milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into rama-integration-beta

Browse source
This commit is contained in:
Sander Declerck 2026-05-04 12:40:20 +02:00
commit 64a825f43a
No known key found for this signature in database
130 changed files with 6144 additions and 2494 deletions
Download patch file Download diff file Expand all files Collapse all files

133
install-scripts/install-endpoint-mac.sh Executable file
View file

@ -0,0 +1,133 @@
#!/bin/sh
# Downloads and installs Aikido Endpoint Protection on macOS
#
# Usage: curl -fsSL <url> | sudo sh -s -- --token <TOKEN>
set -e # Exit on error
# Configuration
INSTALL_URL="https://github.com/AikidoSec/safechain-internals/releases/download/v1.2.23/EndpointProtection.pkg"
DOWNLOAD_SHA256="9af1e0f72e53516c888ade1753ed03f087c1def89244eb0afb60e1f11e8e87e2"
TOKEN_FILE="/tmp/aikido_endpoint_token.txt"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
# Helper functions
info() {
printf "${GREEN}[INFO]${NC} %s\n" "$1"
}
error() {
printf "${RED}[ERROR]${NC} %s\n" "$1" >&2
exit 1
}
# Download file
download() {
url="$1"
dest="$2"
if command -v curl >/dev/null 2>&1; then
curl -fsSL "$url" -o "$dest" || error "Failed to download from $url"
elif command -v wget >/dev/null 2>&1; then
wget -q "$url" -O "$dest" || error "Failed to download from $url"
else
error "Neither curl nor wget found. Please install one of them."
fi
}
# Verify SHA256 checksum
verify_checksum() {
file="$1"
expected="$2"
actual=$(shasum -a 256 "$file" | awk '{ print $1 }')
if [ "$actual" != "$expected" ]; then
error "Checksum verification failed. Expected: $expected, Got: $actual"
fi
info "Checksum verified successfully."
}
# Cleanup temporary files
cleanup() {
if [ -f "$PKG_FILE" ]; then
rm -f "$PKG_FILE"
fi
if [ -f "$TOKEN_FILE" ]; then
rm -f "$TOKEN_FILE"
fi
}
# Parse command-line arguments
parse_arguments() {
TOKEN=""
while [ $# -gt 0 ]; do
case "$1" in
--token)
if [ -z "${2:-}" ]; then
error "--token requires a value"
fi
TOKEN="$2"
shift 2
;;
*)
error "Unknown argument: $1"
;;
esac
done
}
# Main installation
main() {
parse_arguments "$@"
# 1. Check if we're running on macOS
if [ "$(uname -s)" != "Darwin" ]; then
error "This script is only supported on macOS."
fi
# Check if we're running as root
if [ "$(id -u)" -ne 0 ]; then
error "Root privileges required. Please re-run with sudo, e.g.: curl -fsSL <url> | sudo sh -s -- --token <TOKEN>"
fi
# Check if token is provided via command argument
if [ -z "$TOKEN" ]; then
error "Token is required. Pass it with --token <TOKEN> or enter it when prompted."
fi
# Validate token to prevent injection
case "$TOKEN" in
*[\"\'\;\`\$\ ]*)
error "Invalid token format. Token must not contain quotes, semicolons, backticks, dollar signs, or whitespace."
;;
esac
# 2. Download and verify checksum
PKG_FILE=$(mktemp /tmp/AikidoEndpoint.XXXXXX.pkg)
trap cleanup EXIT
info "Downloading Aikido Endpoint Protection..."
download "$INSTALL_URL" "$PKG_FILE"
info "Verifying checksum..."
verify_checksum "$PKG_FILE" "$DOWNLOAD_SHA256"
# 3. Write token to file for the installer
printf "%s" "$TOKEN" > "$TOKEN_FILE"
# 4. Install the package
info "Installing Aikido Endpoint Protection..."
installer -pkg "$PKG_FILE" -target /
info "Aikido Endpoint Protection installed successfully!"
}
main "$@"

