npm - @safedep/gryph - Versions diffs - 0.0.1 - Mend

@safedep/gryph 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.npmignore ADDED Viewed

@@ -0,0 +1,17 @@
+# Exclude the actual binary (but keep the wrapper script)
+bin/gryph
+bin/gryph.exe
+# Exclude temp files and directories
+temp/
+.temp/
+# Exclude development files
+node_modules/
+.git/
+.gitignore
+*.log
+.DS_Store
+# Keep only the wrapper script in bin/
+!bin/gryph.js

package/README.md ADDED Viewed

@@ -0,0 +1,37 @@
+# Gryph
+AI coding agents read files, write code, and execute commands on your behalf. But what exactly did they do?
+**Gryph** is a local-first audit trail for AI coding agents. It hooks into your agents, logs every action to a local SQLite database, and gives you powerful querying capabilities to understand, review, and debug agent activity.
+## Why Gryph?
+- **Transparency** - See exactly what files were read, written, and what commands were run
+- **Pre-commit review** - Verify agent changes before committing to git
+- **Debugging** - Replay sessions to understand what went wrong
+- **Privacy** - All data stays local. No cloud, no telemetry
+## Installation
+```bash
+npm install -g @safedep/gryph
+```
+## Quick Start
+```bash
+# Install hooks for all detected agents
+gryph install
+# Verify installation
+gryph status
+# Start using your AI coding agent (Claude Code, Cursor, Gemini CLI, etc.)
+# ...
+# Review what happened
+gryph logs
+```
+See more details at our [GitHub Project](https://github.com/safedep/gryph)

package/bin/gryph.js ADDED Viewed

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+const fs = require("fs");
+const path = require("path");
+const { spawn } = require("child_process");
+const { ORG_NAME, PACKAGE_NAME, BINARY_NAME } = require("../config");
+const BINARY_NAME_WITH_EXT =
+  process.platform === "win32" ? `${BINARY_NAME}.exe` : BINARY_NAME;
+const BINARY_PATH = path.join(__dirname, BINARY_NAME_WITH_EXT);
+function main() {
+  // Check if binary exists
+  if (!fs.existsSync(BINARY_PATH)) {
+    console.error(`❌ ${BINARY_NAME_WITH_EXT} binary not found`);
+    console.error(
+      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
+    );
+    process.exit(1);
+  }
+  // Verify binary is executable
+  try {
+    fs.accessSync(BINARY_PATH, fs.constants.F_OK | fs.constants.X_OK);
+  } catch (error) {
+    console.error(`❌ ${BINARY_NAME_WITH_EXT} is not executable`);
+    console.error(
+      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
+    );
+    process.exit(1);
+  }
+  // Pass all arguments to the binary
+  const args = process.argv.slice(2);
+  // Spawn the binary with inherited stdio for proper terminal interaction
+  const child = spawn(BINARY_PATH, args, {
+    stdio: "inherit",
+    windowsHide: false,
+  });
+  // Handle process termination
+  child.on("error", (error) => {
+    console.error(
+      `❌ Failed to execute ${BINARY_NAME_WITH_EXT}: ${error.message}`,
+    );
+    console.error(
+      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
+    );
+    process.exit(1);
+  });
+  // Exit with the same code as the child process
+  child.on("exit", (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal);
+    } else {
+      process.exit(code || 0);
+    }
+  });
+  // Handle termination signals
+  process.on("SIGTERM", () => {
+    child.kill("SIGTERM");
+  });
+  process.on("SIGINT", () => {
+    child.kill("SIGINT");
+  });
+}
+if (require.main === module) {
+  main();
+}
+module.exports = { main };

package/config.js ADDED Viewed

@@ -0,0 +1,34 @@
+// Configuration for npm binary wrapper
+const ORG_NAME = "@safedep";
+const PACKAGE_NAME = "gryph";
+const BINARY_NAME = "gryph";
+// GitHub repository information for releases
+const REPO_OWNER = "safedep";
+const REPO_NAME = "gryph";
+// GitHub releases base URL (constructed from repo info)
+const GITHUB_RELEASES_BASE = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download`;
+// Platform-specific binary filename patterns (GoReleaser format)
+const BINARY_PATTERNS = {
+  "darwin-x64": `${BINARY_NAME}_Darwin_all.tar.gz`,
+  "darwin-arm64": `${BINARY_NAME}_Darwin_all.tar.gz`,
+  "linux-x64": `${BINARY_NAME}_Linux_x86_64.tar.gz`,
+  "linux-arm64": `${BINARY_NAME}_Linux_arm64.tar.gz`,
+  "linux-ia32": `${BINARY_NAME}_Linux_i386.tar.gz`,
+  "win32-x64": `${BINARY_NAME}_Windows_x86_64.zip`,
+  "win32-arm64": `${BINARY_NAME}_Windows_arm64.zip`,
+  "win32-ia32": `${BINARY_NAME}_Windows_i386.zip`,
+};
+module.exports = {
+  ORG_NAME,
+  PACKAGE_NAME,
+  BINARY_NAME,
+  REPO_OWNER,
+  REPO_NAME,
+  GITHUB_RELEASES_BASE,
+  BINARY_PATTERNS,
+};

