forge-remote 0.1.1 → 0.1.2

package/firestore.rules

@@ -0,0 +1,100 @@
+rules_version = '2';
+
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // Helper: request is from an authenticated user (including anonymous).
+    // In BYOF mode, the user owns their own Firebase project, so anonymous
+    // auth IS the auth method — there is no "public" access.
+    function isSignedIn() {
+      return request.auth != null;
+    }
+
+    // Helper: request is from the document owner.
+    function isOwner(uid) {
+      return request.auth != null && request.auth.uid == uid;
+    }
+
+    // Helper: enforce reasonable document size.
+    function isValidSize() {
+      return request.resource.data.keys().size() < 50;
+    }
+
+    // ---- Desktops ----
+    match /desktops/{desktopId} {
+      allow read: if isSignedIn();
+      allow create: if isSignedIn()
+                    && request.resource.data.keys().hasAll(['ownerUid', 'hostname', 'platform']);
+
+      // BYOF: user owns the entire Firebase project, so any authenticated
+      // user can update or delete desktops. No multi-user ownership needed.
+      allow update: if isSignedIn() && isValidSize();
+      allow delete: if isSignedIn();
+
+      // ---- Desktop commands (subcollection) ----
+      match /commands/{commandId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+    }
+
+    // ---- Sessions ----
+    match /sessions/{sessionId} {
+      allow read: if isSignedIn();
+      allow create: if isSignedIn()
+                    && request.resource.data.keys().hasAll(['ownerUid', 'desktopId', 'status']);
+      allow update: if isSignedIn()
+                    && isValidSize();
+
+      // ---- Messages (subcollection) ----
+      match /messages/{messageId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn()
+                      && request.resource.data.size() < 500000; // 500KB max per message
+      }
+
+      // ---- Commands (subcollection) ----
+      match /commands/{commandId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+
+      // ---- Permissions (subcollection) ----
+      match /permissions/{permId} {
+        allow read: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+
+      // ---- Tool calls (subcollection) ----
+      match /toolCalls/{toolCallId} {
+        allow read: if isSignedIn();
+      }
+    }
+
+    // ---- Pairing tokens ----
+    match /pairingTokens/{tokenId} {
+      allow read: if isSignedIn();
+      allow update: if isSignedIn()
+                    && !resource.data.used
+                    && request.resource.data.used == true
+                    && request.resource.data.keys().hasAll(['used', 'claimedBy'])
+                    && request.resource.data.claimedBy == request.auth.uid;
+    }
+
+    // ---- User profiles (for preferences) ----
+    match /users/{userId} {
+      allow read, write: if request.auth != null && request.auth.uid == userId;
+
+      match /fcmTokens/{tokenId} {
+        allow read, write: if request.auth != null && request.auth.uid == userId;
+      }
+    }
+
+    // Deny everything else by default.
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "forge-remote",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Desktop relay for Forge Remote — monitor and control Claude Code sessions from your phone",
   "type": "module",
   "license": "AGPL-3.0",
@@ -21,12 +21,14 @@
   },
   "files": [
     "src/",
+    "firestore.rules",
     "LICENSE",
     "README.md"
   ],
   "scripts": {
     "start": "node src/cli.js start",
-    "pair": "node src/cli.js pair"
+    "pair": "node src/cli.js pair",
+    "prepublishOnly": "cp ../firestore.rules ./firestore.rules"
   },
   "keywords": [
     "claude",

