@highflame/overwatch 1.0.0

package/dist/yara/engine.d.ts

@@ -0,0 +1,58 @@
+/**
+ * YARA Engine - Native YARA pattern matching using @litko/yara-x
+ *
+ * Provides local YARA scanning for content validation without
+ * requiring external binaries.
+ */
+/**
+ * Individual pattern match data from YARA
+ */
+export interface YaraMatchData {
+    identifier: string;
+    data: string;
+    offset: number;
+    length: number;
+}
+export interface YaraMatch {
+    rule: string;
+    namespace?: string;
+    severity: string;
+    category: string;
+    description?: string;
+    metadata?: Record<string, unknown>;
+    tags?: string[];
+    matches?: YaraMatchData[];
+}
+/**
+ * YARA Engine - compiles and runs YARA rules
+ */
+export declare class YaraEngine {
+    private rules;
+    private rulesLoaded;
+    private rulesCount;
+    /**
+     * Load and compile YARA rules from a directory
+     */
+    loadRules(rulesDir: string): Promise<void>;
+    /**
+     * Check if engine is ready for scanning
+     */
+    isReady(): boolean;
+    /**
+     * Get number of loaded rule files
+     */
+    getRulesCount(): number;
+    /**
+     * Scan content synchronously
+     */
+    scan(content: string): YaraMatch[];
+    /**
+     * Scan content asynchronously (for large content)
+     */
+    scanAsync(content: string): Promise<YaraMatch[]>;
+    /**
+     * Parse raw matches into structured format
+     */
+    private parseMatches;
+}
+//# sourceMappingURL=engine.d.ts.map

package/dist/yara/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/yara/engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;CAC3B;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAAsB;IACnC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,UAAU,CAAK;IAEvB;;OAEG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuDhD;;OAEG;IACH,OAAO,IAAI,OAAO;IAIlB;;OAEG;IACH,aAAa,IAAI,MAAM;IAIvB;;OAEG;IACH,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE;IAgBlC;;OAEG;IACG,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAgBtD;;OAEG;IACH,OAAO,CAAC,YAAY;CA6BrB"}

package/dist/yara/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * YARA module exports
+ */
+export { YaraEngine, type YaraMatch, type YaraMatchData } from "./engine";
+//# sourceMappingURL=index.d.ts.map

package/dist/yara/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/yara/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAE,KAAK,aAAa,EAAE,MAAM,UAAU,CAAC"}

