@cybedefend/vibedefend 1.1.1

package/dist/auth/callback-server.js

@@ -0,0 +1,216 @@
+/**
+ * Local HTTP callback server for the OAuth 2.0 Authorization Code flow.
+ *
+ * Binds to 127.0.0.1 (localhost only, never 0.0.0.0) on a random unprivileged
+ * port (port 0 → OS assigns a free port). After a successful callback the
+ * server is closed immediately.
+ *
+ * Security:
+ * - Binds to 127.0.0.1 only (not reachable from the network).
+ * - Validates the `state` parameter on every callback to prevent CSRF.
+ * - Closes as soon as the callback is received (no lingering listener).
+ */
+import { createServer } from 'node:http';
+/**
+ * Start a one-shot local HTTP server on a random port. Returns the port,
+ * a promise that resolves with the OAuth code, and a stop function.
+ *
+ * @param expectedState The CSRF state value the caller generated. Every
+ *   incoming callback is validated against this; mismatches are rejected.
+ */
+/**
+ * Default port for production. Matches the loopback redirect URIs registered
+ * on the Logto "CybeDefend CLI" Native application
+ * (http://localhost:9877/callback and http://127.0.0.1:9877/callback).
+ * Tests override this with port 0 to avoid sequential-test collisions.
+ */
+export const DEFAULT_CALLBACK_PORT = 9877;
+export async function startCallbackServer(expectedState, options = {}) {
+    let resolveCode;
+    let rejectCode;
+    const codePromise = new Promise((res, rej) => {
+        resolveCode = res;
+        rejectCode = rej;
+    });
+    const server = createServer((req, res) => {
+        const url = new URL(req.url ?? '/', 'http://localhost');
+        if (url.pathname !== '/callback') {
+            res.writeHead(404).end();
+            return;
+        }
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+        const errorDescription = url.searchParams.get('error_description') ?? '';
+        if (error) {
+            res.writeHead(400, { 'Content-Type': 'text/html' });
+            res.end(prettyErrorPage(error, errorDescription));
+            rejectCode(new Error(`OAuth error: ${error}${errorDescription ? ` — ${errorDescription}` : ''}`));
+            return;
+        }
+        if (!code || state !== expectedState) {
+            const reason = !code ? 'missing authorization code' : 'state mismatch';
+            res.writeHead(400, { 'Content-Type': 'text/html' });
+            res.end(prettyErrorPage('invalid_request', reason));
+            rejectCode(new Error(`Invalid OAuth callback: ${reason}.`));
+            return;
+        }
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(prettySuccessPage());
+        resolveCode(code);
+    });
+    // Bind to localhost on the chosen port. Production uses DEFAULT_CALLBACK_PORT
+    // (9877) because Logto enforces strict redirect_uri matching against the URIs
+    // registered for the "CybeDefend CLI" Native application
+    // (http://localhost:9877/callback and http://127.0.0.1:9877/callback). RFC
+    // 8252 recommends random loopback ports, but Logto does not honor wildcards.
+    // Tests pass port=0 to let the OS assign a free port — required to avoid
+    // EADDRINUSE collisions across sequentially-run test cases.
+    const requestedPort = options.port ?? DEFAULT_CALLBACK_PORT;
+    await new Promise((resolve, reject) => {
+        server.once('error', (err) => {
+            if (err.code === 'EADDRINUSE') {
+                reject(new Error(`Port ${requestedPort} is already in use. Another vibedefend login flow may be running, or another process is bound to this port. ` +
+                    `Kill the other process (lsof -i :${requestedPort}) and try again.`));
+            }
+            else {
+                reject(err);
+            }
+        });
+        server.listen(requestedPort, '127.0.0.1', resolve);
+    });
+    const addr = server.address();
+    if (!addr)
+        throw new Error('Failed to bind callback server.');
+    // When the caller passed port=0 the OS assigned a free port; reflect the
+    // ACTUAL bound port back to the caller so they can build the redirect_uri.
