@two7722/sentinel-guard 1.1.0

package/dist/socket/client.js

@@ -0,0 +1,81 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connectSocket = connectSocket;
+exports.emitApprovalRequest = emitApprovalRequest;
+exports.getSocket = getSocket;
+exports.disconnectSocket = disconnectSocket;
+exports.isConnected = isConnected;
+const socket_io_client_1 = require("socket.io-client");
+const pending_1 = require("../relay/pending");
+const logger_1 = require("../lib/logger");
+let socket = null;
+let reconnectAttempts = 0;
+const MAX_RECONNECT = 10;
+/**
+ * 连接 Socket.IO，带 JWT auth 和指数退避重连
+ */
+function connectSocket(serverURL, token) {
+    if (socket?.connected)
+        return socket;
+    socket = (0, socket_io_client_1.io)(serverURL, {
+        auth: { token },
+        transports: ['websocket', 'polling'],
+        reconnection: true,
+        reconnectionDelay: 1000,
+        reconnectionDelayMax: 30000,
+        reconnectionAttempts: MAX_RECONNECT,
+    });
+    socket.on('connect', () => {
+        reconnectAttempts = 0;
+        logger_1.log.success(`Socket connected (id: ${socket.id})`);
+    });
+    socket.on('disconnect', (reason) => {
+        logger_1.log.warn(`Socket disconnected: ${reason}`);
+    });
+    socket.on('connect_error', (err) => {
+        reconnectAttempts++;
+        const delay = Math.min(Math.pow(2, reconnectAttempts - 1) * 1000, 30000);
+        logger_1.log.error(`Connection error: ${err.message} (retry in ${delay / 1000}s)`);
+    });
+    // ==================== 收到决策 ====================
+    socket.on('decision', (data) => {
+        logger_1.log.info(`Decision received: ${data.requestId} → ${data.action}`);
+        pending_1.pending.resolve(data.requestId, data.action);
+    });
+    socket.on('heartbeat', () => {
+        socket?.emit('heartbeat');
+    });
+    socket.on('heartbeat_ack', () => {
+        logger_1.log.debug('Heartbeat ack');
+    });
+    return socket;
+}
+/**
+ * 发送审批请求到 server，返回 requestId
+ */
+async function emitApprovalRequest(data) {
+    return new Promise((resolve, reject) => {
+        if (!socket?.connected) {
+            return reject(new Error('Socket not connected'));
+        }
+        socket.emit('approval_request', data, (res) => {
+            if (res.success && res.requestId) {
+                resolve(res.requestId);
+            }
+            else {
+                reject(new Error(res.error ?? 'Failed to send approval request'));
+            }
+        });
+    });
+}
+function getSocket() {
+    return socket;
+}
+function disconnectSocket() {
+    socket?.disconnect();
+    socket = null;
+}
+function isConnected() {
+    return socket?.connected ?? false;
+}
+//# sourceMappingURL=client.js.map

package/dist/socket/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/socket/client.ts"],"names":[],"mappings":";;AAWA,sCA2CC;AAKD,kDAkBC;AAED,8BAEC;AAED,4CAGC;AAED,kCAEC;AA1FD,uDAA8C;AAC9C,8CAA2C;AAC3C,0CAAoC;AAEpC,IAAI,MAAM,GAAkB,IAAI,CAAC;AACjC,IAAI,iBAAiB,GAAG,CAAC,CAAC;AAC1B,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB;;GAEG;AACH,SAAgB,aAAa,CAAC,SAAiB,EAAE,KAAa;IAC5D,IAAI,MAAM,EAAE,SAAS;QAAE,OAAO,MAAM,CAAC;IAErC,MAAM,GAAG,IAAA,qBAAE,EAAC,SAAS,EAAE;QACrB,IAAI,EAAE,EAAE,KAAK,EAAE;QACf,UAAU,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC;QACpC,YAAY,EAAE,IAAI;QAClB,iBAAiB,EAAE,IAAI;QACvB,oBAAoB,EAAE,KAAK;QAC3B,oBAAoB,EAAE,aAAa;KACpC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;QACxB,iBAAiB,GAAG,CAAC,CAAC;QACtB,YAAG,CAAC,OAAO,CAAC,yBAAyB,MAAO,CAAC,EAAE,GAAG,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;QACjC,YAAG,CAAC,IAAI,CAAC,wBAAwB,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,GAAG,EAAE,EAAE;QACjC,iBAAiB,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,iBAAiB,GAAG,CAAC,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,CAAC;QACzE,YAAG,CAAC,KAAK,CAAC,qBAAqB,GAAG,CAAC,OAAO,cAAc,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,iDAAiD;IAEjD,MAAM,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,IAA2C,EAAE,EAAE;QACpE,YAAG,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,SAAS,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,iBAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,MAA2C,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE;QAC1B,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,eAAe,EAAE,GAAG,EAAE;QAC9B,YAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CAAC,IAIzC;IACC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC;YACvB,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC,GAA6D,EAAE,EAAE;YACtG,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,IAAI,iCAAiC,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,SAAS;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,gBAAgB;IAC9B,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,MAAM,GAAG,IAAI,CAAC;AAChB,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,MAAM,EAAE,SAAS,IAAI,KAAK,CAAC;AACpC,CAAC"}

