npm - forkoff - Versions diffs - 1.0.17 → 1.0.18 - Mend

forkoff 1.0.17 → 1.0.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/dist/approval.d.ts +1 -0
package/dist/approval.js +9 -0
package/dist/config.d.ts +3 -0
package/dist/config.js +62 -16
package/dist/crypto/e2eeManager.d.ts +49 -52
package/dist/crypto/e2eeManager.js +256 -181
package/dist/crypto/encryption.d.ts +8 -10
package/dist/crypto/encryption.js +29 -94
package/dist/crypto/index.d.ts +10 -0
package/dist/crypto/index.js +22 -0
package/dist/crypto/keyExchange.d.ts +6 -20
package/dist/crypto/keyExchange.js +18 -110
package/dist/crypto/keyGeneration.d.ts +2 -13
package/dist/crypto/keyGeneration.js +14 -88
package/dist/crypto/keyStorage.d.ts +32 -5
package/dist/crypto/keyStorage.js +152 -8
package/dist/crypto/sessionPersistence.d.ts +7 -13
package/dist/crypto/sessionPersistence.js +108 -33
package/dist/crypto/types.d.ts +24 -3
package/dist/crypto/types.js +2 -1
package/dist/crypto/websocketE2EE.d.ts +6 -17
package/dist/crypto/websocketE2EE.js +21 -38
package/dist/index.js +203 -280
package/dist/integration.d.ts +0 -1
package/dist/integration.js +2 -4
package/dist/logger.d.ts +15 -0
package/dist/logger.js +209 -1
package/dist/server.d.ts +30 -0
package/dist/server.js +162 -0
package/dist/startup.js +15 -6
package/dist/terminal.d.ts +1 -0
package/dist/terminal.js +94 -1
package/dist/tools/claude-process.d.ts +8 -0
package/dist/tools/claude-process.js +199 -26
package/dist/tools/claude-sessions.d.ts +1 -0
package/dist/tools/claude-sessions.js +36 -10
package/dist/tools/detector.js +11 -3
package/dist/tools/permission-hook.js +94 -27
package/dist/tools/permission-ipc.d.ts +1 -0
package/dist/tools/permission-ipc.js +61 -14
package/dist/transcript-streamer.d.ts +1 -0
package/dist/transcript-streamer.js +18 -4
package/dist/usage-tracker.d.ts +45 -0
package/dist/usage-tracker.js +243 -0
package/dist/websocket.d.ts +43 -12
package/dist/websocket.js +418 -214
package/package.json +4 -3
package/dist/__tests__/cli-commands.test.d.ts +0 -6
package/dist/__tests__/cli-commands.test.d.ts.map +0 -1
package/dist/__tests__/cli-commands.test.js +0 -213
package/dist/__tests__/cli-commands.test.js.map +0 -1
package/dist/__tests__/crypto/e2e-integration.test.d.ts +0 -17
package/dist/__tests__/crypto/e2e-integration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/e2e-integration.test.js +0 -338
package/dist/__tests__/crypto/e2e-integration.test.js.map +0 -1
package/dist/__tests__/crypto/e2eeManager.test.d.ts +0 -2
package/dist/__tests__/crypto/e2eeManager.test.d.ts.map +0 -1
package/dist/__tests__/crypto/e2eeManager.test.js +0 -242
package/dist/__tests__/crypto/e2eeManager.test.js.map +0 -1
package/dist/__tests__/crypto/encryption.test.d.ts +0 -2
package/dist/__tests__/crypto/encryption.test.d.ts.map +0 -1
package/dist/__tests__/crypto/encryption.test.js +0 -116
package/dist/__tests__/crypto/encryption.test.js.map +0 -1
package/dist/__tests__/crypto/keyExchange.test.d.ts +0 -2
package/dist/__tests__/crypto/keyExchange.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyExchange.test.js +0 -84
package/dist/__tests__/crypto/keyExchange.test.js.map +0 -1
package/dist/__tests__/crypto/keyGeneration.test.d.ts +0 -2
package/dist/__tests__/crypto/keyGeneration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyGeneration.test.js +0 -61
package/dist/__tests__/crypto/keyGeneration.test.js.map +0 -1
package/dist/__tests__/crypto/keyStorage.test.d.ts +0 -2
package/dist/__tests__/crypto/keyStorage.test.d.ts.map +0 -1
package/dist/__tests__/crypto/keyStorage.test.js +0 -133
package/dist/__tests__/crypto/keyStorage.test.js.map +0 -1
package/dist/__tests__/crypto/websocketIntegration.test.d.ts +0 -2
