@agenshield/broker 0.1.0

package/client/index.js

@@ -0,0 +1,222 @@
+// libs/shield-broker/src/client/broker-client.ts
+import * as net from "node:net";
+import { randomUUID } from "node:crypto";
+var BrokerClient = class {
+  socketPath;
+  httpHost;
+  httpPort;
+  timeout;
+  preferSocket;
+  constructor(options = {}) {
+    this.socketPath = options.socketPath || "/var/run/agenshield/agenshield.sock";
+    this.httpHost = options.httpHost || "localhost";
+    this.httpPort = options.httpPort || 5201;
+    this.timeout = options.timeout || 3e4;
+    this.preferSocket = options.preferSocket ?? true;
+  }
+  /**
+   * Make an HTTP request through the broker
+   */
+  async httpRequest(params, options) {
+    return this.request("http_request", params, options);
+  }
+  /**
+   * Read a file through the broker
+   */
+  async fileRead(params, options) {
+    return this.request("file_read", params, options);
+  }
+  /**
+   * Write a file through the broker
+   */
+  async fileWrite(params, options) {
+    return this.request("file_write", params, {
+      ...options,
+      channel: "socket"
+      // file_write only allowed via socket
+    });
+  }
+  /**
+   * List files through the broker
+   */
+  async fileList(params, options) {
+    return this.request("file_list", params, options);
+  }
+  /**
+   * Execute a command through the broker
+   */
+  async exec(params, options) {
+    return this.request("exec", params, {
+      ...options,
+      channel: "socket"
+      // exec only allowed via socket
+    });
+  }
+  /**
+   * Open a URL through the broker
+   */
+  async openUrl(params, options) {
+    return this.request("open_url", params, options);
+  }
+  /**
+   * Inject a secret through the broker
+   */
+  async secretInject(params, options) {
+    return this.request("secret_inject", params, {
+      ...options,
+      channel: "socket"
+      // secret_inject only allowed via socket
+    });
+  }
+  /**
+   * Ping the broker
+   */
+  async ping(echo, options) {
+    return this.request("ping", { echo }, options);
+  }
+  /**
+   * Install a skill through the broker
+   * Socket-only operation due to privileged file operations
+   */
+  async skillInstall(params, options) {
+    return this.request("skill_install", params, {
+      ...options,
+      channel: "socket"
+      // skill_install only allowed via socket
+    });
+  }
+  /**
+   * Uninstall a skill through the broker
+   * Socket-only operation due to privileged file operations
+   */
+  async skillUninstall(params, options) {
+    return this.request("skill_uninstall", params, {
+      ...options,
+      channel: "socket"
+      // skill_uninstall only allowed via socket
+    });
+  }
+  /**
+   * Check if the broker is available
+   */
+  async isAvailable() {
+    try {
+      await this.ping();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Make a request to the broker
+   */
+  async request(method, params, options) {
+    const channel = options?.channel || (this.preferSocket ? "socket" : "http");
+    const timeout = options?.timeout || this.timeout;
+    if (channel === "socket") {
+      try {
+        return await this.socketRequest(method, params, timeout);
+      } catch (error) {
+        if (!options?.channel) {
+          return await this.httpRequest_internal(method, params, timeout);
+        }
+        throw error;
+      }
+    } else {
+      return await this.httpRequest_internal(method, params, timeout);
+    }
+  }
+  /**
+   * Make a request via Unix socket
+   */
+  async socketRequest(method, params, timeout) {
+    return new Promise((resolve, reject) => {
+      const socket = net.createConnection(this.socketPath);
+      const id = randomUUID();
+      let responseData = "";
+      let timeoutId;
+      socket.on("connect", () => {
+        const request = {
+          jsonrpc: "2.0",
+          id,
+          method,
+          params
+        };
+        socket.write(JSON.stringify(request) + "\n");
+        timeoutId = setTimeout(() => {
+          socket.destroy();
+          reject(new Error("Request timeout"));
+        }, timeout);
+      });
+      socket.on("data", (data) => {
+        responseData += data.toString();
+        const newlineIndex = responseData.indexOf("\n");
+        if (newlineIndex !== -1) {
+          clearTimeout(timeoutId);
+          socket.end();
+          try {
+            const response = JSON.parse(
+              responseData.slice(0, newlineIndex)
+            );
+            if (response.error) {
+              const error = new Error(response.error.message);
+              error.code = response.error.code;
+              reject(error);
+            } else {
+              resolve(response.result);
+            }
+          } catch (error) {
+            reject(new Error("Invalid response from broker"));
+          }
+        }
+      });
+      socket.on("error", (error) => {
+        clearTimeout(timeoutId);
+        reject(error);
+      });
+    });
+  }
+  /**
+   * Make a request via HTTP
+   */
+  async httpRequest_internal(method, params, timeout) {
+    const url = `http://${this.httpHost}:${this.httpPort}/rpc`;
+    const id = randomUUID();
+    const request = {
+      jsonrpc: "2.0",
+      id,
+      method,
+      params
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(request),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        throw new Error(`HTTP error: ${response.status}`);
+      }
+      const jsonResponse = await response.json();
+      if (jsonResponse.error) {
+        const error = new Error(jsonResponse.error.message);
+        error.code = jsonResponse.error.code;
+        throw error;
+      }
+      return jsonResponse.result;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("Request timeout");
+      }
+      throw error;
+    }
+  }
+};
+export {
+  BrokerClient
+};

