refactor(ghjk.ts): replace secureConfig with hack.ts (#87)

* refactor(ghjk.ts): replace secureConfig with hack.ts

* docs: improve README

* fix(ci): update action job

* fix: address llm feedback

* fix: cargo-binstall bug

* fix: ports outdated test fix

.ghjk/lock.json

@@ -1,14 +1,15 @@
 {
   "version": "0",
-  "platform": "aarch64-darwin",
+  "platform": "x86_64-linux",
   "moduleEntries": {
     "ports": {
       "version": "0",
       "configResolutions": {
         "bciqjlw6cxddajjmznoemlmnu7mgbbm7a3hfmnd2x5oivwajmiqui5ey": {
-          "version": "v0.2.62",
+          "version": "v0.2.63",
           "buildDepConfigs": {},
-          "portRef": "[email protected]"
+          "portRef": "[email protected]",
+          "specifiedVersion": false
         },
         "bciqao2s3r3r33ruox4qknfrxqrmemuccxn64dze2ylojrzp2bwvt4ji": {
           "version": "3.7.1",
@@ -17,52 +18,56 @@
               "version": "3.12.3",
               "buildDepConfigs": {
                 "tar_aa": {
-                  "version": "3.5",
+                  "version": "1.35",
                   "buildDepConfigs": {},
-                  "portRef": "[email protected]"
+                  "portRef": "[email protected]",
+                  "specifiedVersion": false
                 },
                 "zstd_aa": {
                   "version": "v1.5.5,",
                   "buildDepConfigs": {},
-                  "portRef": "[email protected]"
+                  "portRef": "[email protected]",
+                  "specifiedVersion": false
                 }
               },
-              "portRef": "[email protected]"
+              "portRef": "[email protected]",
+              "specifiedVersion": false
             }
           },
           "portRef": "[email protected]",
-          "packageName": "pre-commit"
+          "packageName": "pre-commit",
+          "specifiedVersion": false
         },
         "bciqij3g6mmbjn4a6ps4eipcy2fmw2zumgv5a3gbxycthroffihwquoi": {
           "version": "3.12.3",
           "buildDepConfigs": {
             "tar_aa": {
-              "version": "3.5",
+              "version": "1.35",
               "buildDepConfigs": {},
-              "portRef": "[email protected]"
+              "portRef": "[email protected]",
+              "specifiedVersion": false
             },
             "zstd_aa": {
               "version": "v1.5.5,",
               "buildDepConfigs": {},
-              "portRef": "[email protected]"
+              "portRef": "[email protected]",
+              "specifiedVersion": false
             }
           },
-          "portRef": "[email protected]"
+          "portRef": "[email protected]",
+          "specifiedVersion": false
         },
         "bciqj4p5hoqweghbuvz52rupja7sqze34z63dd62nz632c5zxikv6ezy": {
-          "version": "3.5",
+          "version": "1.35",
           "buildDepConfigs": {},
-          "portRef": "[email protected]"
+          "portRef": "[email protected]",
+          "specifiedVersion": false
         },
         "bciqe6fwheayositrdk7rkr2ngdr4wizldakex23tgivss7w6z7g3q3y": {
           "version": "v1.5.5,",
           "buildDepConfigs": {},
-          "portRef": "[email protected]"
-        },
-        "bciqkpfuyqchouu5o3whigod3f5coscq2jdlwde6fztypy3x6fg6xb5q": {
-          "version": "v27.0",
-          "buildDepConfigs": {},
-          "portRef": "[email protected]"
+          "portRef": "[email protected]",
+          "specifiedVersion": false
         }
       }
     },
@@ -86,36 +91,15 @@
                 "bciqjyl5um6634zwpw6cewv22chzlrsvhedbjahyghhy2zraqqgyiv2q"