+    const port = addr.port;
+    const stopServer = () => new Promise((resolve) => {
+        // server.close() alone only refuses NEW connections — existing keep-alive
+        // connections (the browser's callback request) remain in the event loop
+        // until they idle out, which hangs `vibedefend login` for ~5 s after
+        // success. closeAllConnections() forcefully closes those so the process
+        // can exit immediately. Available since Node 18.2; we require >=18.17.
+        server.closeAllConnections?.();
+        server.close(() => resolve());
+    });
+    return { port, codePromise, stopServer };
+}
+// ─── HTML pages ──────────────────────────────────────────────────────────────
+/**
+ * Shared HTML shell for the OAuth callback success / error pages.
+ *
+ * Mirrors the branded layout used by the Go `cybedefend-cli` (pkg/auth/oauth.go:
+ * `callbackPageBase`) so users see the same authentication-complete experience
+ * regardless of which CLI initiated the flow. The single shared template keeps
+ * the look-and-feel — radial-gradient background, white card, CybeDefend logo,
+ * "CybeDefend CLI" tag — consistent across both CLIs.
+ *
+ * Caller injects `body` as the inner content (icon + title + optional detail).
+ * The caller is responsible for HTML-escaping any user-controlled string before
+ * embedding it into `body`.
+ */
+function renderCallbackPage(body) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>CybeDefend — Authentication</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: radial-gradient(ellipse at 60% 10%, #2d1045 0%, #14082a 50%, #0a0414 100%);
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      color: #e8d8ff;
+    }
+    .card {
+      background: #ffffff;
+      border: none;
+      border-radius: 20px;
+      padding: 48px 52px;
+      max-width: 480px;
+      width: 100%;
+      text-align: center;
+      box-shadow: 0 8px 48px rgba(0,0,0,0.5);
+    }
+    h1 { color: #1a0a2e; font-size: 22px; font-weight: 600; margin-bottom: 10px; }
+    p  { color: rgba(40,20,60,0.6); font-size: 14px; line-height: 1.6; }
+    .logo { height: 44px; margin-bottom: 36px; }
+    .icon {
+      width: 72px; height: 72px;
+      border-radius: 50%;
+      display: flex; align-items: center; justify-content: center;
+      margin: 0 auto 24px;
+      font-size: 32px;
+    }
+    .icon.success { background: #e6f9ee; border: 1px solid #4caf7d; }
+    .icon.error   { background: rgba(255,80,80,0.08); border: 1px solid rgba(255,80,80,0.25); }
+    .detail {
+      margin-top: 16px;
+      padding: 12px 16px;
+      background: rgba(255,80,80,0.06);
+      border: 1px solid rgba(255,80,80,0.18);
+      border-radius: 10px;
+      font-size: 13px;
+      color: rgba(200,40,40,0.85);
+      word-break: break-word;
+    }
+    .tag {
+      display: inline-block;
+      margin-top: 28px;
+      padding: 5px 14px;
+      border-radius: 99px;
+      font-size: 11px;
+      letter-spacing: 0.05em;
+      text-transform: uppercase;
+      border: 1px solid rgba(100,50,180,0.25);
+      color: rgba(100,50,180,0.5);
+    }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <img class="logo" src="https://eu.cybedefend.com/logo.webp" alt="CybeDefend" />
+    ${body}
+    <span class="tag">VibeDefend</span>
+  </div>
+</body>
+</html>`;
+}
+function prettySuccessPage() {
+    const body = `
+    <div class="icon success">
+      <svg width="34" height="34" viewBox="0 0 24 24" fill="none" stroke="#1a7a40" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>
+    </div>
+    <h1>Authentication successful</h1>
+    <p>You're now logged in. You can close this tab and return to your terminal.</p>
+    <script>
+      // Best-effort auto-close — works in most browsers unless blocked by policy.
