@tuent/sentinel 0.1.0

package/dist/chunk-3U3PKD4N.js

@@ -0,0 +1,539 @@
+import {
+  acquireGatewayLock,
+  writePidFile
+} from "./chunk-CUJKNIKT.js";
+import {
+  discoverPolicy
+} from "./chunk-FMZWHT4M.js";
+import {
+  loadPolicyFromString
+} from "./chunk-2FFMYSVC.js";
+
+// src/setup/initClaudeCode.ts
+import { access, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { accessSync } from "fs";
+import { join, resolve, dirname as dirname2 } from "path";
+import { createServer } from "http";
+import { fileURLToPath } from "url";
+
+// src/gateway/hookScriptSource.ts
+var HOOK_SCRIPT_SOURCE = `#!/usr/bin/env node
+// Sentinel cc hook bridge \u2014 generated by sentinel init claude-code
+// Do not edit manually; regenerate with: sentinel init claude-code --force
+
+import { readFileSync, appendFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { spawn } from "node:child_process";
+
+const GATEWAY_ENTRY_POINT = "__GATEWAY_ENTRY_POINT__";
+const PORT = 7847;
+const BASE_URL = \`http://localhost:\${PORT}\`;
+const TIMEOUT_MS = 2000;
+const HOME = process.env.HOME || process.env.USERPROFILE || "";
+const TIERS_PATH = join(HOME, ".dahlia", "fail-closed-tiers.json");
+const FALLBACK_LOG = join(HOME, ".dahlia", "gateway-fallback.log");
+const PID_PATH = join(HOME, ".dahlia", "sentinel-gateway.pid");
+
+const mode = process.argv[2];
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function readStdin() {
+  return new Promise((resolve) => {
+    let data = "";
+    process.stdin.setEncoding("utf-8");
+    process.stdin.on("data", (chunk) => { data += chunk; });
+    process.stdin.on("end", () => resolve(data));
+  });
+}
+
+async function postToGateway(path, body) {
+  const http = await import("node:http");
+  return new Promise((resolve, reject) => {
+    const req = http.request(
+      { hostname: "localhost", port: PORT, path, method: "POST",
+        headers: { "Content-Type": "application/json" },
+        timeout: TIMEOUT_MS },
+      (res) => {
+        let data = "";
+        res.on("data", (c) => { data += c; });
+        res.on("end", () => resolve({ status: res.statusCode, body: data }));
+      },
+    );
+    req.on("error", reject);
+    req.on("timeout", () => { req.destroy(); reject(new Error("timeout")); });
+    req.write(body);
+    req.end();
+  });
+}
+
+function logFallback(entry) {
+  const line = JSON.stringify({ ...entry, timestamp: new Date().toISOString() });
+  try { appendFileSync(FALLBACK_LOG, line + "\\n"); } catch { /* best effort */ }
+}
+
+// Tier config uses flat format: { high, low, mcpDefault, unknownDefault } (plan v3.1 spec'd nested but simplified during 5a)
+function loadTiers() {
+  try {
+    return JSON.parse(readFileSync(TIERS_PATH, "utf-8"));
+  } catch {
+    // Default tiers if config is missing
+    return {
+      high: ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"],
+      low: ["Read", "Glob", "Grep", "WebSearch"],
+      mcpDefault: "high",
+      unknownDefault: "high",
+    };
+  }
+}
+
+function isHighSensitivity(toolName, tiers) {
+  if (tiers.high && tiers.high.includes(toolName)) return true;
+  if (tiers.low && tiers.low.includes(toolName)) return false;
+  if (toolName.startsWith("mcp__")) return tiers.mcpDefault === "high";
+  return tiers.unknownDefault === "high";
+}
+
+// ---------------------------------------------------------------------------
+// Subcommands
+// ---------------------------------------------------------------------------
+
+if (mode === "pre") {
+  const input = await readStdin();
+  let payload;
+  try { payload = JSON.parse(input); } catch { process.exit(0); }
+  const toolName = payload.tool_name || "unknown";
+
+  try {
+    const resp = await postToGateway("/api/sentinel/pre-tool-use/claude-code", input);
+    const result = JSON.parse(resp.body);
+    process.stdout.write(JSON.stringify(result), () => process.exit(0));
+  } catch {
+    // Gateway unreachable \u2014 tiered fail-closed
+    const tiers = loadTiers();
+    if (isHighSensitivity(toolName, tiers)) {
+      logFallback({ event: "fail-closed-block", tool: toolName, tier: "high" });