package/client/shield-client.d.ts

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+/**
+ * Shield Client CLI
+ *
+ * Command-line client for interacting with the broker daemon.
+ */
+export {};
+//# sourceMappingURL=shield-client.d.ts.map

package/client/shield-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shield-client.d.ts","sourceRoot":"","sources":["../../src/client/shield-client.ts"],"names":[],"mappings":";AACA;;;;GAIG"}

package/client/shield-client.js

@@ -0,0 +1,410 @@
+#!/usr/bin/env node
+
+// libs/shield-broker/src/client/broker-client.ts
+import * as net from "node:net";
+import { randomUUID } from "node:crypto";
+var BrokerClient = class {
+  socketPath;
+  httpHost;
+  httpPort;
+  timeout;
+  preferSocket;
+  constructor(options = {}) {
+    this.socketPath = options.socketPath || "/var/run/agenshield/agenshield.sock";
+    this.httpHost = options.httpHost || "localhost";
+    this.httpPort = options.httpPort || 5201;
+    this.timeout = options.timeout || 3e4;
+    this.preferSocket = options.preferSocket ?? true;
+  }
+  /**
+   * Make an HTTP request through the broker
+   */
+  async httpRequest(params, options) {
+    return this.request("http_request", params, options);
+  }
+  /**
+   * Read a file through the broker
+   */
+  async fileRead(params, options) {
+    return this.request("file_read", params, options);
+  }
+  /**
+   * Write a file through the broker
+   */
+  async fileWrite(params, options) {
+    return this.request("file_write", params, {
+      ...options,
+      channel: "socket"
+      // file_write only allowed via socket
+    });
+  }
+  /**
+   * List files through the broker
+   */
+  async fileList(params, options) {
+    return this.request("file_list", params, options);
+  }
+  /**
+   * Execute a command through the broker
+   */
+  async exec(params, options) {
+    return this.request("exec", params, {
+      ...options,
+      channel: "socket"
+      // exec only allowed via socket
+    });
+  }
+  /**
+   * Open a URL through the broker
+   */
+  async openUrl(params, options) {
+    return this.request("open_url", params, options);
+  }
+  /**
+   * Inject a secret through the broker
+   */
+  async secretInject(params, options) {
+    return this.request("secret_inject", params, {
+      ...options,
+      channel: "socket"
+      // secret_inject only allowed via socket
+    });
+  }
+  /**
+   * Ping the broker
+   */
+  async ping(echo, options) {
+    return this.request("ping", { echo }, options);
+  }
+  /**
+   * Install a skill through the broker
+   * Socket-only operation due to privileged file operations
+   */
+  async skillInstall(params, options) {
+    return this.request("skill_install", params, {
+      ...options,
+      channel: "socket"
+      // skill_install only allowed via socket
+    });
+  }
+  /**
+   * Uninstall a skill through the broker
+   * Socket-only operation due to privileged file operations
+   */
+  async skillUninstall(params, options) {
+    return this.request("skill_uninstall", params, {
+      ...options,
+      channel: "socket"
+      // skill_uninstall only allowed via socket
+    });
+  }
+  /**
+   * Check if the broker is available
+   */
+  async isAvailable() {
+    try {
+      await this.ping();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Make a request to the broker
+   */
+  async request(method, params, options) {
+    const channel = options?.channel || (this.preferSocket ? "socket" : "http");
+    const timeout = options?.timeout || this.timeout;
+    if (channel === "socket") {
+      try {
+        return await this.socketRequest(method, params, timeout);
+      } catch (error) {
+        if (!options?.channel) {
+          return await this.httpRequest_internal(method, params, timeout);
+        }
+        throw error;
+      }
+    } else {
+      return await this.httpRequest_internal(method, params, timeout);
+    }
+  }
+  /**
+   * Make a request via Unix socket
+   */
+  async socketRequest(method, params, timeout) {
