@s-gw/s-gw 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (123) hide show
  1. package/.codex-plugin/plugin.json +35 -0
  2. package/.mcp.json +16 -0
  3. package/LICENSE +201 -0
  4. package/NOTICE +7 -0
  5. package/README.md +197 -0
  6. package/TRADEMARKS.md +9 -0
  7. package/assets/icons/aws-ec2.png +0 -0
  8. package/assets/icons/lucide/bot.svg +8 -0
  9. package/assets/icons/lucide/monitor.svg +5 -0
  10. package/assets/icons/lucide/server.svg +6 -0
  11. package/assets/icons/lucide/terminal.svg +4 -0
  12. package/assets/icons/s-gw-128.png +0 -0
  13. package/assets/icons/s-gw-16.png +0 -0
  14. package/assets/icons/s-gw-180.png +0 -0
  15. package/assets/icons/s-gw-192.png +0 -0
  16. package/assets/icons/s-gw-32.png +0 -0
  17. package/assets/icons/s-gw-64.png +0 -0
  18. package/assets/icons/s-gw-menu-bar-template.png +0 -0
  19. package/dist/agent-context.d.ts +17 -0
  20. package/dist/agent-context.js +207 -0
  21. package/dist/agents.d.ts +64 -0
  22. package/dist/agents.js +763 -0
  23. package/dist/cli.d.ts +2 -0
  24. package/dist/cli.js +1385 -0
  25. package/dist/command-suggest.d.ts +3 -0
  26. package/dist/command-suggest.js +131 -0
  27. package/dist/console-server.d.ts +16 -0
  28. package/dist/console-server.js +978 -0
  29. package/dist/console-ui/assets/codex-DYTPdPxi.png +0 -0
  30. package/dist/console-ui/assets/cursor-CBrUTJD-.png +0 -0
  31. package/dist/console-ui/assets/geist-cyrillic-ext-wght-normal-DjL33-gN.woff2 +0 -0
  32. package/dist/console-ui/assets/geist-cyrillic-wght-normal-BEAKL7Jp.woff2 +0 -0
  33. package/dist/console-ui/assets/geist-latin-ext-wght-normal-DC-KSUi6.woff2 +0 -0
  34. package/dist/console-ui/assets/geist-latin-wght-normal-BgDaEnEv.woff2 +0 -0
  35. package/dist/console-ui/assets/geist-vietnamese-wght-normal-6IgcOCM7.woff2 +0 -0
  36. package/dist/console-ui/assets/hermes-B8hNbJPm.png +0 -0
  37. package/dist/console-ui/assets/index-BxUf0Sye.js +96 -0
  38. package/dist/console-ui/assets/index-CmTiBR_w.css +2 -0
  39. package/dist/console-ui/assets/omnigent-Cxa4p2Mq.png +0 -0
  40. package/dist/console-ui/assets/openclaw-C5wL4ZVW.png +0 -0
  41. package/dist/console-ui/assets/opencode-D_wFATSC.png +0 -0
  42. package/dist/console-ui/assets/openhands-DnrlGgev.svg +9 -0
  43. package/dist/console-ui/assets/s-gw-64-ByMUGQ3K.png +0 -0
  44. package/dist/console-ui/assets/vscode-Bdtr9eyf.png +0 -0
  45. package/dist/console-ui/assets/zeptoclaw-DztQW8Sw.png +0 -0
  46. package/dist/console-ui/index.html +13 -0
  47. package/dist/crypto.d.ts +6 -0
  48. package/dist/crypto.js +53 -0
  49. package/dist/executor.d.ts +7 -0
  50. package/dist/executor.js +297 -0
  51. package/dist/gateway.d.ts +31 -0
  52. package/dist/gateway.js +114 -0
  53. package/dist/guard.d.ts +61 -0
  54. package/dist/guard.js +247 -0
  55. package/dist/install.d.ts +146 -0
  56. package/dist/install.js +629 -0
  57. package/dist/mcp-server.d.ts +2 -0
  58. package/dist/mcp-server.js +119 -0
  59. package/dist/native/s-gw-core +0 -0
  60. package/dist/native/s-gw-keychain-helper +0 -0
  61. package/dist/onepassword.d.ts +48 -0
  62. package/dist/onepassword.js +412 -0
  63. package/dist/paths.d.ts +4 -0
  64. package/dist/paths.js +22 -0
  65. package/dist/s-gw Menu Bar.app/Contents/Info.plist +28 -0
  66. package/dist/s-gw Menu Bar.app/Contents/MacOS/s-gw-menu-bar-helper +0 -0
  67. package/dist/s-gw Menu Bar.app/Contents/Resources/AppIcon.icns +0 -0
  68. package/dist/s-gw Menu Bar.app/Contents/Resources/AwsEc2.png +0 -0
  69. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-bot.svg +8 -0
  70. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-monitor.svg +5 -0
  71. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-server.svg +6 -0
  72. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-terminal.svg +4 -0
  73. package/dist/s-gw Menu Bar.app/Contents/Resources/MenuBarTemplate.png +0 -0
  74. package/dist/s-gw Menu Bar.app/Contents/_CodeSignature/CodeResources +194 -0
  75. package/dist/s-gw.app/Contents/Info.plist +28 -0
