@glrs-dev/assume 0.6.4

package/CHANGELOG.md

@@ -0,0 +1,41 @@
+# @glrs-dev/assume
+
+## 0.6.4
+
+### Patch Changes
+
+- [#21](https://github.com/iceglober/glrs/pull/21) [`4db487c`](https://github.com/iceglober/glrs/commit/4db487ce0b6e13cbee62c2f6a88be5574649b4b2) Thanks [@iceglober](https://github.com/iceglober)! - Fix gs-assume daemon auto-refresh — stop launchd respawn loop, verify PID ownership, enable default tracing, truncate oversized log.
+
+  - `gs-assume serve --foreground` now exits 0 (not error) when a healthy daemon is already running, breaking the launchd KeepAlive tight-respawn loop
+  - `is_daemon_running()` now verifies process identity via `ps -p <pid> -o comm=` to detect recycled PIDs
+  - Added `RUST_LOG=info,hyper=warn` to launchd plist EnvironmentVariables and as default tracing filter
+  - Added `ThrottleInterval=10` to launchd plist as defense-in-depth
+  - Added log truncation on startup if `daemon.stderr.log` exceeds 10 MB
+  - After successful session refresh, credentials are now re-fetched in the same tick (eliminating the 60s dead window)
+
+## 0.6.3
+
+### Major Changes
+
+- First release under the `@glrs-dev` npm scope. Rust crate renamed from `assume` to `glrs-assume` for crates.io publishing; npm package name is `@glrs-dev/assume`.
+- Bins `gs-assume` and `gsa` are preserved — existing shell aliases and muscle memory keep working.
+- Source moved from [`iceglober/glorious`](https://github.com/iceglober/glorious) (now archived) to [`iceglober/glrs/packages/assume/`](https://github.com/iceglober/glrs/tree/main/packages/assume). Full git history preserved via `git-filter-repo`.
+
+### Packaging
+
+- npm package ships via the prebuilt-binary `optionalDependencies` pattern: five platform packages (`@glrs-dev/assume-{darwin-arm64,darwin-x64,linux-x64,linux-arm64,win32-x64}`) each carry the prebuilt binary; the main `@glrs-dev/assume` package selects the right one at runtime via its TypeScript shim. No postinstall scripts.
+- Rust crate also publishes to crates.io as `glrs-assume` — `cargo install glrs-assume` still works.
+
+### Install
+
+```bash
+# Prebuilt binary via npm (recommended for most users)
+npm i -g @glrs-dev/assume
+
+# Build from source via cargo
+cargo install glrs-assume
+```
+
+---
+
+_For version history before the monorepo consolidation, see [`iceglober/glorious/releases`](https://github.com/iceglober/glorious/releases) (filter: `assume-*`)._

