@highflame/overwatch-v2 2.0.0-internal.1

package/dist/installer.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Hook Installer
+ * Installs IDE-specific hooks that integrate with Guardian daemon
+ */
+export type SupportedIDE = "cursor" | "claudecode" | "github_copilot" | "gemini_cli" | "codex";
+interface InstallResult {
+    ide: string;
+    hooksLocation: string;
+    hooksInstalled: boolean;
+}
+/**
+ * Install hooks for an IDE
+ * @param ide IDE identifier
+ * @param options Optional configuration (e.g., repoPath for GitHub Copilot)
+ */
+export declare function installHooks(ide: string, options?: {
+    repoPath?: string;
+}): Promise<void>;
+/**
+ * Uninstall hooks for an IDE
+ * @param ide IDE name
+ * @param silent If true, don't print messages (used by clear command)
+ */
+export declare function uninstallHooks(ide: string, silent?: boolean): Promise<void>;
+/**
+ * List installed hooks
+ * Checks IDE-native hook locations to determine if hooks are installed
+ */
+export declare function listInstalledHooks(): Promise<InstallResult[]>;
+export {};

package/dist/module.d.ts

@@ -0,0 +1,55 @@
+export declare class GuardianModule {
+    private readonly configReader;
+    private httpServer;
+    private scanner;
+    private cerberusClient;
+    private hookPipeline;
+    private hookHandler;
+    private scanHandler;
+    private oauthHandler;
+    private skillsScanner;
+    private projectSkillsCache;
+    private static readonly PROJECT_SKILLS_CACHE_TTL;
+    private agentDetector;
+    private machineId;
+    private coverageInterval;
+    private static readonly COVERAGE_INTERVAL_MS;
+    private scanIngestor;
+    private skillsIngestor;
+    private adminClient;
+    private installationRecorder;
+    private pendingOAuthStates;
+    private readonly oauthStateTimeout;
+    private initialized;
+    private debug;
+    constructor(config?: {
+        httpPort?: number;
+        debug?: boolean;
+    });
+    init(): Promise<void>;
+    /**
+     * Start coverage reporting - runs on startup and every 10 minutes
+     */
+    private startCoverageReporting;
+    /**
+     * Report coverage metrics to admin API
+     */
+    private reportCoverage;
+    /**
+     * Initialize admin client for installation tracking and coverage reporting.
+     * Extracted from the removed initPolicyManager().
+     */
+    private initAdminClient;
+    private checkInstallation;
+    private recordInstallation;
+    startServer(): Promise<void>;
+    private runStartupSkillsScan;
+    private handleShutdown;
+    stopServer(): Promise<void>;
+    getPort(): number;
+    /**
+     * Scan project-level skills if not recently cached
+     * Called from hook handler when workspace is present in event
+     */
+    scanProjectSkillsIfNeeded(workspace: string): Promise<void>;
+}