  76. package/dist/s-gw.app/Contents/MacOS/s-gw +0 -0
  77. package/dist/s-gw.app/Contents/Resources/AppIcon.icns +0 -0
  78. package/dist/s-gw.app/Contents/Resources/MenuBarTemplate.png +0 -0
  79. package/dist/s-gw.app/Contents/_CodeSignature/CodeResources +139 -0
  80. package/dist/scanner.d.ts +9 -0
  81. package/dist/scanner.js +437 -0
  82. package/dist/ssh.d.ts +31 -0
  83. package/dist/ssh.js +286 -0
  84. package/dist/store.d.ts +131 -0
  85. package/dist/store.js +1611 -0
  86. package/dist/types.d.ts +196 -0
  87. package/dist/types.js +2 -0
  88. package/dist/unlock.d.ts +29 -0
  89. package/dist/unlock.js +274 -0
  90. package/dist/windows/VERSION.txt +1 -0
  91. package/dist/windows/s-gw-client.cmd +4 -0
  92. package/dist/windows/s-gw-client.ps1 +106 -0
  93. package/dist/windows/s-gw-credential.cmd +4 -0
  94. package/dist/windows/s-gw-credential.ps1 +167 -0
  95. package/dist/windows/s-gw-helper.cmd +4 -0
  96. package/dist/windows/s-gw-helper.ps1 +180 -0
  97. package/docs/README.md +23 -0
  98. package/docs/agents.md +160 -0
  99. package/docs/architecture.md +72 -0
  100. package/docs/deployment.md +447 -0
  101. package/docs/detection.md +44 -0
  102. package/docs/images/s-gw-overview.png +0 -0
  103. package/docs/integrations.md +195 -0
  104. package/docs/keychain.md +39 -0
  105. package/docs/onepassword.md +84 -0
  106. package/docs/quickstart.md +104 -0
  107. package/docs/threat-model.md +100 -0
  108. package/docs/ui/THIRD_PARTY_NOTICES.md +111 -0
  109. package/docs/ui/apple-touch-icon.png +0 -0
  110. package/docs/ui/favicon-32.png +0 -0
  111. package/docs/ui/local-console.html +4477 -0
  112. package/docs/ui/vendor/d3-sankey/d3-array.LICENSE.txt +27 -0
  113. package/docs/ui/vendor/d3-sankey/d3-array.min.js +2 -0
  114. package/docs/ui/vendor/d3-sankey/d3-path.LICENSE.txt +27 -0
  115. package/docs/ui/vendor/d3-sankey/d3-path.min.js +2 -0
  116. package/docs/ui/vendor/d3-sankey/d3-sankey.LICENSE.txt +27 -0
  117. package/docs/ui/vendor/d3-sankey/d3-sankey.min.js +2 -0
  118. package/docs/ui/vendor/d3-sankey/d3-shape.LICENSE.txt +27 -0
  119. package/docs/ui/vendor/d3-sankey/d3-shape.min.js +2 -0
  120. package/docs/ui/vendor/sankeymatic/LICENSE.txt +17 -0
  121. package/docs/ui/vendor/sankeymatic/sankey.js +897 -0
  122. package/package.json +117 -0
  123. package/skills/s-gw/SKILL.md +19 -0
@@ -0,0 +1,447 @@
1
+ # s-gw Deployment
2
+
3
+ s-gw is deployed on the same machine that runs the coding agent. Do not deploy it as a remote MCP server that receives credential material.
4
+
5
+ ## Deployment Model
6
+
7
+ The supported local model is:
8
+
9
+ 1. Install the local `s-gw` CLI and `s-gw-mcp` stdio server.
10
+ 2. Store the local ledger unlock passphrase in the user's OS credential store.
11
+ 3. Initialize the local encrypted ledger under `SGW_HOME`.
12
+ 4. Enroll secrets from the local terminal, not from chat.
13
+ 5. Configure each coding tool to launch the local stdio MCP server.
14
+ 6. Launch CLI agents through guard mode when environment credential interception is needed.
15
+ 7. Approve secret-backed actions locally with the native macOS app or `s-gw approve <request-id>`.
16
+
17
+ Raw credentials stay in the local encrypted ledger and are decrypted only inside an approved local execution path.
18
+
19
+ ## Distribution Options
20
+
21
+ ### Source Package Or Tarball
22
+
23
+ This is the current practical installation path before signed public downloads are available.
24
+
25
+ Package:
26
+
27
+ ```bash
28
+ npm run package:local
29
+ ```
30
+
31
+ Install on the local machine:
32
+
33
+ ```bash
34
+ npm install -g ./s-gw-0.1.0.tgz
35
+ s-gw setup
36
+ ```
37
+
38
+ For most macOS users, this is the complete first run. `s-gw setup` generates a strong local unlock secret, stores it in macOS Keychain, initializes the encrypted ledger, installs and starts the console LaunchAgent, installs and starts the menu-bar helper, and opens the native macOS app. The browser console remains installed as a fallback local UI.