package/dist/__tests__/crypto/websocketIntegration.test.d.ts.map +0 -1
package/dist/__tests__/crypto/websocketIntegration.test.js +0 -259
package/dist/__tests__/crypto/websocketIntegration.test.js.map +0 -1
package/dist/__tests__/startup.test.d.ts +0 -11
package/dist/__tests__/startup.test.d.ts.map +0 -1
package/dist/__tests__/startup.test.js +0 -241
package/dist/__tests__/startup.test.js.map +0 -1
package/dist/__tests__/tools/claude-process.test.d.ts +0 -8
package/dist/__tests__/tools/claude-process.test.d.ts.map +0 -1
package/dist/__tests__/tools/claude-process.test.js +0 -430
package/dist/__tests__/tools/claude-process.test.js.map +0 -1
package/dist/__tests__/tools/permission-hook.test.d.ts +0 -17
package/dist/__tests__/tools/permission-hook.test.d.ts.map +0 -1
package/dist/__tests__/tools/permission-hook.test.js +0 -616
package/dist/__tests__/tools/permission-hook.test.js.map +0 -1
package/dist/__tests__/tools/permission-ipc.test.d.ts +0 -11
package/dist/__tests__/tools/permission-ipc.test.d.ts.map +0 -1
package/dist/__tests__/tools/permission-ipc.test.js +0 -612
package/dist/__tests__/tools/permission-ipc.test.js.map +0 -1
package/dist/__tests__/websocket.test.d.ts +0 -13
package/dist/__tests__/websocket.test.d.ts.map +0 -1
package/dist/__tests__/websocket.test.js +0 -204
package/dist/__tests__/websocket.test.js.map +0 -1
package/dist/api.d.ts +0 -44
package/dist/api.d.ts.map +0 -1
package/dist/api.js +0 -76
package/dist/api.js.map +0 -1
package/dist/approval.d.ts.map +0 -1
package/dist/approval.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/crypto/e2eeManager.d.ts.map +0 -1
package/dist/crypto/e2eeManager.js.map +0 -1
package/dist/crypto/encryption.d.ts.map +0 -1
package/dist/crypto/encryption.js.map +0 -1
package/dist/crypto/keyExchange.d.ts.map +0 -1
package/dist/crypto/keyExchange.js.map +0 -1
package/dist/crypto/keyGeneration.d.ts.map +0 -1
package/dist/crypto/keyGeneration.js.map +0 -1
package/dist/crypto/keyStorage.d.ts.map +0 -1
package/dist/crypto/keyStorage.js.map +0 -1
package/dist/crypto/sessionPersistence.d.ts.map +0 -1
package/dist/crypto/sessionPersistence.js.map +0 -1
package/dist/crypto/types.d.ts.map +0 -1
package/dist/crypto/types.js.map +0 -1
package/dist/crypto/websocketE2EE.d.ts.map +0 -1
package/dist/crypto/websocketE2EE.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/integration.d.ts.map +0 -1
package/dist/integration.js.map +0 -1
package/dist/logger.d.ts.map +0 -1
package/dist/logger.js.map +0 -1
package/dist/startup.d.ts.map +0 -1
package/dist/startup.js.map +0 -1
package/dist/terminal.d.ts.map +0 -1
package/dist/terminal.js.map +0 -1
package/dist/tools/__tests__/claude-sessions.test.d.ts +0 -2
package/dist/tools/__tests__/claude-sessions.test.d.ts.map +0 -1
package/dist/tools/__tests__/claude-sessions.test.js +0 -306
package/dist/tools/__tests__/claude-sessions.test.js.map +0 -1
package/dist/tools/claude-hooks.d.ts.map +0 -1
package/dist/tools/claude-hooks.js.map +0 -1
package/dist/tools/claude-process.d.ts.map +0 -1
package/dist/tools/claude-process.js.map +0 -1
package/dist/tools/claude-sessions.d.ts.map +0 -1
package/dist/tools/claude-sessions.js.map +0 -1
package/dist/tools/detector.d.ts.map +0 -1
package/dist/tools/detector.js.map +0 -1
package/dist/tools/index.d.ts.map +0 -1
package/dist/tools/index.js.map +0 -1
package/dist/tools/permission-hook.d.ts.map +0 -1
package/dist/tools/permission-hook.js.map +0 -1
package/dist/tools/permission-ipc.d.ts.map +0 -1
package/dist/tools/permission-ipc.js.map +0 -1
package/dist/transcript-streamer.d.ts.map +0 -1
package/dist/transcript-streamer.js.map +0 -1
package/dist/websocket.d.ts.map +0 -1
package/dist/websocket.js.map +0 -1
package/jest.config.js +0 -18

