npm - forkoff - Versions diffs - 1.0.17 → 1.0.18 - Mend

forkoff 1.0.17 → 1.0.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/dist/approval.d.ts +1 -0
package/dist/approval.js +9 -0
package/dist/config.d.ts +3 -0
package/dist/config.js +62 -16
package/dist/crypto/e2eeManager.d.ts +49 -52
package/dist/crypto/e2eeManager.js +256 -181
package/dist/crypto/encryption.d.ts +8 -10
package/dist/crypto/encryption.js +29 -94
package/dist/crypto/index.d.ts +10 -0
package/dist/crypto/index.js +22 -0
package/dist/crypto/keyExchange.d.ts +6 -20
package/dist/crypto/keyExchange.js +18 -110
package/dist/crypto/keyGeneration.d.ts +2 -13
package/dist/crypto/keyGeneration.js +14 -88
package/dist/crypto/keyStorage.d.ts +32 -5
package/dist/crypto/keyStorage.js +152 -8
package/dist/crypto/sessionPersistence.d.ts +7 -13
package/dist/crypto/sessionPersistence.js +108 -33
package/dist/crypto/types.d.ts +24 -3
package/dist/crypto/types.js +2 -1
package/dist/crypto/websocketE2EE.d.ts +6 -17
package/dist/crypto/websocketE2EE.js +21 -38
package/dist/index.js +203 -280
package/dist/integration.d.ts +0 -1
package/dist/integration.js +2 -4
package/dist/logger.d.ts +15 -0
package/dist/logger.js +209 -1
package/dist/server.d.ts +30 -0
package/dist/server.js +162 -0
package/dist/startup.js +15 -6
package/dist/terminal.d.ts +1 -0
package/dist/terminal.js +94 -1
package/dist/tools/claude-process.d.ts +8 -0
package/dist/tools/claude-process.js +199 -26
package/dist/tools/claude-sessions.d.ts +1 -0
package/dist/tools/claude-sessions.js +36 -10
package/dist/tools/detector.js +11 -3
package/dist/tools/permission-hook.js +94 -27
package/dist/tools/permission-ipc.d.ts +1 -0
package/dist/tools/permission-ipc.js +61 -14
package/dist/transcript-streamer.d.ts +1 -0
package/dist/transcript-streamer.js +18 -4
package/dist/usage-tracker.d.ts +45 -0
package/dist/usage-tracker.js +243 -0
package/dist/websocket.d.ts +43 -12
package/dist/websocket.js +418 -214
package/package.json +4 -3
package/dist/__tests__/cli-commands.test.d.ts +0 -6
package/dist/__tests__/cli-commands.test.d.ts.map +0 -1
package/dist/__tests__/cli-commands.test.js +0 -213
package/dist/__tests__/cli-commands.test.js.map +0 -1
package/dist/__tests__/crypto/e2e-integration.test.d.ts +0 -17
package/dist/__tests__/crypto/e2e-integration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/e2e-integration.test.js +0 -338
package/dist/__tests__/crypto/e2e-integration.test.js.map +0 -1
package/dist/__tests__/crypto/e2eeManager.test.d.ts +0 -2
package/dist/__tests__/crypto/e2eeManager.test.d.ts.map +0 -1
package/dist/__tests__/crypto/e2eeManager.test.js +0 -242
package/dist/__tests__/crypto/e2eeManager.test.js.map +0 -1
package/dist/__tests__/crypto/encryption.test.d.ts +0 -2
package/dist/__tests__/crypto/encryption.test.d.ts.map +0 -1
package/dist/__tests__/crypto/encryption.test.js +0 -116
package/dist/__tests__/crypto/encryption.test.js.map +0 -1
package/dist/__tests__/crypto/keyExchange.test.d.ts +0 -2
package/dist/__tests__/crypto/keyExchange.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyExchange.test.js +0 -84
package/dist/__tests__/crypto/keyExchange.test.js.map +0 -1
package/dist/__tests__/crypto/keyGeneration.test.d.ts +0 -2
package/dist/__tests__/crypto/keyGeneration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyGeneration.test.js +0 -61
package/dist/__tests__/crypto/keyGeneration.test.js.map +0 -1
package/dist/__tests__/crypto/keyStorage.test.d.ts +0 -2
package/dist/__tests__/crypto/keyStorage.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyStorage.test.js +0 -133
package/dist/__tests__/crypto/keyStorage.test.js.map +0 -1
package/dist/__tests__/crypto/websocketIntegration.test.d.ts +0 -2