100
install-scripts/install-endpoint-windows.ps1 Normal file
View file

@ -0,0 +1,100 @@
# Downloads and installs Aikido Endpoint Protection on Windows
#
# Usage: iex "& { $(iwr '<url>' -UseBasicParsing) } -token <TOKEN>"
param(
[string]$token
)
# Configuration
$InstallUrl = "https://github.com/AikidoSec/safechain-internals/releases/download/v1.2.23/EndpointProtection.msi"
$DownloadSha256 = "3327d35db6654d12dbd7c5ccec0645edb0277f71dcd993ba9733e266bbd235f8"
# Ensure TLS 1.2 is enabled for downloads
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Helper functions
function Write-Info {
param([string]$Message)
Write-Host "[INFO] $Message" -ForegroundColor Green
}
function Write-Error-Custom {
param([string]$Message)
Write-Host "[ERROR] $Message" -ForegroundColor Red
exit 1
}
# Check if running as Administrator
function Test-Administrator {
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
# Main installation
function Install-Endpoint {
# 1. Check if we're running as Administrator
if (-not (Test-Administrator)) {
Write-Error-Custom "Administrator privileges required. Please run this script in an elevated terminal (Run as Administrator)."
}
# Check if token is provided, prompt if not
if ([string]::IsNullOrWhiteSpace($token)) {
$token = Read-Host "Enter your Aikido endpoint token"
if ([string]::IsNullOrWhiteSpace($token)) {
Write-Error-Custom "Token is required. Pass it with -token <TOKEN> or enter it when prompted."
}
}
# Validate token to prevent command/property injection via msiexec
if ($token -match '[";`$\s]') {
Write-Error-Custom "Invalid token format. Token must not contain quotes, semicolons, backticks, dollar signs, or whitespace."
}
# 2. Download the .msi
$msiFile = Join-Path $env:TEMP "AikidoEndpoint-$([System.Guid]::NewGuid().ToString('N')).msi"
Write-Info "Downloading Aikido Endpoint Protection..."
try {
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri $InstallUrl -OutFile $msiFile -UseBasicParsing
$ProgressPreference = 'Continue'
}
catch {
Write-Error-Custom "Failed to download from $InstallUrl : $_"
}
try {
# Verify SHA256 checksum
Write-Info "Verifying checksum..."
$actualHash = (Get-FileHash -Path $msiFile -Algorithm SHA256).Hash.ToLower()
if ($actualHash -ne $DownloadSha256) {
Write-Error-Custom "Checksum verification failed. Expected: $DownloadSha256, Got: $actualHash"
}
Write-Info "Checksum verified successfully."
# 3. Install the package with token passed as MSI property
Write-Info "Installing Aikido Endpoint Protection..."
$process = Start-Process -FilePath "msiexec" -ArgumentList "/i", "`"$msiFile`"", "/qn", "/norestart", "AIKIDO_TOKEN=$token" -Wait -PassThru
if ($process.ExitCode -ne 0) {
Write-Error-Custom "MSI installer failed (exit code: $($process.ExitCode))."
}
Write-Info "Aikido Endpoint Protection installed successfully!"
}
finally {
# Cleanup
if (Test-Path $msiFile) {
Remove-Item -Path $msiFile -Force -ErrorAction SilentlyContinue
}
}
}
# Run installation
try {
Install-Endpoint
}
catch {
Write-Error-Custom "Installation failed: $_"
}

