@vibelet/cli 0.1.34 → 0.1.36

package/src/advertised-hosts.ts

@@ -0,0 +1,225 @@
+import { execFileSync } from 'child_process';
+import type { NetworkInterfaceInfo } from 'os';
+
+export interface AdvertisedHostsOptions {
+  canonicalHost: string;
+  configuredCanonicalHost?: string;
+  configuredFallbackHosts?: string[];
+  tailscaleCanonicalHost?: string;
+  tailscaleFallbackHosts?: string[];
+  interfaces: NodeJS.Dict<NetworkInterfaceInfo[]>;
+}
+
+interface TailscaleStatusPayload {
+  Self?: {
+    DNSName?: string;
+    TailscaleIPs?: string[];
+  };
+}
+
+export interface TailscaleHosts {
+  canonicalHost?: string;
+  fallbackHosts: string[];
+}
+
+export interface AdvertisedConnectionTargetOptions {
+  canonicalHost: string;
+  fallbackHosts?: string[];
+  port: number;
+  relayUrl?: string;
+}
+
+export interface AdvertisedConnectionTarget {
+  canonicalHost: string;
+  fallbackHosts: string[];
+  port: number;
+}
+
+function isIpv4(address: string): boolean {
+  const parts = address.split('.');
+  if (parts.length !== 4) return false;
+  return parts.every((part) => /^\d+$/.test(part) && Number(part) >= 0 && Number(part) <= 255);
+}
+
+function isTailscaleIpv4(address: string): boolean {
+  if (!isIpv4(address)) return false;
+  const [first, second] = address.split('.').map(Number);
+  return first === 100 && second >= 64 && second <= 127;
+}
+
+function isLinkLocalIpv4(address: string): boolean {
+  if (!isIpv4(address)) return false;
+  const [first, second] = address.split('.').map(Number);
+  return first === 169 && second === 254;
+}
+
+function isBenchmarkIpv4(address: string): boolean {
+  if (!isIpv4(address)) return false;
+  const [first, second] = address.split('.').map(Number);
+  return first === 198 && (second === 18 || second === 19);
+}
+
+function isUsableHost(address: string): boolean {
+  return Boolean(address)
+    && !isLinkLocalIpv4(address)
+    && !isBenchmarkIpv4(address);
+}
+
+function normalizeHost(host: string | undefined): string | undefined {
+  if (!host) return undefined;
+  const trimmed = host.trim().replace(/\.$/, '');
+  return trimmed ? trimmed.toLowerCase() : undefined;
+}
+
+function normalizeFallbackHosts(
+  hosts: string[] | undefined,
+  canonicalHost: string,
+): string[] {
+  return (hosts ?? [])
+    .map((host) => normalizeHost(host))
+    .filter((host): host is string => Boolean(host))
+    .filter((host) => isUsableHost(host))
+    .filter((host, index, all) => host !== canonicalHost && all.indexOf(host) === index);
+}
+
+export function readConfiguredFallbackHosts(rawValue: string | undefined): string[] {
+  if (!rawValue) return [];
+  return rawValue
+    .split(',')
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+}
+
+function collectInterfaceHosts(interfaces: NodeJS.Dict<NetworkInterfaceInfo[]>): string[] {
+  const tailscaleHosts: string[] = [];
+  const lanHosts: string[] = [];
+
+  for (const entries of Object.values(interfaces)) {
+    if (!entries) continue;
+    for (const entry of entries) {
+      if (entry.internal || entry.family !== 'IPv4') continue;
+      if (!isUsableHost(entry.address)) continue;
+      if (isTailscaleIpv4(entry.address)) {
+        tailscaleHosts.push(entry.address);
+      } else {
+        lanHosts.push(entry.address);
+      }
+    }
+  }
+
+  return [...tailscaleHosts, ...lanHosts];
+}
+
+export function parseTailscaleStatus(rawStatus: string): TailscaleHosts {
+  const parsed = JSON.parse(rawStatus) as TailscaleStatusPayload;
+  const dnsName = normalizeHost(parsed.Self?.DNSName);
