undefined);
+            }
+            throw error;
+        }
         await renamePath(fs, temporaryPath, destinationPath);
     }
     catch (error) {
-        await removeFile(fs, temporaryPath).catch(() => undefined);
+        if (temporaryCreated) {
+            await removeFile(fs, temporaryPath).catch(() => undefined);
+        }
         throw error;
     }
 }
@@ -482,3 +498,6 @@ function stripSlashes(value) {
 function isNotFoundError(error) {
     return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
 }
+function isAlreadyExistsError(error) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === "EEXIST";
+}

package/node_modules/auth-store/dist/encrypted-file-store.d.ts CHANGED Viewed

@@ -33,6 +33,7 @@ export interface EncryptedFileStoreInput {
 export declare class EncryptedFileStore implements SecretStore {
     private readonly fs;
     private readonly filePath;
+    private readonly symbolicLinkCheckStartPath;
     private readonly salt;
     private readonly getMachineIdentity;
     private readonly getRandomBytes;