package/README.md

@@ -0,0 +1,221 @@
+<div align="center">
+
+<br/>
+
+# `@glrs-dev/assume`
+
+**Authenticate once, work all day.**<br/>
+Multi-cloud credential manager with per-shell context switching.
+
+[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](LICENSE)
+[![npm version](https://img.shields.io/npm/v/@glrs-dev/assume?style=flat-square)](https://www.npmjs.com/package/@glrs-dev/assume)
+
+<br/>
+
+</div>
+
+## Getting Started
+
+### Install
+
+```bash
+npm i -g @glrs-dev/assume
+```
+
+The prebuilt binary for your platform is auto-selected via npm's `optionalDependencies`. No postinstall scripts.
+
+Two equivalent bins ship with the package: `gs-assume` and `gsa` (shorter alias). Pick one; they're identical.
+
+> [!NOTE]
+> Crates.io publishing (`cargo install glrs-assume`) is planned but not yet enabled. For now, `npm i -g @glrs-dev/assume` is the only install path.
+
+### First-time setup
+
+```bash
+gsa login aws       # Opens browser for AWS Identity Center
+gsa profiles        # List all available account/role pairs
+gsa use dev         # Switch context by fuzzy match
+```
+
+<br/>
+
+## The Daily Loop
+
+> Login once, switch instantly, credentials follow you.
+
+```bash
+gsa login aws                    # authenticate (once per session)
+gsa use dev                      # switch context in this shell
+gsa use prod                     # different context in another shell
+aws s3 ls                        # just works — credentials served locally
+gsa console                      # open AWS console in browser
+```
+
+<br/>
+
+## Commands
+
+| Command | What happens |
+|:--|:--|
+| `gsa login <provider>` | Interactive auth — opens browser, polls for completion |
+| `gsa use <pattern>` | Fuzzy-match context switch, per-shell. TUI picker if no pattern. |
+| `gsa profiles` | List all contexts with active marker and danger tags |
+| `gsa status` | Auth status, token expiry, active context, daemon health |
+| `gsa sync` | Re-fetch contexts from provider APIs |
+| `gsa exec -- <cmd>` | Run a command with injected credentials |
+| `gsa console` | Open provider's web console for active context |
+| `gsa credential-process` | AWS `credential_process` JSON output for SDK integration |
+| `gsa config show` | View current configuration |
+| `gsa config set <key> <val>` | Set a config value (dot notation) |
+| `gsa shell-init <shell>` | Print shell integration script (bash, zsh, fish) |
+| `gsa serve --install` | Install to PATH + launch agent (daemon starts on login) |
+| `gsa serve --uninstall` | Remove binary, symlink, and launch agent |
+| `gsa upgrade` | Self-update to latest release |
+| `gsa logout [provider]` | Clear stored credentials |
+
+<br/>
+
+## Agent & MCP Integration
+
+Permission-gated credential access for AI agents (Claude Code, etc.).
+
+| Command | What happens |
+|:--|:--|
+| `gsa agent allow` | TUI multi-select to toggle which contexts agents can access |
+| `gsa agent allow --list` | Show currently approved contexts |
+| `gsa agent allow --clear` | Revoke all agent access |
+| `gsa agent exec -- <cmd>` | Run a command with auto-refreshing credentials (permission-gated) |
+| `gsa agent mcp` | Start MCP server for AI agent integration |
+
+**Default deny** — no context is agent-accessible unless explicitly approved via `gsa agent allow`.
+
+### MCP server
+
+Register in your Claude Code settings:
+
+```json
+{
+  "mcpServers": {
+    "gsa": { "command": "gsa", "args": ["agent", "mcp"] }
+  }
+}
+```
+
+Tools provided:
+- **`run_with_credentials`** — run a shell command with auto-refreshing AWS credentials
+- **`list_contexts`** — list contexts approved for agent access
+
+### Wrapping other MCP servers
+
+Any MCP server that needs AWS credentials can be wrapped with `gsa agent exec`:
+
+```json
+{
+  "mcpServers": {
+    "aws-tools": { "command": "gsa", "args": ["agent", "exec", "--", "npx", "@aws/mcp-server"] }
+  }
+}
+```
+
+The wrapped server inherits `AWS_CONTAINER_CREDENTIALS_FULL_URI` pointing at the daemon, so credentials auto-refresh indefinitely.
+
+<br/>
+
+## Shell Integration
+
+`serve --install` adds this to your shell rc automatically:
+
+```bash
+eval "$(gsa shell-init zsh)"
+```
+
+This gives you:
+- **`gsa` wrapper** — `gsa use` sets context as an env var in the current shell
+- **Prompt segment** — shows `[aws:account/role]` in green (or red for dangerous contexts)
+- **Per-shell isolation** — each terminal can have a different active context
+- **Zero prompt delay** — reads an env var, no subprocess
+
+<br/>
+
+## Configuration
+
+Config file: `~/.config/gs-assume/config.toml` (macOS: `~/Library/Application Support/gs-assume/config.toml`)
+
+```toml
+[providers.aws]
+start_url = "https://myorg.awsapps.com/start"
+region = "us-east-1"
+
+[[providers.aws.profiles]]
+account_id = "111111111111"
+role_name = "AdministratorAccess"
+alias = "prod/admin"
+tags = ["production", "dangerous"]
+color = "red"
+confirm = true
+```
+
+Team config (`gs-assume.team.toml` in repo root) merges with user config — user wins on conflicts.
+
+<br/>
+
+## Security
+
+- Credentials encrypted at rest with **AES-256-GCM** (not plaintext like AWS CLI, granted, or Leapp)
+- Encryption key stored at `vault.key` with `0600` permissions
+- Credential daemon serves tokens over `localhost` only
+- All token files are `0600`
+- Agent access gated by `agent-allowed.json` allowlist (default deny)
+- All credential operations audit-logged to `~/.config/gs-assume/audit.log`
+
+<br/>
+
+## Architecture
+
+```
+src/
+├── main.rs                 # CLI entry (clap)
+├── cli/
+│   ├── agent.rs            # Agent access: allow, exec, mcp dispatch
+│   ├── mcp.rs              # MCP JSON-RPC 2.0 server over stdio
+│   ├── login.rs            # Interactive auth + first-time setup
+│   ├── use_cmd.rs          # Fuzzy context switch, per-shell env vars
+│   ├── status.rs           # Auth status + prompt segment
+│   ├── profiles.rs         # Context listing with danger tags
+│   ├── sync.rs             # Re-fetch contexts from APIs
+│   ├── exec.rs             # Run command with injected creds
+│   ├── serve.rs            # Daemon + install/uninstall
+│   ├── console.rs          # Open web console
+│   ├── config_cmd.rs       # Config get/set/show
+│   ├── shell_init.rs       # Shell integration output
+│   ├── credential_process.rs # AWS credential_process
+│   ├── logout.rs           # Clear credentials
+│   └── upgrade.rs          # Self-update
+├── core/
+│   ├── config.rs           # TOML config + team config merging
+│   ├── keychain.rs         # AES-256-GCM encrypted storage
+│   ├── cache.rs            # Context + active context + agent-allowed cache
+│   ├── daemon.rs           # Daemon lifecycle, refresh loop, launchd
+│   ├── fuzzy.rs            # nucleo fuzzy matching
+│   ├── rpc.rs              # Unix socket RPC
+│   ├── audit.rs            # Event logging
+│   ├── notify.rs           # Desktop notifications
+│   └── update_check.rs     # Version check + auto-upgrade
+├── plugin/
+│   ├── mod.rs              # Provider trait + data types
+│   └── registry.rs         # Plugin registry + validation
+├── providers/
+│   ├── aws/                # AWS Identity Center (SSO OIDC + STS)
+│   └── gcp/                # Google Cloud (stub)
+├── tui/
+│   └── picker.rs           # Interactive context picker + multi-select
+└── shell/
+    ├── prompt.rs           # ANSI prompt formatting
+    └── completions.rs      # Shell completions
+```
+
+---
+
+<div align="center">
+<sub>MIT License</sub>
+</div>

