claude-gpt-launcher 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.codex/skills/claude-gpt-launcher/SKILL.md +46 -0
- package/.codex/skills/claude-gpt-launcher/agents/openai.yaml +4 -0
- package/CONTRIBUTING.md +23 -0
- package/Claude-GPT-Launcher-threat-model.md +191 -0
- package/LICENSE +21 -0
- package/Package.swift +25 -0
- package/README.md +239 -0
- package/RELEASING.md +43 -0
- package/Resources/AppIcon.icns +0 -0
- package/Resources/AppIcon.png +0 -0
- package/Resources/Info.plist +28 -0
- package/SECURITY.md +17 -0
- package/Sources/ClaudeGPTLauncher/App/ClaudeGPTLauncherApp.swift +61 -0
- package/Sources/ClaudeGPTLauncher/Models/ModelOption.swift +27 -0
- package/Sources/ClaudeGPTLauncher/Models/ProjectInfo.swift +10 -0
- package/Sources/ClaudeGPTLauncher/Services/ProjectInspector.swift +53 -0
- package/Sources/ClaudeGPTLauncher/Services/Shell.swift +47 -0
- package/Sources/ClaudeGPTLauncher/Services/TerminalLauncher.swift +85 -0
- package/Sources/ClaudeGPTLauncher/Stores/LauncherStore.swift +56 -0
- package/Sources/ClaudeGPTLauncher/Views/ContentView.swift +181 -0
- package/Sources/ClaudeGPTLauncher/Views/SettingsView.swift +22 -0
- package/Sources/ClaudeGPTMCP/ClaudeGPTMCPServer.swift +149 -0
- package/Sources/ClaudeGPTMCP/ClaudeHarnessRunner.swift +125 -0
- package/Sources/ClaudeGPTMCP/CommandRunner.swift +111 -0
- package/Sources/ClaudeGPTMCP/MCPProjectGuard.swift +74 -0
- package/npm/cli.mjs +233 -0
- package/package.json +76 -0
- package/script/build_and_run.sh +82 -0
- package/script/claude-gpt +92 -0
- package/script/install_backend.sh +21 -0
- package/script/release_macos.sh +61 -0
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: claude-gpt-launcher
|
|
3
|
+
description: Install, diagnose, open, unregister, or remove Claude GPT Launcher and its Codex MCP bridge. Use when a user asks to set up the launcher, verify prerequisites, manage the claude-gpt-harness MCP, or troubleshoot installation state on an Apple silicon Mac.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Claude GPT Launcher
|
|
7
|
+
|
|
8
|
+
Start with a read-only diagnostic:
|
|
9
|
+
|
|
10
|
+
```zsh
|
|
11
|
+
claude-gpt-launcher doctor --json
|
|
12
|
+
```
|
|
13
|
+
|
|
14
|
+
If the command is missing, install it from npm:
|
|
15
|
+
|
|
16
|
+
```zsh
|
|
17
|
+
npm install --global claude-gpt-launcher
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
Install the backend helper and native app explicitly:
|
|
21
|
+
|
|
22
|
+
```zsh
|
|
23
|
+
claude-gpt-launcher install
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
Register the optional Codex bridge only when requested:
|
|
27
|
+
|
|
28
|
+
```zsh
|
|
29
|
+
claude-gpt-launcher mcp install --enable-edits
|
|
30
|
+
claude-gpt-launcher mcp status --json
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
For sensitive repositories, pass comma-separated remote substrings:
|
|
34
|
+
|
|
35
|
+
```zsh
|
|
36
|
+
claude-gpt-launcher mcp install --enable-edits --protected-remotes "company/production,example/private-app"
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Use `claude-gpt-launcher open` to open the installed app. Use
|
|
40
|
+
`claude-gpt-launcher mcp remove` to remove only the MCP registration. Run
|
|
41
|
+
`claude-gpt-launcher uninstall` only when the user explicitly asks to remove
|
|
42
|
+
the app, backend helper, and MCP registration.
|
|
43
|
+
|
|
44
|
+
Never request, print, extract, or pass OAuth tokens through CLI flags. Report
|
|
45
|
+
missing provider authentication and direct the user to the provider-supported
|
|
46
|
+
login flow.
|
package/CONTRIBUTING.md
ADDED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# Contributing
|
|
2
|
+
|
|
3
|
+
Thanks for helping improve Claude GPT Launcher.
|
|
4
|
+
|
|
5
|
+
## Before opening a pull request
|
|
6
|
+
|
|
7
|
+
1. Keep the change focused and avoid unrelated refactors.
|
|
8
|
+
2. Never commit OAuth material, API keys, private repository content, personal
|
|
9
|
+
paths, or real account identifiers.
|
|
10
|
+
3. Preserve localhost-only networking and explicit edit authorization.
|
|
11
|
+
4. Run the complete validation suite:
|
|
12
|
+
|
|
13
|
+
```zsh
|
|
14
|
+
npm test
|
|
15
|
+
npm run pack:check
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
5. Explain the user-facing effect and any security-boundary change.
|
|
19
|
+
|
|
20
|
+
## Reporting security problems
|
|
21
|
+
|
|
22
|
+
Follow [SECURITY.md](SECURITY.md). Do not open a public issue containing exploit
|
|
23
|
+
details or credentials.
