Merge branch 'main' into feature/combine-certs

.github/workflows/test-on-pr.yml

@@ -6,7 +6,12 @@ jobs:
   unit-test:
     name: Run unit tests and linting
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
       - name: Checkout code
@@ -23,7 +28,7 @@ jobs:
           safe-chain setup-ci
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Run unit tests
         run: npm test
@@ -35,10 +40,12 @@ jobs:
         run: npm run typecheck --workspace=packages/safe-chain
 
       - name: Create package tarball
+        if: matrix.os == 'ubuntu-latest'
         run: npm pack --workspace=packages/safe-chain
 
       - name: Upload package tarball
         uses: actions/upload-artifact@v4
+        if: matrix.os == 'ubuntu-latest'
         with:
           name: safe-chain-package
           path: aikidosec-safe-chain-*.tgz

packages/safe-chain/src/main.js

@@ -64,8 +64,7 @@ export async function main(args) {
 
     const auditStats = getAuditStats();
     if (auditStats.totalPackages > 0) {
-      ui.emptyLine();
+      ui.writeVerbose(
-      ui.writeInformation(
         `${chalk.green("✔")} Safe-chain: Scanned ${
           auditStats.totalPackages
         } packages, no malware found.`

packages/safe-chain/src/registryProxy/interceptors/interceptorBuilder.js

@@ -20,6 +20,12 @@ import { EventEmitter } from "events";
  * @property {(headers: NodeJS.Dict<string | string[]> | undefined) => NodeJS.Dict<string | string[]> | undefined} modifyRequestHeaders
  * @property {() => boolean} modifiesResponse
  * @property {(body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer} modifyBody
+ *
+ * @typedef {Object} MalwareBlockedEvent
+ * @property {string} packageName
+ * @property {string} version
+ * @property {string} targetUrl
+ * @property {number} timestamp
  */
 
 /**

packages/safe-chain/src/registryProxy/registryProxy.js

@@ -140,9 +140,14 @@ function handleConnect(req, clientSocket, head) {
 
   if (interceptor) {
     // Subscribe to malware blocked events
-    interceptor.on("malwareBlocked", (event) => {
+    interceptor.on(
-      onMalwareBlocked(event.packageName, event.version, event.url);
+      "malwareBlocked",
-    });
+      (
+        /** @type {import("./interceptors/interceptorBuilder.js").MalwareBlockedEvent} */ event
+      ) => {
+        onMalwareBlocked(event.packageName, event.version, event.targetUrl);
+      }
+    );
 
     mitmConnect(req, clientSocket, interceptor);
   } else {

test/e2e/bun.e2e.spec.js

@@ -28,7 +28,9 @@ describe("E2E: bun coverage", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("bash");
-    const result = await shell.runCommand("bun i axios");
+    const result = await shell.runCommand(
+      "bun i axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),

test/e2e/npm-ci.e2e.spec.js

@@ -33,7 +33,9 @@ describe("E2E: npm coverage using PATH", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("npm i axios");
+    const result = await shell.runCommand(
+      "npm i axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),

test/e2e/npm.e2e.spec.js

@@ -28,7 +28,9 @@ describe("E2E: npm coverage", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("npm i axios");
+    const result = await shell.runCommand(
+      "npm i axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),

test/e2e/pip-ci.e2e.spec.js

@@ -100,7 +100,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
       const projectShell = await container.openShell(shell);
       // Use --break-system-packages to avoid Debian/Ubuntu external management restrictions
       const result = await projectShell.runCommand(
-        "pip3 install --break-system-packages certifi"
+        "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
       );
 
       const hasExpectedOutput = result.output.includes("no malware found.");
@@ -126,7 +126,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
 
       const projectShell = await container.openShell(shell);
       const result = await projectShell.runCommand(
-        "python -m pip install --break-system-packages certifi"
+        "python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
       );
 