package/dist/chunk-J5BWAQEL.js

@@ -0,0 +1,42 @@
+// src/npm-shim/index.ts
+import { createRequire } from "module";
+import * as path from "path";
+import * as fs from "fs";
+var require2 = createRequire(import.meta.url);
+function detectPlatform() {
+  const { platform, arch } = process;
+  if (platform === "darwin" && arch === "arm64") return "darwin-arm64";
+  if (platform === "darwin" && arch === "x64") return "darwin-x64";
+  if (platform === "linux" && arch === "x64") return "linux-x64";
+  if (platform === "linux" && arch === "arm64") return "linux-arm64";
+  throw new Error(
+    `[@glrs-dev/assume] Unsupported platform: ${platform}-${arch}. Supported: darwin-arm64, darwin-x64, linux-x64, linux-arm64. Windows support is not currently available \u2014 the daemon is Unix-architectured. File an issue at https://github.com/iceglober/glrs/issues if you need another target.`
+  );
+}
+var BIN_NAME = "gs-assume";
+function getBinaryPath() {
+  const platform = detectPlatform();
+  const pkgName = `@glrs-dev/assume-${platform}`;
+  let pkgJsonPath;
+  try {
+    pkgJsonPath = require2.resolve(`${pkgName}/package.json`);
+  } catch (err) {
+    throw new Error(
+      `[@glrs-dev/assume] Platform package '${pkgName}' not found. This usually means 'optionalDependencies' were skipped (e.g. 'npm install --no-optional'). Reinstall with optional deps enabled, or run 'npm i ${pkgName}' directly.`,
+      { cause: err }
+    );
+  }
+  const pkgDir = path.dirname(pkgJsonPath);
+  const binPath = path.join(pkgDir, "bin", BIN_NAME);
+  if (!fs.existsSync(binPath)) {
+    throw new Error(
+      `[@glrs-dev/assume] Binary not found at ${binPath}. The platform package '${pkgName}' appears corrupted. Try reinstalling.`
+    );
+  }
+  return binPath;
+}
+
+export {
+  BIN_NAME,
+  getBinaryPath
+};

