claude-rpc 0.13.4 → 0.13.6

package/README.md

@@ -185,7 +185,7 @@ For a complete account of the sensitive things claude-rpc does — startup persi
                                 └────────────┘
 ```
 
-No database, no message bus, no background polling when Claude Code isn't running. State on disk you can `cat` and `jq`. The single runtime dependency is `@xhayper/discord-rpc`.
+No database, no message bus, no background polling when Claude Code isn't running. State on disk you can `cat` and `jq`. **Zero runtime dependencies** — even the Discord Rich Presence IPC client is hand-rolled (`src/discord-ipc.js`).
 
 1. **hook** ([`src/hook.js`](src/hook.js)) — Claude Code spawns it on every lifecycle event. Parses the JSON from stdin and mutates the shared state file. Runs in ~20ms.
 2. **daemon** ([`src/daemon.js`](src/daemon.js)) — long-running. Connects to Discord's local IPC, watches the state file, pushes presence frames every few seconds. Exponential backoff with jitter on reconnect; `daemon.log` rotates at 5 MB.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-rpc",
-  "version": "0.13.4",
+  "version": "0.13.6",
   "description": "Discord Rich Presence for Claude Code — live model, project, tokens, and lifetime stats driven by Claude Code's hook system.",
   "type": "module",
   "license": "MIT",
@@ -37,9 +37,7 @@
     "format:check": "prettier --check \"src/**/*.js\" \"test/**/*.js\"",
     "typecheck": "tsc -p jsconfig.json"
   },
-  "dependencies": {
-    "@xhayper/discord-rpc": "^1.2.1"
-  },
+  "dependencies": {},
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "esbuild": "^0.24.0",
@@ -52,6 +50,10 @@
   "engines": {
     "node": ">=18"
   },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "keywords": [
     "claude",
     "claude-code",

package/src/daemon.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { writeFileSync, existsSync, unlinkSync, watch, appendFileSync, mkdirSync, statSync, renameSync } from 'node:fs';
 import { dirname } from 'node:path';
-import { Client } from '@xhayper/discord-rpc';
+import { Client } from './discord-ipc.js';
 import { readState } from './state.js';
 import { buildVars, fillTemplate, framePasses, applyIdle, applyShipped, applyTrigger } from './format.js';
 import { scan, readAggregate, findLiveSessions, readSessionTokens } from './scanner.js';
@@ -259,7 +259,7 @@ function buildActivity(opts = {}) {
     effectiveSessionStart = state.lastActivity || Date.now();
   }
   if (config.showElapsed && effectiveSessionStart && state.status !== 'stale') {
-    // Discord IPC + @xhayper/discord-rpc expect milliseconds (not seconds).
+    // Discord IPC expects millisecond timestamps (not seconds).
     activity.startTimestamp = effectiveSessionStart;
   }
 
@@ -366,11 +366,13 @@ async function pushPresence() {
 
 // Heuristic: does this error indicate the IPC transport itself is dead
 // (vs. a transient/application-level failure)? Matches the common broken-pipe
-// / closed-socket shapes from @xhayper/discord-rpc and the underlying net
+// / closed-socket shapes from our IPC client (src/discord-ipc.js) and the net
 // socket so we only force a reconnect when the connection is actually gone.
 function isConnectionError(e) {
   const code = (e && e.code) || '';
-  if (['EPIPE', 'ECONNRESET', 'ENOENT', 'ECONNREFUSED', 'ERR_STREAM_WRITE_AFTER_END'].includes(code)) return true;
+  // ETIMEDOUT: request() now deadlines nonce replies — a half-open pipe that
+  // acks writes but never answers is a dead transport, so reconnect.
+  if (['EPIPE', 'ECONNRESET', 'ENOENT', 'ECONNREFUSED', 'ETIMEDOUT', 'ERR_STREAM_WRITE_AFTER_END'].includes(code)) return true;
   const m = String((e && e.message) || '').toLowerCase();
   return /closed|reset|broken pipe|not connected|disconnect|write after end|socket|econnreset|epipe|connection/.test(m);
 }

package/src/discord-ipc.js

@@ -0,0 +1,358 @@
+// Minimal, dependency-free Discord Rich Presence IPC client.
