pmsec 0.1.0__tar.gz

pmsec-0.1.0/.gitignore

@@ -0,0 +1,10 @@
+node_modules/
+*.tgz
+.venv/
+__pycache__/
+*.pyc
+*.bak
+dist/
+build/
+*.egg-info/
+.pytest_cache/

pmsec-0.1.0/PKG-INFO

@@ -0,0 +1,45 @@
+Metadata-Version: 2.4
+Name: pmsec
+Version: 0.1.0
+Summary: Inspect and apply install-time cooldown (min-release-age / exclude-newer) for npm and uv.
+Author-email: Hikaru Egashira <ai@egahika.dev>
+License: MIT
+Keywords: cooldown,exclude-newer,min-release-age,npm,pmsec,supply-chain,uv
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+
+# pmsec (Python)
+
+`pmsec` is a cross-platform CLI that inspects and applies install-time cooldown
+settings (e.g. npm `min-release-age`, uv `exclude-newer`) to mitigate
+supply-chain attacks where malicious packages are typically detected and
+removed within hours to days of publication.
+
+## Install
+
+```bash
+uvx pmsec check --min 7
+uvx pmsec set 7
+uvx pmsec unset
+```
+
+## Supported tools
+
+npm, pnpm, yarn 4+, bun, cargo (RFC #3801), mise, uv
+
+## Commands
+
+| Command | Description |
+| --- | --- |
+| `pmsec check [--min N]` | Read each tool's config; exit 1 if any tool is below `N` days or unset |
+| `pmsec set <DAYS> [--force]` | Write `DAYS`-day cooldown to every selected tool |
+| `pmsec unset` | Remove only the cooldown key from each config (other keys preserved) |
+
+Options: `--tool npm,pnpm,yarn,bun,cargo,mise,uv`, `--json`.
+
+See the [project README](https://github.com/HikaruEgashira/pmsec) for the full
+table of keys, units, paths, and overrides.
+
+## License
+
+MIT

pmsec-0.1.0/README.md

@@ -0,0 +1,35 @@
+# pmsec (Python)
+
+`pmsec` is a cross-platform CLI that inspects and applies install-time cooldown
+settings (e.g. npm `min-release-age`, uv `exclude-newer`) to mitigate
+supply-chain attacks where malicious packages are typically detected and
+removed within hours to days of publication.
+
+## Install
+
+```bash
+uvx pmsec check --min 7
+uvx pmsec set 7
+uvx pmsec unset
+```
+
+## Supported tools
+
+npm, pnpm, yarn 4+, bun, cargo (RFC #3801), mise, uv
+
+## Commands
+
+| Command | Description |
+| --- | --- |
+| `pmsec check [--min N]` | Read each tool's config; exit 1 if any tool is below `N` days or unset |
+| `pmsec set <DAYS> [--force]` | Write `DAYS`-day cooldown to every selected tool |
+| `pmsec unset` | Remove only the cooldown key from each config (other keys preserved) |
+
+Options: `--tool npm,pnpm,yarn,bun,cargo,mise,uv`, `--json`.
+
+See the [project README](https://github.com/HikaruEgashira/pmsec) for the full
+table of keys, units, paths, and overrides.
+
+## License
+
+MIT

pmsec-0.1.0/pyproject.toml

@@ -0,0 +1,19 @@
+[project]
+name = "pmsec"
+version = "0.1.0"
+description = "Inspect and apply install-time cooldown (min-release-age / exclude-newer) for npm and uv."
+readme = "README.md"
+requires-python = ">=3.10"
+license = { text = "MIT" }
+authors = [{ name = "Hikaru Egashira", email = "ai@egahika.dev" }]
+keywords = ["supply-chain", "cooldown", "min-release-age", "exclude-newer", "npm", "uv", "pmsec"]
+
+[project.scripts]
+pmsec = "pmsec.cli:main"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/pmsec"]

pmsec-0.1.0/src/pmsec/__init__.py

@@ -0,0 +1 @@
+__all__ = ["cli"]

pmsec-0.1.0/src/pmsec/__main__.py

@@ -0,0 +1,3 @@
+from pmsec.cli import main
+
+raise SystemExit(main())