       assert.ok(
@@ -149,7 +149,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
 
       const projectShell = await container.openShell(shell);
       const result = await projectShell.runCommand(
-        "python3 -m pip install --break-system-packages certifi"
+        "python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
       );
 
       assert.ok(
@@ -172,7 +172,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
 
       const projectShell = await container.openShell(shell);
       const result = await projectShell.runCommand(
-        "pip install --break-system-packages certifi"
+        "pip install --break-system-packages certifi --safe-chain-logging=verbose"
       );
 
       assert.ok(
@@ -195,7 +195,7 @@ describe("E2E: safe-chain setup-ci command for pip/pip3", () => {
 
       const projectShell = await container.openShell(shell);
       const result = await projectShell.runCommand(
-        "pip3 install --break-system-packages certifi"
+        "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
       );
 
       assert.ok(

test/e2e/pip.e2e.spec.js

@@ -32,7 +32,7 @@ describe("E2E: pip coverage", () => {
   it(`successfully installs known safe packages with pip3`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "pip3 install --break-system-packages requests"
+      "pip3 install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -43,7 +43,9 @@ describe("E2E: pip coverage", () => {
 
   it(`pip3 download`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("pip3 download requests");
+    const result = await shell.runCommand(
+      "pip3 download requests --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),
@@ -53,7 +55,9 @@ describe("E2E: pip coverage", () => {
 
   it(`pip3 .whl`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("pip3 wheel requests");
+    const result = await shell.runCommand(
+      "pip3 wheel requests --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),
@@ -64,7 +68,7 @@ describe("E2E: pip coverage", () => {
   it(`pip3 install --dry-run is respected by scanner`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "pip3 install --dry-run --break-system-packages requests"
+      "pip3 install --dry-run --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -76,7 +80,7 @@ describe("E2E: pip coverage", () => {
   it(`pip3 install with extras such as requests[socks]`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      'pip3 install --break-system-packages "requests[socks]==2.32.3"'
+      'pip3 install --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
     );
 
     assert.ok(
@@ -88,7 +92,7 @@ describe("E2E: pip coverage", () => {
   it(`pip3 install with range version specifier`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      'pip3 install --break-system-packages "Jinja2>=3.1,<3.2"'
+      'pip3 install --break-system-packages "Jinja2>=3.1,<3.2" --safe-chain-logging=verbose'
     );
 
     assert.ok(
@@ -100,7 +104,7 @@ describe("E2E: pip coverage", () => {
   it(`python3 -m pip install routes through safe-chain`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python3 -m pip install --break-system-packages requests"
+      "python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -111,7 +115,9 @@ describe("E2E: pip coverage", () => {
 
   it(`python3 -m pip download routes through safe-chain`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("python3 -m pip download requests");
+    const result = await shell.runCommand(
+      "python3 -m pip download requests --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),
@@ -148,7 +154,7 @@ describe("E2E: pip coverage", () => {
   it(`python -m pip routes to aikido-pip (uses pip command)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python -m pip install --break-system-packages requests"
+      "python -m pip install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -166,7 +172,7 @@ describe("E2E: pip coverage", () => {
   it(`python -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python -m pip3 install --break-system-packages requests"
+      "python -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -184,7 +190,7 @@ describe("E2E: pip coverage", () => {
   it(`python3 -m pip routes to aikido-pip3 (uses pip3 command)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python3 -m pip install --break-system-packages requests"
+      "python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -202,7 +208,7 @@ describe("E2E: pip coverage", () => {
   it(`python3 -m pip3 routes to aikido-pip3 (uses pip3 command)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python3 -m pip3 install --break-system-packages requests"
+      "python3 -m pip3 install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -222,7 +228,7 @@ describe("E2E: pip coverage", () => {
     // Install a simple package from GitHub - this should use TCP tunnel, not MITM
     // Using a popular, small package for testing
     const result = await shell.runCommand(
-      "pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
+      "pip3 install --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -248,7 +254,7 @@ describe("E2E: pip coverage", () => {
   it(`pip3 successfully validates certificates for HTTPS downloads`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "pip3 install --break-system-packages certifi"
+      "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -276,7 +282,7 @@ describe("E2E: pip coverage", () => {
     // Test installing from a direct HTTPS URL (not a registry)
     // This validates that non-registry HTTPS traffic works with our env-provided CA bundle
     const result = await shell.runCommand(
-      "pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
+      "pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -299,7 +305,7 @@ describe("E2E: pip coverage", () => {
     // This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots)
     // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
     const result = await shell.runCommand(
-      "pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi"
+      "pip3 install --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -348,9 +354,7 @@ describe("E2E: pip coverage", () => {
     );
 