+//
+// claude-rpc only ever needs *local presence* — connect to the Discord
+// desktop client's IPC socket, set/clear an activity. It never touches
+// Discord's REST API, OAuth, the gateway, or voice. `@xhayper/discord-rpc`
+// (our former sole runtime dependency) shipped all of that plus undici, ws,
+// and the @discordjs/* stack — ~10 transitive packages for a feature that is,
+// on the wire, an 8-byte header and a JSON blob over a named pipe / unix
+// socket. This module reimplements exactly the slice the daemon uses, so the
+// published package has ZERO runtime dependencies.
+//
+// Wire protocol (unchanged Discord IPC):
+//   frame  = <op:uint32 LE> <len:uint32 LE> <json utf8 of length len>
+//   op 0 HANDSHAKE  · op 1 FRAME · op 2 CLOSE · op 3 PING · op 4 PONG
+//   handshake  → { v: 1, client_id }
+//   READY      ← { cmd:'DISPATCH', evt:'READY', data:{ user, config } }
+//   request    → { cmd, args, nonce }   response matched back by nonce
+//
+// The activity-object → payload mapping below is a faithful copy of
+// @xhayper's ClientUser.setActivity, so the rendered card is byte-identical
+// to what shipped through v0.13.4.
+import net from 'node:net';
+import fs from 'node:fs';
+import path from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { EventEmitter } from 'node:events';
+
+export const OP_HANDSHAKE = 0;
+export const OP_FRAME = 1;
+export const OP_CLOSE = 2;
+export const OP_PING = 3;
+export const OP_PONG = 4;
+
+const CONNECT_TIMEOUT_MS = 10_000; // matches @xhayper's connect() timeout
+
+// Same resolution order @xhayper used: XDG_RUNTIME_DIR → TMPDIR → TMP → TEMP → /tmp.
+function getTempDir() {
+  const { XDG_RUNTIME_DIR, TMPDIR, TMP, TEMP } = process.env;
+  return fs.realpathSync(XDG_RUNTIME_DIR ?? TMPDIR ?? TMP ?? TEMP ?? `${path.sep}tmp`);
+}
+
+// Candidate IPC socket paths, mirroring @xhayper's defaultPathList.
+//   win32: named pipe \\?\pipe\discord-ipc-{0..9} (no existence pre-check)
+//   posix: <tmp>/discord-ipc-{0..9}, plus snap + flatpak subdirs on linux.
+// On posix we only keep paths that actually exist, exactly like the library —
+// connecting to a non-existent unix socket just wastes a syscall per id.
+export function candidatePaths(platform = process.platform) {
+  const out = [];
+  if (platform === 'win32') {
+    for (let i = 0; i < 10; i++) out.push(`\\\\?\\pipe\\discord-ipc-${i}`);
+    return out;
+  }
+  let base;
+  try {
+    base = getTempDir();
+  } catch {
+    base = '/tmp';
+  }
+  const dirs = [base];
+  if (platform === 'linux') {
+    dirs.push(path.join(base, 'snap.discord'));
+    dirs.push(path.join(base, 'app', 'com.discordapp.Discord'));
+  }
+  for (const dir of dirs) {
+    for (let i = 0; i < 10; i++) {
+      const p = path.join(dir, `discord-ipc-${i}`);
+      if (fs.existsSync(p)) out.push(p);
+    }
+  }
+  return out;
+}
+
+// Encode one IPC frame: 8-byte little-endian header + JSON body.
+export function encodeFrame(op, data) {
+  const body = data === undefined ? Buffer.alloc(0) : Buffer.from(JSON.stringify(data));
+  const header = Buffer.alloc(8);
+  header.writeUInt32LE(op, 0);
+  header.writeUInt32LE(body.length, 4);
+  return Buffer.concat([header, body]);
+}
+
+// Stateful decoder: feed it socket chunks, get back complete {op, data} frames.
