npm - claude-remote-guard - Versions diffs - 1.0.0 - Mend

claude-remote-guard 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (82) hide show

package/README.md +433 -0
package/dist/bin/cli.d.ts +3 -0
package/dist/bin/cli.d.ts.map +1 -0
package/dist/bin/cli.js +427 -0
package/dist/bin/cli.js.map +1 -0
package/dist/bin/hook.d.ts +3 -0
package/dist/bin/hook.d.ts.map +1 -0
package/dist/bin/hook.js +136 -0
package/dist/bin/hook.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/lib/claude-settings.d.ts +11 -0
package/dist/lib/claude-settings.d.ts.map +1 -0
package/dist/lib/claude-settings.js +96 -0
package/dist/lib/claude-settings.js.map +1 -0
package/dist/lib/config.d.ts +47 -0
package/dist/lib/config.d.ts.map +1 -0
package/dist/lib/config.js +177 -0
package/dist/lib/config.js.map +1 -0
package/dist/lib/edge-function.d.ts +14 -0
package/dist/lib/edge-function.d.ts.map +1 -0
package/dist/lib/edge-function.js +521 -0
package/dist/lib/edge-function.js.map +1 -0
package/dist/lib/firebase.d.ts +27 -0
package/dist/lib/firebase.d.ts.map +1 -0
package/dist/lib/firebase.js +136 -0
package/dist/lib/firebase.js.map +1 -0
package/dist/lib/messenger/base.d.ts +6 -0
package/dist/lib/messenger/base.d.ts.map +1 -0
package/dist/lib/messenger/base.js +34 -0
package/dist/lib/messenger/base.js.map +1 -0
package/dist/lib/messenger/factory.d.ts +15 -0
package/dist/lib/messenger/factory.d.ts.map +1 -0
package/dist/lib/messenger/factory.js +37 -0
package/dist/lib/messenger/factory.js.map +1 -0
package/dist/lib/messenger/index.d.ts +7 -0
package/dist/lib/messenger/index.d.ts.map +1 -0
package/dist/lib/messenger/index.js +9 -0
package/dist/lib/messenger/index.js.map +1 -0
package/dist/lib/messenger/slack.d.ts +14 -0
package/dist/lib/messenger/slack.d.ts.map +1 -0
package/dist/lib/messenger/slack.js +169 -0
package/dist/lib/messenger/slack.js.map +1 -0
package/dist/lib/messenger/telegram.d.ts +15 -0
package/dist/lib/messenger/telegram.d.ts.map +1 -0
package/dist/lib/messenger/telegram.js +120 -0
package/dist/lib/messenger/telegram.js.map +1 -0
package/dist/lib/messenger/types.d.ts +21 -0
package/dist/lib/messenger/types.d.ts.map +1 -0
package/dist/lib/messenger/types.js +2 -0
package/dist/lib/messenger/types.js.map +1 -0
package/dist/lib/messenger/whatsapp.d.ts +16 -0
package/dist/lib/messenger/whatsapp.d.ts.map +1 -0
package/dist/lib/messenger/whatsapp.js +103 -0
package/dist/lib/messenger/whatsapp.js.map +1 -0
package/dist/lib/rules.d.ts +17 -0
package/dist/lib/rules.d.ts.map +1 -0
package/dist/lib/rules.js +138 -0
package/dist/lib/rules.js.map +1 -0
package/dist/lib/rules.test.d.ts +2 -0
package/dist/lib/rules.test.d.ts.map +1 -0
package/dist/lib/rules.test.js +144 -0
package/dist/lib/rules.test.js.map +1 -0
package/dist/lib/setup-instructions.d.ts +3 -0
package/dist/lib/setup-instructions.d.ts.map +1 -0
package/dist/lib/setup-instructions.js +55 -0
package/dist/lib/setup-instructions.js.map +1 -0
package/dist/lib/slack.d.ts +18 -0
package/dist/lib/slack.d.ts.map +1 -0
package/dist/lib/slack.js +21 -0
package/dist/lib/slack.js.map +1 -0
package/dist/lib/supabase.d.ts +33 -0
package/dist/lib/supabase.d.ts.map +1 -0
package/dist/lib/supabase.js +169 -0
package/dist/lib/supabase.js.map +1 -0
package/package.json +67 -0
package/supabase/functions/slack-callback/index.ts +198 -0
package/supabase/functions/telegram-callback/index.ts +209 -0
package/supabase/functions/whatsapp-callback/index.ts +180 -0
package/supabase/migrations/001_create_approval_requests.sql +91 -0