     // Verify it was persisted by reading it back
-    const getResult = await shell.runCommand(
+    const getResult = await shell.runCommand("pip3 config get global.timeout");
-      "pip3 config get global.timeout"
-    );
 
     assert.ok(
       getResult.output.includes("60"),
@@ -384,7 +388,9 @@ describe("E2E: pip coverage", () => {
     assert.ok(getResult.output.includes("120"));
 
     // Unset it
-    const unsetResult = await shell.runCommand("pip3 config unset global.timeout");
+    const unsetResult = await shell.runCommand(
+      "pip3 config unset global.timeout"
+    );
     assert.ok(
       unsetResult.output.includes("Writing to"),
       `pip3 config unset should write config. Output was:\n${unsetResult.output}`
@@ -428,7 +434,8 @@ describe("E2E: pip coverage", () => {
 
     // Should show either cached wheels or "No locally built wheels"
     assert.ok(
-      result.output.includes("certifi") || result.output.includes("No locally built"),
+      result.output.includes("certifi") ||
+        result.output.includes("No locally built"),
       `Should output cache list information. Output was:\n${result.output}`
     );
   });
@@ -458,7 +465,9 @@ describe("E2E: pip coverage", () => {
 
     // Should output shell completion code
     assert.ok(
-      result.output.includes("compdef") || result.output.includes("_pip") || result.output.includes("pip completion"),
+      result.output.includes("compdef") ||
+        result.output.includes("_pip") ||
+        result.output.includes("pip completion"),
       `Should output completion code. Output was:\n${result.output}`
     );
   });
@@ -472,7 +481,7 @@ describe("E2E: pip coverage", () => {
 
     // Now install should still work with malware protection
     const result = await shell.runCommand(
-      "pip3 install --break-system-packages certifi"
+      "pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -491,7 +500,9 @@ describe("E2E: pip coverage", () => {
     const shell = await container.openShell("zsh");
 
     // Configure pip with timeout and extra index URL
-    const configTimeout = await shell.runCommand("pip3 config set global.timeout 60");
+    const configTimeout = await shell.runCommand(
+      "pip3 config set global.timeout 60"
+    );
     assert.ok(
       configTimeout.output.includes("Writing to"),
       `Config set should succeed. Output was:\n${configTimeout.output}`
@@ -512,13 +523,14 @@ describe("E2E: pip coverage", () => {
       `Config should show timeout=60. Output was:\n${listConfig.output}`
     );
     assert.ok(
-      listConfig.output.includes("extra-index-url") && listConfig.output.includes("pypi.org"),
+      listConfig.output.includes("extra-index-url") &&
+        listConfig.output.includes("pypi.org"),
       `Config should show extra-index-url. Output was:\n${listConfig.output}`
     );
 
     // Now download packages with the configured settings
     const downloadResult = await shell.runCommand(
-      "pip3 download -d /tmp/packages requests certifi"
+      "pip3 download -d /tmp/packages requests certifi --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -528,7 +540,8 @@ describe("E2E: pip coverage", () => {
 