               ],
               "allowedDeps": "bciqjx7llw7t6pfczypzmhbwv7sxaicruj5pdbuac47m4c5qyildiowi"
-            },
-            "ghjkEnvProvInstSet___test": {
-              "installs": [
-                "bciqikjfnbntvagpghawbzlfp2es6lnqzhba3qx5de7tdrmvhuzhsjqa"
-              ],
-              "allowedDeps": "bciqjx7llw7t6pfczypzmhbwv7sxaicruj5pdbuac47m4c5qyildiowi"
             }
           }
         }
       },
       {
         "id": "tasks",
         "config": {
-          "envs": {
-            "bciqmhz5op4n2p2xhzgtqdjjho6dafxi5xsx4qx5kxkbhqss3mza3mja": {
-              "provides": []
-            }
-          },
-          "tasks": {
-            "bciqe2qc66fi4voc5zoaujvysa3yffxgokfpsuxpebchmflgjaceeqry": {
-              "ty": "denoFile@v1",
-              "key": "UEiB15QTt_KnJPsbHJIOCnssrKFfjKyZxq8UqIFTCsXb3SA==",
-              "envHash": "bciqmhz5op4n2p2xhzgtqdjjho6dafxi5xsx4qx5kxkbhqss3mza3mja"
-            },
-            "bciqezzz3obs4torm2uxhgwloj6meas2wvmpnxobmwib4ey6x226qpza": {
-              "ty": "denoFile@v1",
-              "key": "UEiAGQuHMWAC4VRQJE9YCMI99mgodAeTV86EAv8ROiTRRHA==",
-              "envHash": "bciqmhz5op4n2p2xhzgtqdjjho6dafxi5xsx4qx5kxkbhqss3mza3mja"
-            }
-          },
+          "envs": {},
+          "tasks": {},
           "tasksNamed": []
         }
       },
@@ -124,32 +108,11 @@
         "config": {
           "envs": {
             "test": {
-              "provides": [
-                {
-                  "ty": "ghjk.ports.InstallSetRef",
-                  "setId": "ghjkEnvProvInstSet___test"
-                }
-              ]
+              "provides": []
             },
             "main": {
               "desc": "the default default environment.",
               "provides": [
-                {
-                  "ty": "hook.onEnter.posixExec",
-                  "program": "ghjk",
-                  "arguments": [
-                    "x",
-                    "bciqezzz3obs4torm2uxhgwloj6meas2wvmpnxobmwib4ey6x226qpza"
-                  ]
-                },
-                {
-                  "ty": "hook.onExit.posixExec",
-                  "program": "ghjk",
-                  "arguments": [
-                    "x",
-                    "bciqe2qc66fi4voc5zoaujvysa3yffxgokfpsuxpebchmflgjaceeqry"
-                  ]
-                },
                 {
                   "ty": "ghjk.ports.InstallSetRef",
                   "setId": "ghjkEnvProvInstSet___main"
@@ -562,20 +525,6 @@
         "asdf_plugin_git": "bciqoxx4uhfhw77sux6kzqhy6bvxhxkk4cqigrxdrmggillzkfjgjnli",
         "node_org": "bciqboouqnp54fnumgxvl7uay2k6ho4vhlbibvgoyyt5yt3rkwqaohzi",
         "cpy_bs_ghrel": "bciqctvtiscapp6cmlaxuaxnyac664hs3y3xsa5kqh4ctmhbsiehusly"
-      },
-      "bciqikjfnbntvagpghawbzlfp2es6lnqzhba3qx5de7tdrmvhuzhsjqa": {
-        "port": {
-          "ty": "denoWorker@v1",
-          "name": "protoc_ghrel",
-          "platforms": [
-            "aarch64-linux",
-            "x86_64-linux",
-            "aarch64-darwin",
-            "x86_64-darwin"
-          ],
-          "version": "0.1.0",
-          "moduleSpecifier": "file:///ports/protoc.ts"
-        }
       }
     }
   }

.github/workflows/tests.yml

@@ -87,6 +87,6 @@ jobs:
         env: 
           GHJKFILE: ./examples/protoc/ghjk.ts
       - run: |
-          cd examples/protoc
+          cd examples/tasks
           . $(ghjk print share-dir-path)/env.sh
-          protoc --version
+          ghjk x hey

README.md

@@ -11,40 +11,30 @@ ghjk /jk/ is a programmable runtime manager.
 
