aegis-bridge 2.2.2

package/dist/transcript.d.ts

@@ -0,0 +1,47 @@
+/**
+ * transcript.ts — JSONL transcript parser for Claude Code sessions.
+ *
+ * Port of CCBot's transcript_parser.py.
+ * Reads CC session JSONL files and extracts structured messages.
+ */
+export interface ParsedEntry {
+    role: 'user' | 'assistant' | 'system';
+    contentType: 'text' | 'thinking' | 'tool_use' | 'tool_result' | 'tool_error' | 'permission_request' | 'progress';
+    text: string;
+    toolName?: string;
+    toolUseId?: string;
+    timestamp?: string;
+}
+interface ContentBlock {
+    type: string;
+    text?: string;
+    thinking?: string;
+    name?: string;
+    id?: string;
+    tool_use_id?: string;
+    input?: Record<string, unknown>;
+    content?: unknown;
+    is_error?: boolean;
+}
+interface JsonlEntry {
+    type: string;
+    message?: {
+        role: string;
+        content: string | ContentBlock[];
+        stop_reason?: string;
+    };
+    timestamp?: string;
+    tool_use_id?: string;
+    data?: Record<string, unknown>;
+}
+/** Parse entries from JSONL data. */
+export declare function parseEntries(entries: JsonlEntry[]): ParsedEntry[];
+/** Read JSONL file from byte offset, return new entries + new offset. */
+export declare function readNewEntries(filePath: string, fromOffset: number): Promise<{
+    entries: ParsedEntry[];
+    newOffset: number;
+    raw: JsonlEntry[];
+}>;
+/** Find the JSONL file for a session ID. */
+export declare function findSessionFile(sessionId: string, claudeProjectsDir?: string): Promise<string | null>;
+export {};

package/dist/transcript.js

@@ -0,0 +1,244 @@
+/**
+ * transcript.ts — JSONL transcript parser for Claude Code sessions.
+ *
+ * Port of CCBot's transcript_parser.py.
+ * Reads CC session JSONL files and extracts structured messages.
+ */
+import { stat, readFile, open } from 'node:fs/promises';
+import { createReadStream, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { readdir } from 'node:fs/promises';
+import { sessionsIndexSchema } from './validation.js';
+/** Default Claude projects directory */
+const DEFAULT_CLAUDE_PROJECTS_DIR = join(homedir(), '.claude', 'projects');
+/** Parse a single JSONL line. Returns null if not parseable. */
+function parseLine(line) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed[0] !== '{')
+        return null;
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch { /* malformed JSON — skip line */
+        return null;
+    }
+}
+/** Summarize a tool_use block. */
+function summarizeTool(name, input) {
+    switch (name) {
+        case 'Read':
+        case 'ReadNotebook':
+            return `📖 **Read** ${input.file_path || input.path || ''}`;
+        case 'Write':
+        case 'MultiWrite':
+            return `✏️ **Write** ${input.file_path || input.path || ''}`;
+        case 'Edit':
+            return `🔧 **Edit** ${input.file_path || input.path || ''}`;
+        case 'Bash':
+        case 'Terminal':
+            return `💻 **Bash** \`${String(input.command || input.cmd || '').slice(0, 80)}\``;
+        case 'Grep':
+        case 'Search':
+            return `🔍 **Search** \`${input.pattern || input.query || ''}\``;
+        case 'Glob':
+        case 'ListFiles':
+            return `📁 **Glob** \`${input.pattern || input.path || ''}\``;
+        case 'AskUserQuestion':
+            return `❓ **Question**: ${input.question || ''}`;
+        case 'TodoWrite':
+            return `📝 **Todo** updated`;
+        default:
+            return `🔧 **${name}**`;
+    }
+}
+/** Parse entries from JSONL data. */
+export function parseEntries(entries) {
+    const results = [];
+    const pendingTools = new Map(); // tool_use_id -> summary
+    for (const entry of entries) {
+        if (entry.type === 'progress') {
+            const text = entry.data ? JSON.stringify(entry.data) : '';
+            if (text.trim()) {
+                results.push({ role: 'system', contentType: 'progress', text, timestamp: entry.timestamp });
+            }
+            continue;
+        }
+        if (!entry.message)
+            continue;
+        const role = entry.message.role;
+        const content = entry.message.content;
+        const timestamp = entry.timestamp;