     // Verify downloads succeeded
     assert.ok(
-      downloadResult.output.includes("Saved") || downloadResult.output.includes("requests"),
+      downloadResult.output.includes("Saved") ||
+        downloadResult.output.includes("requests"),
       `Download should succeed with configured settings. Output was:\n${downloadResult.output}`
     );
     assert.ok(
@@ -575,7 +588,9 @@ describe("E2E: pip coverage", () => {
 
   it(`python3 -c "print('hello')" should bypass safe-chain and execute code`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("python3 -c \"print('hello world')\"");
+    const result = await shell.runCommand(
+      "python3 -c \"print('hello world')\""
+    );
 
     // Should execute Python code
     assert.ok(
@@ -592,7 +607,9 @@ describe("E2E: pip coverage", () => {
 
   it(`python -c should bypass safe-chain and execute code`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("python -c \"import sys; print(sys.version)\"");
+    const result = await shell.runCommand(
+      'python -c "import sys; print(sys.version)"'
+    );
 
     // Should execute Python code and print version
     assert.ok(
@@ -611,7 +628,9 @@ describe("E2E: pip coverage", () => {
     const shell = await container.openShell("zsh");
 
     // Create a simple Python script
-    await shell.runCommand("echo \"print('script executed')\" > /tmp/test_script.py");
+    await shell.runCommand(
+      "echo \"print('script executed')\" > /tmp/test_script.py"
+    );
 
     const result = await shell.runCommand("python3 /tmp/test_script.py");
 
@@ -632,7 +651,9 @@ describe("E2E: pip coverage", () => {
     const shell = await container.openShell("zsh");
 
     // Create a simple Python script
-    await shell.runCommand("echo \"print('python2/3 compatible')\" > /tmp/test_script2.py");
+    await shell.runCommand(
+      "echo \"print('python2/3 compatible')\" > /tmp/test_script2.py"
+    );
 
     const result = await shell.runCommand("python /tmp/test_script2.py");
 
@@ -653,11 +674,13 @@ describe("E2E: pip coverage", () => {
     const shell = await container.openShell("zsh");
 
     // json.tool is a built-in Python module for formatting JSON
-    const result = await shell.runCommand("echo '{\"test\": 123}' | python3 -m json.tool");
+    const result = await shell.runCommand(
+      "echo '{\"test\": 123}' | python3 -m json.tool"
+    );
 
     // Should format JSON
     assert.ok(
-      result.output.includes('"test"') && result.output.includes('123'),
+      result.output.includes('"test"') && result.output.includes("123"),
       `Should format JSON. Output was:\n${result.output}`
     );
 
@@ -673,7 +696,9 @@ describe("E2E: pip coverage", () => {
 
     // Start http.server in background and kill it immediately
     // We just want to verify it starts without safe-chain interference
-    const result = await shell.runCommand("timeout 1 python3 -m http.server 8999 || true");
+    const result = await shell.runCommand(
+      "timeout 1 python3 -m http.server 8999 || true"
+    );
 
     // Should NOT go through safe-chain
     assert.ok(
@@ -683,7 +708,9 @@ describe("E2E: pip coverage", () => {
 
     // Should either start the server or timeout (both are success for bypass test)
     assert.ok(
-      result.output.includes("Serving HTTP") || result.output === "" || result.exitCode !== undefined,
+      result.output.includes("Serving HTTP") ||
+        result.output === "" ||
+        result.exitCode !== undefined,
       `Should attempt to start server. Output was:\n${result.output}`
     );
   });
@@ -732,7 +759,9 @@ describe("E2E: pip coverage", () => {
     );
 
     // Verify venv was created
-    const checkVenv = await shell.runCommand("test -f /tmp/test_venv/bin/python3 && echo 'exists'");
+    const checkVenv = await shell.runCommand(
+      "test -f /tmp/test_venv/bin/python3 && echo 'exists'"
+    );
     assert.ok(
       checkVenv.output.includes("exists"),
       `venv should be created. Output was:\n${checkVenv.output}`
@@ -743,7 +772,9 @@ describe("E2E: pip coverage", () => {
     const shell = await container.openShell("zsh");
 