39
+
40
+ For source-based installs:
41
+
42
+ ```bash
43
+ git clone <repo-url> s-gw
44
+ cd s-gw
45
+ npm install
46
+ npm run build
47
+ npm link
48
+ ```
49
+
50
+ ### Signed macOS Installer
51
+
52
+ Before publishing a macOS download, package a signed and notarized installer that includes:
53
+
54
+ - Node runtime or a bundled standalone executable;
55
+ - `s-gw` CLI;
56
+ - `s-gw-mcp` stdio server;
57
+ - native macOS Keychain helper;
58
+ - native macOS management app;
59
+ - a launcher or profile script that puts `s-gw` on PATH;
60
+ - optional managed defaults for `SGW_HOME` and policy templates.
61
+
62
+ This is the preferred enterprise deployment shape for MDM/Jamf/Kandji-style rollout. The installer should not pre-seed user passphrases or raw secrets.
63
+
64
+ ### Homebrew
65
+
66
+ Homebrew is a good developer-friendly channel after the native helper is code signed. It is less controlled than an enterprise `.pkg`, but easy for individual developers:
67
+
68
+ ```bash
69
+ brew install s-gw
70
+ ```
71
+
72
+ ### Not Recommended: Remote MCP Hosting
73
+
74
+ Do not host s-gw as a shared remote MCP service for user credentials. Remote services may provide documentation, policy templates, inventory, or aggregate reporting, but secret storage and redemption should remain local.
75
+
76
+ ## First-Run Setup
77
+
78
+ ### Recommended: One Command
79
+
80
+ ```bash
81
+ s-gw setup
82
+ ```
83
+
84
+ Useful variants:
85
+
86
+ ```bash
87
+ s-gw setup --no-open-app
88
+ s-gw setup --passphrase-stdin
89
+ s-gw setup --no-menubar
90
+ ```
91
+
92
+ `--no-open-console` is still accepted for compatibility with early builds.
93
+
94
+ After setup:
95
+
96
+ ```bash
97
+ s-gw status
98
+ s-gw start
99
+ s-gw stop
100
+ s-gw guard status
101
+ ```
102
+
103
+ ### Manual Setup
104
+
105
+ Set the local unlock passphrase:
106
+
107
+ ```bash
108
+ read -rsp "s-gw passphrase: " SGW_UNLOCK
109
+ printf '%s' "$SGW_UNLOCK" | s-gw unlock keychain set --value-stdin
110
+ unset SGW_UNLOCK
111
+ s-gw unlock status
112
+ ```
113
+
114
+ Initialize local storage:
115
+
116
+ ```bash
117
+ s-gw init
118
+ ```
119
+
120
+ Enroll a secret with an exact command grant:
121
+
122
+ ```bash
123
+ printf '%s' "$MY_API_TOKEN" | s-gw secret add \
124
+ --name demo-token \
125
+ --type api-token \
126
+ --value-stdin \
127
+ --inject-env API_TOKEN \
128
+ --allow-command "$(command -v node)"
129
+ ```
130
+
131
+ Configure the coding tool using [integrations.md](integrations.md).
132
+
133
+ Launch supported CLI agents through guard mode:
134
+
135
+ ```bash
136
+ s-gw run codex --dry-run -- -v
137
+ s-gw run codex -- --ask-for-approval never
138
+ s-gw guard run claude-code -- --help
139
+ ```
140
+
141
+ Guard mode tokenizes credential-looking environment values before the agent starts. It does not yet claim OS-wide prompt, file, shell, or terminal interception; those should be added through explicit agent config installers and command wrappers with backups and dry-run previews.
142
+
143
+ Launch the native macOS management app:
144
+
145
+ ```bash
146
+ s-gw app open
147
+ ```
148
+
149
+ The app shows daemon health, Keychain status, credential handles, pending approvals, configured agents, and audit events. It uses the installed local CLI and store; raw secret values are only provided to local approved execution paths.
150
+
151
+ Choose the approval mode in the app's Settings panel, or configure it from the CLI:
152
+
153
+ ```bash
154
+ s-gw approval set --mode per-transaction
155
+ s-gw approval set --mode timed-session --duration 15m
156
+ s-gw approval set --mode login-session
157
+ ```
158
+
159
+ `per-transaction` asks for every request. `timed-session` and `login-session` reuse approval only for the same handle and local action fingerprint, so approving one command does not authorize unrelated commands or credentials.
160
+
161
+ For managed installs, use approval policy rules for per-agent and per-credential defaults that should survive restarts:
162
+
163
+ ```bash
164
+ s-gw approval policy add \
165
+ --name "Cursor may use dev GitHub token" \
166
+ --decision allow \
167
+ --handle "$HANDLE" \
168
+ --agent Cursor \
169
+ --command "$(command -v git)" \
170
+ --inject-env GITHUB_TOKEN
171
+
172
+ s-gw approval policy add \
173
+ --name "Critical secrets ask first" \
174
+ --decision ask \
175
+ --min-severity critical \
176
+ --priority 10
177
+ ```
178
+
179
+ Policy rules can match credential handles, types, providers, minimum severity, agent names, action kinds, commands, injected environment names, working directories, SSH targets, and SSH ports. `allow` skips the approval popup for matching requests, `ask` keeps the normal approval/grant flow, and `deny` blocks matching requests before local execution.