140
install-scripts/install-safe-chain.ps1
View file

@ -4,11 +4,52 @@
param(
[switch]$ci,
[switch]$includepython
[switch]$includepython,
[string]$InstallDir
)
# Validates and normalizes the requested install directory.
# Rejects non-absolute, root, PATH-like, and traversal-containing paths.
function Test-InstallDir {
param([string]$Dir)
if ([string]::IsNullOrWhiteSpace($Dir)) {
return @{ Ok = $true; Normalized = $null }
}
if (-not [System.IO.Path]::IsPathRooted($Dir)) {
return @{ Ok = $false; Reason = "-InstallDir must be an absolute path, got: $Dir" }
}
if ($Dir.Contains([System.IO.Path]::PathSeparator)) {
return @{ Ok = $false; Reason = "-InstallDir must not contain the PATH separator ($([System.IO.Path]::PathSeparator))" }
}
$inputSegments = $Dir.Split([char[]]@('\', '/'), [System.StringSplitOptions]::RemoveEmptyEntries)
if ($inputSegments -contains "..") {
return @{ Ok = $false; Reason = "-InstallDir must not contain path traversal segments" }
}
$normalized = [System.IO.Path]::GetFullPath($Dir)
$root = [System.IO.Path]::GetPathRoot($normalized)
if ($normalized.TrimEnd('\', '/') -eq $root.TrimEnd('\', '/')) {
return @{ Ok = $false; Reason = "-InstallDir cannot be a root or drive-root directory" }
}
return @{ Ok = $true; Normalized = $normalized }
}
$Version = $env:SAFE_CHAIN_VERSION # Will be fetched from latest release if not set
$InstallDir = Join-Path $env:USERPROFILE ".safe-chain\bin"
$SafeChainBase = if ($InstallDir) { $InstallDir } else { Join-Path $HOME ".safe-chain" }
$installDirValidation = Test-InstallDir -Dir $SafeChainBase
if (-not $installDirValidation.Ok) {
Write-Host "[ERROR] $($installDirValidation.Reason)" -ForegroundColor Red
exit 1
}
$SafeChainBase = $installDirValidation.Normalized
$InstallDir = Join-Path $SafeChainBase "bin"
$RepoUrl = "https://github.com/AikidoSec/safe-chain"
# Ensure TLS 1.2 is enabled for downloads
@ -98,6 +139,59 @@ function Get-Architecture {
}
}
# Emits the deprecation warning for SAFE_CHAIN_VERSION and prints the version-pinned install command.
# Returns immediately when no version was provided through the environment.
function Write-VersionDeprecationWarning {
if ([string]::IsNullOrWhiteSpace($env:SAFE_CHAIN_VERSION)) {
return
}
Write-Warn "SAFE_CHAIN_VERSION environment variable is deprecated."
Write-Warn ""
Write-Warn "Please use direct download URLs for version pinning instead:"
Write-Warn ""
if ($ci) {
Write-Warn " iex `"& { `$(iwr 'https://github.com/AikidoSec/safe-chain/releases/download/$env:SAFE_CHAIN_VERSION/install-safe-chain.ps1' -UseBasicParsing) } -ci`""
} else {
Write-Warn " iex (iwr `"https://github.com/AikidoSec/safe-chain/releases/download/$env:SAFE_CHAIN_VERSION/install-safe-chain.ps1`" -UseBasicParsing)"
}
Write-Warn ""
}
# Builds the Windows release binary filename for the detected architecture.
# Centralizes binary name generation for the download step.
function Get-BinaryName {
param([string]$Architecture)
return "safe-chain-win-$Architecture.exe"
}
# Runs safe-chain setup or setup-ci after the binary is installed.
# Temporarily appends the install directory to PATH and downgrades setup failures to warnings.
function Invoke-SafeChainSetup {
param(
[string]$BinaryPath,
[string]$InstallDirectory
)
$setupCmd = if ($ci) { "setup-ci" } else { "setup" }
Write-Info "Running safe-chain $setupCmd..."
try {
$env:Path = "$env:Path;$InstallDirectory"
& $BinaryPath $setupCmd
if ($LASTEXITCODE -ne 0) {
Write-Warn "safe-chain was installed but setup encountered issues."
Write-Warn "You can run 'safe-chain $setupCmd' manually later."
}
}
catch {
Write-Warn "safe-chain was installed but setup encountered issues: $_"
Write-Warn "You can run 'safe-chain $setupCmd' manually later."
}
}
# Check and uninstall npm global package if present
function Remove-NpmInstallation {
# Check if npm is available
@ -149,19 +243,7 @@ function Remove-VoltaInstallation {
# Main installation
function Install-SafeChain {
# Show deprecation warning if SAFE_CHAIN_VERSION is set
if (-not [string]::IsNullOrWhiteSpace($env:SAFE_CHAIN_VERSION)) {
Write-Warn "SAFE_CHAIN_VERSION environment variable is deprecated."
Write-Warn ""
Write-Warn "Please use direct download URLs for version pinning instead:"
Write-Warn ""
if ($ci) {
Write-Warn " iex `"& { `$(iwr 'https://github.com/AikidoSec/safe-chain/releases/download/$env:SAFE_CHAIN_VERSION/install-safe-chain.ps1' -UseBasicParsing) } -ci`""
} else {
Write-Warn " iex (iwr `"https://github.com/AikidoSec/safe-chain/releases/download/$env:SAFE_CHAIN_VERSION/install-safe-chain.ps1`" -UseBasicParsing)"
}
Write-Warn ""
}
Write-VersionDeprecationWarning
# Fetch latest version if VERSION is not set
if ([string]::IsNullOrWhiteSpace($Version)) {
@ -192,7 +274,7 @@ function Install-SafeChain {
# Detect platform
$arch = Get-Architecture
$binaryName = "safe-chain-win-$arch.exe"
$binaryName = Get-BinaryName -Architecture $arch
Write-Info "Detected architecture: $arch"
@ -238,31 +320,7 @@ function Install-SafeChain {
Write-Info "Binary installed to: $finalFile"
# Build setup command based on parameters
$setupCmd = if ($ci) { "setup-ci" } else { "setup" }
$setupArgs = @()
# Execute safe-chain setup
Write-Info "Running safe-chain $setupCmd $(if ($setupArgs) { $setupArgs -join ' ' })..."
try {
$env:Path = "$env:Path;$InstallDir"
if ($setupArgs) {
& $finalFile $setupCmd $setupArgs
}
else {
& $finalFile $setupCmd
}
if ($LASTEXITCODE -ne 0) {
Write-Warn "safe-chain was installed but setup encountered issues."
Write-Warn "You can run 'safe-chain $setupCmd $(if ($setupArgs) { $setupArgs -join ' ' })' manually later."
}
}
catch {
Write-Warn "safe-chain was installed but setup encountered issues: $_"
Write-Warn "You can run 'safe-chain $setupCmd $(if ($setupArgs) { $setupArgs -join ' ' })' manually later."
}
Invoke-SafeChainSetup -BinaryPath $finalFile -InstallDirectory $InstallDir
}
# Run installation

