@way_marks/server 0.4.0

package/README.md

@@ -0,0 +1,73 @@
+# @way_marks/server
+
+MCP server and REST API backend for [Waymark](https://github.com/waymarks/waymark).
+
+> **This package is installed automatically** by `@way_marks/cli`.
+> End users should not install it directly.
+
+```bash
+# Correct — install the CLI, which pulls in this package
+npx @way_marks/cli init
+```
+
+---
+
+## What this package provides
+
+Two long-running Node.js processes, both spawned by `waymark start`:
+
+| Process | Entry point | What it does |
+|---------|-------------|--------------|
+| MCP server | `dist/mcp/server.js` | stdio MCP server — intercepts Claude Code tool calls, enforces policy, logs actions |
+| API server | `dist/api/server.js` | HTTP server on port 3001 — serves dashboard UI and REST API |
+
+Both processes share the same SQLite database (`<project-root>/.waymark/waymark.db`). The MCP process writes; the API process reads. All database calls are synchronous (`better-sqlite3`) so concurrent access is safe.
+
+---
+
+## Environment variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `WAYMARK_PROJECT_ROOT` | Yes | `process.cwd()` | Absolute path to the project being monitored. Sets where `waymark.config.json` and `data/waymark.db` are resolved. |
+| `PORT` | No | `3001` | Port for the API + dashboard server. |
+| `WAYMARK_SLACK_WEBHOOK_URL` | No | — | Incoming webhook URL for Slack notifications on pending actions. |
+| `WAYMARK_SLACK_CHANNEL` | No | — | Slack channel to post to (e.g. `#engineering`). |
+| `WAYMARK_BASE_URL` | No | `http://localhost:3001` | Base URL used in Slack message links back to the dashboard. |
+
+---
+
+## REST API
+
+All endpoints are served by `dist/api/server.js` on port 3001.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/api/actions` | List all logged actions. Query: `?count=true` returns `{ count: N }` for pending actions only. |
+| `GET` | `/api/actions/:id` | Get a single action by ID. |
+| `GET` | `/api/actions/:id/status` | Get the current status of an action (`pending`, `approved`, `rejected`, `blocked`, `allowed`). |
+| `POST` | `/api/actions/:id/approve` | Approve a pending action — executes the held write and marks it approved. |
+| `POST` | `/api/actions/:id/reject` | Reject a pending action — marks it rejected, action is not executed. |
+| `POST` | `/api/actions/:id/rollback` | Roll back an approved write_file action to its before-snapshot. |
+| `POST` | `/api/slack/interact` | Slack interactive component handler (approve/reject from Slack message buttons). |
+| `GET` | `/api/sessions` | List all session IDs that have logged actions. |
+| `GET` | `/api/config` | Return the current parsed `waymark.config.json` for the active project. |
+| `GET` | `*` | Catch-all — serves the dashboard `index.html`. |
+
+---
+
+## MCP tools
+
+The MCP server exposes three tools to Claude Code:
+
+| Tool | Replaces | Description |
+|------|----------|-------------|
+| `waymark:write_file` | `write_file` | Write a file — subject to policy before execution. |
+| `waymark:read_file` | `read_file` | Read a file — always logged. |
+| `waymark:bash` | `bash` | Run a shell command — checked against `blockedCommands` before execution. |
+
+---
+
+## License
+
+MIT — see [LICENSE](https://github.com/waymarks/waymark/blob/main/LICENSE)