pmsec-0.1.0/src/pmsec/cli.py

@@ -0,0 +1,158 @@
+from __future__ import annotations
+
+import argparse
+import json
+import sys
+from pathlib import Path
+
+from pmsec.tools import bun, cargo, mise, npm, pnpm, uv, yarn
+from pmsec.util.paths import current_platform
+
+TOOLS = [npm, pnpm, yarn, bun, cargo, mise, uv]
+DEFAULT_MIN = 7
+
+USAGE_EPILOG = """\
+examples:
+  uvx pmsec check --min 7
+  uvx pmsec set 7
+  uvx pmsec unset --tool npm
+"""
+
+
+def _parser() -> argparse.ArgumentParser:
+    p = argparse.ArgumentParser(
+        prog="pmsec",
+        description="Inspect and apply install-time cooldown for npm, pnpm, yarn, bun, mise, and uv.",
+        epilog=USAGE_EPILOG,
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    sub = p.add_subparsers(dest="command", required=True)
+
+    common = argparse.ArgumentParser(add_help=False)
+    common.add_argument("--tool", help="comma-separated subset of tools (npm,pnpm,yarn,bun,cargo,mise,uv)")
+    common.add_argument("--json", action="store_true", help="emit JSON output")
+
+    c = sub.add_parser("check", parents=[common], help="inspect cooldown settings")
+    c.add_argument("--min", type=int, default=DEFAULT_MIN, help=f"minimum days (default {DEFAULT_MIN})")
+
+    s = sub.add_parser("set", parents=[common], help="apply cooldown")
+    s.add_argument("days", type=int, help="cooldown in days (must be > 0)")
+    s.add_argument("--force", action="store_true", help="apply even if a tool's installed version is too old")
+
+    sub.add_parser("unset", parents=[common], help="remove cooldown")
+
+    return p
+
+
+def _select(only: str | None) -> list:
+    if not only:
+        return TOOLS
+    names = [n.strip() for n in only.split(",") if n.strip()]
+    found = [t for t in TOOLS if t.NAME in names]
+    missing = [n for n in names if not any(t.NAME == n for t in TOOLS)]
+    if missing:
+        raise SystemExit(f"pmsec: unknown tool(s): {','.join(missing)}")
+    return found
+
+
+def _gather(targets, env, home, platform):
+    rows = []
+    for t in targets:
+        r = t.read(env, home, platform)
+        rows.append({"tool": t.NAME, "key": t.KEY, **r})
+    return rows
+
+
+def _render_human(rows, min_days):
+    out = []
+    for r in rows:
+        if r["days"] is None:
+            status = "MISSING"
+        elif r["days"] < min_days:
+            status = "STALE  "
+        else:
+            status = "OK     "
+        out.append(f"{status} {r['tool']:<4} {r['key']} = {r['configured'] or '(unset)'}  [{r['path']}]")
+    return "\n".join(out) + "\n"
+
+
+def _check(args, targets, env, home, platform, out, err):
+    rows = _gather(targets, env, home, platform)
+    failing = [r for r in rows if r["days"] is None or r["days"] < args.min]
+    if args.json:
+        out.write(json.dumps({"min": args.min, "rows": rows, "ok": not failing}, indent=2) + "\n")
+    else:
+        out.write(_render_human(rows, args.min))
+    if failing:
+        err.write(f"pmsec: {len(failing)} tool(s) below {args.min} days\n")
+        return 1
+    return 0
+
+
+def _set(args, targets, env, home, platform, out, err):
+    if args.days <= 0:
+        raise SystemExit("pmsec: set requires DAYS > 0")
+    for t in targets:
+        pf = getattr(t, "preflight", None)
+        if pf is None:
+            continue
+        result = pf()
+        if result["ok"] and result.get("warn"):
+            err.write(f"pmsec: {t.NAME}: {result['message']}\n")
+        if result["ok"]:
+            continue
+        if not args.force:
+            raise SystemExit(f"pmsec: {t.NAME}: {result['message']}")
+        err.write(f"pmsec: {t.NAME}: {result['message']} (continuing due to --force)\n")
+    results = []
+    for t in targets:
+        r = t.write(args.days, env, home, platform)
+        results.append({"tool": t.NAME, "path": r["path"], "days": args.days})
+    if args.json:
+        out.write(json.dumps({"set": args.days, "results": results}, indent=2) + "\n")
+    else:
+        for r in results:
+            out.write(f"set  {r['tool']:<4} {r['days']} days  [{r['path']}]\n")
+    return 0
+
+
+def _unset(args, targets, env, home, platform, out):
+    results = []
+    for t in targets:
+        r = t.unset(env, home, platform)
+        results.append({"tool": t.NAME, "path": r["path"], "removed": r["removed"]})
+    if args.json:
+        out.write(json.dumps({"results": results}, indent=2) + "\n")
+    else:
+        for r in results:
+            tag = "rm  " if r["removed"] else "skip"
+            out.write(f"{tag} {r['tool']:<4} [{r['path']}]\n")
+    return 0
+
+
+def main(
+    argv: list[str] | None = None,
+    *,
+    env: dict[str, str] | None = None,
+    home: Path | None = None,
+    platform: str | None = None,
+    out=None,
+    err=None,
+) -> int:
+    import os
+
+    env = dict(os.environ) if env is None else env
+    home = Path.home() if home is None else home
+    platform = current_platform() if platform is None else platform
+    out = sys.stdout if out is None else out
+    err = sys.stderr if err is None else err
+
+    args = _parser().parse_args(argv)
+    targets = _select(args.tool)
+    if args.command == "check":
+        return _check(args, targets, env, home, platform, out, err)
+    if args.command == "set":
+        return _set(args, targets, env, home, platform, out, err)
+    if args.command == "unset":
+        return _unset(args, targets, env, home, platform, out)
+    return 2