package/dist/scanner.d.ts

@@ -0,0 +1,79 @@
+/**
+ * MCP Scanner - Runs bundled ramparts binary for MCP config scanning
+ *
+ * Supports running ramparts as a child process for local YARA scanning
+ * of MCP server configurations.
+ *
+ * Uses platform-loader for cross-platform binary discovery.
+ */
+/**
+ * Scan result from ramparts CLI
+ */
+export interface ScanResult {
+    scan_type: string;
+    total_servers: number;
+    results: ScanServerResult[];
+}
+export interface ScanServerResult {
+    server_name: string;
+    url?: string;
+    server_info?: {
+        name?: string;
+        metadata?: {
+            transport?: string;
+        };
+    };
+    tools?: unknown[];
+    prompts?: unknown[];
+    resources?: unknown[];
+    security_issues?: {
+        tool_issues?: unknown[];
+    };
+    yara_results?: YaraResult[];
+}
+export interface YaraResult {
+    status: "ok" | "warning" | "error";
+    target_type?: string;
+    rule_name?: string;
+    rule_metadata?: {
+        severity?: string;
+        description?: string;
+    };
+}
+/**
+ * MCP Scanner that uses bundled ramparts binary
+ */
+export declare class MCPScanner {
+    private rampartsPath;
+    constructor();
+    /**
+     * Find the ramparts binary based on platform
+     * Uses platform-loader for cross-platform discovery.
+     *
+     * Search order:
+     * 1. Platform package (npm optionalDependency)
+     * 2. Local bin/ directory (dev mode)
+     * 3. ~/.overwatch/bin/
+     * 4. System PATH
+     */
+    private findRampartsBinary;
+    /**
+     * Check if scanner is available
+     */
+    isAvailable(): boolean;
+    /**
+     * Get the path to ramparts binary
+     */
+    getBinaryPath(): string | null;
+    /**
+     * Run MCP config scan
+     * @param rulesDir Optional custom YARA rules directory
+     */
+    runScan(rulesDir?: string): Promise<ScanResult>;
+    /**
+     * Parse ramparts CLI output
+     * Handles cases where CLI prints banner/logs before JSON
+     */
+    private parseOutput;
+    private getEmptyResult;
+}

package/dist/version.d.ts

@@ -0,0 +1,4 @@
+export declare const VERSION: string;
+export declare const HIGHFLAME_API_URL = "https://api.highflame.ai";
+export declare const HIGHFLAME_OAUTH_URL = "https://studio.highflame.ai";
+export declare const HIGHFLAME_CERBERUS_URL = "https://cerberus.highflame.ai";