package/dist/__tests__/crypto/websocketIntegration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/websocketIntegration.test.js +0 -259
package/dist/__tests__/crypto/websocketIntegration.test.js.map +0 -1
package/dist/__tests__/startup.test.d.ts +0 -11
package/dist/__tests__/startup.test.d.ts.map +0 -1
package/dist/__tests__/startup.test.js +0 -241
package/dist/__tests__/startup.test.js.map +0 -1
package/dist/__tests__/tools/claude-process.test.d.ts +0 -8
package/dist/__tests__/tools/claude-process.test.d.ts.map +0 -1
package/dist/__tests__/tools/claude-process.test.js +0 -430
package/dist/__tests__/tools/claude-process.test.js.map +0 -1
package/dist/__tests__/tools/permission-hook.test.d.ts +0 -17
package/dist/__tests__/tools/permission-hook.test.d.ts.map +0 -1
package/dist/__tests__/tools/permission-hook.test.js +0 -616
package/dist/__tests__/tools/permission-hook.test.js.map +0 -1
package/dist/__tests__/tools/permission-ipc.test.d.ts +0 -11
package/dist/__tests__/tools/permission-ipc.test.d.ts.map +0 -1
package/dist/__tests__/tools/permission-ipc.test.js +0 -612
package/dist/__tests__/tools/permission-ipc.test.js.map +0 -1
package/dist/__tests__/websocket.test.d.ts +0 -13
package/dist/__tests__/websocket.test.d.ts.map +0 -1
package/dist/__tests__/websocket.test.js +0 -204
package/dist/__tests__/websocket.test.js.map +0 -1
package/dist/api.d.ts +0 -44
package/dist/api.d.ts.map +0 -1
package/dist/api.js +0 -76
package/dist/api.js.map +0 -1
package/dist/approval.d.ts.map +0 -1
package/dist/approval.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/crypto/e2eeManager.d.ts.map +0 -1
package/dist/crypto/e2eeManager.js.map +0 -1
package/dist/crypto/encryption.d.ts.map +0 -1
package/dist/crypto/encryption.js.map +0 -1
package/dist/crypto/keyExchange.d.ts.map +0 -1
package/dist/crypto/keyExchange.js.map +0 -1
package/dist/crypto/keyGeneration.d.ts.map +0 -1
package/dist/crypto/keyGeneration.js.map +0 -1
package/dist/crypto/keyStorage.d.ts.map +0 -1
package/dist/crypto/keyStorage.js.map +0 -1
package/dist/crypto/sessionPersistence.d.ts.map +0 -1
package/dist/crypto/sessionPersistence.js.map +0 -1
package/dist/crypto/types.d.ts.map +0 -1
package/dist/crypto/types.js.map +0 -1
package/dist/crypto/websocketE2EE.d.ts.map +0 -1
package/dist/crypto/websocketE2EE.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/integration.d.ts.map +0 -1
package/dist/integration.js.map +0 -1
package/dist/logger.d.ts.map +0 -1
package/dist/logger.js.map +0 -1
package/dist/startup.d.ts.map +0 -1
package/dist/startup.js.map +0 -1
package/dist/terminal.d.ts.map +0 -1
package/dist/terminal.js.map +0 -1
package/dist/tools/__tests__/claude-sessions.test.d.ts +0 -2
package/dist/tools/__tests__/claude-sessions.test.d.ts.map +0 -1
package/dist/tools/__tests__/claude-sessions.test.js +0 -306
package/dist/tools/__tests__/claude-sessions.test.js.map +0 -1
package/dist/tools/claude-hooks.d.ts.map +0 -1
package/dist/tools/claude-hooks.js.map +0 -1
package/dist/tools/claude-process.d.ts.map +0 -1
package/dist/tools/claude-process.js.map +0 -1
package/dist/tools/claude-sessions.d.ts.map +0 -1
package/dist/tools/claude-sessions.js.map +0 -1
package/dist/tools/detector.d.ts.map +0 -1
package/dist/tools/detector.js.map +0 -1
package/dist/tools/index.d.ts.map +0 -1
package/dist/tools/index.js.map +0 -1
package/dist/tools/permission-hook.d.ts.map +0 -1
package/dist/tools/permission-hook.js.map +0 -1
package/dist/tools/permission-ipc.d.ts.map +0 -1
package/dist/tools/permission-ipc.js.map +0 -1
package/dist/transcript-streamer.d.ts.map +0 -1
package/dist/transcript-streamer.js.map +0 -1
package/dist/websocket.d.ts.map +0 -1
package/dist/websocket.js.map +0 -1
package/jest.config.js +0 -18