180
+
181
+ Launch the fallback browser console when needed:
182
+
183
+ ```bash
184
+ s-gw console
185
+ ```
186
+
187
+ The console binds to `127.0.0.1`, serves the UI from the installed package, and injects a per-session token into the page. That token is required for local API writes such as approving or denying requests, so another browser origin cannot silently drive the credential API with a plain form post.
188
+
189
+ For a background setup, install the per-user console LaunchAgent instead:
190
+
191
+ ```bash
192
+ s-gw service install --start
193
+ s-gw service status
194
+ ```
195
+
196
+ This starts `s-gw console --host 127.0.0.1 --port 8718 --no-open` at login and writes logs under `~/.s-gw/logs`.
197
+
198
+ Launch the native menu-bar helper:
199
+
200
+ ```bash
201
+ s-gw menubar open
202
+ ```
203
+
204
+ Use the menu-bar count to choose what appears next to the icon:
205
+
206
+ ```bash
207
+ s-gw menubar open --count pending
208
+ s-gw menubar open --count credentials
209
+ s-gw menubar open --count none
210
+ ```
211
+
212
+ Install it as a login item:
213
+
214
+ ```bash
215
+ s-gw menubar install --start --count pending
216
+ s-gw menubar status
217
+ ```
218
+
219
+ The standalone helper is the only menu-bar owner. It is a small `LSUIElement` app bundled at `dist/s-gw Menu Bar.app`, remains available when the main app is closed, opens the native app by default, and keeps the web console as a fallback action.
220
+
221
+ ### Windows Preview Client
222
+
223
+ The package also stages a Windows client and tray helper:
224
+
225
+ ```powershell
226
+ npm run build:windows-client
227
+ s-gw app open
228
+ s-gw helper open
229
+ ```
230
+
231
+ On Windows, `s-gw app open` launches `dist\windows\s-gw-client.ps1`. It starts the local console on `127.0.0.1` if needed, then opens the UI in Edge or Chrome app mode. `s-gw helper open` launches `dist\windows\s-gw-helper.ps1`, a lightweight tray helper that shows pending approvals, opens the approval queue, and can approve or deny the oldest pending request through the local CLI.
232
+
233
+ The Windows Credential Manager helper is staged at `dist\windows\s-gw-credential.ps1`. It uses the Windows credential APIs and receives new values on stdin, so unlock passphrases and secret values are not passed as process arguments. Signed `.exe` wrappers, login-start registration, and MSIX/installer packaging are still separate hardening work.
234
+
235
+ ### Local Installer Artifacts
236
+
237
+ Build both platform downloads from the current source and package version:
238
+
239
+ ```bash
240
+ npm run build:installers
241
+ ```
242
+
243
+ The command rebuilds the native clients and console, then writes these files under `dist/installers`:
244
+
245
+ - `s-gw-VERSION-macos.dmg`, containing the local npm package and a double-clickable setup command;
246
+ - `s-gw-VERSION-windows.zip`, containing the local npm package plus PowerShell and CMD setup launchers;
247
+ - `s-gw-VERSION.tgz`, used by both installers and the in-app updater;
248
+ - `SHA256SUMS.txt` and per-artifact `.sha256` files.
249
+
250
+ The installer scripts require Node.js 20 or newer, install the bundled package globally, and run `s-gw setup`. They do not contain credentials or pre-seeded unlock material. The macOS DMG is not ready for public distribution until Developer ID signing and notarization are added. The Windows ZIP remains a preview until it is validated on Windows and replaced or supplemented by a signed installer format.
251
+
252
+ ## Data Locations
253
+
254
+ Default local ledger:
255
+
256
+ ```text
257
+ ~/.s-gw/store.json
258
+ ```
259
+
260
+ Default Keychain item:
261
+
262
+ ```text
263
+ service: com.s-gw.sgw.master-passphrase
264
+ account: <local username>
265
+ ```
266
+
267
+ Environment overrides:
268
+
269
+ ```bash
270
+ export SGW_HOME="$HOME/.s-gw"
271
+ export SGW_KEYCHAIN_SERVICE="com.s-gw.sgw.master-passphrase"
272
+ export SGW_KEYCHAIN_ACCOUNT="$USER"
273
+ ```
274
+
275
+ `SGW_MASTER_PASSPHRASE` remains available for automation and tests, but should not be used in repo-scoped MCP config.
276
+
277
+ ### macOS Keychain backend
278
+
279
+ For individual macOS users, prefer Keychain-backed handles. The local ledger stores only encrypted handle metadata and a Keychain pointer; the credential value is stored in the user's login Keychain:
280
+
281
+ ```bash
282
+ printf '%s' "$GITHUB_TOKEN" | s-gw secret add-keychain \
283
+ --name github-prod \
284
+ --type api-token \
285
+ --value-stdin \
286
+ --inject-env GITHUB_TOKEN \
287
+ --allow-command "$(command -v gh)"
288
+ ```
289
+
290
+ Use `SGW_SECRET_KEYCHAIN_SERVICE` or `--service` to isolate test, work, or user credential namespaces.