|
|
@@ -0,0 +1,191 @@
|
|
|
1
|
+
# Claude GPT Launcher threat model
|
|
2
|
+
|
|
3
|
+
## Executive summary
|
|
4
|
+
|
|
5
|
+
The highest residual risks are npm supply-chain compromise and prompt-driven
|
|
6
|
+
access to sensitive local files when processing an untrusted repository. The
|
|
7
|
+
launcher now avoids install-time scripts, publishes through an OIDC-ready
|
|
8
|
+
workflow, notarizes hardened-runtime app archives, pins resolved executable
|
|
9
|
+
paths, selects an unused localhost port, validates real repository paths,
|
|
10
|
+
limits MCP work, and refuses to overwrite unrelated local artifacts. It is still a
|
|
11
|
+
same-user developer tool rather than an OS sandbox, so untrusted repositories
|
|
12
|
+
should run in a disposable account or container.
|
|
13
|
+
|
|
14
|
+
## Scope and assumptions
|
|
15
|
+
|
|
16
|
+
- In scope: `npm/`, `script/`, `Sources/ClaudeGPTMCP/`,
|
|
17
|
+
`Sources/ClaudeGPTLauncher/`, `Resources/`, and npm packaging metadata.
|
|
18
|
+
- Runtime assumption: individual Apple-silicon Mac developer account with
|
|
19
|
+
Claude Code, Codex, and the proxy installed intentionally.
|
|
20
|
+
- Distribution assumption: public npm package; no lifecycle `postinstall`.
|
|
21
|
+
- Data assumption: repository content and prompts may be confidential; OAuth
|
|
22
|
+
credentials stay in provider-supported storage.
|
|
23
|
+
- Out of scope: security of Claude Code, Codex, the proxy implementation, model
|
|
24
|
+
providers, npm itself, and a fully compromised local user account.
|
|
25
|
+
|
|
26
|
+
Open questions that could change ranking:
|
|
27
|
+
|
|
28
|
+
- Enterprise or shared-Mac deployment would increase local isolation risk.
|
|
29
|
+
- Automated CI use would require non-interactive credential and artifact rules.
|
|
30
|
+
- Supporting untrusted third-party repositories would make OS sandboxing a
|
|
31
|
+
release requirement rather than a recommendation.
|
|
32
|
+
|
|
33
|
+
## System model
|
|
34
|
+
|
|
35
|
+
### Primary components
|
|
36
|
+
|
|
37
|
+
- npm CLI: explicit installation, diagnostics, MCP registration, and removal
|
|
38
|
+
(`npm/cli.mjs`).
|
|
39
|
+
- Native SwiftUI launcher: selects a Git repository and opens Terminal
|
|
40
|
+
(`Sources/ClaudeGPTLauncher/`).
|
|
41
|
+
- Backend wrapper: starts a loopback proxy and Claude Code process
|
|
42
|
+
(`script/claude-gpt`).
|
|
43
|
+
- MCP server: validates requests and delegates bounded plan/edit tasks
|
|
44
|
+
(`Sources/ClaudeGPTMCP/`).
|
|
45
|
+
- Build/package tooling: ad-hoc signs local builds and separately creates a
|
|
46
|
+
Developer ID signed, notarized, stapled, checksummed release archive
|
|
47
|
+
(`script/build_and_run.sh`, `script/release_macos.sh`, `package.json`).
|
|
48
|
+
|
|
49
|
+
### Data flows and trust boundaries
|
|
50
|
+
|
|
51
|
+
- npm registry → npm CLI: package source and executable scripts; npm integrity
|
|
52
|
+
metadata applies, but publisher-account compromise remains possible.
|
|
53
|
+
- User → npm CLI: explicit commands and repository-protection patterns; parsed
|
|
54
|
+
as argument arrays without a shell.
|
|
55
|
+
- Codex → MCP server: newline-delimited JSON-RPC containing repository paths,
|
|
56
|
+
prompts, models, and edit intent; schema and size controls are applied.
|
|
57
|
+
- MCP server → backend wrapper: validated repository root and fixed CLI flags;
|
|
58
|
+
environment is reduced to a narrow allowlist.
|
|
59
|
+
- Backend wrapper → loopback proxy: prompts and model traffic over a randomly
|
|
60
|
+
selected `127.0.0.1` port; an occupied port fails closed.
|
|
61
|
+
- Claude Code → repository: read or edit tools under the user's OS account;
|
|
62
|
+
tool restrictions and deny patterns apply, but no OS sandbox exists.