package/dist/approval.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ export interface PendingApproval {
     status: 'pending' | 'approved' | 'rejected';
 }
 declare class ApprovalManager extends EventEmitter {
+    private static readonly MAX_PENDING_APPROVALS;
     private pendingApprovals;
     private approvalCounter;
     /**

package/dist/approval.js CHANGED Viewed

@@ -24,6 +24,14 @@ class ApprovalManager extends events_1.EventEmitter {
             createdAt: new Date(),
             status: 'pending',
         };
+        // Evict oldest if at cap
+        while (this.pendingApprovals.size >= ApprovalManager.MAX_PENDING_APPROVALS) {
+            const oldestKey = this.pendingApprovals.keys().next().value;
+            if (oldestKey)
+                this.pendingApprovals.delete(oldestKey);
+            else
+                break;
+        }
         this.pendingApprovals.set(id, approval);
         // Send to mobile app via WebSocket
         websocket_1.wsClient.sendApprovalRequest({
@@ -114,6 +122,7 @@ class ApprovalManager extends events_1.EventEmitter {
         }
     }
 }
+ApprovalManager.MAX_PENDING_APPROVALS = 50;
 exports.approvalManager = new ApprovalManager();
 exports.default = exports.approvalManager;
 //# sourceMappingURL=approval.js.map

package/dist/config.d.ts CHANGED Viewed

@@ -23,7 +23,10 @@ declare class Config {
     set startupEnabled(value: boolean | null);
     get startupBinaryPath(): string | null;
     set startupBinaryPath(value: string | null);
+    get relayPort(): number;
+    set relayPort(value: number);
     get isPaired(): boolean;
+    ensureDeviceId(): string;
     getMachineId(): string;
     getDeviceInfo(): {
         name: string;