package/supabase/functions/whatsapp-callback/index.ts ADDED Viewed

@@ -0,0 +1,180 @@
+// Supabase Edge Function for WhatsApp (Twilio) Callbacks
+// Deploy: supabase functions deploy whatsapp-callback
+//
+// Required environment variables:
+// - TWILIO_AUTH_TOKEN: Your Twilio auth token for signature verification
+// - SUPABASE_URL: Auto-provided by Supabase
+// - SUPABASE_SERVICE_ROLE_KEY: Auto-provided by Supabase
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+// Timing-safe string comparison to prevent timing attacks
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+// Verify Twilio request signature
+async function verifyTwilioSignature(
+  authToken: string,
+  signature: string,
+  url: string,
+  params: Record<string, string>
+): Promise<boolean> {
+  // Sort parameters and create string
+  const sortedParams = Object.keys(params)
+    .sort()
+    .map(key => `${key}${params[key]}`)
+    .join('');
+  const data = url + sortedParams;
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(authToken),
+    { name: 'HMAC', hash: 'SHA-1' },
+    false,
+    ['sign']
+  );
+  const signatureBuffer = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const computedSignature = btoa(String.fromCharCode(...new Uint8Array(signatureBuffer)));
+  // Timing-safe comparison
+  return timingSafeEqual(signature, computedSignature);
+}
+serve(async (req: Request) => {
+  // Only allow POST
+  if (req.method !== 'POST') {
+    return new Response('Method not allowed', { status: 405 });
+  }
+  try {
+    const authToken = Deno.env.get('TWILIO_AUTH_TOKEN');
+    if (!authToken) {
+      console.error('Missing TWILIO_AUTH_TOKEN environment variable');
+      return new Response('Server configuration error', { status: 500 });
+    }
+    // Parse form data
+    const formData = await req.formData();
+    const params: Record<string, string> = {};
+    formData.forEach((value, key) => {
+      params[key] = value.toString();
+    });
+    // Verify Twilio signature (required for security)
+    const twilioSignature = req.headers.get('X-Twilio-Signature');
+    if (!twilioSignature) {
+      console.error('Missing Twilio signature header');
+      return new Response('Unauthorized', { status: 401 });
+    }
+    const isValid = await verifyTwilioSignature(
+      authToken,
+      twilioSignature,
+      req.url,
+      params
+    );
+    if (!isValid) {
+      console.error('Invalid Twilio signature');
+      return new Response('Unauthorized', { status: 401 });
+    }
+    // Get message body
+    const body = params['Body']?.trim();
+    const from = params['From'];
+    if (!body) {
+      return twimlResponse('No message body received.');
+    }
+    // Parse command: "APPROVE <requestId>" or "REJECT <requestId>"
+    const match = body.match(/^(APPROVE|REJECT)\s+([a-f0-9-]+)$/i);
+    if (!match) {
+      return twimlResponse(
+        'Invalid format. Use:\nAPPROVE <request-id>\nor\nREJECT <request-id>'
+      );
+    }
+    const [, action, requestId] = match;
+    const status = action.toUpperCase() === 'APPROVE' ? 'approved' : 'rejected';
+    // Extract phone number for resolved_by
+    const resolvedBy = from?.replace('whatsapp:', '') || 'unknown';
+    // Initialize Supabase client
+    const supabaseUrl = Deno.env.get('SUPABASE_URL');
+    const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+    if (!supabaseUrl || !supabaseServiceKey) {
+      console.error('Missing Supabase environment variables');
+      return twimlResponse('Server configuration error.');
+    }
+    const supabase = createClient(supabaseUrl, supabaseServiceKey);
+    // Update the approval request
+    const { data, error } = await supabase
+      .from('approval_requests')
+      .update({
+        status,
+        resolved_at: new Date().toISOString(),
+        resolved_by: resolvedBy,
+      })
+      .eq('id', requestId)
+      .eq('status', 'pending')
+      .select('id');
+    if (error) {
+      console.error('Failed to update request:', error);
+      return twimlResponse('Failed to update request. Please try again.');
+    }
+    if (!data || data.length === 0) {
+      return twimlResponse('Request not found or already resolved.');
+    }
+    // Send success response
+    const emoji = status === 'approved' ? '✅' : '❌';
+    const actionText = status === 'approved' ? 'approved' : 'rejected';
+    return twimlResponse(`${emoji} Request ${requestId.substring(0, 8)}... has been ${actionText}.`);
+  } catch (error) {
+    console.error('Error processing request:', error);
+    return twimlResponse('Internal server error.');
+  }
+});
+function twimlResponse(message: string): Response {
+  const twiml = `<?xml version="1.0" encoding="UTF-8"?>
+<Response>
+  <Message>${escapeXml(message)}</Message>
+</Response>`;
+  return new Response(twiml, {
+    status: 200,
+    headers: {
+      'Content-Type': 'application/xml',
+    },
+  });
+}
+function escapeXml(text: string): string {
+  return text
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}

