@two7722/sentinel-guard 1.1.0

package/dist/__tests__/rules-engine.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/rules-engine.test.js

@@ -0,0 +1,69 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = require("node:test");
+const node_assert_1 = __importDefault(require("node:assert"));
+/**
+ * Unit tests for the rules engine glob matching and rule matching logic.
+ * Uses Node.js built-in test runner (no extra dependencies).
+ *
+ * Run: npx tsx --test src/__tests__/rules-engine.test.ts
+ */
+// Inline the globMatch function to test independently
+function globMatch(pattern, value) {
+    const regex = pattern
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+        .replace(/\*\*/g, '{{DOUBLESTAR}}')
+        .replace(/\*/g, '[^/]*')
+        .replace(/{{DOUBLESTAR}}/g, '.*');
+    return new RegExp(`^${regex}$`).test(value);
+}
+(0, node_test_1.describe)('globMatch', () => {
+    (0, node_test_1.test)('exact match', () => {
+        node_assert_1.default.strictEqual(globMatch('Bash', 'Bash'), true);
+        node_assert_1.default.strictEqual(globMatch('Bash', 'Write'), false);
+    });
+    (0, node_test_1.test)('single wildcard (*)', () => {
+        node_assert_1.default.strictEqual(globMatch('Edit*', 'Edit'), true);
+        node_assert_1.default.strictEqual(globMatch('Edit*', 'EditFile'), true);
+        node_assert_1.default.strictEqual(globMatch('*.ts', 'foo.ts'), true);
+        node_assert_1.default.strictEqual(globMatch('*.ts', 'foo/bar.ts'), false); // * doesn't cross /
+    });
+    (0, node_test_1.test)('double wildcard (**)', () => {
+        node_assert_1.default.strictEqual(globMatch('**/.env*', '/home/user/.env'), true);
+        node_assert_1.default.strictEqual(globMatch('**/.env*', '/home/user/.env.local'), true);
+        node_assert_1.default.strictEqual(globMatch('**/.env*', '.env'), true);
+        node_assert_1.default.strictEqual(globMatch('src/**/*.ts', 'src/foo/bar.ts'), true);
+        node_assert_1.default.strictEqual(globMatch('src/**/*.ts', 'src/a/b/c.ts'), true);
+    });
+    (0, node_test_1.test)('/tmp/** pattern', () => {
+        node_assert_1.default.strictEqual(globMatch('/tmp/**', '/tmp/foo.txt'), true);
+        node_assert_1.default.strictEqual(globMatch('/tmp/**', '/tmp/a/b/c'), true);
+        node_assert_1.default.strictEqual(globMatch('/tmp/**', '/home/tmp/foo'), false);
+    });
+    (0, node_test_1.test)('**/secrets/** pattern', () => {
+        node_assert_1.default.strictEqual(globMatch('**/secrets/**', '/app/secrets/key.pem'), true);
+        node_assert_1.default.strictEqual(globMatch('**/secrets/**', 'secrets/a'), true);
+        node_assert_1.default.strictEqual(globMatch('**/secrets/**', '/x/secrets/a/b'), true);
+    });
+    (0, node_test_1.test)('special regex characters in pattern', () => {
+        node_assert_1.default.strictEqual(globMatch('file.name.ts', 'file.name.ts'), true);
+        node_assert_1.default.strictEqual(globMatch('file.name.ts', 'filexnamexts'), false);
+    });
+});
+(0, node_test_1.describe)('rule priority sorting', () => {
+    (0, node_test_1.test)('lower priority number wins', () => {
+        const rules = [
+            { id: 'a', priority: 20 },
+            { id: 'b', priority: 1 },
+            { id: 'c', priority: 10 },
+        ];
+        const sorted = [...rules].sort((a, b) => a.priority - b.priority);
+        node_assert_1.default.strictEqual(sorted[0].id, 'b');
+        node_assert_1.default.strictEqual(sorted[1].id, 'c');
+        node_assert_1.default.strictEqual(sorted[2].id, 'a');
+    });
+});
+//# sourceMappingURL=rules-engine.test.js.map