pmsec-0.1.0/src/pmsec/tools/bun.py

@@ -0,0 +1,70 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import bun_config_path
+from pmsec.util.version import detect_version, gte
+
+NAME = "bun"
+KEY = "minimumReleaseAge"
+SECTION = "install"
+DOCS = "https://bun.com/docs/runtime/bunfig#install"
+MIN_BIN = (1, 3, 0)
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return bun_config_path(env, home)
+
+
+def preflight() -> dict:
+    v = detect_version("bun")
+    if v is None:
+        return {"ok": True, "message": None}
+    if gte(v, MIN_BIN):
+        return {"ok": True, "version": v[3], "message": None}
+    msg = (
+        f"bun {v[3]} < {'.'.join(str(n) for n in MIN_BIN)}: "
+        "minimumReleaseAge is silently ignored. Upgrade bun to enforce the cooldown."
+    )
+    return {"ok": True, "warn": True, "version": v[3], "message": msg}
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY, section=SECTION)
+    seconds = None
+    if value is not None:
+        try:
+            seconds = int(value)
+        except ValueError:
+            seconds = None
+    days = None if seconds is None else seconds // 86400
+    return {"path": str(p), "configured": value, "days": days}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f"{KEY} = {days * 86400}", section=SECTION)
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY, section=SECTION)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/tools/cargo.py

@@ -0,0 +1,59 @@
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import cargo_config_path
+
+NAME = "cargo"
+KEY = "minimum-release-age"
+SECTION = "install"
+DOCS = "https://rust-lang.github.io/rfcs/3801-package-cooldown.html"
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return cargo_config_path(env, home)
+
+
+def _parse_days(value: str | None) -> int | None:
+    if value is None:
+        return None
+    m = re.match(r'^"?\s*(\d+)\s*(d|days?|w|weeks?)\s*"?$', value, re.IGNORECASE)
+    if not m:
+        return None
+    n = int(m.group(1))
+    return n * 7 if re.match(r"^(w|weeks?)$", m.group(2), re.IGNORECASE) else n
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY, section=SECTION)
+    return {"path": str(p), "configured": value, "days": _parse_days(value)}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f'{KEY} = "{days}d"', section=SECTION)
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY, section=SECTION)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/tools/mise.py

