forge-remote 0.1.0 → 0.1.2

package/firestore.rules

@@ -0,0 +1,100 @@
+rules_version = '2';
+
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // Helper: request is from an authenticated user (including anonymous).
+    // In BYOF mode, the user owns their own Firebase project, so anonymous
+    // auth IS the auth method — there is no "public" access.
+    function isSignedIn() {
+      return request.auth != null;
+    }
+
+    // Helper: request is from the document owner.
+    function isOwner(uid) {
+      return request.auth != null && request.auth.uid == uid;
+    }
+
+    // Helper: enforce reasonable document size.
+    function isValidSize() {
+      return request.resource.data.keys().size() < 50;
+    }
+
+    // ---- Desktops ----
+    match /desktops/{desktopId} {
+      allow read: if isSignedIn();
+      allow create: if isSignedIn()
+                    && request.resource.data.keys().hasAll(['ownerUid', 'hostname', 'platform']);
+
+      // BYOF: user owns the entire Firebase project, so any authenticated
+      // user can update or delete desktops. No multi-user ownership needed.
+      allow update: if isSignedIn() && isValidSize();
+      allow delete: if isSignedIn();
+
+      // ---- Desktop commands (subcollection) ----
+      match /commands/{commandId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+    }
+
+    // ---- Sessions ----
+    match /sessions/{sessionId} {
+      allow read: if isSignedIn();
+      allow create: if isSignedIn()
+                    && request.resource.data.keys().hasAll(['ownerUid', 'desktopId', 'status']);
+      allow update: if isSignedIn()
+                    && isValidSize();
+
+      // ---- Messages (subcollection) ----
+      match /messages/{messageId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn()
+                      && request.resource.data.size() < 500000; // 500KB max per message
+      }
+
+      // ---- Commands (subcollection) ----
+      match /commands/{commandId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+
+      // ---- Permissions (subcollection) ----
+      match /permissions/{permId} {
+        allow read: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+
+      // ---- Tool calls (subcollection) ----
+      match /toolCalls/{toolCallId} {
+        allow read: if isSignedIn();
+      }
+    }
+
+    // ---- Pairing tokens ----
+    match /pairingTokens/{tokenId} {
+      allow read: if isSignedIn();
+      allow update: if isSignedIn()
+                    && !resource.data.used
+                    && request.resource.data.used == true
+                    && request.resource.data.keys().hasAll(['used', 'claimedBy'])
+                    && request.resource.data.claimedBy == request.auth.uid;
+    }
+
+    // ---- User profiles (for preferences) ----
+    match /users/{userId} {
+      allow read, write: if request.auth != null && request.auth.uid == userId;
+
+      match /fcmTokens/{tokenId} {
+        allow read, write: if request.auth != null && request.auth.uid == userId;
+      }
+    }
+
+    // Deny everything else by default.
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "forge-remote",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Desktop relay for Forge Remote — monitor and control Claude Code sessions from your phone",
   "type": "module",
   "license": "AGPL-3.0",
@@ -21,12 +21,14 @@
   },
   "files": [
     "src/",
+    "firestore.rules",
     "LICENSE",
     "README.md"
   ],
   "scripts": {
     "start": "node src/cli.js start",
-    "pair": "node src/cli.js pair"
+    "pair": "node src/cli.js pair",
+    "prepublishOnly": "cp ../firestore.rules ./firestore.rules"
   },
   "keywords": [
     "claude",

package/src/cli.js

@@ -36,7 +36,7 @@ import * as log from "./logger.js";
 program
   .name("forge-remote")
   .description("Desktop relay for Forge Remote")
-  .version("0.1.0");
+  .version("0.1.1");
 
 /**
  * Load Firebase web SDK config.
@@ -74,19 +74,38 @@ function loadSdkConfig() {
       { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] },
     );
 