package/dist/cli.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/cli.js

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+import {
+  getBinaryPath
+} from "./chunk-J5BWAQEL.js";
+
+// src/npm-shim/cli.ts
+import { spawn } from "child_process";
+try {
+  const binary = getBinaryPath();
+  const args = process.argv.slice(2);
+  const child = spawn(binary, args, {
+    stdio: "inherit",
+    windowsHide: false
+  });
+  child.on("error", (err) => {
+    console.error(`[@glrs-dev/assume] Failed to spawn binary: ${err.message}`);
+    process.exit(127);
+  });
+  child.on("exit", (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal);
+      return;
+    }
+    process.exit(code ?? 0);
+  });
+} catch (err) {
+  console.error(err.message);
+  process.exit(1);
+}

package/dist/index.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @glrs-dev/assume — platform resolution shim.
+ *
+ * The main npm package contains no binaries itself. Instead, one of five
+ * platform-specific packages is installed via `optionalDependencies`, and
+ * this shim locates the correct prebuilt binary at runtime.
+ *
+ * The pattern mirrors esbuild, swc, and turbo. No postinstall scripts are
+ * involved — npm's `os` + `cpu` fields in each platform package cause
+ * npm/pnpm/bun to skip packages that don't match the user's platform.
+ */
+declare const BIN_NAME = "gs-assume";
+/**
+ * Resolve the path to the prebuilt binary for this platform.
+ *
+ * If you hit a "platform package not found" error, you may have run `npm
+ * install --no-optional` or have a package manager that silently skipped
+ * the optional dep. In that case install the matching platform package
+ * directly:
+ *
+ *     npm i @glrs-dev/assume-<platform>
+ */
+declare function getBinaryPath(): string;
+
+export { BIN_NAME, getBinaryPath };

package/dist/index.js

@@ -0,0 +1,8 @@
+import {
+  BIN_NAME,
+  getBinaryPath
+} from "./chunk-J5BWAQEL.js";
+export {
+  BIN_NAME,
+  getBinaryPath
+};

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "@glrs-dev/assume",
+  "version": "0.6.4",
+  "publishConfig": {
+    "access": "public"
+  },
+  "description": "Unified SSO credential manager for AWS, GCP, and more — npm distribution of the glrs-assume Rust binary.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/iceglober/glrs.git",
+    "directory": "packages/assume"
+  },
+  "homepage": "https://glrs.dev/assume",
+  "bugs": {
+    "url": "https://github.com/iceglober/glrs/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "bin": {
+    "gs-assume": "./dist/cli.js",
+    "gsa": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "CHANGELOG.md"
+  ],
+  "keywords": [
+    "sso",
+    "aws",
+    "gcp",
+    "credentials",
+    "assume",
+    "glrs"
+  ],
+  "engines": {
+    "bun": ">=1.2.0"
+  },
+  "scripts": {
+    "build": "tsup src/npm-shim/index.ts src/npm-shim/cli.ts --format esm --dts --clean",
+    "typecheck": "tsc --noEmit",
+    "test": "bun test scripts/sync-version.test.mjs scripts/pack-platform-tarballs.test.mjs",
+    "lint": "echo 'no linter configured yet'",
+    "pack:platforms": "bun scripts/pack-platform-tarballs.mjs",
+    "sync:version": "bun scripts/sync-version.mjs"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/node": "^22",
+    "tsup": "^8",
+    "typescript": "^5"
+  },
+  "optionalDependencies": {
+    "@glrs-dev/assume-darwin-arm64": "0.6.4",
+    "@glrs-dev/assume-darwin-x64": "0.6.4",
+    "@glrs-dev/assume-linux-x64": "0.6.4",
+    "@glrs-dev/assume-linux-arm64": "0.6.4"
+  }
+}