package/dist/transport/cloudkit.d.ts

@@ -0,0 +1,30 @@
+import type { Transport, ApprovalPayload } from './interface';
+/**
+ * CloudKit transport — uses CloudKit Web Services REST API.
+ *
+ * Mac writes ApprovalRequest records, polls for Decision records.
+ * iOS writes Decision records via CKDatabase on-device.
+ *
+ * Env vars: CLOUDKIT_CONTAINER, CLOUDKIT_API_TOKEN, CLOUDKIT_ENVIRONMENT
+ */
+export declare class CloudKitTransport implements Transport {
+    readonly mode: "cloudkit";
+    private container;
+    private apiToken;
+    private environment;
+    private baseURL;
+    private pollTimer;
+    private decisionCb;
+    private knownDecisions;
+    private _connected;
+    constructor();
+    get isConnected(): boolean;
+    start(): Promise<void>;
+    sendApprovalRequest(payload: ApprovalPayload): Promise<string>;
+    onDecision(cb: (id: string, action: 'allowed' | 'blocked' | 'timeout') => void): void;
+    stop(): void;
+    private pollDecisions;
+    private query;
+    private saveRecord;
+    private updateRecordField;
+}

package/dist/transport/cloudkit.js

@@ -0,0 +1,162 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudKitTransport = void 0;
+const crypto_1 = require("crypto");
+const pending_1 = require("../relay/pending");
+const logger_1 = require("../lib/logger");
+const POLL_INTERVAL = 2000;
+/**
+ * CloudKit transport — uses CloudKit Web Services REST API.
+ *
+ * Mac writes ApprovalRequest records, polls for Decision records.
+ * iOS writes Decision records via CKDatabase on-device.
+ *
+ * Env vars: CLOUDKIT_CONTAINER, CLOUDKIT_API_TOKEN, CLOUDKIT_ENVIRONMENT
+ */
+class CloudKitTransport {
+    mode = 'cloudkit';
+    container;
+    apiToken;
+    environment;
+    baseURL;
+    pollTimer = null;
+    decisionCb = null;
+    knownDecisions = new Set();
+    _connected = false;
+    constructor() {
+        this.container = process.env.CLOUDKIT_CONTAINER ?? '';
+        this.apiToken = process.env.CLOUDKIT_API_TOKEN ?? '';
+        this.environment = process.env.CLOUDKIT_ENVIRONMENT ?? 'development';
+        this.baseURL = `https://api.apple-cloudkit.com/database/1/${this.container}/${this.environment}/private`;
+    }
+    get isConnected() {
+        return this._connected;
+    }
+    async start() {
+        if (!this.container || !this.apiToken) {
+            throw new Error('CloudKit requires CLOUDKIT_CONTAINER and CLOUDKIT_API_TOKEN env vars');
+        }
+        // Verify connectivity
+        try {
+            await this.query('Decisions', [], 1);
+            this._connected = true;
+            logger_1.log.success('[cloudkit] Connected to CloudKit');
+        }
+        catch (err) {
+            logger_1.log.warn(`[cloudkit] Initial query failed, will retry: ${err.message}`);
+            this._connected = true; // optimistic — polling will catch errors
+        }
+        // Start polling for decisions
+        this.pollTimer = setInterval(() => this.pollDecisions(), POLL_INTERVAL);
+        logger_1.log.info(`[cloudkit] Polling every ${POLL_INTERVAL / 1000}s for decisions`);
+    }
+    async sendApprovalRequest(payload) {
+        const requestId = (0, crypto_1.randomBytes)(12).toString('hex');
+        const record = {
+            recordType: 'ApprovalRequest',
+            fields: {
+                requestId: { value: requestId },
+                toolName: { value: payload.toolName },
+                toolInput: { value: JSON.stringify(payload.toolInput) },
+                riskLevel: { value: payload.riskLevel },
+                timestamp: { value: Date.now() },