+    return new Promise((resolve, reject) => {
+      const socket = net.createConnection(this.socketPath);
+      const id = randomUUID();
+      let responseData = "";
+      let timeoutId;
+      socket.on("connect", () => {
+        const request = {
+          jsonrpc: "2.0",
+          id,
+          method,
+          params
+        };
+        socket.write(JSON.stringify(request) + "\n");
+        timeoutId = setTimeout(() => {
+          socket.destroy();
+          reject(new Error("Request timeout"));
+        }, timeout);
+      });
+      socket.on("data", (data) => {
+        responseData += data.toString();
+        const newlineIndex = responseData.indexOf("\n");
+        if (newlineIndex !== -1) {
+          clearTimeout(timeoutId);
+          socket.end();
+          try {
+            const response = JSON.parse(
+              responseData.slice(0, newlineIndex)
+            );
+            if (response.error) {
+              const error = new Error(response.error.message);
+              error.code = response.error.code;
+              reject(error);
+            } else {
+              resolve(response.result);
+            }
+          } catch (error) {
+            reject(new Error("Invalid response from broker"));
+          }
+        }
+      });
+      socket.on("error", (error) => {
+        clearTimeout(timeoutId);
+        reject(error);
+      });
+    });
+  }
+  /**
+   * Make a request via HTTP
+   */
+  async httpRequest_internal(method, params, timeout) {
+    const url = `http://${this.httpHost}:${this.httpPort}/rpc`;
+    const id = randomUUID();
+    const request = {
+      jsonrpc: "2.0",
+      id,
+      method,
+      params
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(request),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        throw new Error(`HTTP error: ${response.status}`);
+      }
+      const jsonResponse = await response.json();
+      if (jsonResponse.error) {
+        const error = new Error(jsonResponse.error.message);
+        error.code = jsonResponse.error.code;
+        throw error;
+      }
+      return jsonResponse.result;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === "AbortError") {
+        throw new Error("Request timeout");
+      }
+      throw error;
+    }
+  }
+};
+
+// libs/shield-broker/src/client/shield-client.ts
+var client = new BrokerClient({
+  socketPath: process.env["AGENSHIELD_SOCKET"] || "/var/run/agenshield/agenshield.sock",
+  httpHost: process.env["AGENSHIELD_HTTP_HOST"] || "localhost",
+  httpPort: parseInt(process.env["AGENSHIELD_HTTP_PORT"] || "5201", 10)
+});
+async function main() {
+  const args = process.argv.slice(2);
+  const command = args[0];
+  if (!command || command === "help" || command === "--help" || command === "-h") {
+    printHelp();
+    return;
+  }
+  try {
+    switch (command) {
+      case "ping":
+        await handlePing(args.slice(1));
+        break;
+      case "http":
+        await handleHttp(args.slice(1));
+        break;
+      case "file":
+        await handleFile(args.slice(1));
+        break;
+      case "exec":
+        await handleExec(args.slice(1));
+        break;
+      case "open":
+        await handleOpen(args.slice(1));
+        break;
+      case "secret":
+        await handleSecret(args.slice(1));
+        break;
+      default:
+        console.error(`Unknown command: ${command}`);
+        printHelp();
+        process.exit(1);
+    }
+  } catch (error) {
+    console.error("Error:", error.message);
+    process.exit(1);
+  }
+}
+function printHelp() {
+  console.log(`
+Shield Client - AgenShield Broker CLI
+
+Usage: shield-client <command> [options]
+
+Commands:
+  ping [message]                     Ping the broker
+  http <method> <url> [body]         Make an HTTP request
+  file read <path>                   Read a file
+  file write <path> <content>        Write a file
+  file list <path> [--recursive]     List directory contents
+  exec <command> [args...]           Execute a command
+  open <url>                         Open a URL in the browser