|
|
63
|
+
|
|
64
|
+
#### Diagram
|
|
65
|
+
|
|
66
|
+
```mermaid
|
|
67
|
+
flowchart LR
|
|
68
|
+
NPM["npm registry"] --> CLI["npm CLI"]
|
|
69
|
+
USER["Local user"] --> CLI
|
|
70
|
+
CLI --> APP["macOS app"]
|
|
71
|
+
CODEX["Codex"] --> MCP["MCP server"]
|
|
72
|
+
APP --> WRAP["Backend wrapper"]
|
|
73
|
+
MCP --> WRAP
|
|
74
|
+
WRAP --> PROXY["Loopback proxy"]
|
|
75
|
+
WRAP --> CLAUDE["Claude Code"]
|
|
76
|
+
CLAUDE --> REPO["Git repository"]
|
|
77
|
+
PROXY --> PROVIDER["Model provider"]
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
## Assets and security objectives
|
|
81
|
+
|
|
82
|
+
| Asset | Why it matters | Security objective (C/I/A) |
|
|
83
|
+
|---|---|---|
|
|
84
|
+
| Repository content | May contain proprietary source and configuration | C/I |
|
|
85
|
+
| OAuth credentials | Account compromise could consume subscription access | C/I |
|
|
86
|
+
| Local filesystem | Same-user processes can access personal developer files | C/I/A |
|
|
87
|
+
| MCP edit authorization | Controls whether delegated changes are permitted | I |
|
|
88
|
+
| npm package and app bundle | Compromise executes code under the installer user | I |
|
|
89
|
+
| Proxy availability | Required for model-backed sessions | A |
|
|
90
|
+
| Logs and MCP output | May contain code, paths, or errors | C |
|
|
91
|
+
|
|
92
|
+
## Attacker model
|
|
93
|
+
|
|
94
|
+
### Capabilities
|
|
95
|
+
|
|
96
|
+
- Publish or substitute a malicious npm package after publisher compromise.
|
|
97
|
+
- Commit prompt-injection content to a repository the user opens.
|
|
98
|
+
- Invoke the local MCP if the attacker already controls a permitted Codex/MCP
|
|
99
|
+
client under the same user account.
|
|
100
|
+
- Race or occupy local ports and place executables earlier in a hostile `PATH`.
|
|
101
|
+
- Supply malformed paths, symlinks, prompts, and oversized MCP work requests.
|
|
102
|
+
|
|
103
|
+
### Non-capabilities
|
|
104
|
+
|
|
105
|
+
- No unauthenticated internet listener is exposed by this repository.
|
|
106
|
+
- A remote attacker cannot directly call the stdio MCP without local process
|
|
107
|
+
access.
|
|
108
|
+
- The tool does not intentionally read or store OAuth tokens.
|
|
109
|
+
- The model cannot execute Bash through the MCP's declared tool set.
|
|
110
|
+
|
|
111
|
+
## Entry points and attack surfaces
|
|
112
|
+
|
|
113
|
+
| Surface | How reached | Trust boundary | Notes | Evidence |
|
|
114
|
+
|---|---|---|---|---|
|
|
115
|
+
| npm CLI arguments | Local shell or `npx` | User → CLI | Explicit write commands; JSON mode | `npm/cli.mjs` command switch |
|
|
116
|
+
| npm package install | npm registry | Registry → local user | No `postinstall`; package still contains executable code | `package.json` scripts and bin |
|
|
117
|
+
| Project picker | Native app | User → app | Resolves selected Git root | `ProjectInspector.swift` |
|
|
118
|
+
| MCP JSON-RPC | Codex stdio | Codex → MCP | Plan and gated edit tools | `ClaudeGPTMCPServer.swift` |
|
|
119
|
+
| Project path | MCP tool argument | Client → filesystem | Symlinks resolved; real root rechecked | `MCPProjectGuard.validate` |
|
|
120
|
+
| Prompt | MCP tool argument | Client/repository → model | Length and turn limits; prompt injection remains | `ClaudeHarnessRunner.run` |
|
|
121
|
+
| Proxy port | Local TCP | Wrapper → proxy | Random loopback port; occupied port rejected | `script/claude-gpt` |
|
|
122
|
+
| Install destinations | Local filesystem | npm CLI → user home | Ownership checks prevent name collisions | installer and uninstall functions |
|
|
123
|
+
|
|
124
|
+
## Top abuse paths
|
|
125
|
+
|
|
126
|
+
1. Attacker compromises npm publisher → publishes a trojan release → user runs
|
|
127
|
+
`npx ... install` → attacker gains same-user code execution.
|
|
128
|
+
2. Malicious repository embeds prompt instructions → Claude reads them during
|
|
129
|
+
analysis → attempts to read sensitive files outside the repo → content is
|
|
130
|
+
returned through MCP. Common secret directories are denied, but the OS does
|
|
131
|
+
not enforce full confinement.
|
|
132
|
+
3. Overbroad user request plus enabled MCP edits → model changes more files than
|
|
133
|
+
intended → repository integrity is damaged before Codex review.
|
|
134
|
+
4. Local process occupies a chosen proxy port → launcher detects the listener
|
|
135
|
+
and fails rather than sending prompts to it.
|
|
136
|
+
5. Hostile working environment alters `PATH` → wrapper resolves each dependency
|
|
137
|
+
before entering the repository and invokes the absolute path.
|
|
138
|
+
6. Unrelated app/helper/MCP uses the same name → install or uninstall checks
|
|
139
|
+
ownership → operation refuses or skips the unrelated artifact.
|
|
140
|
+
7. Client submits excessive prompt/output work → prompt, output, turn, and time
|
|
141
|
+
limits terminate the request before unbounded local resource consumption.