     // pytest may not be installed, but the bypass should work regardless
-    const result = await shell.runCommand("python3 -m pytest --version 2>&1 || true");
+    const result = await shell.runCommand(
+      "python3 -m pytest --version 2>&1 || true"
+    );
 
     // Should NOT go through safe-chain
     assert.ok(
@@ -775,12 +806,13 @@ describe("E2E: pip coverage", () => {
   it(`python3 -m pip DOES go through safe-chain (sanity check)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python3 -m pip install --break-system-packages certifi"
+      "python3 -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
     );
 
     // SHOULD go through safe-chain
     assert.ok(
-      result.output.includes("Safe-chain") || result.output.includes("no malware found"),
+      result.output.includes("Safe-chain") ||
+        result.output.includes("no malware found"),
       `python3 -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
     );
   });
@@ -788,12 +820,13 @@ describe("E2E: pip coverage", () => {
   it(`python3 -m pip3 DOES go through safe-chain (sanity check)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python3 -m pip3 install --break-system-packages certifi"
+      "python3 -m pip3 install --break-system-packages certifi --safe-chain-logging=verbose"
     );
 
     // SHOULD go through safe-chain
     assert.ok(
-      result.output.includes("Safe-chain") || result.output.includes("no malware found"),
+      result.output.includes("Safe-chain") ||
+        result.output.includes("no malware found"),
       `python3 -m pip3 SHOULD go through safe-chain. Output was:\n${result.output}`
     );
   });
@@ -801,12 +834,13 @@ describe("E2E: pip coverage", () => {
   it(`python -m pip DOES go through safe-chain (sanity check)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "python -m pip install --break-system-packages certifi"
+      "python -m pip install --break-system-packages certifi --safe-chain-logging=verbose"
     );
 
     // SHOULD go through safe-chain
     assert.ok(
-      result.output.includes("Safe-chain") || result.output.includes("no malware found"),
+      result.output.includes("Safe-chain") ||
+        result.output.includes("no malware found"),
       `python -m pip SHOULD go through safe-chain. Output was:\n${result.output}`
     );
   });

test/e2e/pnpm-ci.e2e.spec.js

@@ -33,7 +33,9 @@ describe("E2E: pnpm coverage", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("pnpm add axios");
+    const result = await shell.runCommand(
+      "pnpm add axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),

test/e2e/pnpm.e2e.spec.js

@@ -28,7 +28,9 @@ describe("E2E: pnpm coverage", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("pnpm add axios");
+    const result = await shell.runCommand(
+      "pnpm add axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),

test/e2e/poetry.e2e.spec.js

@@ -16,6 +16,9 @@ describe("E2E: poetry coverage", () => {
 
     const installationShell = await container.openShell("zsh");
     await installationShell.runCommand("safe-chain setup --include-python");
+    
+    // Clear poetry cache
+    await installationShell.runCommand("command poetry cache clear pypi --all -n");
   });
 
   afterEach(async () => {
@@ -29,9 +32,6 @@ describe("E2E: poetry coverage", () => {
   it(`successfully installs known safe packages with poetry add`, async () => {
     const shell = await container.openShell("zsh");
     
-    // Clear poetry cache using command to bypass safe-chain wrapper
-    await shell.runCommand("command poetry cache clear pypi --all -n");
-    
     // Initialize a new poetry project
     await shell.runCommand("mkdir /tmp/test-poetry-project && cd /tmp/test-poetry-project");
     await shell.runCommand("cd /tmp/test-poetry-project && poetry init --no-interaction");

test/e2e/safe-chain-cli-python.e2e.spec.js

@@ -14,6 +14,10 @@ describe("E2E: safe-chain CLI python/pip support", () => {
     await container.start();
     // Note: We do NOT run 'safe-chain setup' here.
     // We want to test the 'safe-chain' CLI command directly.
+
+    // Clear pip cache
+    const shell = await container.openShell("zsh");
+    await shell.runCommand("pip3 cache purge");
   });
 