+  secret get <name>                  Get a secret value
+
+Environment:
+  AGENSHIELD_SOCKET      Unix socket path (default: /var/run/agenshield/agenshield.sock)
+  AGENSHIELD_HTTP_HOST   HTTP fallback host (default: localhost)
+  AGENSHIELD_HTTP_PORT   HTTP fallback port (default: 5201)
+
+Examples:
+  shield-client ping
+  shield-client http GET https://api.example.com/data
+  shield-client file read /path/to/file.txt
+  shield-client exec ls -la
+  shield-client open https://example.com
+`);
+}
+async function handlePing(args) {
+  const echo = args[0];
+  const result = await client.ping(echo);
+  console.log("Pong!");
+  console.log(`  Version: ${result.version}`);
+  console.log(`  Timestamp: ${result.timestamp}`);
+  if (result.echo) {
+    console.log(`  Echo: ${result.echo}`);
+  }
+}
+async function handleHttp(args) {
+  const method = args[0]?.toUpperCase();
+  const url = args[1];
+  const body = args[2];
+  if (!method || !url) {
+    console.error("Usage: shield-client http <method> <url> [body]");
+    process.exit(1);
+  }
+  const result = await client.httpRequest({
+    url,
+    method,
+    body
+  });
+  console.log(`Status: ${result.status} ${result.statusText}`);
+  console.log("Headers:");
+  for (const [key, value] of Object.entries(result.headers)) {
+    console.log(`  ${key}: ${value}`);
+  }
+  console.log("\nBody:");
+  console.log(result.body);
+}
+async function handleFile(args) {
+  const subcommand = args[0];
+  switch (subcommand) {
+    case "read": {
+      const path = args[1];
+      if (!path) {
+        console.error("Usage: shield-client file read <path>");
+        process.exit(1);
+      }
+      const result = await client.fileRead({ path });
+      console.log(result.content);
+      break;
+    }
+    case "write": {
+      const path = args[1];
+      const content = args.slice(2).join(" ");
+      if (!path || !content) {
+        console.error("Usage: shield-client file write <path> <content>");
+        process.exit(1);
+      }
+      const result = await client.fileWrite({ path, content });
+      console.log(`Wrote ${result.bytesWritten} bytes to ${result.path}`);
+      break;
+    }
+    case "list": {
+      const path = args[1] || ".";
+      const recursive = args.includes("--recursive") || args.includes("-r");
+      const result = await client.fileList({ path, recursive });
+      for (const entry of result.entries) {
+        const typeChar = entry.type === "directory" ? "d" : entry.type === "symlink" ? "l" : "-";
+        console.log(`${typeChar} ${entry.size.toString().padStart(10)} ${entry.name}`);
+      }
+      break;
+    }
+    default:
+      console.error("Usage: shield-client file <read|write|list> [options]");
+      process.exit(1);
+  }
+}
+async function handleExec(args) {
+  const command = args[0];
+  const commandArgs = args.slice(1);
+  if (!command) {
+    console.error("Usage: shield-client exec <command> [args...]");
+    process.exit(1);
+  }
+  const result = await client.exec({
+    command,
+    args: commandArgs
+  });
+  if (result.stdout) {
+    process.stdout.write(result.stdout);
+  }
+  if (result.stderr) {
+    process.stderr.write(result.stderr);
+  }
+  process.exit(result.exitCode);
+}
+async function handleOpen(args) {
+  const url = args[0];
+  if (!url) {
+    console.error("Usage: shield-client open <url>");
+    process.exit(1);
+  }
+  const result = await client.openUrl({ url });
+  console.log(result.opened ? "URL opened successfully" : "Failed to open URL");
+}
+async function handleSecret(args) {
+  const subcommand = args[0];
+  if (subcommand !== "get") {
+    console.error("Usage: shield-client secret get <name>");
+    process.exit(1);
+  }
+  const name = args[1];
+  if (!name) {
+    console.error("Usage: shield-client secret get <name>");
+    process.exit(1);
+  }
+  const result = await client.secretInject({ name });
+  console.log(result.value);
+}
+main().catch((error) => {
+  console.error("Fatal error:", error);
+  process.exit(1);
+});