|
|
142
|
+
|
|
143
|
+
## Threat model table
|
|
144
|
+
|
|
145
|
+
| Threat ID | Threat source | Prerequisites | Threat action | Impact | Impacted assets | Existing controls (evidence) | Gaps | Recommended mitigations | Detection ideas | Likelihood | Impact severity | Priority |
|
|
146
|
+
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
147
|
+
| TM-001 | npm account/package compromise | User installs a malicious release | Execute arbitrary package code | Same-user compromise | Filesystem, credentials, source | No dependencies or postinstall; OIDC-ready publish workflow with provenance; Developer ID signing, notarization, stapling, and checksums for app archives | npm and Apple publisher identities remain external trust anchors | Configure npm trusted publishing, require npm 2FA, protect releases, and sign Git tags | Monitor npm owner/version changes and verify Gatekeeper/checksum results | Low | High | High |
|
|
148
|
+
| TM-002 | Malicious repository content | User delegates analysis of untrusted code | Prompt injection induces out-of-repo reads | Secret or source disclosure | Filesystem, credentials | Tool allowlist and credential-directory deny rules in `ClaudeHarnessRunner.swift` | Claude Code can normally read outside cwd | Recommend container/disposable account; evaluate a real sandbox before claiming untrusted-repo safety | Audit returned paths and provider telemetry | Medium | High | High |
|
|
149
|
+
| TM-003 | Overbroad model action | MCP edits explicitly enabled | Modify unintended in-repo files | Repository integrity loss | Source, Git state | Install-time edit gate, call confirmation, no Bash, Codex diff validation | Confirmation is delegated to client policy | Keep edits off by default; add per-call UI approval if Codex exposes one | Log mode, root, and changed-file summary without content | Medium | Medium | Medium |
|
|
150
|
+
| TM-004 | Same-user local process | Can bind local TCP first | Capture proxy-bound traffic | Prompt/source disclosure | Repository content | Random loopback port and occupied-port fail-closed logic in `script/claude-gpt` | Port allocation still has a small race | Prefer authenticated Unix socket if proxy supports it | Record bind failures without prompt data | Low | High | Medium |
|
|
151
|
+
| TM-005 | Hostile PATH/repository | User launches from manipulated environment | Substitute git, curl, proxy, or Claude binary | Same-user execution | Filesystem, credentials | Absolute executable resolution before `cd` in `script/claude-gpt` | A hostile PATH before launch can still select a malicious binary | Document trusted installation sources; optionally pin known install locations | `doctor` reports resolved paths | Low | High | Medium |
|
|
152
|
+
| TM-006 | Name collision or malicious local artifact | Existing same-name app/helper/MCP | Trick install/uninstall into replacing unrelated data | Local data loss or tool hijack | Filesystem, app integrity | Bundle ID, ownership marker, and MCP-command checks | Marker is not cryptographic | Add manifest hashes for future upgrades | Report every skipped collision | Low | Medium | Low |
|
|
153
|
+
| TM-007 | MCP client/model output | Authorized local call | Return sensitive code or fill disk | Disclosure or local DoS | Logs, source, availability | Private temporary logs, 0600 files, default cleanup, 10 MB output, and 10-minute timeout in `CommandRunner.swift` and `script/claude-gpt` | MCP response intentionally enters Codex chat | Add optional redaction and lower configurable limits | Count failures by reason, never log prompt content | Medium | Medium | Medium |
|
|
154
|
+
| TM-008 | Symlink/path manipulation | Client supplies crafted path | Escape home/repository boundary | Unauthorized local reads/edits | Filesystem | Resolve symlinks and revalidate Git root in `MCPProjectGuard.swift` | Files inside an allowed repo may themselves be symlinks | Treat untrusted repositories as requiring OS isolation | Log rejected canonical root only | Low | High | Medium |
|
|
155
|
+
|
|
156
|
+
## Criticality calibration
|
|
157
|
+
|
|
158
|
+
- Critical: remote or package-level compromise that silently extracts provider
|
|
159
|
+
credentials at scale; arbitrary code execution from a normal read-only call.
|
|
160
|
+
- High: likely disclosure of local secrets from an untrusted repository;
|
|
161
|
+
malicious npm release executing as the developer.
|
|
162
|
+
- Medium: same-user port race, overbroad in-repo edits, bounded resource abuse,
|
|
163
|
+
or path attacks requiring a crafted local repository.
|
|
164
|
+
- Low: safe refusal, diagnostic path disclosure to the local user, or collision
|
|
165
|
+
behavior that skips rather than deletes an artifact.