+  const tailscaleIps = (parsed.Self?.TailscaleIPs ?? [])
+    .map((host) => normalizeHost(host))
+    .filter((host): host is string => Boolean(host))
+    .filter((host) => isTailscaleIpv4(host) && isUsableHost(host));
+  const canonicalHost = tailscaleIps[0] ?? dnsName;
+  const fallbackHosts = [
+    ...(dnsName && dnsName !== canonicalHost ? [dnsName] : []),
+    ...tailscaleIps.filter((host) => host !== canonicalHost),
+  ];
+
+  return {
+    canonicalHost,
+    fallbackHosts,
+  };
+}
+
+export function readTailscaleHosts(runCommand: typeof execFileSync = execFileSync): TailscaleHosts {
+  const socketPaths = [
+    process.env.TAILSCALE_SOCKET,
+    '/tmp/tailscale.sock',
+  ].filter(Boolean) as string[];
+
+  // Try with custom socket paths first
+  for (const socket of socketPaths) {
+    try {
+      const rawStatus = runCommand('tailscale', ['--socket', socket, 'status', '--json'], {
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 1500,
+      });
+      return parseTailscaleStatus(rawStatus);
+    } catch { /* try next */ }
+  }
+
+  // Fallback to default socket
+  try {
+    const rawStatus = runCommand('tailscale', ['status', '--json'], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: 1500,
+    });
+    return parseTailscaleStatus(rawStatus);
+  } catch {
+    return { fallbackHosts: [] };
+  }
+}
+
+export function computeAdvertisedConnectionTarget(
+  options: AdvertisedConnectionTargetOptions,
+): AdvertisedConnectionTarget {
+  const baseCanonicalHost = normalizeHost(options.canonicalHost) || 'localhost';
+  const baseFallbackHosts = normalizeFallbackHosts(options.fallbackHosts, baseCanonicalHost);
+
+  if (!options.relayUrl) {
+    return {
+      canonicalHost: baseCanonicalHost,
+      fallbackHosts: baseFallbackHosts,
+      port: options.port,
+    };
+  }
+
+  try {
+    const relay = new URL(options.relayUrl);
+    const relayCanonicalHost = normalizeHost(relay.hostname);
+    if (!relayCanonicalHost) {
+      throw new Error('invalid relay hostname');
+    }
+
+    const relayPort = relay.port
+      ? Number(relay.port)
+      : (relay.protocol === 'https:' ? 443 : 80);
+
+    return {
+      canonicalHost: relayCanonicalHost,
+      fallbackHosts: normalizeFallbackHosts([baseCanonicalHost, ...baseFallbackHosts], relayCanonicalHost),
+      port: Number.isFinite(relayPort) && relayPort > 0 ? Math.floor(relayPort) : options.port,
+    };
+  } catch {
+    return {
+      canonicalHost: baseCanonicalHost,
+      fallbackHosts: baseFallbackHosts,
+      port: options.port,
+    };
+  }
+}
+
+export function computeAdvertisedHosts(options: AdvertisedHostsOptions): { canonicalHost: string; fallbackHosts: string[] } {
+  const baseCanonicalHost = normalizeHost(options.canonicalHost);
+  const canonicalHost = normalizeHost(options.configuredCanonicalHost)
+    || normalizeHost(options.tailscaleCanonicalHost)
+    || baseCanonicalHost
+    || 'localhost';
+  const fallbackHosts = [
+    ...(baseCanonicalHost && baseCanonicalHost !== canonicalHost
+      ? [baseCanonicalHost]
+      : []),
+    ...(options.configuredFallbackHosts ?? []),
+    ...(options.tailscaleFallbackHosts ?? []),
+    ...collectInterfaceHosts(options.interfaces),
+  ]
+    .map((host) => normalizeHost(host))
+    .filter((host): host is string => Boolean(host))
+    .filter((host) => isUsableHost(host))
+    .filter((host, index, all) => host !== canonicalHost && all.indexOf(host) === index);
+
+  return {
+    canonicalHost,
+    fallbackHosts,
+  };
+}