@@ -0,0 +1,71 @@
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import mise_config_path
+
+NAME = "mise"
+KEY = "minimum_release_age"
+SECTION = "settings"
+DOCS = "https://mise.jdx.dev/configuration/settings.html#minimum_release_age"
+
+_DURATION = re.compile(
+    r'^"?\s*(\d+)\s*(d|days?|w|weeks?|m|months?|y|years?)\s*"?$',
+    re.IGNORECASE,
+)
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return mise_config_path(env, home, platform)
+
+
+def _parse_days(value: str | None) -> int | None:
+    if value is None:
+        return None
+    m = _DURATION.match(value)
+    if not m:
+        return None
+    n = int(m.group(1))
+    unit = m.group(2).lower()
+    if unit in ("w", "week", "weeks"):
+        return n * 7
+    if unit in ("m", "month", "months"):
+        return n * 30
+    if unit in ("y", "year", "years"):
+        return n * 365
+    return n
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY, section=SECTION)
+    return {"path": str(p), "configured": value, "days": _parse_days(value)}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f'{KEY} = "{days}d"', section=SECTION)
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY, section=SECTION)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/tools/npm.py

@@ -0,0 +1,63 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import npmrc_path
+from pmsec.util.version import detect_version, gte
+
+NAME = "npm"
+KEY = "min-release-age"
+DOCS = "https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age"
+MIN_BIN = (11, 10, 0)
+
+
+def preflight() -> dict:
+    v = detect_version("npm")
+    if v is None:
+        return {"ok": True, "message": None}
+    if gte(v, MIN_BIN):
+        return {"ok": True, "version": v[3], "message": None}
+    msg = (
+        f"npm {v[3]} < {'.'.join(str(n) for n in MIN_BIN)}: "
+        "min-release-age is silently ignored. Upgrade npm to enforce the cooldown."
+    )
+    return {"ok": True, "warn": True, "version": v[3], "message": msg}
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return npmrc_path(env, home)
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY)
+    days = None if value is None else int(value)
+    return {"path": str(p), "configured": value, "days": days}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f"{KEY}={days}")
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/tools/pnpm.py

@@ -0,0 +1,69 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import npmrc_path
+from pmsec.util.version import detect_version, gte
+
+NAME = "pnpm"
+KEY = "minimum-release-age"
+DOCS = "https://pnpm.io/settings#minimumreleaseage"
+MIN_BIN = (10, 6, 0)
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return npmrc_path(env, home)
+
+
+def preflight() -> dict:
+    v = detect_version("pnpm")
+    if v is None:
+        return {"ok": True, "message": None}
+    if gte(v, MIN_BIN):
+        return {"ok": True, "version": v[3], "message": None}
+    msg = (
+        f"pnpm {v[3]} < {'.'.join(str(n) for n in MIN_BIN)}: "
+        "minimum-release-age is silently ignored. Upgrade pnpm to enforce the cooldown."
+    )
+    return {"ok": True, "warn": True, "version": v[3], "message": msg}
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY)
+    minutes = None
+    if value is not None:
+        try:
+            minutes = int(value)
+        except ValueError:
+            minutes = None
+    days = None if minutes is None else minutes // (60 * 24)
+    return {"path": str(p), "configured": value, "days": days}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f"{KEY}={days * 24 * 60}")
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/tools/uv.py

@@ -0,0 +1,76 @@
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import uv_config_path
+from pmsec.util.version import detect_version, gte
+
+NAME = "uv"
+KEY = "exclude-newer"
+DOCS = "https://docs.astral.sh/uv/reference/settings/#exclude-newer"
+MIN_BIN = (0, 9, 17)
+
+
+def preflight() -> dict:
+    v = detect_version("uv")
+    if v is None:
+        return {"ok": True, "message": None}
+    if gte(v, MIN_BIN):
+        return {"ok": True, "version": v[3], "message": None}
+    msg = (
+        f"uv {v[3]} < {'.'.join(str(n) for n in MIN_BIN)}: writing "
+        f'exclude-newer = "N days" will break this uv. '
+        "Upgrade uv (uv self update) or rerun with --force."
+    )
+    return {"ok": False, "version": v[3], "message": msg}
+
+_DURATION = re.compile(r'^"\s*(\d+)\s*(day|days|d|week|weeks|w)\s*"$', re.IGNORECASE)
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return uv_config_path(env, home, platform)
+
+
+def _parse_days(value: str | None) -> int | None:
+    if value is None:
+        return None
+    m = _DURATION.match(value)
+    if not m:
+        return None
+    n = int(m.group(1))
+    return n * 7 if m.group(2).lower() in ("week", "weeks", "w") else n
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY)
+    return {"path": str(p), "configured": value, "days": _parse_days(value)}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f'{KEY} = "{days} days"')
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/tools/yarn.py