package/lib/platform-loader.js

@@ -0,0 +1,210 @@
+/**
+ * Platform Loader
+ *
+ * Runtime platform detection and binary/module loading for @highflame/overwatch.
+ * Follows the esbuild distribution pattern with platform-specific optionalDependencies.
+ *
+ * Loading order:
+ * 1. Try loading from @highflame/overwatch-{platform} package (npm install)
+ * 2. Fall back to local bin/ 
+ * 3. Fall back to ~/.overwatch/bin/ and system PATH
+ */
+
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+// Platform mapping: Node.js platform/arch -> package suffix and Rust target
+const PLATFORM_MAP = {
+  'darwin-arm64': {
+    package: '@highflame/overwatch-darwin-arm64',
+    rustTarget: 'aarch64-apple-darwin',
+    binaryName: 'ramparts-aarch64-apple-darwin',
+  },
+  'darwin-x64': {
+    package: '@highflame/overwatch-darwin-x64',
+    rustTarget: 'x86_64-apple-darwin',
+    binaryName: 'ramparts-x86_64-apple-darwin',
+  },
+  'linux-x64': {
+    package: '@highflame/overwatch-linux-x64',
+    rustTarget: 'x86_64-unknown-linux-gnu',
+    binaryName: 'ramparts-x86_64-unknown-linux-gnu',
+  },
+  'linux-arm64': {
+    package: '@highflame/overwatch-linux-arm64',
+    rustTarget: 'aarch64-unknown-linux-gnu',
+    binaryName: 'ramparts-aarch64-unknown-linux-gnu',
+  },
+};
+
+/**
+ * Get current platform key (e.g., "darwin-arm64")
+ * @returns {string}
+ */
+function getPlatformKey() {
+  return `${process.platform}-${process.arch}`;
+}
+
+/**
+ * Get platform configuration for current platform
+ * @returns {object|null}
+ */
+function getPlatformConfig() {
+  const key = getPlatformKey();
+  return PLATFORM_MAP[key] || null;
+}
+
+/**
+ * Try to load the platform-specific package
+ * Uses indirect require to prevent bundler analysis (esbuild, webpack)
+ * @returns {object|null} The loaded platform package or null
+ */
+function loadPlatformPackage() {
+  const config = getPlatformConfig();
+  if (!config) {
+    return null;
+  }
+
+  try {
+    // Use indirect require to prevent bundler from analyzing this
+    // This allows the optionalDependencies to work correctly
+    const dynamicRequire = typeof __non_webpack_require__ !== 'undefined'
+      ? __non_webpack_require__
+      : require;
+    return dynamicRequire(config.package);
+  } catch (error) {
+    // Package not installed - this is expected when using local dev setup
+    return null;
+  }
+}
+
+/**
+ * Get the guardian package root directory
+ * Works from both dist/ and lib/ locations
+ * @returns {string}
+ */
+function getPackageRoot() {
+  // This file is in lib/, so go up one level
+  // When bundled, __dirname will be dist/, so this still works
+  let currentDir = __dirname;
+
+  // Handle various directory structures
+  const baseName = path.basename(currentDir);
+  if (baseName === 'lib' || baseName === 'dist') {
+    return path.resolve(currentDir, '..');
+  }
+
+  // If we're deeply nested (e.g., dist/lib), go up appropriately
+  return path.resolve(currentDir, '..');
+}
+
+/**
+ * Get the path to the ramparts binary
+ *
+ * Search order:
+ * 1. Platform package (npm optionalDependency)
+ * 2. Local bin/ directory (dev mode)
+ * 3. ~/.overwatch/bin/
+ * 4. System PATH
+ *
+ * @returns {string|null} Path to binary or null if not found
+ */
+function getRampartsBinaryPath() {
+  const config = getPlatformConfig();
+
+  // 1. Try platform package first
+  const platformPkg = loadPlatformPackage();
+  if (platformPkg && typeof platformPkg.getRampartsBinaryPath === 'function') {
+    const binaryPath = platformPkg.getRampartsBinaryPath();
+    if (binaryPath && fs.existsSync(binaryPath)) {
+      return binaryPath;
+    }
+  }
+
+  // 2. Try local bin/ directory (dev mode)
+  const packageRoot = getPackageRoot();
+  const localPaths = [];
+
+  if (config) {
+    // Platform-specific binary name
+    localPaths.push(path.join(packageRoot, 'bin', config.binaryName));
+  }
+
+  // Generic paths
+  localPaths.push(
+    path.join(packageRoot, 'bin', 'ramparts'),
+    path.join(packageRoot, 'dist', 'bin', 'ramparts'),
+  );
+
+  for (const p of localPaths) {
+    if (fs.existsSync(p)) {
+      return p;
+    }
+  }
+
+  // 3. Try ~/.overwatch/bin/
+  const overwatchPaths = [];
+  if (config) {
+    overwatchPaths.push(path.join(os.homedir(), '.overwatch', 'bin', config.binaryName));
+  }
+  overwatchPaths.push(path.join(os.homedir(), '.overwatch', 'bin', 'ramparts'));
+
+  for (const p of overwatchPaths) {
+    if (fs.existsSync(p)) {
+      return p;
+    }
+  }
+
+  // 4. Try PATH as last resort
+  try {
+    const { execSync } = require('child_process');
+    const which = execSync('which ramparts', { encoding: 'utf-8' }).trim();
+    if (which && fs.existsSync(which)) {
+      return which;
+    }
+  } catch {
+    // Not in PATH
+  }
+
+  return null;
+}
+
+
+/**
+ * Check if the current platform is supported
+ * @returns {boolean}
+ */
+function isPlatformSupported() {
+  return getPlatformConfig() !== null;
+}
+
+/**
+ * Get a helpful error message when platform binaries are not found
+ * @returns {string}
+ */
+function getPlatformNotFoundMessage() {
+  const key = getPlatformKey();
+  const config = getPlatformConfig();
+
+  if (!config) {
+    return `Unsupported platform: ${key}. Supported platforms: ${Object.keys(PLATFORM_MAP).join(', ')}`;
+  }
+
+  return `Platform binaries not found for ${key}.\n` +
+    `\n` +
+    `To fix this, either:\n` +
+    `  1. Install the platform package: npm install ${config.package}\n` +
+    `  2. Run the native deps build: ./scripts/build-native-deps.sh\n` +
+    `  3. Place binaries in ~/.overwatch/bin/\n`;
+}
+
+module.exports = {
+  getPlatformKey,
+  getPlatformConfig,
+  loadPlatformPackage,
+  getRampartsBinaryPath,
+  isPlatformSupported,
+  getPlatformNotFoundMessage,
+  PLATFORM_MAP,
+};