+        if (typeof content === 'string') {
+            // Simple text message
+            if (content.trim()) {
+                results.push({ role, contentType: 'text', text: content.trim(), timestamp });
+            }
+            continue;
+        }
+        if (!Array.isArray(content))
+            continue;
+        for (const block of content) {
+            switch (block.type) {
+                case 'text':
+                    if (block.text?.trim()) {
+                        results.push({ role, contentType: 'text', text: block.text.trim(), timestamp });
+                    }
+                    break;
+                case 'thinking':
+                    if (block.thinking?.trim()) {
+                        results.push({ role, contentType: 'thinking', text: block.thinking.trim(), timestamp });
+                    }
+                    break;
+                case 'tool_use': {
+                    const name = block.name || 'unknown';
+                    const input = (block.input || {});
+                    const summary = summarizeTool(name, input);
+                    if (block.id) {
+                        pendingTools.set(block.id, summary);
+                    }
+                    results.push({
+                        role: 'assistant',
+                        contentType: 'tool_use',
+                        text: summary,
+                        toolName: name,
+                        toolUseId: block.id,
+                        timestamp,
+                    });
+                    break;
+                }
+                case 'tool_result': {
+                    const toolId = block.tool_use_id || '';
+                    let resultText = '';
+                    if (typeof block.content === 'string') {
+                        resultText = block.content;
+                    }
+                    else if (Array.isArray(block.content)) {
+                        resultText = block.content
+                            .filter(c => c.type === 'text')
+                            .map(c => c.text || '')
+                            .join('\n');
+                    }
+                    // Truncate long results
+                    if (resultText.length > 500) {
+                        resultText = resultText.slice(0, 500) + '... (truncated)';
+                    }
+                    if (resultText.trim()) {
+                        results.push({
+                            role: 'assistant',
+                            contentType: block.is_error ? 'tool_error' : 'tool_result',
+                            text: resultText.trim(),
+                            toolUseId: toolId,
+                            timestamp,
+                        });
+                    }
+                    pendingTools.delete(toolId);
+                    break;
+                }
+                case 'permission_request': {
+                    const permText = block.text || JSON.stringify(block);
+                    if (permText.trim()) {
+                        results.push({
+                            role: 'user',
+                            contentType: 'permission_request',
+                            text: permText.trim(),
+                            timestamp,
+                        });
+                    }
+                    break;
+                }
+            }
+        }
+    }
+    return results;
+}
+/** Read JSONL file from byte offset, return new entries + new offset. */
+export async function readNewEntries(filePath, fromOffset) {
+    const fileStat = await stat(filePath);
+    // File truncated (e.g. after /clear)
+    if (fromOffset > fileStat.size) {
+        return { entries: [], newOffset: 0, raw: [] };
+    }
+    if (fromOffset >= fileStat.size) {
+        return { entries: [], newOffset: fromOffset, raw: [] };
+    }
+    // Read from byte offset to end using createReadStream to avoid loading entire file
+    // Issue #222: Only read from offset forward, not the whole file
+    // Issue #259: If offset lands mid-entry, scan backwards to previous newline
+    // Issue #409: Use async I/O instead of readFileSync to avoid blocking the event loop