+      setTimeout(() => { try { window.close(); } catch (e) {} }, 1500);
+    </script>`;
+    return renderCallbackPage(body);
+}
+function prettyErrorPage(error, description) {
+    const safeError = htmlEscape(error || 'Authentication error');
+    const safeDesc = htmlEscape(description || '');
+    const body = `
+    <div class="icon error">✕</div>
+    <h1>${safeError}</h1>
+    <p>Authentication could not be completed.</p>
+    ${safeDesc ? `<div class="detail">${safeDesc}</div>` : ''}`;
+    return renderCallbackPage(body);
+}
+function htmlEscape(s) {
+    return s
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+//# sourceMappingURL=callback-server.js.map

package/dist/auth/callback-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.js","sourceRoot":"","sources":["../../src/auth/callback-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAWzC;;;;;;GAMG;AACH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,aAAqB,EACrB,UAA6B,EAAE;IAE/B,IAAI,WAAoC,CAAC;IACzC,IAAI,UAA+B,CAAC;IACpC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACnD,WAAW,GAAG,GAAG,CAAC;QAClB,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,YAAY,CACzB,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;QAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACxD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,gBAAgB,GACpB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;QAElD,IAAI,KAAK,EAAE,CAAC;YACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;YACpD,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC;YAClD,UAAU,CACR,IAAI,KAAK,CACP,gBAAgB,KAAK,GAAG,gBAAgB,CAAC,CAAC,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3E,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,gBAAgB,CAAC;YACvE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;YACpD,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;YACpD,UAAU,CACR,IAAI,KAAK,CAAC,2BAA2B,MAAM,GAAG,CAAC,CAChD,CAAC;YACF,OAAO;QACT,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;QACpD,GAAG,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAC7B,WAAW,CAAC,IAAI,CAAC,CAAC;IACpB,CAAC,CACF,CAAC;IAEF,8EAA8E;IAC9E,8EAA8E;IAC9E,yDAAyD;IACzD,2EAA2E;IAC3E,6EAA6E;IAC7E,yEAAyE;IACzE,4DAA4D;IAC5D,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,IAAI,qBAAqB,CAAC;IAC5D,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;YAClD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,KAAK,CACd,QAAQ,aAAa,8GAA8G;oBACnI,oCAAoC,aAAa,kBAAkB,CACpE,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAA6B,CAAC;IACzD,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IAC9D,yEAAyE;IACzE,2EAA2E;IAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAEvB,MAAM,UAAU,GAAG,GAAkB,EAAE,CACrC,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QACtB,0EAA0E;QAC1E,wEAAwE;QACxE,qEAAqE;QACrE,wEAAwE;QACxE,uEAAuE;QACvE,MAAM,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEL,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;GAYG;AACH,SAAS,kBAAkB,CAAC,IAAY;IACtC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAiEH,IAAI;;;;QAIF,CAAC;AACT,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG;;;;;;;;;cASD,CAAC;IACb,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CAAC,KAAa,EAAE,WAAmB;IACzD,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,IAAI,sBAAsB,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG;;UAEL,SAAS;;MAEb,QAAQ,CAAC,CAAC,CAAC,uBAAuB,QAAQ,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC9D,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC"}

package/dist/auth/pkce.js

@@ -0,0 +1,31 @@
+/**
+ * PKCE (Proof Key for Code Exchange) helpers for the OAuth 2.0 Authorization
+ * Code flow. Used by `vibedefend login` to authenticate against Logto without
+ * a client_secret (Public/Native client model).
+ *
+ * RFC 7636 — PKCE spec.
+ */
+import { createHash, randomBytes } from 'node:crypto';
+/**
+ * Generate a cryptographically random, URL-safe base64 string of the given
+ * byte length. Used both for the PKCE code_verifier and the state CSRF token.
+ *
+ * PKCE spec requires 43-128 characters for code_verifier. A 64-byte random
+ * value produces an 86-character base64url string (well within the range).