package/lib/platform-loader.js

@@ -0,0 +1,234 @@
+/**
+ * Platform Loader
+ *
+ * Runtime platform detection and binary/module loading for @highflame/overwatch-v2.
+ * Follows the esbuild distribution pattern with platform-specific optionalDependencies.
+ *
+ * Loading order:
+ * 1. Try loading from @highflame/overwatch-{platform} package (npm install)
+ * 2. Fall back to local bin/ 
+ * 3. Fall back to ~/.overwatch/bin/ and system PATH
+ */
+
+const path = require("path");
+const fs = require("fs");
+const os = require("os");
+
+// Platform mapping: Node.js platform/arch -> package suffix and Rust target
+const PLATFORM_MAP = {
+  'darwin-arm64': {
+    package: '@highflame/overwatch-v2-darwin-arm64',
+    rustTarget: 'aarch64-apple-darwin',
+    binaryName: 'ramparts-aarch64-apple-darwin',
+  },
+  'darwin-x64': {
+    package: '@highflame/overwatch-v2-darwin-x64',
+    rustTarget: 'x86_64-apple-darwin',
+    binaryName: 'ramparts-x86_64-apple-darwin',
+  },
+  'linux-x64': {
+    package: '@highflame/overwatch-v2-linux-x64',
+    rustTarget: 'x86_64-unknown-linux-gnu',
+    binaryName: 'ramparts-x86_64-unknown-linux-gnu',
+  },
+  'linux-arm64': {
+    package: '@highflame/overwatch-v2-linux-arm64',
+    rustTarget: 'aarch64-unknown-linux-gnu',
+    binaryName: 'ramparts-aarch64-unknown-linux-gnu',
+  },
+  "win32-x64": {
+    package: "@highflame/overwatch-v2-win32-x64",
+    rustTarget: "x86_64-pc-windows-msvc",
+    binaryName: "ramparts-x86_64-pc-windows-msvc.exe",
+  },
+  "win32-arm64": {
+    package: "@highflame/overwatch-v2-win32-arm64",
+    rustTarget: "aarch64-pc-windows-msvc",
+    binaryName: "ramparts-aarch64-pc-windows-msvc.exe",
+  },
+};
+
+/**
+ * Get current platform key (e.g., "darwin-arm64")
+ * @returns {string}
+ */
+function getPlatformKey() {
+  return `${process.platform}-${process.arch}`;
+}
+
+/**
+ * Get platform configuration for current platform
+ * @returns {object|null}
+ */
+function getPlatformConfig() {
+  const key = getPlatformKey();
+  return PLATFORM_MAP[key] || null;
+}
+
+/**
+ * Try to load the platform-specific package
+ * Uses indirect require to prevent bundler analysis (esbuild, webpack)
+ * @returns {object|null} The loaded platform package or null
+ */
+function loadPlatformPackage() {
+  const config = getPlatformConfig();
+  if (!config) {
+    return null;
+  }
+
+  try {
+    // Use indirect require to prevent bundler from analyzing this
+    // This allows the optionalDependencies to work correctly
+    const dynamicRequire =
+      typeof __non_webpack_require__ !== "undefined"
+        ? __non_webpack_require__
+        : require;
+    return dynamicRequire(config.package);
+  } catch (error) {
+    // Package not installed - this is expected when using local dev setup
+    return null;
+  }
+}
+
+/**
+ * Get the guardian package root directory
+ * Works from both dist/ and lib/ locations
+ * @returns {string}
+ */
+function getPackageRoot() {
+  // This file is in lib/, so go up one level
+  // When bundled, __dirname will be dist/, so this still works
+  let currentDir = __dirname;
+
+  // Handle various directory structures
+  const baseName = path.basename(currentDir);
+  if (baseName === "lib" || baseName === "dist") {
+    return path.resolve(currentDir, "..");
+  }
+
+  // If we're deeply nested (e.g., dist/lib), go up appropriately
+  return path.resolve(currentDir, "..");
+}
+
+/**
+ * Get the path to the ramparts binary
+ *
+ * Search order:
+ * 1. Platform package (npm optionalDependency)
+ * 2. Local bin/ directory (dev mode)
+ * 3. ~/.overwatch/bin/
+ * 4. System PATH
+ *
+ * @returns {string|null} Path to binary or null if not found
+ */
+function getRampartsBinaryPath() {
+  const config = getPlatformConfig();
+
+  // 1. Try platform package first
+  const platformPkg = loadPlatformPackage();
+  if (platformPkg && typeof platformPkg.getRampartsBinaryPath === "function") {
+    const binaryPath = platformPkg.getRampartsBinaryPath();
+    if (binaryPath && fs.existsSync(binaryPath)) {
+      return binaryPath;
+    }
+  }
+
+  // 2. Try local bin/ directory (dev mode)
+  const packageRoot = getPackageRoot();
+  const localPaths = [];
+  const isWindows = process.platform === "win32";
+  const genericBinaryName = isWindows ? "ramparts.exe" : "ramparts";
+
+  if (config) {
+    // Platform-specific binary name
+    localPaths.push(path.join(packageRoot, "bin", config.binaryName));
+  }
+
+  // Generic paths
+  localPaths.push(
+    path.join(packageRoot, "bin", genericBinaryName),
+    path.join(packageRoot, "dist", "bin", genericBinaryName),
+  );
+
+  for (const p of localPaths) {
+    if (fs.existsSync(p)) {
+      return p;
+    }
+  }
+
+  // 3. Try ~/.overwatch/bin/
+  const overwatchPaths = [];
+  if (config) {
+    overwatchPaths.push(
+      path.join(os.homedir(), ".overwatch", "bin", config.binaryName),
+    );
+  }
+  overwatchPaths.push(
+    path.join(os.homedir(), ".overwatch", "bin", genericBinaryName),
+  );
+
+  for (const p of overwatchPaths) {
+    if (fs.existsSync(p)) {
+      return p;
+    }
+  }
+
+  // 4. Try PATH as last resort
+  try {
+    const { execSync } = require("child_process");
+    const findCmd = isWindows
+      ? `where ${genericBinaryName}`
+      : `which ${genericBinaryName}`;
+
+    const result = execSync(findCmd, { encoding: "utf-8" }).trim();
+    // 'where' on Windows can return multiple lines; take the first one
+    const foundPath = result.split(/\r?\n/)[0];
+    if (foundPath && fs.existsSync(foundPath)) {
+      return foundPath;
+    }
+  } catch {
+    // Not in PATH
+  }
+
+  return null;
+}
+
+/**
+ * Check if the current platform is supported
+ * @returns {boolean}
+ */
+function isPlatformSupported() {
+  return getPlatformConfig() !== null;
+}
+
+/**
+ * Get a helpful error message when platform binaries are not found
+ * @returns {string}
+ */
+function getPlatformNotFoundMessage() {
+  const key = getPlatformKey();
+  const config = getPlatformConfig();
+
+  if (!config) {
+    return `Unsupported platform: ${key}. Supported platforms: ${Object.keys(PLATFORM_MAP).join(", ")}`;
+  }
+
+  return (
+    `Platform binaries not found for ${key}.\n` +
+    `\n` +
+    `To fix this, either:\n` +
+    `  1. Install the platform package: npm install ${config.package}\n` +
+    `  2. Run the native deps build: ./scripts/build-native-deps.sh\n` +
+    `  3. Place binaries in ~/.overwatch/bin/\n`
+  );
+}
+
+module.exports = {
+  getPlatformKey,
+  getPlatformConfig,
+  loadPlatformPackage,
+  getRampartsBinaryPath,
+  isPlatformSupported,
+  getPlatformNotFoundMessage,
+  PLATFORM_MAP,
+};