+    let effectiveOffset = fromOffset;
+    if (effectiveOffset > 0) {
+        const scanSize = 4096;
+        const scanStart = Math.max(0, effectiveOffset - scanSize);
+        const scanLen = effectiveOffset - scanStart;
+        const scanBuf = Buffer.alloc(scanLen);
+        const fd = await open(filePath, 'r');
+        try {
+            await fd.read(scanBuf, 0, scanLen, scanStart);
+        }
+        finally {
+            await fd.close();
+        }
+        for (let i = scanBuf.length - 1; i >= 0; i--) {
+            if (scanBuf[i] === 0x0a) { // '\n'
+                effectiveOffset = scanStart + i + 1;
+                break;
+            }
+        }
+    }
+    const slicedContent = await new Promise((resolve, reject) => {
+        const chunks = [];
+        const stream = createReadStream(filePath, { start: effectiveOffset });
+        stream.on('data', (chunk) => chunks.push(chunk));
+        stream.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+        stream.on('error', reject);
+    });
+    const lines = slicedContent.split('\n');
+    const rawEntries = [];
+    for (const line of lines) {
+        const entry = parseLine(line);
+        if (entry) {
+            rawEntries.push(entry);
+        }
+    }
+    const parsed = parseEntries(rawEntries);
+    return { entries: parsed, newOffset: fileStat.size, raw: rawEntries };
+}
+/** Find the JSONL file for a session ID. */
+export async function findSessionFile(sessionId, claudeProjectsDir = DEFAULT_CLAUDE_PROJECTS_DIR) {
+    const projectsDir = claudeProjectsDir;
+    if (!existsSync(projectsDir))
+        return null;
+    // Strategy 1: Direct glob across all project dirs
+    const dirs = await readdir(projectsDir, { withFileTypes: true });
+    for (const dir of dirs) {
+        if (!dir.isDirectory())
+            continue;
+        const jsonlPath = join(projectsDir, dir.name, `${sessionId}.jsonl`);
+        if (existsSync(jsonlPath))
+            return jsonlPath;
+    }
+    // Strategy 2: Check sessions-index.json files
+    for (const dir of dirs) {
+        if (!dir.isDirectory())
+            continue;
+        const indexPath = join(projectsDir, dir.name, 'sessions-index.json');
+        if (existsSync(indexPath)) {
+            try {
+                const indexRaw = await readFile(indexPath, 'utf-8');
+                const indexParsed = sessionsIndexSchema.safeParse(JSON.parse(indexRaw));
+                if (!indexParsed.success)
+                    continue;
+                const entries = indexParsed.data.entries || [];
+                for (const entry of entries) {
+                    if (entry.sessionId === sessionId && entry.fullPath && existsSync(entry.fullPath)) {
+                        return entry.fullPath;
+                    }
+                }
+            }
+            catch { /* skip bad index */ }
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=transcript.js.map

package/dist/validation.d.ts

@@ -0,0 +1,222 @@
+/**
+ * validation.ts — Zod schemas for API request body validation.
+ *
+ * Issue #359: Centralized validation for all POST route bodies.
+ * Issue #435: Path traversal defense in validateWorkDir.
+ */
+import { z } from 'zod';
+/** Regex for UUID v4 format: 8-4-4-4-12 hex digits */
+export declare const UUID_REGEX: RegExp;
+/** POST /v1/auth/keys */
+export declare const authKeySchema: z.ZodObject<{
+    name: z.ZodString;
+    rateLimit: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+/** POST /v1/sessions/:id/send */
+export declare const sendMessageSchema: z.ZodObject<{
+    text: z.ZodString;
+}, z.core.$strict>;
+/** POST /v1/sessions/:id/command */
+export declare const commandSchema: z.ZodObject<{
+    command: z.ZodString;
+}, z.core.$strict>;
+/** POST /v1/sessions/:id/bash */
+export declare const bashSchema: z.ZodObject<{
+    command: z.ZodString;
+}, z.core.$strict>;
+/** POST /v1/sessions/:id/screenshot */
+export declare const screenshotSchema: z.ZodObject<{
+    url: z.ZodString;
+    fullPage: z.ZodOptional<z.ZodBoolean>;
+    width: z.ZodOptional<z.ZodNumber>;
+    height: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+/** Webhook endpoint — validates structure of each webhook entry */