package/handlers/exec.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Exec Handler
+ *
+ * Handles command execution operations with:
+ * - Command allowlist validation (static + dynamic via CommandAllowlist)
+ * - Workspace path enforcement for FS commands
+ * - URL policy validation for curl/wget
+ * - Exec monitoring via SSE events
+ */
+import type { HandlerContext, HandlerResult, ExecResult } from '../types.js';
+import type { HandlerDependencies } from './types.js';
+export declare function handleExec(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<ExecResult>>;
+//# sourceMappingURL=exec.d.ts.map

package/handlers/exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/handlers/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAc,UAAU,EAAE,MAAM,aAAa,CAAC;AACzF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA+FtD,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CA0GpC"}

package/handlers/file.d.ts

@@ -0,0 +1,20 @@
+/**
+ * File Operation Handlers
+ *
+ * Handles file read, write, and list operations.
+ */
+import type { HandlerContext, HandlerResult, FileReadResult, FileWriteResult, FileListResult } from '../types.js';
+import type { HandlerDependencies } from './types.js';
+/**
+ * Handle file read operation
+ */
+export declare function handleFileRead(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<FileReadResult>>;
+/**
+ * Handle file write operation
+ */
+export declare function handleFileWrite(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<FileWriteResult>>;
+/**
+ * Handle file list operation
+ */
+export declare function handleFileList(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<FileListResult>>;
+//# sourceMappingURL=file.d.ts.map

package/handlers/file.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/handlers/file.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EACV,cAAc,EACd,aAAa,EAEb,cAAc,EAEd,eAAe,EAEf,cAAc,EACf,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD;;GAEG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC,CAyDxC;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC,CAqDzC;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC,CAkDxC"}

package/handlers/http.d.ts

@@ -0,0 +1,9 @@
+/**
+ * HTTP Request Handler
+ *
+ * Proxies HTTP requests through the broker.
+ */
+import type { HandlerContext, HandlerResult, HttpRequestResult } from '../types.js';
+import type { HandlerDependencies } from './types.js';
+export declare function handleHttpRequest(params: Record<string, unknown>, context: HandlerContext, deps: HandlerDependencies): Promise<HandlerResult<HttpRequestResult>>;
+//# sourceMappingURL=http.d.ts.map

package/handlers/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/handlers/http.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAqB,iBAAiB,EAAE,MAAM,aAAa,CAAC;AACvG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC,CAyF3C"}