 ## Features
 
-- install and manage tools (e.g. rustup, deno, node, etc.)
-  - [ ] fuzzy match the version
-  - support dependencies between tools
-- [ ] setup runtime helpers (e.g. pre-commit, linting, ignore, etc.)
-  - [ ] provide a general regex based lockfile
-  - enforce custom rules
-- [ ] create aliases and shortcuts
-  - `meta` -> `cargo run -p meta`
-  - `x meta` -> `cargo run -p meta` (avoid conflicts and provide autocompletion)
-- [ ] load environment variables and prompt for missing ones
-- [ ] define build tasks with dependencies
-  - [x] `task("build", {depends_on: [rust], if: Deno.build.os === "Macos" })`
-  - [ ] `task.bash("ls")`
-- [x] compatible with continuous integration (e.g. github actions, gitlab)
+- Soft-reproducable developer environments.
+- Install posix programs from different backend like npm, pypi, crates.io.
+- Tasks written in typescript.
+- Run tasks when entering/exiting envs.
 
 ## Getting started
 
 ```bash
 # stable
 curl -fsSL https://raw.githubusercontent.com/metatypedev/ghjk/main/install.sh | bash
 # latest (main)
-curl -fsSL https://raw.githubusercontent.com/metatypedev/ghjk/main/install.sh | GHJK_VERSION=main bash
+curl -fsSL https://raw.githubusercontent.com/metatypedev/ghjk/main/install.sh | GHJK_VERSION=main sh
 ```
 
 In your project, create a configuration file `ghjk.ts`:
 
 ```ts
-// NOTE: All the calls in your `ghjk.ts` file are ultimately modifying the ghjk object
+// NOTE: All the calls in your `ghjk.ts` file are ultimately modifying the 'sophon' object
 // exported here.
-export { ghjk } from "https://raw.githubusercontent.com/metatypedev/ghjk/main/mod.ts";
+// WARN: always import `hack.ts` file first
+export { sophon } from "https://raw.githubusercontent.com/metatypedev/ghjk/main/hack.ts";
 import {
-  install,
-  task,
-} from "https://raw.githubusercontent.com/metatypedev/ghjk/main/mod.ts";
+  install, task,
+} from "https://raw.githubusercontent.com/metatypedev/ghjk/main/hack.ts";
 import node from "https://raw.githubusercontent.com/metatypedev/ghjk/main/ports/node.ts";
 
 // install programs into your env
@@ -61,8 +51,8 @@ task("greet", async ({ $, argv: [name] }) => {
 
 Use the following command to then access your environment:
 
-```shell
-$ ghjk sync
+```bash
+ghjk sync
 ```
 
