forge-remote 2.1.5 → 2.2.0

package/firestore.rules

@@ -134,6 +134,20 @@ service cloud.firestore {
       allow update: if isSignedIn() && isValidSize();
     }
 
+    // ---- Forge Hall (RPG party / quests / inventory / battle history) ----
+    // BYOF: single-player. State is stored as a single doc at
+    //   forge_hall/state
+    // with subcollections for inventory items + battle history. The mobile
+    // app is the only writer; relay reads are read-only for now.
+    match /forge_hall/{docId} {
+      allow read: if isSignedIn();
+      allow write: if isSignedIn();
+
+      match /{subColl}/{subDoc} {
+        allow read, write: if isSignedIn();
+      }
+    }
+
     // ---- User profiles (for preferences) ----
     match /users/{userId} {
       allow read, write: if request.auth != null && request.auth.uid == userId;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "forge-remote",
-  "version": "2.1.5",
-  "description": "Desktop relay for Forge Remote — mobile command center for AI coding agents",
+  "version": "2.2.0",
+  "description": "Desktop relay for Forge Remote — monitor and control Claude Code sessions from your phone",
   "type": "module",
   "license": "UNLICENSED",
   "author": "Daniel Wendel <daniel@ironforgeapps.com> (https://ironforgeapps.com)",
@@ -34,6 +34,7 @@
   ],
   "dependencies": {
     "chalk": "^5.4.0",
+    "chokidar": "^4.0.3",
     "commander": "^13.0.0",
     "firebase-admin": "^13.0.0",
     "localtunnel": "^2.0.2",

package/src/auto-approve-engine.js

@@ -0,0 +1,119 @@
+// Forge Remote — Auto-Approve Engine
+// Copyright (c) 2025-2026 Iron Forge Apps
+//
+// Reads `auto_approve_patterns` from Firestore and decides whether to
+// auto-approve an incoming permission request before pinging the user's
+// phone. Always defers to manual approval for high/critical risk.
+
+import {
+  collection,
+  doc,
+  getDocs,
+  getDoc,
+  setDoc,
+  serverTimestamp,
+} from "firebase/firestore";
+import { db } from "./firebase.js";
+import * as log from "./logger.js";
+
+const HIGH_RISK_TOOLS = new Set([
+  "Bash:rm",
+  "Bash:dropdb",
+  "Bash:git push --force",
+  "Bash:firebase deploy",
+]);
+
+const cache = new Map();
+let lastRefresh = 0;
+const REFRESH_INTERVAL_MS = 30_000;
+
+function normalize(preview) {
+  return preview.trim().replace(/\s+/g, " ");
+}
+
+function patternKey(tool, preview) {
+  return `${tool}:${normalize(preview)}`;
+}
+
+function classifyRisk(tool, preview) {
+  const k = patternKey(tool, preview);
+  for (const high of HIGH_RISK_TOOLS) {
+    if (k.startsWith(high)) return "high";
+  }
+  if (tool === "Read" || tool === "Glob" || tool === "Grep") return "low";
+  if (tool === "Edit" || tool === "Write") return "medium";
+  if (tool === "Bash") return "medium";
+  return "medium";
+}
+
+async function refreshCache() {
+  const now = Date.now();
+  if (now - lastRefresh < REFRESH_INTERVAL_MS) return;
+  try {
+    const snap = await getDocs(collection(db, "auto_approve_patterns"));
+    cache.clear();
+    snap.forEach((d) => cache.set(d.id, d.data()));
+    lastRefresh = now;
+  } catch (e) {
+    log.warn(`Auto-approve cache refresh failed: ${e.message}`);
+  }
+}
+
+/**
+ * Returns 'auto-allow' if the request matches an auto-approve pattern,
+ * otherwise null (caller should prompt the phone normally).
+ */
+export async function maybeAutoApprove({ tool, preview, sessionId }) {
+  const risk = classifyRisk(tool, preview);
+  if (risk === "high" || risk === "critical") return null;
+
+  await refreshCache();
+  const key = patternKey(tool, preview);
+  const safeId = key.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 60);
+  const pattern = cache.get(safeId);
+  if (!pattern || !pattern.autoApprove) return null;
+
+  // Log to Firestore for the audit trail.
+  try {
+    await setDoc(doc(db, "auto_approve_audit", `${Date.now()}-${safeId}`), {
+      patternKey: key,
+      preview,
+      decision: "auto-allow",
+      risk,
+      sessionId: sessionId ?? null,
+      decidedAt: serverTimestamp(),
+    });
+  } catch (e) {
+    log.warn(`Auto-approve audit write failed: ${e.message}`);
+  }
+
+  log.info(`Auto-approved ${tool}: ${preview.slice(0, 60)}`);
+  return "auto-allow";
+}
+
+/**
+ * Update a pattern's counters after a manual decision (the mobile app
+ * usually does this directly, but the relay calls this when a permission
+ * times out).
+ */
+export async function recordRelayDecision({ tool, preview, decision }) {
+  const key = patternKey(tool, preview);
+  const safeId = key.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 60);
+  const ref = doc(db, "auto_approve_patterns", safeId);
+  const existing = await getDoc(ref);
+  const current = existing.exists() ? existing.data() : {};
+  await setDoc(
+    ref,
+    {
+      key,
+      tool,
+      preview,
+      risk: classifyRisk(tool, preview),
+      approvals: (current.approvals ?? 0) + (decision === "allow" ? 1 : 0),
+      denials: (current.denials ?? 0) + (decision === "deny" ? 1 : 0),
+      autoApprove: current.autoApprove ?? false,
+      updatedAt: serverTimestamp(),
+    },
+    { merge: true },
+  );
+}