188
install-scripts/install-safe-chain.sh
View file

@ -6,9 +6,53 @@
set -e # Exit on error
# Validates a user-provided install dir and exits on unsafe values.
# Rejects relative paths, root paths, PATH separators, and traversal segments.
validate_install_dir() {
dir="$1"
if [ -z "$dir" ]; then
return 0
fi
case "$dir" in
/*) ;;
*)
printf '[ERROR] --install-dir must be an absolute path, got: %s\n' "$dir" >&2
exit 1
;;
esac
case "$dir" in
*:*)
printf '[ERROR] --install-dir must not contain the PATH separator (:)\n' >&2
exit 1
;;
esac
if [ "$dir" = "/" ]; then
printf '[ERROR] --install-dir cannot be a root or drive-root directory\n' >&2
exit 1
fi
old_ifs=$IFS
IFS='/'
set -- $dir
IFS=$old_ifs
for segment in "$@"; do
if [ "$segment" = ".." ]; then
printf '[ERROR] --install-dir must not contain path traversal segments\n' >&2
exit 1
fi
done
}
# Configuration
VERSION="${SAFE_CHAIN_VERSION:-}" # Will be fetched from latest release if not set
INSTALL_DIR="${HOME}/.safe-chain/bin"
SAFE_CHAIN_BASE="${HOME}/.safe-chain"
INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
REPO_URL="https://github.com/AikidoSec/safe-chain"
# Colors for output
@ -126,6 +170,75 @@ download() {
fi
}
# Prints the deprecation warning for SAFE_CHAIN_VERSION and the replacement install command.
# Returns immediately when no version was pinned through the environment.
warn_deprecated_version_env() {
if [ -z "$SAFE_CHAIN_VERSION" ]; then
return
fi
warn "SAFE_CHAIN_VERSION environment variable is deprecated."
warn ""
warn "Please use direct download URLs for version pinning instead:"
warn ""
if [ "$USE_CI_SETUP" = "true" ]; then
warn " curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh -s -- --ci"
else
warn " curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh"
fi
warn ""
}
# Ensures VERSION is populated before installation continues.
# Fetches the latest release only when no explicit version was provided.
ensure_version() {
if [ -n "$VERSION" ]; then
return
fi
info "Fetching latest release version..."
VERSION=$(fetch_latest_version)
}
# Constructs platform-specific binary filename to match GitHub release asset naming convention.
get_binary_name() {
os="$1"
arch="$2"
if [ "$os" = "win" ]; then
printf 'safe-chain-%s-%s.exe\n' "$os" "$arch"
else
printf 'safe-chain-%s-%s\n' "$os" "$arch"
fi
}
# Returns the final installation path for the downloaded safe-chain binary.
# Uses INSTALL_DIR and the platform-specific executable name.
get_final_binary_path() {
os="$1"
if [ "$os" = "win" ]; then
printf '%s/safe-chain.exe\n' "$INSTALL_DIR"
else
printf '%s/safe-chain\n' "$INSTALL_DIR"
fi
}
run_setup_command() {
final_file="$1"
setup_cmd="setup"
if [ "$USE_CI_SETUP" = "true" ]; then
setup_cmd="setup-ci"
fi
info "Running safe-chain $setup_cmd..."
if ! "$final_file" "$setup_cmd"; then
warn "safe-chain was installed but setup encountered issues."
warn "You can run 'safe-chain $setup_cmd' manually later."
fi
}
# Check and uninstall npm global package if present
remove_npm_installation() {
if ! command_exists npm; then
@ -229,11 +342,27 @@ remove_nvm_installation() {
# Parse command-line arguments
parse_arguments() {
for arg in "$@"; do
case "$arg" in
while [ $# -gt 0 ]; do
case "$1" in
--ci)
USE_CI_SETUP=true
;;
--install-dir)
shift
if [ $# -eq 0 ]; then
error "Missing value for --install-dir"
fi
if [ -z "$1" ]; then
error "--install-dir must not be empty"
fi
SAFE_CHAIN_BASE="$1"
;;
--install-dir=*)
SAFE_CHAIN_BASE="${1#--install-dir=}"
if [ -z "$SAFE_CHAIN_BASE" ]; then
error "--install-dir must not be empty"
fi
;;
--include-python)
warn "--include-python is deprecated and ignored. Python ecosystem is now included by default."
;;
@ -241,10 +370,14 @@ parse_arguments() {
USE_RAMA_PROXY=true
;;
*)
error "Unknown argument: $arg"
error "Unknown argument: $1"
;;
esac
shift
done
validate_install_dir "${SAFE_CHAIN_BASE}"
INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
}
# Main installation
@ -256,25 +389,9 @@ main() {
# Parse command-line arguments
parse_arguments "$@"
# Show deprecation warning if SAFE_CHAIN_VERSION is set
if [ -n "$SAFE_CHAIN_VERSION" ]; then
warn "SAFE_CHAIN_VERSION environment variable is deprecated."
warn ""
warn "Please use direct download URLs for version pinning instead:"
warn ""
if [ "$USE_CI_SETUP" = "true" ]; then
warn " curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh -s -- --ci"
else
warn " curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/${SAFE_CHAIN_VERSION}/install-safe-chain.sh | sh"
fi
warn ""
fi
warn_deprecated_version_env
# Fetch latest version if VERSION is not set
if [ -z "$VERSION" ]; then
info "Fetching latest release version..."
VERSION=$(fetch_latest_version)
fi
ensure_version
# Check if the requested version is already installed
if is_version_installed "$VERSION"; then
@ -298,11 +415,7 @@ main() {
# Detect platform
OS=$(detect_os)
ARCH=$(detect_arch)
if [ "$OS" = "win" ]; then
BINARY_NAME="safe-chain-${OS}-${ARCH}.exe"
else
BINARY_NAME="safe-chain-${OS}-${ARCH}"
fi
BINARY_NAME=$(get_binary_name "$OS" "$ARCH")
info "Detected platform: ${OS}-${ARCH}"
@ -320,11 +433,7 @@ main() {
download "$DOWNLOAD_URL" "$TEMP_FILE"
# Rename and make executable
if [ "$OS" = "win" ]; then
FINAL_FILE="${INSTALL_DIR}/safe-chain.exe"
else
FINAL_FILE="${INSTALL_DIR}/safe-chain"
fi
FINAL_FILE=$(get_final_binary_path "$OS")
mv "$TEMP_FILE" "$FINAL_FILE" || error "Failed to move binary to $FINAL_FILE"
if [ "$OS" != "win" ]; then
chmod +x "$FINAL_FILE" || error "Failed to make binary executable"
@ -359,20 +468,7 @@ main() {
fi
fi
# Build setup command based on arguments
SETUP_CMD="setup"
SETUP_ARGS=""
if [ "$USE_CI_SETUP" = "true" ]; then
SETUP_CMD="setup-ci"
fi
# Execute safe-chain setup
info "Running safe-chain $SETUP_CMD $SETUP_ARGS..."
if ! "$FINAL_FILE" $SETUP_CMD $SETUP_ARGS; then
warn "safe-chain was installed but setup encountered issues."
warn "You can run 'safe-chain $SETUP_CMD $SETUP_ARGS' manually later."
fi
run_setup_command "$FINAL_FILE"
}
main "$@"

