npm - @guardion/guardion - Versions diffs - 0.2.0 - Mend

@guardion/guardion 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/hooks/guardion-hook.cjs ADDED Viewed

@@ -0,0 +1,202 @@
+#!/usr/bin/env node
+/**
+ * Guardion Claude Code hook — monitoring-only event forwarder.
+ *
+ * Reads hook event JSON from stdin, resolves config + token, posts to Guard API.
+ * Always exits 0 — never blocks Claude Code.
+ *
+ * Config (in priority order):
+ *   ~/.guardion/config.json     written by `npx guardion init`
+ *   GUARDION_API_URL env        override for CI / testing
+ *   GUARDION_POLICY env         override for CI / testing
+ *
+ * Token (first match wins):
+ *   GUARDION_TOKEN env          CI / testing
+ *   macOS Keychain              service=guardion, account=token
+ *   /etc/guardion/token         enterprise MDM, root-owned
+ *   ~/.guardion/token           user-level fallback
+ */
+'use strict';
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+const http  = require('http');
+const https = require('https');
+const { execFileSync } = require('child_process');
+// ── Constants ────────────────────────────────────────────────────────────────
+const HOOK_TIMEOUT_MS    = 3000;
+const KEYCHAIN_TIMEOUT   = 1000;
+const GUARDION_DIR       = path.join(os.homedir(), '.guardion');
+const CONFIG_JSON_PATH   = path.join(GUARDION_DIR, 'config.json');
+const SESSION_DIR        = path.join(GUARDION_DIR, 'sessions');
+const CURRENT_SESSION    = path.join(GUARDION_DIR, 'current-session');
+const HOOK_EVENTS_PATH   = '/v1/hooks/events';
+// ── Config ───────────────────────────────────────────────────────────────────
+function loadConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_JSON_PATH, 'utf8'));
+  } catch {
+    return {
+      api_url:     process.env.GUARDION_API_URL     || 'https://api.guardion.ai',
+      policy:      process.env.GUARDION_POLICY      || '',
+      application: process.env.GUARDION_APPLICATION || 'claude-code',
+      tier:        process.env.GUARDION_TIER        || 'hooks',
+    };
+  }
+}
+// ── Token ────────────────────────────────────────────────────────────────────
+function resolveToken() {
+  if (process.env.GUARDION_TOKEN) return process.env.GUARDION_TOKEN.trim();
+  if (process.platform === 'darwin') {
+    try {
+      const t = execFileSync(
+        'security',
+        ['find-generic-password', '-s', 'guardion', '-a', 'token', '-w'],
+        { timeout: KEYCHAIN_TIMEOUT, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }
+      ).trim();
+      if (t) return t;
+    } catch { /* not in keychain */ }
+  }
+  for (const p of ['/etc/guardion/token', path.join(GUARDION_DIR, 'token')]) {
+    try {
+      const t = fs.readFileSync(p, 'utf8').trim();
+      if (t) return t;
+    } catch { /* file absent */ }
+  }
+  return '';
+}
+// ── Session persistence ───────────────────────────────────────────────────────
+function writeCurrentSession(sessionId) {
+  try {
+    fs.mkdirSync(GUARDION_DIR, { recursive: true });
+    const tmp = CURRENT_SESSION + '.tmp';
+    fs.writeFileSync(tmp, sessionId, 'utf8');
+    fs.renameSync(tmp, CURRENT_SESSION);
+  } catch { /* non-critical */ }
+}
+function readCurrentSession() {
+  try { return fs.readFileSync(CURRENT_SESSION, 'utf8').trim(); } catch { return ''; }
+}
+function deleteCurrentSession() {
