@neurosec/sentry 1.0.0

package/scripts/install-sentry.sh

@@ -0,0 +1,253 @@
+#!/usr/bin/env bash
+# NeuroShield Sentry Daemon — Linux systemd Installation Script
+# Usage: sudo bash install-sentry.sh [--mode enforce|monitor|quarantine]
+
+set -euo pipefail
+
+SENTRY_VERSION="${SENTRY_VERSION:-1.0.0}"
+INSTALL_DIR="/usr/local/lib/neuroshield"
+CONFIG_DIR="/etc/neuroshield"
+STATE_DIR="/var/lib/neuroshield/sentry"
+LOG_DIR="/var/log/neuroshield"
+BIN_PATH="/usr/local/bin/neuroshield-sentryd"
+CONFIG_PATH="${CONFIG_DIR}/sentry.yaml"
+SERVICE_NAME="neuroshield-sentry"
+SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
+ENFORCEMENT_MODE="${1:-monitor}"
+MODE_FLAG="${1:-}"
+if [ -z "${MODE_FLAG}" ]; then
+  MODE_FLAG="monitor"
+fi
+
+# Parse --mode flag
+if [[ "${MODE_FLAG}" == --mode=* ]]; then
+  ENFORCEMENT_MODE="${MODE_FLAG#*=}"
+elif [[ "${MODE_FLAG}" == --mode ]]; then
+  ENFORCEMENT_MODE="$2"
+fi
+
+echo "============================================"
+echo " NeuroShield Sentry v${SENTRY_VERSION} Installer"
+echo " Mode: ${ENFORCEMENT_MODE}"
+echo "============================================"
+
+# Check prerequisites
+if [ "$EUID" -ne 0 ]; then
+  echo "Error: This script must be run as root (sudo)" >&2
+  exit 1
+fi
+
+if ! command -v node &>/dev/null; then
+  echo "Error: Node.js is required (>= 20)" >&2
+  exit 1
+fi
+
+NODE_VERSION=$(node -v | sed 's/v//' | cut -d. -f1)
+if [ "${NODE_VERSION}" -lt 20 ]; then
+  echo "Error: Node.js >= 20 required (found v${NODE_VERSION})" >&2
+  exit 1
+fi
+
+# Create directories
+echo "Creating directories..."
+mkdir -p "${INSTALL_DIR}"
+mkdir -p "${CONFIG_DIR}"
+mkdir -p "${STATE_DIR}"
+mkdir -p "${LOG_DIR}"
+
+# Build the sentry package
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+SENTRY_PACKAGE="${PROJECT_DIR}/packages/sentry"
+
+if [ -f "${SENTRY_PACKAGE}/package.json" ]; then
+  echo "Building sentry daemon from source..."
+  cd "${SENTRY_PACKAGE}"
+  if [ ! -d "node_modules" ]; then
+    npm install --production
+  fi
+  npx tsc --outDir dist 2>/dev/null || true
+  cp -r dist "${INSTALL_DIR}/"
+  cp -r node_modules "${INSTALL_DIR}/"
+  cp package.json "${INSTALL_DIR}/"
+else
+  echo "Warning: Sentry package not found at ${SENTRY_PACKAGE}"
+  echo "Creating placeholder..."
+  mkdir -p "${INSTALL_DIR}/dist"
+  cat > "${INSTALL_DIR}/package.json" <<- EOF
+{
+  "name": "@neurosec/sentry",
+  "version": "${SENTRY_VERSION}"
+}
+EOF
+fi
+
+# Install binary wrapper
+cat > "${BIN_PATH}" <<- 'BINEOF'
+#!/usr/bin/env node
+require('/usr/local/lib/neuroshield/dist/index.js');
+BINEOF
+chmod +x "${BIN_PATH}"
+
+# Generate default config if not exists
+if [ ! -f "${CONFIG_PATH}" ]; then
+  echo "Generating default config..."