package/src/build-manager.js

@@ -2,7 +2,7 @@
 // Copyright (c) 2025-2026 Iron Forge Apps
 // Created by Daniel Wendel, CEO/Founder of Iron Forge Apps
 
-import { execSync, spawn } from "child_process";
+import { execSync, spawn, spawnSync } from "child_process";
 import path from "node:path";
 import {
   existsSync,
@@ -231,60 +231,88 @@ export async function runBuild(projectPath, platform, onOutput) {
         process.env.DEVELOPER_DIR ||
         "/Applications/Xcode.app/Contents/Developer",
     };
-    try {
-      const output = execSync(buildCmd, {
-        cwd: projectPath,
-        env: buildEnv,
-        timeout: 600000, // 10 minutes
-        encoding: "utf-8",
-        stdio: ["pipe", "pipe", "pipe"],
-        shell: shell,
-      });
+    // For iOS builds, run flutter clean first to avoid stale storyboard caches
+    const fullCmd =
+      platform === "ios"
+        ? `flutter clean > /dev/null 2>&1; ${buildCmd}`
+        : buildCmd;
+    const proc = spawn(shell, ["-l", "-c", fullCmd], {
+      cwd: projectPath,
+      env: buildEnv,
+      stdio: ["pipe", "pipe", "pipe"],
+    });
 
-      const duration = Math.round((Date.now() - startTime) / 1000);
-      const outputPath =
-        projectInfo.outputPaths[platform] ||
-        projectInfo.outputPaths.web ||
-        projectInfo.outputPaths.default ||
-        null;
+    // Timeout: 10 minutes max for any build
+    const buildTimeout = setTimeout(() => {
+      log.warn(`Build timed out after 10 minutes: ${buildCmd}`);
+      try {
+        proc.kill("SIGTERM");
+      } catch {}
+      setTimeout(() => {
+        try {
+          proc.kill("SIGKILL");
+        } catch {}
+      }, 5000);
+      reject(new Error(`Build timed out after 10 minutes`));
+    }, 600000);
 
-      // Stream output lines to callback
-      for (const line of output.split("\n")) {
+    proc.stdout.on("data", (data) => {
+      const text = data.toString();
+      for (const line of text.split("\n")) {
         const trimmed = line.trim();
         if (trimmed) {
           outputLines.push(trimmed);
           if (onOutput) onOutput(trimmed, "stdout");
         }
       }
+    });
 
-      log.info(`Build succeeded in ${duration}s`);
-      resolve({
-        success: true,
-        output: outputLines.join("\n"),
-        duration,
-        outputPath: outputPath ? path.resolve(projectPath, outputPath) : null,
-        framework: projectInfo.framework,
-        platform,
-      });
-    } catch (err) {
-      const duration = Math.round((Date.now() - startTime) / 1000);
-      const stderr = err.stderr?.toString() || "";
-      const stdout = err.stdout?.toString() || "";
-      const allOutput = (stdout + "\n" + stderr).trim();
-
-      // Stream output lines to callback
-      for (const line of allOutput.split("\n")) {
+    proc.stderr.on("data", (data) => {
+      const text = data.toString();
+      for (const line of text.split("\n")) {
         const trimmed = line.trim();
         if (trimmed) {
           outputLines.push(trimmed);
           if (onOutput) onOutput(trimmed, "stderr");
         }
       }
+    });
 
-      const tail = outputLines.slice(-15).join("\n");
-      log.error(`Build failed (exit code ${err.status}) after ${duration}s`);
-      reject(new Error(`Build failed (exit code ${err.status})\n${tail}`));
-    }
+    proc.on("error", (err) => {
+      clearTimeout(buildTimeout);
+      reject(new Error(`Build process error: ${err.message}`));
+    });
+
+    proc.on("close", (code) => {
+      clearTimeout(buildTimeout);
+      const duration = Math.round((Date.now() - startTime) / 1000);
+      const outputPath =
+        projectInfo.outputPaths[platform] ||
+        projectInfo.outputPaths.web ||
+        projectInfo.outputPaths.default ||
+        null;
+
+      if (code === 0) {
+        log.info(`Build succeeded in ${duration}s`);
+        resolve({
+          success: true,
+          output: outputLines.join("\n"),
+          duration,
+          outputPath: outputPath ? path.resolve(projectPath, outputPath) : null,
+          framework: projectInfo.framework,
+          platform,
+        });
+      } else {
+        const tail = outputLines.slice(-15).join("\n");
+        log.error(`Build failed (exit code ${code})`);
+        reject(new Error(`Build failed (exit code ${code})\n${tail}`));
+      }
+    });
+
+    proc.on("error", (err) => {
+      log.error(`Build process error: ${err.message}`);
+      reject(new Error(`Build process error: ${err.message}`));
+    });
   });
 }
 