package/dist/integration.d.ts CHANGED Viewed

@@ -25,6 +25,5 @@ export { wsClient } from './websocket';
 export { approvalManager } from './approval';
 export { terminalManager } from './terminal';
 export { config } from './config';
-export { api } from './api';
 export { claudeSessionDetector } from './tools';
 //# sourceMappingURL=integration.d.ts.map

package/dist/integration.js CHANGED Viewed

@@ -6,7 +6,7 @@
  * It handles approval requests and terminal output streaming.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.claudeSessionDetector = exports.api = exports.config = exports.terminalManager = exports.approvalManager = exports.wsClient = void 0;
+exports.claudeSessionDetector = exports.config = exports.terminalManager = exports.approvalManager = exports.wsClient = void 0;
 exports.createIntegration = createIntegration;
 const websocket_1 = require("./websocket");
 const approval_1 = require("./approval");
@@ -30,7 +30,7 @@ function createIntegration() {
             if (!config_1.config.isPaired) {
                 throw new Error('Device not paired. Run "forkoff pair" and scan the QR code.');
             }
-            await websocket_1.wsClient.connect();
+            await websocket_1.wsClient.startServer(config_1.config.relayPort);
         },
         disconnect: () => {
             websocket_1.wsClient.disconnect();
@@ -77,8 +77,6 @@ var terminal_1 = require("./terminal");
 Object.defineProperty(exports, "terminalManager", { enumerable: true, get: function () { return terminal_1.terminalManager; } });
 var config_2 = require("./config");
 Object.defineProperty(exports, "config", { enumerable: true, get: function () { return config_2.config; } });
-var api_1 = require("./api");
-Object.defineProperty(exports, "api", { enumerable: true, get: function () { return api_1.api; } });
 var tools_2 = require("./tools");
 Object.defineProperty(exports, "claudeSessionDetector", { enumerable: true, get: function () { return tools_2.claudeSessionDetector; } });
 //# sourceMappingURL=integration.js.map

package/dist/logger.d.ts CHANGED Viewed

@@ -1,5 +1,20 @@
 import ora from 'ora';
 export declare function setQuiet(value: boolean): void;
+/**
+ * Enable debug mode: tee all console output to a timestamped log file.
+ * Also enables process.env.DEBUG for verbose logging throughout the codebase.
+ */
+export declare function setDebug(value: boolean): void;
 export declare function isQuiet(): boolean;
+export declare function isDebug(): boolean;
+export declare function getLogFilePath(): string | null;
+/**
+ * Flush and close the debug log stream. Call on process exit.
+ */
+export declare function closeDebugLog(): void;
+/**
+ * Clean up old debug log files, keeping only the most recent N.
+ */
+export declare function cleanupOldLogs(keepCount?: number): void;
 export declare function createSpinner(text: string): ora.Ora;
 //# sourceMappingURL=logger.d.ts.map