291
+
292
+ ### 1Password backend
293
+
294
+ If credentials already live in 1Password, s-gw can use `op://...` references as an optional backend or migration source. Reusable approvals read 1Password once, then keep an encrypted local keystore copy until the approval expires or is revoked:
295
+
296
+ ```bash
297
+ s-gw secret add-1password \
298
+ --name github-prod \
299
+ --type api-token \
300
+ --ref 'op://Example/GitHub/credential' \
301
+ --inject-env GITHUB_TOKEN \
302
+ --allow-command "$(command -v gh)" \
303
+ --verify
304
+ ```
305
+
306
+ For interactive desktop users, the first approved reusable use may still require the normal 1Password app/CLI unlock. Later matching uses stay in s-gw until the TTL ends. For team automation, set `OP_SERVICE_ACCOUNT_TOKEN` in the environment used by the local s-gw service.
307
+
308
+ ## Operational Recovery
309
+
310
+ If the machine sleeps or a command is killed mid-run, the in-flight request can be left in an `executing` state. s-gw reaps these automatically a few minutes after the runner goes silent, so the store self-heals without intervention. An operator who wants to clear them immediately can:
311
+
312
+ ```bash
313
+ s-gw requests # inspect request states
314
+ s-gw requests --recover # fail every stranded execution now
315
+ s-gw requests --recover REQUEST_ID # fail one specific stranded execution
316
+ ```
317
+
318
+ The native app and browser console expose the same action on a stuck request. Recovery only moves a stranded execution to `failed`; it never reveals a secret or re-runs the command. Retrying means creating a fresh request that goes through approval again.
319
+
320
+ ## OS Support
321
+
322
+ | OS | Current status | Unlock provider | Notes |
323
+ | --- | --- | --- | --- |
324
+ | macOS arm64 | Primary development platform | Native Swift helper using Security.framework | Native app, menu helper, and Keychain path are covered by local tests. |
325
+ | macOS Intel | Build-from-source candidate | Native Swift helper using Security.framework | Expected to work when built on Intel macOS with Node >= 20 and Swift toolchain, but not yet QA-tested here. |
326
+ | Linux | Experimental CLI | `SGW_MASTER_PASSPHRASE` fallback | Needs a Secret Service/libsecret helper before desktop support. |
327
+ | Windows | Preview client/helper | Windows Credential Manager helper | PowerShell client opens the local console in browser app mode; tray helper supports queue/status actions. Needs Windows QA, signing, and installer work before production support. |
328
+
329
+ The current preview is developed primarily on macOS with the native Keychain helper. Windows has a packaged preview path through Credential Manager, but the client and helper still require broader QA, signing, and installer hardening.
330
+
331
+ ## Coding Tool Support
332
+
333
+ | Tool | Current status | Integration path | Config doc |
334
+ | --- | --- | --- | --- |
335
+ | Codex CLI / IDE extension | Supported | Local plugin manifest or stdio MCP config | `~/.codex/config.toml` or plugin `.mcp.json` |
336
+ | Claude Code | Supported | Local stdio MCP server | `claude mcp add --transport stdio ...` or `.mcp.json` |
337
+ | Cursor | Supported | Local MCP server config | `~/.cursor/mcp.json` |
338
+ | OpenClaw | Profiled | Local MCP server config | `~/.openclaw/openclaw.json` |
339
+ | ZeptoClaw | Profiled | Manual local MCP registration | `~/.zeptoclaw/config.json` or `.mcp.json` |
340
+ | Hermes Agent | Profiled | Local MCP server config | `~/.hermes/config.yaml` |
341
+ | Windsurf | Profiled | Existing local MCP config only | `~/.codeium/windsurf/mcp_config.json` or `mcp.json` |
342
+ | Gemini CLI | Supported | Local MCP server config | `~/.gemini/settings.json` |
343
+ | GitHub Copilot CLI | Supported | Local MCP server config | `~/.copilot/mcp-config.json`, `.github/mcp.json`, or `.mcp.json` |
344
+ | OpenHands | Profiled | Local MCP server config plus optional hooks | `~/.openhands/mcp.json`, `~/.openhands/hooks.json` |
345
+ | Antigravity | Profiled | Local MCP server config plus global hooks | `~/.gemini/config/mcp_config.json`, `./.agents/mcp_config.json`, `~/.gemini/config/hooks.json` |
346
+ | OpenCode | Supported | Local MCP server config; plugin hook surface profiled | `~/.config/opencode/opencode.json`, `opencode.json`, `.jsonc` variants |
347
+ | OmniGent | Planned/profiled | Custom policy bridge, not normal MCP | `$OMNIGENT_CONFIG_HOME/config.yaml` or `~/.omnigent/config.yaml` |
348
+ | VS Code + GitHub Copilot Agent Mode | Supported | Local stdio MCP server | `.vscode/mcp.json` or user MCP config |
349
+ | Zed, JetBrains, other MCP clients | Not yet profiled | Likely possible through stdio MCP | Add after hands-on testing and docs. |
350
+
351
+ Supported means s-gw has a documented standard MCP stdio path. Profiled means `s-gw agent list` and, when applicable, `s-gw agent mcp-snippet <agent>` know the likely local surfaces, but a hands-on client smoke test is still required before claiming full compatibility. Planned/profiled entries describe known integration shapes without emitting a normal MCP snippet. Automated end-to-end coverage uses the official MCP SDK client rather than every individual IDE UI.