+      process.stderr.write(
+        \`Sentinel gateway unreachable; high-sensitivity tool "\${toolName}" blocked per fail-closed policy\`,
+        () => process.exit(2),
+      );
+    } else {
+      logFallback({ event: "fail-closed-allow", tool: toolName, tier: "low" });
+      process.stdout.write(JSON.stringify({
+        hookSpecificOutput: { hookEventName: "PreToolUse", permissionDecision: "allow" },
+      }), () => process.exit(0));
+    }
+  }
+
+} else if (mode === "post") {
+  const input = await readStdin();
+  try {
+    await postToGateway("/api/sentinel/post-tool-use/claude-code", input);
+  } catch {
+    let payload;
+    try { payload = JSON.parse(input); } catch { /* ignore */ }
+    logFallback({ event: "post-fallback", tool: payload?.tool_name || "unknown" });
+  }
+  process.exit(0);
+
+} else if (mode === "session-start") {
+  // P5 cold-start readiness poll (kept byte-equivalent to
+  // setup/gatewayReadiness.ts \u2014 a generated string can't import it). Bounded WAIT
+  // on /api/sentinel/health so cc's first PreToolUse hits a LISTENING gateway
+  // instead of racing the daemon's warmup into the tiered fail-closed. Health
+  // returns 200 only once the port is bound AFTER baseline+translator wiring, so
+  // 200 == evaluation-ready. On timeout we exit anyway; the first pre-tool-use
+  // uses the existing fail-closed, UNCHANGED. Never fail-opens.
+  async function waitForGatewayReady() {
+    const deadline = Date.now() + 5000;
+    while (Date.now() < deadline) {
+      try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), 500);
+        try {
+          const res = await fetch(BASE_URL + "/api/sentinel/health", { signal: controller.signal });
+          if (res.ok) return; // evaluation-ready
+        } finally { clearTimeout(timer); }
+      } catch { /* not listening yet \u2014 retry until the bound */ }
+      await new Promise((r) => setTimeout(r, 100));
+    }
+    // timed out \u2014 fall through; the first pre-tool-use uses the existing fail-closed.
+  }
+
+  // Check if gateway is already running (simple liveness; full PID validity is 5c)
+  if (existsSync(PID_PATH)) {
+    try {
+      const pid = parseInt(readFileSync(PID_PATH, "utf-8").trim(), 10);
+      process.kill(pid, 0); // throws if process doesn't exist
+      await waitForGatewayReady(); // alive but may still be warming \u2014 wait, bounded
+      process.exit(0); // gateway is running (and now ready, or timed out)
+    } catch {
+      // Stale PID \u2014 continue to launch
+    }
+  }
+
+  // Discover .sentinel.yaml by walking up from cwd
+  let dir = process.cwd();
+  let policyPath = null;
+  while (true) {
+    const candidate = join(dir, ".sentinel.yaml");
+    if (existsSync(candidate)) { policyPath = candidate; break; }
+    const parent = join(dir, "..");
+    if (parent === dir) break; // filesystem root
+    dir = parent;
+  }
+
+  if (!policyPath) {
+    process.stderr.write("Sentinel: no .sentinel.yaml found. Gateway not started.\\n", () => process.exit(0));
+  }
+
+  // Launch gateway daemon (detached). Extension-aware: an installed package
+  // substitutes dist/gatewayDaemon.js (plain node); the dev tree substitutes a
+  // .ts (node --import tsx/esm).
+  const gatewayArgs = GATEWAY_ENTRY_POINT.endsWith(".ts")
+    ? ["--import", "tsx/esm", GATEWAY_ENTRY_POINT, "--policy", policyPath, "--port", String(PORT)]
+    : [GATEWAY_ENTRY_POINT, "--policy", policyPath, "--port", String(PORT)];
+  const child = spawn("node", gatewayArgs, { detached: true, stdio: "ignore" });
+  child.unref();
+  await waitForGatewayReady(); // bounded wait for the just-spawned daemon to bind
+  process.exit(0);
+
+} else if (mode === "session-end") {
+  const input = await readStdin();
+  try {
+    await postToGateway("/api/sentinel/session-end/claude-code", input);
+  } catch {
+    logFallback({ event: "session-end-fallback" });
+  }
+  process.exit(0);
+
+} else if (mode === "prompt") {
+  // UserPromptSubmit \u2014 automatic per-prompt intent capture (Sprint 23 P1).