|
|
166
|
+
|
|
167
|
+
## Focus paths for security review
|
|
168
|
+
|
|
169
|
+
| Path | Why it matters | Related Threat IDs |
|
|
170
|
+
|---|---|---|
|
|
171
|
+
| `npm/cli.mjs` | Owns installation, registration, and destructive removal | TM-001, TM-006 |
|
|
172
|
+
| `package.json` | Defines public package execution and release scripts | TM-001 |
|
|
173
|
+
| `script/claude-gpt` | Controls executable resolution, proxy lifecycle, and environment | TM-004, TM-005 |
|
|
174
|
+
| `script/install_backend.sh` | Writes an executable into the user's home | TM-006 |
|
|
175
|
+
| `script/build_and_run.sh` | Replaces and signs the installed app bundle | TM-001, TM-006 |
|
|
176
|
+
| `script/release_macos.sh` | Signs, notarizes, staples, verifies, and checksums public app archives | TM-001 |
|
|
177
|
+
| `.github/workflows/publish-npm.yml` | Defines the tokenless npm publication trust boundary | TM-001 |
|
|
178
|
+
| `Sources/ClaudeGPTMCP/MCPProjectGuard.swift` | Enforces canonical repository boundaries | TM-008 |
|
|
179
|
+
| `Sources/ClaudeGPTMCP/ClaudeHarnessRunner.swift` | Defines tool, prompt, edit, and model policy | TM-002, TM-003 |
|
|
180
|
+
| `Sources/ClaudeGPTMCP/CommandRunner.swift` | Handles environment, temp output, timeout, and subprocesses | TM-005, TM-007 |
|
|
181
|
+
| `Sources/ClaudeGPTMCP/ClaudeGPTMCPServer.swift` | Parses client input and exposes edit capabilities | TM-003, TM-007 |
|
|
182
|
+
| `SECURITY.md` | Sets disclosure expectations and states the non-sandbox boundary | TM-001, TM-002 |
|
|
183
|
+
|
|
184
|
+
## Quality check
|
|
185
|
+
|
|
186
|
+
- [x] Covered npm, CLI, app, MCP, subprocess, filesystem, and loopback entry points.
|
|
187
|
+
- [x] Represented every discovered trust boundary in at least one threat.
|
|
188
|
+
- [x] Separated runtime behavior from build, test, and publication behavior.
|
|
189
|
+
- [x] Recorded the assumed individual-developer deployment model and open
|
|
190
|
+
enterprise/untrusted-repo questions.
|
|
191
|
+
- [x] Distinguished implemented controls from residual risks and recommendations.
|
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Claude GPT Launcher contributors
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/Package.swift
ADDED
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
// swift-tools-version: 5.9
|
|
2
|
+
import PackageDescription
|
|
3
|
+
|
|
4
|
+
let package = Package(
|
|
5
|
+
name: "ClaudeGPTLauncher",
|
|
6
|
+
platforms: [.macOS(.v14)],
|
|
7
|
+
products: [
|
|
8
|
+
.executable(name: "ClaudeGPTLauncher", targets: ["ClaudeGPTLauncher"]),
|
|
9
|
+
.executable(name: "ClaudeGPTMCP", targets: ["ClaudeGPTMCP"])
|
|
10
|
+
],
|
|
11
|
+
targets: [
|
|
12
|
+
.executableTarget(
|
|
13
|
+
name: "ClaudeGPTLauncher",
|
|
14
|
+
path: "Sources/ClaudeGPTLauncher"
|
|
15
|
+
),
|
|
16
|
+
.executableTarget(
|
|
17
|
+
name: "ClaudeGPTMCP",
|
|
18
|
+
path: "Sources/ClaudeGPTMCP"
|
|
19
|
+
),
|
|
20
|
+
.testTarget(
|
|
21
|
+
name: "ClaudeGPTLauncherTests",
|
|
22
|
+
dependencies: ["ClaudeGPTLauncher", "ClaudeGPTMCP"]
|
|
23
|
+
)
|
|
24
|
+
]
|
|
25
|
+
)
|
package/README.md
ADDED
|
@@ -0,0 +1,239 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<img src="Resources/AppIcon.png" width="180" alt="Claude GPT Launcher icon">
|
|
3
|
+
</p>
|
|
4
|
+
|
|
5
|
+
<h1 align="center">Claude GPT Launcher</h1>
|
|
6
|
+
|
|
7
|
+
<p align="center">
|
|
8
|
+
<strong>The Claude Code workflow. GPT models. One click.</strong>
|
|
9
|
+
</p>
|
|
10
|
+
|
|
11
|
+
<p align="center">
|
|
12
|
+
<img alt="macOS 14+" src="https://img.shields.io/badge/macOS-14%2B-111827?logo=apple">
|
|
13
|
+
<img alt="Apple silicon" src="https://img.shields.io/badge/Apple%20silicon-native-2563EB">
|
|
14
|
+
<img alt="Swift" src="https://img.shields.io/badge/Swift-5.9%2B-F05138?logo=swift&logoColor=white">
|
|
15
|
+
<img alt="MCP" src="https://img.shields.io/badge/MCP-ready-7C3AED">
|
|
16
|
+
<a href="https://www.npmjs.com/package/claude-gpt-launcher"><img alt="npm" src="https://img.shields.io/npm/v/claude-gpt-launcher?logo=npm"></a>
|
|
17
|
+
<img alt="MIT license" src="https://img.shields.io/badge/license-MIT-16A34A">
|
|
18
|
+
</p>
|
|
19
|
+
|
|
20
|
+
Claude GPT Launcher is a tiny native macOS app for developers who enjoy the
|
|
21
|
+
Claude Code terminal experience and want to route it through GPT models exposed
|
|
22
|
+
by a local Codex-compatible proxy.
