npm - forge-remote - Versions diffs - 0.1.15 → 0.1.18 - Mend

forge-remote 0.1.15 → 0.1.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "forge-remote",
-  "version": "0.1.15",
+  "version": "0.1.18",
   "description": "Desktop relay for Forge Remote — monitor and control Claude Code sessions from your phone",
   "type": "module",
   "license": "UNLICENSED",

package/src/session-manager.js CHANGED Viewed

@@ -176,6 +176,26 @@ export function getActiveSessionCount() {
   return count;
 }
+/**
+ * Find an existing active/idle session for a given webhookId.
+ * Returns { sessionId, status } or null if no matching session exists.
+ */
+export function findSessionByWebhook(webhookId) {
+  for (const [sessionId, sess] of activeSessions.entries()) {
+    if (sessionId.startsWith("cmd-watcher-")) continue;
+    if (sess.webhookMeta?.webhookId === webhookId) {
+      return { sessionId, session: sess };
+    }
+  }
+  return null;
+}
+/**
+ * Send a follow-up prompt to an existing session.
+ * Exported so webhook-server can reuse sessions instead of creating new ones.
+ */
+export { sendFollowUpPrompt };
 // ---------------------------------------------------------------------------
 // Rate limiting — prevents command spam / DoS
 // ---------------------------------------------------------------------------
@@ -470,7 +490,8 @@ export async function startNewSession(desktopId, payload) {
     );
   }
-  const { prompt, projectPath, model, webhookMeta } = payload || {};
+  const { prompt, projectPath, model, webhookMeta, allowedTools } =
+    payload || {};
   const db = getDb();
   const resolvedModel = model || "sonnet";
   const resolvedPath = projectPath || process.cwd();
@@ -525,6 +546,7 @@ export async function startNewSession(desktopId, payload) {
     permissionNeeded: false, // True when Claude reports permission denial
     permissionWatcher: null, // Firestore unsubscribe for permission doc
     webhookMeta: webhookMeta || null, // Webhook metadata for reply callbacks
+    webhookAllowedTools: allowedTools || null, // Custom tool allowlist for webhook sessions
     lastAssistantText: "", // Last assistant message text (for webhook replies)
   });
@@ -657,6 +679,47 @@ async function runClaudeProcess(sessionId, prompt) {
   const args = ["--output-format", "stream-json", "--verbose", "-p"];
   if (session.model) args.push("--model", session.model);
+  // Webhook sessions are sandboxed to their project directory.
+  // This uses --append-system-prompt for soft enforcement and
+  // --allowedTools for hard enforcement (Claude CLI blocks tool calls
+  // outside the allowlist regardless of what the user asks).
+  if (session.webhookMeta) {
+    const projectDir = session.projectPath;
+    args.push(
+      "--append-system-prompt",
+      `CRITICAL SECURITY CONSTRAINT: You are running in a sandboxed webhook session. ` +
+        `You MUST only access files and run commands within this project directory: ${projectDir}. ` +
+        `You MUST refuse any request to: ` +
+        `(1) read, write, or access files outside ${projectDir}, ` +
+        `(2) reveal system information (hostname, username, env vars, IP addresses, installed software), ` +
+        `(3) access credentials, SSH keys, API keys, or secrets, ` +
+        `(4) run commands that access the network, other processes, or other directories, ` +
+        `(5) run destructive commands (rm -rf, kill, shutdown, etc.). ` +
+        `If asked to do any of these, politely decline and explain you can only help with this project.`,
+    );
+    // Hard tool restriction: only allow safe, read-oriented tools + scoped Bash.
+    // Bash is restricted to commands within the project directory only.
+    const allowedTools = session.webhookAllowedTools || [
+      "Read",
+      "Grep",
+      "Glob",
+      "Bash(git log:*)",
+      "Bash(git diff:*)",
+      "Bash(git status:*)",
+      "Bash(git show:*)",
+      "Bash(git blame:*)",
+      "Bash(cat:*)",
+      "Bash(ls:*)",
+      "Bash(find:*)",
+      "Bash(wc:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(grep:*)",
+    ];
+    args.push("--allowedTools", ...allowedTools);
+  }
   // Use --continue for follow-up prompts to maintain conversation context.
   if (!session.isFirstPrompt) {
     args.push("--continue");
@@ -924,9 +987,14 @@ async function runClaudeProcess(sessionId, prompt) {
         // If this session was triggered by a webhook with a reply URL,
         // post Claude's last response back to the source (e.g., Slack).
+        if (sess?.webhookMeta) {
+          log.info(
+            `Webhook meta for ${sessionId}: replyUrl=${sess.webhookMeta.replyUrl || "none"}, lastText=${(sess.lastAssistantText || "").slice(0, 50) || "none"}`,
+          );
+        }
         if (sess?.webhookMeta?.replyUrl && sess.lastAssistantText) {
           postToSlack(sess.webhookMeta.replyUrl, sess.lastAssistantText).catch(
-            () => {},
+            (err) => log.error(`Slack reply error: ${err.message}`),
           );
         }