50
install-scripts/uninstall-endpoint-mac.sh Executable file
View file

@ -0,0 +1,50 @@
#!/bin/sh
# Uninstalls Aikido Endpoint Protection on macOS
#
# Usage: curl -fsSL <url> | sudo sh
set -e # Exit on error
# Configuration
UNINSTALL_SCRIPT="/Applications/Aikido Endpoint Protection.app/Contents/Resources/scripts/uninstall"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
# Helper functions
info() {
printf "${GREEN}[INFO]${NC} %s\n" "$1"
}
error() {
printf "${RED}[ERROR]${NC} %s\n" "$1" >&2
exit 1
}
# Main uninstallation
main() {
# Check if we're running on macOS
if [ "$(uname -s)" != "Darwin" ]; then
error "This script is only supported on macOS."
fi
# Check if we're running as root
if [ "$(id -u)" -ne 0 ]; then
error "Root privileges required. Please re-run with sudo, e.g.: curl -fsSL <url> | sudo sh"
fi
# Check if the uninstall script exists
if [ ! -f "$UNINSTALL_SCRIPT" ]; then
error "Aikido Endpoint Protection does not appear to be installed (uninstall script not found)."
fi
info "Uninstalling Aikido Endpoint Protection..."
"$UNINSTALL_SCRIPT"
info "Aikido Endpoint Protection uninstalled successfully!"
}
main "$@"

59
install-scripts/uninstall-endpoint-windows.ps1 Normal file
View file

@ -0,0 +1,59 @@
# Uninstalls Aikido Endpoint Protection endpoint on Windows
#
# Usage: iex (iwr '<url>' -UseBasicParsing)
# Configuration
$AppName = "Aikido Endpoint Protection"
# Helper functions
function Write-Info {
param([string]$Message)
Write-Host "[INFO] $Message" -ForegroundColor Green
}
function Write-Error-Custom {
param([string]$Message)
Write-Host "[ERROR] $Message" -ForegroundColor Red
exit 1
}
# Check if running as Administrator
function Test-Administrator {
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
# Main uninstallation
function Uninstall-Endpoint {
# Check if we're running as Administrator
if (-not (Test-Administrator)) {
Write-Error-Custom "Administrator privileges required. Please run this script in an elevated terminal (Run as Administrator)."
}
# Find the installed product
Write-Info "Looking for Aikido Endpoint Protection installation..."
$app = Get-WmiObject -Class Win32_Product -Filter "Name='$AppName'"
if (-not $app) {
Write-Error-Custom "Aikido Endpoint Protection does not appear to be installed."
}
$productCode = $app.IdentifyingNumber
Write-Info "Uninstalling Aikido Endpoint Protection..."
$process = Start-Process -FilePath "msiexec" -ArgumentList "/x", $productCode, "/qn", "/norestart" -Wait -PassThru
if ($process.ExitCode -ne 0) {
Write-Error-Custom "Uninstall failed (exit code: $($process.ExitCode))."
}
Write-Info "Aikido Endpoint Protection uninstalled successfully!"
}
# Run uninstallation
try {
Uninstall-Endpoint
}
catch {
Write-Error-Custom "Uninstallation failed: $_"
}