+  cat > "${CONFIG_PATH}" <<- EOF
+# NeuroShield Sentry Daemon Configuration
+sentry:
+  host_id: "$(hostname)-sentry"
+  version: "${SENTRY_VERSION}"
+  health_port: 9190
+  api_port: 9191
+  state_dir: ${STATE_DIR}
+  pid_file_path: /var/run/neuroshield-sentry.pid
+
+neurosec:
+  endpoint: "https://api.neurosec.ai"
+  org_id: "${NEUROSEC_ORG_ID:-}"
+  token_path: ${CONFIG_DIR}/sentry.token
+  tls_cert: ${CONFIG_DIR}/cert.pem
+  tls_key: ${CONFIG_DIR}/key.pem
+  sync_interval_ms: 30000
+  heartbeat_interval_ms: 300000
+
+enforcement:
+  mode: "${ENFORCEMENT_MODE}"
+  sandbox_enabled: true
+  syscall_filter_enabled: true
+  network_filter_enabled: true
+  filesystem_filter_enabled: true
+
+sandbox_defaults:
+  cpu_max: "0.5"
+  memory_max: "512MB"
+  pid_max: 100
+
+network:
+  allow_hosts:
+    - "api.openai.com:443"
+    - "api.anthropic.com:443"
+    - "api.neurosec.ai:443"
+  block_hosts:
+    - "*.pastebin.com"
+    - "*.ngrok.io"
+    - "*.requestbin.net"
+    - "*.webhook.site"
+  allow_private: false
+  dns_monitor_enabled: true
+
+skill_authz:
+  enabled: true
+  allow_unknown: false
+  require_approval:
+    - "shell_exec"
+    - "bash"
+    - "terminal"
+    - "run_command"
+    - "execute_command"
+
+audit:
+  log_path: ${LOG_DIR}/sentry.log
+  retention_days: 90
+  max_size_mb: 500
+
+discovery:
+  interval_ms: 30000
+  source_paths:
+    - /workspace
+    - /app
+    - /home
+    - /tmp
+EOF
+  echo "  Config written to ${CONFIG_PATH}"
+  echo "  IMPORTANT: Edit ${CONFIG_PATH} and set:"
+  echo "    - neurosec.org_id"
+  echo "    - Place token at ${CONFIG_DIR}/sentry.token"
+  echo "    - Place TLS cert at ${CONFIG_DIR}/cert.pem"
+  echo "    - Place TLS key at ${CONFIG_DIR}/key.pem"
+fi
+
+# Create empty token file with secure permissions if it doesn't exist
+if [ ! -f "${CONFIG_DIR}/sentry.token" ]; then
+  touch "${CONFIG_DIR}/sentry.token"
+  chmod 600 "${CONFIG_DIR}/sentry.token"
+  echo "  Created empty token file: ${CONFIG_DIR}/sentry.token"
+fi
+
+# Install systemd service
+echo "Installing systemd service..."
+cat > "${SERVICE_FILE}" <<- EOF
+[Unit]
+Description=NeuroShield Sentry — Host-Level Agent Protection Daemon
+Documentation=https://docs.neurosec.ai/sentry
+After=network.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${BIN_PATH} ${CONFIG_PATH}
+Restart=always
+RestartSec=10
+TimeoutStopSec=30
+KillMode=process
+SendSIGKILL=no
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=${STATE_DIR} ${LOG_DIR} ${CONFIG_DIR}
+ReadOnlyPaths=/usr/local/lib/neuroshield
+
+# Capabilities for sandboxing (cgroups, seccomp, network filtering)
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_NET_ADMIN CAP_NET_RAW CAP_KILL
+AmbientCapabilities=CAP_SYS_ADMIN CAP_NET_ADMIN CAP_NET_RAW CAP_KILL
+
+# Resource limits
+MemoryMax=512M
+CPUQuota=50%
+LimitNOFILE=65536
+
+# Environment
+Environment=NODE_ENV=production
+Environment=SENTRY_CONFIG_PATH=${CONFIG_PATH}
+Environment=LOG_LEVEL=info
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+chmod 644 "${SERVICE_FILE}"
+echo "  Service file: ${SERVICE_FILE}"
+
+# Enable and start service
+systemctl daemon-reload
+systemctl enable "${SERVICE_NAME}"
+
+echo ""
+echo "============================================"
+echo " Installation Complete!"
