Rama integration beta

install-scripts/install-safe-chain.sh

@@ -429,6 +429,9 @@ parse_arguments() {
             --include-python)
                 warn "--include-python is deprecated and ignored. Python ecosystem is now included by default."
                 ;;
+            --experimental-rama-proxy)
+                USE_RAMA_PROXY=true
+                ;;
             *)
                 error "Unknown argument: $1"
                 ;;
@@ -444,6 +447,7 @@ parse_arguments() {
 main() {
     # Initialize argument flags
     USE_CI_SETUP=false
+    USE_RAMA_PROXY=false
 
     # Parse command-line arguments
     parse_arguments "$@"
@@ -503,6 +507,33 @@ main() {
 
     info "Binary installed to: $FINAL_FILE"
 
+    # Download safechain-proxy
+    if [ "$USE_RAMA_PROXY" = "true" ] && { [ "$OS" = "macos" ] || [ "$OS" = "linux" ] || [ "$OS" = "linuxstatic" ]; }; then
+        info "Downloading safechain-proxy..."
+
+        if [ "$OS" = "macos" ]; then
+            if [ "$ARCH" = "arm64" ]; then
+                PROXY_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.0.0/safechain-proxy-darwin-arm64"
+            else
+                PROXY_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.0.0/safechain-proxy-darwin-amd64"
+            fi
+        else
+            # Linux (both linux and linuxstatic)
+            if [ "$ARCH" = "x64" ]; then
+                PROXY_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.0.0/safechain-proxy-linux-amd64"
+            else
+                PROXY_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.0.0/safechain-proxy-linux-arm64"
+            fi
+        fi
+
+        if [ -n "$PROXY_URL" ]; then
+            PROXY_FILE="${INSTALL_DIR}/safechain-proxy"
+            download "$PROXY_URL" "$PROXY_FILE"
+            chmod +x "$PROXY_FILE" || error "Failed to make proxy executable"
+            info "Proxy installed to: $PROXY_FILE"
+        fi
+    fi
+
     run_setup_command "$FINAL_FILE"
 }
 

packages/safe-chain/src/main.js

@@ -20,8 +20,22 @@ export async function main(args) {
   process.on("SIGINT", handleProcessTermination);
   process.on("SIGTERM", handleProcessTermination);
 
+  /** @type {import("./registryProxy/registryProxy.js").PackageBlockedEvent[]} */
+  let malwareBlockedEvents = [];
+  /** @type {import("./registryProxy/registryProxy.js").PackageBlockedEvent[]} */
+  let minPackageAgeBlocks = [];
+  /** @type {import("./registryProxy/registryProxy.js").MinPackageAgeSuppressionEvent[]} */
+  let suppressedVersionEvents = [];
+
   const proxy = createSafeChainProxy();
   await proxy.startServer();
+  proxy.addListener("malwareBlocked", (ev) => malwareBlockedEvents.push(ev));
+  proxy.addListener("minPackageAgeVersionsSuppressed", (ev) =>
+    suppressedVersionEvents.push(ev),
+  );
+  proxy.addListener("minimumAgeRequestBlocked", (ev) =>
+    minPackageAgeBlocks.push(ev),
+  );
 
   // Global error handlers to log unhandled errors
   process.on("uncaughtException", (error) => {
@@ -64,11 +78,13 @@ export async function main(args) {
     // Write all buffered logs
     ui.writeBufferedLogsAndStopBuffering();
 
-    if (proxy.hasBlockedMaliciousPackages()) {
+    if (malwareBlockedEvents.length > 0) {
+      printBlockedMalware(malwareBlockedEvents);
       return 1;
     }
 
-    if (proxy.hasBlockedMinimumAgeRequests()) {
+    if (minPackageAgeBlocks.length > 0) {
+      printMinPackageAgeBlocks(minPackageAgeBlocks);
       return 1;
     }
 