@@ -0,0 +1,76 @@
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+from pmsec.util.lines import read_key, remove_key, set_key
+from pmsec.util.paths import yarnrc_path
+from pmsec.util.version import detect_version, gte
+
+NAME = "yarn"
+KEY = "npmMinimalAgeGate"
+DOCS = "https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate"
+MIN_BIN = (4, 10, 0)
+SEP = ":"
+
+_DURATION = re.compile(r'^"?\s*(\d+)\s*(d|days?|w|weeks?)\s*"?$', re.IGNORECASE)
+
+
+def path(env: dict[str, str], home: Path, platform: str) -> Path:
+    return yarnrc_path(env, home)
+
+
+def preflight() -> dict:
+    v = detect_version("yarn")
+    if v is None:
+        return {"ok": True, "message": None}
+    if gte(v, MIN_BIN):
+        return {"ok": True, "version": v[3], "message": None}
+    msg = (
+        f"yarn {v[3]} < {'.'.join(str(n) for n in MIN_BIN)}: "
+        "npmMinimalAgeGate is silently ignored. Upgrade yarn (v4.10+) to enforce the cooldown."
+    )
+    return {"ok": True, "warn": True, "version": v[3], "message": msg}
+
+
+def _parse_days(value: str | None) -> int | None:
+    if value is None:
+        return None
+    m = _DURATION.match(value)
+    if not m:
+        return None
+    n = int(m.group(1))
+    return n * 7 if m.group(2).lower() in ("w", "week", "weeks") else n
+
+
+def read(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    raw = p.read_text("utf-8") if p.exists() else ""
+    value = read_key(raw, KEY, sep=SEP)
+    return {"path": str(p), "configured": value, "days": _parse_days(value)}
+
+
+def write(days: int, env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    before = p.read_text("utf-8") if p.exists() else ""
+    after = set_key(before, KEY, f'{KEY}: "{days}d"', sep=SEP)
+    p.parent.mkdir(parents=True, exist_ok=True)
+    bak = p.with_suffix(p.suffix + ".bak")
+    if p.exists() and not bak.exists():
+        bak.write_text(before, "utf-8")
+    p.write_text(after, "utf-8")
+    return {"path": str(p), "before": before, "after": after}
+
+
+def unset(env: dict[str, str], home: Path, platform: str) -> dict:
+    p = path(env, home, platform)
+    if not p.exists():
+        return {"path": str(p), "removed": False}
+    before = p.read_text("utf-8")
+    after, removed = remove_key(before, KEY, sep=SEP)
+    if removed:
+        bak = p.with_suffix(p.suffix + ".bak")
+        if not bak.exists():
+            bak.write_text(before, "utf-8")
+        p.write_text(after, "utf-8")
+    return {"path": str(p), "removed": removed}