352
+
353
+ ## Upgrade
354
+
355
+ The native macOS app can check a GitHub Releases feed from Settings or the `Check for Updates` menu command. The default release repository is `sgateway/s-gw`. Publish release notes on the GitHub release and attach an npm tarball asset such as `s-gw-0.1.1.tgz`; the app can download that asset, run `npm install -g`, restart the service/menu helper, and reopen s-gw. If no installable tarball is attached, the app still shows the release notes and opens the release page.
356
+
357
+ Upgrade the package:
358
+
359
+ ```bash
360
+ npm install -g ./s-gw-0.1.1.tgz
361
+ s-gw unlock status
362
+ s-gw secret list
363
+ s-gw service start
364
+ s-gw menubar start
365
+ s-gw app open
366
+ ```
367
+
368
+ The local ledger and Keychain item should persist across package upgrades.
369
+
370
+ ## Uninstall
371
+
372
+ Remove the tool:
373
+
374
+ ```bash
375
+ s-gw menubar uninstall
376
+ s-gw service uninstall
377
+ npm uninstall -g s-gw
378
+ ```
379
+
380
+ Remove local unlock material:
381
+
382
+ ```bash
383
+ s-gw unlock keychain delete
384
+ ```
385
+
386
+ Remove local ledger if desired:
387
+
388
+ ```bash
389
+ rm -rf ~/.s-gw
390
+ ```
391
+
392
+ Also remove the MCP server entry from each configured coding tool.
393
+
394
+ ## Packaging Checklist
395
+
396
+ Before publishing a build:
397
+
398
+ ```bash
399
+ npm run verify
400
+ npm pack
401
+ ```
402
+
403
+ For macOS production packages, also verify:
404
+
405
+ - native helper exists at `dist/native/s-gw-keychain-helper`;
406
+ - native macOS app exists at `dist/s-gw.app`;
407
+ - `s-gw unlock status` reports `provider: "native-helper"`;
408
+ - real Keychain + MCP e2e passes with no `SGW_MASTER_PASSPHRASE`;
409
+ - `s-gw app open` launches the native app and shows the Overview window;
410
+ - `s-gw console --no-open` serves the local UI and the console HTTP e2e test passes;
411
+ - `s-gw doctor` finds the installed CLI, MCP server, native Keychain helper, and menu-bar app bundle;
412
+ - `s-gw service install --start` loads the console LaunchAgent;
413
+ - `s-gw menubar open` launches the menu-bar helper and sees pending requests;
414
+ - package or installer is signed and notarized;
415
+ - install/uninstall leaves no raw secrets in logs or shell history.
416
+
417
+ For Windows preview packages, also verify:
418
+
419
+ - Windows scripts exist under `dist/windows`;
420
+ - `s-gw unlock keychain set --value-stdin` stores unlock material through Credential Manager;
421
+ - `s-gw app open` starts the local console and opens the client shell;
422
+ - `s-gw helper open` creates a tray icon and sees pending requests;
423
+ - helper approve/deny actions use the CLI and do not require the console API token;
424
+ - installer/startup registration does not log raw secrets or command stdin.
425
+
426
+ ## What The Package Contains
427
+
428
+ The current npm/tarball package contains:
429
+
430
+ - `s-gw` CLI and `s-gw-mcp` stdio MCP server;
431
+ - compiled TypeScript under `dist`;
432
+ - compiled Rust execution core at `dist/native/s-gw-core` or `s-gw-core.exe`;
433
+ - native macOS Keychain helper at `dist/native/s-gw-keychain-helper`;
434
+ - native macOS management app at `dist/s-gw.app`;
435
+ - native macOS menu-bar helper app at `dist/s-gw Menu Bar.app`;
436
+ - local console HTML/CSS/JS assets under `docs/ui`;
437
+ - integration docs and agent profile docs;
438
+
439
+ It intentionally does not contain native application source files, source maps, credentials, user policy files, npm build caches, SwiftPM `.build` caches, or any pre-seeded Keychain material.
440
+
441
+ ## Reference Docs
442
+
443
+ - OpenAI Docs MCP quickstart covers Codex, VS Code, Cursor, and Claude Code MCP setup patterns: https://developers.openai.com/learn/docs-mcp
444
+ - Claude Code MCP docs cover stdio servers, scopes, and `.mcp.json`: https://code.claude.com/docs/en/mcp
445
+ - VS Code MCP configuration reference covers `.vscode/mcp.json`, stdio fields, and Agent Mode commands: https://code.visualstudio.com/docs/agents/reference/mcp-configuration
446
+ - OpenCode MCP docs cover local MCP server configuration: https://thdxr.dev.opencode.ai/docs/mcp-servers/
447
+ - DefenseClaw connector docs are one source for agent hook, plugin, and policy surfaces: https://github.com/cisco-ai-defense/defenseclaw/tree/main/docs-site/content/docs/connectors
@@ -0,0 +1,44 @@
1
+ # Secret Detection
2
+
3
+ s-gw identifies credentials locally before any tokenized text is sent to an AI coding agent.
4
+
5
+ ## Current Approach
6
+
7
+ Detection is deterministic by default. The scanner uses a provider-aware rule pack with regular expressions, light validators, placeholder filtering, severity, and confidence metadata.