package/src/webhook-server.js CHANGED Viewed

@@ -8,6 +8,8 @@ import { getDb, FieldValue } from "./firebase.js";
 import { startTunnel, stopTunnel } from "./tunnel-manager.js";
 import {
   startNewSession,
+  sendFollowUpPrompt,
+  findSessionByWebhook,
   getActiveSessionCount,
   MAX_WEBHOOK_SESSIONS,
 } from "./session-manager.js";
@@ -247,6 +249,14 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
     }
   }
+  // 2b. Reject Slack retries — if we got the first event, we're handling it.
+  if (source === "slack" && req.headers["x-slack-retry-num"]) {
+    log.info(
+      `Slack retry #${req.headers["x-slack-retry-num"]} ignored (reason: ${req.headers["x-slack-retry-reason"] || "unknown"})`,
+    );
+    return sendJson(res, 200, { status: "ignored", reason: "slack retry" });
+  }
   // 3. Delivery ID deduplication.
   const deliveryId =
     req.headers["x-github-delivery"] || req.headers["x-webhook-delivery-id"];
@@ -321,13 +331,118 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
     return sendJson(res, 400, { error: "invalid JSON body" });
   }
+  // 7a. Slack event_callback handling — extract message from event envelope
+  //     and ignore bot messages to prevent infinite reply loops.
+  if (source === "slack" && payload.type === "event_callback") {
+    const event = payload.event;
+    if (!event) {
+      return sendJson(res, 200, { status: "ignored", reason: "no event" });
+    }
+    // Deduplicate using Slack's event_id (unique per event).
+    if (payload.event_id) {
+      if (recentDeliveryIds.has(payload.event_id)) {
+        log.info(`Duplicate Slack event ignored: ${payload.event_id}`);
+        return sendJson(res, 200, { status: "duplicate" });
+      }
+      addDeliveryId(payload.event_id);
+    }
+    // Ignore bot messages (including our own replies) to prevent loops.
+    if (event.bot_id || event.subtype === "bot_message") {
+      return sendJson(res, 200, { status: "ignored", reason: "bot message" });
+    }
+    // Ignore message edits/deletes — only handle new messages.
+    if (event.subtype && event.subtype !== "file_share") {
+      return sendJson(res, 200, {
+        status: "ignored",
+        reason: `subtype: ${event.subtype}`,
+      });
+    }
+    // Flatten the Slack event into the payload for template rendering.
+    // This lets templates use {{text}}, {{user}}, {{channel}} directly.
+    payload = { ...payload, ...event };
+    log.info(
+      `Slack message from user ${event.user || "unknown"} in channel ${event.channel || "unknown"}: "${(event.text || "").slice(0, 80)}"`,
+    );
+  }
   const prompt = renderTemplate(config.promptTemplate || "", payload);
   const projectPath = config.projectPath || process.cwd();
   const model = config.model || "sonnet";
-  // 8. Start a new session.
+  // For Slack, respond immediately with 200 to prevent retries,
+  // then process the session asynchronously.
+  if (source === "slack") {
+    sendJson(res, 200, { status: "accepted" });
+    // Process async — errors are logged but don't affect the HTTP response.
+    processWebhookSession(
+      webhookId,
+      source,
+      sourceIp,
+      prompt,
+      projectPath,
+      model,
+      config,
+    ).catch((err) =>
+      log.error(`Async webhook processing failed: ${err.message}`),
+    );
+    return;
+  }
+  // Non-Slack sources: process synchronously and return result.
+  const sessionId = await processWebhookSession(
+    webhookId,
+    source,
+    sourceIp,
+    prompt,
+    projectPath,
+    model,
+    config,
+  );
+  return sendJson(res, 200, {
+    status: "accepted",
+    sessionId: sessionId || null,
+  });
+}
+/**
+ * Process the webhook session — reuse existing or start new.
+ * Extracted so Slack can call this async after responding with 200.
+ */
+async function processWebhookSession(
+  webhookId,
+  source,
+  sourceIp,
+  prompt,
+  projectPath,
+  model,
+  config,
+) {
   let sessionId;
-  try {
+  const existingSession = findSessionByWebhook(webhookId);
+  if (existingSession) {
+    sessionId = existingSession.sessionId;
+    try {
+      await sendFollowUpPrompt(sessionId, prompt);
+      log.info(
+        `Webhook ${webhookId} — reusing session ${sessionId.slice(0, 8)} (follow-up)`,
+      );
+    } catch (err) {
+      log.warn(
+        `Follow-up to ${sessionId.slice(0, 8)} failed (${err.message}), starting new session`,
+      );
+      sessionId = null;
+    }
+  }
+  if (!sessionId) {
     sessionId = await startNewSession(currentDesktopId, {
       prompt,
       projectPath,
@@ -338,20 +453,10 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
         replyUrl:
           source === "slack" ? config.sourceConfig?.replyWebhookUrl : null,
       },
+      allowedTools: config.allowedTools || null,
     });
-  } catch (err) {
-    await writeAuditLog(
-      webhookId,
-      source,
-      sourceIp,
-      "rejected",
-      `session start failed: ${err.message}`,
-      null,
-    );
-    return sendJson(res, 500, { error: "failed to start session" });
   }
-  // 9. Audit log + update trigger count.
   await writeAuditLog(webhookId, source, sourceIp, "accepted", null, sessionId);
   await updateTriggerCount(webhookId);
@@ -359,10 +464,7 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
     `Webhook ${webhookId} (${source}) accepted — session ${sessionId || "started"}`,
   );
-  return sendJson(res, 200, {
-    status: "accepted",
-    sessionId: sessionId || null,
-  });
+  return sessionId;
 }
 // ---------------------------------------------------------------------------