+                timeoutAt: { value: Date.now() + 120_000 },
+                status: { value: 'pending' },
+            },
+        };
+        await this.saveRecord(record);
+        logger_1.log.info(`[cloudkit] Approval request saved: ${requestId}`);
+        return requestId;
+    }
+    onDecision(cb) {
+        this.decisionCb = cb;
+    }
+    stop() {
+        if (this.pollTimer) {
+            clearInterval(this.pollTimer);
+            this.pollTimer = null;
+        }
+        this._connected = false;
+    }
+    // ==================== CloudKit REST ====================
+    async pollDecisions() {
+        try {
+            const results = await this.query('Decision', [
+                { fieldName: 'status', comparator: 'EQUALS', fieldValue: { value: 'new' } },
+            ], 20);
+            for (const record of results) {
+                const requestId = record.fields?.requestId?.value;
+                const action = record.fields?.action?.value;
+                if (!requestId || !action)
+                    continue;
+                if (this.knownDecisions.has(record.recordName))
+                    continue;
+                this.knownDecisions.add(record.recordName);
+                const mapped = action === 'allow' ? 'allowed' : action === 'block' ? 'blocked' : action;
+                logger_1.log.info(`[cloudkit] Decision: ${requestId} → ${mapped}`);
+                pending_1.pending.resolve(requestId, mapped);
+                this.decisionCb?.(requestId, mapped);
+                // Mark as processed
+                await this.updateRecordField(record.recordName, 'Decision', 'status', 'processed');
+            }
+        }
+        catch (err) {
+            logger_1.log.debug(`[cloudkit] Poll error: ${err.message}`);
+        }
+    }
+    async query(recordType, filters, limit) {
+        const body = {
+            query: { recordType, filterBy: filters },
+            resultsLimit: limit,
+        };
+        const res = await fetch(`${this.baseURL}/records/query`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Apple-CloudKit-Request-KeyID': this.apiToken,
+            },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok)
+            throw new Error(`CloudKit query failed: ${res.status}`);
+        const json = (await res.json());
+        return json.records ?? [];
+    }
+    async saveRecord(record) {
+        const body = {
+            operations: [{ operationType: 'create', record }],
+        };
+        const res = await fetch(`${this.baseURL}/records/modify`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Apple-CloudKit-Request-KeyID': this.apiToken,
+            },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok)
+            throw new Error(`CloudKit save failed: ${res.status}`);
+    }
+    async updateRecordField(recordName, recordType, field, value) {
+        const body = {
+            operations: [{
+                    operationType: 'update',
+                    record: {
+                        recordName,
+                        recordType,
+                        fields: { [field]: { value } },
+                    },
+                }],
+        };
+        await fetch(`${this.baseURL}/records/modify`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Apple-CloudKit-Request-KeyID': this.apiToken,
+            },
+            body: JSON.stringify(body),
+        }).catch(() => { }); // best-effort
+    }
+}
+exports.CloudKitTransport = CloudKitTransport;
+//# sourceMappingURL=cloudkit.js.map