package/src/cloudflared-installer.js

@@ -0,0 +1,164 @@
+// Forge Remote Relay — Desktop Agent for Forge Remote
+// Copyright (c) 2025-2026 Iron Forge Apps
+// Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
+// AGPL-3.0 License — See LICENSE
+
+import { execSync } from "child_process";
+import {
+  existsSync,
+  mkdirSync,
+  chmodSync,
+  createWriteStream,
+  unlinkSync,
+} from "fs";
+import { join } from "path";
+import { homedir, platform, arch } from "os";
+import { get as httpsGet } from "https";
+
+const BASE_URL =
+  "https://github.com/cloudflare/cloudflared/releases/latest/download";
+
+const PLATFORM_URLS = {
+  "darwin-arm64": `${BASE_URL}/cloudflared-darwin-arm64.tgz`,
+  "darwin-x64": `${BASE_URL}/cloudflared-darwin-amd64.tgz`,
+  "linux-x64": `${BASE_URL}/cloudflared-linux-amd64`,
+  "linux-arm64": `${BASE_URL}/cloudflared-linux-arm64`,
+  "win32-x64": `${BASE_URL}/cloudflared-windows-amd64.exe`,
+};
+
+const BIN_DIR = join(homedir(), ".forge-remote", "bin");
+
+function getBinaryName() {
+  return platform() === "win32" ? "cloudflared.exe" : "cloudflared";
+}
+
+/**
+ * Return the absolute path to the local cloudflared binary, or null
+ * if it hasn't been installed yet.
+ */
+export function getLocalCloudflaredPath() {
+  const binPath = join(BIN_DIR, getBinaryName());
+  return existsSync(binPath) ? binPath : null;
+}
+
+/**
+ * Check if cloudflared is functional by running `cloudflared --version`.
+ */
+export function isCloudflaredWorking(binaryPath) {
+  try {
+    execSync(`"${binaryPath}" --version`, {
+      stdio: "pipe",
+      timeout: 10_000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Download a file from a URL, following up to 5 redirects.
+ * Returns a promise that resolves to the destination file path.
+ */
+function downloadFile(url, destPath, redirectsLeft = 5) {
+  return new Promise((resolve, reject) => {
+    if (redirectsLeft <= 0) {
+      return reject(new Error("Too many redirects"));
+    }
+
+    httpsGet(url, (res) => {
+      // Follow redirects (GitHub releases use 301/302).
+      if (
+        (res.statusCode === 301 || res.statusCode === 302) &&
+        res.headers.location
+      ) {
+        res.resume(); // Drain the response.
+        return resolve(
+          downloadFile(res.headers.location, destPath, redirectsLeft - 1),
+        );
+      }
+
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(
+          new Error(`Download failed: HTTP ${res.statusCode} from ${url}`),
+        );
+      }
+
+      const file = createWriteStream(destPath);
+      res.pipe(file);
+      file.on("finish", () => {
+        file.close(() => resolve(destPath));
+      });
+      file.on("error", (err) => {
+        unlinkSync(destPath);
+        reject(err);
+      });
+    }).on("error", reject);
+  });
+}
+
+/**
+ * Download the cloudflared binary for the current platform to
+ * ~/.forge-remote/bin/cloudflared. No-op if already present and functional.
+ *
+ * @returns {Promise<string>} Absolute path to the cloudflared binary.
+ * @throws {Error} If the platform is unsupported or download fails.
+ */
+export async function installCloudflared() {
+  const binPath = join(BIN_DIR, getBinaryName());
+
+  // Skip if already installed and working.
+  if (existsSync(binPath) && isCloudflaredWorking(binPath)) {
+    return binPath;
+  }
+
+  const key = `${platform()}-${arch()}`;
+  const url = PLATFORM_URLS[key];
+  if (!url) {
+    throw new Error(
+      `Unsupported platform: ${key}. ` +
+        `Install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/`,
+    );
+  }
+
+  // Ensure bin directory exists.
+  mkdirSync(BIN_DIR, { recursive: true });
+
+  const isTarball = url.endsWith(".tgz");
+
+  if (isTarball) {
+    // macOS: download tarball, extract the binary.
+    const tarPath = join(BIN_DIR, "cloudflared.tgz");
+    await downloadFile(url, tarPath);
+
+    try {
+      execSync(`tar xzf "${tarPath}" -C "${BIN_DIR}"`, { stdio: "pipe" });
+    } finally {
+      // Clean up tarball.
+      try {
+        unlinkSync(tarPath);
+      } catch {
+        // Ignore cleanup failure.
+      }
+    }
+  } else {
+    // Linux/Windows: download binary directly.
+    await downloadFile(url, binPath);
+  }
+
+  // Make executable (not needed on Windows).
+  if (platform() !== "win32") {
+    chmodSync(binPath, 0o755);
+  }
+
+  // Verify it works.
+  if (!isCloudflaredWorking(binPath)) {
+    throw new Error(
+      "cloudflared was downloaded but failed verification. " +
+        "Try installing manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+    );
+  }
+
+  return binPath;
+}

package/src/desktop.js

@@ -1,5 +1,7 @@
 import { getDb, FieldValue, Timestamp } from "./firebase.js";
-import { hostname, platform } from "os";
+import { hostname, platform, homedir } from "os";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 import { v4 as uuidv4 } from "uuid";
 import * as log from "./logger.js";
 