+  // AWAIT the gateway so intent declaration completes before cc proceeds to the
+  // first tool call (cc blocks on hook completion). Declaration is best-effort:
+  // an unreachable gateway never blocks the prompt. Write nothing to stdout so
+  // we don't inject context into the conversation.
+  const input = await readStdin();
+  try {
+    await postToGateway("/api/sentinel/user-prompt-submit/claude-code", input);
+  } catch {
+    logFallback({ event: "prompt-fallback" });
+  }
+  process.exit(0);
+
+} else {
+  process.stderr.write(\`Unknown subcommand: \${mode}. Use: pre, post, session-start, session-end, prompt\\n\`, () => process.exit(1));
+}
+`;
+
+// src/setup/settingsMerge.ts
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { dirname } from "path";
+var HOOK_EVENTS = [
+  "PreToolUse",
+  "PostToolUse",
+  "SessionStart",
+  "SessionEnd",
+  "UserPromptSubmit"
+];
+var COMMAND_MAP = {
+  PreToolUse: "node ~/.dahlia/cc-hook.mjs pre",
+  PostToolUse: "node ~/.dahlia/cc-hook.mjs post",
+  SessionStart: "node ~/.dahlia/cc-hook.mjs session-start",
+  SessionEnd: "node ~/.dahlia/cc-hook.mjs session-end",
+  // Sprint 23 P1 — automatic per-prompt intent capture.
+  UserPromptSubmit: "node ~/.dahlia/cc-hook.mjs prompt"
+};
+async function mergeClaudeSettings(filePath) {
+  const report = { created: false, added: [], alreadyPresent: [] };
+  let settings;
+  try {
+    const raw = await readFile(filePath, "utf-8");
+    try {
+      settings = JSON.parse(raw);
+    } catch (err) {
+      throw new Error(
+        `settings.local.json exists but is not valid JSON: ${err.message}. Manual intervention required.`,
+        { cause: err }
+      );
+    }
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      settings = {};
+      report.created = true;
+    } else {
+      throw err;
+    }
+  }
+  if (!("hooks" in settings)) {
+    settings.hooks = {};
+  } else if (typeof settings.hooks !== "object" || settings.hooks === null || Array.isArray(settings.hooks)) {
+    throw new Error(
+      "settings.local.json has a 'hooks' field that is not an object. Manual intervention required."
+    );
+  }
+  const hooks = settings.hooks;
+  for (const event of HOOK_EVENTS) {
+    const expectedCommand = COMMAND_MAP[event];
+    if (!(event in hooks)) {
+      hooks[event] = [];
+    } else if (!Array.isArray(hooks[event])) {
+      throw new Error(
+        `settings.local.json hooks.${event} is not an array. Manual intervention required.`
+      );
+    }
+    let eventArray = hooks[event];
+    eventArray = eventArray.filter((entry) => {
+      const isOldFormat = !Array.isArray(entry.hooks);
+      const isSentinelCommand = entry.command === expectedCommand;
+      return !(isOldFormat && isSentinelCommand);
+    });
+    hooks[event] = eventArray;
+    const exists = eventArray.some((wrapper) => {
+      const inner = wrapper.hooks;
+      if (!Array.isArray(inner)) return false;
+      return inner.some((h) => h.command === expectedCommand);
+    });
+    if (exists) {
+      report.alreadyPresent.push(event);
+    } else {
+      eventArray.push({
+        matcher: "*",
+        hooks: [{ type: "command", command: expectedCommand }]
+      });
+      report.added.push(event);
+    }
+  }
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, JSON.stringify(settings, null, 2) + "\n");
+  return report;
+}
+
+// src/setup/initClaudeCode.ts
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = dirname2(__filename);
+var STARTER_POLICY = `version: "1.0"
+agent:
+  id: claude-code
+  name: Claude Code
+  description: Anthropic's command-line coding agent, monitored by Sentinel
+policy:
+  allow:
+    actions: [file_read, file_write, tool_invocation, network_request, command_exec]
+    targets:
+      - "src/**"
+      - "test/**"
+      - "**/*.md"
+    # Hosts the agent is explicitly allowed to reach via network_request actions.