package/dist/transport/cloudkit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloudkit.js","sourceRoot":"","sources":["../../src/transport/cloudkit.ts"],"names":[],"mappings":";;;AAAA,mCAAqC;AAErC,8CAA2C;AAC3C,0CAAoC;AAEpC,MAAM,aAAa,GAAG,IAAI,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAa,iBAAiB;IACnB,IAAI,GAAG,UAAmB,CAAC;IAE5B,SAAS,CAAS;IAClB,QAAQ,CAAS;IACjB,WAAW,CAAS;IACpB,OAAO,CAAS;IAChB,SAAS,GAA0B,IAAI,CAAC;IACxC,UAAU,GAA6E,IAAI,CAAC;IAC5F,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,UAAU,GAAG,KAAK,CAAC;IAE3B;QACE,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC;QACrD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,aAAa,CAAC;QACrE,IAAI,CAAC,OAAO,GAAG,6CAA6C,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,WAAW,UAAU,CAAC;IAC3G,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAC1F,CAAC;QAED,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;YACrC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;YACvB,YAAG,CAAC,OAAO,CAAC,kCAAkC,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,YAAG,CAAC,IAAI,CAAC,gDAAiD,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACnF,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,yCAAyC;QACnE,CAAC;QAED,8BAA8B;QAC9B,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,aAAa,CAAC,CAAC;QACxE,YAAG,CAAC,IAAI,CAAC,4BAA4B,aAAa,GAAG,IAAI,iBAAiB,CAAC,CAAC;IAC9E,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAwB;QAChD,MAAM,SAAS,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElD,MAAM,MAAM,GAAG;YACb,UAAU,EAAE,iBAAiB;YAC7B,MAAM,EAAE;gBACN,SAAS,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;gBAC/B,QAAQ,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,QAAQ,EAAE;gBACrC,SAAS,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE;gBACvD,SAAS,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,SAAS,EAAE;gBACvC,SAAS,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE;gBAChC,SAAS,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE;gBAC1C,MAAM,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE;aAC7B;SACF,CAAC;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC9B,YAAG,CAAC,IAAI,CAAC,sCAAsC,SAAS,EAAE,CAAC,CAAC;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,UAAU,CAAC,EAAmE;QAC5E,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;IACvB,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC9B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC;IAC1B,CAAC;IAED,0DAA0D;IAElD,KAAK,CAAC,aAAa;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;gBAC3C,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;aAC5E,EAAE,EAAE,CAAC,CAAC;YAEP,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,KAAe,CAAC;gBAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,KAAe,CAAC;gBAEtD,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM;oBAAE,SAAS;gBACpC,IAAI,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAEzD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBAE3C,MAAM,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC;gBACxF,YAAG,CAAC,IAAI,CAAC,wBAAwB,SAAS,MAAM,MAAM,EAAE,CAAC,CAAC;gBAC1D,iBAAO,CAAC,OAAO,CAAC,SAAS,EAAE,MAAa,CAAC,CAAC;gBAC1C,IAAI,CAAC,UAAU,EAAE,CAAC,SAAS,EAAE,MAAa,CAAC,CAAC;gBAE5C,oBAAoB;gBACpB,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;YACrF,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,YAAG,CAAC,KAAK,CAAC,0BAA2B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,UAAkB,EAAE,OAAc,EAAE,KAAa;QACnE,MAAM,IAAI,GAAG;YACX,KAAK,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE;YACxC,YAAY,EAAE,KAAK;SACpB,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,gBAAgB,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,gCAAgC,EAAE,IAAI,CAAC,QAAQ;aAChD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAwB,CAAC;QACvD,OAAO,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;IAC5B,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,MAAW;QAClC,MAAM,IAAI,GAAG;YACX,UAAU,EAAE,CAAC,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;SAClD,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,iBAAiB,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,gCAAgC,EAAE,IAAI,CAAC,QAAQ;aAChD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACtE,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,UAAkB,EAAE,UAAkB,EAAE,KAAa,EAAE,KAAa;QAClG,MAAM,IAAI,GAAG;YACX,UAAU,EAAE,CAAC;oBACX,aAAa,EAAE,QAAQ;oBACvB,MAAM,EAAE;wBACN,UAAU;wBACV,UAAU;wBACV,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,EAAE,EAAE;qBAC/B;iBACF,CAAC;SACH,CAAC;QAEF,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,iBAAiB,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,gCAAgC,EAAE,IAAI,CAAC,QAAQ;aAChD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC,CAAC,cAAc;IACpC,CAAC;CACF;AApKD,8CAoKC"}

package/dist/transport/factory.d.ts

@@ -0,0 +1,6 @@
+import type { Transport, TransportMode } from './interface';
+export interface TransportOptions {
+    serverUrl?: string;
+    token?: string;
+}
+export declare function createTransport(mode: TransportMode, opts?: TransportOptions): Transport;

package/dist/transport/factory.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTransport = createTransport;
+const local_1 = require("./local");
+const remote_1 = require("./remote");
+const cloudkit_1 = require("./cloudkit");
+function createTransport(mode, opts) {
+    switch (mode) {
+        case 'local':
+            return new local_1.LocalTransport();
+        case 'cloudkit':
+            return new cloudkit_1.CloudKitTransport();
+        case 'server':
+            if (!opts?.serverUrl || !opts?.token) {
+                throw new Error('Server mode requires serverUrl and token');
+            }
+            return new remote_1.RemoteTransport(opts.serverUrl, opts.token);
+    }
+}
+//# sourceMappingURL=factory.js.map