+ */
+export function randomBase64url(byteLength) {
+    return randomBytes(byteLength).toString('base64url');
+}
+/**
+ * Compute the PKCE code_challenge from a code_verifier using the S256 method:
+ *   BASE64URL(SHA256(ASCII(code_verifier)))
+ *
+ * The resulting challenge is sent in the authorization request; the verifier
+ * is sent in the token exchange. The server re-derives the challenge and
+ * verifies they match, proving the entity that started the flow is the same
+ * one completing it.
+ */
+export function pkceChallenge(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACnE,CAAC"}

package/dist/auth/token-exchange.js

@@ -0,0 +1,83 @@
+/**
+ * OAuth 2.0 token exchange and refresh helpers.
+ *
+ * Handles two grant types against Logto's /oidc/token endpoint:
+ *   - authorization_code  (initial login, includes PKCE code_verifier)
+ *   - refresh_token       (transparent refresh before API calls)
+ *
+ * Both functions accept an optional `fetchImpl` so they can be injected
+ * in unit tests without touching globalThis.fetch.
+ */
+// ─── Errors ───────────────────────────────────────────────────────────────────
+/**
+ * Thrown when the /oidc/token endpoint rejects the refresh_token (e.g. the
+ * token was revoked, expired beyond the inactivity window, or the user
+ * changed their password). The caller should clear local credentials and
+ * ask the user to `vibedefend login` again.
+ */
+export class RefreshTokenInvalidError extends Error {
+    constructor(msg) {
+        super(msg);
+        this.name = 'RefreshTokenInvalidError';
+    }
+}
+/**
+ * Exchange an authorization code + PKCE code_verifier for a full token bundle.
+ *
+ * Called once at the end of the `vibedefend login` browser flow. The resulting
+ * tokens (access, refresh, id) are persisted to the OS keychain / file store.
+ */
+export async function exchangeCodeForTokens(params) {
+    const f = params.fetchImpl ?? globalThis.fetch;
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: params.code,
+        code_verifier: params.codeVerifier,
+        client_id: params.clientId,
+        redirect_uri: params.redirectUri,
+        resource: params.resource,
+    });
+    const res = await f(`${params.logtoEndpoint}/oidc/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body,
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => '');
+        throw new Error(`Token exchange failed: HTTP ${res.status}${text ? ` — ${text}` : ''}`);
+    }
+    return res.json();
+}
+/**
+ * Exchange a refresh_token for a new access_token (and a rotated
+ * refresh_token, if Logto is configured for rolling refresh).
+ *
+ * Throws `RefreshTokenInvalidError` on 400/401 so the caller can purge
+ * local credentials and prompt for re-login.
+ */
+export async function refreshAccessToken(params) {
+    const f = params.fetchImpl ?? globalThis.fetch;
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: params.refreshToken,
+        client_id: params.clientId,
+        resource: params.resource,
+    });
+    const res = await f(`${params.logtoEndpoint}/oidc/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body,
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => '');
+        // 400 (invalid_grant) and 401 both indicate a dead refresh token.
+        if (res.status === 400 || res.status === 401) {
+            throw new RefreshTokenInvalidError(`Refresh token rejected: HTTP ${res.status}${text ? ` — ${text}` : ''}`);
+        }
+        throw new Error(`Token refresh failed: HTTP ${res.status}${text ? ` — ${text}` : ''}`);
+    }
+    return res.json();
+}
+//# sourceMappingURL=token-exchange.js.map

package/dist/auth/token-exchange.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-exchange.js","sourceRoot":"","sources":["../../src/auth/token-exchange.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAoBH,iFAAiF;AAEjF;;;;;GAKG;AACH,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD,YAAY,GAAW;QACrB,KAAK,CAAC,GAAG,CAAC,CAAC;QACX,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAA0B;IAE1B,MAAM,CAAC,GAAG,MAAM,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAE/C,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,MAAM,CAAC,aAAa,aAAa,EAAE;QACxD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;QACJ,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,+BAA+B,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACvE,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAA0B,CAAC;AAC5C,CAAC;AAYD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAA0B;IAE1B,MAAM,CAAC,GAAG,MAAM,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;IAE/C,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,MAAM,CAAC,aAAa,aAAa,EAAE;QACxD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;QACJ,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,kEAAkE;QAClE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7C,MAAM,IAAI,wBAAwB,CAChC,gCAAgC,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACxE,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CACb,8BAA8B,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACtE,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAA4B,CAAC;AAC9C,CAAC"}

package/dist/clients/claude-code.js

@@ -0,0 +1,170 @@
+/**
+ * Claude Code adapter.