+  try { fs.unlinkSync(CURRENT_SESSION); } catch { /* already gone */ }
+}
+function writeSessionMeta(sessionId, meta) {
+  try {
+    fs.mkdirSync(SESSION_DIR, { recursive: true });
+    fs.writeFileSync(
+      path.join(SESSION_DIR, `${sessionId}.json`),
+      JSON.stringify(meta, null, 2),
+      'utf8'
+    );
+  } catch { /* non-critical */ }
+}
+function deleteSessionMeta(sessionId) {
+  if (!sessionId) return;
+  try { fs.unlinkSync(path.join(SESSION_DIR, `${sessionId}.json`)); } catch { /* gone */ }
+}
+// ── HTTP POST ─────────────────────────────────────────────────────────────────
+function postEvent(apiUrl, token, payload) {
+  return new Promise((resolve) => {
+    let url;
+    try { url = new URL(HOOK_EVENTS_PATH, apiUrl); } catch {
+      return resolve();
+    }
+    const transport = url.protocol === 'https:' ? https : http;
+    const body = JSON.stringify(payload);
+    const req = transport.request(
+      {
+        hostname: url.hostname,
+        port:     url.port || (url.protocol === 'https:' ? 443 : 80),
+        path:     url.pathname + url.search,
+        method:   'POST',
+        headers:  {
+          'Content-Type':   'application/json',
+          'Authorization':  `Bearer ${token}`,
+          'Content-Length': Buffer.byteLength(body),
+        },
+        timeout: HOOK_TIMEOUT_MS,
+      },
+      (res) => { res.resume(); res.on('end', resolve); }
+    );
+    req.on('error',   resolve);
+    req.on('timeout', () => { req.destroy(); resolve(); });
+    req.write(body);
+    req.end();
+  });
+}
+// ── Metadata ──────────────────────────────────────────────────────────────────
+function collectMetadata(payload) {
+  try {
+    const { collectMetadata: collect } = require('./metadata.cjs');
+    return collect(payload);
+  } catch {
+    return { session_id: payload.session_id || null, cwd: payload.cwd || process.cwd() };
+  }
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+// Safety: hard exit after timeout regardless of network state
+setTimeout(() => process.exit(0), HOOK_TIMEOUT_MS + 1500);
+let rawInput = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', (chunk) => { rawInput += chunk; });
+process.stdin.on('end', async () => {
+  let payload;
+  try { payload = JSON.parse(rawInput); } catch { return process.exit(0); }
+  const config = loadConfig();
+  const token  = resolveToken();
+  if (!token) return process.exit(0);
+  const event = payload.hook_event_name || payload.event || '';
+  // Enrich payload with config context
+  if (config.policy)      payload.policy      = config.policy;
+  if (config.application) payload.application = config.application;
+  if (event === 'SessionStart') {
+    const meta      = collectMetadata(payload);
+    const sessionId = payload.session_id || meta.session_id || `gs-${Date.now()}`;
+    payload.trace_id = sessionId;
+    payload.metadata = meta;
+    writeCurrentSession(sessionId);
+    writeSessionMeta(sessionId, meta);
+  } else if (event === 'SessionEnd') {
+    const sessionId = payload.session_id || readCurrentSession();
+    payload.trace_id = sessionId;
+    deleteCurrentSession();
+    deleteSessionMeta(sessionId);
+  } else {
+    const traceId = process.env.GUARDION_TRACE_ID || readCurrentSession();
+    if (traceId) payload.trace_id = traceId;
+  }
+  await postEvent(config.api_url, token, payload);
+  process.exit(0);
+});