package/dist/logger.js CHANGED Viewed

@@ -1,13 +1,57 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.setQuiet = setQuiet;
+exports.setDebug = setDebug;
 exports.isQuiet = isQuiet;
+exports.isDebug = isDebug;
+exports.getLogFilePath = getLogFilePath;
+exports.closeDebugLog = closeDebugLog;
+exports.cleanupOldLogs = cleanupOldLogs;
 exports.createSpinner = createSpinner;
 const ora_1 = __importDefault(require("ora"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
 let quiet = false;
+let debugMode = false;
+let logFilePath = null;
+let logStream = null;
 const originalConsole = {
     log: console.log,
     error: console.error,
@@ -15,9 +59,41 @@ const originalConsole = {
     info: console.info,
     debug: console.debug,
 };
+/**
+ * Format a log line with ISO timestamp and level prefix.
+ */
+function formatLogLine(level, args) {
+    const timestamp = new Date().toISOString();
+    const message = args.map(a => {
+        if (typeof a === 'string')
+            return a;
+        try {
+            return JSON.stringify(a);
+        }
+        catch {
+            return String(a);
+        }
+    }).join(' ');
+    // Strip ANSI color codes for clean log files
+    const clean = message.replace(/\x1B\[[0-9;]*m/g, '');
+    return `[${timestamp}] [${level}] ${clean}\n`;
+}
+/**
+ * Write a line to the debug log file (if open).
+ */
+function writeToLogFile(level, args) {
+    if (!logStream)
+        return;
+    try {
+        logStream.write(formatLogLine(level, args));
+    }
+    catch {
+        // Swallow write errors — don't crash the CLI for logging
+    }
+}
 function setQuiet(value) {
     quiet = value;
-    if (value) {
+    if (value && !debugMode) {
         const noop = () => { };
         console.log = noop;
         console.error = noop;
@@ -25,6 +101,14 @@ function setQuiet(value) {
         console.info = noop;
         console.debug = noop;
     }
+    else if (value && debugMode) {
+        // Quiet + debug: suppress terminal output but still write to log file
+        console.log = (...args) => writeToLogFile('LOG', args);
+        console.error = (...args) => writeToLogFile('ERROR', args);
+        console.warn = (...args) => writeToLogFile('WARN', args);
+        console.info = (...args) => writeToLogFile('INFO', args);
+        console.debug = (...args) => writeToLogFile('DEBUG', args);
+    }
     else {
         console.log = originalConsole.log;
         console.error = originalConsole.error;
@@ -33,9 +117,133 @@ function setQuiet(value) {
         console.debug = originalConsole.debug;
     }
 }
+/**
+ * Enable debug mode: tee all console output to a timestamped log file.
+ * Also enables process.env.DEBUG for verbose logging throughout the codebase.
+ */
+function setDebug(value) {
+    debugMode = value;
+    if (!value) {
+        // Disable debug mode
+        if (logStream) {
+            logStream.end();
+            logStream = null;
+        }
+        logFilePath = null;
+        process.env.DEBUG = '';
+        return;
+    }
+    // Enable DEBUG env var so existing DEBUG-gated logs activate
+    process.env.DEBUG = '1';
+    // Create log directory
+    const logDir = path.join(os.homedir(), '.forkoff-cli', 'logs');
+    try {
+        fs.mkdirSync(logDir, { recursive: true, mode: 0o700 });
+    }
+    catch {
+        originalConsole.error('[Debug] Failed to create log directory:', logDir);
+        return;
+    }
+    // Create timestamped log file
+    const now = new Date();
+    const stamp = now.toISOString().replace(/[:.]/g, '-').replace('T', '_').slice(0, 19);
+    logFilePath = path.join(logDir, `debug-${stamp}.log`);
+    try {
+        // SECURITY: Check for pre-existing symlink at the log path
+        if (fs.existsSync(logFilePath)) {
+            const stat = fs.lstatSync(logFilePath);
+            if (stat.isSymbolicLink()) {
+                originalConsole.error('[Debug] Symlink detected at log path, refusing to write');
+                logFilePath = null;
+                return;
+            }
+        }
+        logStream = fs.createWriteStream(logFilePath, { flags: 'w', mode: 0o600 });
+    }
+    catch {
+        originalConsole.error('[Debug] Failed to create log file');
+        logFilePath = null;
+        return;
+    }
+    // Write system info header
+    const header = [
+        `=== ForkOff CLI Debug Log ===`,
+        `Date: ${now.toISOString()}`,
+        `Platform: ${os.platform()} ${os.release()} (${os.arch()})`,
+        `Node: ${process.version}`,
+        `PID: ${process.pid}`,
+        `User: ${os.userInfo().username}`,
+        `Home: ${os.homedir()}`,
+        `===`,
+        '',
+    ].join('\n');
+    logStream.write(header + '\n');
+    // Wrap console methods to tee to both terminal and log file
+    console.log = (...args) => {
+        originalConsole.log(...args);
+        writeToLogFile('LOG', args);
+    };
+    console.error = (...args) => {
+        originalConsole.error(...args);
+        writeToLogFile('ERROR', args);
+    };
+    console.warn = (...args) => {
+        originalConsole.warn(...args);
+        writeToLogFile('WARN', args);
+    };
+    console.info = (...args) => {
+        originalConsole.info(...args);
+        writeToLogFile('INFO', args);
+    };
+    console.debug = (...args) => {
+        originalConsole.debug(...args);
+        writeToLogFile('DEBUG', args);
+    };
+    originalConsole.log(`[Debug] Logging to: ${logFilePath}`);
+}
 function isQuiet() {
     return quiet;
 }
+function isDebug() {
+    return debugMode;
+}
+function getLogFilePath() {
+    return logFilePath;
+}
+/**
+ * Flush and close the debug log stream. Call on process exit.
+ */
+function closeDebugLog() {
+    if (logStream) {
+        logStream.write(formatLogLine('LOG', ['=== Debug log closed ===']));
+        logStream.end();
+        logStream = null;
+    }
+}
+/**
+ * Clean up old debug log files, keeping only the most recent N.
+ */
+function cleanupOldLogs(keepCount = 10) {
+    const logDir = path.join(os.homedir(), '.forkoff-cli', 'logs');
+    try {
+        const files = fs.readdirSync(logDir)
+            .filter(f => f.startsWith('debug-') && f.endsWith('.log'))
+            .sort()
+            .reverse();
+        // Delete files beyond keepCount
+        for (let i = keepCount; i < files.length; i++) {
+            try {
+                fs.unlinkSync(path.join(logDir, files[i]));
+            }
+            catch {
+                // Ignore deletion errors
+            }
+        }
+    }
+    catch {
+        // Log directory may not exist
+    }
+}
 function createSpinner(text) {
     return (0, ora_1.default)({ text, isSilent: quiet });
 }