+// Handles partial reads and multiple frames coalesced into one chunk.
+export function createFrameDecoder() {
+  let buf = Buffer.alloc(0);
+  return function push(chunk) {
+    buf = buf.length ? Buffer.concat([buf, chunk]) : chunk;
+    const frames = [];
+    while (buf.length >= 8) {
+      const op = buf.readUInt32LE(0);
+      const len = buf.readUInt32LE(4);
+      if (buf.length < 8 + len) break; // wait for the rest of the body
+      const body = buf.subarray(8, 8 + len);
+      buf = buf.subarray(8 + len);
+      let data;
+      try {
+        data = body.length ? JSON.parse(body.toString()) : undefined;
+      } catch {
+        continue; // skip a malformed frame, keep draining the buffer
+      }
+      frames.push({ op, data });
+    }
+    return frames;
+  };
+}
+
+// Friendly activity object → Discord's SET_ACTIVITY payload. Faithful copy of
+// @xhayper ClientUser.setActivity (the subset claude-rpc uses). Kept verbatim
+// so existing config renders identically.
+export function formatActivity(activity = {}, pid) {
+  const a = {
+    name: activity.name,
+    type: activity.type ?? 0, // 0 = Playing
+    instance: !!activity.instance,
+  };
+  if (activity.type === 1 && activity.url) a.url = activity.url; // Streaming only
+  if (activity.details) a.details = activity.details;
+  if (activity.state) a.state = activity.state;
+
+  if (activity.startTimestamp || activity.endTimestamp) {
+    a.timestamps = {};
+    const start = activity.startTimestamp instanceof Date ? activity.startTimestamp.getTime() : activity.startTimestamp;
+    const end = activity.endTimestamp instanceof Date ? activity.endTimestamp.getTime() : activity.endTimestamp;
+    if (typeof start === 'number') a.timestamps.start = start;
+    if (typeof end === 'number') a.timestamps.end = end;
+  }
+
+  if (activity.largeImageKey || activity.smallImageKey || activity.largeImageText || activity.smallImageText) {
+    a.assets = {};
+    if (activity.largeImageKey) a.assets.large_image = activity.largeImageKey;
+    if (activity.smallImageKey) a.assets.small_image = activity.smallImageKey;
+    if (activity.largeImageText) a.assets.large_text = activity.largeImageText;
+    if (activity.smallImageText) a.assets.small_text = activity.smallImageText;
+  }
+
+  if (activity.buttons?.length) a.buttons = activity.buttons;
+
+  return { pid: pid ?? process?.pid ?? 0, activity: a };
+}
+
+// Drop-in for the slice of @xhayper's `Client` the daemon relies on:
+//   new Client({ clientId, transport:{ type:'ipc', pathList? } })
+//   client.on('ready'|'disconnected', …) · await client.login()
+//   client.user.{username, setActivity(a), clearActivity()} · client.destroy()
+export class Client extends EventEmitter {
+  constructor(options = {}) {
+    super();
+    this.clientId = options.clientId;
+    // pathList override is used by tests to point at a fake server; production
+    // leaves it undefined and we discover the real Discord socket.
+    this._pathList = options.transport?.pathList;
+    this.socket = null;
+    this.user = null;
+    this._pending = new Map(); // nonce → { resolve, reject }
+    this._connected = false;
+    this._decode = null;
+  }
+
+  async _openSocket() {
+    const paths = this._pathList ?? candidatePaths();
+    for (const p of paths) {
+      const socket = await new Promise((resolve) => {
+        const s = net.createConnection(p);
+        const onErr = () => {
+          s.removeListener('connect', onOk);
+          resolve(null);
+        };
+        const onOk = () => {
+          s.removeListener('error', onErr);
+          resolve(s);
+        };
+        s.once('connect', onOk);
+        s.once('error', onErr);
+      });
+      if (socket) return socket;
+    }
+    return null;
+  }
+
+  // Connect, handshake, and resolve once Discord sends READY (which also
+  // populates `user`). Mirrors @xhayper: login() with no scopes === connect().