package/install.js ADDED Viewed

@@ -0,0 +1,234 @@
+#!/usr/bin/env node
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const https = require("https");
+const crypto = require("crypto");
+const { execSync } = require("child_process");
+const {
+  BINARY_NAME,
+  REPO_OWNER,
+  REPO_NAME,
+  GITHUB_RELEASES_BASE,
+  BINARY_PATTERNS,
+} = require("./config");
+// Read version from package.json with strict validation
+function getValidatedVersion() {
+  try {
+    const packageJson = JSON.parse(
+      fs.readFileSync(path.join(__dirname, "package.json"), "utf8"),
+    );
+    const version = packageJson.version;
+    // Strict validation: must be valid semver (x.y.z)
+    if (!/^\d+\.\d+\.\d+$/.test(version)) {
+      throw new Error(`Invalid version format: ${version}`);
+    }
+    return `v${version}`;
+  } catch (error) {
+    throw new Error(`Failed to read valid version: ${error.message}`);
+  }
+}
+const RELEASE_VERSION = getValidatedVersion();
+const BASE_URL = `${GITHUB_RELEASES_BASE}/${RELEASE_VERSION}`;
+// Platform-specific binary URLs (constructed from config)
+const BINARY_URLS = {};
+Object.keys(BINARY_PATTERNS).forEach((platform) => {
+  BINARY_URLS[platform] = `${BASE_URL}/${BINARY_PATTERNS[platform]}`;
+});
+const CHECKSUMS_URL = `${BASE_URL}/checksums.txt`;
+function getPlatformKey() {
+  const platform = process.platform;
+  const arch = process.arch;
+  return `${platform}-${arch}`;
+}
+function downloadFile(url, dest, maxRedirects = 5) {
+  return new Promise((resolve, reject) => {
+    if (maxRedirects < 0) {
+      reject(new Error("Too many redirects"));
+      return;
+    }
+    const file = fs.createWriteStream(dest);
+    https
+      .get(url, (response) => {
+        if (response.statusCode === 302 || response.statusCode === 301) {
+          file.close();
+          fs.unlink(dest, () => { });
+          return downloadFile(response.headers.location, dest, maxRedirects - 1)
+            .then(resolve)
+            .catch(reject);
+        }
+        if (response.statusCode !== 200) {
+          file.close();
+          fs.unlink(dest, () => { });
+          reject(new Error(`Download failed: ${response.statusCode}`));
+          return;
+        }
+        response.pipe(file);
+        file.on("finish", () => {
+          file.close();
+          resolve();
+        });
+        file.on("error", (err) => {
+          fs.unlink(dest, () => { });
+          reject(err);
+        });
+      })
+      .on("error", reject);
+  });
+}
+function calculateChecksum(filePath) {
+  const fileBuffer = fs.readFileSync(filePath);
+  const hashSum = crypto.createHash("sha256");
+  hashSum.update(fileBuffer);
+  return hashSum.digest("hex");
+}
+function validateChecksum(filePath, expectedChecksum) {
+  const actualChecksum = calculateChecksum(filePath);
+  return actualChecksum === expectedChecksum;
+}
+function extractArchive(archivePath, extractDir) {
+  const isZip = archivePath.endsWith(".zip");
+  if (isZip) {
+    execSync(`unzip -o "${archivePath}" -d "${extractDir}"`, { stdio: "pipe" });
+  } else {
+    execSync(`tar -xzf "${archivePath}" -C "${extractDir}"`, { stdio: "pipe" });
+  }
+}
+async function install() {
+  let tempWorkspace;
+  try {
+    console.log("📦 Installing Gryph binary...");
+    // Get platform-specific URL
+    const platformKey = getPlatformKey();
+    const binaryUrl = BINARY_URLS[platformKey];
+    if (!binaryUrl) {
+      throw new Error(`Unsupported platform: ${platformKey}`);
+    }
+    console.log(`🔍 Platform: ${platformKey}`);
+    console.log(`📡 Version: ${RELEASE_VERSION}`);
+    // Create directories
+    const binDir = path.join(__dirname, "bin");
+    tempWorkspace = fs.mkdtempSync(path.join(os.tmpdir(), "gryph-install-"));
+    fs.mkdirSync(binDir, { recursive: true });
+    // Download binary archive
+    const archiveFilename = path.basename(binaryUrl);
+    const archivePath = path.join(tempWorkspace, archiveFilename);
+    console.log(`⬇️  Downloading binary...`);
+    await downloadFile(binaryUrl, archivePath);
+    // Download checksums
+    const checksumsPath = path.join(tempWorkspace, "checksums.txt");
+    console.log(`⬇️  Downloading checksums...`);
+    await downloadFile(CHECKSUMS_URL, checksumsPath);
+    // Parse checksums file
+    const checksumsContent = fs.readFileSync(checksumsPath, "utf8");
+    const checksumLines = checksumsContent.split("\n");
+    let expectedChecksum = null;
+    for (const line of checksumLines) {
+      if (line.includes(archiveFilename)) {
+        expectedChecksum = line.split(/\s+/)[0];
+        break;
+      }
+    }
+    if (!expectedChecksum) {
+      throw new Error(`Checksum not found for ${archiveFilename}`);
+    }
+    // Validate checksum
+    console.log(`🔐 Validating checksum...`);
+    if (!validateChecksum(archivePath, expectedChecksum)) {
+      throw new Error(
+        "Checksum validation failed - binary may be corrupted or tampered",
+      );
+    }
+    console.log(`✅ Checksum validated`);
+    // Extract archive
+    console.log(`📂 Extracting binary...`);
+    extractArchive(archivePath, tempWorkspace);
+    // Find and move binary
+    const binaryName =
+      process.platform === "win32" ? `${BINARY_NAME}.exe` : BINARY_NAME;
+    const extractedBinaryPath = path.join(tempWorkspace, binaryName);
+    const finalBinaryPath = path.join(binDir, binaryName);
+    if (!fs.existsSync(extractedBinaryPath)) {
+      throw new Error(
+        `Binary not found at expected location: ${extractedBinaryPath}`,
+      );
+    }
+    // Move binary to final location (handle cross-device links)
+    try {
+      fs.renameSync(extractedBinaryPath, finalBinaryPath);
+    } catch (error) {
+      if (error.code === "EXDEV") {
+        // Cross-device link not permitted, copy and delete instead
+        fs.copyFileSync(extractedBinaryPath, finalBinaryPath);
+        fs.unlinkSync(extractedBinaryPath);
+      } else {
+        throw error;
+      }
+    }
+    // Make executable on Unix systems
+    if (process.platform !== "win32") {
+      fs.chmodSync(finalBinaryPath, "755");
+    }
+    // Clean up
+    fs.rmSync(tempWorkspace, { recursive: true, force: true });
+    console.log("✅ Gryph binary installed successfully!");
+  } catch (error) {
+    console.error("❌ Installation failed:", error.message);
+    // Clean up on failure
+    try {
+      if (tempWorkspace && fs.existsSync(tempWorkspace)) {
+        fs.rmSync(tempWorkspace, { recursive: true, force: true });
+      }
+    } catch (cleanupError) {
+      console.warn("⚠️  Failed to clean up:", cleanupError.message);
+    }
+    process.exit(1);
+  }
+}
+// Run installation
+install();