+ *
+ * Wires the Node-based hook runner into `~/.claude/settings.json` and
+ * registers the MCP server via `claude mcp add`.
+ *
+ * Hook entries point at `node <path>/hook-runner.js <subcommand>` — the
+ * universal bundled runner installed at `~/.cybedefend/hook-runner.js`.
+ * No bash, no jq — runs the same way on Linux / macOS / Windows.
+ */
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { home, log, readJson, run, which, writeJson } from '../utils.js';
+import { hookCommand, VIBEDEFEND_PATH_MARKER, isVibedefendOwnedHookCommand, } from '../hooks/install.js';
+import { probeBinaryVersion } from './detect.js';
+const CLAUDE_SETTINGS = home('.claude', 'settings.json');
+function detect() {
+    if (which('claude') === null) {
+        return {
+            installed: false,
+            supportsHooks: false,
+            reason: '`claude` CLI not on PATH. Install Claude Code from https://claude.com/claude-code',
+        };
+    }
+    const version = probeBinaryVersion('claude') ?? undefined;
+    return { installed: true, version, supportsHooks: true };
+}
+function supports(event) {
+    return [
+        'fetch-rules',
+        'session-start',
+        'stop',
+        'pre-compact',
+        // Claude Code is the ONLY adapter that opts into UserPromptSubmit
+        // today — see user-prompt-submit.ts header for the rationale (the
+        // brainstorming skill hijack we need to backstop). Codex follows the
+        // doctrine directly via MCP Server.instructions; the other clients
+        // either don't have an equivalent event or haven't shown the same
+        // hijack behaviour.
+        'user-prompt-submit',
+    ].includes(event);
+}
+/**
+ * Drop any prior entry that belongs to vibedefend (V0 manual template
+ * `tools/cybedefend-claude-hooks/hook-*.sh`, V1 bash hooks under
+ * `~/.cybedefend/hooks/*.sh`, and current V2 entries
+ * `node ~/.cybedefend/hook-runner.js ...`). Preserves unrelated user
+ * hooks. See `isVibedefendOwnedHookCommand` for the exact match set.
+ */
+function dropOurs(entries) {
+    return entries.filter((e) => !(e.hooks ?? []).some((h) => isVibedefendOwnedHookCommand(h.command)));
+}
+function writeSettings(opts) {
+    const settings = readJson(CLAUDE_SETTINGS, {});
+    settings.hooks ??= {};
+    settings.hooks.PreToolUse ??= [];
+    settings.hooks.Stop ??= [];
+    settings.hooks.SessionStart ??= [];
+    settings.hooks.PreCompact ??= [];
+    settings.hooks.UserPromptSubmit ??= [];
+    settings.hooks.PreToolUse = dropOurs(settings.hooks.PreToolUse);
+    settings.hooks.SessionStart = dropOurs(settings.hooks.SessionStart);
+    settings.hooks.Stop = dropOurs(settings.hooks.Stop);
+    settings.hooks.PreCompact = dropOurs(settings.hooks.PreCompact);
+    settings.hooks.UserPromptSubmit = dropOurs(settings.hooks.UserPromptSubmit);
+    settings.hooks.PreToolUse.push({
+        matcher: 'Edit|Write|MultiEdit',
+        hooks: [{ type: 'command', command: hookCommand('fetch-rules') }],
+    });
+    // Action Guards: hard-block hook. Runs on every tool call (no matcher so
+    // it fires for Read/Write/Edit/Bash/WebFetch etc.). Exit code 2 → Claude
+    // Code blocks the tool call and surfaces the message to the model.
