@agentrecon/cli 2.0.0

package/LICENSE.md

@@ -0,0 +1,14 @@
+# AgentRecon — Proprietary Software
+
+Copyright AgentRecon (https://agentrecon.dev). All rights reserved.
+
+This software is proprietary and is licenced under the AgentRecon End User Licence Agreement (EULA). By downloading, installing, or using this software, you agree to the terms of the EULA.
+
+The full EULA is available at: https://agentrecon.dev/eula
+
+## Summary
+
+- You may use the software for any lawful purpose (personal, commercial, organisational)
+- You may not reverse engineer, redistribute, or use it to build a competing product
+- The software is provided "as is" without warranty
+- See the EULA for full terms

package/README.md

@@ -0,0 +1,48 @@
+<p align="center">
+  <img src="https://agentrecon.dev/brand/icon-512.png" width="96" alt="AgentRecon">
+</p>
+
+<h1 align="center">AgentRecon</h1>
+
+<p align="center">
+  Power tools for AI agents — fewer hallucinations, fewer tokens, faster work.
+</p>
+
+---
+
+AgentRecon indexes your codebase locally and plugs into Claude Code, Codex, Gemini, and any MCP-compatible assistant. It gives your AI ground truth — fast, local, and deterministic. Your assistant gets sharper. You stay in flow.
+
+Zero dependencies. Runs locally. Your source code never leaves your machine.
+
+## Install
+
+```sh
+npm install -g @agentrecon/cli
+```
+
+This package downloads the right native `recon` binary for your platform on install. Other channels:
+
+```sh
+# Homebrew (macOS / Linux)
+brew install agentrecon/tap/recon
+
+# curl (macOS / Linux)
+curl -fsSL https://raw.githubusercontent.com/AgentRecon/agentrecon/main/install.sh | sh
+```
+
+## Get started
+
+```sh
+recon init      # set up AgentRecon in your project
+recon index     # build the local code graph
+recon mcp       # run the MCP server your AI agent connects to
+```
+
+## Links
+
+- Website — https://agentrecon.dev
+- Documentation & releases — https://github.com/AgentRecon/agentrecon
+
+---
+
+The product is in alpha. The download works today.

package/bin/recon.js

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+"use strict";
+
+const { execFileSync } = require("child_process");
+const path = require("path");
+
+const ext = process.platform === "win32" ? ".exe" : "";
+const binary = path.join(__dirname, `recon${ext}`);
+
+try {
+  execFileSync(binary, process.argv.slice(2), { stdio: "inherit" });
+} catch (err) {
+  if (err.status !== null) {
+    process.exit(err.status);
+  }
+  console.error(`Failed to run AgentRecon: ${err.message}`);
+  console.error(`Expected binary at: ${binary}`);
+  console.error(`Try reinstalling: npm install -g @agentrecon/cli`);
+  process.exit(1);
+}

