@s-gw/s-gw 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (123)
  1. package/.codex-plugin/plugin.json +35 -0
  2. package/.mcp.json +16 -0
  3. package/LICENSE +201 -0
  4. package/NOTICE +7 -0
  5. package/README.md +197 -0
  6. package/TRADEMARKS.md +9 -0
  7. package/assets/icons/aws-ec2.png +0 -0
  8. package/assets/icons/lucide/bot.svg +8 -0
  9. package/assets/icons/lucide/monitor.svg +5 -0
  10. package/assets/icons/lucide/server.svg +6 -0
  11. package/assets/icons/lucide/terminal.svg +4 -0
  12. package/assets/icons/s-gw-128.png +0 -0
  13. package/assets/icons/s-gw-16.png +0 -0
  14. package/assets/icons/s-gw-180.png +0 -0
  15. package/assets/icons/s-gw-192.png +0 -0
  16. package/assets/icons/s-gw-32.png +0 -0
  17. package/assets/icons/s-gw-64.png +0 -0
  18. package/assets/icons/s-gw-menu-bar-template.png +0 -0
  19. package/dist/agent-context.d.ts +17 -0
  20. package/dist/agent-context.js +207 -0
  21. package/dist/agents.d.ts +64 -0
  22. package/dist/agents.js +763 -0
  23. package/dist/cli.d.ts +2 -0
  24. package/dist/cli.js +1385 -0
  25. package/dist/command-suggest.d.ts +3 -0
  26. package/dist/command-suggest.js +131 -0
  27. package/dist/console-server.d.ts +16 -0
  28. package/dist/console-server.js +978 -0
  29. package/dist/console-ui/assets/codex-DYTPdPxi.png +0 -0
  30. package/dist/console-ui/assets/cursor-CBrUTJD-.png +0 -0
  31. package/dist/console-ui/assets/geist-cyrillic-ext-wght-normal-DjL33-gN.woff2 +0 -0
  32. package/dist/console-ui/assets/geist-cyrillic-wght-normal-BEAKL7Jp.woff2 +0 -0
  33. package/dist/console-ui/assets/geist-latin-ext-wght-normal-DC-KSUi6.woff2 +0 -0
  34. package/dist/console-ui/assets/geist-latin-wght-normal-BgDaEnEv.woff2 +0 -0
  35. package/dist/console-ui/assets/geist-vietnamese-wght-normal-6IgcOCM7.woff2 +0 -0
  36. package/dist/console-ui/assets/hermes-B8hNbJPm.png +0 -0
  37. package/dist/console-ui/assets/index-BxUf0Sye.js +96 -0
  38. package/dist/console-ui/assets/index-CmTiBR_w.css +2 -0
  39. package/dist/console-ui/assets/omnigent-Cxa4p2Mq.png +0 -0
  40. package/dist/console-ui/assets/openclaw-C5wL4ZVW.png +0 -0
  41. package/dist/console-ui/assets/opencode-D_wFATSC.png +0 -0
  42. package/dist/console-ui/assets/openhands-DnrlGgev.svg +9 -0
  43. package/dist/console-ui/assets/s-gw-64-ByMUGQ3K.png +0 -0
  44. package/dist/console-ui/assets/vscode-Bdtr9eyf.png +0 -0
  45. package/dist/console-ui/assets/zeptoclaw-DztQW8Sw.png +0 -0
  46. package/dist/console-ui/index.html +13 -0
  47. package/dist/crypto.d.ts +6 -0
  48. package/dist/crypto.js +53 -0
  49. package/dist/executor.d.ts +7 -0
  50. package/dist/executor.js +297 -0
  51. package/dist/gateway.d.ts +31 -0
  52. package/dist/gateway.js +114 -0
  53. package/dist/guard.d.ts +61 -0
  54. package/dist/guard.js +247 -0
  55. package/dist/install.d.ts +146 -0
  56. package/dist/install.js +629 -0
  57. package/dist/mcp-server.d.ts +2 -0
  58. package/dist/mcp-server.js +119 -0
  59. package/dist/native/s-gw-core +0 -0
  60. package/dist/native/s-gw-keychain-helper +0 -0
  61. package/dist/onepassword.d.ts +48 -0
  62. package/dist/onepassword.js +412 -0
  63. package/dist/paths.d.ts +4 -0
  64. package/dist/paths.js +22 -0
  65. package/dist/s-gw Menu Bar.app/Contents/Info.plist +28 -0
  66. package/dist/s-gw Menu Bar.app/Contents/MacOS/s-gw-menu-bar-helper +0 -0
  67. package/dist/s-gw Menu Bar.app/Contents/Resources/AppIcon.icns +0 -0
  68. package/dist/s-gw Menu Bar.app/Contents/Resources/AwsEc2.png +0 -0
  69. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-bot.svg +8 -0
  70. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-monitor.svg +5 -0
  71. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-server.svg +6 -0
  72. package/dist/s-gw Menu Bar.app/Contents/Resources/Lucide-terminal.svg +4 -0
  73. package/dist/s-gw Menu Bar.app/Contents/Resources/MenuBarTemplate.png +0 -0
  74. package/dist/s-gw Menu Bar.app/Contents/_CodeSignature/CodeResources +194 -0
  75. package/dist/s-gw.app/Contents/Info.plist +28 -0
  76. package/dist/s-gw.app/Contents/MacOS/s-gw +0 -0
  77. package/dist/s-gw.app/Contents/Resources/AppIcon.icns +0 -0
  78. package/dist/s-gw.app/Contents/Resources/MenuBarTemplate.png +0 -0
  79. package/dist/s-gw.app/Contents/_CodeSignature/CodeResources +139 -0
  80. package/dist/scanner.d.ts +9 -0
  81. package/dist/scanner.js +437 -0
  82. package/dist/ssh.d.ts +31 -0
  83. package/dist/ssh.js +286 -0
  84. package/dist/store.d.ts +131 -0
  85. package/dist/store.js +1611 -0
  86. package/dist/types.d.ts +196 -0
  87. package/dist/types.js +2 -0
  88. package/dist/unlock.d.ts +29 -0
  89. package/dist/unlock.js +274 -0
  90. package/dist/windows/VERSION.txt +1 -0
  91. package/dist/windows/s-gw-client.cmd +4 -0
  92. package/dist/windows/s-gw-client.ps1 +106 -0
  93. package/dist/windows/s-gw-credential.cmd +4 -0
  94. package/dist/windows/s-gw-credential.ps1 +167 -0
  95. package/dist/windows/s-gw-helper.cmd +4 -0
  96. package/dist/windows/s-gw-helper.ps1 +180 -0
  97. package/docs/README.md +23 -0
  98. package/docs/agents.md +160 -0
  99. package/docs/architecture.md +72 -0
  100. package/docs/deployment.md +447 -0
  101. package/docs/detection.md +44 -0
  102. package/docs/images/s-gw-overview.png +0 -0
  103. package/docs/integrations.md +195 -0
  104. package/docs/keychain.md +39 -0
  105. package/docs/onepassword.md +84 -0
  106. package/docs/quickstart.md +104 -0
  107. package/docs/threat-model.md +100 -0
  108. package/docs/ui/THIRD_PARTY_NOTICES.md +111 -0
  109. package/docs/ui/apple-touch-icon.png +0 -0
  110. package/docs/ui/favicon-32.png +0 -0
  111. package/docs/ui/local-console.html +4477 -0
  112. package/docs/ui/vendor/d3-sankey/d3-array.LICENSE.txt +27 -0
  113. package/docs/ui/vendor/d3-sankey/d3-array.min.js +2 -0
  114. package/docs/ui/vendor/d3-sankey/d3-path.LICENSE.txt +27 -0
  115. package/docs/ui/vendor/d3-sankey/d3-path.min.js +2 -0
  116. package/docs/ui/vendor/d3-sankey/d3-sankey.LICENSE.txt +27 -0
  117. package/docs/ui/vendor/d3-sankey/d3-sankey.min.js +2 -0
  118. package/docs/ui/vendor/d3-sankey/d3-shape.LICENSE.txt +27 -0
  119. package/docs/ui/vendor/d3-sankey/d3-shape.min.js +2 -0
  120. package/docs/ui/vendor/sankeymatic/LICENSE.txt +17 -0
  121. package/docs/ui/vendor/sankeymatic/sankey.js +897 -0
  122. package/package.json +117 -0
  123. package/skills/s-gw/SKILL.md +19 -0
@@ -0,0 +1,39 @@
1
+ # OS Credential Store Backend
2
+
3
+ s-gw can store credential values in the local OS credential store: macOS Keychain on macOS and Windows Credential Manager on Windows preview builds. Agents still receive only handles such as `s-gw:api-token:...`; the raw value is read from the local store only after s-gw has an approved local request to execute.
4
+
5
+ ## Add A Credential-Store-Backed Handle
6
+
7
+ ```bash
8
+ printf '%s' "$MY_API_TOKEN" | s-gw secret add-keychain \
9
+ --name prod-api-token \
10
+ --type api-token \
11
+ --value-stdin \
12
+ --inject-env API_TOKEN \
13
+ --allow-command "$(command -v node)"
14
+ ```
15
+
16
+ The raw credential is written through the bundled helper on stdin. The encrypted s-gw ledger keeps only handle metadata and an encrypted credential-store pointer:
17
+
18
+ ```json
19
+ {
20
+ "service": "com.s-gw.sgw.secret",
21
+ "account": "s-gw:api-token:..."
22
+ }
23
+ ```
24
+
25
+ Use `--service SERVICE` or `SGW_SECRET_KEYCHAIN_SERVICE` when you want a separate credential-store namespace for testing, work, or isolated profiles.
26
+
27
+ Automatic capture paths, including guard mode and the local console API, prefer the OS credential store on macOS and Windows. Set `SGW_SECRET_BACKEND=local` only for compatibility testing or environments without the native helper.
28
+
29
+ ## Local Execution Flow
30
+
31
+ 1. An agent sees a tokenized handle, not the credential.
32
+ 2. The agent asks s-gw to use the handle for a concrete action.
33
+ 3. s-gw applies policy and asks for approval when required.
34
+ 4. During approved execution, s-gw reads the credential from the local store and injects it into the local child process.
35
+ 5. Command output is sanitized back to handles before it is returned.
36
+
37
+ ## 1Password Migration Later
38
+
39
+ Do not read or migrate real 1Password values as part of normal setup. The safe migration path should be an explicit user-approved command that reads selected `op://...` references, writes those values into credential-store-backed handles, updates the encrypted ledger pointers, and leaves an audit event for each migrated handle.
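Review bot: In the "Add A Credential-Store-Backed Handle" example, `--allow-command "$(command -v node)"` grants the handle to a general-purpose interpreter, and the text does not say whether the grant also constrains the script or arguments that interpreter is given. The threat model added in this same diff advises keeping allowed commands narrow, so either use a purpose-specific executable in the example or add a sentence on what an interpreter grant covers. The "1Password Migration Later" section is written as design intent ("should be an explicit user-approved command"); say whether that command exists in 0.1.0 so readers do not go looking for it.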
@@ -0,0 +1,84 @@
1
+ # 1Password Integration
2
+
3
+ s-gw can use 1Password as an optional local secret backend or migration source. The s-gw ledger stores an encrypted `op://...` reference, not the raw secret value. After the user grants reusable approval, the first approved execution reads the value from the local 1Password CLI, stores an encrypted copy in the s-gw keystore for the approval TTL, and injects that value only into approved local child processes.
4
+
5
+ Agents still see typed handles such as `s-gw:api-token:...`; they never receive the raw value. One-time approvals read 1Password for that single execution. Timed, login-session, and unlimited approvals reuse the encrypted s-gw keystore copy until the approval expires or is revoked.
6
+
7
+ ## Requirements
8
+
9
+ - Install and configure the 1Password CLI as `op`.
10
+ - Use a 1Password secret reference:
11
+
12
+ ```text
13
+ op://vault-name/item-name/[section-name/]field-name
14
+ ```
15
+
16
+ The 1Password CLI also supports service-account use through `OP_SERVICE_ACCOUNT_TOKEN`; that is useful for team automation, while desktop users can rely on the normal 1Password app approval flow.
17
+
18
+ ## Add A 1Password-Backed Handle
19
+
20
+ ```bash
21
+ s-gw onepassword status
22
+
23
+ s-gw secret add-1password \
24
+ --name openai-prod \
25
+ --type api-token \
26
+ --ref 'op://Example/OpenAI/credential' \
27
+ --inject-env OPENAI_API_KEY \
28
+ --allow-command "$(command -v node)"
29
+ ```
30
+
31
+ Use `--verify` when you want s-gw to call `op read` immediately and fail early if the reference is wrong or 1Password is locked:
32
+
33
+ ```bash
34
+ s-gw secret add-1password \
35
+ --name openai-prod \
36
+ --type api-token \
37
+ --ref 'op://Example/OpenAI/credential' \
38
+ --inject-env OPENAI_API_KEY \
39
+ --allow-command "$(command -v node)" \
40
+ --verify
41
+ ```
42
+
43
+ Without `--verify`, s-gw stores the encrypted reference and resolves it later, when the approved command actually runs.
44
+
45
+ ## Capture Text Into 1Password
46
+
47
+ When a local agent or UI hands s-gw text that contains a credential, capture it through stdin so the value never appears in shell history:
48
+
49
+ ```bash
50
+ s-gw onepassword capture \
51
+ --vault Dev \
52
+ --name "captured ssh credential" \
53
+ --text-stdin \
54
+ --inject-env SGW_SSH_PASSWORD \
55
+ --allow-command "$(command -v ssh)"
56
+ ```
57
+
58
+ The command scans the supplied text, creates a 1Password item in the `Dev` vault for each detected secret, stores only an encrypted `op://...` reference in the s-gw ledger, and returns tokenized text containing `<<SGW_SECRET:...>>` handles.
59
+
60
+ ## Approved Execution
61
+
62
+ ```bash
63
+ HANDLE="s-gw:api-token:..."
64
+
65
+ s-gw request env-command "$HANDLE" \
66
+ --command "$(command -v node)" \
67
+ --inject-env OPENAI_API_KEY \
68
+ --arg -e \
69
+ --arg 'console.log(process.env.OPENAI_API_KEY)'
70
+
71
+ s-gw approve req_...
72
+ s-gw execute req_...
73
+ ```
74
+
75
+ If the child process prints the secret, s-gw sanitizes it back to the handle token before returning output to the agent.
76
+
77
+ ## Operational Notes
78
+
79
+ - The `op://...` reference is encrypted in the local s-gw store.
80
+ - For reusable approvals, the raw value is read from 1Password once, then cached encrypted in the s-gw keystore until the approval TTL, login session, unlimited grant, revoke, clear, or credential deletion ends it.
81
+ - For one-time approvals, s-gw does not keep a cached value after the execution.
82
+ - `SGW_OP_CLI=/path/to/op` can point s-gw at a non-default CLI path.
83
+ - `SGW_ONEPASSWORD_TIMEOUT_MS=60000` can extend the approval/read timeout.
84
+ - For service-account automation, provide `OP_SERVICE_ACCOUNT_TOKEN` to the local environment that runs the s-gw daemon or CLI.
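Review bot: The "Operational Notes" bullet on reusable approvals says the raw value is read from 1Password once and then cached encrypted in the s-gw keystore, and the list of things that end the cache includes an unlimited grant, so the cached copy can outlive a rotation or deletion of the item in 1Password with no stated refresh. Document whether a rotated item is picked up before the grant ends and what key protects the cached copy. The last bullet asks for `OP_SERVICE_ACCOUNT_TOKEN` in the environment of the daemon or CLI, which sits awkwardly beside the threat model's advice to prefer the OS credential store over environment-provided material; a sentence on scoping that service account to the vaults s-gw needs would help.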
@@ -0,0 +1,104 @@
1
+ # Quick Start
2
+
3
+ This guide builds s-gw from source and exercises its approval boundary with disposable data. It does not require a real credential.
4
+
5
+ Building from source requires Node.js 20 or newer and the Rust toolchain pinned by `rust-toolchain.toml`.
6
+
7
+ ## Build
8
+
9
+ ```bash
10
+ git clone https://github.com/sgateway/s-gw.git
11
+ cd s-gw
12
+ npm ci
13
+ npm run build
14
+ npm link
15
+ ```
16
+
17
+ For normal use, run `s-gw setup`. The demonstration below instead uses a temporary home and an environment-provided passphrase so it leaves the operating system credential store untouched.
18
+
19
+ ## Run The Trust Loop
20
+
21
+ Create a disposable store:
22
+
23
+ ```bash
24
+ export SGW_HOME="$(mktemp -d)/home"
25
+ PASS="$(openssl rand -base64 32)"
26
+ printf -v SGW_MASTER_PASSPHRASE '%s' "$PASS"
27
+ export SGW_MASTER_PASSPHRASE
28
+ s-gw init
29
+ ```
30
+
31
+ Enroll a fake value and permit only the local `printenv` executable to receive it:
32
+
33
+ ```bash
34
+ printf '%s' "demo-token-value" | s-gw secret add \
35
+ --name demo-token \
36
+ --type api-token \
37
+ --value-stdin \
38
+ --inject-env DEMO_TOKEN \
39
+ --allow-command "$(command -v printenv)"
40
+ ```
41
+
42
+ Get the generated handle. The list contains metadata, not the credential value:
43
+
44
+ ```bash
45
+ HANDLE=$(s-gw secret list | node -e '
46
+ let data = "";
47
+ process.stdin.on("data", chunk => data += chunk);
48
+ process.stdin.on("end", () => console.log(JSON.parse(data)[0].handle));
49
+ ')
50
+ ```
51
+
52
+ Create a request as an agent would:
53
+
54
+ ```bash
55
+ REQUEST=$(s-gw request env-command "$HANDLE" \
56
+ --command "$(command -v printenv)" \
57
+ --arg DEMO_TOKEN \
58
+ --inject-env DEMO_TOKEN \
59
+ --reason "Read the disposable token")
60
+
61
+ REQUEST_ID=$(printf '%s' "$REQUEST" | node -e '
62
+ let data = "";
63
+ process.stdin.on("data", chunk => data += chunk);
64
+ process.stdin.on("end", () => console.log(JSON.parse(data).id));
65
+ ')
66
+ ```
67
+
68
+ Execution is refused while the request is pending:
69
+
70
+ ```bash
71
+ s-gw execute "$REQUEST_ID"
72
+ ```
73
+
74
+ Approve it locally, then execute it:
75
+
76
+ ```bash
77
+ s-gw approve "$REQUEST_ID"
78
+ s-gw execute "$REQUEST_ID"
79
+ ```
80
+
81
+ The child process reads `demo-token-value`, but the returned output contains an s-gw handle:
82
+
83
+ ```json
84
+ {
85
+ "exitCode": 0,
86
+ "stdout": "<<SGW_SECRET:s-gw:api-token:...>>\n",
87
+ "proof": "s-gw-proof:req_...",
88
+ "sanitized": true
89
+ }
90
+ ```
91
+
92
+ Remove the disposable store:
93
+
94
+ ```bash
95
+ rm -rf "$SGW_HOME"
96
+ unset SGW_HOME SGW_MASTER_PASSPHRASE HANDLE REQUEST REQUEST_ID
97
+ ```
98
+
99
+ ## Next Steps
100
+
101
+ - Run `s-gw setup` for a persistent local installation.
102
+ - Use `s-gw agent mcp-snippet <agent>` to configure a supported client.
103
+ - Read the [threat model](threat-model.md) before enrolling sensitive credentials.
104
+ - Open the native app with `s-gw app open` or the fallback console with `s-gw console`.
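Review bot: The cleanup block at the end of "Run The Trust Loop" runs `unset SGW_HOME SGW_MASTER_PASSPHRASE HANDLE REQUEST REQUEST_ID` but leaves `PASS` set, and that variable still holds the generated passphrase; `rm -rf "$SGW_HOME"` also removes only the `home` child of the `mktemp -d` directory. Add `PASS` to the `unset` list and remove the parent directory as well. The "Execution is refused while the request is pending" step shows only the command; including the expected error or exit status would let a reader tell a policy refusal from an unrelated failure.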
@@ -0,0 +1,100 @@
1
+ # Threat Model
2
+
3
+ ## Purpose
4
+
5
+ s-gw reduces the chance that raw credentials are exposed to coding agents, model context, chat transcripts, tool results, or routine shell arguments. It keeps credential redemption and approval on the user's machine.
6
+
7
+ This document describes the intended security boundary for the current preview. It is not a claim of formal verification or independent audit.
8
+
9
+ ## Protected Assets
10
+
11
+ - raw credential values and local unlock material;
12
+ - credential-store pointers and encrypted ledger contents;
13
+ - approval decisions and reusable-grant scope;
14
+ - command, environment, working-directory, and SSH destination policy;
15
+ - sanitized execution output and audit records.
16
+
17
+ ## Trust Boundaries
18
+
19
+ ```mermaid
20
+ flowchart TB
21
+ subgraph Untrusted["Agent-controlled or externally influenced"]
22
+ A["Agent request"]
23
+ O["Command output"]
24
+ F["Scanned text and files"]
25
+ end
26
+
27
+ subgraph Local["Trusted local s-gw boundary"]
28
+ V["Manifest and policy validation"]
29
+ P["User approval"]
30
+ S["Encrypted store"]
31
+ B["Credential resolver and approval broker"]
32
+ R["Rust execution core"]
33
+ Z["Bounded output sanitizer"]
34
+ end
35
+
36
+ A --> V
37
+ F --> V
38
+ V --> P
39
+ P --> B
40
+ S --> B
41
+ B --> R
42
+ R --> O
43
+ O --> Z
44
+ Z --> A
45
+ ```
46
+
47
+ The local operating system account, s-gw broker and Rust core processes, operating system credential store, approved executable, and user approval decision are trusted for an approved action. Agent input, scanned content, command arguments, destinations, and command output are treated as untrusted.
48
+
49
+ ## Intended Guarantees
50
+
51
+ - Agent-facing interfaces use typed handles and metadata rather than raw values.
52
+ - A secret-backed action must match the handle's allowed command or owned SSH policy.
53
+ - Pending actions do not execute until a policy or local user decision approves them.
54
+ - Reusable approvals are bounded by stored request attributes and expiry or login session.
55
+ - Credential and unlock values entered through supported commands use stdin instead of process arguments.
56
+ - The loopback console requires a per-session token for state-changing operations.
57
+ - Known raw credential values are replaced in captured command output before it is returned to the caller.
58
+ - Approved environment commands run with a cleared child environment and only the allowlisted system variables plus approved credential bindings.
59
+ - The broker verifies that the Rust result contains no known raw credential and that its proof matches the request and sanitized output.
60
+ - Approval, execution, denial, failure, and policy activity is recorded locally.
61
+
62
+ ## Attacker Capabilities Considered
63
+
64
+ - A coding agent may create arbitrary tool requests and misleading reasons.
65
+ - Repository content may contain prompt injection or request unsafe commands.
66
+ - A local web page may attempt to call the loopback console.
67
+ - A child process may print the injected credential in its output.
68
+ - An attacker may guess handles, request IDs, or local API routes.
69
+ - A request may be interrupted by process exit, sleep, or a hung command.
70
+
71
+ ## Non-Goals And Residual Risk
72
+
73
+ s-gw does not protect against:
74
+
75
+ - compromise of the current operating system account, kernel, credential store, or s-gw process;
76
+ - a malicious or compromised executable that the user approves to receive a credential;
77
+ - screen capture, keylogging, debugger access, process-memory inspection, or privileged endpoint monitoring;
78
+ - network exfiltration performed by an approved command;
79
+ - every transformed, encoded, hashed, fragmented, or derived representation of a credential in output;
80
+ - secrets the user pastes directly into chat, source files, terminal commands, or agent configuration;
81
+ - credential access by tools that bypass s-gw entirely;
82
+ - broad prompt, file, terminal, or operating system interception solely through MCP registration;
83
+ - denial of service, destructive approved commands, or incorrect user approval decisions.
84
+
85
+ Output sanitization is a last line of defense, not a data-loss-prevention guarantee. Keep allowed commands narrow, review destinations and arguments, and use low-privilege credentials with independent provider-side controls.
86
+
87
+ ## Secure Use
88
+
89
+ - Enroll credentials from a local terminal or supported UI, never from agent chat.
90
+ - Prefer macOS Keychain or Windows Credential Manager over environment-provided unlock material.
91
+ - Use absolute executable paths for command grants where practical.
92
+ - Keep reusable approvals short and scoped to one agent when possible.
93
+ - Treat unlimited approvals and high-severity credentials as exceptional.
94
+ - Review SSH destinations, ports, and remote commands before approval.
95
+ - Keep the operating system, Node.js, s-gw, and credential providers updated.
96
+ - Review the local audit log and revoke stale policies and grants.
97
+
98
+ ## Reporting
99
+
100
+ Report suspected boundary failures through the private process in [SECURITY.md](../SECURITY.md). Do not test with credentials or systems you do not own or have permission to use.
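Review bot: In "Intended Guarantees", the loopback console bullet promises a per-session token only for state-changing operations, while "Attacker Capabilities Considered" lists a local web page calling the console. State whether read routes also require the token and whether the Origin or Host header is checked, or list unauthenticated reads under "Non-Goals And Residual Risk". Guessing handles, request IDs, or local API routes is likewise listed as a capability with no matching guarantee about how those identifiers are generated or validated.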
@@ -0,0 +1,111 @@
1
+ # Third-Party Notices
2
+
3
+ ## Rust Execution Core
4
+
5
+ The compiled `sgw-core` runner uses crates from crates.io. Exact versions are
6
+ locked in `Cargo.lock`.
7
+
8
+ - `base64`, `block-buffer`, `cfg-if`, `cpufeatures`, `crypto-common`, `digest`,
9
+ `itoa`, `libc`, `proc-macro2`, `quote`, `serde`, `serde_core`, `serde_derive`,
10
+ `serde_json`, `sha2`, `syn`, `typenum`, and `version_check`: MIT or Apache-2.0
11
+ - `generic-array` and `zmij`: MIT
12
+ - `memchr`: Unlicense or MIT
13
+ - `unicode-ident`: MIT or Apache-2.0, with Unicode-3.0 data terms
14
+
15
+ Sources and license files are available through each package entry at
16
+ https://crates.io/ and in the corresponding Cargo registry source archive.
17
+
18
+ ## AWS Architecture Icons
19
+
20
+ The macOS approval helper includes the Amazon EC2 service icon from the official
21
+ AWS Architecture Icons package. This asset is used only to identify Amazon EC2.
22
+ AWS and Amazon EC2 are trademarks of Amazon.com, Inc. or its affiliates.
23
+
24
+ - Source: https://aws.amazon.com/architecture/icons/
25
+
26
+ ## Lucide Icons
27
+
28
+ The local console and native macOS menu helper embed selected Lucide SVG icons.
29
+ The helper uses Lucide for generic agent, terminal, server, and local-machine
30
+ concepts while retaining service-specific marks where identity matters.
31
+
32
+ - Source: https://lucide.dev/
33
+ - Package: `lucide-react@1.23.0`
34
+ - License: ISC
35
+
36
+ The selected icons are embedded directly in `local-console.html` so the local credential console works offline and does not call a CDN.
37
+
38
+ ## Simple Icons
39
+
40
+ The credential provider table embeds the GitHub SVG mark from Simple Icons 16.22.0.
41
+
42
+ - Source: https://simpleicons.org/
43
+ - Package: `simple-icons@16.22.0`
44
+ - License: CC0-1.0
45
+
46
+ Simple Icons supplies brand SVGs; trademark rights remain with the respective brand owners. AWS and OpenAI remain text marks in the legacy prototype because the package used there did not include matching current SVG marks under those provider names.
47
+
48
+ The React console also uses the Claude, Google Gemini, GitHub Copilot, and
49
+ Windsurf marks from Simple Icons 16.22.0 to identify known coding agents.
50
+
51
+ The React Credentials view uses the 1Password mark from Simple Icons 16.24.1
52
+ to make the provider immediately recognizable. The mark is bundled locally;
53
+ 1Password remains a trademark of AgileBits, Inc.
54
+
55
+ ## Installed Application Icons
56
+
57
+ The React console includes scaled application icons for Codex, Cursor, OpenCode,
58
+ and Visual Studio Code so approval and activity views use the product artwork
59
+ users already recognize. These icons are used only for product identification.
60
+ The products and their artwork remain trademarks of their respective owners and
61
+ are not licensed under s-gw's Apache-2.0 license.
62
+
63
+ - Codex: https://openai.com/codex/
64
+ - Cursor: https://cursor.com/
65
+ - OpenCode: https://github.com/anomalyco/opencode
66
+ - Visual Studio Code: https://github.com/microsoft/vscode
67
+
68
+ ## Agent Project Artwork
69
+
70
+ The React console uses artwork from the following official project repositories
71
+ to identify configured agents. The artwork is used only for product
72
+ identification; project names and marks remain with their respective owners.
73
+
74
+ - OpenClaw: https://github.com/openclaw/openclaw (MIT)
75
+ - ZeptoClaw: https://github.com/qhkm/zeptoclaw (Apache-2.0)
76
+ - Hermes Agent: https://github.com/NousResearch/hermes-agent (MIT)
77
+ - OpenHands: https://github.com/OpenHands/OpenHands (MIT outside `enterprise/`)
78
+ - OmniGent: https://github.com/omnigent-ai/omnigent (Apache-2.0)
79
+
80
+ The Google Antigravity favicon is sourced from the official Antigravity site and
81
+ is used only to identify that product. Google and Antigravity are trademarks of
82
+ Google LLC.
83
+
84
+ - Source: https://www.antigravity.google/
85
+
86
+ ## d3-sankey and d3 Modules
87
+
88
+ The Usage Flow panel uses d3-sankey for the local, offline Agent -> Credential -> Action Sankey chart. The browser bundles are vendored so the console does not call a CDN.
89
+
90
+ - Source: https://github.com/d3/d3-sankey
91
+ - Package: `d3-sankey@0.12.3`
92
+ - File: `docs/ui/vendor/d3-sankey/d3-sankey.min.js`
93
+ - License: BSD-3-Clause
94
+
95
+ d3-sankey's browser bundle depends on these d3 modules, also vendored locally:
96
+
97
+ - `d3-array@2.12.1`, BSD-3-Clause, `docs/ui/vendor/d3-sankey/d3-array.min.js`
98
+ - `d3-path@1.0.9`, BSD-3-Clause, `docs/ui/vendor/d3-sankey/d3-path.min.js`
99
+ - `d3-shape@1.3.7`, BSD-3-Clause, `docs/ui/vendor/d3-sankey/d3-shape.min.js`
100
+
101
+ The upstream BSD license files are included beside the bundles in `docs/ui/vendor/d3-sankey/`.
102
+
103
+ ## SankeyMATIC
104
+
105
+ A legacy SankeyMATIC layout-core copy remains in the repository from an earlier prototype but is not loaded by the current Usage Flow panel.
106
+
107
+ - Source: https://github.com/nowthis/sankeymatic
108
+ - File: `docs/ui/vendor/sankeymatic/sankey.js`
109
+ - License: ISC
110
+
111
+ The upstream ISC license is included at `docs/ui/vendor/sankeymatic/LICENSE.txt`.
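Review bot: The "Rust Execution Core" section defers exact crate versions to `Cargo.lock`, but the file list for this release ships the compiled `package/dist/native/s-gw-core` binary and no `Cargo.lock`, so someone auditing the published package cannot tell which crate versions are in the binary; list the versions in this notice or ship the lockfile. The same section names the runner `sgw-core` where the shipped file is `s-gw-core`. Under "Simple Icons" the package line gives `simple-icons@16.22.0` while a later paragraph cites 16.24.1 for the 1Password mark; list both versions.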
Binary file
Binary file