@@ -698,6 +726,124 @@ export function startFirebaseLogin() {
   return { pid: proc.pid };
 }
 
+// ---------------------------------------------------------------------------
+// Cloudflare Pages Deploy
+// ---------------------------------------------------------------------------
+
+import { homedir } from "os";
+import { join as joinPath } from "path";
+
+/** Read Cloudflare API token + account ID from ~/.forge-remote/config.json. */
+function getCloudflareCreds() {
+  const configPath = joinPath(homedir(), ".forge-remote", "config.json");
+  if (!existsSync(configPath)) {
+    throw new Error(
+      "Cloudflare not configured. Save your API token via the mobile app: " +
+        "Settings → Integrations → Cloudflare.",
+    );
+  }
+  const cfg = JSON.parse(readFileSync(configPath, "utf-8"));
+  const token = cfg.cloudflareApiToken;
+  const accountId = cfg.cloudflareAccountId;
+  if (!token) {
+    throw new Error(
+      "Cloudflare API token missing. Add it via the mobile app: " +
+        "Settings → Integrations → Cloudflare.",
+    );
+  }
+  return { token, accountId };
+}
+
+/** Persist Cloudflare creds to ~/.forge-remote/config.json. */
+export function saveCloudflareCreds({ token, accountId }) {
+  const configPath = joinPath(homedir(), ".forge-remote", "config.json");
+  let cfg = {};
+  if (existsSync(configPath)) {
+    cfg = JSON.parse(readFileSync(configPath, "utf-8"));
+  }
+  if (token !== undefined) cfg.cloudflareApiToken = token;
+  if (accountId !== undefined) cfg.cloudflareAccountId = accountId;
+  writeFileSync(configPath, JSON.stringify(cfg, null, 2));
+}
+
+/**
+ * Slugify a project name for Cloudflare Pages.
+ * Lowercase, alphanumeric + hyphens, max 58 chars (Pages limit).
+ */
+export function slugifyForCloudflarePages(name) {
+  let slug = (name || "")
+    .toLowerCase()
+    .replace(/[^a-z0-9-]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .replace(/-{2,}/g, "-");
+  if (slug.length === 0) slug = "forge-remote-app";
+  if (slug.length > 58) slug = slug.slice(0, 58).replace(/-$/, "");
+  return slug;
+}
+
+/**
+ * Deploy a built static site to Cloudflare Pages via Wrangler.
+ *
+ * Uses spawnSync with array args (no shell) — no injection surface.
+ *
+ * @param {string} buildPath — absolute path to the built static directory
+ * @param {string} projectSlug — Cloudflare Pages project name (already slugified)
+ * @returns {Promise<{ url: string|null, output: string, projectSlug: string }>}
+ */
+export async function deployToCloudflarePages(buildPath, projectSlug) {
+  if (!existsSync(buildPath)) {
+    throw new Error(`Build path does not exist: ${buildPath}`);
+  }
+  const safeSlug = slugifyForCloudflarePages(projectSlug);
+  const { token, accountId } = getCloudflareCreds();
+
+  // npx fetches Wrangler on first use (~50MB cache); subsequent deploys are fast.
+  const args = [
+    "--yes",
+    "wrangler@latest",
+    "pages",
+    "deploy",
+    buildPath,
+    `--project-name=${safeSlug}`,
+    "--commit-dirty=true",
+  ];
+
+  log.info(
+    `Deploying to Cloudflare Pages (${safeSlug}): npx ${args.join(" ")}`,
+  );
+
+  const result = spawnSync("npx", args, {
+    timeout: 240_000,
+    encoding: "utf-8",
+    env: {
+      ...process.env,
+      CLOUDFLARE_API_TOKEN: token,
+      ...(accountId ? { CLOUDFLARE_ACCOUNT_ID: accountId } : {}),
+      WRANGLER_SEND_METRICS: "false",
+    },
+  });
+
+  if (result.error) throw result.error;
+  const stdout = result.stdout || "";
+  const stderr = result.stderr || "";
+  const combined = stdout + "\n" + stderr;
+
+  if (result.status !== 0) {
+    throw new Error(
+      `Wrangler exited with code ${result.status}: ${combined.slice(0, 500)}`,
+    );
+  }
+
+  // Parse deployment URL.
+  const aliasMatch = combined.match(/alias URL:\s+(https?:\/\/[^\s]+)/i);
+  const previewMatch = combined.match(/(https?:\/\/[a-z0-9-]+\.pages\.dev)/i);
+  const url =
+    aliasMatch?.[1] || previewMatch?.[1] || `https://${safeSlug}.pages.dev`;
+
+  log.info(`Cloudflare Pages deployed: ${url}`);
+  return { url, output: combined, projectSlug: safeSlug };
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------