@sanctix/client 0.1.0 → 0.1.2

package/bin/sanctix.js

@@ -5,6 +5,7 @@ import { uninstall } from '../cli/uninstall.js';
 import { status } from '../cli/status.js';
 import { start } from '../cli/start.js';
 import { stop } from '../cli/stop.js';
+import { launch } from '../cli/launch.js';
 
 program
   .name('sanctix')
@@ -39,6 +40,13 @@ program
   .option('-y, --yes', 'Skip confirmation for high-risk tasks')
   .action(start);
 
+program
+  .command('launch <task> <runtime>')
+  .description('Start a governed session, launch a runtime and stop when it exits')
+  .option('--risk <level>', 'Risk level: low, medium, high')
+  .option('-y, --yes', 'Skip confirmation for high-risk tasks')
+  .action(launch);
+
 program
   .command('stop')
   .description('Complete the active governed session')

package/cli/init.js

@@ -1,6 +1,7 @@
 import fs from 'fs-extra';
 import path from 'path';
 import url from 'url';
+import { randomUUID } from 'crypto';
 import inquirer from 'inquirer';
 import chalk from 'chalk';
 import {
@@ -20,12 +21,12 @@ const HOSTED_AUDIT_URL = 'https://awf.ruvoni.com';
 const SANCTIX_HOOK_COMMANDS = {
   PreToolUse: [
     { matcher: 'Bash',  command: 'node .claude/hooks/pre-tool-use/check-bash.cjs' },
-    { matcher: '.*',    command: 'node .claude/hooks/pre-tool-use/check-file-edit.cjs' },
+    { matcher: 'Edit|Write', command: 'node .claude/hooks/pre-tool-use/check-file-edit.cjs' },
     { matcher: 'Agent', command: 'node .claude/hooks/pre-tool-use/check-agent-spawn.cjs' },
   ],
   PostToolUse: [
     { matcher: 'Agent', command: 'node .claude/hooks/post-tool-use/check-agent-spawn-result.cjs' },
-    { matcher: '.*',    command: 'node .claude/hooks/post-tool-use/check-file-edit-result.cjs' },
+    { matcher: 'Edit|Write', command: 'node .claude/hooks/post-tool-use/check-file-edit-result.cjs' },
   ],
   SubagentStart: [
     { matcher: null,    command: 'node .claude/hooks/sub-agent-start/check-subagent-start.cjs' },
@@ -123,7 +124,17 @@ export async function init(options) {
   await fs.ensureDir(path.join(cwd, '.sanctix'));
   await fs.writeJSON(path.join(cwd, '.sanctix/sanctix.config.json'), manifest, { spaces: 2 });
 
-  // Step 7: Print confirmation.
+  // Step 7: Discover agents from Claude Code permissions and assign stable UUIDs.
+  if (runtime === 'claude_code') {
+    const agents = await discoverAgents(cwd);
+    const names = Object.keys(agents);
+    if (names.length > 0) {
+      const parts = names.map((n) => `${n} (${agents[n]})`);
+      console.log('Discovered agents: ' + parts.join(', '));
+    }
+  }
+
+  // Step 8: Print confirmation.
   console.log('');
   console.log(chalk.green('[ok] Sanctix is now governing your ' + runtime + ' sessions.'));
   console.log('');
@@ -137,6 +148,39 @@ export async function init(options) {
   console.log('  Docs: https://sanctix.ai');
 }
 