+  async login() {
+    const socket = await this._openSocket();
+    if (!socket) {
+      const err = new Error('Could not connect to Discord client');
+      err.code = 'ECONNREFUSED';
+      throw err;
+    }
+    this.socket = socket;
+    this._decode = createFrameDecoder();
+
+    const ready = new Promise((resolve, reject) => {
+      const timer = setTimeout(() => {
+        const err = new Error('Connection timed out');
+        err.code = 'ETIMEDOUT';
+        reject(err);
+      }, CONNECT_TIMEOUT_MS);
+      if (typeof timer === 'object' && 'unref' in timer) timer.unref();
+      this._readyResolve = () => {
+        clearTimeout(timer);
+        resolve();
+      };
+      this._readyReject = (e) => {
+        clearTimeout(timer);
+        reject(e);
+      };
+    });
+
+    socket.on('data', (chunk) => this._onData(chunk));
+    socket.on('close', () => this._onClose('Connection ended'));
+    socket.on('error', () => this._onClose('socket error'));
+
+    this._send(OP_HANDSHAKE, { v: 1, client_id: this.clientId });
+
+    await ready;
+    // No OAuth scopes are ever requested, so READY === ready, same as the lib.
+    this.emit('ready');
+  }
+
+  _send(op, data) {
+    if (!this.socket) return;
+    try {
+      this.socket.write(encodeFrame(op, data));
+    } catch {
+      // Broken pipe mid-write — the 'close'/'error' handler will drive the
+      // daemon's reconnect. Swallow so a write race can't crash the process.
+    }
+  }
+
+  // Send a command frame and resolve when the nonce-matched reply arrives.
+  // Times out after 10s: on a half-open pipe Discord can ack the socket write
+  // but never send the nonce reply, and without a deadline that await would
+  // hang forever — freezing the daemon's presence on a stale frame, with the
+  // watchdog blind because `connected` still reads true.
+  request(cmd, args, timeoutMs = 10_000) {
+    return new Promise((resolve, reject) => {
+      if (!this.socket) {
+        const err = new Error('Not connected');
+        err.code = 'ENOTCONN';
+        reject(err);
+        return;
+      }
+      const nonce = randomUUID();
+      const timer = setTimeout(() => {
+        this._pending.delete(nonce);
+        const err = new Error(`No reply to ${cmd} within ${timeoutMs}ms`);
+        err.code = 'ETIMEDOUT';
+        reject(err);
+      }, timeoutMs);
+      if (timer.unref) timer.unref();
+      this._pending.set(nonce, { resolve, reject, timer });
+      this._send(OP_FRAME, { cmd, args, nonce });
+    });
+  }
+
+  _onData(chunk) {
+    let frames;
+    try {
+      frames = this._decode(chunk);
+    } catch {
+      return;
+    }
+    for (const { op, data } of frames) this._onFrame(op, data);
+  }
+
+  _onFrame(op, msg) {
+    if (op === OP_PING) {
+      this._send(OP_PONG, msg);
+      return;
+    }
+    if (op === OP_CLOSE) {
+      this._onClose(msg);
+      return;
+    }
+    if (op !== OP_FRAME || !msg) return;
+
+    if (msg.cmd === 'DISPATCH' && msg.evt === 'READY') {
+      this.user = this._buildUser(msg.data?.user || {});
+      this._connected = true;
+      if (this._readyResolve) this._readyResolve();
+      return;
+    }
+
+    // Nonce-matched response to a request() (e.g. SET_ACTIVITY).
+    if (msg.nonce && this._pending.has(msg.nonce)) {
+      const { resolve, reject, timer } = this._pending.get(msg.nonce);
+      clearTimeout(timer);
+      this._pending.delete(msg.nonce);
+      if (msg.evt === 'ERROR') {
+        const err = new Error(msg.data?.message || 'Discord RPC error');
+        err.code = msg.data?.code;
+        reject(err);
+      } else {
+        resolve(msg);
+      }
+    }
+  }
+
+  // Wrap the READY user payload with the activity methods the daemon calls on
+  // `client.user`. Spreading the raw fields preserves `.username` (and id, etc).