package/hooks/metadata.cjs ADDED Viewed

@@ -0,0 +1,86 @@
+'use strict';
+const os   = require('os');
+const fs   = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+const GIT_TIMEOUT_MS  = 2000;
+const SESSION_FILE_DIR = path.join(os.homedir(), '.claude', 'sessions');
+function gitCmd(args, cwd) {
+  try {
+    return execFileSync('git', args, {
+      cwd: cwd || process.cwd(),
+      timeout: GIT_TIMEOUT_MS,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+function readSessionFile() {
+  const pids = [process.pid, process.ppid];
+  for (const pid of pids) {
+    try {
+      return JSON.parse(fs.readFileSync(path.join(SESSION_FILE_DIR, `${pid}.json`), 'utf8'));
+    } catch { /* try next */ }
+  }
+  // Fallback: most recent session file
+  try {
+    const files = fs.readdirSync(SESSION_FILE_DIR)
+      .filter(f => f.endsWith('.json'))
+      .map(f => ({ name: f, mtime: fs.statSync(path.join(SESSION_FILE_DIR, f)).mtimeMs }))
+      .sort((a, b) => b.mtime - a.mtime);
+    if (files.length > 0) {
+      return JSON.parse(fs.readFileSync(path.join(SESSION_FILE_DIR, files[0].name), 'utf8'));
+    }
+  } catch { /* dir absent or empty */ }
+  return null;
+}
+function collectMetadata(hookPayload) {
+  const cwd         = hookPayload.cwd || process.cwd();
+  const sessionFile = readSessionFile();
+  const meta = {
+    session_id:  hookPayload.session_id || sessionFile?.sessionId || null,
+    pid:         sessionFile?.pid || process.ppid || null,
+    cwd,
+    started_at:  sessionFile?.startedAt || null,
+    kind:        sessionFile?.kind || null,
+    entrypoint:  sessionFile?.entrypoint || null,
+  };
+  try { meta.os_user = os.userInfo().username; } catch {
+    meta.os_user = process.env.USER || process.env.USERNAME || null;
+  }
+  try { meta.os_uid = process.getuid ? process.getuid() : null; } catch { meta.os_uid = null; }
+  meta.git_user_name  = gitCmd(['config', 'user.name'], cwd);
+  meta.git_user_email = gitCmd(['config', 'user.email'], cwd);
+  try { meta.hostname = os.hostname(); } catch { meta.hostname = null; }
+  meta.platform    = process.platform;
+  meta.arch        = process.arch;
+  try { meta.os_version = os.release(); } catch { meta.os_version = null; }
+  meta.node_version = process.version;
+  meta.shell        = process.env.SHELL || null;
+  meta.git_remote = gitCmd(['remote', 'get-url', 'origin'], cwd);
+  meta.git_branch = gitCmd(['branch', '--show-current'], cwd);
+  meta.git_commit = gitCmd(['rev-parse', '--short', 'HEAD'], cwd);
+  const porcelain = gitCmd(['status', '--porcelain'], cwd);
+  meta.git_dirty  = porcelain !== null ? porcelain.length > 0 : null;
+  // Strip null/undefined to keep payload compact
+  for (const k of Object.keys(meta)) {
+    if (meta[k] === null || meta[k] === undefined) delete meta[k];
+  }
+  return meta;
+}
+module.exports = { collectMetadata, readSessionFile, gitCmd };

package/package.json ADDED Viewed

@@ -0,0 +1,67 @@
+{
+  "name": "@guardion/guardion",
+  "version": "0.2.0",
+  "type": "module",
+  "description": "AI security monitoring for Claude Code — full agent observability via hooks",
+  "bin": {
+    "guardion": "dist/cli.js"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/GuardionAI/guardion.git"
+  },
+  "homepage": "https://guardion.ai",
+  "keywords": [
+    "security",
+    "monitoring",
+    "ai",
+    "claude",
+    "claude-code",
+    "guardrails",
+    "hooks",
+    "observability",
+    "llm"
+  ],
+  "author": {
+    "name": "Guardion AI",
+    "email": "rafael@guardion.ai",
+    "url": "https://guardion.ai"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/cli.ts",
+    "hook": "tsx src/cli.ts hook",
+    "mock": "tsx src/cli.ts mock",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:integration": "vitest run --reporter=verbose __tests__/integration"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "express": "^4.21.0",
+    "js-yaml": "^4.1.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.21",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^22.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.6.0",
+    "vitest": "^4.1.4"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "dist",
+    "hooks",
+    "plugin.json",
+    "config.yaml.example"
+  ],
+  "license": "MIT"
+}