|
|
23
|
+
|
|
24
|
+
Pick a repository. Pick a model. Get a real Claude Code session—without copying
|
|
25
|
+
tokens, pasting environment variables, or leaving a proxy running forever.
|
|
26
|
+
|
|
27
|
+
> [!IMPORTANT]
|
|
28
|
+
> This is an independent community project. It is not affiliated with,
|
|
29
|
+
> endorsed by, or supported by Anthropic or OpenAI. It relies on the third-party
|
|
30
|
+
> [`raine/claude-code-proxy`](https://github.com/raine/claude-code-proxy)
|
|
31
|
+
> project and may be affected by provider policy or protocol changes.
|
|
32
|
+
|
|
33
|
+
## Why does this exist?
|
|
34
|
+
|
|
35
|
+
Claude Code has a distinctive interactive harness: project awareness, planning,
|
|
36
|
+
edits, tool calls, and a terminal-first workflow. Codex-backed GPT models offer
|
|
37
|
+
a different model family and subscription path. This project joins those two
|
|
38
|
+
pieces behind a friendly Mac launcher and an optional MCP bridge.
|
|
39
|
+
|
|
40
|
+
```text
|
|
41
|
+
Native Mac app or Codex chat
|
|
42
|
+
↓
|
|
43
|
+
Claude Code harness
|
|
44
|
+
↓
|
|
45
|
+
localhost compatibility proxy
|
|
46
|
+
↓
|
|
47
|
+
Codex / GPT models
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## What you get
|
|
51
|
+
|
|
52
|
+
| Surface | What it does |
|
|
53
|
+
|---|---|
|
|
54
|
+
| 🖥️ Native app | Pick any Git project and open a configured Claude Code session |
|
|
55
|
+
| ⌨️ `claude-gpt` | Start the same workflow from any terminal |
|
|
56
|
+
| 🔌 Codex MCP | Let a Codex chat consult or edit through the Claude Code harness |
|
|
57
|
+
| 🧭 Model picker | Switch between configured Sol, Terra, and Luna model aliases |
|
|
58
|
+
| 🧹 Owned cleanup | The session stops its own proxy and removes temporary state |
|
|
59
|
+
|
|
60
|
+
## Quick start
|
|
61
|
+
|
|
62
|
+
### 1. Install the prerequisites
|
|
63
|
+
|
|
64
|
+
Install Claude Code using Anthropic's package:
|
|
65
|
+
|
|
66
|
+
```zsh
|
|
67
|
+
npm install --global @anthropic-ai/claude-code
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
Install the proxy:
|
|
71
|
+
|
|
72
|
+
```zsh
|
|
73
|
+
brew install raine/claude-code-proxy/claude-code-proxy
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
Start the proxy's supported browser OAuth flow:
|
|
77
|
+
|
|
78
|
+
```zsh
|
|
79
|
+
claude-code-proxy codex auth login
|
|
80
|
+
claude-code-proxy codex auth status
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
The login result is stored by the proxy in macOS Keychain. Never paste or
|
|
84
|
+
commit the resulting credential.
|
|
85
|
+
|
|
86
|
+
### 2. Install Claude GPT Launcher
|
|
87
|
+
|
|
88
|
+
Install and build from npm:
|
|
89
|
+
|
|
90
|
+
```zsh
|
|
91
|
+
npx claude-gpt-launcher install
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
Or download the Apple-notarized ZIP from the
|
|
95
|
+
[latest GitHub release](https://github.com/Bennyyy28/claude-gpt-launcher/releases/latest),
|
|
96
|
+
verify its checksum, and move **Claude GPT.app** to Applications:
|
|
97
|
+
|
|
98
|
+
```zsh
|
|
99
|
+
shasum -a 256 -c Claude-GPT-Launcher-*.zip.sha256
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
### 3. Open a project
|
|
103
|
+
|
|
104
|
+
Open **Claude GPT** from `~/Applications`, drag in a Git repository, choose a
|
|
105
|
+
model, and select **Open Claude GPT**.
|
|
106
|
+
|
|
107
|
+
Or skip the window:
|
|
108
|
+
|
|
109
|
+
```zsh
|
|
110
|
+
claude-gpt "$HOME/code/my-project"
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
## Bring the harness into Codex
|
|
114
|
+
|
|
115
|
+
The installed app bundles a local stdio MCP server:
|
|
116
|
+
|
|
117
|
+
- `claude_code_plan` performs a read-only harness consultation.
|
|
118
|
+
- `claude_code_edit` performs repository edits without Bash or network tools.
|
|
119
|
+
|
|
120
|
+
Register it with Codex:
|
|
121
|
+
|
|
122
|
+
```zsh
|
|
123
|
+
claude-gpt-launcher mcp install --enable-edits
|
|
124
|
+
claude-gpt-launcher mcp status --json
|
|
125
|
+
```
|
|
126
|
+
|
|
127
|
+
Then open a new Codex chat. The MCP result returns directly to that chat—no
|
|
128
|
+
second terminal and no prompt copy/paste.
