forge-remote 0.1.1 → 0.1.3

package/firestore.rules

@@ -0,0 +1,100 @@
+rules_version = '2';
+
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // Helper: request is from an authenticated user (including anonymous).
+    // In BYOF mode, the user owns their own Firebase project, so anonymous
+    // auth IS the auth method — there is no "public" access.
+    function isSignedIn() {
+      return request.auth != null;
+    }
+
+    // Helper: request is from the document owner.
+    function isOwner(uid) {
+      return request.auth != null && request.auth.uid == uid;
+    }
+
+    // Helper: enforce reasonable document size.
+    function isValidSize() {
+      return request.resource.data.keys().size() < 50;
+    }
+
+    // ---- Desktops ----
+    match /desktops/{desktopId} {
+      allow read: if isSignedIn();
+      allow create: if isSignedIn()
+                    && request.resource.data.keys().hasAll(['ownerUid', 'hostname', 'platform']);
+
+      // BYOF: user owns the entire Firebase project, so any authenticated
+      // user can update or delete desktops. No multi-user ownership needed.
+      allow update: if isSignedIn() && isValidSize();
+      allow delete: if isSignedIn();
+
+      // ---- Desktop commands (subcollection) ----
+      match /commands/{commandId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+    }
+
+    // ---- Sessions ----
+    match /sessions/{sessionId} {
+      allow read: if isSignedIn();
+      allow create: if isSignedIn()
+                    && request.resource.data.keys().hasAll(['ownerUid', 'desktopId', 'status']);
+      allow update: if isSignedIn()
+                    && isValidSize();
+
+      // ---- Messages (subcollection) ----
+      match /messages/{messageId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn()
+                      && request.resource.data.size() < 500000; // 500KB max per message
+      }
+
+      // ---- Commands (subcollection) ----
+      match /commands/{commandId} {
+        allow read: if isSignedIn();
+        allow create: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+
+      // ---- Permissions (subcollection) ----
+      match /permissions/{permId} {
+        allow read: if isSignedIn();
+        allow update: if isSignedIn();
+      }
+
+      // ---- Tool calls (subcollection) ----
+      match /toolCalls/{toolCallId} {
+        allow read: if isSignedIn();
+      }
+    }
+
+    // ---- Pairing tokens ----
+    match /pairingTokens/{tokenId} {
+      allow read: if isSignedIn();
+      allow update: if isSignedIn()
+                    && !resource.data.used
+                    && request.resource.data.used == true
+                    && request.resource.data.keys().hasAll(['used', 'claimedBy'])
+                    && request.resource.data.claimedBy == request.auth.uid;
+    }
+
+    // ---- User profiles (for preferences) ----
+    match /users/{userId} {
+      allow read, write: if request.auth != null && request.auth.uid == userId;
+
+      match /fcmTokens/{tokenId} {
+        allow read, write: if request.auth != null && request.auth.uid == userId;
+      }
+    }
+
+    // Deny everything else by default.
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "forge-remote",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Desktop relay for Forge Remote — monitor and control Claude Code sessions from your phone",
   "type": "module",
-  "license": "AGPL-3.0",
+  "license": "UNLICENSED",
   "author": "Daniel Wendel <daniel@ironforgeapps.com> (https://ironforgeapps.com)",
   "repository": {
     "type": "git",
@@ -21,12 +21,13 @@
   },
   "files": [
     "src/",
-    "LICENSE",
+    "firestore.rules",
     "README.md"
   ],
   "scripts": {
     "start": "node src/cli.js start",
-    "pair": "node src/cli.js pair"
+    "pair": "node src/cli.js pair",
+    "prepublishOnly": "cp ../firestore.rules ./firestore.rules"
   },
   "keywords": [
     "claude",

package/src/cli.js

@@ -3,10 +3,9 @@
 // Forge Remote Relay — Desktop Agent for Forge Remote
 // Copyright (c) 2025-2026 Iron Forge Apps
 // Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
-// AGPL-3.0 License — See LICENSE
 
 import { program } from "commander";
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 import { readFileSync, existsSync, writeFileSync } from "fs";
 import { join } from "path";
 import { hostname, homedir } from "os";
@@ -67,10 +66,14 @@ function loadSdkConfig() {
     return null;
   }
 
+  // Validate project ID before using it in any command.
+  if (!/^[a-z][a-z0-9-]{4,28}[a-z0-9]$/.test(projectId)) return null;
+
   // 3. Fetch via Firebase CLI.
   try {
-    const output = execSync(
-      `firebase apps:sdkconfig web --project ${projectId}`,
+    const output = execFileSync(
+      "firebase",
+      ["apps:sdkconfig", "web", "--project", projectId],
       { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] },
     );
 
@@ -110,7 +113,7 @@ function loadSdkConfig() {
     if (!config.apiKey || !config.projectId) return null;
 
     // Cache for next time.
-    writeFileSync(cachedPath, JSON.stringify(config, null, 2));
+    writeFileSync(cachedPath, JSON.stringify(config, null, 2), { mode: 0o600 });
     return config;
   } catch {
     return null;