+  _buildUser(raw) {
+    return {
+      ...raw,
+      setActivity: (activity, pid) => this.request('SET_ACTIVITY', formatActivity(activity, pid)),
+      clearActivity: (pid) => this.request('SET_ACTIVITY', { pid: pid ?? process?.pid ?? 0 }),
+    };
+  }
+
+  _onClose(reason) {
+    const wasConnected = this._connected || !!this.socket;
+    // Fail any in-flight requests so awaiters don't hang forever.
+    for (const { reject, timer } of this._pending.values()) {
+      clearTimeout(timer);
+      const err = new Error(typeof reason === 'string' ? reason : 'Connection closed');
+      err.code = 'ECONNRESET';
+      reject(err);
+    }
+    this._pending.clear();
+    if (this._readyReject && !this._connected) {
+      const err = new Error('Connection closed before ready');
+      err.code = 'ECONNRESET';
+      this._readyReject(err);
+    }
+    this._readyResolve = this._readyReject = null;
+    this._teardownSocket();
+    this._connected = false;
+    if (wasConnected) this.emit('disconnected');
+  }
+
+  _teardownSocket() {
+    if (!this.socket) return;
+    try {
+      this.socket.removeAllListeners();
+      this.socket.destroy();
+    } catch {
+      // already gone
+    }
+    this.socket = null;
+  }
+
+  destroy() {
+    // Best-effort close; don't emit 'disconnected' on an explicit teardown
+    // (the daemon calls destroy() itself and manages its own reconnect).
+    this._readyResolve = this._readyReject = null;
+    // Reject in-flight requests (mirrors _onClose) — a pushPresence parked on
+    // `await setActivity` when the watchdog tears the client down must settle,
+    // not leak as a forever-pending promise.
+    for (const { reject, timer } of this._pending.values()) {
+      clearTimeout(timer);
+      const err = new Error('Client destroyed');
+      err.code = 'ECONNRESET';
+      reject(err);
+    }
+    this._pending.clear();
+    this._teardownSocket();
+    this._connected = false;
+  }
+}

package/src/server/assets/dashboard.client.js

@@ -30,6 +30,12 @@
   let churnSeries = [];   // [{ d: Date, add, rem }] — for the churn-sparkline tooltip
 
   // ── Utilities ───────────────────────────────────────────
+  // Escape before any innerHTML interpolation: project/file/command/model
+  // names come from the aggregate, i.e. ultimately from directory and file
+  // names on disk — a repo named `<img onerror=…>` must render, not run.
+  const esc = (s) => String(s).replace(/[&<>"']/g, (c) => (
+    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
+  ));
   const fmtH = (ms) => {
     if (!ms) return '0h';
     const h = ms / 3_600_000;
@@ -232,10 +238,10 @@
       if (r.onClick) tr.classList.add('clickable');
       const ico = r.color ? '<span class="ico" style="background:' + r.color + '"></span>' : '';
       const nameHtml = opts.mono
-        ? '<code style="font-family: JetBrains Mono, monospace; font-size: 12px;">' + ico + r.name + '</code>'
-        : ico + r.name;
+        ? '<code style="font-family: JetBrains Mono, monospace; font-size: 12px;">' + ico + esc(r.name) + '</code>'
+        : ico + esc(r.name);
       tr.innerHTML = '<td class="name">' + nameHtml + '</td>' +
-                     '<td class="val">' + r.val + (r.unit ? '<span class="u">' + r.unit + '</span>' : '') + '</td>';
+                     '<td class="val">' + esc(r.val) + (r.unit ? '<span class="u">' + esc(r.unit) + '</span>' : '') + '</td>';
       if (r.onClick) tr.addEventListener('click', r.onClick);
       tbl.appendChild(tr);
     });
@@ -276,7 +282,7 @@