+echo "============================================"
+echo ""
+echo " Next steps:"
+echo "   1. Edit ${CONFIG_PATH} with your NeuroSec org ID"
+echo "   2. Set your sentry token: echo 'your-token' > ${CONFIG_DIR}/sentry.token"
+echo "   3. Start the daemon:  systemctl start ${SERVICE_NAME}"
+echo "   4. Check status:     systemctl status ${SERVICE_NAME}"
+echo "   5. View logs:        journalctl -u ${SERVICE_NAME} -f"
+echo "   6. Local API:        curl http://127.0.0.1:9191/api/v1/status"
+echo ""
+echo " Monitoring mode: ${ENFORCEMENT_MODE}"
+echo "   - monitor:    Log violations only (safe for initial rollout)"
+echo "   - enforce:    Block violations per policy"
+echo "   - quarantine: Block everything, kill on repeated violations"
+echo ""
+echo " To switch mode later:"
+echo "   sed -i 's/mode:.*/mode: \"enforce\"/' ${CONFIG_PATH}"
+echo "   systemctl restart ${SERVICE_NAME}"
+echo ""

package/scripts/postinstall.js

@@ -0,0 +1,191 @@
+#!/usr/bin/env node
+/**
+ * NeuroShield Sentry — postinstall script
+ * Runs after `npm install @neurosec/sentry` or `npm install -g @neurosec/sentry`
+ *
+ * Creates a default sentry.yaml in /etc/neuroshield/ (or user-local fallback)
+ * so the daemon works out of the box. The user should run `neuroshield-sentry setup`
+ * for a guided configuration.
+ */
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+
+const VERSION = '1.0.0';
+
+function getPlatformPaths() {
+  const platform = os.platform();
+  if (platform === 'darwin') {
+    return {
+      configDir: '/usr/local/etc/neuroshield',
+      configPath: '/usr/local/etc/neuroshield/sentry.yaml',
+      tokenPath: '/usr/local/etc/neuroshield/sentry.token',
+      stateDir: '/usr/local/var/lib/neuroshield/sentry',
+      logDir: '/usr/local/var/log/neuroshield',
+      pidFile: '/usr/local/var/run/neuroshield-sentry.pid',
+    };
+  }
+  if (platform === 'linux') {
+    return {
+      configDir: '/etc/neuroshield',
+      configPath: '/etc/neuroshield/sentry.yaml',
+      tokenPath: '/etc/neuroshield/sentry.token',
+      stateDir: '/var/lib/neuroshield/sentry',
+      logDir: '/var/log/neuroshield',
+      pidFile: '/var/run/neuroshield-sentry.pid',
+    };
+  }
+  // fallback: user-local
+  const home = os.homedir();
+  return {
+    configDir: path.join(home, '.config', 'neuroshield'),
+    configPath: path.join(home, '.config', 'neuroshield', 'sentry.yaml'),
+    tokenPath: path.join(home, '.config', 'neuroshield', 'sentry.token'),
+    stateDir: path.join(home, '.local', 'share', 'neuroshield', 'sentry'),
+    logDir: path.join(home, '.local', 'share', 'neuroshield', 'logs'),
+    pidFile: path.join(home, '.local', 'run', 'neuroshield-sentry.pid'),
+  };
+}
+
+function generateDefaultConfig(paths) {
+  const hostname = os.hostname();
+  const token = `nst_${crypto.randomBytes(24).toString('hex')}`;
+
+  return `# NeuroShield Sentry Daemon Configuration
+# Auto-generated by postinstall at ${new Date().toISOString()}
+# Run \`neuroshield-sentry setup\` for an interactive guided setup
+
+sentry:
+  host_id: "${hostname}-sentry"
+  version: "${VERSION}"
+  health_port: 9190
+  api_port: 9191
+  state_dir: "${paths.stateDir}"
+  pid_file_path: "${paths.pidFile}"
+
+neurosec:
+  endpoint: "https://api.neurosec.ai"
+  org_id: ""
+  token_path: "${paths.tokenPath}"
+  sync_interval_ms: 30000
+  heartbeat_interval_ms: 300000
+
+enforcement:
+  mode: "monitor"
+  sandbox_enabled: ${os.platform() === 'linux' ? 'true' : 'false'}
+  syscall_filter_enabled: ${os.platform() === 'linux' ? 'true' : 'false'}
+  network_filter_enabled: true
+  filesystem_filter_enabled: true
+
+sandbox_defaults:
+  cpu_max: "0.5"
+  memory_max: "512MB"
+  pid_max: 100
+
+network:
+  allow_hosts:
+    - "api.openai.com:443"
+    - "api.anthropic.com:443"
+    - "api.neurosec.ai:443"
+  block_hosts:
+    - "*.pastebin.com"
+    - "*.ngrok.io"
+    - "*.requestbin.net"
+    - "*.webhook.site"
+  allow_private: false
+  dns_monitor_enabled: true
+
+skill_authz:
+  enabled: true
+  allow_unknown: false
+  require_approval:
+    - "shell_exec"
+    - "bash"
+    - "terminal"
+    - "run_command"
+
+audit:
+  log_path: "${paths.logDir}/sentry.log"