+export declare const webhookEndpointSchema: z.ZodObject<{
+    url: z.ZodString;
+    events: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    timeoutMs: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+/** POST /v1/sessions/:id/hooks/permission */
+export declare const permissionHookSchema: z.ZodObject<{
+    session_id: z.ZodOptional<z.ZodString>;
+    tool_name: z.ZodOptional<z.ZodString>;
+    tool_input: z.ZodOptional<z.ZodUnknown>;
+    permission_mode: z.ZodOptional<z.ZodString>;
+    hook_event_name: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+/** POST /v1/sessions/:id/hooks/stop */
+export declare const stopHookSchema: z.ZodObject<{
+    session_id: z.ZodOptional<z.ZodString>;
+    stop_reason: z.ZodOptional<z.ZodString>;
+    hook_event_name: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+/** POST /v1/sessions/batch — max 50 sessions per batch */
+export declare const batchSessionSchema: z.ZodObject<{
+    sessions: z.ZodArray<z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+        workDir: z.ZodString;
+        prompt: z.ZodOptional<z.ZodString>;
+        permissionMode: z.ZodOptional<z.ZodEnum<{
+            default: "default";
+            bypassPermissions: "bypassPermissions";
+            plan: "plan";
+        }>>;
+        autoApprove: z.ZodOptional<z.ZodBoolean>;
+        stallThresholdMs: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
+}, z.core.$strict>;
+/** POST /v1/pipelines */
+export declare const pipelineSchema: z.ZodObject<{
+    name: z.ZodString;
+    workDir: z.ZodString;
+    stages: z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        workDir: z.ZodOptional<z.ZodString>;
+        prompt: z.ZodString;
+        dependsOn: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        permissionMode: z.ZodOptional<z.ZodEnum<{
+            default: "default";
+            bypassPermissions: "bypassPermissions";
+            plan: "plan";
+        }>>;
+        autoApprove: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+}, z.core.$strict>;
+/** Clamp a numeric value to [min, max]. Returns default if input is NaN. */
+export declare function clamp(value: number, min: number, max: number, fallback: number): number;
+/** Parse an env string to integer with NaN/isFinite guard. Returns fallback on failure. */
+export declare function parseIntSafe(value: string | undefined, fallback: number): number;
+/** Validate that a string looks like a UUID. */
+export declare function isValidUUID(id: string): boolean;
+/** Schema for persisted SessionState (sessions: { [id]: SessionInfo }). */
+export declare const persistedStateSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
+    id: z.ZodString;
+    windowId: z.ZodString;
+    windowName: z.ZodString;
+    workDir: z.ZodString;
+    claudeSessionId: z.ZodOptional<z.ZodString>;
+    jsonlPath: z.ZodOptional<z.ZodString>;
+    byteOffset: z.ZodNumber;
+    monitorOffset: z.ZodNumber;
+    status: z.ZodEnum<{
+        unknown: "unknown";
+        idle: "idle";
+        working: "working";
+        permission_prompt: "permission_prompt";
+        bash_approval: "bash_approval";
+        plan_mode: "plan_mode";
+        ask_question: "ask_question";
+        settings: "settings";
+    }>;
+    createdAt: z.ZodNumber;
+    lastActivity: z.ZodNumber;
+    stallThresholdMs: z.ZodNumber;
+    permissionStallMs: z.ZodDefault<z.ZodNumber>;
+    permissionMode: z.ZodString;
+    settingsPatched: z.ZodOptional<z.ZodBoolean>;
+    hookSettingsFile: z.ZodOptional<z.ZodString>;
+    lastHookAt: z.ZodOptional<z.ZodNumber>;
+    activeSubagents: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    permissionPromptAt: z.ZodOptional<z.ZodNumber>;
+    permissionRespondedAt: z.ZodOptional<z.ZodNumber>;
+    lastHookReceivedAt: z.ZodOptional<z.ZodNumber>;
+    lastHookEventAt: z.ZodOptional<z.ZodNumber>;
+    model: z.ZodOptional<z.ZodString>;
+    lastDeadAt: z.ZodOptional<z.ZodNumber>;
+    ccPid: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>>;
+/** Schema for session_map.json entries. */
+export declare const sessionMapSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
+    session_id: z.ZodString;
