@sanctix/client 0.1.0

package/hooks/check-file-edit.cjs

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const { captureToolContext } = require(path.join(__dirname, 'tool-capture.cjs'));
+const { postAuditEvent }     = require(path.join(__dirname, 'post-audit-event.cjs'));
+
+const AUDIT_URL      = process.env.SANCTIX_AUDIT_URL  || 'http://localhost:8787';
+const API_KEY        = process.env.SANCTIX_API_KEY    || null;
+const CORRELATION_ID = process.env.AWF_CORRELATION_ID || crypto.randomUUID();
+const USER_ID        = process.env.AWF_USER_ID        || 'user';
+
+const LOG_PATH = '/tmp/sanctix-audit.log';
+
+let input = {};
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
+} catch (_e) {
+  input = {};
+}
+
+const toolName  = (input && input.tool_name) || '';
+const filePath  = (input && input.tool_input && (input.tool_input.path || input.tool_input.file_path)) || 'unknown';
+const timestamp = new Date().toISOString();
+
+try {
+  fs.appendFileSync(LOG_PATH, JSON.stringify({
+    timestamp,
+    tool: toolName,
+    file: filePath,
+    hook: 'pre-tool-use',
+    decision: 'allow',
+  }) + '\n');
+} catch (_e) {}
+
+(async () => {
+  let toolCtx = null;
+  try { toolCtx = captureToolContext(input); } catch (_e) {}
+
+  try {
+    await postAuditEvent({
+      actor_type:       'agent',
+      event_type:       'hook.file_edit.pre_tool_use',
+      timestamp_utc:    timestamp,
+      correlation_id:   CORRELATION_ID,
+      user_id:          USER_ID,
+      runtime_provider: 'claude_code',
+      event_data: {
+        tool_name:     toolCtx && toolCtx.tool_name,
+        file_path:     toolCtx && toolCtx.file_path,
+        command:       toolCtx && toolCtx.command,
+        args_redacted: toolCtx && toolCtx.args_redacted,
+      },
+      before_state: toolCtx && toolCtx.before_state,
+    }, { url: AUDIT_URL, apiKey: API_KEY, timeoutMs: 500 });
+  } catch (_e) {}
+
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+})();

package/hooks/check-subagent-start.cjs

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const { captureToolContext } = require(path.join(__dirname, 'tool-capture.cjs'));
+const { postAuditEvent }     = require(path.join(__dirname, 'post-audit-event.cjs'));
+
+const AUDIT_URL      = process.env.SANCTIX_AUDIT_URL  || 'http://localhost:8787';
+const API_KEY        = process.env.SANCTIX_API_KEY    || null;
+const CORRELATION_ID = process.env.AWF_CORRELATION_ID || crypto.randomUUID();
+const USER_ID        = process.env.AWF_USER_ID        || 'user';
+
+const LOG_PATH = '/tmp/sanctix-audit.log';
+
+let input = {};
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'));
+} catch (_e) {
+  input = {};
+}
+
+const timestamp = new Date().toISOString();
+
+try {
+  fs.appendFileSync(LOG_PATH, JSON.stringify({
+    timestamp,
+    hook: 'sub-agent-start',
+    decision: 'allow',
+  }) + '\n');
+} catch (_e) {}
+
+(async () => {
+  let toolCtx = null;
+  try { toolCtx = captureToolContext(input); } catch (_e) {}
+
+  try {
+    await postAuditEvent({
+      actor_type:       'agent',
+      event_type:       'hook.subagent.start',
+      timestamp_utc:    timestamp,
+      correlation_id:   CORRELATION_ID,
+      user_id:          USER_ID,
+      runtime_provider: 'claude_code',
+      event_data: {
+        tool_name:     toolCtx && toolCtx.tool_name,
+        file_path:     toolCtx && toolCtx.file_path,
+        command:       toolCtx && toolCtx.command,
+        args_redacted: toolCtx && toolCtx.args_redacted,
+      },
+      before_state: toolCtx && toolCtx.before_state,
+    }, { url: AUDIT_URL, apiKey: API_KEY, timeoutMs: 500 });
+  } catch (_e) {}
+
+  process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  process.exit(0);
+})();

package/hooks/post-audit-event.cjs

@@ -0,0 +1,50 @@
+"use strict";
+
+// Self-contained audit POST helper for all client-side hook shims.
+// Uses Node http/https only. Never throws.
+
+const http  = require('http');
+const https = require('https');
+
+async function postAuditEvent(payload, opts) {
+  const url       = (opts && opts.url) || 'http://localhost:8787';
+  const apiKey    = (opts && opts.apiKey) || null;
+  const timeoutMs = (opts && opts.timeoutMs) || 500;
+
+  return new Promise((resolve) => {
+    try {
+      const parsed = new URL('/events', url);
+      const isHttps = parsed.protocol === 'https:';
+      const lib = isHttps ? https : http;
+      const data = Buffer.from(JSON.stringify(payload));
+      const headers = {
+        'content-type':   'application/json',
+        'content-length': data.length,
+      };
+      if (apiKey) {
+        headers['X-Sanctix-API-Key'] = apiKey;
+      }
+      const req = lib.request({
+        host:     parsed.hostname,
+        port:     parsed.port || (isHttps ? 443 : 80),
+        path:     parsed.pathname,
+        method:   'POST',
+        headers:  headers,
+      }, (res) => {
+        res.on('data', () => {});
+        res.on('end', resolve);
+      });
+      req.on('error', () => resolve());
+      req.setTimeout(timeoutMs, () => {
+        try { req.destroy(); } catch (_e) {}
+        resolve();
+      });
+      req.write(data);
+      req.end();
+    } catch (_e) {
+      resolve();
+    }
+  });
+}
+
+module.exports = { postAuditEvent };