package/src/audit.test.ts

@@ -0,0 +1,38 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { buildAppAuditEntry, sanitizeAppAuditData } from './audit.js';
+
+test('sanitizeAppAuditData strips reserved audit fields from client payloads', () => {
+  assert.deepEqual(
+    sanitizeAppAuditData({
+      event: 'override',
+      source: 'app',
+      level: 'debug',
+      appEvent: 'fake',
+      ts: '2026-01-01T00:00:00.000Z',
+      sessionId: 'session-123',
+      agent: 'codex',
+    }),
+    {
+      sessionId: 'session-123',
+      agent: 'codex',
+    },
+  );
+});
+
+test('buildAppAuditEntry preserves the audit envelope while keeping client data', () => {
+  const entry = buildAppAuditEntry('app.session.send', 'info', {
+    sessionId: 'session-123',
+    event: 'override',
+    level: 'debug',
+  }, '2026-03-21T12:00:00.000Z');
+
+  assert.deepEqual(entry, {
+    ts: '2026-03-21T12:00:00.000Z',
+    event: 'app.log',
+    source: 'app',
+    appEvent: 'app.session.send',
+    level: 'info',
+    sessionId: 'session-123',
+  });
+});

package/src/audit.ts

@@ -0,0 +1,117 @@
+/**
+ * Size-bounded audit log for session lifecycle events.
+ *
+ * Writes JSONL to ~/.vibelet/data/audit.jsonl.
+ * Each line is a self-contained event with timestamp, event type, and context.
+ *
+ * Usage:
+ *   import { audit } from './audit.js';
+ *   audit.emit('session.create', { sessionId, agent, cwd });
+ *   audit.emit('session.done', { sessionId, cost, usage });
+ */
+
+import { appendFileSync, mkdirSync } from 'fs';
+import { dirname } from 'path';
+import { AUDIT_PATH } from './paths.js';
+import { config } from './config.js';
+import { trimFileTailSync } from './storage-housekeeping.js';
+
+export type AuditEvent =
+  | 'session.create'
+  | 'session.resume'
+  | 'session.reconnect'
+  | 'session.send'
+  | 'session.done'
+  | 'session.interrupted'
+  | 'session.stop'
+  | 'session.delete'
+  | 'session.interrupt'
+  | 'driver.spawn'
+  | 'driver.init'
+  | 'driver.exit'
+  | 'driver.error'
+  | 'driver.idle_timeout'
+  | 'driver.stall_timeout'
+  | 'approval.request'
+  | 'approval.response'
+  | 'ws.connect'
+  | 'ws.disconnect'
+  | 'daemon.start'
+  | 'daemon.shutdown'
+  | 'daemon.error'
+  | 'app.log';
+
+export type AuditSource = 'daemon' | 'app';
+
+interface AuditEntry {
+  ts: string;
+  event: AuditEvent | string;
+  source?: AuditSource;
+  [key: string]: unknown;
+}
+
+let initialized = false;
+const APP_AUDIT_RESERVED_FIELDS = new Set(['ts', 'event', 'source', 'appEvent', 'level']);
+
+function isTestRuntime(): boolean {
+  return process.env.VIBE_TEST === '1' || process.argv.includes('--test');
+}
+
+export function sanitizeAppAuditData(data: Record<string, unknown> = {}): Record<string, unknown> {
+  const sanitized: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (APP_AUDIT_RESERVED_FIELDS.has(key)) continue;
+    sanitized[key] = value;
+  }
+  return sanitized;
+}
+
+export function buildAppAuditEntry(
+  appEvent: string,
+  level: string,
+  data: Record<string, unknown> = {},
+  clientTs?: string,
+): AuditEntry {
+  return {
+    ts: clientTs ?? new Date().toISOString(),
+    event: 'app.log',
+    source: 'app' as AuditSource,
+    appEvent,
+    level,
+    ...sanitizeAppAuditData(data),
+  };
+}
+
+function ensureDir(): void {
+  if (initialized) return;
+  mkdirSync(dirname(AUDIT_PATH), { recursive: true });
+  initialized = true;
+}
+
+class AuditLog {
+  emit(event: AuditEvent, data: Record<string, unknown> = {}): void {
+    this.write({ ts: new Date().toISOString(), event, ...data });
+  }
+
+  /** Write an app-reported log entry. Preserves client-side timestamp if provided. */
+  emitApp(appEvent: string, level: string, data: Record<string, unknown> = {}, clientTs?: string): void {
+    this.write(buildAppAuditEntry(appEvent, level, data, clientTs));
+  }
+
+  private write(entry: Record<string, unknown>): void {
+    if (isTestRuntime()) return;
+    ensureDir();
+    try {
+      const line = JSON.stringify(entry) + '\n';
+      trimFileTailSync(AUDIT_PATH, {
+        maxBytes: config.auditMaxBytes,
+        incomingBytes: Buffer.byteLength(line),
+      });
+      appendFileSync(AUDIT_PATH, line);
+    } catch {
+      // Audit log is best-effort — never crash the daemon
+    }
+  }
+}
+
+export const audit = new AuditLog();