package/package.json ADDED Viewed

@@ -0,0 +1,58 @@
+{
+  "name": "@safedep/gryph",
+  "description": "AI coding agent audit trail tool",
+  "main": "bin/gryph.js",
+  "bin": {
+    "gryph": "bin/gryph.js"
+  },
+  "scripts": {
+    "preinstall": "echo \"Installing Gryph binary for your platform...\"",
+    "postinstall": "node install.js"
+  },
+  "keywords": [
+    "security",
+    "package-manager",
+    "malicious-packages",
+    "npm",
+    "cli",
+    "vulnerability",
+    "dependency-security",
+    "safedep"
+  ],
+  "author": "SafeDep <devops@safedep.io>",
+  "license": "Apache-2.0",
+  "homepage": "https://github.com/safedep/gryph#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/safedep/gryph.git"
+  },
+  "bugs": {
+    "url": "https://github.com/safedep/gryph/issues"
+  },
+  "engines": {
+    "node": ">=14"
+  },
+  "os": [
+    "darwin",
+    "linux",
+    "win32"
+  ],
+  "cpu": [
+    "x64",
+    "arm64",
+    "ia32"
+  ],
+  "files": [
+    "bin/gryph.js",
+    "install.js",
+    "config.js",
+    "test.js",
+    "README.md",
+    ".npmignore"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {},
+  "version": "0.0.1"
+}