@@ -102,11 +104,22 @@ export async function createPairingToken(desktopId) {
 }
 
 /**
- * Get a stable desktop ID based on hostname.
- * In production you'd store this in a config file.
+ * Get a stable desktop ID.
+ * Reads from ~/.forge-remote/config.json (written by `init`) so the ID
+ * stays consistent even when macOS changes the hostname across networks.
+ * Falls back to hostname-based ID if config doesn't exist yet.
  */
 export function getDesktopId() {
-  // Use a consistent ID so the same machine always maps to the same doc.
+  const configPath = join(homedir(), ".forge-remote", "config.json");
+  if (existsSync(configPath)) {
+    try {
+      const config = JSON.parse(readFileSync(configPath, "utf-8"));
+      if (config.desktopId) return config.desktopId;
+    } catch {
+      // Fall through to hostname-based.
+    }
+  }
+
   const name = hostname()
     .toLowerCase()
     .replace(/[^a-z0-9]/g, "-");

package/src/google-auth.js

@@ -0,0 +1,334 @@
+// Forge Remote Relay — Desktop Agent for Forge Remote
+// Copyright (c) 2025-2026 Iron Forge Apps
+// Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
+// AGPL-3.0 License — See LICENSE
+
+import { readFileSync, existsSync } from "fs";
+import { join } from "path";
+import { homedir, platform } from "os";
+
+// ─── Firebase CLI OAuth credentials ─────────────────────────────────────────
+// These are the same public client credentials embedded in the Firebase CLI.
+// Using them to exchange the stored refresh token for an access token is
+// equivalent to what the Firebase CLI does internally.
+
+const FIREBASE_CLIENT_ID =
+  "563584335869-fgrhgmd47bqnekij5i8b5pr03ho849e6.apps.googleusercontent.com";
+const FIREBASE_CLIENT_SECRET = "j9iVZfS8kkCEFUPaAeJV0sAi";
+
+// ─── Token Management ───────────────────────────────────────────────────────
+
+/**
+ * Get the path to the Firebase CLI's stored credentials file.
+ */
+function getFirebaseConfigPath() {
+  if (platform() === "win32") {
+    const appData =
+      process.env.APPDATA || join(homedir(), "AppData", "Roaming");
+    return join(appData, "configstore", "firebase-tools.json");
+  }
+  return join(homedir(), ".config", "configstore", "firebase-tools.json");
+}
+
+/**
+ * Read the refresh token from the Firebase CLI's stored credentials.
+ * Returns null if no token is found.
+ */
+export function readRefreshToken() {
+  const configPath = getFirebaseConfigPath();
+  if (!existsSync(configPath)) {
+    return null;
+  }
+  try {
+    const config = JSON.parse(readFileSync(configPath, "utf-8"));
+    return config?.tokens?.refresh_token || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Exchange the Firebase CLI's refresh token for a fresh access token.
+ * Throws if the token exchange fails.
+ */
+export async function getAccessToken() {
+  const refreshToken = readRefreshToken();
+  if (!refreshToken) {
+    throw new Error(
+      "No Firebase CLI refresh token found. Run `firebase login` first.",
+    );
+  }
+
+  const response = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: FIREBASE_CLIENT_ID,
+      client_secret: FIREBASE_CLIENT_SECRET,
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+    }),
+  });
+
+  if (!response.ok) {
+    const err = await response.text();
+    throw new Error(
+      `Token exchange failed (run \`firebase login\` again): ${err}`,
+    );
+  }
+
+  const data = await response.json();
+  return data.access_token;
+}
+
+// ─── Anonymous Authentication ───────────────────────────────────────────────
+
+/**
+ * Enable Anonymous Authentication for the given Firebase project.
+ * Uses the Identity Toolkit Admin v2 API.
+ */
+export async function enableAnonymousAuth(projectId) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config?updateMask=signIn.anonymous.enabled`,
+    {
+      method: "PATCH",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+      body: JSON.stringify({
+        signIn: {
+          anonymous: {
+            enabled: true,
+          },
+        },
+      }),
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to enable Anonymous Auth: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  return true;
+}
+
+// ─── Google Cloud API Enablement ─────────────────────────────────────────────
+
+/**
+ * Enable a Google Cloud API for the given project.
+ * Uses the Service Usage API. Idempotent — safe to call even if already enabled.
+ * Waits for the operation to complete (up to ~60s).
+ */
+export async function enableApi(projectId, apiName) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://serviceusage.googleapis.com/v1/projects/${projectId}/services/${apiName}:enable`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to enable ${apiName}: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  // The response is a long-running operation. Poll until done.
+  const op = await response.json();
+  if (op.done) return true;
+
+  const opName = op.name;
