@solongate/proxy 0.43.0 → 0.44.0

package/dist/login.js

@@ -0,0 +1,308 @@
+#!/usr/bin/env node
+
+// src/login.ts
+import { spawn } from "child_process";
+
+// src/cli-utils.ts
+var c = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  italic: "\x1B[3m",
+  white: "\x1B[97m",
+  gray: "\x1B[90m",
+  blue1: "\x1B[38;2;20;50;160m",
+  blue2: "\x1B[38;2;40;80;190m",
+  blue3: "\x1B[38;2;60;110;215m",
+  blue4: "\x1B[38;2;90;140;230m",
+  blue5: "\x1B[38;2;130;170;240m",
+  blue6: "\x1B[38;2;170;200;250m",
+  green: "\x1B[38;2;80;200;120m",
+  red: "\x1B[38;2;220;80;80m",
+  cyan: "\x1B[38;2;100;200;220m",
+  yellow: "\x1B[38;2;220;200;80m",
+  bgBlue: "\x1B[48;2;20;50;160m"
+};
+var BANNER_COLORS = [c.blue1, c.blue2, c.blue3, c.blue4, c.blue5, c.blue6];
+
+// src/global-install.ts
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { resolve, join, dirname } from "path";
+import { homedir } from "os";
+import { fileURLToPath } from "url";
+import { createInterface } from "readline";
+import { execFileSync } from "child_process";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var HOOKS_DIR = resolve(__dirname, "..", "hooks");
+function lockFile(file) {
+  if (!existsSync(file)) return;
+  try {
+    if (process.platform === "win32") {
+      try {
+        execFileSync("icacls", [file, "/deny", "*S-1-1-0:(WD,AD,DC,DE)"], { stdio: "ignore" });
+      } catch {
+      }
+      try {
+        execFileSync("attrib", ["+R", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else if (process.platform === "darwin") {
+      try {
+        execFileSync("chflags", ["uchg", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else {
+      try {
+        execFileSync("chattr", ["+i", file], { stdio: "ignore" });
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function unlockFile(file) {
+  if (!existsSync(file)) return;
+  try {
+    if (process.platform === "win32") {
+      try {
+        execFileSync("icacls", [file, "/remove:d", "*S-1-1-0"], { stdio: "ignore" });
+      } catch {
+      }
+      try {
+        execFileSync("icacls", [file, "/reset"], { stdio: "ignore" });
+      } catch {
+      }
+      try {
+        execFileSync("attrib", ["-R", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else if (process.platform === "darwin") {
+      try {
+        execFileSync("chflags", ["nouchg", file], { stdio: "ignore" });
+      } catch {
+      }
+    } else {
+      try {
+        execFileSync("chattr", ["-i", file], { stdio: "ignore" });
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function protectedTargets() {
+  const p = globalPaths();
+  return [
+    join(p.hooksDir, "guard.mjs"),
+    join(p.hooksDir, "audit.mjs"),
+    join(p.hooksDir, "stop.mjs"),
+    p.configPath,
+    p.settingsPath
+  ];
+}
+function lockProtected() {
+  for (const f of protectedTargets()) lockFile(f);
+}
+function unlockProtected() {
+  for (const f of protectedTargets()) unlockFile(f);
+}
+function globalPaths() {
+  const home = homedir();
+  const sgDir = join(home, ".solongate");
+  const hooksDir = join(sgDir, "hooks");
+  const claudeDir = join(home, ".claude");
+  return {
+    home,
+    sgDir,
+    hooksDir,
+    claudeDir,
+    settingsPath: join(claudeDir, "settings.json"),
+    backupPath: join(claudeDir, "settings.solongate.bak"),
+    configPath: join(sgDir, "cloud-guard.json")
+  };
+}
+function readHook(filename) {
+  return readFileSync(join(HOOKS_DIR, filename), "utf-8");
+}
+function readGuard() {
+  const bundled = join(HOOKS_DIR, "guard.bundled.mjs");
+  return existsSync(bundled) ? readFileSync(bundled, "utf-8") : readHook("guard.mjs");
+}
