npm - forge-remote - Versions diffs - 0.1.16 → 0.1.19 - Mend

forge-remote 0.1.16 → 0.1.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "forge-remote",
-  "version": "0.1.16",
+  "version": "0.1.19",
   "description": "Desktop relay for Forge Remote — monitor and control Claude Code sessions from your phone",
   "type": "module",
   "license": "UNLICENSED",

package/src/session-manager.js CHANGED Viewed

@@ -176,6 +176,26 @@ export function getActiveSessionCount() {
   return count;
 }
+/**
+ * Find an existing active/idle session for a given webhookId.
+ * Returns { sessionId, status } or null if no matching session exists.
+ */
+export function findSessionByWebhook(webhookId) {
+  for (const [sessionId, sess] of activeSessions.entries()) {
+    if (sessionId.startsWith("cmd-watcher-")) continue;
+    if (sess.webhookMeta?.webhookId === webhookId) {
+      return { sessionId, session: sess };
+    }
+  }
+  return null;
+}
+/**
+ * Send a follow-up prompt to an existing session.
+ * Exported so webhook-server can reuse sessions instead of creating new ones.
+ */
+export { sendFollowUpPrompt };
 // ---------------------------------------------------------------------------
 // Rate limiting — prevents command spam / DoS
 // ---------------------------------------------------------------------------
@@ -470,7 +490,8 @@ export async function startNewSession(desktopId, payload) {
     );
   }
-  const { prompt, projectPath, model, webhookMeta } = payload || {};
+  const { prompt, projectPath, model, webhookMeta, allowedTools } =
+    payload || {};
   const db = getDb();
   const resolvedModel = model || "sonnet";
   const resolvedPath = projectPath || process.cwd();
@@ -525,6 +546,7 @@ export async function startNewSession(desktopId, payload) {
     permissionNeeded: false, // True when Claude reports permission denial
     permissionWatcher: null, // Firestore unsubscribe for permission doc
     webhookMeta: webhookMeta || null, // Webhook metadata for reply callbacks
+    webhookAllowedTools: allowedTools || null, // Custom tool allowlist for webhook sessions
     lastAssistantText: "", // Last assistant message text (for webhook replies)
   });
@@ -657,13 +679,59 @@ async function runClaudeProcess(sessionId, prompt) {
   const args = ["--output-format", "stream-json", "--verbose", "-p"];
   if (session.model) args.push("--model", session.model);
+  // Webhook sessions are sandboxed to their project directory.
+  // This uses --append-system-prompt for soft enforcement and
+  // --allowedTools for hard enforcement (Claude CLI blocks tool calls
+  // outside the allowlist regardless of what the user asks).
+  if (session.webhookMeta) {
+    const projectDir = session.projectPath;
+    args.push(
+      "--append-system-prompt",
+      `CRITICAL SECURITY CONSTRAINT: You are running in a sandboxed webhook session. ` +
+        `You MUST only access files and run commands within this project directory: ${projectDir}. ` +
+        `You MUST refuse any request to: ` +
+        `(1) read, write, or access files outside ${projectDir}, ` +
+        `(2) reveal system information (hostname, username, env vars, IP addresses, installed software), ` +
+        `(3) access credentials, SSH keys, API keys, or secrets, ` +
+        `(4) run commands that access the network, other processes, or other directories, ` +
+        `(5) run destructive commands (rm -rf, kill, shutdown, etc.). ` +
+        `If asked to do any of these, politely decline and explain you can only help with this project.`,
+    );
+    // Hard tool restriction: only allow safe, read-oriented tools + scoped Bash.
+    // Bash is restricted to commands within the project directory only.
+    const allowedTools = session.webhookAllowedTools || [
+      "Read",
+      "Grep",
+      "Glob",
+      "Bash(git log:*)",
+      "Bash(git diff:*)",
+      "Bash(git status:*)",
+      "Bash(git show:*)",
+      "Bash(git blame:*)",
+      "Bash(cat:*)",
+      "Bash(ls:*)",
+      "Bash(find:*)",
+      "Bash(wc:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(grep:*)",
+    ];
+    args.push("--allowedTools", ...allowedTools);
+  }
   // Use --continue for follow-up prompts to maintain conversation context.
   if (!session.isFirstPrompt) {
     args.push("--continue");
   }
   session.isFirstPrompt = false;
-  args.push(prompt);
+  // IMPORTANT: When --allowedTools is used, it consumes all remaining
+  // positional args. So we must pass the prompt via stdin instead.
+  const promptViaStdin = !!session.webhookMeta;
+  if (!promptViaStdin) {
+    args.push(prompt);
+  }
   log.session(sessionId, `Spawning: ${claudeBinary} ${args.join(" ")}`);
@@ -678,9 +746,15 @@ async function runClaudeProcess(sessionId, prompt) {
   session.process = claudeProcess;
-  // Close stdin immediately — `-p` mode reads the prompt from args, not stdin.
-  // Leaving stdin open can cause Claude CLI to hang waiting for input.
-  claudeProcess.stdin.end();
+  // When --allowedTools is used (webhook sessions), the prompt is sent via
+  // stdin because --allowedTools is variadic and would consume the prompt
+  // if passed as a positional arg. Otherwise, close stdin immediately.
+  if (promptViaStdin) {
+    claudeProcess.stdin.write(prompt);
+    claudeProcess.stdin.end();
+  } else {
+    claudeProcess.stdin.end();
+  }
   log.session(sessionId, `Process started — PID ${claudeProcess.pid}`);