package/dist/__tests__/rules-engine.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules-engine.test.js","sourceRoot":"","sources":["../../src/__tests__/rules-engine.test.ts"],"names":[],"mappings":";;;;;AAAA,yCAA2C;AAC3C,8DAAiC;AAEjC;;;;;GAKG;AAEH,sDAAsD;AACtD,SAAS,SAAS,CAAC,OAAe,EAAE,KAAa;IAC/C,MAAM,KAAK,GAAG,OAAO;SAClB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC;SAClC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;IACpC,OAAO,IAAI,MAAM,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC9C,CAAC;AAED,IAAA,oBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,gBAAI,EAAC,aAAa,EAAE,GAAG,EAAE;QACvB,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC;QACpD,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,qBAAqB,EAAE,GAAG,EAAE;QAC/B,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC;QACrD,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,OAAO,EAAE,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;QACzD,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC;QACtD,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,oBAAoB;IAClF,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,sBAAsB,EAAE,GAAG,EAAE;QAChC,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,EAAE,iBAAiB,CAAC,EAAE,IAAI,CAAC,CAAC;QACnE,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,CAAC;QACzE,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC;QACxD,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,aAAa,EAAE,gBAAgB,CAAC,EAAE,IAAI,CAAC,CAAC;QACrE,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,aAAa,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,iBAAiB,EAAE,GAAG,EAAE;QAC3B,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,CAAC;QAC/D,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,IAAI,CAAC,CAAC;QAC7D,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,uBAAuB,EAAE,GAAG,EAAE;QACjC,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,EAAE,IAAI,CAAC,CAAC;QAC7E,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,eAAe,EAAE,WAAW,CAAC,EAAE,IAAI,CAAC,CAAC;QAClE,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,eAAe,EAAE,gBAAgB,CAAC,EAAE,IAAI,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,qCAAqC,EAAE,GAAG,EAAE;QAC/C,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,CAAC;QACpE,qBAAM,CAAC,WAAW,CAAC,SAAS,CAAC,cAAc,EAAE,cAAc,CAAC,EAAE,KAAK,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,oBAAQ,EAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAA,gBAAI,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG;YACZ,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE;YACzB,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE;YACxB,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,EAAE;SAC1B,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAClE,qBAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QACtC,qBAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QACtC,qBAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/transport-encryption.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/transport-encryption.test.js

@@ -0,0 +1,95 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = require("node:test");
+const node_assert_1 = __importDefault(require("node:assert"));
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const tweetnacl_util_1 = require("tweetnacl-util");
+/**
+ * Unit tests for transport encryption (NaCl secretbox).
+ *
+ * Run: npx tsx --test src/__tests__/transport-encryption.test.ts
+ */
+// Inline encrypt/decrypt to avoid module init side effects
+function encryptMessage(plaintext, key) {
+    const nonce = tweetnacl_1.default.randomBytes(24);
+    const msgBytes = new TextEncoder().encode(plaintext);
+    const encrypted = tweetnacl_1.default.secretbox(msgBytes, nonce, key);
+    const combined = new Uint8Array(24 + encrypted.length);
+    combined.set(nonce, 0);
+    combined.set(encrypted, 24);
+    return (0, tweetnacl_util_1.encodeBase64)(combined);
+}
+function decryptMessage(encoded, key) {
+    try {
+        const combined = (0, tweetnacl_util_1.decodeBase64)(encoded);
+        if (combined.length < 25)
+            return null;
+        const nonce = combined.slice(0, 24);
+        const ciphertext = combined.slice(24);
+        const decrypted = tweetnacl_1.default.secretbox.open(ciphertext, nonce, key);
+        if (!decrypted)
+            return null;
+        return new TextDecoder().decode(decrypted);
+    }
+    catch {
+        return null;
+    }
+}
+(0, node_test_1.describe)('transport encryption', () => {
+    const key = tweetnacl_1.default.randomBytes(32);
+    (0, node_test_1.test)('encrypt then decrypt roundtrip', () => {
+        const message = '{"event":"approval_request","data":{"id":"abc123"}}';
+        const encrypted = encryptMessage(message, key);
+        const decrypted = decryptMessage(encrypted, key);
+        node_assert_1.default.strictEqual(decrypted, message);
+    });
+    (0, node_test_1.test)('decrypt with wrong key fails', () => {
+        const wrongKey = tweetnacl_1.default.randomBytes(32);
+        const encrypted = encryptMessage('secret data', key);
+        const result = decryptMessage(encrypted, wrongKey);
+        node_assert_1.default.strictEqual(result, null);
+    });
+    (0, node_test_1.test)('decrypt garbage returns null', () => {
+        node_assert_1.default.strictEqual(decryptMessage('not-valid-base64!!!', key), null);
+        node_assert_1.default.strictEqual(decryptMessage((0, tweetnacl_util_1.encodeBase64)(new Uint8Array(10)), key), null);
+    });
+    (0, node_test_1.test)('handles empty message', () => {
+        const encrypted = encryptMessage('', key);
+        const decrypted = decryptMessage(encrypted, key);
+        node_assert_1.default.strictEqual(decrypted, '');
+    });
+    (0, node_test_1.test)('handles unicode', () => {
+        const msg = '审批请求：工具 Write → /tmp/文件.txt';
+        const encrypted = encryptMessage(msg, key);
+        const decrypted = decryptMessage(encrypted, key);
+        node_assert_1.default.strictEqual(decrypted, msg);
+    });
+    (0, node_test_1.test)('encrypted output is base64', () => {
+        const encrypted = encryptMessage('test', key);
+        // Should be valid base64
+        node_assert_1.default.doesNotThrow(() => (0, tweetnacl_util_1.decodeBase64)(encrypted));
+        // Should not be plain text
+        node_assert_1.default.notStrictEqual(encrypted, 'test');
+    });
+    (0, node_test_1.test)('nonce is unique per encryption', () => {
+        const e1 = encryptMessage('same', key);
+        const e2 = encryptMessage('same', key);
+        // Same plaintext, different nonces → different ciphertext
+        node_assert_1.default.notStrictEqual(e1, e2);
+    });
+});
+(0, node_test_1.describe)('pending request store', () => {
+    (0, node_test_1.test)('resolve resolves the promise', async () => {
+        // Simple simulation of the pending store behavior
+        let resolvedAction = null;
+        const promise = new Promise((resolve) => {
+            setTimeout(() => resolve('allowed'), 10);
+        });
+        resolvedAction = await promise;
+        node_assert_1.default.strictEqual(resolvedAction, 'allowed');
+    });
+});
+//# sourceMappingURL=transport-encryption.test.js.map