package/src/auth.ts

@@ -0,0 +1,31 @@
+export function isLoopbackAddress(address: string | undefined): boolean {
+  if (!address) return false;
+  return address === '127.0.0.1'
+    || address === '::1'
+    || address === '::ffff:127.0.0.1';
+}
+
+export function readBearerToken(header: string | undefined): string | null {
+  if (!header) return null;
+  const match = header.match(/^Bearer\s+(.+)$/i);
+  return match?.[1]?.trim() || null;
+}
+
+export function resolveRequestToken(authHeader: string | undefined, queryToken: string | null): string | null {
+  return readBearerToken(authHeader) ?? queryToken;
+}
+
+export function isLegacyToken(token: string | null, legacyToken: string): boolean {
+  return Boolean(token && legacyToken && token === legacyToken);
+}
+
+export function isAuthorizedToken(
+  token: string | null,
+  legacyToken: string,
+  validatePairToken: (token: string, touch?: boolean) => unknown,
+  touch = true,
+): boolean {
+  if (!token) return false;
+  if (isLegacyToken(token, legacyToken)) return true;
+  return Boolean(validatePairToken(token, touch));
+}

package/src/claude-hooks.ts

@@ -0,0 +1,195 @@
+import { mkdirSync, rmSync, writeFileSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { randomUUID } from 'crypto';
+
+export const CLAUDE_HOOK_APPROVAL_PREFIX = 'claude-hook:';
+export const CLAUDE_HOOK_SECRET_HEADER = 'x-vibelet-claude-hook-secret';
+
+export type ClaudeSessionHookData = {
+  session_id?: string;
+  sessionId?: string;
+  transcript_path?: string;
+  transcriptPath?: string;
+  cwd?: string;
+  hook_event_name?: string;
+  hookEventName?: string;
+  source?: string;
+  [key: string]: unknown;
+};
+
+export type ClaudePermissionHookData = {
+  session_id?: string;
+  sessionId?: string;
+  transcript_path?: string;
+  transcriptPath?: string;
+  cwd?: string;
+  hook_event_name?: string;
+  hookEventName?: string;
+  permission_mode?: string;
+  permissionMode?: string;
+  tool_name?: string;
+  toolName?: string;
+  tool_input?: unknown;
+  toolInput?: unknown;
+  tool_use_id?: string;
+  toolUseId?: string;
+  permission_suggestions?: unknown;
+  permissionSuggestions?: unknown;
+  [key: string]: unknown;
+};
+
+export type ClaudePermissionHookResponse = {
+  continue: boolean;
+  suppressOutput?: boolean;
+  stopReason?: string;
+  systemMessage?: string;
+  hookSpecificOutput?: {
+    hookEventName?: 'PreToolUse';
+    permissionDecision?: 'allow' | 'deny' | 'ask';
+    permissionDecisionReason?: string;
+    updatedInput?: unknown;
+    [key: string]: unknown;
+  };
+  [key: string]: unknown;
+};
+
+export type ClaudeHookFiles = {
+  secret: string;
+  dirPath: string;
+  settingsPath: string;
+  sessionScriptPath: string;
+  permissionScriptPath: string;
+};
+
+export const DEFAULT_CLAUDE_PERMISSION_HOOK_RESPONSE: ClaudePermissionHookResponse = {
+  continue: true,
+  suppressOutput: true,
+  hookSpecificOutput: {
+    hookEventName: 'PreToolUse',
+  },
+};
+
+function buildSessionForwarderScript(port: number, secret: string): string {
+  return `#!/usr/bin/env node
+const http = require('http');
+const chunks = [];
+process.stdin.on('data', (chunk) => chunks.push(chunk));
+process.stdin.on('end', () => {
+  const body = Buffer.concat(chunks);
+  const req = http.request({
+    host: '127.0.0.1',
+    port: ${port},