pmsec-0.1.0/src/pmsec/util/lines.py

@@ -0,0 +1,108 @@
+from __future__ import annotations
+
+import re
+
+_SECTION = re.compile(r"^\s*\[[^\]]+\]\s*$")
+_KEY_EQ = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=")
+_KEY_COLON = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*:")
+_FULL_EQ = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*=\s*(.*?)\s*$")
+_FULL_COLON = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*:\s*(.*?)\s*$")
+
+
+def _line_key(line: str, sep: str) -> str | None:
+    pattern = _KEY_COLON if sep == ":" else _KEY_EQ
+    m = pattern.match(line)
+    return m.group(1) if m else None
+
+
+def _range_for_section(lines: list[str], section: str | None) -> tuple[int, int] | None:
+    if section is None:
+        for i, line in enumerate(lines):
+            if _SECTION.match(line):
+                return 0, i
+        return 0, len(lines)
+    header = f"[{section}]"
+    start = -1
+    for i, line in enumerate(lines):
+        if line.strip() == header:
+            start = i + 1
+            break
+    if start < 0:
+        return None
+    end = len(lines)
+    for i in range(start, len(lines)):
+        if _SECTION.match(lines[i]):
+            end = i
+            break
+    return start, end
+
+
+def _index_of_key(lines: list[str], rng: tuple[int, int], key: str, sep: str) -> int:
+    for i in range(rng[0], rng[1]):
+        if _line_key(lines[i], sep) == key:
+            return i
+    return -1
+
+
+def _index_first_section(lines: list[str]) -> int:
+    for i, line in enumerate(lines):
+        if _SECTION.match(line):
+            return i
+    return -1
+
+
+def read_key(text: str, key: str, *, sep: str = "=", section: str | None = None) -> str | None:
+    lines = text.splitlines()
+    rng = _range_for_section(lines, section)
+    if rng is None:
+        return None
+    i = _index_of_key(lines, rng, key, sep)
+    if i < 0:
+        return None
+    pattern = _FULL_COLON if sep == ":" else _FULL_EQ
+    m = pattern.match(lines[i])
+    return m.group(1) if m else None
+
+
+def set_key(text: str, key: str, value_line: str, *, sep: str = "=", section: str | None = None) -> str:
+    trailing = text.endswith("\n") or text == ""
+    lines = [] if text == "" else text.rstrip("\n").split("\n")
+    rng = _range_for_section(lines, section)
+    if rng is None:
+        if lines and lines[-1] != "":
+            lines.append("")
+        lines.extend([f"[{section}]", value_line])
+    else:
+        idx = _index_of_key(lines, rng, key, sep)
+        if idx >= 0:
+            lines[idx] = value_line
+        elif section:
+            lines[rng[0]:rng[0]] = [value_line]
+        else:
+            first_sec = _index_first_section(lines)
+            if first_sec < 0:
+                lines.append(value_line)
+            else:
+                lines[first_sec:first_sec] = [value_line, ""]
+    out = "\n".join(lines)
+    if trailing or lines:
+        out += "\n"
+    return out
+
+
+def remove_key(text: str, key: str, *, sep: str = "=", section: str | None = None) -> tuple[str, bool]:
+    trailing = text.endswith("\n")
+    lines = [] if text == "" else text.rstrip("\n").split("\n")
+    rng = _range_for_section(lines, section)
+    if rng is None:
+        return text, False
+    idx = _index_of_key(lines, rng, key, sep)
+    if idx < 0:
+        return text, False
+    del lines[idx]
+    if idx < len(lines) and lines[idx] == "":
+        del lines[idx]
+    out = "\n".join(lines)
+    if trailing and lines:
+        out += "\n"
+    return out, True

pmsec-0.1.0/src/pmsec/util/paths.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+
+def npmrc_path(env: dict[str, str], home: Path) -> Path:
+    if "NPM_CONFIG_USERCONFIG" in env:
+        return Path(env["NPM_CONFIG_USERCONFIG"])
+    return home / ".npmrc"
+
+
+def bun_config_path(env: dict[str, str], home: Path) -> Path:
+    if "BUN_CONFIG_FILE" in env:
+        return Path(env["BUN_CONFIG_FILE"])
+    return home / ".bunfig.toml"
+
+
+def yarnrc_path(env: dict[str, str], home: Path) -> Path:
+    if "YARN_RC_FILENAME" in env:
+        return Path(env["YARN_RC_FILENAME"])
+    return home / ".yarnrc.yml"
+
+
+def cargo_config_path(env: dict[str, str], home: Path) -> Path:
+    if "CARGO_HOME" in env:
+        return Path(env["CARGO_HOME"]) / "config.toml"
+    return home / ".cargo" / "config.toml"
+
+
+def mise_config_path(env: dict[str, str], home: Path, platform: str) -> Path:
+    if "MISE_GLOBAL_CONFIG_FILE" in env:
+        return Path(env["MISE_GLOBAL_CONFIG_FILE"])
+    if platform == "win32":
+        base = Path(env["LOCALAPPDATA"]) if "LOCALAPPDATA" in env else home / "AppData" / "Local"
+        return base / "mise" / "config.toml"
+    base = Path(env["XDG_CONFIG_HOME"]) if "XDG_CONFIG_HOME" in env else home / ".config"
+    return base / "mise" / "config.toml"
+
+
+def uv_config_path(env: dict[str, str], home: Path, platform: str) -> Path:
+    if "UV_CONFIG_FILE" in env:
+        return Path(env["UV_CONFIG_FILE"])
+    if platform == "win32":
+        base = Path(env["APPDATA"]) if "APPDATA" in env else home / "AppData" / "Roaming"
+        return base / "uv" / "uv.toml"
+    base = Path(env["XDG_CONFIG_HOME"]) if "XDG_CONFIG_HOME" in env else home / ".config"
+    return base / "uv" / "uv.toml"
+
+
+def current_platform() -> str:
+    return "win32" if os.name == "nt" else "linux"