214
install-scripts/uninstall-safe-chain.ps1
View file

@ -4,7 +4,6 @@
# Use HOME on Unix, USERPROFILE on Windows (PowerShell Core is cross-platform)
$HomeDir = if ($env:HOME) { $env:HOME } else { $env:USERPROFILE }
$InstallDir = Join-Path $HomeDir ".safe-chain/bin"
# Helper functions
function Write-Info {
@ -23,6 +22,146 @@ function Write-Error-Custom {
exit 1
}
# Derives the safe-chain base install directory from a resolved binary path.
# Rejects wrapper scripts and paths that do not match the packaged bin layout.
function Get-InstallDirFromBinaryPath {
param([string]$BinaryPath)
if ([string]::IsNullOrWhiteSpace($BinaryPath)) {
return $null
}
try {
$resolvedPath = (Resolve-Path -LiteralPath $BinaryPath -ErrorAction Stop).Path
}
catch {
$resolvedPath = [System.IO.Path]::GetFullPath($BinaryPath)
}
$fileName = [System.IO.Path]::GetFileName($resolvedPath)
if (($fileName -ne "safe-chain") -and ($fileName -ne "safe-chain.exe")) {
return $null
}
if ($resolvedPath -match '\.(js|cjs|mjs|cmd|ps1)$') {
return $null
}
$binDir = Split-Path -Parent $resolvedPath
if ((Split-Path -Leaf $binDir) -ne "bin") {
return $null
}
return (Split-Path -Parent $binDir)
}
# Returns the first safe-chain command found on PATH, if any.
# Used as the starting point for install-dir discovery.
function Get-SafeChainCommand {
return Get-Command safe-chain -ErrorAction SilentlyContinue | Select-Object -First 1
}
# Returns the safe-chain command path only when it points to a valid packaged binary install.
# Prevents teardown from invoking arbitrary wrappers or scripts from PATH.
function Get-ValidatedSafeChainCommandPath {
$command = Get-SafeChainCommand
if (-not $command -or [string]::IsNullOrWhiteSpace($command.Path)) {
return $null
}
$installDir = Get-InstallDirFromBinaryPath -BinaryPath $command.Path
if (-not $installDir) {
return $null
}
return $command.Path
}
# Invokes the validated safe-chain binary with get-install-dir and returns the reported base directory.
# Safely returns $null when the command is unavailable or the lookup fails.
function Get-ReportedInstallDir {
$safeChainPath = Get-ValidatedSafeChainCommandPath
if (-not $safeChainPath) {
return $null
}
try {
$reportedInstallDir = & $safeChainPath get-install-dir 2>$null | Select-Object -First 1
if ($reportedInstallDir) {
$reportedInstallDir = $reportedInstallDir.Trim()
}
if ($reportedInstallDir) {
return $reportedInstallDir
}
}
catch {
return $null
}
return $null
}
# Determines the safe-chain base install directory for uninstall.
# Prefers the binary-reported location, then derives it from PATH, then falls back to the default home-dir layout.
function Get-SafeChainInstallDir {
$reportedInstallDir = Get-ReportedInstallDir
if ($reportedInstallDir) {
return $reportedInstallDir
}
$command = Get-SafeChainCommand
if ($command -and $command.Path) {
$discoveredInstallDir = Get-InstallDirFromBinaryPath -BinaryPath $command.Path
if ($discoveredInstallDir) {
return $discoveredInstallDir
}
}
return (Join-Path $HomeDir ".safe-chain")
}
# Finds the installed safe-chain binary inside the resolved install directory.
# Falls back to a validated safe-chain command when the expected file is missing.
function Find-SafeChainBinary {
param([string]$DotSafeChain)
$safeChainExe = Join-Path $DotSafeChain "bin/safe-chain.exe"
$safeChainBin = Join-Path $DotSafeChain "bin/safe-chain"
if (Test-Path $safeChainExe) {
return $safeChainExe
}
if (Test-Path $safeChainBin) {
return $safeChainBin
}
return Get-ValidatedSafeChainCommandPath