-    const parse = (field) => {
-      const m = output.match(new RegExp(`${field}:\\s*"([^"]+)"`));
-      return m ? m[1] : null;
-    };
-
-    const config = {
-      apiKey: parse("apiKey"),
-      authDomain: parse("authDomain"),
-      projectId: parse("projectId"),
-      storageBucket: parse("storageBucket"),
-      messagingSenderId: parse("messagingSenderId"),
-      appId: parse("appId"),
-    };
+    // Output may be JSON (quoted keys) or JS object (unquoted keys).
+    let config = null;
+    const jsonMatch = output.match(/\{[\s\S]*\}/);
+    if (jsonMatch) {
+      try {
+        const parsed = JSON.parse(jsonMatch[0]);
+        config = {
+          apiKey: parsed.apiKey,
+          authDomain: parsed.authDomain,
+          projectId: parsed.projectId,
+          storageBucket: parsed.storageBucket,
+          messagingSenderId: parsed.messagingSenderId,
+          appId: parsed.appId,
+        };
+      } catch {
+        // Not valid JSON — fall back to regex.
+      }
+    }
+    if (!config) {
+      const parse = (field) => {
+        const m = output.match(new RegExp(`"?${field}"?:\\s*"([^"]+)"`));
+        return m ? m[1] : null;
+      };
+      config = {
+        apiKey: parse("apiKey"),
+        authDomain: parse("authDomain"),
+        projectId: parse("projectId"),
+        storageBucket: parse("storageBucket"),
+        messagingSenderId: parse("messagingSenderId"),
+        appId: parse("appId"),
+      };
+    }
 
     if (!config.apiKey || !config.projectId) return null;
 