package/dist/__tests__/transport-encryption.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport-encryption.test.js","sourceRoot":"","sources":["../../src/__tests__/transport-encryption.test.ts"],"names":[],"mappings":";;;;;AAAA,yCAA2C;AAC3C,8DAAiC;AACjC,0DAA6B;AAC7B,mDAA4D;AAE5D;;;;GAIG;AAEH,2DAA2D;AAC3D,SAAS,cAAc,CAAC,SAAiB,EAAE,GAAe;IACxD,MAAM,KAAK,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACnC,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,mBAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACvD,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACvB,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC5B,OAAO,IAAA,6BAAY,EAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,GAAe;IACtD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAA,6BAAY,EAAC,OAAO,CAAC,CAAC;QACvC,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACtC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,SAAS,GAAG,mBAAI,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9D,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAC5B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,IAAA,oBAAQ,EAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,MAAM,GAAG,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAEjC,IAAA,gBAAI,EAAC,gCAAgC,EAAE,GAAG,EAAE;QAC1C,MAAM,OAAO,GAAG,qDAAqD,CAAC;QACtE,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,qBAAM,CAAC,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACxC,MAAM,QAAQ,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,SAAS,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnD,qBAAM,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACxC,qBAAM,CAAC,WAAW,CAAC,cAAc,CAAC,qBAAqB,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;QACrE,qBAAM,CAAC,WAAW,CAAC,cAAc,CAAC,IAAA,6BAAY,EAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,uBAAuB,EAAE,GAAG,EAAE;QACjC,MAAM,SAAS,GAAG,cAAc,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,qBAAM,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,iBAAiB,EAAE,GAAG,EAAE;QAC3B,MAAM,GAAG,GAAG,6BAA6B,CAAC;QAC1C,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,qBAAM,CAAC,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACtC,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC9C,yBAAyB;QACzB,qBAAM,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC,IAAA,6BAAY,EAAC,SAAS,CAAC,CAAC,CAAC;QACnD,2BAA2B;QAC3B,qBAAM,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,IAAA,gBAAI,EAAC,gCAAgC,EAAE,GAAG,EAAE;QAC1C,MAAM,EAAE,GAAG,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACvC,MAAM,EAAE,GAAG,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACvC,0DAA0D;QAC1D,qBAAM,CAAC,cAAc,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,oBAAQ,EAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAA,gBAAI,EAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC9C,kDAAkD;QAClD,IAAI,cAAc,GAAkB,IAAI,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,EAAE;YAC9C,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QACH,cAAc,GAAG,MAAM,OAAO,CAAC;QAC/B,qBAAM,CAAC,WAAW,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/api/client.d.ts