package/dist/server.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { EventEmitter } from 'events';
+export interface EmbeddedServerOptions {
+    port: number;
+    deviceId: string;
+    deviceName: string;
+}
+export declare class EmbeddedRelayServer extends EventEmitter {
+    private httpServer;
+    private io;
+    private mobileSocket;
+    private port;
+    private deviceId;
+    private deviceName;
+    /** The pairing code the CLI generated — validated in-process */
+    private currentPairingCode;
+    constructor(options: EmbeddedServerOptions);
+    /** Set the pairing code for in-process validation */
+    setPairingCode(code: string): void;
+    /** Start the HTTP + Socket.io server */
+    start(): Promise<void>;
+    /** Emit an event to the connected mobile socket */
+    emitToMobile(event: string, data: any): void;
+    /** Check if a mobile client is connected */
+    hasMobileConnection(): boolean;
+    /** Get the connected mobile device ID (for E2EE targeting) */
+    getMobileDeviceId(): string | null;
+    /** Graceful shutdown */
+    stop(): Promise<void>;
+}
+//# sourceMappingURL=server.d.ts.map

package/dist/server.js ADDED Viewed

@@ -0,0 +1,162 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmbeddedRelayServer = void 0;
+/**
+ * Embedded relay server — turns the CLI into a Socket.io server.
+ * Mobile connects directly to the CLI over the local network.
+ * No rooms, no multi-device routing — just one CLI serving mobile connections.
+ */
+const http_1 = require("http");
+const socket_io_1 = require("socket.io");
+const events_1 = require("events");
+/** Events the server forwards from mobile → CLI (internal EventEmitter) */
+const MOBILE_EVENTS = [
+    'terminal_command', 'terminal_create', 'user_message',
+    'claude_start_session', 'claude_resume_session', 'claude_sessions_request',
+    'directory_list', 'read_file', 'transcript_fetch', 'transcript_subscribe',
+    'transcript_unsubscribe', 'approval_response', 'claude_approval_response',
+    'permission_response', 'permission_rules_sync', 'claude_abort', 'tab_complete',
+    'subscribe_device', 'unsubscribe_device',
+    'encrypted_key_exchange_init', 'encrypted_key_exchange_ack', 'encrypted_message',
+];
+class EmbeddedRelayServer extends events_1.EventEmitter {
+    constructor(options) {
+        super();
+        this.httpServer = null;
+        this.io = null;
+        this.mobileSocket = null;
+        /** The pairing code the CLI generated — validated in-process */
+        this.currentPairingCode = null;
+        this.port = options.port;
+        this.deviceId = options.deviceId;
+        this.deviceName = options.deviceName;
+    }
+    /** Set the pairing code for in-process validation */
+    setPairingCode(code) {
+        this.currentPairingCode = code;
+    }
+    /** Start the HTTP + Socket.io server */
+    start() {
+        return new Promise((resolve, reject) => {
+            this.httpServer = (0, http_1.createServer)((req, res) => {
+                if (req.url === '/health' && req.method === 'GET') {
+                    res.writeHead(200, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ status: 'ok', mode: 'embedded' }));
+                    return;
+                }
+                res.writeHead(404);
+                res.end();
+            });
+            this.io = new socket_io_1.Server(this.httpServer, {
+                cors: {
+                    origin: '*',
+                    methods: ['GET', 'POST'],
+                },
+                transports: ['websocket', 'polling'],
+            });
+            // Auth middleware — only accept mobile clients
+            this.io.use((socket, next) => {
+                const auth = socket.handshake.auth;
+                if (auth.clientType !== 'mobile') {
+                    return next(new Error('CLI only accepts mobile connections'));