pmsec-0.1.0/src/pmsec/util/version.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+import re
+import subprocess
+
+
+def detect_version(bin_name: str, args: list[str] | None = None) -> tuple[int, int, int, str] | None:
+    args = args or ["--version"]
+    try:
+        out = subprocess.run([bin_name, *args], capture_output=True, text=True, timeout=5)
+    except (FileNotFoundError, subprocess.TimeoutExpired):
+        return None
+    if out.returncode != 0:
+        return None
+    m = re.search(r"(\d+)\.(\d+)\.(\d+)", out.stdout or "")
+    if not m:
+        return None
+    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(0)
+
+
+def gte(v: tuple[int, int, int, str] | None, target: tuple[int, int, int]) -> bool | None:
+    if v is None:
+        return None
+    if v[0] != target[0]:
+        return v[0] > target[0]
+    if v[1] != target[1]:
+        return v[1] > target[1]
+    return v[2] >= target[2]

pmsec-0.1.0/tests/test_cli.py

@@ -0,0 +1,141 @@
+from __future__ import annotations
+
+import io
+import json
+import sys
+from pathlib import Path
+
+import pytest
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1] / "src"))
+
+from pmsec.cli import main  # noqa: E402
+
+
+def env_for(home: Path) -> dict[str, str]:
+    return {"HOME": str(home), "XDG_CONFIG_HOME": str(home / ".config")}
+
+
+def run(argv, home, platform="linux"):
+    out, err = io.StringIO(), io.StringIO()
+    code = main(argv, env=env_for(home), home=home, platform=platform, out=out, err=err)
+    return code, out.getvalue(), err.getvalue()
+
+
+def test_set_writes_every_supported_tool_config(tmp_path):
+    code, _, _ = run(["set", "7"], tmp_path)
+    assert code == 0
+    assert "min-release-age=7" in (tmp_path / ".npmrc").read_text()
+    assert "minimum-release-age=10080" in (tmp_path / ".npmrc").read_text()
+    assert 'exclude-newer = "7 days"' in (tmp_path / ".config" / "uv" / "uv.toml").read_text()
+    bunfig = (tmp_path / ".bunfig.toml").read_text()
+    assert "[install]" in bunfig
+    assert "minimumReleaseAge = 604800" in bunfig
+    assert 'npmMinimalAgeGate: "7d"' in (tmp_path / ".yarnrc.yml").read_text()
+    mise = (tmp_path / ".config" / "mise" / "config.toml").read_text()
+    assert "[settings]" in mise
+    assert 'minimum_release_age = "7d"' in mise
+
+
+def test_check_passes_after_set(tmp_path):
+    run(["set", "7"], tmp_path)
+    code, _, _ = run(["check", "--min", "7"], tmp_path)
+    assert code == 0
+
+
+def test_check_fails_when_missing(tmp_path):
+    code, out, _ = run(["check"], tmp_path)
+    assert code == 1
+    for tool in ("npm", "pnpm", "yarn", "bun", "cargo", "mise", "uv"):
+        assert f"MISSING {tool}" in out
+
+
+def test_unset_preserves_other_keys(tmp_path):
+    (tmp_path / ".npmrc").write_text(
+        "registry=https://r/\nmin-release-age=7\nminimum-release-age=10080\n"
+    )
+    uv_dir = tmp_path / ".config" / "uv"
+    uv_dir.mkdir(parents=True)
+    (uv_dir / "uv.toml").write_text(
+        'exclude-newer = "7 days"\nindex-strategy = "unsafe-best-match"\n'
+    )
+    (tmp_path / ".bunfig.toml").write_text(
+        '[install]\nminimumReleaseAge = 604800\nregistry = "https://x/"\n'
+    )
+    (tmp_path / ".yarnrc.yml").write_text(
+        'npmMinimalAgeGate: "7d"\nnpmRegistryServer: "https://r/"\n'