+function ask(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  return new Promise((res) => rl.question(question, (a) => {
+    rl.close();
+    res(a.trim());
+  }));
+}
+async function runGlobalInstall(opts = {}) {
+  const p = globalPaths();
+  let apiKey = opts.apiKey || process.env["SOLONGATE_API_KEY"] || "";
+  if (!apiKey || apiKey === "sg_live_your_key_here") {
+    try {
+      const cfg = JSON.parse(readFileSync(p.configPath, "utf-8"));
+      if (cfg && typeof cfg.apiKey === "string") apiKey = cfg.apiKey;
+    } catch {
+    }
+  }
+  if (!apiKey || apiKey === "sg_live_your_key_here") {
+    apiKey = await ask("  Enter your SolonGate API key (sg_live_\u2026 from https://dashboard.solongate.com): ");
+  }
+  if (!apiKey.startsWith("sg_live_") && !apiKey.startsWith("sg_test_")) {
+    console.log("  Invalid API key. Must start with sg_live_ or sg_test_");
+    process.exit(1);
+  }
+  const apiUrl = opts.apiUrl || process.env["SOLONGATE_API_URL"] || "https://api.solongate.com";
+  mkdirSync(p.hooksDir, { recursive: true });
+  mkdirSync(p.claudeDir, { recursive: true });
+  unlockProtected();
+  writeFileSync(join(p.hooksDir, "guard.mjs"), readGuard());
+  writeFileSync(join(p.hooksDir, "audit.mjs"), readHook("audit.mjs"));
+  writeFileSync(join(p.hooksDir, "stop.mjs"), readHook("stop.mjs"));
+  console.log(`  Installed hooks \u2192 ${p.hooksDir}`);
+  writeFileSync(p.configPath, JSON.stringify({ apiKey, apiUrl }, null, 2) + "\n");
+  console.log(`  Wrote ${p.configPath}`);
+  let existing = {};
+  if (existsSync(p.settingsPath)) {
+    const raw = readFileSync(p.settingsPath, "utf-8");
+    if (!existsSync(p.backupPath)) {
+      writeFileSync(p.backupPath, raw);
+      console.log(`  Backed up existing settings \u2192 ${p.backupPath}`);
+    }
+    try {
+      existing = JSON.parse(raw);
+    } catch {
+      existing = {};
+    }
+  }
+  const guardAbs = join(p.hooksDir, "guard.mjs").replace(/\\/g, "/");
+  const auditAbs = join(p.hooksDir, "audit.mjs").replace(/\\/g, "/");
+  const stopAbs = join(p.hooksDir, "stop.mjs").replace(/\\/g, "/");
+  const merged = {
+    ...existing,
+    hooks: {
+      PreToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${guardAbs}" claude-code "Claude Code"` }] }],
+      PostToolUse: [{ matcher: "", hooks: [{ type: "command", command: `node "${auditAbs}" claude-code "Claude Code"` }] }],
+      Stop: [{ matcher: "", hooks: [{ type: "command", command: `node "${stopAbs}" claude-code "Claude Code"` }] }]
+    }
+  };
+  writeFileSync(p.settingsPath, JSON.stringify(merged, null, 2) + "\n");
+  console.log(`  Registered global hooks \u2192 ${p.settingsPath}`);
+  if (process.env["SOLONGATE_OS_LOCK"] === "1") {
+    lockProtected();
+    console.log("  Locked protection files (OS-level read-only/immutable).");
+  }
+}
+
+// src/login.ts
+var sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+function parseArgs(argv) {
+  const args = argv.slice(3);
+  let apiUrl = process.env["SOLONGATE_API_URL"] || "https://api.solongate.com";
+  let install = true;
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--api-url") apiUrl = args[++i] || apiUrl;
+    else if (args[i] === "--no-install") install = false;
+  }
+  return { apiUrl, install };
+}
+function openBrowser(url) {
+  try {
+    const cmd = process.platform === "win32" ? "cmd" : process.platform === "darwin" ? "open" : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", '""', url] : [url];
+    spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
+  } catch {
+  }
+}
+async function main() {
+  const { apiUrl, install } = parseArgs(process.argv);
+  console.log("");
+  console.log(`  ${c.bold}SolonGate \u2014 Login${c.reset}`);