   afterEach(async () => {
@@ -27,7 +31,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
     const shell = await container.openShell("zsh");
     // Invoke safe-chain directly with pip3 command
     const result = await shell.runCommand(
-      "safe-chain pip3 install --break-system-packages requests"
+      "safe-chain pip3 install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -44,7 +48,7 @@ describe("E2E: safe-chain CLI python/pip support", () => {
   it("safe-chain python3 -m pip install routes through proxy", async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "safe-chain python3 -m pip install --break-system-packages requests"
+      "safe-chain python3 -m pip install --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(

test/e2e/setup-ci.e2e.spec.js

@@ -39,7 +39,9 @@ describe("E2E: safe-chain setup-ci command", () => {
       );
 
       const projectShell = await container.openShell(shell);
-      const result = await projectShell.runCommand("npm i axios");
+      const result = await projectShell.runCommand(
+        "npm i axios --safe-chain-logging=verbose"
+      );
 
       const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
       assert.ok(

test/e2e/setup.teardown.e2e.spec.js

@@ -29,7 +29,9 @@ describe("E2E: safe-chain setup command", () => {
 
       const projectShell = await container.openShell(shell);
       await projectShell.runCommand("cd /testapp");
-      const result = await projectShell.runCommand("npm i axios");
+      const result = await projectShell.runCommand(
+        "npm i axios --safe-chain-logging=verbose"
+      );
 
       const hasExpectedOutput = result.output.includes("Safe-chain: Scanned");
       assert.ok(

test/e2e/uv.e2e.spec.js

@@ -16,6 +16,9 @@ describe("E2E: uv coverage", () => {
 
     const installationShell = await container.openShell("zsh");
     await installationShell.runCommand("safe-chain setup --include-python");
+
+    // Clear uv cache
+    await installationShell.runCommand("uv cache clean");
   });
 
   afterEach(async () => {
@@ -29,7 +32,7 @@ describe("E2E: uv coverage", () => {
   it(`successfully installs known safe packages with uv pip install`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages requests"
+      "uv pip install --system --break-system-packages requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -41,7 +44,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install with specific version`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages requests==2.32.3"
+      "uv pip install --system --break-system-packages requests==2.32.3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -53,7 +56,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install with version specifiers (>=)`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      'uv pip install --system --break-system-packages "Jinja2>=3.1"'
+      'uv pip install --system --break-system-packages "Jinja2>=3.1" --safe-chain-logging=verbose'
     );
 
     assert.ok(
@@ -65,7 +68,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install with extras such as requests[socks]`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      'uv pip install --system --break-system-packages "requests[socks]==2.32.3"'
+      'uv pip install --system --break-system-packages "requests[socks]==2.32.3" --safe-chain-logging=verbose'
     );
 
     assert.ok(
@@ -77,7 +80,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install multiple packages`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages requests certifi urllib3"
+      "uv pip install --system --break-system-packages requests certifi urllib3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -94,7 +97,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("echo 'certifi>=2024.0.0' >> requirements.txt");
 
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages -r requirements.txt"
+      "uv pip install --system --break-system-packages -r requirements.txt --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -110,7 +113,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("echo 'requests==2.32.3' > requirements-sync.txt");
 
     const result = await shell.runCommand(
-      "uv pip sync --system --break-system-packages requirements-sync.txt"
+      "uv pip sync --system --break-system-packages requirements-sync.txt --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -149,7 +152,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install from GitHub URL using the CA bundle`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3"
+      "uv pip install --system --break-system-packages git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -169,7 +172,7 @@ describe("E2E: uv coverage", () => {
     const shell = await container.openShell("zsh");
 