+    settings.hooks.PreToolUse.push({
+        hooks: [{ type: 'command', command: hookCommand('guard-check') }],
+    });
+    settings.hooks.SessionStart.push({
+        hooks: [{ type: 'command', command: hookCommand('session-start') }],
+    });
+    // UserPromptSubmit fires before the agent processes each user prompt.
+    // We use it to backstop the CybeDefend doctrine when a skill (notably
+    // superpowers:brainstorming) auto-activates and would otherwise
+    // hijack the flow before step 0 / step 1 fire. See
+    // src/hooks/runtime/user-prompt-submit.ts for the full rationale.
+    settings.hooks.UserPromptSubmit.push({
+        hooks: [{ type: 'command', command: hookCommand('user-prompt-submit') }],
+    });
+    if (opts.enableSessionReview) {
+        settings.hooks.Stop.push({
+            matcher: 'Stop',
+            hooks: [{ type: 'command', command: hookCommand('session-review') }],
+        });
+        settings.hooks.PreCompact.push({
+            hooks: [{ type: 'command', command: hookCommand('pre-compact') }],
+        });
+    }
+    writeJson(CLAUDE_SETTINGS, settings);
+    log.ok(`Claude Code hooks wired into ${CLAUDE_SETTINGS}`);
+}
+function registerMcp(opts) {
+    const { region } = opts;
+    log.step(`Registering MCP "${region.mcpName}" in Claude Code`);
+    log.hint(`URL: ${region.mcpUrl}`);
+    const code = run('claude', [
+        'mcp',
+        'add',
+        region.mcpName,
+        '--transport',
+        'http',
+        region.mcpUrl,
+    ]);
+    if (code === 0) {
+        log.ok(`MCP "${region.mcpName}" registered.`);
+        return true;
+    }
+    log.warn(`\`claude mcp add\` returned exit ${code}. It may already be registered — run \`claude mcp list\` to verify.`);
+    return false;
+}
+/**
+ * Pure introspection — never throws. Reports whether our hooks are wired
+ * into `~/.claude/settings.json` and whether the MCP server is registered.
+ *
+ * `mcpRegistered` shells out to `claude mcp list` (the MCP registry lives
+ * in Claude Code's internal store, not a file we can read directly). If
+ * the `claude` binary is absent or the command fails, we degrade to
+ * `false` rather than throwing.
+ */
+function inspect(region) {
+    let hooksWired = false;
+    try {
+        if (existsSync(CLAUDE_SETTINGS)) {
+            hooksWired = readFileSync(CLAUDE_SETTINGS, 'utf8').includes(VIBEDEFEND_PATH_MARKER);
+        }
+    }
+    catch {
+        /* missing/unreadable → false */
+    }
+    let mcpRegistered = false;
+    try {
+        const stdout = execFileSync('claude', ['mcp', 'list'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        });
+        mcpRegistered = stdout.includes(region.mcpName);
+    }
+    catch {
+        /* `claude` binary absent or command failed → false */
+    }
+    return { hooksWired, mcpRegistered };
+}
+export const claudeCodeAdapter = {
+    id: 'claude-code',
+    label: 'Claude Code',
+    detect,
+    supports,
+    writeSettings,
+    registerMcp,
+    inspect,
+};
+/**
+ * Cross-platform sanity gate (used by the installer banner).
+ *
+ * With the Node-based hook runtime (V2), Windows is now SUPPORTED — no
+ * Git Bash / WSL needed. Linux and macOS were already fine. We keep
+ * this function as the central place to gate hooks support in case a
+ * future platform (e.g. some embedded shell) needs special handling.