+    cwd: z.ZodString;
+    window_name: z.ZodString;
+    transcript_path: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    permission_mode: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    agent_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    source: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    agent_type: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    model: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    written_at: z.ZodNumber;
+}, z.core.$strip>>;
+/** Schema for stop_signals.json entries. */
+export declare const stopSignalsSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
+    event: z.ZodOptional<z.ZodString>;
+    timestamp: z.ZodOptional<z.ZodNumber>;
+    error: z.ZodOptional<z.ZodUnknown>;
+    error_details: z.ZodOptional<z.ZodUnknown>;
+    last_assistant_message: z.ZodOptional<z.ZodUnknown>;
+    agent_id: z.ZodOptional<z.ZodUnknown>;
+    stop_reason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>>;
+/** Schema for persisted auth keys store (Issue #506). */
+export declare const authStoreSchema: z.ZodObject<{
+    keys: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+        hash: z.ZodString;
+        createdAt: z.ZodNumber;
+        lastUsedAt: z.ZodNumber;
+        rateLimit: z.ZodNumber;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+/** Schema for sessions-index.json entries (Issue #506). */
+export declare const sessionsIndexSchema: z.ZodObject<{
+    entries: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        sessionId: z.ZodString;
+        fullPath: z.ZodString;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+/** Schema for persisted metrics file (Issue #506). */
+export declare const metricsFileSchema: z.ZodObject<{
+    global: z.ZodOptional<z.ZodObject<{
+        sessionsCreated: z.ZodOptional<z.ZodNumber>;
+        sessionsCompleted: z.ZodOptional<z.ZodNumber>;
+        sessionsFailed: z.ZodOptional<z.ZodNumber>;
+        totalMessages: z.ZodOptional<z.ZodNumber>;
+        totalToolCalls: z.ZodOptional<z.ZodNumber>;
+        autoApprovals: z.ZodOptional<z.ZodNumber>;
+        webhooksSent: z.ZodOptional<z.ZodNumber>;
+        webhooksFailed: z.ZodOptional<z.ZodNumber>;
+        screenshotsTaken: z.ZodOptional<z.ZodNumber>;
+        pipelinesCreated: z.ZodOptional<z.ZodNumber>;
+        batchesCreated: z.ZodOptional<z.ZodNumber>;
+        promptsSent: z.ZodOptional<z.ZodNumber>;
+        promptsDelivered: z.ZodOptional<z.ZodNumber>;
+        promptsFailed: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$loose>>;
+    savedAt: z.ZodOptional<z.ZodNumber>;
+}, z.core.$loose>;
+/** Schema for WebSocket inbound messages (Issue #506). */
+export declare const wsInboundMessageSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    type: z.ZodLiteral<"input">;
+    text: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    type: z.ZodLiteral<"resize">;
+    cols: z.ZodOptional<z.ZodNumber>;
+    rows: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>, z.ZodObject<{
+    type: z.ZodLiteral<"auth">;
+    token: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>], "type">;
+/** Schema for CC settings.json shape (Issue #506).
+ *  Permissive — only validates the fields Aegis cares about. */
+export declare const ccSettingsSchema: z.ZodObject<{
+    permissions: z.ZodOptional<z.ZodObject<{
+        defaultMode: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>;
+}, z.core.$loose>;
+/** Helper: extract error message from unknown catch value. */
+export declare function getErrorMessage(e: unknown): string;
+/** Validate workDir to prevent path traversal attacks (Issue #435).
+ *  1. Reject raw strings containing ".." before any normalization.
+ *  2. Resolve to absolute path and resolve symlinks via fs.realpath().
+ *  3. Verify the resolved path is under an allowed directory:
+ *     - If allowedWorkDirs is configured, use that list.
+ *     - Otherwise, use default safe dirs (home, /tmp, cwd).
+ *  Returns the resolved real path on success, or an error object on failure. */
+export declare function validateWorkDir(workDir: string, allowedWorkDirs?: readonly string[]): Promise<string | {
+    error: string;
+    code: string;
+}>;