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages certifi"
+      "uv pip install --system --break-system-packages certifi --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -196,7 +199,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install from direct HTTPS wheel URL`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl"
+      "uv pip install --system --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -215,11 +218,13 @@ describe("E2E: uv coverage", () => {
     const shell = await container.openShell("zsh");
 
     // First install a package
-    await shell.runCommand("uv pip install --system --break-system-packages requests==2.31.0");
+    await shell.runCommand(
+      "uv pip install --system --break-system-packages requests==2.31.0"
+    );
 
     // Then upgrade it
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages --upgrade requests"
+      "uv pip install --system --break-system-packages --upgrade requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -231,7 +236,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install with --no-deps flag`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages --no-deps requests"
+      "uv pip install --system --break-system-packages --no-deps requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -245,11 +250,15 @@ describe("E2E: uv coverage", () => {
 
     // Create a simple package structure
     await shell.runCommand("mkdir -p /tmp/test-pkg");
-    await shell.runCommand("echo 'from setuptools import setup' > /tmp/test-pkg/setup.py");
+    await shell.runCommand(
-    await shell.runCommand("echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py");
+      "echo 'from setuptools import setup' > /tmp/test-pkg/setup.py"
+    );
+    await shell.runCommand(
+      "echo \"setup(name='test-pkg', version='0.1.0')\" >> /tmp/test-pkg/setup.py"
+    );
 
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages -e /tmp/test-pkg"
+      "uv pip install --system --break-system-packages -e /tmp/test-pkg --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -264,9 +273,7 @@ describe("E2E: uv coverage", () => {
     // Create an input requirements file
     await shell.runCommand("echo 'requests' > requirements.in");
 
-    const result = await shell.runCommand(
+    const result = await shell.runCommand("uv pip compile requirements.in");
-      "uv pip compile requirements.in"
-    );
 
     // uv pip compile doesn't install packages, just resolves dependencies
     // It should complete successfully and output resolved requirements
@@ -279,7 +286,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install with --index-url for alternate registry`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi"
+      "uv pip install --system --break-system-packages --index-url https://test.pypi.org/simple certifi --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -310,7 +317,7 @@ describe("E2E: uv coverage", () => {
   it(`uv pip install with version range constraint`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0"'
+      'uv pip install --system --break-system-packages "requests>=2.31.0,<2.33.0" --safe-chain-logging=verbose'
     );
 
     assert.ok(
@@ -323,7 +330,9 @@ describe("E2E: uv coverage", () => {
     const shell = await container.openShell("zsh");
 
     // Install a package first
-    await shell.runCommand("uv pip install --system --break-system-packages requests");
+    await shell.runCommand(
+      "uv pip install --system --break-system-packages requests"
+    );
 
     // Then list packages - this shouldn't trigger safe-chain scanning
     const result = await shell.runCommand("uv pip list --system");
@@ -340,7 +349,7 @@ describe("E2E: uv coverage", () => {
 
     // Initialize a new uv project and add package in same command
     const result = await shell.runCommand(
-      "uv init test-project && cd test-project && uv add requests"
+      "uv init test-project && cd test-project && uv add requests --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -356,7 +365,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("uv init test-project-version");
 
     const result = await shell.runCommand(
-      "cd test-project-version && uv add requests==2.32.3"
+      "cd test-project-version && uv add requests==2.32.3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -372,7 +381,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("uv init test-project-dev");
 
     const result = await shell.runCommand(
-      "cd test-project-dev && uv add --dev pytest"
+      "cd test-project-dev && uv add --dev pytest --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -388,7 +397,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("uv init test-project-multi");
 
     const result = await shell.runCommand(
-      "cd test-project-multi && uv add requests certifi urllib3"
+      "cd test-project-multi && uv add requests certifi urllib3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -424,20 +433,19 @@ describe("E2E: uv coverage", () => {
   it(`uv tool install installs a global tool`, async () => {
     const shell = await container.openShell("zsh");
     const result = await shell.runCommand(
-      "uv tool install ruff"
+      "uv tool install ruff --safe-chain-logging=verbose"
     );
 