|
|
129
|
+
|
|
130
|
+
To protect sensitive repositories by remote substring:
|
|
131
|
+
|
|
132
|
+
```zsh
|
|
133
|
+
claude-gpt-launcher mcp install \
|
|
134
|
+
--enable-edits \
|
|
135
|
+
--protected-remotes "company/production,example/private-app"
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
Matching repositories remain denied until a caller explicitly opts in.
|
|
139
|
+
|
|
140
|
+
## Useful commands
|
|
141
|
+
|
|
142
|
+
```zsh
|
|
143
|
+
# Check platform, dependencies, app, backend, and MCP state
|
|
144
|
+
claude-gpt-launcher doctor --json
|
|
145
|
+
|
|
146
|
+
# Open the app
|
|
147
|
+
claude-gpt-launcher open
|
|
148
|
+
|
|
149
|
+
# Remove only the MCP registration
|
|
150
|
+
claude-gpt-launcher mcp remove
|
|
151
|
+
|
|
152
|
+
# Remove owned app, helper, and MCP artifacts
|
|
153
|
+
claude-gpt-launcher uninstall
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
## Safety model
|
|
157
|
+
|
|
158
|
+
The defaults are intentionally narrow:
|
|
159
|
+
|
|
160
|
+
- The proxy binds to a randomly selected `127.0.0.1` port.
|
|
161
|
+
- A port collision fails closed instead of reusing an unknown listener.
|
|
162
|
+
- OAuth material is never printed, extracted, or committed by this project.
|
|
163
|
+
- MCP edits require both installation-time enablement and call-time confirmation.
|
|
164
|
+
- The MCP excludes Bash and network tools.
|
|
165
|
+
- Repository roots and symlinks are canonicalized before delegation.
|
|
166
|
+
- Prompts, turns, output, and runtime are bounded.
|
|
167
|
+
- Installation and removal refuse to overwrite unrelated same-name artifacts.
|
|
168
|
+
|
|
169
|
+
> [!WARNING]
|
|
170
|
+
> Claude Code is not an OS sandbox and can normally read outside its working
|
|
171
|
+
> directory. The MCP adds deny rules for common credential locations, but you
|
|
172
|
+
> should still use a disposable account, container, or VM for untrusted code.
|
|
173
|
+
|
|
174
|
+
Read the full [security policy](SECURITY.md) and
|
|
175
|
+
[adversarial threat model](Claude-GPT-Launcher-threat-model.md) before enabling
|
|
176
|
+
MCP edits broadly.
|
|
177
|
+
|
|
178
|
+
## FAQ
|
|
179
|
+
|
|
180
|
+
<details>
|
|
181
|
+
<summary><strong>Does this extract my subscription token?</strong></summary>
|
|
182
|
+
|
|
183
|
+
No. Authentication is initiated through the proxy's supported OAuth screen.
|
|
184
|
+
This project never prints or asks you to paste the resulting token.
|
|
185
|
+
|
|
186
|
+
</details>
|
|
187
|
+
|
|
188
|
+
<details>
|
|
189
|
+
<summary><strong>Is this an official Anthropic or OpenAI integration?</strong></summary>
|
|
190
|
+
|
|
191
|
+
No. It is an open-source compatibility project built on another open-source
|
|
192
|
+
proxy. Provider policies and protocols can change, so use it with that risk in
|
|
193
|
+
mind.
|
|
194
|
+
|
|
195
|
+
</details>
|
|
196
|
+
|
|
197
|
+
<details>
|
|
198
|
+
<summary><strong>Why not just use Codex directly?</strong></summary>
|
|
199
|
+
|
|
200
|
+
You absolutely can. This project is specifically for people who prefer the
|
|
201
|
+
Claude Code harness or want Codex to call that harness through MCP.
|
|
202
|
+
|
|
203
|
+
</details>
|
|
204
|
+
|
|
205
|
+
<details>
|
|
206
|
+
<summary><strong>Does closing the session stop the proxy?</strong></summary>
|
|
207
|
+
|
|
208
|
+
Yes. Each launcher session owns a temporary proxy process and cleans it up when
|
|
209
|
+
Claude Code exits.
|
|
210
|
+
|
|
211
|
+
</details>
|
|
212
|
+
|
|
213
|
+
## Build from source
|
|
214
|
+
|
|
215
|
+
```zsh
|
|
216
|
+
./script/install_backend.sh
|
|
217
|
+
./script/build_and_run.sh --install
|
|
218
|
+
npm test
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
Requirements: Apple-silicon Mac, macOS 14+, Swift 5.9+, Node.js 20+, Claude
|
|
222
|
+
Code, and `claude-code-proxy`.
|
|
223
|
+
|
|
224
|
+
## Contributing
|
|
225
|
+
|
|
226
|
+
Issues, focused pull requests, documentation improvements, and security-minded
|
|
227
|
+
reviews are welcome. Start with [CONTRIBUTING.md](CONTRIBUTING.md). Please use
|
|
228
|
+
private vulnerability reporting for security issues.
|
|
229
|
+
|
|
230
|
+
## Acknowledgements
|
|
231
|
+
|
|
232
|
+
- [`raine/claude-code-proxy`](https://github.com/raine/claude-code-proxy) for
|
|
233
|
+
the Anthropic-compatible local proxy.