+    method: 'POST',
+    path: '/hook/claude/session-start',
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Length': body.length,
+      '${CLAUDE_HOOK_SECRET_HEADER}': ${JSON.stringify(secret)}
+    }
+  }, (res) => { res.resume(); });
+  req.on('error', () => {});
+  req.end(body);
+});
+process.stdin.resume();
+`;
+}
+
+function buildPermissionForwarderScript(port: number, secret: string): string {
+  return `#!/usr/bin/env node
+const http = require('http');
+const fallback = ${JSON.stringify(JSON.stringify(DEFAULT_CLAUDE_PERMISSION_HOOK_RESPONSE))};
+const chunks = [];
+process.stdin.on('data', (chunk) => chunks.push(chunk));
+process.stdin.on('end', () => {
+  const body = Buffer.concat(chunks);
+  const req = http.request({
+    host: '127.0.0.1',
+    port: ${port},
+    method: 'POST',
+    path: '/hook/claude/permission-request',
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Length': body.length,
+      '${CLAUDE_HOOK_SECRET_HEADER}': ${JSON.stringify(secret)}
+    }
+  }, (res) => {
+    const responseChunks = [];
+    res.on('data', (chunk) => responseChunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+    res.on('end', () => {
+      const statusCode = res.statusCode || 0;
+      if (statusCode < 200 || statusCode >= 300) {
+        process.stdout.write(fallback);
+        return;
+      }
+      const payload = Buffer.concat(responseChunks).toString('utf8').trim();
+      process.stdout.write(payload || fallback);
+    });
+  });
+  req.on('error', () => {
+    process.stdout.write(fallback);
+  });
+  req.end(body);
+});
+process.stdin.resume();
+`;
+}
+
+export function createClaudeHookFiles(port: number, secret: string): ClaudeHookFiles {
+  const dirPath = join(tmpdir(), `vibelet-claude-hooks-${process.pid}-${randomUUID()}`);
+  mkdirSync(dirPath, { recursive: true });
+
+  const settingsPath = join(dirPath, 'settings.json');
+  const sessionScriptPath = join(dirPath, 'session_hook_forwarder.cjs');
+  const permissionScriptPath = join(dirPath, 'permission_hook_forwarder.cjs');
+
+  writeFileSync(sessionScriptPath, buildSessionForwarderScript(port, secret), 'utf8');
+  writeFileSync(permissionScriptPath, buildPermissionForwarderScript(port, secret), 'utf8');
+  writeFileSync(
+    settingsPath,
+    JSON.stringify({
+      hooks: {
+        SessionStart: [
+          {
+            matcher: '*',
+            hooks: [
+              {
+                type: 'command',
+                command: `${JSON.stringify(process.execPath)} ${JSON.stringify(sessionScriptPath)}`,
+              },
+            ],
+          },
+        ],
+        PreToolUse: [
+          {
+            matcher: '*',
+            hooks: [
+              {
+                type: 'command',
+                command: `${JSON.stringify(process.execPath)} ${JSON.stringify(permissionScriptPath)}`,
+              },
+            ],
+          },
+        ],
+      },
+    }, null, 2),
+    'utf8',
+  );
+
+  return {
+    secret,
+    dirPath,
+    settingsPath,
+    sessionScriptPath,
+    permissionScriptPath,
+  };
+}
+
+export function cleanupClaudeHookFiles(hookFiles: ClaudeHookFiles | null | undefined): void {
+  if (!hookFiles) return;
+  try {
+    rmSync(hookFiles.dirPath, { recursive: true, force: true });
+  } catch {
+    // best effort cleanup
+  }
+}