@@ -0,0 +1,27 @@
+interface TokenFile {
+    serverURL: string;
+    token: string;
+    deviceId: string;
+    expiresAt: string;
+}
+/**
+ * POST /v1/auth — 用 Ed25519 challenge-response 换 JWT
+ */
+export declare function authGetToken(serverURL: string): Promise<TokenFile>;
+/**
+ * 读取已保存的 JWT — 如果过期或不存在返回 null
+ */
+export declare function loadToken(): TokenFile | null;
+/**
+ * 确保有有效 token — 没有则走 auth 流程
+ */
+export declare function ensureToken(serverURL: string): Promise<TokenFile>;
+/**
+ * 获取已存 serverURL（如果有）
+ */
+export declare function getStoredServerURL(): string | null;
+/**
+ * 清除 token
+ */
+export declare function clearToken(): void;
+export {};

package/dist/api/client.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authGetToken = authGetToken;
+exports.loadToken = loadToken;
+exports.ensureToken = ensureToken;
+exports.getStoredServerURL = getStoredServerURL;
+exports.clearToken = clearToken;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const keys_1 = require("../crypto/keys");
+const logger_1 = require("../lib/logger");
+const TOKEN_PATH = (0, path_1.join)((0, keys_1.getSentinelDir)(), 'token.json');
+// ==================== Auth ====================
+/**
+ * POST /v1/auth — 用 Ed25519 challenge-response 换 JWT
+ */
+async function authGetToken(serverURL) {
+    const challenge = (0, keys_1.authChallenge)();
+    const url = `${serverURL.replace(/\/$/, '')}/v1/auth`;
+    const res = await fetch(url, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            ...challenge,
+            deviceName: `${process.env.USER ?? 'unknown'}@${require('os').hostname()}`,
+            deviceType: 'mac',
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Auth failed (${res.status}): ${body}`);
+    }
+    const json = (await res.json());
+    if (!json.success) {
+        throw new Error('Auth response: success=false');
+    }
+    const tokenFile = {
+        serverURL: serverURL.replace(/\/$/, ''),
+        token: json.data.token,
+        deviceId: json.data.deviceId,
+        expiresAt: new Date(Date.now() + json.data.expiresIn * 1000).toISOString(),
+    };
+    (0, fs_1.writeFileSync)(TOKEN_PATH, JSON.stringify(tokenFile, null, 2), { mode: 0o600 });
+    logger_1.log.info(`Authenticated. Device ID: ${tokenFile.deviceId}`);
+    return tokenFile;
+}
+// ==================== Token Storage ====================
+/**
+ * 读取已保存的 JWT — 如果过期或不存在返回 null
+ */
+function loadToken() {
+    if (!(0, fs_1.existsSync)(TOKEN_PATH))
+        return null;
+    try {
+        const raw = JSON.parse((0, fs_1.readFileSync)(TOKEN_PATH, 'utf-8'));
+        if (new Date(raw.expiresAt) < new Date()) {
+            logger_1.log.warn('Token expired, re-auth needed');
+            return null;
+        }
+        return raw;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * 确保有有效 token — 没有则走 auth 流程
+ */
+async function ensureToken(serverURL) {
+    const existing = loadToken();
+    if (existing && existing.serverURL === serverURL.replace(/\/$/, '')) {
+        return existing;
+    }
+    return authGetToken(serverURL);
+}
+/**
+ * 获取已存 serverURL（如果有）
+ */
+function getStoredServerURL() {
+    return loadToken()?.serverURL ?? null;
+}
+/**
+ * 清除 token
+ */
+function clearToken() {
+    const { unlinkSync } = require('fs');
+    if ((0, fs_1.existsSync)(TOKEN_PATH)) {
+        unlinkSync(TOKEN_PATH);
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/api/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":";;AAmBA,oCAuCC;AAOD,8BAaC;AAKD,kCAMC;AAKD,gDAEC;AAKD,gCAKC;AA1GD,2BAA6D;AAC7D,+BAA4B;AAC5B,yCAA+D;AAC/D,0CAAoC;AAEpC,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,IAAA,qBAAc,GAAE,EAAE,YAAY,CAAC,CAAC;AASxD,iDAAiD;AAEjD;;GAEG;AACI,KAAK,UAAU,YAAY,CAAC,SAAiB;IAClD,MAAM,SAAS,GAAG,IAAA,oBAAa,GAAE,CAAC;IAElC,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC;IACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,GAAG,SAAS;YACZ,UAAU,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC1E,UAAU,EAAE,KAAK;SAClB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,gBAAgB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAG7B,CAAC;IAEF,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,SAAS,GAAc;QAC3B,SAAS,EAAE,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QACvC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK;QACtB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;QAC5B,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;KAC3E,CAAC;IAEF,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/E,YAAG,CAAC,IAAI,CAAC,6BAA6B,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE5D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,0DAA0D;AAE1D;;GAEG;AACH,SAAgB,SAAS;IACvB,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAc,CAAC;QACvE,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACzC,YAAG,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,WAAW,CAAC,SAAiB;IACjD,MAAM,QAAQ,GAAG,SAAS,EAAE,CAAC;IAC7B,IAAI,QAAQ,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,EAAE,CAAC;QACpE,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,YAAY,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB;IAChC,OAAO,SAAS,EAAE,EAAE,SAAS,IAAI,IAAI,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU;IACxB,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,UAAU,CAAC,UAAU,CAAC,CAAC;IACzB,CAAC;AACH,CAAC"}