+  console.log("");
+  let start;
+  try {
+    const res = await fetch(`${apiUrl}/api/v1/auth/device/start`, { method: "POST" });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    start = await res.json();
+  } catch (e) {
+    console.log(`  Could not reach SolonGate (${apiUrl}).`);
+    console.log(`  ${e instanceof Error ? e.message : String(e)}`);
+    process.exit(1);
+  }
+  const { device_code, user_code, verification_uri_complete, verification_uri, interval, expires_in } = start;
+  const verifyUrl = verification_uri_complete || verification_uri;
+  console.log(`  Opening your browser to authorize this device\u2026`);
+  console.log("");
+  console.log(`  ${c.dim}If it doesn't open, visit this link:${c.reset}`);
+  console.log(`  ${c.dim}${verifyUrl}${c.reset}`);
+  console.log("");
+  void user_code;
+  openBrowser(verifyUrl);
+  const pollMs = Math.max(2, Number(interval) || 3) * 1e3;
+  const deadline = Date.now() + (Number(expires_in) || 600) * 1e3;
+  let apiKey = "";
+  process.stderr.write("  Waiting for authorization");
+  while (Date.now() < deadline) {
+    await sleep(pollMs);
+    process.stderr.write(".");
+    try {
+      const res = await fetch(`${apiUrl}/api/v1/auth/device/poll`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ device_code })
+      });
+      const data = await res.json().catch(() => ({}));
+      if (data?.status === "approved" && data?.api_key) {
+        apiKey = data.api_key;
+        process.stderr.write("\n");
+        console.log("");
+        const who = data?.user?.name || data?.user?.email;
+        const mail = data?.user?.email;
+        if (who) {
+          const suffix = mail && mail !== who ? ` ${c.dim}(${mail})${c.reset}` : "";
+          console.log(`  ${c.green}\u2713${c.reset} ${c.bold}Logged in as ${who}${c.reset}${suffix}`);
+        } else {
+          console.log(`  ${c.green}\u2713${c.reset} ${c.bold}Logged in${c.reset}`);
+        }
+        if (data?.project?.name) {
+          console.log(`  ${c.dim}Project:${c.reset} ${data.project.name}`);
+        }
+        break;
+      }
+      if (data?.status === "expired" || data?.status === "not_found") {
+        process.stderr.write("\n");
+        console.log("  Code expired. Run `login` again.");
+        process.exit(1);
+      }
+    } catch {
+    }
+  }
+  if (!apiKey) {
+    process.stderr.write("\n");
+    console.log("  Timed out waiting for authorization. Run `login` again.");
+    process.exit(1);
+  }
+  if (!install) {
+    console.log("");
+    console.log("  Logged in. Run `init --global` to enable system-wide enforcement.");
+    return;
+  }
+  console.log("");
+  await runGlobalInstall({ apiKey, apiUrl });
+  console.log("");
+  console.log("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+  console.log("  \u2502  You are logged in and protected.               \u2502");
+  console.log("  \u2502  Every Claude Code session on this machine is   \u2502");
+  console.log("  \u2502  now guarded by your cloud policy (OPA WASM).   \u2502");
+  console.log("  \u2502                                                 \u2502");
+  console.log("  \u2502  Undo:  npx @solongate/proxy init --global      \u2502");
+  console.log("  \u2502         --restore                               \u2502");
+  console.log("  \u2502  Manage policy: https://dashboard.solongate.com \u2502");
+  console.log("  \u2502  Restart Claude Code to apply.                  \u2502");
+  console.log("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
+  console.log("");
+}
+main().catch((err) => {
+  console.log(`Fatal: ${err instanceof Error ? err.message : String(err)}`);
+  process.exit(1);
+});