       const w = Math.max(2, (cost / total) * 100);
       const row = document.createElement('div');
       row.className = 'cost-bar';
-      row.innerHTML = '<span class="name">' + model + '</span>' +
+      row.innerHTML = '<span class="name">' + esc(model) + '</span>' +
         '<span class="track"><span class="fill" style="width:' + w.toFixed(0) + '%"></span></span>' +
         '<span class="val">' + fmtCost(cost) + '</span>';
       bars.appendChild(row);
@@ -303,7 +309,7 @@
       const row = document.createElement('div');
       row.className = 'row';
       row.innerHTML = '<span class="swatch" style="background:' + (LANGS[name] || '#888') + '"></span>' +
-        '<span class="name">' + name + '</span>' +
+        '<span class="name">' + esc(name) + '</span>' +
         '<span class="val">' + fmtN(v.edits) + ' edits · ' + fmtN(v.files) + ' files</span>';
       list.appendChild(row);
     }
@@ -337,7 +343,7 @@
       const isCurrent = i === onAir;
       li.className = isCurrent ? 'current' : f.passes ? 'live' : 'skip';
       const summary = f.passes ? ((f.details || '—') + (f.state ? ' · ' + f.state : '')) : (f.details || '—');
-      li.innerHTML = '<span class="pip"></span><span class="frame-text">' + summary + '</span>';
+      li.innerHTML = '<span class="pip"></span><span class="frame-text">' + esc(summary) + '</span>';
       ul.appendChild(li);
     });
   }

package/src/server/index.js

@@ -30,7 +30,20 @@ function parseUrl(rawUrl) {
   return { path: url.pathname, query: Object.fromEntries(url.searchParams) };
 }
 
+// Loopback-only Host allowlist. Binding to 127.0.0.1 blocks the LAN, but not
+// DNS rebinding: a malicious page can point its own hostname at 127.0.0.1 and
+// become "same-origin" with this server, then read /api/export.json. Rejecting
+// non-local Host headers closes that — browsers always send the page's host.
+function isLocalHost(host) {
+  const h = String(host || '').replace(/:\d+$/, '').replace(/^\[|\]$/g, '').toLowerCase();
+  return h === 'localhost' || h === '127.0.0.1' || h === '::1';
+}
+
 const server = createServer((req, res) => {
+  if (!isLocalHost(req.headers.host)) {
+    res.writeHead(403, JSON_HEADERS).end(JSON.stringify({ error: 'forbidden' }));
+    return;
+  }
   const { path, query } = parseUrl(req.url);
   const key = `${req.method} ${path}`;
 

package/src/state.js

@@ -8,6 +8,7 @@ import {
   closeSync,
   unlinkSync,
   statSync,
+  fstatSync,
 } from 'node:fs';
 import { basename } from 'node:path';
 import { STATE_PATH, STATE_DIR } from './paths.js';
@@ -110,11 +111,24 @@ function acquireLock() {
 
 function releaseLock(fd) {
   if (fd === null) return;
+  // Only unlink the lock if the path still points at OUR lock file. If this
+  // process somehow held it past LOCK_STALE_MS, a sibling has reclaimed the
+  // path (unlink + fresh 'wx' create); deleting that by path would collapse
+  // mutual exclusion for a third writer. Inode equality proves ownership.
+  let ours;
+  try {
+    const a = fstatSync(fd);
+    const b = statSync(LOCK_PATH);
+    ours = a.ino === b.ino && a.dev === b.dev;
+  } catch {
+    ours = false; // lock already gone — nothing to unlink
+  }
   try {
     closeSync(fd);
   } catch {
     /* already closed */
   }
+  if (!ours) return;
   try {
     unlinkSync(LOCK_PATH);
   } catch {

package/src/version.js

@@ -11,7 +11,7 @@ import { readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { ROOT } from './paths.js';
 
-const BAKED = '0.13.4';
+const BAKED = '0.13.6';
 
 function readPkgVersion() {
   try {