+async function discoverAgents(cwd) {
+  const settingsPath = path.join(cwd, '.claude/settings.json');
+  if (!(await fs.pathExists(settingsPath))) return {};
+
+  let settings;
+  try {
+    settings = await fs.readJSON(settingsPath);
+  } catch {
+    return {};
+  }
+
+  const allowList = (settings.permissions && settings.permissions.allow) || [];
+  const agentNames = allowList
+    .filter((p) => typeof p === 'string' && p.startsWith('Agent(') && p.endsWith(')'))
+    .map((p) => p.slice(6, -1).trim())
+    .filter((name) => name.length > 0);
+
+  if (agentNames.length === 0) return {};
+
+  const agentsPath = path.join(cwd, '.sanctix/agents.json');
+  const existing = (await fs.pathExists(agentsPath)) ? await fs.readJSON(agentsPath) : {};
+
+  const result = {};
+  for (const name of agentNames) {
+    result[name] = existing[name] || randomUUID();
+  }
+
+  await fs.ensureDir(path.join(cwd, '.sanctix'));
+  await fs.writeJSON(agentsPath, result, { spaces: 2 });
+
+  return result;
+}
+
 function managedFilesFor(runtime) {
   if (runtime === 'claude_code') return CLAUDE_MANAGED_FILES;
   if (runtime === 'cursor')      return ['.cursor/rules/sanctix-governance.mdc'];

package/cli/launch.js

@@ -0,0 +1,133 @@
+import { spawn } from 'child_process';
+import fs from 'fs-extra';
+import path from 'path';
+import chalk from 'chalk';
+import { start } from './start.js';
+import { stop } from './stop.js';
+
+const RUNTIMES = {
+  claude_code: {
+    command: 'claude',
+    args: ['--dangerously-skip-permissions'],
+    label: 'Claude Code',
+  },
+  cursor: {
+    command: 'cursor',
+    args: ['.'],
+    label: 'Cursor',
+  },
+  codex: {
+    command: 'codex',
+    args: [],
+    label: 'Codex',
+  },
+};
+
+export async function launch(taskDescription, runtime, options = {}) {
+  const selectedRuntime = String(runtime || '').toLowerCase();
+  const spec = RUNTIMES[selectedRuntime];
+
+  if (!spec) {
+    console.error(chalk.red('Unknown runtime: ' + runtime));
+    console.error('Runtime must be one of: claude_code, cursor, codex');
+    process.exit(1);
+  }
+
+  let runtimeResult = { code: 1, signal: null };
+  let started = false;
+
+  try {
+    const session = await start(taskDescription, {
+      ...options,
+      runtime: selectedRuntime,
+      launch: true,
+      noExit: true,
+    });
+    started = true;
+
+    const sessionEnv = await readSessionEnv(process.cwd());
+    const childEnv = {
+      ...process.env,
+      ...sessionEnv,
+      AWF_CORRELATION_ID: session.correlationId,
+      AWF_SESSION_ID: session.sessionId,
+      AWF_USER_ID: session.userId,
+      SANCTIX_AUDIT_URL: session.auditUrl,
+      SANCTIX_RUNTIME: selectedRuntime,
+    };
+
+    if (session.apiKey) {
+      childEnv.SANCTIX_API_KEY = session.apiKey;
+    }
+
+    console.log('');
+    console.log(chalk.bold('Launching ' + spec.label + ' with Sanctix session ' + session.correlationId));
+    runtimeResult = await runRuntime(spec, childEnv);
+  } finally {
+    if (started) {
+      await stop({ yes: true, noExit: true });
+    }
+  }
+
+  exitWithRuntimeResult(runtimeResult);
+}
+
+function runRuntime(spec, env) {
+  return new Promise((resolve) => {
+    const child = spawn(spec.command, spec.args, {
+      stdio: 'inherit',
+      env,
+    });
+
+    child.on('error', (err) => {
+      console.error(chalk.red('Failed to launch ' + spec.command + ': ' + err.message));
+      resolve({ code: 127, signal: null });
+    });
+
+    child.on('exit', (code, signal) => {
+      resolve({ code: code == null ? 1 : code, signal });
+    });
+  });
+}
+
+async function readSessionEnv(cwd) {
+  const sessionEnvPath = path.join(cwd, '.sanctix/session.env');
+  if (!(await fs.pathExists(sessionEnvPath))) return {};
+
+  const text = await fs.readFile(sessionEnvPath, 'utf8');
+  const env = {};
+  for (const line of text.split('\n')) {
+    const m = line.match(/^([A-Z0-9_]+)=(.*)$/);
+    if (m) env[m[1]] = m[2];
+  }
+  return env;
+}
+
+function exitWithRuntimeResult(result) {
+  if (result.signal) {
+    const signalNumber = signalExitCode(result.signal);
+    process.exit(signalNumber || 1);
+  }
+  process.exit(result.code == null ? 1 : result.code);
+}
+
+function signalExitCode(signal) {
+  const signals = {
+    SIGHUP: 1,
+    SIGINT: 2,
+    SIGQUIT: 3,
+    SIGILL: 4,
+    SIGTRAP: 5,
+    SIGABRT: 6,
+    SIGBUS: 7,
+    SIGFPE: 8,
+    SIGKILL: 9,
+    SIGUSR1: 10,
+    SIGSEGV: 11,
+    SIGUSR2: 12,
+    SIGPIPE: 13,
+    SIGALRM: 14,
+    SIGTERM: 15,
+  };
+  return signals[signal] ? 128 + signals[signal] : null;
+}