+  retention_days: 90
+  max_size_mb: 500
+
+discovery:
+  interval_ms: 30000
+  source_paths:
+    - /workspace
+    - /app
+    - /home
+    - /tmp
+`;
+}
+
+function main() {
+  const paths = getPlatformPaths();
+  const configDir = paths.configDir;
+  const configPath = paths.configPath;
+  const tokenPath = paths.tokenPath;
+
+  // Skip if config already exists
+  if (fs.existsSync(configPath)) {
+    console.log(`[neuroshield-sentry] Config already exists at ${configPath} — skipping`);
+    return;
+  }
+
+  // Create directories
+  const dirs = [configDir, paths.stateDir, paths.logDir, path.dirname(paths.pidFile)];
+  for (const dir of dirs) {
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+    } catch (e) {
+      console.warn(`[neuroshield-sentry] Warning: could not create ${dir}: ${e.message}`);
+    }
+  }
+
+  // Write default config
+  const content = generateDefaultConfig(paths);
+  try {
+    fs.writeFileSync(configPath, content, 'utf8');
+    console.log(`[neuroshield-sentry] Default config written to ${configPath}`);
+  } catch (e) {
+    console.warn(`[neuroshield-sentry] Warning: could not write config to ${configPath}`);
+    console.warn(`  ${e.message}`);
+    console.warn(`  Run \`sudo neuroshield-sentry setup\` to configure.`);
+    return;
+  }
+
+  // Write placeholder token
+  try {
+    const placeholderToken = `nst_${crypto.randomBytes(24).toString('hex')}`;
+    fs.writeFileSync(tokenPath, placeholderToken, 'utf8');
+    fs.chmodSync(tokenPath, 0o600);
+    console.log(`[neuroshield-sentry] Token file created at ${tokenPath}`);
+  } catch (e) {
+    console.warn(`[neuroshield-sentry] Warning: could not write token: ${e.message}`);
+  }
+
+  console.log('');
+  console.log('╔══════════════════════════════════════════════════════════╗');
+  console.log('║     NeuroShield Sentry installed!                       ║');
+  console.log('╠══════════════════════════════════════════════════════════╣');
+  console.log('║                                                          ║');
+  console.log('║  Next steps:                                             ║');
+  console.log('║                                                          ║');
+  console.log('║  1. Configure your NeuroSec connection:                  ║');
+  console.log(`║     neuroshield-sentry setup                             ║`);
+  console.log('║     (or set env vars: NEUROSEC_ORG_ID, etc.)             ║');
+  console.log('║                                                          ║');
+  console.log('║  2. Install as a system service:                         ║');
+  console.log('║     sudo neuroshield-sentry install                      ║');
+  console.log('║                                                          ║');
+  console.log('║  3. Or run directly:                                     ║');
+  console.log('║     sudo neuroshield-sentryd                             ║');
+  console.log('║                                                          ║');
+  console.log('║  4. Check status:                                        ║');
+  console.log('║     neuroshield-sentry status                            ║');
+  console.log('║                                                          ║');
+  console.log('╚══════════════════════════════════════════════════════════╝');
+  console.log('');
+}
+
+main();

package/scripts/prepack.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+/**
+ * NeuroShield Sentry — prepack script
+ * Runs before `npm pack` / `npm publish`.
+ * Ensures everything is built and ready for distribution.
+ */
+const fs = require('fs');
+const path = require('path');
+
+const REQUIRED_FILES = [
+  'dist/index.js',
+  'dist/cli.js',
+  'dist/setup.js',
+  'bin/sentryd.js',
+  'bin/cli.js',
+  'scripts/postinstall.js',
+  'package.json',
+];
+
+let allOk = true;
+for (const file of REQUIRED_FILES) {
+  const fullPath = path.resolve(__dirname, '..', file);
+  if (!fs.existsSync(fullPath)) {
+    console.error(`[prepack] MISSING: ${file} — run \`npm run build\` first`);
+    allOk = false;
+  }
+}
+
+if (!allOk) {
+  process.exit(1);
+}
+
+console.log(`[prepack] All required files present. Package ready for publish.`);