     assert.ok(
-      result.output.includes("no malware found.") || result.output.includes("Installed"),
+      result.output.includes("no malware found.") ||
+        result.output.includes("Installed"),
       `Output did not include expected text. Output was:\n${result.output}`
     );
   });
 
   it(`safe-chain blocks malicious packages via uv tool install`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand(
+    const result = await shell.runCommand("uv tool install safe-chain-pi-test");
-      "uv tool install safe-chain-pi-test"
-    );
 
     assert.ok(
       result.output.includes("blocked 1 malicious package downloads:"),
@@ -453,10 +461,12 @@ describe("E2E: uv coverage", () => {
     const shell = await container.openShell("zsh");
 
     // Create a simple Python script
-    await shell.runCommand("echo 'import requests; print(requests.__version__)' > test_script.py");
+    await shell.runCommand(
+      "echo 'import requests; print(requests.__version__)' > test_script.py"
+    );
 
     const result = await shell.runCommand(
-      "uv run --with requests test_script.py"
+      "uv run --with requests test_script.py --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -486,7 +496,7 @@ describe("E2E: uv coverage", () => {
 
     // Initialize a new uv project, add a dependency, remove venv, and sync in one command chain
     const result = await shell.runCommand(
-      "uv init test-sync-project && cd test-sync-project && uv add requests && rm -rf .venv && uv sync"
+      "uv init test-sync-project && cd test-sync-project && uv add requests --safe-chain-logging=verbose && rm -rf .venv && uv sync --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -502,7 +512,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("uv init test-git-add");
 
     const result = await shell.runCommand(
-      "cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3"
+      "cd test-git-add && uv add git+https://github.com/psf/requests.git@v2.32.3 --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -518,7 +528,7 @@ describe("E2E: uv coverage", () => {
     await shell.runCommand("uv init test-optional");
 
     const result = await shell.runCommand(
-      "cd test-optional && uv add --optional dev pytest"
+      "cd test-optional && uv add --optional dev pytest --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -532,10 +542,12 @@ describe("E2E: uv coverage", () => {
 
     // Create requirements file and script
     await shell.runCommand("echo 'requests' > run_requirements.txt");
-    await shell.runCommand("echo 'import requests; print(requests.__version__)' > run_script.py");
+    await shell.runCommand(
+      "echo 'import requests; print(requests.__version__)' > run_script.py"
+    );
 
     const result = await shell.runCommand(
-      "uv run --with-requirements run_requirements.txt run_script.py"
+      "uv run --with-requirements run_requirements.txt run_script.py --safe-chain-logging=verbose"
     );
 
     assert.ok(
@@ -549,7 +561,7 @@ describe("E2E: uv coverage", () => {
 
     // Initialize project with optional dependency and sync in one command chain
     const result = await shell.runCommand(
-      "uv init test-extras && cd test-extras && uv add --optional dev pytest && uv sync --all-extras"
+      "uv init test-extras && cd test-extras && uv add --optional dev pytest --safe-chain-logging=verbose && uv sync --all-extras"
     );
 
     assert.ok(
@@ -558,4 +570,3 @@ describe("E2E: uv coverage", () => {
     );
   });
 });
-

test/e2e/yarn-ci.e2e.spec.js

@@ -33,7 +33,9 @@ describe("E2E: yarn coverage", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("yarn add axios");
+    const result = await shell.runCommand(
+      "yarn add axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),

test/e2e/yarn.e2e.spec.js

@@ -28,7 +28,9 @@ describe("E2E: yarn coverage", () => {
 
   it(`safe-chain succesfully installs safe packages`, async () => {
     const shell = await container.openShell("zsh");
-    const result = await shell.runCommand("yarn add axios");
+    const result = await shell.runCommand(
+      "yarn add axios --safe-chain-logging=verbose"
+    );
 
     assert.ok(
       result.output.includes("no malware found."),