+    # When this list is unset or the host isn't listed, network_request actions
+    # emit a MEDIUM scope_violation and are denied by default per the runtime's
+    # DEFAULT_MEDIUM_DISPOSITION map. The starter list below covers common
+    # developer-tooling hosts cc tends to fetch during normal workflows.
+    #
+    # Add or remove entries per your security posture. Literal hostname match
+    # only \u2014 wildcards not supported in v1. Hosts NOT in this list will deny;
+    # to permit a new host, add it explicitly.
+    #
+    # Denylist controls (RFC1918, link-local, loopback CIDRs and dangerous
+    # schemes like file://, data://, javascript://) apply regardless of this
+    # allowlist and cannot be overridden by adding entries here.
+    networkHosts:
+      # Anthropic
+      - "api.anthropic.com"
+      - "docs.anthropic.com"
+      - "console.anthropic.com"
+      # GitHub
+      - "github.com"
+      - "raw.githubusercontent.com"
+      - "gist.github.com"
+      - "api.github.com"
+      - "objects.githubusercontent.com"
+      # Package registries
+      - "registry.npmjs.org"
+      - "www.npmjs.com"
+      - "pypi.org"
+      - "files.pythonhosted.org"
+      # Developer documentation
+      - "developer.mozilla.org"
+      - "nodejs.org"
+      - "www.python.org"
+      - "docs.python.org"
+      - "www.typescriptlang.org"
+      # Q&A and reference
+      - "stackoverflow.com"
+      - "api.stackexchange.com"
+  forbid:
+    targets:
+      - ".env*"
+      - "secrets/**"
+      - ".ssh/**"
+      - ".aws/**"
+      - "**/credentials/**"
+      - "**/id_rsa*"
+      - "**/id_dsa*"
+      - "**/id_ecdsa*"
+      - "**/id_ed25519*"
+      - "**/*.pem"
+      - "**/*.key"
+      - "/etc/**"
+enforcement:
+  restrictAfter: 3
+  quarantineAfter: 5
+`;
+var FAIL_CLOSED_TIERS = {
+  high: ["Bash", "Write", "Edit", "WebFetch", "NotebookEdit", "Task", "Skill"],
+  low: ["Read", "Glob", "Grep", "WebSearch"],
+  mcpDefault: "high",
+  unknownDefault: "high"
+};
+async function runInitClaudeCode(options) {
+  const force = options.force ?? false;
+  const port = options.port ?? 7847;
+  const cwd = options.cwd ?? process.cwd();
+  const { homedir: homedir2 } = await import("os");
+  const home = options.home ?? homedir2();
+  const report = { created: [], skipped: [], merged: [], errors: [] };
+  await checkPortAvailable(port);
+  const dahliaDir = join(home, ".dahlia");
+  await mkdir2(dahliaDir, { recursive: true, mode: 448 });
+  try {
+    loadPolicyFromString(STARTER_POLICY);
+  } catch (err) {
+    throw new Error(
+      `Starter policy template failed to parse (this is a bug): ${err.message}`,
+      { cause: err }
+    );
+  }
+  const policyPath = join(cwd, ".sentinel.yaml");
+  await writeIfAbsent(policyPath, STARTER_POLICY, force, report);
+  const tiersPath = join(dahliaDir, "fail-closed-tiers.json");
+  await writeIfAbsent(
+    tiersPath,
+    JSON.stringify(FAIL_CLOSED_TIERS, null, 2) + "\n",
+    force,
+    report,
+    420
+  );
+  const hookPath = join(dahliaDir, "cc-hook.mjs");
+  const gatewayEntryPoint = resolveGatewayEntryPoint();
+  const hookContent = HOOK_SCRIPT_SOURCE.replace(/__GATEWAY_ENTRY_POINT__/g, gatewayEntryPoint);
+  if (hookContent.includes("__GATEWAY_ENTRY_POINT__")) {
+    throw new Error("Failed to substitute all __GATEWAY_ENTRY_POINT__ placeholders");
+  }
+  await writeIfAbsent(hookPath, hookContent, force, report, 493);
+  const settingsPath = join(cwd, ".claude", "settings.local.json");
