@tameflare/cli 0.10.2 → 0.10.3

package/README.md

@@ -1,6 +1,6 @@
 # @tameflare/cli
 
-The official CLI for [TameFlare](https://tameflare.com) - secure and govern AI agent traffic through a transparent proxy gateway.
+The official CLI for [TameFlare](https://tameflare.com) - secure and govern AI agent traffic through a cloud proxy gateway.
 
 ## Install
 
@@ -8,75 +8,53 @@ The official CLI for [TameFlare](https://tameflare.com) - secure and govern AI a
 npm i -g @tameflare/cli
 ```
 
-Or run directly with npx:
-
-```bash
-npx @tameflare/cli init
-```
-
 ## Quick Start
 
 ```bash
-# 1. Initialize TameFlare in your project
-tf init
+# 1. Log in (opens browser)
+tf login
 
-# 2. Add a connector (e.g. GitHub)
-tf connector add github --token ghp_xxx
+# 2. Pick a gateway
+tf init --list
 
-# 3. Run your agent through the gateway
-tf run --name my-agent -- python agent.py
+# 3. Run your agent through the cloud proxy
+tf run -- python agent.py
 ```
 
 ## Commands
 
 | Command | Description |
 |---------|-------------|
-| `tf init` | Initialize TameFlare - downloads gateway, creates config |
-| `tf run --name <n> <cmd>` | Run a process through the proxy gateway |
-| `tf status` | Show gateway status and active processes |
-| `tf stop` | Stop the gateway |
-| `tf logs` | View recent traffic logs |
-| `tf kill-switch` | Emergency stop - block all traffic |
-| `tf connector add <type>` | Add a connector (github, openai, slack, stripe, generic) |
-| `tf connector list` | List active connectors |
-| `tf connector remove <id>` | Remove a connector |
-| `tf permissions set` | Set access rules for a gateway |
-| `tf permissions list` | List access rules |
-| `tf approvals list` | List pending approval requests |
-| `tf approvals approve <id>` | Approve a pending request |
-| `tf approvals deny <id>` | Deny a pending request |
+| `tf login` | Authenticate via browser (saves credentials to `~/.tameflare/`) |
+| `tf logout` | Remove saved credentials |
+| `tf init` | Select a gateway and save config to `.tf/config.yaml` |
+| `tf run -- <cmd>` | Run a process through the cloud proxy |
+| `tf status` | Show gateway config and connectivity |
+| `tf logs` | Open dashboard traffic view in browser |
+| `tf reset` | Remove `.tf/` directory |
+
+Connectors, permissions, approvals, and kill switch are managed in the [dashboard](https://tameflare.com/dashboard).
 
 ## How It Works
 
-TameFlare acts as a transparent HTTP/HTTPS proxy between your AI agent and external APIs. When you run `tf run`, the CLI:
+When you run `tf run -- python agent.py`, the CLI:
 
-1. Starts (or connects to) the TameFlare gateway
-2. Registers your process and gets a dedicated proxy port
-3. Sets `HTTP_PROXY` and `HTTPS_PROXY` env vars on your process
-4. All outbound traffic flows through the gateway for inspection and enforcement
+1. Sets `HTTPS_PROXY=https://{gateway_token}@proxy.tameflare.com`
+2. Spawns your process with the proxy environment variable
+3. All outbound HTTP traffic routes through the cloud gateway
+4. The gateway parses requests, checks permissions, and logs everything
 
-The gateway matches requests against connectors (GitHub, OpenAI, Stripe, etc.), applies permission rules, and either allows, denies, or holds requests for human approval.
+No local binary, no Docker, no server to manage. The gateway runs in the cloud at `proxy.tameflare.com`.
 
 ## Requirements
 
 - Node.js >= 18
-- The TameFlare gateway binary (downloaded automatically by `tf init`)
-
-## Dashboard
-
-TameFlare includes a web dashboard for real-time traffic monitoring, policy management, and approval workflows. Start it with:
-
-```bash
-docker compose up
-```
-
-Then open [http://localhost:3000](http://localhost:3000).
 
 ## Links
 
 - [Documentation](https://tameflare.com/docs)
 - [GitHub](https://github.com/tameflare/tameflare)
-- [Website](https://tameflare.com)
+- [Dashboard](https://tameflare.com/dashboard)
 
 ## License
 

package/dist/commands/run.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runCommand = runCommand;
 const commander_1 = require("commander");
 const child_process_1 = require("child_process");
+const path_1 = require("path");
+const fs_1 = require("fs");
 const utils_1 = require("../utils");
 function runCommand() {
     const cmd = new commander_1.Command("run")
@@ -16,13 +18,32 @@ function runCommand() {
         console.log(`[TF] Proxy:   https://${cfg.proxy_host}`);
         console.log(`[TF] Running: ${command} ${args.join(" ")}`);
         console.log("");
+        // Register heartbeat so dashboard shows gateway as online
+        try {
+            await fetch(`${cfg.dashboard_url}/api/gateway/v2/verify`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ gateway_token: cfg.gateway_token }),
+            });
+        }
+        catch {
+            // Non-fatal — gateway still works even if dashboard is temporarily unreachable
+        }
+        // Locate the proxy bootstrap script (shipped alongside the CLI)
+        // Use forward slashes to avoid Windows shell escaping issues with --require
+        const bootstrapPath = (0, path_1.resolve)((0, path_1.dirname)(__filename), "..", "proxy-bootstrap.js").replace(/\\/g, "/");