package/package.json

@@ -0,0 +1,63 @@
+{
+  "name": "@highflame/overwatch",
+  "version": "1.0.0",
+  "description": "Standalone security daemon for IDE-agnostic AI agent security",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "overwatch": "./bin/overwatch",
+    "overwatch-daemon": "./dist/daemon.js"
+  },
+  "scripts": {
+    "build": "node esbuild.config.mjs && tsc --emitDeclarationOnly",
+    "build:watch": "node esbuild.config.mjs --watch",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "prebuild": "npm run clean",
+    "prepublishOnly": "npm run build",
+    "postinstall": "node scripts/postinstall.js || true"
+  },
+  "keywords": [
+    "security",
+    "validation",
+    "javelin",
+    "guardrails",
+    "daemon",
+    "ipc",
+    "ai-security",
+    "mcp",
+    "ide-security",
+    "cursor",
+    "claude-code"
+  ],
+  "author": "Highflame AI",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@highflame/policy": "^1.1.3",
+    "@litko/yara-x": "^0.4.0",
+    "commander": "^11.1.0",
+    "ejs": "^3.1.9",
+    "open": "^11.0.0"
+  },
+  "optionalDependencies": {
+    "@highflame/overwatch-darwin-arm64": "1.0.0",
+    "@highflame/overwatch-darwin-x64": "1.0.0",
+    "@highflame/overwatch-linux-arm64": "1.0.0",
+    "@highflame/overwatch-linux-x64": "1.0.0"
+  },
+  "devDependencies": {
+    "@types/ejs": "^3.1.5",
+    "@types/node": "^18.19.130",
+    "esbuild": "^0.20.2",
+    "typescript": "^5.9.3"
+  },
+  "files": [
+    "dist",
+    "lib",
+    "scripts",
+    "README.md",
+    "LICENSE"
+  ]
+}

package/scripts/postinstall.js

@@ -0,0 +1,121 @@
+#!/usr/bin/env node
+
+/**
+ * Postinstall Script for @highflame/overwatch
+ *
+ * Automatically starts the daemon and installs Cursor hooks.
+ */
+
+const { spawn } = require('child_process');
+const path = require('path');
+
+// CI environment detection
+const CI_ENV_VARS = [
+  'CI',
+  'CONTINUOUS_INTEGRATION',
+  'GITHUB_ACTIONS',
+  'TRAVIS',
+  'CIRCLECI',
+  'JENKINS',
+  'GITLAB_CI',
+  'BUILDKITE',
+  'DRONE',
+  'TEAMCITY_VERSION',
+];
+
+function isCI() {
+  return CI_ENV_VARS.some(envVar => process.env[envVar]);
+}
+
+function shouldSkip() {
+  // Skip in CI environments
+  if (isCI()) {
+    return true;
+  }
+
+  // Skip if GUARDIAN_SKIP_POSTINSTALL is set
+  if (process.env.GUARDIAN_SKIP_POSTINSTALL) {
+    return true;
+  }
+
+  // Skip during npm pack/publish
+  if (process.env.npm_command === 'pack' || process.env.npm_command === 'publish') {
+    return true;
+  }
+
+  // Skip if called from postinstall (prevent recursion)
+  if (process.env.GUARDIAN_POSTINSTALL) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Run a command and return a promise
+ */
+function runCommand(command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const proc = spawn(command, args, {
+      stdio: options.silent ? 'ignore' : 'inherit',
+      env: {
+        ...process.env,
+        GUARDIAN_POSTINSTALL: '1', // Prevent recursion
+      },
+      ...options,
+    });
+
+    proc.on('close', (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        reject(new Error(`Command failed with code ${code}`));
+      }
+    });
+
+    proc.on('error', reject);
+  });
+}
+
+async function main() {
+  if (shouldSkip()) {
+    return;
+  }
+
+  console.log('');
+  console.log('[overwatch] Setting up Overwatch Guardian...');
+  console.log('');
+
+  // Run CLI directly via Node.js 
+  const cliPath = path.join(__dirname, '..', 'dist', 'cli.js');
+
+  try {
+    // Step 1: Start the daemon
+    console.log('[overwatch] Starting Guardian daemon...');
+    await runCommand(process.execPath, [cliPath, 'start']);
+    console.log('[overwatch] ✅ Daemon started');
+  } catch (error) {
+    console.log('[overwatch] ⚠️  Could not start daemon automatically');
+    console.log('[overwatch] Run manually: overwatch start');
+  }
+
+  try {
+    // Step 2: Install Cursor hooks
+    console.log('[overwatch] Installing Cursor hooks...');
+    await runCommand(process.execPath, [cliPath, 'install', 'cursor']);
+    console.log('[overwatch] ✅ Cursor hooks installed');
+  } catch (error) {
+    console.log('[overwatch] ⚠️  Could not install Cursor hooks automatically');
+    console.log('[overwatch] Run manually: overwatch install cursor');
+  }
+
+  console.log('');
+  console.log('[overwatch] Setup complete!');
+  console.log('[overwatch] Check status: overwatch status');
+  console.log('');
+}
+
+main().catch((error) => {
+  // Don't fail the install on postinstall errors
+  console.error('[overwatch] Postinstall warning:', error.message);
+});