|
|
234
|
+
- Claude Code and Codex for inspiring a delightfully strange bridge between two
|
|
235
|
+
excellent developer workflows.
|
|
236
|
+
|
|
237
|
+
## License
|
|
238
|
+
|
|
239
|
+
MIT — see [LICENSE](LICENSE).
|
package/RELEASING.md
ADDED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# Releasing
|
|
2
|
+
|
|
3
|
+
Releases have two independent artifacts: the npm source package and a notarized
|
|
4
|
+
Apple-silicon app archive. Never put npm, Apple ID, or App Store Connect secrets
|
|
5
|
+
in this repository or in command-line arguments.
|
|
6
|
+
|
|
7
|
+
## npm
|
|
8
|
+
|
|
9
|
+
Run the full validation, then publish from a clean release commit:
|
|
10
|
+
|
|
11
|
+
```zsh
|
|
12
|
+
npm test
|
|
13
|
+
npm run pack:check
|
|
14
|
+
npm publish --access public --provenance
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
For later releases, configure npm trusted publishing for
|
|
18
|
+
`Bennyyy28/claude-gpt-launcher` and workflow `publish-npm.yml`. The release
|
|
19
|
+
workflow then publishes without a long-lived npm token. Trusted publishing
|
|
20
|
+
requires npm 11.5.1 or newer; the workflow pins a compatible npm release.
|
|
21
|
+
|
|
22
|
+
## Notarized macOS archive
|
|
23
|
+
|
|
24
|
+
Create a Keychain-backed `notarytool` profile once. Enter the app-specific
|
|
25
|
+
password only at the interactive prompt:
|
|
26
|
+
|
|
27
|
+
```zsh
|
|
28
|
+
xcrun notarytool store-credentials claude-gpt-launcher-notary \
|
|
29
|
+
--apple-id "YOUR_APPLE_ID" \
|
|
30
|
+
--team-id "YOUR_TEAM_ID"
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Build, sign, submit, staple, assess, and checksum the archive:
|
|
34
|
+
|
|
35
|
+
```zsh
|
|
36
|
+
DEVELOPER_ID_APPLICATION="Developer ID Application: YOUR NAME (YOUR_TEAM_ID)" \
|
|
37
|
+
NOTARYTOOL_PROFILE="claude-gpt-launcher-notary" \
|
|
38
|
+
npm run release:macos
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
The distributable ZIP and its SHA-256 file are written to `dist/release/`.
|
|
42
|
+
Upload both to the matching GitHub release. The script fails closed unless
|
|
43
|
+
Apple accepts the submission and Gatekeeper accepts the stapled app.
|
|
Binary file
|
|
Binary file
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
3
|
+
<plist version="1.0">
|
|
4
|
+
<dict>
|
|
5
|
+
<key>CFBundleExecutable</key>
|
|
6
|
+
<string>ClaudeGPTLauncher</string>
|
|
7
|
+
<key>CFBundleIdentifier</key>
|
|
8
|
+
<string>app.claudegpt.launcher</string>
|
|
9
|
+
<key>CFBundleName</key>
|
|
10
|
+
<string>Claude GPT</string>
|
|
11
|
+
<key>CFBundleDisplayName</key>
|
|
12
|
+
<string>Claude GPT</string>
|
|
13
|
+
<key>CFBundleIconFile</key>
|
|
14
|
+
<string>AppIcon</string>
|
|
15
|
+
<key>CFBundlePackageType</key>
|
|
16
|
+
<string>APPL</string>
|
|
17
|
+
<key>CFBundleShortVersionString</key>
|
|
18
|
+
<string>1.0.0</string>
|
|
19
|
+
<key>CFBundleVersion</key>
|
|
20
|
+
<string>1</string>
|
|
21
|
+
<key>LSMinimumSystemVersion</key>
|
|
22
|
+
<string>14.0</string>
|
|
23
|
+
<key>NSHighResolutionCapable</key>
|
|
24
|
+
<true/>
|
|
25
|
+
<key>NSPrincipalClass</key>
|
|
26
|
+
<string>NSApplication</string>
|
|
27
|
+
</dict>
|
|
28
|
+
</plist>
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Reporting a vulnerability
|
|
4
|
+
|
|
5
|
+
Use the repository host's private vulnerability-reporting feature. Do not open
|
|
6
|
+
a public issue containing exploit details, credentials, repository contents, or
|
|
7
|
+
OAuth material.
|
|
8
|
+
|
|
9
|
+
Include the affected version, platform, reproduction steps, impact, and any
|
|
10
|
+
suggested mitigation. Never include live tokens; use clearly fake placeholders.
|
|
11
|
+
|
|
12
|
+
## Security boundary
|
|
13
|
+
|
|
14
|
+
Claude GPT Launcher is a local developer tool, not an OS sandbox. It runs under
|
|
15
|
+
the current user's permissions and sends selected repository context through
|
|
16
|
+
the configured model provider. Use disposable environments for untrusted
|
|
17
|
+
repositories and review changes before committing them.
|