package/hooks/tool-capture.cjs

@@ -0,0 +1,138 @@
+"use strict";
+
+// Self-contained tool-input capture for client-side hook audit payloads.
+// CommonJS so it can be require()d from .cjs hooks.
+// Best-effort: every field is wrapped in try/catch and falls back to null.
+// captureToolContext never throws.
+
+const { execFileSync } = require('child_process');
+
+const SECRET_KEY_PATTERNS = [
+  'password',
+  'secret',
+  'key',
+  'token',
+  'api_key',
+  'apikey',
+  'auth',
+  'credential',
+  'database_url',
+  'private',
+];
+
+const BEARER_TOKEN_RE = /^(Bearer\s+|sk-|ghp_|xoxb-)/i;
+
+const COMMAND_MAX_LEN = 500;
+
+function isSecretKey(key) {
+  if (typeof key !== 'string') return false;
+  const lower = key.toLowerCase();
+  return SECRET_KEY_PATTERNS.some((p) => lower.includes(p));
+}
+
+function isSecretValue(value) {
+  if (typeof value !== 'string') return false;
+  if (BEARER_TOKEN_RE.test(value)) return true;
+  if (value.length > 200 && !/\s/.test(value)) return true;
+  return false;
+}
+
+function parseArgsRedacted(command) {
+  try {
+    if (typeof command !== 'string') return null;
+    const result = {};
+    const tokens = command.split(/\s+/);
+    for (const tok of tokens) {
+      if (!tok) continue;
+      const eqIdx = tok.indexOf('=');
+      if (eqIdx <= 0) continue;
+      const key = tok.slice(0, eqIdx);
+      const value = tok.slice(eqIdx + 1);
+      if (isSecretKey(key) || isSecretValue(value)) {
+        result[key] = '[REDACTED]';
+      }
+    }
+    return Object.keys(result).length ? result : null;
+  } catch (_e) {
+    return null;
+  }
+}
+
+function parsePorcelain(output) {
+  const staged = [];
+  const unstaged = [];
+  const untracked = [];
+  if (!output) return { staged, unstaged, untracked };
+  const lines = output.split('\n');
+  for (const line of lines) {
+    if (!line || line.length < 3) continue;
+    const X = line[0];
+    const Y = line[1];
+    const path = line.slice(3);
+    if (X === '?' && Y === '?') {
+      untracked.push({ status: '??', path });
+      continue;
+    }
+    if (X !== ' ' && X !== '?') {
+      staged.push({ status: X, path });
+    }
+    if (Y !== ' ' && Y !== '?') {
+      unstaged.push({ status: Y, path });
+    }
+  }
+  return { staged, unstaged, untracked };
+}
+
+function captureGitState() {
+  try {
+    const out = execFileSync('git', ['status', '--porcelain'], {
+      cwd: process.cwd(),
+      stdio: ['ignore', 'pipe', 'ignore'],
+      encoding: 'utf8',
+      timeout: 2000,
+    });
+    return parsePorcelain(out);
+  } catch (_e) {
+    return null;
+  }
+}
+
+function captureToolContext(input) {
+  const ctx = {
+    tool_name: null,
+    file_path: null,
+    command: null,
+    args_redacted: null,
+    before_state: null,
+  };
+  try {
+    if (!input || typeof input !== 'object') return ctx;
+
+    try {
+      ctx.tool_name = input.tool_name || null;
+    } catch (_e) {}
+
+    const toolInput = (input && input.tool_input) || {};
+
+    try {
+      ctx.file_path = toolInput.path || toolInput.file_path || null;
+    } catch (_e) {}
+
+    try {
+      if (ctx.tool_name === 'Bash' && typeof toolInput.command === 'string') {
+        ctx.command = toolInput.command.slice(0, COMMAND_MAX_LEN);
+        ctx.args_redacted = parseArgsRedacted(toolInput.command);
+      }
+    } catch (_e) {}
+
+    try {
+      ctx.before_state = captureGitState();
+    } catch (_e) {}
+
+    return ctx;
+  } catch (_e) {
+    return ctx;
+  }
+}
+
+module.exports = { captureToolContext };

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@sanctix/client",
+  "version": "0.1.0",
+  "description": "Sanctix governed edge client. Installs governance hooks for Claude Code, Codex and Cursor. Connects to the Sanctix control plane.",
+  "type": "module",
+  "bin": {
+    "sanctix": "bin/sanctix.js"
+  },
+  "files": [
+    "bin/",
+    "cli/",
+    "hooks/",
+    "templates/",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "commander": "^12.0.0",
+    "inquirer": "^9.0.0",
+    "chalk": "^5.0.0",
+    "fs-extra": "^11.0.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "agent-governance",
+    "ai-agents",
+    "trust",
+    "audit",
+    "claude-code",
+    "codex",
+    "cursor"
+  ],
+  "author": "Ruvoni Inc.",
+  "license": "MIT"
+}