package/dist/pull-push.js

@@ -7,7 +7,8 @@ import { resolve as resolve2 } from "path";
 // src/config.ts
 import { readFileSync, existsSync } from "fs";
 import { appendFile } from "fs/promises";
-import { resolve } from "path";
+import { resolve, join } from "path";
+import { homedir } from "os";
 async function fetchCloudPolicy(apiKey, apiUrl, policyId) {
   let resolvedId = policyId;
   if (!resolvedId) {

package/hooks/audit.mjs

@@ -6,6 +6,7 @@
  */
 import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'node:fs';
 import { resolve, join } from 'node:path';
+import { homedir } from 'node:os';
 
 function loadEnvKey(dir) {
   try {
@@ -21,6 +22,18 @@ function loadEnvKey(dir) {
   } catch { return {}; }
 }
 
+// Global cloud config written by `init --global` (~/.solongate/cloud-guard.json).
+// A system-wide PostToolUse hook runs from any cwd, so a project .env can't be
+// relied on for the key — read the absolute global config too.
+function loadGlobalCloudConfig() {
+  try {
+    const p = resolve(homedir(), '.solongate', 'cloud-guard.json');
+    if (!existsSync(p)) return {};
+    const cfg = JSON.parse(readFileSync(p, 'utf-8'));
+    return (cfg && typeof cfg === 'object') ? cfg : {};
+  } catch { return {}; }
+}
+
 function guessPermission(toolName) {
   const name = (toolName || '').toLowerCase();
   if (name.includes('exec') || name.includes('shell') || name.includes('run') || name.includes('eval') || name === 'bash') return 'EXECUTE';
@@ -30,14 +43,16 @@ function guessPermission(toolName) {
 }
 
 const dotenv = loadEnvKey(process.cwd());
-const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || '';
-const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || 'https://api.solongate.com';
+const globalCfg = loadGlobalCloudConfig();
+const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || globalCfg.apiKey || '';
+const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || globalCfg.apiUrl || 'https://api.solongate.com';
 
 // Agent identity from CLI args: node audit.mjs <agent_id> <agent_name>
 const AGENT_ID = process.argv[2] || 'claude-code';
 const AGENT_NAME = process.argv[3] || 'Claude Code';
 
-if (!API_KEY || !API_KEY.startsWith('sg_live_')) process.exit(0);
+// Accept both live and test keys (test keys are used for trials / sandboxes).
+if (!API_KEY || !(API_KEY.startsWith('sg_live_') || API_KEY.startsWith('sg_test_'))) process.exit(0);
 
 let input = '';
 process.stdin.on('data', c => input += c);
@@ -45,12 +60,16 @@ process.stdin.on('end', async () => {
   try {
     const data = JSON.parse(input);
 
-    // Debug: append raw stdin to file for agent detection troubleshooting
-    try {
-      const debugLine = JSON.stringify({ ts: new Date().toISOString(), argv: process.argv.slice(2), tool_name: data.tool_name || data.toolName, agent_id: AGENT_ID }) + '\n';
-      const { appendFileSync: afs } = await import('node:fs');
-      afs(resolve('.solongate', '.debug-audit-log'), debugLine);
-    } catch {}
+    // Debug: append raw stdin to file for agent detection troubleshooting.
+    // Opt-in (SOLONGATE_DEBUG) so a global hook doesn't litter every cwd.
+    if (process.env.SOLONGATE_DEBUG) {
+      try {
+        const debugLine = JSON.stringify({ ts: new Date().toISOString(), argv: process.argv.slice(2), tool_name: data.tool_name || data.toolName, agent_id: AGENT_ID }) + '\n';
+        const { appendFileSync: afs, mkdirSync: mds } = await import('node:fs');
+        mds(resolve('.solongate'), { recursive: true });
+        afs(resolve('.solongate', '.debug-audit-log'), debugLine);
+      } catch {}
+    }
 
     let toolName = data.tool_name || data.toolName || '';
     let toolInput = data.tool_input || data.toolInput || data.params || {};
@@ -84,10 +103,12 @@ process.stdin.on('end', async () => {
       (toolOutput && typeof toolOutput === 'string' && toolOutput.includes('"error"')) ||
       (resultJson && resultJson.includes('"error"'));
 
+    // Keep the full command/args for audit review (the dashboard shows them in
+    // the detail view). Only cap pathologically large values.
     const argsSummary = {};
     for (const [k, v] of Object.entries(toolInput)) {
-      argsSummary[k] = typeof v === 'string' && v.length > 200
-        ? v.slice(0, 200) + '...'
+      argsSummary[k] = typeof v === 'string' && v.length > 8000
+        ? v.slice(0, 8000) + '…'
         : v;
     }