package/src/cloudflared-installer.js

@@ -0,0 +1,163 @@
+// Forge Remote Relay — Desktop Agent for Forge Remote
+// Copyright (c) 2025-2026 Iron Forge Apps
+// Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
+
+import { execSync } from "child_process";
+import {
+  existsSync,
+  mkdirSync,
+  chmodSync,
+  createWriteStream,
+  unlinkSync,
+} from "fs";
+import { join } from "path";
+import { homedir, platform, arch } from "os";
+import { get as httpsGet } from "https";
+
+const BASE_URL =
+  "https://github.com/cloudflare/cloudflared/releases/latest/download";
+
+const PLATFORM_URLS = {
+  "darwin-arm64": `${BASE_URL}/cloudflared-darwin-arm64.tgz`,
+  "darwin-x64": `${BASE_URL}/cloudflared-darwin-amd64.tgz`,
+  "linux-x64": `${BASE_URL}/cloudflared-linux-amd64`,
+  "linux-arm64": `${BASE_URL}/cloudflared-linux-arm64`,
+  "win32-x64": `${BASE_URL}/cloudflared-windows-amd64.exe`,
+};
+
+const BIN_DIR = join(homedir(), ".forge-remote", "bin");
+
+function getBinaryName() {
+  return platform() === "win32" ? "cloudflared.exe" : "cloudflared";
+}
+
+/**
+ * Return the absolute path to the local cloudflared binary, or null
+ * if it hasn't been installed yet.
+ */
+export function getLocalCloudflaredPath() {
+  const binPath = join(BIN_DIR, getBinaryName());
+  return existsSync(binPath) ? binPath : null;
+}
+
+/**
+ * Check if cloudflared is functional by running `cloudflared --version`.
+ */
+export function isCloudflaredWorking(binaryPath) {
+  try {
+    execSync(`"${binaryPath}" --version`, {
+      stdio: "pipe",
+      timeout: 10_000,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Download a file from a URL, following up to 5 redirects.
+ * Returns a promise that resolves to the destination file path.
+ */
+function downloadFile(url, destPath, redirectsLeft = 5) {
+  return new Promise((resolve, reject) => {
+    if (redirectsLeft <= 0) {
+      return reject(new Error("Too many redirects"));
+    }
+
+    httpsGet(url, (res) => {
+      // Follow redirects (GitHub releases use 301/302).
+      if (
+        (res.statusCode === 301 || res.statusCode === 302) &&
+        res.headers.location
+      ) {
+        res.resume(); // Drain the response.
+        return resolve(
+          downloadFile(res.headers.location, destPath, redirectsLeft - 1),
+        );
+      }
+
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(
+          new Error(`Download failed: HTTP ${res.statusCode} from ${url}`),
+        );
+      }
+
+      const file = createWriteStream(destPath);
+      res.pipe(file);
+      file.on("finish", () => {
+        file.close(() => resolve(destPath));
+      });
+      file.on("error", (err) => {
+        unlinkSync(destPath);
+        reject(err);
+      });
+    }).on("error", reject);
+  });
+}
+
+/**
+ * Download the cloudflared binary for the current platform to
+ * ~/.forge-remote/bin/cloudflared. No-op if already present and functional.
+ *
+ * @returns {Promise<string>} Absolute path to the cloudflared binary.
+ * @throws {Error} If the platform is unsupported or download fails.
+ */
+export async function installCloudflared() {
+  const binPath = join(BIN_DIR, getBinaryName());
+
+  // Skip if already installed and working.
+  if (existsSync(binPath) && isCloudflaredWorking(binPath)) {
+    return binPath;
+  }
+
+  const key = `${platform()}-${arch()}`;
+  const url = PLATFORM_URLS[key];
+  if (!url) {
+    throw new Error(
+      `Unsupported platform: ${key}. ` +
+        `Install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/`,
+    );
+  }
+
+  // Ensure bin directory exists.
+  mkdirSync(BIN_DIR, { recursive: true });
+
+  const isTarball = url.endsWith(".tgz");
+
+  if (isTarball) {
+    // macOS: download tarball, extract the binary.
+    const tarPath = join(BIN_DIR, "cloudflared.tgz");
+    await downloadFile(url, tarPath);
+
+    try {
+      execSync(`tar xzf "${tarPath}" -C "${BIN_DIR}"`, { stdio: "pipe" });
+    } finally {
+      // Clean up tarball.
+      try {
+        unlinkSync(tarPath);
+      } catch {
+        // Ignore cleanup failure.
+      }
+    }
+  } else {
+    // Linux/Windows: download binary directly.
+    await downloadFile(url, binPath);
+  }
+
+  // Make executable (not needed on Windows).
+  if (platform() !== "win32") {
+    chmodSync(binPath, 0o755);
+  }
+
+  // Verify it works.
+  if (!isCloudflaredWorking(binPath)) {
+    throw new Error(
+      "cloudflared was downloaded but failed verification. " +
+        "Try installing manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+    );
+  }
+
+  return binPath;
+}

package/src/desktop.js

@@ -1,5 +1,7 @@
 import { getDb, FieldValue, Timestamp } from "./firebase.js";
-import { hostname, platform } from "os";
+import { hostname, platform, homedir } from "os";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 import { v4 as uuidv4 } from "uuid";
 import * as log from "./logger.js";
 
@@ -102,11 +104,22 @@ export async function createPairingToken(desktopId) {
 }
 
 /**
- * Get a stable desktop ID based on hostname.
- * In production you'd store this in a config file.
+ * Get a stable desktop ID.
+ * Reads from ~/.forge-remote/config.json (written by `init`) so the ID
+ * stays consistent even when macOS changes the hostname across networks.
+ * Falls back to hostname-based ID if config doesn't exist yet.
  */
 export function getDesktopId() {
-  // Use a consistent ID so the same machine always maps to the same doc.
+  const configPath = join(homedir(), ".forge-remote", "config.json");
+  if (existsSync(configPath)) {
+    try {
+      const config = JSON.parse(readFileSync(configPath, "utf-8"));
+      if (config.desktopId) return config.desktopId;
+    } catch {
+      // Fall through to hostname-based.
+    }
+  }
+
   const name = hostname()
     .toLowerCase()
     .replace(/[^a-z0-9]/g, "-");