package/package.json

@@ -0,0 +1,75 @@
+{
+  "name": "@highflame/overwatch-v2",
+  "version": "2.0.0-internal.1",
+  "description": "Standalone security daemon for IDE-agnostic AI agent security",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "overwatch": "./bin/overwatch",
+    "overwatch-daemon": "./dist/daemon.js"
+  },
+  "scripts": {
+    "build": "node esbuild.config.mjs && tsc --emitDeclarationOnly",
+    "build:watch": "node esbuild.config.mjs --watch",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "prebuild": "npm run clean",
+    "prepublishOnly": "npm run build",
+    "test": "jest",
+    "test:unit": "jest --selectProjects unit",
+    "test:integration": "jest --selectProjects integration"
+  },
+  "keywords": [
+    "security",
+    "validation",
+    "javelin",
+    "guardrails",
+    "daemon",
+    "ipc",
+    "ai-security",
+    "mcp",
+    "ide-security",
+    "cursor",
+    "claude-code"
+  ],
+  "author": "Highflame AI",
+  "license": "MIT",
+  "homepage": "https://docs.highflame.ai/",
+  "publishConfig": {
+    "access": "public",
+    "tag": "internal"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "commander": "^11.1.0",
+    "open": "^11.0.0"
+  },
+  "optionalDependencies": {
+    "@highflame/overwatch-v2-darwin-arm64": "2.0.0-internal.1",
+    "@highflame/overwatch-v2-darwin-x64": "2.0.0-internal.1",
+    "@highflame/overwatch-v2-linux-arm64": "2.0.0-internal.1",
+    "@highflame/overwatch-v2-linux-x64": "2.0.0-internal.1",
+    "@highflame/overwatch-v2-win32-arm64": "2.0.0-internal.1",
+    "@highflame/overwatch-v2-win32-x64": "2.0.0-internal.1"
+  },
+  "devDependencies": {
+    "@types/jest": "^30.0.0",
+    "@types/node": "^18.19.130",
+    "esbuild": "^0.20.2",
+    "jest": "^30.2.0",
+    "ts-jest": "^29.4.6",
+    "typescript": "^5.9.3"
+  },
+  "files": [
+    "dist/*.js",
+    "dist/*.d.ts",
+    "dist/bin",
+    "dist/hooks",
+    "lib",
+    "bin/overwatch",
+    "README.md",
+    "LICENSE"
+  ]
+}