package/install.js

@@ -0,0 +1,189 @@
+#!/usr/bin/env node
+"use strict";
+
+const { execSync } = require("child_process");
+const fs = require("fs");
+const https = require("https");
+const path = require("path");
+const os = require("os");
+const { createHash } = require("crypto");
+
+const REPO = "AgentRecon/agentrecon";
+const BINARY_NAME = "recon";
+
+const PLATFORM_MAP = {
+  "darwin-x64": "x86_64-apple-darwin",
+  "darwin-arm64": "aarch64-apple-darwin",
+  "linux-x64": "x86_64-unknown-linux-gnu",
+  "linux-arm64": "aarch64-unknown-linux-gnu",
+  "win32-x64": "x86_64-pc-windows-msvc",
+  "win32-arm64": "aarch64-pc-windows-msvc",
+};
+
+const ARCHIVE_EXT = {
+  darwin: "tar.gz",
+  linux: "tar.gz",
+  win32: "zip",
+};
+
+function getPlatformTarget() {
+  const key = `${process.platform}-${process.arch}`;
+  const target = PLATFORM_MAP[key];
+  if (!target) {
+    console.error(`Unsupported platform: ${key}`);
+    console.error(`Supported: ${Object.keys(PLATFORM_MAP).join(", ")}`);
+    process.exit(1);
+  }
+  return target;
+}
+
+function getVersion() {
+  const pkg = require("./package.json");
+  // npm version may be "2.0.0-alpha.1" — tag is "v2.0.0-alpha.1"
+  return `v${pkg.version}`;
+}
+
+function fetch(url) {
+  return new Promise((resolve, reject) => {
+    const get = (url, redirectCount) => {
+      if (redirectCount > 5) return reject(new Error("Too many redirects"));
+      https
+        .get(url, { headers: { "User-Agent": "agentrecon-npm-installer" } }, (res) => {
+          if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+            return get(res.headers.location, redirectCount + 1);
+          }
+          if (res.statusCode !== 200) {
+            return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+          }
+          const chunks = [];
+          res.on("data", (chunk) => chunks.push(chunk));
+          res.on("end", () => resolve(Buffer.concat(chunks)));
+          res.on("error", reject);
+        })
+        .on("error", reject);
+    };
+    get(url, 0);
+  });
+}
+
+async function downloadAndVerify(version, target) {
+  const ext = ARCHIVE_EXT[process.platform];
+  const archiveName = `${BINARY_NAME}-${version}-${target}.${ext}`;
+  const baseUrl = `https://github.com/${REPO}/releases/download/${version}`;
+
+  console.log(`Downloading AgentRecon ${version} for ${target}...`);
+
+  // ES256 signature sidecar — present from v2.0.0-alpha.8 onwards. Older
+  // releases had no .sig file or legacy Ed25519 sigs that were never
+  // actually verified; we don't fail if it's missing or 404s.
+  let sigFile = null;
+  const [archive, checksumFile, sigResp] = await Promise.all([
+    fetch(`${baseUrl}/${archiveName}`),
+    fetch(`${baseUrl}/${archiveName}.sha256`),
+    fetchOptional(`${baseUrl}/${archiveName}.sig`),
+  ]);
+  if (sigResp) {
+    sigFile = sigResp;
+  }
+
+  // Verify checksum (mandatory — fails install if mismatch)
+  const expectedHash = checksumFile.toString("utf8").trim().split(/\s+/)[0];
+  const actualHash = createHash("sha256").update(archive).digest("hex");
+
+  if (expectedHash !== actualHash) {
+    console.error(`Checksum mismatch!`);
+    console.error(`  Expected: ${expectedHash}`);
+    console.error(`  Actual:   ${actualHash}`);
+    process.exit(1);
+  }
+
+  console.log("Checksum verified.");
+
+  // Note on cryptographic signature verification:
+  // The .sig file contains an ES256 (P-256 ECDSA) signature produced by
+  // the release-sign-prod key in our Azure Key Vault. We do NOT verify
+  // it in this npm postinstall hook to keep the surface area minimal at
+  // first-install time. Trust chain at install:
+  //
+  //   1. HTTPS to github.com  → authenticates the source
+  //   2. SHA-256 of archive   → verifies download integrity
+  //   3. npm provenance       → attests this package was published via
+  //                              our GitHub Actions release workflow
+  //
+  // After install, the binary's `recon update` flow performs full ES256
+  // verification against the embedded public key in keys/release.pub.
+  // Every subsequent update IS cryptographically verified.
+  //
+  // To verify the .sig at install time yourself, see SECURITY.md.
+  if (sigFile) {
+    console.log("ES256 signature available alongside (downloadable from GitHub Release page).");
+  }
+
+  return { archive, ext };
+}
+
+/**
+ * Like fetch() but returns null on 404 / missing instead of throwing.
+ * Used for the optional .sig sidecar.
+ */
+async function fetchOptional(url) {
+  try {
+    return await fetch(url);
+  } catch (_err) {
+    return null;
+  }
+}
+
+function extractBinary(archive, ext) {
+  const binDir = path.join(__dirname, "bin");
+  fs.mkdirSync(binDir, { recursive: true });
+
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "agentrecon-"));
+  const archivePath = path.join(tmpDir, `archive.${ext}`);
+  fs.writeFileSync(archivePath, archive);
+
+  try {
+    if (ext === "tar.gz") {
+      execSync(`tar xzf "${archivePath}" -C "${binDir}"`, { stdio: "pipe" });
+    } else if (ext === "zip") {
+      // Windows: use PowerShell to extract
+      execSync(
+        `powershell -Command "Expand-Archive -Path '${archivePath}' -DestinationPath '${binDir}' -Force"`,
+        { stdio: "pipe" }
+      );
+    }
+  } finally {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  }
+
+  const binaryPath = path.join(binDir, process.platform === "win32" ? `${BINARY_NAME}.exe` : BINARY_NAME);
+
+  if (!fs.existsSync(binaryPath)) {
+    console.error(`Binary not found at ${binaryPath} after extraction.`);
+    process.exit(1);
+  }
+
+  if (process.platform !== "win32") {
+    fs.chmodSync(binaryPath, 0o755);
+  }
+
+  console.log(`Installed: ${binaryPath}`);
+}
+
+async function main() {
+  // Skip install in CI if AGENTRECON_SKIP_INSTALL is set
+  if (process.env.AGENTRECON_SKIP_INSTALL) {
+    console.log("AGENTRECON_SKIP_INSTALL set, skipping binary download.");
+    return;
+  }
+
+  const target = getPlatformTarget();
+  const version = getVersion();
+  const { archive, ext } = await downloadAndVerify(version, target);
+  extractBinary(archive, ext);
+}
+
+main().catch((err) => {
+  console.error(`Failed to install AgentRecon: ${err.message}`);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@agentrecon/cli",
+  "version": "2.0.0",
+  "description": "Code intelligence engine for AI coding assistants",
+  "license": "LicenseRef-Proprietary",
+  "homepage": "https://agentrecon.dev",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/AgentRecon/agentrecon.git"
+  },
+  "bin": {
+    "recon": "bin/recon.js"
+  },
+  "scripts": {
+    "postinstall": "node install.js"
+  },
+  "os": [
+    "darwin",
+    "linux",
+    "win32"
+  ],
+  "cpu": [
+    "x64",
+    "arm64"
+  ],
+  "keywords": [
+    "agentrecon",
+    "code-intelligence",
+    "mcp",
+    "ai-coding",
+    "static-analysis",
+    "security",
+    "blast-radius"
+  ],
+  "files": [
+    "install.js",
+    "bin/recon.js",
+    "LICENSE.md"
+  ]
+}