package/dist/config.js CHANGED Viewed

@@ -44,17 +44,17 @@ function isLocalUrl(url) {
     try {
         const parsed = new URL(url);
         const host = parsed.hostname.toLowerCase();
-        return host === 'localhost' ||
-            host === '127.0.0.1' ||
-            host.startsWith('192.168.') ||
-            host.startsWith('10.') ||
-            host.startsWith('172.16.') ||
-            host.startsWith('172.17.') ||
-            host.startsWith('172.18.') ||
-            host.startsWith('172.19.') ||
-            host.startsWith('172.2') ||
-            host.startsWith('172.30.') ||
-            host.startsWith('172.31.');
+        if (host === 'localhost' || host === '127.0.0.1' ||
+            host.startsWith('192.168.') || host.startsWith('10.')) {
+            return true;
+        }
+        // Check 172.16.0.0 - 172.31.255.255
+        if (host.startsWith('172.')) {
+            const secondOctet = parseInt(host.split('.')[1], 10);
+            if (secondOctet >= 16 && secondOctet <= 31)
+                return true;
+        }
+        return false;
     }
     catch {
         return false;
@@ -81,6 +81,7 @@ const defaultConfig = {
     deviceName: os.hostname(),
     apiUrl: 'https://api.forkoff.app/api',
     wsUrl: 'wss://api.forkoff.app',
+    relayPort: 3000,
     pairingCode: null,
     pairedAt: null,
     userId: null,
@@ -97,15 +98,30 @@ class Config {
             ? path.join(process.env.APPDATA || os.homedir(), 'forkoff-cli')
             : path.join(os.homedir(), '.config', 'forkoff-cli');
         if (!fs.existsSync(configDir)) {
-            fs.mkdirSync(configDir, { recursive: true });
+            fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
         }
         return path.join(configDir, 'config.json');
     }
     load() {
         try {
             if (fs.existsSync(this.configPath)) {
-                const content = fs.readFileSync(this.configPath, 'utf-8');
-                return { ...defaultConfig, ...JSON.parse(content) };
+                // SECURITY: Atomic symlink check — open fd then fstat to avoid TOCTOU
+                const fd = fs.openSync(this.configPath, 'r');
+                try {
+                    const stat = fs.fstatSync(fd);
+                    // If the file was replaced with a symlink between open and fstat,
+                    // fstat returns the symlink target info. Check lstat separately.
+                    const lstat = fs.lstatSync(this.configPath);
+                    if (lstat.isSymbolicLink()) {
+                        console.error('[Security] Symlink detected at config file, refusing to read');
+                        return { ...defaultConfig };
+                    }
+                    const content = fs.readFileSync(fd, 'utf-8');
+                    return { ...defaultConfig, ...JSON.parse(content) };
+                }
+                finally {
+                    fs.closeSync(fd);
+                }
             }
         }
         catch (error) {
@@ -114,7 +130,22 @@ class Config {
         return { ...defaultConfig };
     }
     save() {
-        fs.writeFileSync(this.configPath, JSON.stringify(this.data, null, 2));
+        // SECURITY: Atomic write via temp file + rename to prevent TOCTOU
+        const tmpPath = this.configPath + '.tmp.' + process.pid;
+        try {
+            // Write to temp file with restrictive permissions
+            fs.writeFileSync(tmpPath, JSON.stringify(this.data, null, 2), { encoding: 'utf-8', mode: 0o600 });
+            // Atomic rename (same filesystem)
+            fs.renameSync(tmpPath, this.configPath);
+        }
+        catch (err) {
+            // Clean up temp file on error
+            try {
+                fs.unlinkSync(tmpPath);
+            }
+            catch { /* ignore */ }
+            console.error('[Security] Failed to save config:', err.message);
+        }
     }
     get deviceId() {
         return this.data.deviceId;
@@ -183,8 +214,23 @@ class Config {
         this.data.startupBinaryPath = value;
         this.save();
     }
+    get relayPort() {
+        return this.data.relayPort;
+    }
+    set relayPort(value) {
+        this.data.relayPort = value;
+        this.save();
+    }
     get isPaired() {
-        return !!this.userId && !!this.deviceId;
+        return !!this.deviceId && !!this.pairedAt;
+    }
+    // Ensure deviceId exists, generating one if needed
+    ensureDeviceId() {
+        if (!this.data.deviceId) {
+            this.data.deviceId = this.getMachineId();
+            this.save();
+        }
+        return this.data.deviceId;
     }
     // Get unique machine identifier
     getMachineId() {