+ */
+export function checkPlatformSupport() {
+    return { hooksSupported: true };
+}
+//# sourceMappingURL=claude-code.js.map

package/dist/clients/claude-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-code.js","sourceRoot":"","sources":["../../src/clients/claude-code.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEnD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EACL,WAAW,EACX,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,qBAAqB,CAAC;AAS7B,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;AAkBzD,SAAS,MAAM;IACb,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;QAC7B,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,aAAa,EAAE,KAAK;YACpB,MAAM,EACJ,mFAAmF;SACtF,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,kBAAkB,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;IAC1D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AAC3D,CAAC;AAED,SAAS,QAAQ,CAAC,KAAqB;IACrC,OAAO;QACL,aAAa;QACb,eAAe;QACf,MAAM;QACN,aAAa;QACb,kEAAkE;QAClE,kEAAkE;QAClE,qEAAqE;QACrE,mEAAmE;QACnE,kEAAkE;QAClE,oBAAoB;QACpB,oBAAoB;KACrB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,QAAQ,CAAC,OAA0B;IAC1C,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,4BAA4B,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAC7E,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,IAAiB;IACtC,MAAM,QAAQ,GAAG,QAAQ,CAAiB,eAAe,EAAE,EAAE,CAAC,CAAC;IAC/D,QAAQ,CAAC,KAAK,KAAK,EAAE,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,UAAU,KAAK,EAAE,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,EAAE,CAAC;IAC3B,QAAQ,CAAC,KAAK,CAAC,YAAY,KAAK,EAAE,CAAC;IACnC,QAAQ,CAAC,KAAK,CAAC,UAAU,KAAK,EAAE,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,gBAAgB,KAAK,EAAE,CAAC;IAEvC,QAAQ,CAAC,KAAK,CAAC,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAChE,QAAQ,CAAC,KAAK,CAAC,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACpE,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpD,QAAQ,CAAC,KAAK,CAAC,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAChE,QAAQ,CAAC,KAAK,CAAC,gBAAgB,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAE5E,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAC7B,OAAO,EAAE,sBAAsB;QAC/B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC;KAClE,CAAC,CAAC;IAEH,yEAAyE;IACzE,yEAAyE;IACzE,mEAAmE;IACnE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAC7B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC;KAClE,CAAC,CAAC;IACH,QAAQ,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC;QAC/B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,eAAe,CAAC,EAAE,CAAC;KACpE,CAAC,CAAC;IAEH,sEAAsE;IACtE,sEAAsE;IACtE,gEAAgE;IAChE,mDAAmD;IACnD,kEAAkE;IAClE,QAAQ,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC;QACnC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,oBAAoB,CAAC,EAAE,CAAC;KACzE,CAAC,CAAC;IAEH,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC7B,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;SACrE,CAAC,CAAC;QACH,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;YAC7B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC;SAClE,CAAC,CAAC;IACL,CAAC;IAED,SAAS,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IACrC,GAAG,CAAC,EAAE,CAAC,gCAAgC,eAAe,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,WAAW,CAAC,IAAuC;IAC1D,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACxB,GAAG,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,OAAO,kBAAkB,CAAC,CAAC;IAC/D,GAAG,CAAC,IAAI,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAElC,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE;QACzB,KAAK;QACL,KAAK;QACL,MAAM,CAAC,OAAO;QACd,aAAa;QACb,MAAM;QACN,MAAM,CAAC,MAAM;KACd,CAAC,CAAC;IACH,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;QACf,GAAG,CAAC,EAAE,CAAC,QAAQ,MAAM,CAAC,OAAO,eAAe,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,GAAG,CAAC,IAAI,CACN,oCAAoC,IAAI,qEAAqE,CAC9G,CAAC;IACF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,OAAO,CAAC,MAAoB;IAInC,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YAChC,UAAU,GAAG,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,QAAQ,CACzD,sBAAsB,CACvB,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IAED,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE;YACrD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC;QACH,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;IACxD,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAkB;IAC9C,EAAE,EAAE,aAAa;IACjB,KAAK,EAAE,aAAa;IACpB,MAAM;IACN,QAAQ;IACR,aAAa;IACb,WAAW;IACX,OAAO;CACR,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB;IAIlC,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC;AAClC,CAAC"}