+    )
+    run(["unset"], tmp_path)
+    assert (tmp_path / ".npmrc").read_text() == "registry=https://r/\n"
+    assert (uv_dir / "uv.toml").read_text() == 'index-strategy = "unsafe-best-match"\n'
+    assert (tmp_path / ".bunfig.toml").read_text() == '[install]\nregistry = "https://x/"\n'
+    assert (tmp_path / ".yarnrc.yml").read_text() == 'npmRegistryServer: "https://r/"\n'
+
+
+def test_set_replaces_existing_value(tmp_path):
+    (tmp_path / ".npmrc").write_text("min-release-age=3\nregistry=https://r/\n")
+    run(["set", "10", "--tool", "npm"], tmp_path)
+    assert (tmp_path / ".npmrc").read_text() == "min-release-age=10\nregistry=https://r/\n"
+
+
+def test_tool_filter(tmp_path):
+    run(["set", "7", "--tool", "npm,bun"], tmp_path)
+    assert (tmp_path / ".npmrc").exists()
+    assert (tmp_path / ".bunfig.toml").exists()
+    assert not (tmp_path / ".config" / "uv" / "uv.toml").exists()
+
+
+def test_windows_uv_path(tmp_path):
+    appdata = tmp_path / "AppData" / "Roaming"
+    out, err = io.StringIO(), io.StringIO()
+    main(["set", "7", "--tool", "uv"], env={"APPDATA": str(appdata)}, home=tmp_path, platform="win32", out=out, err=err)
+    assert (appdata / "uv" / "uv.toml").read_text().splitlines()[0] == 'exclude-newer = "7 days"'
+
+
+def test_check_json(tmp_path):
+    _, out, _ = run(["check", "--json"], tmp_path)
+    data = json.loads(out)
+    assert data["ok"] is False
+    assert len(data["rows"]) == 7
+    assert [r["tool"] for r in data["rows"]] == ["npm", "pnpm", "yarn", "bun", "cargo", "mise", "uv"]
+
+
+def test_set_rejects_zero(tmp_path):
+    with pytest.raises(SystemExit):
+        run(["set", "0"], tmp_path)
+
+
+def test_bun_section_insert(tmp_path):
+    (tmp_path / ".bunfig.toml").write_text('[install]\nregistry = "https://x/"\n')
+    run(["set", "7", "--tool", "bun"], tmp_path)
+    text = (tmp_path / ".bunfig.toml").read_text()
+    assert text.startswith("[install]\nminimumReleaseAge = 604800\nregistry =")
+
+
+def test_bun_creates_section_if_missing(tmp_path):
+    (tmp_path / ".bunfig.toml").write_text("telemetry = false\n")
+    run(["set", "7", "--tool", "bun"], tmp_path)
+    text = (tmp_path / ".bunfig.toml").read_text()
+    assert text == "telemetry = false\n\n[install]\nminimumReleaseAge = 604800\n"
+
+
+def test_yarn_check_parses_days(tmp_path):
+    (tmp_path / ".yarnrc.yml").write_text('npmMinimalAgeGate: "14d"\n')
+    _, out, _ = run(["check", "--json", "--tool", "yarn", "--min", "7"], tmp_path)
+    data = json.loads(out)
+    assert data["ok"] is True
+    assert data["rows"][0]["days"] == 14
+
+
+def test_pnpm_check_normalizes_minutes(tmp_path):
+    (tmp_path / ".npmrc").write_text("minimum-release-age=20160\n")
+    _, out, _ = run(["check", "--json", "--tool", "pnpm"], tmp_path)
+    data = json.loads(out)
+    assert data["rows"][0]["days"] == 14
+
+
+def test_bak_created_once(tmp_path):
+    (tmp_path / ".npmrc").write_text("registry=https://original/\n")
+    run(["set", "7", "--tool", "npm"], tmp_path)
+    run(["set", "10", "--tool", "npm"], tmp_path)
+    assert (tmp_path / ".npmrc.bak").read_text() == "registry=https://original/\n"

pmsec-0.1.0/uv.lock

@@ -0,0 +1,7 @@
+version = 1
+requires-python = ">=3.10"
+
+[[package]]
+name = "pmsec"
+version = "0.1.0"
+source = { editable = "." }