package/dist/api/server.js

@@ -0,0 +1,218 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+require("dotenv/config");
+const express_1 = __importDefault(require("express"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const database_1 = require("../db/database");
+const engine_1 = require("../policies/engine");
+const handler_1 = require("../approvals/handler");
+const app = (0, express_1.default)();
+const PORT = parseInt(process.env.WAYMARK_PORT || '3001', 10);
+app.use(express_1.default.json());
+app.use(express_1.default.urlencoded({ extended: true }));
+// Serve UI — path works for both ts-node (src/api/) and compiled (dist/api/)
+const UI_DIR = path.resolve(__dirname, '../../src/ui');
+app.use(express_1.default.static(UI_DIR));
+// GET /api/actions — list all actions (or ?count=true for pending count)
+app.get('/api/actions', (req, res) => {
+    try {
+        if (req.query.count === 'true') {
+            return res.json({ count: (0, database_1.getPendingCount)() });
+        }
+        const actions = (0, database_1.getActions)();
+        res.json(actions);
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// POST /api/actions/:action_id/approve
+app.post('/api/actions/:action_id/approve', async (req, res) => {
+    try {
+        const result = await (0, handler_1.approvePendingAction)(req.params.action_id, 'ui');
+        if (!result.success) {
+            const status = result.error === 'Action not found' ? 404 : 400;
+            return res.status(status).json({ error: result.error });
+        }
+        res.json(result);
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// POST /api/actions/:action_id/reject
+app.post('/api/actions/:action_id/reject', async (req, res) => {
+    try {
+        const reason = req.body?.reason || 'Rejected';
+        const result = await (0, handler_1.rejectPendingAction)(req.params.action_id, reason);
+        if (!result.success) {
+            const status = result.error === 'Action not found' ? 404 : 400;
+            return res.status(status).json({ error: result.error });
+        }
+        res.json(result);
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// GET /api/actions/:action_id/status — lightweight status for agent polling
+app.get('/api/actions/:action_id/status', (req, res) => {
+    try {
+        const action = (0, database_1.getAction)(req.params.action_id);
+        if (!action) {
+            return res.status(404).json({ error: 'Action not found' });
+        }
+        res.json({
+            status: action.status,
+            decision: action.decision,
+            approved_by: action.approved_by,
+            approved_at: action.approved_at,
+            rejected_reason: action.rejected_reason,
+            rejected_at: action.rejected_at,
+        });
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// GET /api/actions/:action_id — single action
+app.get('/api/actions/:action_id', (req, res) => {
+    try {
+        const action = (0, database_1.getAction)(req.params.action_id);
+        if (!action) {
+            return res.status(404).json({ error: 'Action not found' });
+        }
+        res.json(action);
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// POST /api/actions/:action_id/rollback
+app.post('/api/actions/:action_id/rollback', (req, res) => {
+    try {
+        const action = (0, database_1.getAction)(req.params.action_id);
+        if (!action) {
+            return res.status(404).json({ error: 'Action not found' });
+        }
+        if (action.tool_name !== 'write_file') {
+            return res.status(400).json({ error: 'Rollback only supported for write_file actions' });
+        }
+        if (action.rolled_back) {
+            return res.status(400).json({ error: 'Action already rolled back' });
+        }
+        if (!action.target_path) {
+            return res.status(400).json({ error: 'No target path on this action' });
+        }
+        // Bug 3: if no before_snapshot, file was newly created — delete it
+        if (!action.before_snapshot) {
+            fs.unlinkSync(action.target_path);
+            (0, database_1.markRolledBack)(action.action_id);
+            return res.json({ success: true, action: 'deleted', message: `Deleted new file: ${action.target_path}` });
+        }
+        // Restore file to before_snapshot
+        fs.mkdirSync(path.dirname(action.target_path), { recursive: true });
+        fs.writeFileSync(action.target_path, action.before_snapshot, 'utf8');
+        (0, database_1.markRolledBack)(action.action_id);
+        res.json({ success: true, action: 'restored', message: `Restored ${action.target_path} to previous state` });
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// POST /api/slack/interact — Slack interactive components (button clicks)
+// For local development: use ngrok or similar to expose this endpoint publicly: ngrok http 3001
+app.post('/api/slack/interact', async (req, res) => {
+    let payload;
+    try {
+        payload = JSON.parse(req.body.payload);
+    }
+    catch (err) {
+        console.error('Slack interact parse error:', err);
+        return res.status(400).json({ error: 'Invalid payload format' });
+    }
+    try {
+        if (!payload?.actions?.[0]) {
+            return res.status(400).json({ error: 'No actions in payload' });
+        }
+        const slackAction = payload.actions[0];
+        const actionId = slackAction.action_id;
+        const actionValue = slackAction.value; // waymark action_id
+        if (actionId === 'waymark_approve') {
+            const result = await (0, handler_1.approvePendingAction)(actionValue, 'slack');
+            return res.json({ text: result.success ? '✅ Approved by slack' : `❌ Error: ${result.error}` });
+        }
+        if (actionId === 'waymark_reject') {
+            const result = await (0, handler_1.rejectPendingAction)(actionValue, 'Rejected via Slack');
+            return res.json({ text: result.success ? '❌ Rejected by slack' : `❌ Error: ${result.error}` });
+        }
+        res.status(400).json({ error: `Unknown action_id: ${actionId}` });
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// GET /api/sessions
+app.get('/api/sessions', (req, res) => {
+    try {
+        const sessions = (0, database_1.getSessions)();
+        res.json(sessions);
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// GET /api/config
+app.get('/api/config', (req, res) => {
+    try {
+        res.json((0, engine_1.loadConfig)());
+    }
+    catch (err) {
+        res.status(500).json({ error: err.message });
+    }
+});
+// Fallback: serve UI for any unmatched route
+app.get('*', (req, res) => {
+    res.sendFile(path.join(UI_DIR, 'index.html'));
+});
+app.listen(PORT, () => {
+    console.log(`Waymark UI + API running at http://localhost:${PORT}`);
+});
+exports.default = app;