package/src/cli-version.test.ts

@@ -0,0 +1,36 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { createRequire } from 'node:module';
+import { fileURLToPath } from 'node:url';
+import { resolveCliVersion } from './cli-version.js';
+
+const require = createRequire(import.meta.url);
+const packageJson = require('../../../package.json') as { version?: string };
+const daemonPackageDir = fileURLToPath(new URL('..', import.meta.url));
+
+test('resolveCliVersion prefers VIBELET_CLI_VERSION when provided', () => {
+  const original = process.env.VIBELET_CLI_VERSION;
+  process.env.VIBELET_CLI_VERSION = '9.9.9-test';
+
+  try {
+    assert.equal(resolveCliVersion(), '9.9.9-test');
+  } finally {
+    if (original === undefined) delete process.env.VIBELET_CLI_VERSION;
+    else process.env.VIBELET_CLI_VERSION = original;
+  }
+});
+
+test('resolveCliVersion falls back to the root package version', () => {
+  const original = process.env.VIBELET_CLI_VERSION;
+  const originalCwd = process.cwd();
+  delete process.env.VIBELET_CLI_VERSION;
+  process.chdir(daemonPackageDir);
+
+  try {
+    assert.equal(resolveCliVersion(), packageJson.version);
+  } finally {
+    process.chdir(originalCwd);
+    if (original === undefined) delete process.env.VIBELET_CLI_VERSION;
+    else process.env.VIBELET_CLI_VERSION = original;
+  }
+});

package/src/cli-version.ts

@@ -0,0 +1,46 @@
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+type RootPackageJson = {
+  name?: string;
+  version?: string;
+};
+
+const ROOT_PACKAGE_NAME = '@vibelet/cli';
+
+function readVersionFromPackageJson(path: string): string | null {
+  try {
+    const packageJson = JSON.parse(readFileSync(path, 'utf8')) as RootPackageJson;
+    if (packageJson.name === ROOT_PACKAGE_NAME && typeof packageJson.version === 'string' && packageJson.version.length > 0) {
+      return packageJson.version;
+    }
+  } catch {
+    // Continue through the fallback chain.
+  }
+
+  return null;
+}
+
+export function resolveCliVersion(): string {
+  if (process.env.VIBELET_CLI_VERSION) {
+    return process.env.VIBELET_CLI_VERSION;
+  }
+
+  let currentDir = process.cwd();
+  for (let depth = 0; depth < 4; depth += 1) {
+    const version = readVersionFromPackageJson(resolve(currentDir, 'package.json'));
+    if (version) {
+      return version;
+    }
+
+    const parentDir = resolve(currentDir, '..');
+    if (parentDir === currentDir) {
+      break;
+    }
+    currentDir = parentDir;
+  }
+
+  return '0.0.0';
+}
+
+export const CLI_VERSION = resolveCliVersion();