@@ -81,17 +97,8 @@ export async function main(args) {
       );
     }
 
-    if (proxy.hasSuppressedVersions()) {
-      ui.writeInformation(
-        `${chalk.yellow(
-          "ℹ",
-        )} Safe-chain: Some package versions were suppressed during package metadata resolution due to minimum package age.`,
-      );
-      ui.writeInformation(
-        `  To disable this check, use: ${chalk.cyan(
-          "--safe-chain-skip-minimum-package-age",
-        )}`,
-      );
+    if (suppressedVersionEvents.length > 0) {
+      printSuppressedVersions(suppressedVersionEvents);
     }
 
     // Returning the exit code back to the caller allows the promise
@@ -121,3 +128,77 @@ function isSafeChainVerify(args) {
     return true;
   }
 }
+
+/**
+ *
+ * @param {import("./registryProxy/registryProxy.js").PackageBlockedEvent[]} malwareBlockedEvents
+ */
+function printBlockedMalware(malwareBlockedEvents) {
+  ui.emptyLine();
+
+  ui.writeInformation(
+    `Safe-chain: ${chalk.bold(
+      `blocked ${malwareBlockedEvents.length} malicious package downloads`,
+    )}:`,
+  );
+
+  for (const ev of malwareBlockedEvents) {
+    ui.writeInformation(` - ${ev.packageName}@${ev.packageVersion}`);
+  }
+
+  ui.emptyLine();
+  ui.writeExitWithoutInstallingMaliciousPackages();
+  ui.emptyLine();
+}
+
+/**
+ *
+ * @param {import("./registryProxy/registryProxy.js").PackageBlockedEvent[]} minPackageAgeBlocks
+ */
+function printMinPackageAgeBlocks(minPackageAgeBlocks) {
+  ui.emptyLine();
+
+  ui.writeInformation(
+    `Safe-chain: ${chalk.bold(
+      `blocked ${minPackageAgeBlocks.length} direct package download request(s) due to minimum package age`,
+    )}:`,
+  );
+
+  for (const req of minPackageAgeBlocks) {
+    ui.writeInformation(` - ${req.packageName}@${req.packageVersion}`);
+  }
+
+  ui.writeInformation(
+    `  To disable this check, use: ${chalk.cyan(
+      "--safe-chain-skip-minimum-package-age",
+    )}`,
+  );
+
+  ui.emptyLine();
+  ui.writeError(
+    "Safe-chain: Exiting without installing packages blocked by the direct download minimum package age check.",
+  );
+  ui.emptyLine();
+}
+
+/**
+ *
+ * @param {import("./registryProxy/registryProxy.js").MinPackageAgeSuppressionEvent[]} minPackageAgeSuppressionEvents
+ */
+function printSuppressedVersions(minPackageAgeSuppressionEvents) {
+  ui.writeVerbose(
+    `${chalk.yellow(
+      "ℹ",
+    )} Safe-chain: Some package versions were suppressed during package metadata resolution due to minimum package age:`,
+  );
+
+  for (const ev of minPackageAgeSuppressionEvents) {
+    ui.writeVerbose(`   - ${ev.packageName} (${ev.packageVersions.join(", ")})`);
+  }
+
+  ui.writeVerbose(
+    `  To disable this check, use: ${chalk.cyan(
+      "--safe-chain-skip-minimum-package-age",
+    )}`,
+  );
+}

packages/safe-chain/src/packagemanager/pip/runPipCommand.js

@@ -1,7 +1,9 @@
 import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
-import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
-import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import {
+  getProxySettings,
+  mergeSafeChainProxyEnvironmentVariables,
+} from "../../registryProxy/registryProxy.js";
 import { PIP_COMMAND, PIP3_COMMAND, PYTHON_COMMAND, PYTHON3_COMMAND } from "./pipSettings.js";
 import fs from "node:fs/promises";
 import fsSync from "node:fs";
@@ -100,7 +102,7 @@ export async function runPip(command, args) {
     // Always provide Python with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots + user certs)
     // so that any network request made by pip, including those outside explicit CLI args,
     // validates correctly under both MITM'd and tunneled HTTPS.
-    const combinedCaPath = getCombinedCaBundlePath();
+    const combinedCaPath = getProxySettings().caCertBundlePath;
 