package/dist/approvals/handler.js

@@ -0,0 +1,84 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.approvePendingAction = approvePendingAction;
+exports.rejectPendingAction = rejectPendingAction;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const database_1 = require("../db/database");
+const engine_1 = require("../policies/engine");
+async function approvePendingAction(actionId, approvedBy = 'ui') {
+    const action = (0, database_1.getAction)(actionId);
+    if (!action) {
+        return { success: false, error: 'Action not found' };
+    }
+    if (action.status !== 'pending') {
+        return { success: false, error: `Action is not pending (current status: ${action.status})` };
+    }
+    let after_snapshot;
+    if (action.tool_name === 'write_file') {
+        const { path: filePath, content } = JSON.parse(action.input_payload);
+        const resolvedPath = path.resolve(filePath);
+        // Re-check current policies — they may have changed since the action was queued
+        const currentConfig = (0, engine_1.loadConfig)();
+        const recheck = (0, engine_1.checkFileAction)(resolvedPath, 'write', currentConfig);
+        if (recheck.decision === 'block') {
+            return { success: false, error: `Approval blocked: policy changed (${recheck.reason})` };
+        }
+        fs.mkdirSync(path.dirname(resolvedPath), { recursive: true });
+        fs.writeFileSync(resolvedPath, content, 'utf8');
+        after_snapshot = content;
+    }
+    else if (action.tool_name === 'read_file') {
+        // read_file: no re-execution needed, just mark approved
+        // (the file read already happened conceptually; approval means "yes, this was ok")
+    }
+    else {
+        return { success: false, error: `Unsupported tool for approval: ${action.tool_name}` };
+    }
+    (0, database_1.approveAction)(actionId, approvedBy, after_snapshot);
+    return { success: true, action: actionId };
+}
+async function rejectPendingAction(actionId, reason) {
+    const action = (0, database_1.getAction)(actionId);
+    if (!action) {
+        return { success: false, error: 'Action not found' };
+    }
+    if (action.status !== 'pending') {
+        return { success: false, error: `Action is not pending (current status: ${action.status})` };
+    }
+    (0, database_1.rejectAction)(actionId, reason);
+    return { success: true, action: actionId };
+}