+  await mergeClaudeSettings(settingsPath);
+  report.merged.push(settingsPath);
+  return report;
+}
+function resolveGatewayEntryPoint() {
+  const candidates = [
+    resolve(__dirname, "gatewayDaemon.js"),
+    // installed (bundled, dist/ sibling)
+    resolve(__dirname, "..", "gatewayDaemon.ts")
+    // dev (src/setup → src/)
+  ];
+  for (const candidate of candidates) {
+    try {
+      accessSync(candidate);
+      return candidate;
+    } catch {
+    }
+  }
+  throw new Error(
+    `Gateway daemon entry not found (looked in: ${candidates.join(", ")}). Sentinel installation may be incomplete.`
+  );
+}
+function checkPortAvailable(port) {
+  return new Promise((resolve2, reject) => {
+    const server = createServer();
+    server.once("error", (err) => {
+      if (err.code === "EADDRINUSE") {
+        reject(
+          new Error(`Port ${port} is in use. Either free the port or run with --port <override>.`)
+        );
+      } else {
+        reject(err);
+      }
+    });
+    server.listen(port, () => {
+      server.close(() => resolve2());
+    });
+  });
+}
+async function writeIfAbsent(path, content, force, report, mode) {
+  if (!force) {
+    try {
+      await access(path);
+      report.skipped.push(path);
+      return;
+    } catch {
+    }
+  }
+  await mkdir2(dirname2(path), { recursive: true });
+  await writeFile2(path, content, { mode: mode ?? 420 });
+  report.created.push(path);
+}
+
+// src/setup/sessionStart.ts
+import { spawn } from "child_process";
+import { homedir } from "os";
+
+// src/setup/gatewayReadiness.ts
+var GATEWAY_READY_TIMEOUT_MS = 5e3;
+var GATEWAY_READY_INTERVAL_MS = 100;
+var GATEWAY_READY_PROBE_MS = 500;
+async function waitForGatewayReady(port, options) {
+  const timeoutMs = options?.timeoutMs ?? GATEWAY_READY_TIMEOUT_MS;
+  const intervalMs = options?.intervalMs ?? GATEWAY_READY_INTERVAL_MS;
+  const url = `http://localhost:${port}/api/sentinel/health`;
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    try {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), GATEWAY_READY_PROBE_MS);
+      try {
+        const res = await fetch(url, { signal: controller.signal });
+        if (res.ok) return true;
+      } finally {
+        clearTimeout(timer);
+      }
+    } catch {
+    }
+    await new Promise((resolve2) => setTimeout(resolve2, intervalMs));
+  }
+  return false;
+}
+
+// src/setup/sessionStart.ts
+async function runSessionStart(options) {
+  const cwd = options?.cwd ?? process.cwd();
+  const home = options?.home ?? homedir();
+  const port = options?.port ?? 7847;
+  const policyPath = discoverPolicy(cwd, home);
+  if (!policyPath) {
+    return { action: "no-policy" };
+  }
+  const lock = acquireGatewayLock(home);
+  if (lock.reused) {
+    await waitForGatewayReady(port);
+    return { action: "reused", pid: lock.pid, policyPath };
+  }
+  const gatewayEntry = resolveGatewayEntryPoint();
+  const gatewayArgs = gatewayEntry.endsWith(".ts") ? ["--import", "tsx/esm", gatewayEntry, "--policy", policyPath, "--port", String(port)] : [gatewayEntry, "--policy", policyPath, "--port", String(port)];
+  const child = spawn("node", gatewayArgs, { detached: true, stdio: "ignore" });
+  child.unref();
+  if (child.pid) {
+    writePidFile(home, child.pid);
+  }
+  await waitForGatewayReady(port);
+  return { action: "spawned", pid: child.pid, policyPath };
+}
+
+export {
+  runInitClaudeCode,
+  runSessionStart
+};
+//# sourceMappingURL=chunk-3U3PKD4N.js.map