}
# Runs safe-chain teardown before removing the installation directory.
# Converts teardown failures into warnings so uninstall can still complete.
function Invoke-SafeChainTeardown {
param([string]$SafeChainPath)
if (-not $SafeChainPath) {
Write-Warn "safe-chain command not found. Proceeding with uninstallation."
return
}
Write-Info "Running safe-chain teardown..."
try {
& $SafeChainPath teardown
if ($LASTEXITCODE -ne 0) {
Write-Warn "safe-chain teardown encountered issues, continuing with uninstallation..."
}
}
catch {
Write-Warn "safe-chain teardown encountered issues: $_"
Write-Warn "Continuing with uninstallation..."
}
}
# Check and uninstall npm global package if present
function Remove-NpmInstallation {
# Check if npm is available
@ -75,82 +214,27 @@ function Remove-VoltaInstallation {
# Main uninstallation
function Uninstall-SafeChain {
Write-Info "Uninstalling safe-chain..."
# Run teardown if safe-chain is available
# Check for both safe-chain.exe (Windows) and safe-chain (Unix) since PowerShell Core runs on all platforms
$safeChainExe = Join-Path $InstallDir "safe-chain.exe"
$safeChainBin = Join-Path $InstallDir "safe-chain"
$safeChainPath = $null
if (Test-Path $safeChainExe) {
$safeChainPath = $safeChainExe
}
elseif (Test-Path $safeChainBin) {
$safeChainPath = $safeChainBin
}
if ($safeChainPath) {
Write-Info "Running safe-chain teardown..."
try {
& $safeChainPath teardown
if ($LASTEXITCODE -ne 0) {
Write-Warn "safe-chain teardown encountered issues, continuing with uninstallation..."
}
}
catch {
Write-Warn "safe-chain teardown encountered issues: $_"
Write-Warn "Continuing with uninstallation..."
}
}
elseif (Get-Command safe-chain -ErrorAction SilentlyContinue) {
Write-Info "Running safe-chain teardown..."
try {
safe-chain teardown
if ($LASTEXITCODE -ne 0) {
Write-Warn "safe-chain teardown encountered issues, continuing with uninstallation..."
}
}
catch {
Write-Warn "safe-chain teardown encountered issues: $_"
Write-Warn "Continuing with uninstallation..."
}
}
else {
Write-Warn "safe-chain command not found. Proceeding with uninstallation."
}
$DotSafeChain = Get-SafeChainInstallDir
$safeChainPath = Find-SafeChainBinary -DotSafeChain $DotSafeChain
Invoke-SafeChainTeardown -SafeChainPath $safeChainPath
# Remove npm and Volta installations
Remove-NpmInstallation
Remove-VoltaInstallation
# Remove installation directory
if (Test-Path $InstallDir) {
Write-Info "Removing installation directory: $InstallDir"
# Remove .safe-chain directory
if (Test-Path $DotSafeChain) {
Write-Info "Removing installation directory: $DotSafeChain"
try {
Remove-Item -Path $InstallDir -Recurse -Force
Remove-Item -Path $DotSafeChain -Recurse -Force
Write-Info "Successfully removed installation directory"
}
catch {
Write-Error-Custom "Failed to remove $InstallDir : $_"
Write-Error-Custom "Failed to remove $DotSafeChain : $_"
}
}
else {
Write-Info "Installation directory $InstallDir does not exist. Nothing to remove."
}
# Also try to remove the parent .safe-chain directory if it's empty
$parentDir = Split-Path $InstallDir -Parent
if (Test-Path $parentDir) {
$items = Get-ChildItem -Path $parentDir -Force
if ($items.Count -eq 0) {
Write-Info "Removing empty parent directory: $parentDir"
try {
Remove-Item -Path $parentDir -Force
}
catch {
Write-Warn "Could not remove empty parent directory: $_"
}
}
Write-Info "Installation directory $DotSafeChain does not exist. Nothing to remove."
}
Write-Info "safe-chain has been uninstalled successfully!"