package/dist/cli/bootstrap.d.ts

@@ -0,0 +1,12 @@
+import { type TransportMode } from '../transport/interface';
+export interface BootstrapOpts {
+    mode: TransportMode;
+    port: number;
+    server?: string;
+    remote?: boolean;
+}
+/**
+ * Start transport + HTTP hook server. Used by both `sentinel start` and `sentinel run`.
+ * Returns a shutdown callback.
+ */
+export declare function bootstrapSentinel(opts: BootstrapOpts): Promise<() => void>;

package/dist/cli/bootstrap.js

@@ -0,0 +1,132 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bootstrapSentinel = bootstrapSentinel;
+// packages/sentinel-cli/src/cli/bootstrap.ts
+const factory_1 = require("../transport/factory");
+const local_1 = require("../transport/local");
+const interface_1 = require("../transport/interface");
+const http_1 = require("../server/http");
+const engine_1 = require("../rules/engine");
+const pending_1 = require("../relay/pending");
+const logger_1 = require("../lib/logger");
+const child_process_1 = require("child_process");
+/** Kill any stale process holding the given port (best-effort, silent). */
+function freePort(port) {
+    try {
+        (0, child_process_1.execSync)(`lsof -ti :${port} | xargs kill -9`, { stdio: 'ignore' });
+    }
+    catch { }
+}
+/**
+ * Start transport + HTTP hook server. Used by both `sentinel start` and `sentinel run`.
+ * Returns a shutdown callback.
+ */
+async function bootstrapSentinel(opts) {
+    const { mode, port, remote } = opts;
+    // Free stale processes on both ports before binding
+    freePort(port); // hook server port (7749)
+    freePort(7750); // TCP transport port
+    if (mode === 'server') {
+        const { ensureToken, getStoredServerURL } = await Promise.resolve().then(() => __importStar(require('../api/client')));
+        const serverURL = opts.server ?? getStoredServerURL();
+        if (!serverURL) {
+            logger_1.log.error('Server mode requires -s URL.');
+            process.exit(1);
+        }
+        logger_1.log.info('Authenticating...');
+        const tokenData = await ensureToken(serverURL);
+        const transport = (0, factory_1.createTransport)('server', { serverUrl: serverURL, token: tokenData.token });
+        (0, interface_1.setTransport)(transport);
+        logger_1.log.info(`Connecting to ${serverURL}...`);
+        await transport.start();
+    }
+    else if (mode === 'cloudkit') {
+        const transport = (0, factory_1.createTransport)('cloudkit');
+        (0, interface_1.setTransport)(transport);
+        await transport.start();
+    }
+    else {
+        // local
+        const transport = (0, factory_1.createTransport)('local');
+        (0, interface_1.setTransport)(transport);
+        await transport.start();
+        if (transport instanceof local_1.LocalTransport) {
+            const info = transport.getConnectionInfo();
+            logger_1.log.info(`iOS can connect to: ${info.ip}:${info.port}`);
+            try {
+                const qrcode = require('qrcode-terminal');
+                const qrData = `sentinel://${info.ip}:${info.port}`;
+                console.log('');
+                logger_1.log.info('Scan QR code with Sentinel iOS app:');
+                qrcode.generate(qrData, { small: true }, (code) => { console.log(code); });
+            }
+            catch { }
+            transport.onRulesUpdate((rules) => (0, engine_1.setCustomRules)(rules));
+        }
+    }
+    (0, engine_1.watchRules)();
+    await (0, http_1.startHttpServer)(port);
+    (0, http_1.setupUserMessageHandler)();
+    const cleanupFns = [];
+    if (remote) {
+        try {
+            const { startTunnel, stopTunnel } = require('../lib/tunnel');
+            logger_1.log.info('Starting Cloudflare Tunnel...');
+            const tunnelUrl = await startTunnel(7750);
+            const remoteAddr = tunnelUrl.replace(/https?:\/\//, '');
+            logger_1.log.success(`Remote: ${tunnelUrl}`);
+            try {
+                const qrcode = require('qrcode-terminal');