+        let nodeOptions = process.env.NODE_OPTIONS || "";
+        if ((0, fs_1.existsSync)(bootstrapPath)) {
+            const requireFlag = `--require "${bootstrapPath}"`;
+            nodeOptions = nodeOptions ? `${nodeOptions} ${requireFlag}` : requireFlag;
+        }
         const env = {
             ...process.env,
             HTTP_PROXY: proxyUrl,
             HTTPS_PROXY: proxyUrl,
             http_proxy: proxyUrl,
             https_proxy: proxyUrl,
-            TF_GATEWAY_ID: cfg.gateway_id,
+            NODE_OPTIONS: nodeOptions,
         };
         const child = (0, child_process_1.spawn)(command, args, {
             stdio: "inherit",

package/dist/commands/status.js

@@ -15,14 +15,23 @@ function statusCommand() {
         console.log(`  Dashboard:     ${cfg.dashboard_url}`);
         console.log(`  Proxy:         https://${cfg.proxy_host}`);
         console.log("");
-        // Check cloud proxy connectivity
+        // Ping dashboard and register gateway heartbeat
         try {
-            const res = await fetch(`${cfg.dashboard_url}/api/health`);
+            const res = await fetch(`${cfg.dashboard_url}/api/gateway/v2/verify`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ gateway_token: cfg.gateway_token }),
+            });
             if (res.ok) {
                 console.log(`  Dashboard:     \x1b[32mreachable\x1b[0m`);
+                console.log(`  Gateway:       \x1b[32monline\x1b[0m`);
+            }
+            else if (res.status === 401) {
+                console.log(`  Dashboard:     \x1b[32mreachable\x1b[0m`);
+                console.log(`  Gateway:       \x1b[31minvalid token\x1b[0m`);
             }
             else {
-                console.log(`  Dashboard:     \x1b[31munreachable (${res.status})\x1b[0m`);
+                console.log(`  Dashboard:     \x1b[31merror (${res.status})\x1b[0m`);
             }
         }
         catch {

package/dist/proxy-bootstrap.js

@@ -0,0 +1,68 @@
+/**
+ * TameFlare Proxy Bootstrap
+ *
+ * This script is injected via NODE_OPTIONS="--require <this-file>" by `tf run`.
+ * It overrides globalThis.fetch to route all HTTP/HTTPS requests through the
+ * TameFlare cloud proxy.
+ *
+ * Architecture: The cloud proxy runs behind Railway's TLS termination, so
+ * standard HTTP CONNECT tunneling doesn't work. Instead, we send requests
+ * directly to the proxy with the target URL in the X-TF-Target-URL header.
+ * The proxy reads this header, forwards the request to the real upstream,
+ * and returns the response.
+ */
+
+"use strict";
+
+const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy || process.env.HTTP_PROXY || process.env.http_proxy;
+
+if (proxyUrl) {
+  const originalFetch = globalThis.fetch;
+
+  // Parse proxy URL: https://token@proxy.tameflare.com
+  let proxyOrigin, proxyToken;
+  try {
+    const parsed = new URL(proxyUrl);
+    proxyToken = parsed.username || "";
+    parsed.username = "";
+    parsed.password = "";
+    proxyOrigin = parsed.origin;
+  } catch (_) {}
+
+  if (proxyOrigin && originalFetch) {
+    globalThis.fetch = function tfProxyFetch(input, init) {
+      try {
+        const req = new Request(input, init);
+        const targetUrl = req.url;
+
+        // Only proxy http/https requests
+        if (!targetUrl.startsWith("http://") && !targetUrl.startsWith("https://")) {
+          return originalFetch(input, init);
+        }
+
+        // Extract the path from the target URL to build the proxy request URL
+        // e.g. https://api.openai.com/v1/models → proxy sends to proxy.tameflare.com/v1/models
+        const targetParsed = new URL(targetUrl);
+        const proxyRequestUrl = proxyOrigin + targetParsed.pathname + targetParsed.search;
+
+        // Build headers
+        const headers = new Headers(req.headers);
+        headers.set("X-TF-Target-URL", targetUrl);
+        headers.set("X-TF-Target-Host", targetParsed.host);
+        if (proxyToken) {
+          headers.set("X-TF-Gateway-Token", proxyToken);
+        }
+
+        return originalFetch(proxyRequestUrl, {
+          method: req.method,
+          headers: headers,
+          body: req.body,
+          redirect: "manual",
+          duplex: "half",
+        });
+      } catch (_) {
+        return originalFetch(input, init);
+      }
+    };
+  }
+}

package/package.json

@@ -1,21 +1,22 @@
 {
   "name": "@tameflare/cli",
-  "version": "0.10.2",
+  "version": "0.10.3",
   "description": "TameFlare CLI - secure and govern AI agent traffic through a transparent proxy gateway",
   "bin": {
     "tf": "dist/index.js"
   },
   "scripts": {
-    "build": "tsc",
+    "build": "tsc && node -e \"require('fs').copyFileSync('src/proxy-bootstrap.js','dist/proxy-bootstrap.js')\"",
     "dev": "tsc --watch",
-    "prepublishOnly": "tsc"
+    "prepublishOnly": "tsc && node -e \"require('fs').copyFileSync('src/proxy-bootstrap.js','dist/proxy-bootstrap.js')\""
   },
   "dependencies": {
-    "commander": "^12.1.0"
+    "commander": "^12.1.0",
+    "undici": "^7.21.0"
   },
   "devDependencies": {
-    "typescript": "^5.7.0",
-    "@types/node": "^22.0.0"
+    "@types/node": "^22.0.0",
+    "typescript": "^5.7.0"
   },
   "files": [
     "dist",