8
+
9
+ Current provider coverage includes:
10
+
11
+ - OpenAI and Anthropic API keys
12
+ - AWS access keys and secret access key assignments
13
+ - GitHub and GitLab tokens
14
+ - Slack and Discord webhooks/tokens
15
+ - Stripe keys
16
+ - Google API keys
17
+ - Azure storage keys and SAS signatures
18
+ - SendGrid, Mailgun, Twilio, npm, and PyPI tokens
19
+ - JWTs with local header/payload validation
20
+ - database connection-string credentials
21
+ - Basic and Bearer auth headers
22
+ - generic secret, token, API key, and password assignments
23
+ - PEM private key blocks
24
+
25
+ When a value is detected, only the matched sensitive value is replaced with a `<<SGW_SECRET:...>>` handle token. Non-secret context around it remains visible so the agent can still reason about code structure.
26
+
27
+ ## Why Not Remote AI Detection
28
+
29
+ Raw secrets should not leave the user's machine. A remote model is not part of the detection path.
30
+
31
+ A future local small language model can be useful for ambiguous cases, such as classifying a strange variable assignment or helping name a handle. It should not be the primary detector and should not receive raw values unless it runs fully local under the same trust boundary.
32
+
33
+ ## Metadata
34
+
35
+ Findings and persisted handles can carry non-secret metadata:
36
+
37
+ - `provider`
38
+ - `ruleId`
39
+ - `severity`
40
+ - `confidence`
41
+ - `type`
42
+ - source file or source label
43
+
44
+ This metadata is safe to show in a future management UI and helps users review high-risk items without exposing credential values.
Binary file
@@ -0,0 +1,195 @@
1
+ # s-gw Integrations
2
+
3
+ s-gw is intended to run locally. Coding tools should launch the local stdio MCP server instead of calling a remote service that would need to trust or store credentials.
4
+
5
+ s-gw's preferred desktop backend is the local OS credential store: macOS Keychain on macOS and Windows Credential Manager on Windows preview builds. Add handles with `s-gw secret add-keychain`; reusable approval reads the credential only inside approved local execution. See [keychain.md](keychain.md).
6
+
7
+ s-gw can also use 1Password as an optional source/backend for handles. Store an encrypted `op://...` reference with `s-gw secret add-1password`; reusable approval reads the local `op` CLI once, then uses s-gw's encrypted keystore copy until the approval expires or is revoked. See [onepassword.md](onepassword.md).
8
+
9
+ For installation, supported operating systems, and packaging channels, see [deployment.md](deployment.md).
10
+
11
+ For the broader agent profile matrix, including OpenClaw, ZeptoClaw, Hermes, Windsurf, Gemini CLI, GitHub Copilot CLI, OpenHands, Antigravity, OpenCode, and OmniGent, see [agents.md](agents.md). You can also run `s-gw agent list` and `s-gw agent mcp-snippet <agent>` when the profile has a normal MCP surface.
12
+
13
+ Build first:
14
+
15
+ ```bash
16
+ cd /path/to/s-gw
17
+ npm install
18
+ npm run build
19
+ npm link
20
+ ```
21
+
22
+ Store a local unlock passphrase in the OS credential store before starting the MCP server:
23
+
24
+ ```bash
25
+ read -rsp "s-gw passphrase: " SGW_UNLOCK
26
+ printf '%s' "$SGW_UNLOCK" | s-gw unlock keychain set --value-stdin
27
+ unset SGW_UNLOCK
28
+ s-gw unlock status
29
+ ```
30
+
31
+ For automation, `SGW_MASTER_PASSPHRASE` still works as a fallback. Keep real passphrases in a local user environment or OS credential store, not in project-scoped MCP files. On macOS, the normal path uses the bundled native helper at `dist/native/s-gw-keychain-helper`; on Windows preview builds it uses `dist\windows\s-gw-credential.ps1`. Both helpers receive new passphrases on stdin.
32
+
33
+ ## Guarded Launch
34
+
35
+ MCP registration gives the agent SGW tools, but it does not intercept every prompt, file read, or environment variable by itself. For CLI agents, start with guard mode when you need launch-environment interception:
36
+
37
+ ```bash
38
+ s-gw run codex --dry-run -- -v
39
+ s-gw run codex -- --ask-for-approval never
40
+ s-gw guard run claude-code -- --help
41
+ ```
42
+
43
+ A real guarded run stores detected environment credentials locally, replaces the child process value with a `<<SGW_SECRET:...>>` handle, and sets guard instructions for the launched process. Use `--command CMD` for agents without a default launcher.