package/cli/start.js

@@ -29,6 +29,7 @@ export async function start(taskDescription, options = {}) {
   const sessionId     = crypto.randomUUID();
   const startedAt     = new Date().toISOString();
   const userId        = process.env.USER || process.env.USERNAME || 'user';
+  const runtimeProvider = options.runtime || manifest.runtime || 'unknown';
 
   // Step 3: Infer risk if not provided.
   let risk;
@@ -52,7 +53,7 @@ export async function start(taskDescription, options = {}) {
       timestamp_utc:    startedAt,
       correlation_id:   correlationId,
       user_id:          userId,
-      runtime_provider: manifest.runtime,
+      runtime_provider: runtimeProvider,
       event_data: {
         session_id:       sessionId,
         task_description: taskDescription,
@@ -100,6 +101,7 @@ export async function start(taskDescription, options = {}) {
     'SANCTIX_SESSION_STARTED=' + startedAt,
     'SANCTIX_TASK=' + truncatedTask,
     'SANCTIX_RISK=' + risk,
+    'SANCTIX_RUNTIME=' + runtimeProvider,
     '',
   ];
   await fs.ensureDir(path.join(cwd, '.sanctix'));
@@ -112,6 +114,21 @@ export async function start(taskDescription, options = {}) {
   console.log('Task:        ' + taskDescription);
   console.log('Risk:        ' + risk);
   console.log('Started:     ' + startedAt);
+  if (options.launch) {
+    console.log('Runtime:     ' + runtimeProvider);
+    console.log(chalk.bold('================================'));
+    return {
+      correlationId,
+      sessionId,
+      userId,
+      startedAt,
+      task: taskDescription,
+      risk,
+      auditUrl: manifest.auditUrl,
+      apiKey,
+      runtime: runtimeProvider,
+    };
+  }
   console.log('');
   console.log('Activate this session by running ONE of the following');
   console.log('before launching your runtime:');
@@ -137,6 +154,19 @@ export async function start(taskDescription, options = {}) {
   console.log(chalk.bold('================================'));
 
   // Step 8: Exit 0.
+  if (options.noExit) {
+    return {
+      correlationId,
+      sessionId,
+      userId,
+      startedAt,
+      task: taskDescription,
+      risk,
+      auditUrl: manifest.auditUrl,
+      apiKey,
+      runtime: runtimeProvider,
+    };
+  }
   process.exit(0);
 }
 

package/cli/stop.js

@@ -10,6 +10,7 @@ export async function stop(_options = {}) {
   const sessionEnvPath = path.join(cwd, '.sanctix/session.env');
   if (!(await fs.pathExists(sessionEnvPath))) {
     console.log('No active Sanctix session found.');
+    if (_options.noExit) return;
     process.exit(0);
   }
 
@@ -26,28 +27,14 @@ export async function stop(_options = {}) {
   const manifestPath = path.join(cwd, '.sanctix/sanctix.config.json');
   if (!(await fs.pathExists(manifestPath))) {
     console.error(chalk.red('Sanctix manifest missing. Cannot complete session cleanly.'));
+    if (_options.noExit) return;
     process.exit(1);
   }
   const manifest = await fs.readJSON(manifestPath);
   const auditUrl = manifest.auditUrl.replace(/\/$/, '');
   const apiKey = process.env.SANCTIX_API_KEY || readEnvKey(cwd, 'SANCTIX_API_KEY');
 