     // Commands that need access to persistent config/cache/state files
     // These should not have PIP_CONFIG_FILE overridden as it would prevent them from

packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js

@@ -45,6 +45,12 @@ describe("runPipCommand environment variable handling", () => {
           HTTPS_PROXY: "http://localhost:8080",
           HTTP_PROXY: "",
         }),
+        getProxySettings: () => {
+          return {
+            proxyUrl: "http://localhost:8080",
+            caCertBundlePath: "/tmp/test-combined-ca.pem",
+          };
+        },
       },
     });
 

packages/safe-chain/src/packagemanager/pipx/runPipXCommand.js

@@ -1,7 +1,9 @@
 import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
-import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
-import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import {
+  getProxySettings,
+  mergeSafeChainProxyEnvironmentVariables,
+} from "../../registryProxy/registryProxy.js";
 import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
@@ -42,7 +44,7 @@ export async function runPipX(command, args) {
   try {
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
 
-    const combinedCaPath = getCombinedCaBundlePath();
+    const combinedCaPath = getProxySettings().caCertBundlePath;
     const modifiedEnv = getPipXCaBundleEnvironmentVariables(env, combinedCaPath);
 
     // Note: pipx uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration

packages/safe-chain/src/packagemanager/pipx/runPipXCommand.spec.js

@@ -38,6 +38,12 @@ describe("runPipXCommand", () => {
           mergeCalls.push(env);
           return { ...env, ...mergedEnvReturn };
         },
+        getProxySettings: () => {
+          return {
+            proxyUrl: "",
+            caCertBundlePath: "/tmp/test-combined-ca.pem",
+          };
+        },
       },
     });
 

packages/safe-chain/src/packagemanager/poetry/createPoetryPackageManager.js

@@ -1,7 +1,9 @@
 import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
-import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
-import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import {
+  getProxySettings,
+  mergeSafeChainProxyEnvironmentVariables,
+} from "../../registryProxy/registryProxy.js";
 import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
@@ -57,7 +59,7 @@ async function runPoetryCommand(args) {
   try {
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
 
-    const combinedCaPath = getCombinedCaBundlePath();
+    const combinedCaPath = getProxySettings().caCertBundlePath;
     setPoetryCaBundleEnvironmentVariables(env, combinedCaPath);
 
     const result = await safeSpawn("poetry", args, {

packages/safe-chain/src/packagemanager/uv/runUvCommand.js

@@ -1,7 +1,9 @@
 import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
-import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
-import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import {
+  getProxySettings,
+  mergeSafeChainProxyEnvironmentVariables,
+} from "../../registryProxy/registryProxy.js";
 import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
@@ -48,7 +50,7 @@ export async function runUv(command, args) {
   try {
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
 
-    const combinedCaPath = getCombinedCaBundlePath();
+    const combinedCaPath = getProxySettings().caCertBundlePath;
     setUvCaBundleEnvironmentVariables(env, combinedCaPath);
 
     // Note: uv uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration

packages/safe-chain/src/registryProxy/certUtils.js → packages/safe-chain/src/registryProxy/builtInProxy/certUtils.js

@@ -1,7 +1,7 @@
 import forge from "node-forge";
 import path from "path";
 import fs from "fs";
-import { getCertsDir } from "../config/safeChainDir.js";
+import { getCertsDir } from "../../config/safeChainDir.js";
 
 const ca = loadCa();
 

packages/safe-chain/src/registryProxy/certUtils.spec.js → packages/safe-chain/src/registryProxy/builtInProxy/certUtils.spec.js

@@ -6,7 +6,7 @@ describe("certUtils", () => {
 
   beforeEach(() => {
     installedSafeChainDir = undefined;
-    mock.module("../config/safeChainDir.js", {
+    mock.module("../../config/safeChainDir.js", {
       namedExports: {
         getSafeChainBaseDir: () => installedSafeChainDir ?? "/home/test/.safe-chain",
         getCertsDir: () => `${installedSafeChainDir ?? "/home/test/.safe-chain"}/certs`,