44
+
45
+ ## Codex
46
+
47
+ Install as a local plugin by pointing Codex at a marketplace that includes this plugin, or add the MCP server directly while developing:
48
+
49
+ ```bash
50
+ codex mcp add s-gw -- node /path/to/s-gw/dist/mcp-server.js
51
+ ```
52
+
53
+ Equivalent `~/.codex/config.toml` snippet:
54
+
55
+ ```toml
56
+ [mcp_servers.s-gw]
57
+ command = "node"
58
+ args = ["/path/to/s-gw/dist/mcp-server.js"]
59
+ env = { SGW_HOME = "~/.s-gw" }
60
+ startup_timeout_sec = 10
61
+ tool_timeout_sec = 60
62
+ default_tools_approval_mode = "prompt"
63
+ ```
64
+
65
+ ## Claude Code
66
+
67
+ ```bash
68
+ claude mcp add --transport stdio --scope user s-gw -- node /path/to/s-gw/dist/mcp-server.js
69
+ ```
70
+
71
+ Project-scoped `.mcp.json`:
72
+
73
+ ```json
74
+ {
75
+ "mcpServers": {
76
+ "s-gw": {
77
+ "command": "node",
78
+ "args": ["/path/to/s-gw/dist/mcp-server.js"],
79
+ "env": {
80
+ "SGW_HOME": "~/.s-gw"
81
+ }
82
+ }
83
+ }
84
+ }
85
+ ```
86
+
87
+ ## Cursor
88
+
89
+ Add to `~/.cursor/mcp.json`:
90
+
91
+ ```json
92
+ {
93
+ "mcpServers": {
94
+ "s-gw": {
95
+ "command": "node",
96
+ "args": ["/path/to/s-gw/dist/mcp-server.js"],
97
+ "env": {
98
+ "SGW_HOME": "~/.s-gw"
99
+ }
100
+ }
101
+ }
102
+ }
103
+ ```
104
+
105
+ ## OpenCode
106
+
107
+ Add to `~/.config/opencode/opencode.json`, `opencode.json`, or the `.jsonc` variant your OpenCode install loads:
108
+
109
+ ```jsonc
110
+ {
111
+ "$schema": "https://opencode.ai/config.json",
112
+ "mcp": {
113
+ "s-gw": {
114
+ "type": "local",
115
+ "command": ["node", "/path/to/s-gw/dist/mcp-server.js"],
116
+ "enabled": true,
117
+ "environment": {
118
+ "SGW_HOME": "~/.s-gw"
119
+ }
120
+ }
121
+ }
122
+ }
123
+ ```
124
+
125
+ ## VS Code / GitHub Copilot Agent Mode
126
+
127
+ Add `.vscode/mcp.json`:
128
+
129
+ ```json
130
+ {
131
+ "servers": {
132
+ "s-gw": {
133
+ "type": "stdio",
134
+ "command": "node",
135
+ "args": ["/path/to/s-gw/dist/mcp-server.js"],
136
+ "env": {
137
+ "SGW_HOME": "~/.s-gw"
138
+ }
139
+ }
140
+ }
141
+ }
142
+ ```
143
+
144
+ ## Local Approval Flow
145
+
146
+ MCP clients should not receive reusable secret authority. The agent calls `sgw_request_execution` to create a pending manifest; nothing runs yet. You review and approve it locally (native app, menu bar, console, or CLI):
147
+
148
+ ```bash
149
+ s-gw requests
150
+ s-gw approve <request-id>
151
+ ```
152
+
153
+ Only after approval may the agent call `sgw_execute_request`. The executor injects the secret inside the local child process, sanitizes the output, records an audit event, and returns a tokenized result — the agent never receives the raw value:
154
+
155
+ ```json
156
+ {
157
+ "exitCode": 0,
158
+ "stdout": "<<SGW_SECRET:s-gw:api-token:x-AaH8zvtj96>>\n",
159
+ "proof": "s-gw-proof:req_...",
160
+ "sanitized": true
161
+ }
162
+ ```
163
+
164
+ For SSH, use `sgw_request_ssh_session` rather than asking the agent to run raw `ssh`. s-gw opens the approved connection through its own persistent ControlMaster socket, then runs later commands over that socket with `BatchMode=yes` while the approval grant is still valid. The matching CLI flow is:
165
+
166
+ ```bash
167
+ s-gw secret allow-command "$HANDLE" --command s-gw:ssh-session
168
+ s-gw ssh request "$HANDLE" --target ubuntu@example.com --arg hostname
169
+ s-gw approve <request-id> --mode timed-session --duration 8h
170
+ s-gw ssh run --request-id <request-id>
171
+ ```
172
+
173
+ To watch the generic credential loop run against a disposable store before wiring up an agent, see "See the Trust Loop End to End" in the [README](../README.md).
174
+
175
+ ## Unlock Commands
176
+
177
+ ```bash
178
+ s-gw unlock status
179
+ read -rsp "s-gw passphrase: " SGW_UNLOCK
180
+ printf '%s' "$SGW_UNLOCK" | s-gw unlock keychain set --value-stdin
181
+ unset SGW_UNLOCK
182
+ s-gw unlock keychain delete
183
+ ```
184
+
185
+ The MCP server never exposes the unlock passphrase as a tool result. It only uses the local unlock material to decrypt a handle during an approved local execution.
186
+
187
+ ## Command Grants
188
+
189
+ s-gw treats command grants as exact strings after normalization:
190
+
191
+ ```bash
192
+ printf '%s' "$TOKEN" | s-gw secret add --name prod-token --type api-token --value-stdin --inject-env TOKEN --allow-command "$(command -v node)"
193
+ ```
194
+
195
+ If a handle is enrolled with `/opt/homebrew/bin/node`, an agent request for plain `node` is denied. If a handle is enrolled with plain `node`, an agent request for `/opt/homebrew/bin/node` is denied. Prefer absolute command paths for production policies.