-  // Step 4: Get session summary from audit service.
-  const sessionRes = await httpRequestJson('GET', auditUrl + '/session/' + correlationId, {
-    apiKey: apiKey || null,
-    timeoutMs: 3000,
-  });
-  let summaryLine = null;
-  if (sessionRes.status === 200 && sessionRes.body && typeof sessionRes.body === 'object') {
-    const count = sessionRes.body.event_count;
-    const chain = sessionRes.body.chain_status;
-    summaryLine = 'Events:     ' + (count !== undefined ? count : 'n/a') +
-      (chain ? ' (chain: ' + chain + ')' : '');
-  } else {
-    summaryLine = 'Session data not yet available.';
-  }
-
-  // Step 5: Post SANCTIX_SESSION_COMPLETED event.
+  // Step 4: Post sanctix.session.completed event.
   const completedAt = new Date().toISOString();
   const userId = process.env.USER || process.env.USERNAME || 'user';
   const postRes = await httpRequestJson('POST', auditUrl + '/events', {
@@ -76,23 +63,54 @@ export async function stop(_options = {}) {
     ));
   }
 
+  // Step 5: Fetch session summary from audit service.
+  const sessionRes = await httpRequestJson('GET', auditUrl + '/session/' + correlationId, {
+    apiKey: apiKey || null,
+    timeoutMs: 3000,
+  });
+
   // Step 6: Remove session env file.
   await fs.remove(sessionEnvPath);
 
   // Step 7: Print summary.
   const duration = formatDuration(startedAt, completedAt);
   console.log('');
-  console.log(chalk.bold('=== Sanctix Session Complete ==='));
-  console.log('Session:    ' + correlationId);
-  console.log('Task:       ' + task);
-  console.log('Risk:       ' + risk);
-  console.log('Duration:   ' + duration);
-  if (summaryLine) console.log(summaryLine);
-  console.log('');
-  console.log('To view this session:');
-  console.log('  awf audit show --correlation-id ' + correlationId);
-  console.log('');
-  console.log(chalk.bold('================================'));
+  console.log(chalk.bold('=== Sanctix Session Summary ==='));
+  if (sessionRes.status === 200 && sessionRes.body && typeof sessionRes.body === 'object') {
+    const s = sessionRes.body;
+    const toolBreakdown = s.tool_breakdown || {};
+    const toolCalls = Object.values(toolBreakdown).reduce((a, b) => a + (Number(b) || 0), 0);
+    const filesChanged = Array.isArray(s.files_changed) ? s.files_changed : [];
+    const commands     = Array.isArray(s.commands)      ? s.commands      : [];
+
+    console.log('Task:        ' + task);
+    console.log('Risk:        ' + risk);
+    console.log('Duration:    ' + duration);
+    console.log('');
+    console.log('What happened:');
+    console.log('  Tool calls:     ' + toolCalls);
+    console.log('  Files changed:  ' + filesChanged.length);
+    console.log('  Commands run:   ' + (s.commands_run || 0));
+    console.log('  Agent spawns:   ' + (s.agent_spawns || 0));
+    if (commands.length > 0) {
+      console.log('');
+      console.log('Commands run:');
+      for (const c of commands) console.log('  ' + c);
+    }
+    if (filesChanged.length > 0) {
+      console.log('');
+      console.log('Files touched:');
+      for (const f of filesChanged) console.log('  ' + f);
+    }
+    console.log('');
+    console.log('Audit:');
+    console.log('  Events:   ' + (s.event_count != null ? s.event_count : 'n/a'));
+    console.log('  Chain:    ' + (s.chain_status || 'unknown'));
+    console.log('  Session:  ' + correlationId);
+  } else {
+    console.log('Session:  ' + correlationId);
+  }
+  console.log('================================');
 }
 
 function parseEnvFile(text) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanctix/client",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Sanctix governed edge client. Installs governance hooks for Claude Code, Codex and Cursor. Connects to the Sanctix control plane.",
   "type": "module",
   "bin": {