package/src/cloudflared-installer.js

@@ -0,0 +1,164 @@
+// Forge Remote Relay — Desktop Agent for Forge Remote
+// Copyright (c) 2025-2026 Iron Forge Apps
+// Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
+// AGPL-3.0 License — See LICENSE
+
+import { execSync } from "child_process";
+import {
+  existsSync,
+  mkdirSync,
+  chmodSync,
+  createWriteStream,
+  unlinkSync,
+} from "fs";
+import { join } from "path";
+import { homedir, platform, arch } from "os";
+import { get as httpsGet } from "https";
+
+const BASE_URL =
+  "https://github.com/cloudflare/cloudflared/releases/latest/download";
+
+const PLATFORM_URLS = {
+  "darwin-arm64": `${BASE_URL}/cloudflared-darwin-arm64.tgz`,
+  "darwin-x64": `${BASE_URL}/cloudflared-darwin-amd64.tgz`,
+  "linux-x64": `${BASE_URL}/cloudflared-linux-amd64`,
+  "linux-arm64": `${BASE_URL}/cloudflared-linux-arm64`,
+  "win32-x64": `${BASE_URL}/cloudflared-windows-amd64.exe`,
+};
+
+const BIN_DIR = join(homedir(), ".forge-remote", "bin");
+
+function getBinaryName() {
+  return platform() === "win32" ? "cloudflared.exe" : "cloudflared";
+}
+
+/**
+ * Return the absolute path to the local cloudflared binary, or null
+ * if it hasn't been installed yet.
+ */
+export function getLocalCloudflaredPath() {
+  const binPath = join(BIN_DIR, getBinaryName());
+  return existsSync(binPath) ? binPath : null;
+}
+
+/**
+ * Check if cloudflared is functional by running `cloudflared --version`.
+ */
+export function isCloudflaredWorking(binaryPath) {
+  try {
+    execSync(`"${binaryPath}" --version`, {
+      stdio: "pipe",
+      timeout: 10_000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Download a file from a URL, following up to 5 redirects.
+ * Returns a promise that resolves to the destination file path.
+ */
+function downloadFile(url, destPath, redirectsLeft = 5) {
+  return new Promise((resolve, reject) => {
+    if (redirectsLeft <= 0) {
+      return reject(new Error("Too many redirects"));
+    }
+
+    httpsGet(url, (res) => {
+      // Follow redirects (GitHub releases use 301/302).
+      if (
+        (res.statusCode === 301 || res.statusCode === 302) &&
+        res.headers.location
+      ) {
+        res.resume(); // Drain the response.
+        return resolve(
+          downloadFile(res.headers.location, destPath, redirectsLeft - 1),
+        );
+      }
+
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(
+          new Error(`Download failed: HTTP ${res.statusCode} from ${url}`),
+        );
+      }
+
+      const file = createWriteStream(destPath);
+      res.pipe(file);
+      file.on("finish", () => {
+        file.close(() => resolve(destPath));
+      });
+      file.on("error", (err) => {
+        unlinkSync(destPath);
+        reject(err);
+      });
+    }).on("error", reject);
+  });
+}
+
+/**
+ * Download the cloudflared binary for the current platform to
+ * ~/.forge-remote/bin/cloudflared. No-op if already present and functional.
+ *
+ * @returns {Promise<string>} Absolute path to the cloudflared binary.
+ * @throws {Error} If the platform is unsupported or download fails.
+ */
+export async function installCloudflared() {
+  const binPath = join(BIN_DIR, getBinaryName());
+
+  // Skip if already installed and working.
+  if (existsSync(binPath) && isCloudflaredWorking(binPath)) {
+    return binPath;
+  }
+
+  const key = `${platform()}-${arch()}`;
+  const url = PLATFORM_URLS[key];
+  if (!url) {
+    throw new Error(
+      `Unsupported platform: ${key}. ` +
+        `Install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/`,
+    );
+  }
+
+  // Ensure bin directory exists.
+  mkdirSync(BIN_DIR, { recursive: true });
+
+  const isTarball = url.endsWith(".tgz");
+
+  if (isTarball) {
+    // macOS: download tarball, extract the binary.
+    const tarPath = join(BIN_DIR, "cloudflared.tgz");
+    await downloadFile(url, tarPath);
+
+    try {
+      execSync(`tar xzf "${tarPath}" -C "${BIN_DIR}"`, { stdio: "pipe" });
+    } finally {
+      // Clean up tarball.
+      try {
+        unlinkSync(tarPath);
+      } catch {
+        // Ignore cleanup failure.
+      }
+    }
+  } else {
+    // Linux/Windows: download binary directly.
+    await downloadFile(url, binPath);
+  }
+
+  // Make executable (not needed on Windows).
+  if (platform() !== "win32") {
+    chmodSync(binPath, 0o755);
+  }
+
+  // Verify it works.
+  if (!isCloudflaredWorking(binPath)) {
+    throw new Error(
+      "cloudflared was downloaded but failed verification. " +
+        "Try installing manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+    );
+  }
+
+  return binPath;
+}

package/src/desktop.js

@@ -1,5 +1,7 @@
 import { getDb, FieldValue, Timestamp } from "./firebase.js";
-import { hostname, platform } from "os";
+import { hostname, platform, homedir } from "os";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 import { v4 as uuidv4 } from "uuid";
 import * as log from "./logger.js";
 
@@ -102,11 +104,22 @@ export async function createPairingToken(desktopId) {
 }
 
 /**
- * Get a stable desktop ID based on hostname.
- * In production you'd store this in a config file.
+ * Get a stable desktop ID.
+ * Reads from ~/.forge-remote/config.json (written by `init`) so the ID
+ * stays consistent even when macOS changes the hostname across networks.
+ * Falls back to hostname-based ID if config doesn't exist yet.
  */
 export function getDesktopId() {
-  // Use a consistent ID so the same machine always maps to the same doc.
+  const configPath = join(homedir(), ".forge-remote", "config.json");
+  if (existsSync(configPath)) {
+    try {
+      const config = JSON.parse(readFileSync(configPath, "utf-8"));
+      if (config.desktopId) return config.desktopId;
+    } catch {
+      // Fall through to hostname-based.
+    }
+  }
+
   const name = hostname()
     .toLowerCase()
     .replace(/[^a-z0-9]/g, "-");