176
install-scripts/uninstall-safe-chain.sh
View file

@ -7,7 +7,6 @@
set -e # Exit on error
# Configuration
INSTALL_DIR="${HOME}/.safe-chain/bin"
# Colors for output
RED='\033[0;31m'
@ -34,6 +33,159 @@ command_exists() {
command -v "$1" >/dev/null 2>&1
}
# Resolves a path to its canonical filesystem location when possible.
# Follows symlinks so binary validation can inspect the real installed path.
resolve_path() {
target="$1"
while [ -L "$target" ]; do
link_target=$(readlink "$target" 2>/dev/null || echo "")
if [ -z "$link_target" ]; then
break
fi
case "$link_target" in
/*) target="$link_target" ;;
*)
target="$(dirname "$target")/$link_target"
;;
esac
done
target_dir=$(dirname "$target")
target_name=$(basename "$target")
if cd "$target_dir" 2>/dev/null; then
printf '%s/%s\n' "$(pwd -P)" "$target_name"
else
printf '%s\n' "$target"
fi
}
# Derives the safe-chain base install directory from a packaged binary path.
# Rejects wrapper scripts and paths that do not match the expected bin layout.
derive_install_dir_from_binary() {
binary_path="$1"
if [ -z "$binary_path" ]; then
return 1
fi
resolved_path=$(resolve_path "$binary_path")
binary_name=$(basename "$resolved_path")
case "$binary_name" in
safe-chain|safe-chain.exe) ;;
*) return 1 ;;
esac
case "$resolved_path" in
*.js|*.cjs|*.mjs|*.cmd|*.ps1) return 1 ;;
esac
binary_dir=$(dirname "$resolved_path")
if [ "$(basename "$binary_dir")" != "bin" ]; then
return 1
fi
dirname "$binary_dir"
}
# Determines the installed safe-chain base directory for uninstall.
# Prefers the binary-reported location, then infers it from PATH, then falls back to ~/.safe-chain.
get_install_dir() {
reported_install_dir=$(get_reported_install_dir || true)
if [ -n "$reported_install_dir" ]; then
printf '%s\n' "$reported_install_dir"
return 0
fi
command_path=$(get_safe_chain_command_path || true)
install_dir=$(derive_install_dir_from_binary "$command_path" || true)
if [ -n "$install_dir" ]; then
printf '%s\n' "$install_dir"
return 0
fi
printf '%s\n' "${HOME}/.safe-chain"
}
# Returns the current safe-chain command path from PATH.
# Fails when safe-chain is not currently resolvable.
get_safe_chain_command_path() {
if ! command_exists safe-chain; then
return 1
fi
command -v safe-chain
}
# Returns the safe-chain command path only when it resolves to a valid packaged binary install.
# Prevents the uninstaller from invoking arbitrary PATH entries.
get_validated_safe_chain_command_path() {
command_path=$(get_safe_chain_command_path || true)
if [ -z "$command_path" ]; then
return 1
fi
install_dir=$(derive_install_dir_from_binary "$command_path" || true)
if [ -z "$install_dir" ]; then
return 1
fi
printf '%s\n' "$command_path"
}
# Asks the validated safe-chain binary for its install directory via get-install-dir.
# Returns nothing if the command is unavailable or the lookup fails.
get_reported_install_dir() {
safe_chain_path=$(get_validated_safe_chain_command_path || true)
if [ -z "$safe_chain_path" ]; then
return 1
fi
install_dir=$("$safe_chain_path" get-install-dir 2>/dev/null || true)
if [ -n "$install_dir" ]; then
printf '%s\n' "$install_dir"
return 0
fi
return 1
}
# Locates the installed safe-chain binary to use for teardown.
# Checks the discovered install dir first, then falls back to a validated PATH entry.
find_installed_safe_chain_binary() {
dot_safe_chain="$1"
safe_chain_location="$dot_safe_chain/bin/safe-chain"
if [ -x "$safe_chain_location" ]; then
printf '%s\n' "$safe_chain_location"
return 0
fi
command_path=$(get_validated_safe_chain_command_path || true)
if [ -n "$command_path" ]; then
printf '%s\n' "$command_path"
return 0
fi
return 1
}
# Runs safe-chain teardown before removing files.
# Continues with uninstall even if teardown is unavailable or fails.
run_safe_chain_teardown() {
safe_chain_command="$1"
if [ -z "$safe_chain_command" ]; then
warn "safe-chain command not found. Proceeding with uninstallation."
return
fi
info "Running safe-chain teardown..."
"$safe_chain_command" teardown || warn "safe-chain teardown encountered issues, continuing with uninstallation..."
}
# Check and uninstall npm global package if present
remove_npm_installation() {
if ! command_exists npm; then
@ -139,17 +291,9 @@ remove_nvm_installation() {
# Main uninstallation
main() {
SAFE_CHAIN_LOCATION="$INSTALL_DIR/safe-chain"
if [ -x "$SAFE_CHAIN_LOCATION" ]; then
info "Running safe-chain teardown..."
"$SAFE_CHAIN_LOCATION" teardown || warn "safe-chain teardown encountered issues, continuing with uninstallation..."
elif command_exists safe-chain; then
info "Running safe-chain teardown..."
safe-chain teardown || warn "safe-chain teardown encountered issues, continuing with uninstallation..."
else
warn "safe-chain command not found. Proceeding with uninstallation."
fi
DOT_SAFE_CHAIN=$(get_install_dir)
SAFE_CHAIN_COMMAND=$(find_installed_safe_chain_binary "$DOT_SAFE_CHAIN" || true)
run_safe_chain_teardown "$SAFE_CHAIN_COMMAND"
# Check for existing safe-chain installation through nvm, volta, or npm
remove_npm_installation
@ -157,11 +301,11 @@ main() {
remove_nvm_installation
# Remove install dir recursively if it exists
if [ -d "$INSTALL_DIR" ]; then
info "Removing installation directory $INSTALL_DIR"
rm -rf "$INSTALL_DIR" || error "Failed to remove $INSTALL_DIR"
if [ -d "$DOT_SAFE_CHAIN" ]; then
info "Removing installation directory $DOT_SAFE_CHAIN"
rm -rf "$DOT_SAFE_CHAIN" || error "Failed to remove $DOT_SAFE_CHAIN"
else
info "Installation directory $INSTALL_DIR does not exist. Nothing to remove."
info "Installation directory $DOT_SAFE_CHAIN does not exist. Nothing to remove."
fi
}