Scaffold safe-chain-bun setup command

.github/workflows/build-and-release.yml

@@ -27,8 +27,10 @@ jobs:
           version="${{ github.ref_name }}"
           echo "tag=$version" >> $GITHUB_OUTPUT
 
-      - name: Set the version in safe-chain package
-        run: npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }} --workspace=packages/safe-chain
+      - name: Set the version in both packages
+        run: |
+          npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }} --workspace=packages/safe-chain
+          npm --no-git-tag-version version ${{ steps.get_version.outputs.tag }} --workspace=packages/safe-chain-bun
 
       - name: Install dependencies
         run: npm ci
@@ -42,9 +44,24 @@ jobs:
           cp LICENSE packages/safe-chain/
           cp -r docs packages/safe-chain/
 
-      - name: Publish to npm
+      - name: Publish safe-chain to npm
         run: |
-          echo "Publishing version ${{ steps.get_version.outputs.tag }} to NPM"
+          echo "Publishing safe-chain version ${{ steps.get_version.outputs.tag }} to NPM"
           npm publish --workspace=packages/safe-chain --access public
         env:
           NPM_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+
+      - name: Update safe-chain-bun dependency for publishing
+        run: |
+          # During development, safe-chain-bun uses "file:../safe-chain" to depend on the local package
+          # This works great for local development but breaks when published to npm registry
+          # We need to replace it with the actual version number so users can install from npm
+          # Changes: "@aikidosec/safe-chain": "file:../safe-chain" → "@aikidosec/safe-chain": "1.0.0"
+          sed -i 's/"@aikidosec\/safe-chain": "file:..\/safe-chain"/"@aikidosec\/safe-chain": "${{ steps.get_version.outputs.tag }}"/g' packages/safe-chain-bun/package.json
+
+      - name: Publish safe-chain-bun to npm
+        run: |
+          echo "Publishing safe-chain-bun version ${{ steps.get_version.outputs.tag }} to NPM"
+          npm publish --workspace=packages/safe-chain-bun --access public
+        env:
+          NPM_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/test-on-pr.yml

@@ -26,14 +26,16 @@ jobs:
       - name: Run ESLint
         run: npm run lint
 
-      - name: Create package tarball
-        run: npm pack --workspace=packages/safe-chain
+      - name: Create package tarballs
+        run: |
+          npm pack --workspace=packages/safe-chain
+          npm pack --workspace=packages/safe-chain-bun
 
-      - name: Upload package tarball
+      - name: Upload package tarballs
         uses: actions/upload-artifact@v4
         with:
-          name: safe-chain-package
-          path: aikidosec-safe-chain-*.tgz
+          name: safe-chain-packages
+          path: aikidosec-*.tgz
 
   e2e-tests:
     name: Run E2E tests

packages/safe-chain-bun/bin/safe-chain-bun.js

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+
+// Placeholder for setup function - will be implemented in next step
+function setup(configFile) {
+  console.log("Setup functionality coming soon...");
+  console.log("Target config file:", configFile || "~/.bunfig.toml");
+}
+
+if (process.argv.length < 3) {
+  console.error("No command provided. Please provide a command to execute.");
+  console.log();
+  writeHelp();
+  process.exit(1);
+}
+
+const command = process.argv[2];
+
+if (command === "help" || command === "--help" || command === "-h") {
+  writeHelp();
+  process.exit(0);
+}
+
+if (command === "setup") {
+  const configFile = process.argv[3];
+  setup(configFile);
+} else {
+  console.error(`Unknown command: ${command}.`);
+  console.log();
+  writeHelp();
+  process.exit(1);
+}
+
+function writeHelp() {
+  console.log("Usage: safe-chain-bun <command>");
+  console.log();
+  console.log("Available commands: setup, help");
+  console.log();
+  console.log("- safe-chain-bun setup: Register Safe-Chain-Bun as a security scanner in ~/.bunfig.toml");
+  console.log("- safe-chain-bun setup <file>: Register Safe-Chain-Bun as a security scanner in specified bunfig.toml file");
+  console.log();
+}

packages/safe-chain-bun/package.json

@@ -3,6 +3,9 @@
   "version": "1.0.0",
   "type": "module",
   "main": "src/index.js",
+  "bin": {
+    "safe-chain-bun": "bin/safe-chain-bun.js"
+  },
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'"
   },
@@ -12,7 +15,13 @@
       "default": "./src/index.js"
     }
   },
-  "keywords": ["bun", "security", "scanner", "malware", "aikido"],
+  "keywords": [
+    "bun",
+    "security",
+    "scanner",
+    "malware",
+    "aikido"
+  ],
   "author": "Aikido Security",
   "license": "AGPL-3.0-or-later",
   "description": "Aikido Security Scanner for Bun package manager - detects malware and security threats during package installation",
@@ -27,4 +36,4 @@
   "peerDependencies": {
     "bun": ">=1.2.21"
   }
-}
+}