 ### Environments
@@ -71,9 +61,9 @@ Ghjk is primarily configured through constructs called "environments" or "envs"
 for short. They serve as recipes for making reproducable (mostly) posix shells.
 
 ```ts
-export { ghjk } from "https://raw.githubusercontent.com/metatypedev/ghjk/mod.ts";
-import * as ghjk from "https://raw.githubusercontent.com/metatypedev/ghjk/mod.ts";
-import * as ports from "https://raw.githubusercontent.com/metatypedev/ghjk/ports/mod.ts";
+export { sophon } from "https://raw.githubusercontent.com/metatypedev/ghjk/main/hack.ts";
+import * as ghjk from "https://raw.githubusercontent.com/metatypedev/ghjk/main/hack.ts";
+import * as ports from "https://raw.githubusercontent.com/metatypedev/ghjk/main/ports/mod.ts";
 
 // top level `install`s go to the `main` env
 ghjk.install(ports.protoc());
@@ -141,48 +131,64 @@ Once you've configured your environments:
 
 ### Ports
 
-TBD: this feature is in development.
+TBD: this feature is in development. Look in the [kitchen sink](./examples/kitchen/ghjk.ts) for what's currently implemented.
 
 ### Tasks
 
-TBD: this feature is still in development.
+TBD: this feature is still in development.Look in the [tasks example](./examples/tasks/ghjk.ts) for what's currently implemented.
 
 #### Anonymous tasks
 
-Tasks that aren't give names can not be invoked from the CLI. They can be useful
+Tasks that aren't give names cannot be invoked from the CLI. They can be useful
 for tasks that are meant to be common dependencies of other tasks.
 
-### Secure configs
+### `hack.ts`
 
-Certain options are configured through the `secureConfig` object.
+The imports from the `hack.ts` module, while nice and striaght forward to use, hold and modify global state.
+Any malicious third-party module your ghjkfile imports will thus be able to access them as well, provided they import the same version of the module.
 
 ```ts
-import { env, stdSecureConfig } from "https://.../ghjk/mod.ts";
-import * as ports from "https://.../ports/mod.ts";
+// evil.ts
+import { env, task } from "https://.../ghjk/hack.ts";
 
-env("trueBase")
-  .install(
-    ports.act(),
-    ports.pipi({ packageName: "ruff" }),
-  );
+env("main")
+  // lol
+  .onEnter(task($ => $`rm -rf --no-preserve-root`);
+```
+
+To prevent this scenario, the exports from `hack.ts` inspect the call stack and panic if they detect more than one module using them.
+This means if you want to spread your ghjkfile across multiple modules, you'll need to use functions described below.
+
+> [!CAUTION]
+> The panic protections of `hack.ts` described above only work if the module is the first import in your ghjkfile.
+> If a malicious script gets imported first, it might be able to modify global primordials and get around them.
+> We have more ideas to explore on hardening Ghjk security.
+> This _hack_ is only a temporary compromise while Ghjk is in alpha state.
 
-env("test").vars({ DEBUG: 1 });
-
-// `stdSecureConfig` is a quick way to make an up to spec `secureConfig`.
-export const secureConfig = stdSecureConfig({
-  defaultBaseEnv: "trueBase",
-  defaultEnv: "test",
-  // by default, nodejs, python and other runtime
-  // ports are not allowed to be used
-  // during the build process of other ports.
-  // Disable this security measure here.
-  // (More security features inbound!.)
-  enableRuntimes: true,
+The `hack.ts` file is only optional though and a more verbose but safe way exists through...
+
+```ts
+import { file } from "https://.../ghjk/mod.ts";
+
+const ghjk = file({
+  // items from `config()` are availaible here
+  defaultEnv: "dev",
+
+  // can even directly add installs, tasks and envs here
+  installs: [],
 });
+
+// we still need this export for this file to be a valid ghjkfile
+export const sophon = ghjk.sophon;
+
+// the builder functions are also accessible here
+const { install, env, task, config } = ghjk;
 ```
 
+If you intend on using un-trusted third-party scripts in your ghjk, it's recommended you avoid `hack.ts`.
+
 ## Development
 
 ```bash
-cat install.sh | GHJK_INSTALLER_URL=$(pwd)/install.ts bash
+$ cat install.sh | GHJK_INSTALLER_URL=$(pwd)/install.ts bash
 ```

check.ts

@@ -6,6 +6,7 @@ import { $ } from "./utils/mod.ts";
 const files = (await Array.fromAsync(
   $.path(import.meta.url).parentOrThrow().expandGlob("**/*.ts", {
     exclude: [
+      ".git",
       "play.ts",
       ".ghjk/**",
       ".deno-dir/**",

deno.jsonc

@@ -6,6 +6,7 @@
   },
   "fmt": {
     "exclude": [
+      "*.md",
       "**/*.md",
       ".ghjk/**",
       ".deno-dir/**",