package/supabase/migrations/001_create_approval_requests.sql ADDED Viewed

@@ -0,0 +1,91 @@
+-- Create approval_requests table with proper security
+-- Run this in your Supabase SQL editor
+-- Create the table
+CREATE TABLE IF NOT EXISTS approval_requests (
+  id UUID PRIMARY KEY,
+  command TEXT NOT NULL,
+  danger_reason TEXT NOT NULL,
+  severity TEXT NOT NULL CHECK (severity IN ('low', 'medium', 'high', 'critical')),
+  cwd TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'approved', 'rejected', 'timeout')),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  resolved_at TIMESTAMPTZ,
+  resolved_by TEXT,
+  -- Add machine identifier for multi-user scenarios
+  machine_id TEXT,
+  -- Add index for faster queries
+  CONSTRAINT valid_resolution CHECK (
+    (status = 'pending' AND resolved_at IS NULL AND resolved_by IS NULL) OR
+    (status != 'pending' AND resolved_at IS NOT NULL)
+  )
+);
+-- Create indexes for common queries
+CREATE INDEX IF NOT EXISTS idx_approval_requests_status ON approval_requests(status);
+CREATE INDEX IF NOT EXISTS idx_approval_requests_created_at ON approval_requests(created_at);
+CREATE INDEX IF NOT EXISTS idx_approval_requests_machine_id ON approval_requests(machine_id);
+-- Enable Row Level Security
+ALTER TABLE approval_requests ENABLE ROW LEVEL SECURITY;
+-- Drop existing policies if any
+DROP POLICY IF EXISTS "Allow insert for authenticated and anon" ON approval_requests;
+DROP POLICY IF EXISTS "Allow select own requests" ON approval_requests;
+DROP POLICY IF EXISTS "Allow update via service role only" ON approval_requests;
+DROP POLICY IF EXISTS "Allow delete old requests" ON approval_requests;
+-- Policy: Allow insert (CLI creates requests)
+-- In production, consider adding machine_id validation
+CREATE POLICY "Allow insert for authenticated and anon" ON approval_requests
+  FOR INSERT
+  WITH CHECK (
+    status = 'pending' AND
+    resolved_at IS NULL AND
+    resolved_by IS NULL
+  );
+-- Policy: Allow select own pending requests only (for real-time subscription)
+-- Clients can only see their own pending requests
+CREATE POLICY "Allow select pending requests" ON approval_requests
+  FOR SELECT
+  USING (
+    status = 'pending' AND
+    created_at > NOW() - INTERVAL '1 hour'
+  );
+-- Policy: Only service role can update (Edge Function uses service role key)
+-- This prevents unauthorized approval/rejection via anon key
+CREATE POLICY "Allow update via service role only" ON approval_requests
+  FOR UPDATE
+  USING (auth.role() = 'service_role');
+-- Policy: Allow cleanup of old requests
+CREATE POLICY "Allow delete old requests" ON approval_requests
+  FOR DELETE
+  USING (created_at < NOW() - INTERVAL '24 hours');
+-- Enable realtime for the table
+ALTER PUBLICATION supabase_realtime ADD TABLE approval_requests;
+-- Create a function to auto-cleanup old requests (optional)
+CREATE OR REPLACE FUNCTION cleanup_old_approval_requests()
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+  DELETE FROM approval_requests
+  WHERE created_at < NOW() - INTERVAL '7 days';
+END;
+$$;
+-- Grant necessary permissions
+GRANT SELECT, INSERT, DELETE ON approval_requests TO anon;
+GRANT SELECT, INSERT, UPDATE, DELETE ON approval_requests TO authenticated;
+GRANT ALL ON approval_requests TO service_role;
+-- Comment for documentation
+COMMENT ON TABLE approval_requests IS 'Stores pending command approval requests from Claude Guard CLI';
+COMMENT ON COLUMN approval_requests.command IS 'The command that requires approval (sensitive info masked)';
+COMMENT ON COLUMN approval_requests.machine_id IS 'Optional identifier to scope requests per machine';