package/dist/crypto/e2eeManager.d.ts CHANGED Viewed

@@ -1,82 +1,79 @@
 import { KeyExchangeInit, KeyExchangeAck, EncryptedMessage } from './types';
-/**
- * E2EE Manager for CLI
- * Orchestrates all end-to-end encryption operations
- */
 export declare class E2EEManager {
     private deviceId;
-    private apiUrl;
-    private authToken;
     private keyPair;
+    private signingKeyPair;
     private initialized;
-    private pendingKeyExchanges;
-    private outgoingCounters;
-    private incomingCounters;
-    private axiosInstance;
-    constructor(deviceId: string, apiUrl: string, authToken: string);
+    private sessions;
+    private static readonly MAX_PENDING_EXCHANGES;
+    private static readonly PENDING_EXCHANGE_TTL_MS;
+    private pendingExchanges;
+    constructor(deviceId: string);
     /**
-     * Initializes E2EE manager
-     * - Loads or generates key pair
-     * - Uploads public key to backend
+     * Initializes E2EE manager: loads or generates identity key pairs (DH + signing).
      */
     initialize(): Promise<void>;
+    /** Get the public key (for uploading to server) */
+    getPublicKey(): string | null;
+    /** Get the signing public key */
+    getSigningPublicKey(): string | null;
+    /** Check if manager is initialized */
+    isInitialized(): boolean;
     /**
-     * Derives X25519 public key from private key
+     * Sign a key exchange payload with our Ed25519 identity key.
+     * The signed message is: "prefix:senderDeviceId:ephemeralPublicKey[:recipientDeviceId]"
      */
-    private derivePublicKeyFromPrivateKey;
+    private signPayload;
     /**
-     * Uploads public key to backend
+     * Verify a peer's signature on a key exchange payload.
+     * Returns true if signature is valid OR if peer has no identity key (unsigned exchange accepted with warning).
+     * Throws if the peer's identity key doesn't match TOFU record (potential MITM).
      */
-    private uploadPublicKey;
+    private verifyPeerSignature;
     /**
-     * Initiates key exchange with target device
-     * Returns payload to send via WebSocket
+     * Create a key exchange initiation to send to a remote device.
+     * Generates an ephemeral key pair and signs it with our identity key.
      */
-    initiateKeyExchange(targetDeviceId: string): Promise<KeyExchangeInit>;
     /**
-     * Handles incoming key exchange init from sender
-     * Returns ack payload to send back via WebSocket
+     * Evict expired or excess pending key exchanges.
      */
-    handleKeyExchangeInit(senderDeviceId: string, senderEphemeralPublicKey: string): Promise<KeyExchangeAck>;
+    private cleanupPendingExchanges;
+    createKeyExchangeInit(targetDeviceId: string): KeyExchangeInit;
     /**
-     * Handles incoming key exchange ack from recipient
-     * Completes the key exchange by deriving the final session key
+     * Handle an incoming key exchange init from a remote device.
+     * Verifies the peer's identity signature (TOFU), computes shared key,
+     * and returns a signed ack.
      */
-    handleKeyExchangeAck(recipientDeviceId: string, recipientEphemeralPublicKey: string): Promise<void>;
+    handleKeyExchangeInit(init: KeyExchangeInit): KeyExchangeAck;
     /**
-     * Attempts to restore a persisted session after reconnection
-     * Useful when IP changes cause WebSocket disconnection
+     * Handle an incoming key exchange ack from a remote device.
+     * Verifies the peer's identity signature (TOFU) and completes the key exchange.
      */
-    restorePersistedSession(targetDeviceId: string): Promise<boolean>;
+    handleKeyExchangeAck(ack: KeyExchangeAck): void;
     /**
-     * Lists all devices with persisted sessions
-     * Useful for auto-reconnection after network changes
+     * Attempts to restore a persisted session after reconnection.
      */
+    restorePersistedSession(targetDeviceId: string): Promise<boolean>;
+    /** Lists all devices with persisted sessions */
     listPersistedDevices(): string[];
-    /**
-     * Encrypts a message for a target device
-     */
-    encryptMessage(plaintext: string, targetDeviceId: string, sessionId: string): EncryptedMessage;
-    /**
-     * Decrypts a message from a sender device
-     */
-    decryptMessage(encryptedMessage: EncryptedMessage, senderDeviceId: string): string;
-    /**
-     * Checks if a session key exists for a device
-     */
+    /** Check if an encrypted session is established with a device */
     hasSessionKey(deviceId: string): boolean;
+    /** Encrypt a message for a specific device */
+    encryptMessage(plaintext: string, recipientDeviceId: string, sessionId: string): EncryptedMessage;
+    /** Decrypt an incoming encrypted message */
+    decryptMessage(message: EncryptedMessage, senderDeviceId: string): string;
+    /** Clear session for a specific device */
+    clearSession(deviceId: string): void;
     /**
-     * Checks if manager is initialized
-     */
-    isInitialized(): boolean;
-    /**
-     * Cleans up all session keys and pending exchanges
-     * @param deletePersisted - Whether to delete persisted sessions from disk (default: false)
+     * Cleans up all session keys and pending exchanges.
+     * @param deletePersisted - Whether to delete persisted sessions from disk
      */
     cleanup(deletePersisted?: boolean): void;
-    /**
-     * Removes a specific persisted session
-     */
+    /** Removes a specific persisted session */
     removePersistedSession(targetDeviceId: string): void;
+    /** Reset TOFU trust for a peer (used on re-pair so new keys are accepted) */
+    resetPeerTrust(targetDeviceId: string): void;
+    /** Light trust reset — only clears TOFU key, preserves pending exchanges in-flight */
+    clearTrustOnly(targetDeviceId: string): void;
 }
 //# sourceMappingURL=e2eeManager.d.ts.map