+  for (let i = 0; i < 12; i++) {
+    await new Promise((r) => setTimeout(r, 5000));
+    const pollResp = await fetch(
+      `https://serviceusage.googleapis.com/v1/${opName}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "X-Goog-User-Project": projectId,
+        },
+      },
+    );
+    if (pollResp.ok) {
+      const pollData = await pollResp.json();
+      if (pollData.done) return true;
+    }
+  }
+
+  throw new Error(`Timed out waiting for ${apiName} to be enabled.`);
+}
+
+// ─── Service Account Management ─────────────────────────────────────────────
+
+/**
+ * Find the firebase-adminsdk service account for the given project.
+ * Returns the account object (with `.email`) or null if not found.
+ */
+export async function findFirebaseAdminSdkAccount(projectId) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts?pageSize=100`,
+    {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "X-Goog-User-Project": projectId,
+      },
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    throw new Error(
+      `Failed to list service accounts: ${err.error?.message || response.statusText}`,
+    );
+  }
+
+  const data = await response.json();
+  const accounts = data.accounts || [];
+  return (
+    accounts.find((a) => a.email && a.email.includes("firebase-adminsdk")) ||
+    null
+  );
+}
+
+/**
+ * Create a new private key for the given service account.
+ * Returns the parsed JSON key file content.
+ */
+export async function createServiceAccountKey(projectId, serviceAccountEmail) {
+  const token = await getAccessToken();
+
+  const response = await fetch(
+    `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts/${serviceAccountEmail}/keys`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "X-Goog-User-Project": projectId,
+      },
+      body: JSON.stringify({
+        privateKeyType: "TYPE_GOOGLE_CREDENTIALS_FILE",
+        keyAlgorithm: "KEY_ALG_RSA_2048",
+      }),
+    },
+  );
+
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({}));
+    const msg = err.error?.message || response.statusText;
+    if (msg.includes("maximum number of keys")) {
+      throw new Error(
+        `Service account has reached the 10-key limit. Delete old keys at:\n` +
+          `  https://console.cloud.google.com/iam-admin/serviceaccounts/details/${encodeURIComponent(serviceAccountEmail)}/keys?project=${projectId}`,
+      );
+    }
+    throw new Error(`Failed to create service account key: ${msg}`);
+  }
+
+  const data = await response.json();
+  const keyJson = Buffer.from(data.privateKeyData, "base64").toString("utf-8");
+  return JSON.parse(keyJson);
+}
+
+// ─── Firestore Security Rules ───────────────────────────────────────────────
+
+/**
+ * Deploy Firestore security rules via the Firebase Rules REST API.
+ *
+ * Two-step process:
+ *   1. Create a new ruleset containing the rules source.
+ *   2. Update (or create) the `cloud.firestore` release to point to it.
+ */
+export async function deployFirestoreRules(projectId, rulesContent) {
+  const token = await getAccessToken();
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json",
+    "X-Goog-User-Project": projectId,
+  };
+
+  // Step 1: Create ruleset
+  const rulesetResponse = await fetch(
+    `https://firebaserules.googleapis.com/v1/projects/${projectId}/rulesets`,
+    {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        source: {
+          files: [
+            {
+              content: rulesContent,
+              name: "firestore.rules",
+            },
+          ],
+        },
+      }),
+    },
+  );
+
+  if (!rulesetResponse.ok) {
+    const err = await rulesetResponse.json().catch(() => ({}));
+    throw new Error(
+      `Failed to create ruleset: ${err.error?.message || rulesetResponse.statusText}`,
+    );
+  }
+
+  const ruleset = await rulesetResponse.json();
+  const rulesetName = ruleset.name;
+
+  // Step 2: Update existing release, or create if it doesn't exist yet
+  const releaseName = `projects/${projectId}/releases/cloud.firestore`;
+  const releaseBody = {
+    release: {
+      name: releaseName,
+      rulesetName: rulesetName,
+    },
+  };
+
+  let releaseResponse = await fetch(
+    `https://firebaserules.googleapis.com/v1/${releaseName}`,
+    {
+      method: "PATCH",
+      headers,
+      body: JSON.stringify(releaseBody),
+    },
+  );
+
+  if (!releaseResponse.ok && releaseResponse.status === 404) {
+    // Release doesn't exist yet — create it
+    releaseResponse = await fetch(
+      `https://firebaserules.googleapis.com/v1/projects/${projectId}/releases`,
+      {
+        method: "POST",
+        headers,
+        body: JSON.stringify(releaseBody),
+      },
+    );
+  }
+
+  if (!releaseResponse.ok) {
+    const err = await releaseResponse.json().catch(() => ({}));
+    throw new Error(
+      `Failed to deploy rules release: ${err.error?.message || releaseResponse.statusText}`,
+    );
+  }
+
+  return true;
+}