package/dist/transport/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/transport/factory.ts"],"names":[],"mappings":";;AAUA,0CAYC;AArBD,mCAAyC;AACzC,qCAA2C;AAC3C,yCAA+C;AAO/C,SAAgB,eAAe,CAAC,IAAmB,EAAE,IAAuB;IAC1E,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,IAAI,sBAAc,EAAE,CAAC;QAC9B,KAAK,UAAU;YACb,OAAO,IAAI,4BAAiB,EAAE,CAAC;QACjC,KAAK,QAAQ;YACX,IAAI,CAAC,IAAI,EAAE,SAAS,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAC9D,CAAC;YACD,OAAO,IAAI,wBAAe,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC"}

package/dist/transport/interface.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Transport interface — abstracts local (TCP) vs remote (Socket.IO) communication.
+ * Both modes use the same message format for approval_request / decision.
+ */
+export type TransportMode = 'local' | 'cloudkit' | 'server';
+export interface ApprovalPayload {
+    toolName: string;
+    toolInput: Record<string, unknown>;
+    riskLevel: string;
+    diff?: string;
+    contextSummary?: string;
+}
+export interface Transport {
+    readonly mode: TransportMode;
+    readonly isConnected: boolean;
+    start(): Promise<void>;
+    sendApprovalRequest(payload: ApprovalPayload): Promise<string>;
+    onDecision(cb: (requestId: string, action: 'allowed' | 'blocked' | 'timeout') => void): void;
+    stop(): void;
+    /** Send fire-and-forget event to iOS (terminal, activity, notification) */
+    sendEvent?(data: Record<string, unknown>): void;
+    sendNotification?(title: string, message: string): void;
+}
+export declare function setTransport(t: Transport): void;
+export declare function getTransport(): Transport | null;

package/dist/transport/interface.js

@@ -0,0 +1,13 @@
+"use strict";
+/**
+ * Transport interface — abstracts local (TCP) vs remote (Socket.IO) communication.
+ * Both modes use the same message format for approval_request / decision.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setTransport = setTransport;
+exports.getTransport = getTransport;
+/** Global transport instance — set by start command */
+let _transport = null;
+function setTransport(t) { _transport = t; }
+function getTransport() { return _transport; }
+//# sourceMappingURL=interface.js.map

package/dist/transport/interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.js","sourceRoot":"","sources":["../../src/transport/interface.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA6BH,oCAAoE;AACpE,oCAAuE;AAJvE,uDAAuD;AACvD,IAAI,UAAU,GAAqB,IAAI,CAAC;AAExC,SAAgB,YAAY,CAAC,CAAY,IAAU,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC;AACpE,SAAgB,YAAY,KAAuB,OAAO,UAAU,CAAC,CAAC,CAAC"}

package/dist/transport/local.d.ts

@@ -0,0 +1,46 @@
+import type { Transport, ApprovalPayload } from './interface';
+import type { Rule } from '../rules/engine';
+/**
+ * Local transport — TCP server + Bonjour (mDNS) for LAN-direct mode.
+ *
+ * - Opens a TCP server on port 7750
+ * - Publishes _sentinel._tcp via Bonjour so iOS can auto-discover
+ * - iOS connects directly, same JSON message format as remote mode
+ * - Messages are newline-delimited JSON over raw TCP
+ */
+export declare class LocalTransport implements Transport {
+    readonly mode: "local";
+    private server;
+    private bonjour;
+    private iosSocket;
+    private buffer;
+    private static readonly MAX_BUFFER_SIZE;
+    private decisionCb;
+    private rulesUpdateCb;
+    private userMessageCb;
+    private activeClaudeProcess;
+    get isConnected(): boolean;
+    start(): Promise<void>;
+    private publishBonjour;
+    /** Process newline-delimited messages from buffer (encrypted or plain) */
+    private processBuffer;
+    private handleMessage;
+    /** Send a notification to iOS */
+    sendNotification(title: string, message: string): void;
+    sendEvent(data: Record<string, unknown>): void;
+    private runClaude;
+    /** Send a JSON message to connected iOS */
+    private send;
+    sendApprovalRequest(payload: ApprovalPayload): Promise<string>;
+    onDecision(cb: (id: string, action: 'allowed' | 'blocked' | 'timeout') => void): void;
+    /** Register callback for rules updates from iOS */
+    onRulesUpdate(cb: (rules: Rule[]) => void): void;
+    /** Register callback for user messages from iOS */
+    onUserMessage(cb: (text: string) => void): void;
+    stop(): void;
+    /** Get info for pairing display */
+    getConnectionInfo(): {
+        ip: string;
+        port: number;
+    };
+}