package/src/webhook-server.js CHANGED Viewed

@@ -8,6 +8,8 @@ import { getDb, FieldValue } from "./firebase.js";
 import { startTunnel, stopTunnel } from "./tunnel-manager.js";
 import {
   startNewSession,
+  sendFollowUpPrompt,
+  findSessionByWebhook,
   getActiveSessionCount,
   MAX_WEBHOOK_SESSIONS,
 } from "./session-manager.js";
@@ -247,6 +249,14 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
     }
   }
+  // 2b. Reject Slack retries — if we got the first event, we're handling it.
+  if (source === "slack" && req.headers["x-slack-retry-num"]) {
+    log.info(
+      `Slack retry #${req.headers["x-slack-retry-num"]} ignored (reason: ${req.headers["x-slack-retry-reason"] || "unknown"})`,
+    );
+    return sendJson(res, 200, { status: "ignored", reason: "slack retry" });
+  }
   // 3. Delivery ID deduplication.
   const deliveryId =
     req.headers["x-github-delivery"] || req.headers["x-webhook-delivery-id"];
@@ -329,6 +339,15 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
       return sendJson(res, 200, { status: "ignored", reason: "no event" });
     }
+    // Deduplicate using Slack's event_id (unique per event).
+    if (payload.event_id) {
+      if (recentDeliveryIds.has(payload.event_id)) {
+        log.info(`Duplicate Slack event ignored: ${payload.event_id}`);
+        return sendJson(res, 200, { status: "duplicate" });
+      }
+      addDeliveryId(payload.event_id);
+    }
     // Ignore bot messages (including our own replies) to prevent loops.
     if (event.bot_id || event.subtype === "bot_message") {
       return sendJson(res, 200, { status: "ignored", reason: "bot message" });
@@ -342,6 +361,21 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
       });
     }
+    // When subscribed to both message and app_mention events, Slack sends
+    // separate events for the same user message. Deduplicate by using the
+    // Slack message timestamp (ts) which is identical across both events.
+    if (event.ts) {
+      const tsKey = `slack-ts:${event.channel}:${event.ts}`;
+      if (recentDeliveryIds.has(tsKey)) {
+        log.info(`Duplicate Slack message ts ignored: ${event.ts}`);
+        return sendJson(res, 200, {
+          status: "duplicate",
+          reason: "same message ts",
+        });
+      }
+      addDeliveryId(tsKey);
+    }
     // Flatten the Slack event into the payload for template rendering.
     // This lets templates use {{text}}, {{user}}, {{channel}} directly.
     payload = { ...payload, ...event };
@@ -355,9 +389,75 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
   const projectPath = config.projectPath || process.cwd();
   const model = config.model || "sonnet";
-  // 8. Start a new session.
+  // For Slack, respond immediately with 200 to prevent retries,
+  // then process the session asynchronously.
+  if (source === "slack") {
+    sendJson(res, 200, { status: "accepted" });
+    // Process async — errors are logged but don't affect the HTTP response.
+    processWebhookSession(
+      webhookId,
+      source,
+      sourceIp,
+      prompt,
+      projectPath,
+      model,
+      config,
+    ).catch((err) =>
+      log.error(`Async webhook processing failed: ${err.message}`),
+    );
+    return;
+  }
+  // Non-Slack sources: process synchronously and return result.
+  const sessionId = await processWebhookSession(
+    webhookId,
+    source,
+    sourceIp,
+    prompt,
+    projectPath,
+    model,
+    config,
+  );
+  return sendJson(res, 200, {
+    status: "accepted",
+    sessionId: sessionId || null,
+  });
+}
+/**
+ * Process the webhook session — reuse existing or start new.
+ * Extracted so Slack can call this async after responding with 200.
+ */
+async function processWebhookSession(
+  webhookId,
+  source,
+  sourceIp,
+  prompt,
+  projectPath,
+  model,
+  config,
+) {
   let sessionId;
-  try {
+  const existingSession = findSessionByWebhook(webhookId);
+  if (existingSession) {
+    sessionId = existingSession.sessionId;
+    try {
+      await sendFollowUpPrompt(sessionId, prompt);
+      log.info(
+        `Webhook ${webhookId} — reusing session ${sessionId.slice(0, 8)} (follow-up)`,
+      );
+    } catch (err) {
+      log.warn(
+        `Follow-up to ${sessionId.slice(0, 8)} failed (${err.message}), starting new session`,
+      );
+      sessionId = null;
+    }
+  }
+  if (!sessionId) {
     sessionId = await startNewSession(currentDesktopId, {
       prompt,
       projectPath,
@@ -368,20 +468,10 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
         replyUrl:
           source === "slack" ? config.sourceConfig?.replyWebhookUrl : null,
       },
+      allowedTools: config.allowedTools || null,
     });
-  } catch (err) {
-    await writeAuditLog(
-      webhookId,
-      source,
-      sourceIp,
-      "rejected",
-      `session start failed: ${err.message}`,
-      null,
-    );
-    return sendJson(res, 500, { error: "failed to start session" });
   }
-  // 9. Audit log + update trigger count.
   await writeAuditLog(webhookId, source, sourceIp, "accepted", null, sessionId);
   await updateTriggerCount(webhookId);
@@ -389,10 +479,7 @@ async function handleWebhookPost(req, res, webhookId, sourceIp) {
     `Webhook ${webhookId} (${source}) accepted — session ${sessionId || "started"}`,
   );
-  return sendJson(res, 200, {
-    status: "accepted",
-    sessionId: sessionId || null,
-  });
+  return sessionId;
 }
 // ---------------------------------------------------------------------------