+                const qrData = `sentinel-remote://${remoteAddr}`;
+                console.log('');
+                logger_1.log.info('Scan QR code for remote access:');
+                qrcode.generate(qrData, { small: true }, (code) => { console.log(code); });
+            }
+            catch { }
+            cleanupFns.push(stopTunnel);
+        }
+        catch (err) {
+            logger_1.log.error(`Tunnel failed: ${err.message}`);
+        }
+    }
+    return () => {
+        for (const fn of cleanupFns)
+            fn();
+        pending_1.pending.clear();
+        (0, interface_1.getTransport)()?.stop();
+    };
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/cli/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/cli/bootstrap.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BA,8CAuEC;AAjGD,6CAA6C;AAC7C,kDAAuD;AACvD,8CAAoD;AACpD,sDAAwF;AACxF,yCAA0E;AAC1E,4CAA6D;AAC7D,8CAA2C;AAC3C,0CAAoC;AACpC,iDAAyC;AASzC,2EAA2E;AAC3E,SAAS,QAAQ,CAAC,IAAY;IAC5B,IAAI,CAAC;QAAC,IAAA,wBAAQ,EAAC,aAAa,IAAI,kBAAkB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACtF,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CAAC,IAAmB;IACzD,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAEpC,oDAAoD;IACpD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAO,0BAA0B;IAChD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAO,qBAAqB;IAE3C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,EAAE,WAAW,EAAE,kBAAkB,EAAE,GAAG,wDAAa,eAAe,GAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,IAAI,kBAAkB,EAAE,CAAC;QACtD,IAAI,CAAC,SAAS,EAAE,CAAC;YAAC,YAAG,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QAC/E,YAAG,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,IAAA,yBAAe,EAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;QAC9F,IAAA,wBAAY,EAAC,SAAS,CAAC,CAAC;QACxB,YAAG,CAAC,IAAI,CAAC,iBAAiB,SAAS,KAAK,CAAC,CAAC;QAC1C,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;SAAM,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,IAAA,yBAAe,EAAC,UAAU,CAAC,CAAC;QAC9C,IAAA,wBAAY,EAAC,SAAS,CAAC,CAAC;QACxB,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,QAAQ;QACR,MAAM,SAAS,GAAG,IAAA,yBAAe,EAAC,OAAO,CAAC,CAAC;QAC3C,IAAA,wBAAY,EAAC,SAAS,CAAC,CAAC;QACxB,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,SAAS,YAAY,sBAAc,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,SAAS,CAAC,iBAAiB,EAAE,CAAC;YAC3C,YAAG,CAAC,IAAI,CAAC,uBAAuB,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACxD,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBAC1C,MAAM,MAAM,GAAG,cAAc,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,YAAG,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;gBAChD,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAY,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACrF,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,SAAS,CAAC,aAAa,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAA,uBAAc,EAAC,KAAK,CAAC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,IAAA,mBAAU,GAAE,CAAC;IACb,MAAM,IAAA,sBAAe,EAAC,IAAI,CAAC,CAAC;IAC5B,IAAA,8BAAuB,GAAE,CAAC;IAE1B,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;YAC7D,YAAG,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;YAC1C,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACxD,YAAG,CAAC,OAAO,CAAC,WAAW,SAAS,EAAE,CAAC,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBAC1C,MAAM,MAAM,GAAG,qBAAqB,UAAU,EAAE,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,YAAG,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;gBAC5C,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,IAAY,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACrF,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,YAAG,CAAC,KAAK,CAAC,kBAAmB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,GAAG,EAAE;QACV,KAAK,MAAM,EAAE,IAAI,UAAU;YAAE,EAAE,EAAE,CAAC;QAClC,iBAAO,CAAC,KAAK,EAAE,CAAC;QAChB,IAAA,wBAAY,GAAE,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC,CAAC;AACJ,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};