package/dist/db/database.js

@@ -0,0 +1,223 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.insertAction = insertAction;
+exports.updateAction = updateAction;
+exports.getActions = getActions;
+exports.getAction = getAction;
+exports.markRolledBack = markRolledBack;
+exports.getSessions = getSessions;
+exports.approveAction = approveAction;
+exports.rejectAction = rejectAction;
+exports.getPendingCount = getPendingCount;
+const better_sqlite3_1 = __importDefault(require("better-sqlite3"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const PROJECT_ROOT = process.env.WAYMARK_PROJECT_ROOT || process.cwd();
+const DB_PATH = process.env.WAYMARK_DB_PATH
+    || path.join(PROJECT_ROOT, '.waymark', 'waymark.db');
+const DB_DIR = path.dirname(DB_PATH);
+// Ensure database directory exists
+if (!fs.existsSync(DB_DIR)) {
+    fs.mkdirSync(DB_DIR, { recursive: true });
+}
+const db = new better_sqlite3_1.default(DB_PATH);
+// Create table on startup
+db.exec(`
+  CREATE TABLE IF NOT EXISTS action_log (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    action_id TEXT UNIQUE NOT NULL,
+    session_id TEXT NOT NULL,
+    tool_name TEXT NOT NULL,
+    target_path TEXT,
+    input_payload TEXT NOT NULL,
+    before_snapshot TEXT,
+    after_snapshot TEXT,
+    status TEXT NOT NULL DEFAULT 'pending',
+    error_message TEXT,
+    stdout TEXT,
+    stderr TEXT,
+    rolled_back INTEGER NOT NULL DEFAULT 0,
+    rolled_back_at TEXT,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+  )
+`);
+// Migrate existing DBs — add stdout/stderr if not present
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN stdout TEXT');
+}
+catch { }
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN stderr TEXT');
+}
+catch { }
+// Migrate v2: policy engine columns
+try {
+    db.exec("ALTER TABLE action_log ADD COLUMN decision TEXT NOT NULL DEFAULT 'allow'");
+}
+catch { }
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN policy_reason TEXT');
+}
+catch { }
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN matched_rule TEXT');
+}
+catch { }
+// Migrate v3: approval flow columns
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN approved_at TEXT');
+}
+catch { }
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN approved_by TEXT');
+}
+catch { }
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN rejected_at TEXT');
+}
+catch { }
+try {
+    db.exec('ALTER TABLE action_log ADD COLUMN rejected_reason TEXT');
+}
+catch { }
+// Indexes for query performance
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_action_id ON action_log(action_id)');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_status ON action_log(status)');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_session_id ON action_log(session_id)');
+}
+catch { }
+const insertStmt = db.prepare(`
+  INSERT INTO action_log (action_id, session_id, tool_name, target_path, input_payload, before_snapshot, status, decision, policy_reason, matched_rule)
+  VALUES (@action_id, @session_id, @tool_name, @target_path, @input_payload, @before_snapshot, @status, @decision, @policy_reason, @matched_rule)
+`);
+const updateStmt = db.prepare(`
+  UPDATE action_log
+  SET status = COALESCE(@status, status),
+      after_snapshot = COALESCE(@after_snapshot, after_snapshot),
+      error_message = COALESCE(@error_message, error_message),
+      stdout = COALESCE(@stdout, stdout),
+      stderr = COALESCE(@stderr, stderr)
+  WHERE action_id = @action_id
+`);
+function insertAction(params) {
+    insertStmt.run({
+        action_id: params.action_id,
+        session_id: params.session_id,
+        tool_name: params.tool_name,
+        target_path: params.target_path ?? null,
+        input_payload: params.input_payload,
+        before_snapshot: params.before_snapshot ?? null,
+        status: params.status,
+        decision: params.decision ?? 'pending',
+        policy_reason: params.policy_reason ?? null,
+        matched_rule: params.matched_rule ?? null,
+    });
+}
+function updateAction(action_id, params) {
+    updateStmt.run({
+        action_id,
+        status: params.status ?? null,
+        after_snapshot: params.after_snapshot ?? null,
+        error_message: params.error_message ?? null,
+        stdout: params.stdout ?? null,
+        stderr: params.stderr ?? null,
+    });
+}
+function getActions() {
+    return db.prepare(`
+    SELECT * FROM action_log ORDER BY created_at DESC LIMIT 100
+  `).all();
+}
+function getAction(action_id) {
+    return db.prepare(`
+    SELECT * FROM action_log WHERE action_id = ?
+  `).get(action_id);
+}
+function markRolledBack(action_id) {
+    db.prepare(`
+    UPDATE action_log
+    SET rolled_back = 1, rolled_back_at = datetime('now')
+    WHERE action_id = ?
+  `).run(action_id);
+}
+function getSessions() {
+    return db.prepare(`
+    SELECT session_id,
+           COUNT(*) as action_count,
+           MAX(created_at) as latest
+    FROM action_log
+    GROUP BY session_id
+    ORDER BY latest DESC
+  `).all();
+}
+function approveAction(action_id, approved_by, after_snapshot) {
+    db.prepare(`
+    UPDATE action_log
+    SET status = 'success',
+        decision = 'allow',
+        approved_at = datetime('now'),
+        approved_by = @approved_by,
+        after_snapshot = COALESCE(@after_snapshot, after_snapshot)
+    WHERE action_id = @action_id
+  `).run({ action_id, approved_by, after_snapshot: after_snapshot ?? null });
+}
+function rejectAction(action_id, reason) {
+    db.prepare(`
+    UPDATE action_log
+    SET status = 'rejected',
+        decision = 'rejected',
+        rejected_at = datetime('now'),
+        rejected_reason = @reason
+    WHERE action_id = @action_id
+  `).run({ action_id, reason });
+}
+function getPendingCount() {
+    const row = db.prepare(`
+    SELECT COUNT(*) as count FROM action_log WHERE status = 'pending'
+  `).get();
+    return row.count;
+}
+exports.default = db;