+                }
+                if (!auth.mobileDeviceId || auth.mobileDeviceId.length < 8) {
+                    return next(new Error('Invalid mobileDeviceId'));
+                }
+                socket.data = {
+                    clientType: 'mobile',
+                    deviceId: auth.mobileDeviceId,
+                    deviceName: auth.deviceName || 'Mobile',
+                };
+                next();
+            });
+            this.io.on('connection', (socket) => {
+                console.log(`[Server] Mobile connected: ${socket.data.deviceId}`);
+                // Track the mobile socket (only one active connection)
+                if (this.mobileSocket) {
+                    console.log(`[Server] Replacing existing mobile connection`);
+                    this.mobileSocket.disconnect(true);
+                }
+                this.mobileSocket = socket;
+                this.emit('mobile_connected', { deviceId: socket.data.deviceId });
+                // Handle pairing
+                socket.on('pair_device', (data) => {
+                    if (this.currentPairingCode && data.pairingCode === this.currentPairingCode) {
+                        console.log(`[Server] Pairing successful`);
+                        // Notify internal listeners (wsClient)
+                        this.emit('pair_device', { mobileDeviceId: socket.data.deviceId });
+                        // Send ack directly to mobile
+                        socket.emit('pair_device_ack', {
+                            deviceId: this.deviceId,
+                            deviceName: this.deviceName,
+                            platform: process.platform,
+                            mobileDeviceId: socket.data.deviceId,
+                        });
+                    }
+                    else {
+                        console.log(`[Server] Pairing rejected — invalid code`);
+                        socket.emit('pair_device_reject', { reason: 'Invalid pairing code' });
+                    }
+                });
+                // Forward all mobile events → internal EventEmitter
+                for (const event of MOBILE_EVENTS) {
+                    socket.on(event, (data) => {
+                        this.emit(event, data);
+                    });
+                }
+                socket.on('disconnect', (reason) => {
+                    console.log(`[Server] Mobile disconnected: ${reason}`);
+                    if (this.mobileSocket === socket) {
+                        this.mobileSocket = null;
+                    }
+                    this.emit('mobile_disconnected', { deviceId: socket.data.deviceId, reason });
+                });
+            });
+            this.httpServer.on('error', (err) => {
+                if (err.code === 'EADDRINUSE') {
+                    reject(new Error(`Port ${this.port} is already in use. Use "forkoff config --port <port>" to change it.`));
+                }
+                else {
+                    reject(err);
+                }
+            });
+            this.httpServer.listen(this.port, '0.0.0.0', () => {
+                console.log(`[Server] Listening on 0.0.0.0:${this.port}`);
+                resolve();
+            });
+        });
+    }
+    /** Emit an event to the connected mobile socket */
+    emitToMobile(event, data) {
+        if (this.mobileSocket) {
+            this.mobileSocket.emit(event, data);
+        }
+    }
+    /** Check if a mobile client is connected */
+    hasMobileConnection() {
+        return this.mobileSocket !== null && this.mobileSocket.connected;
+    }
+    /** Get the connected mobile device ID (for E2EE targeting) */
+    getMobileDeviceId() {
+        return this.mobileSocket?.data?.deviceId ?? null;
+    }
+    /** Graceful shutdown */
+    stop() {
+        return new Promise((resolve) => {
+            if (this.io) {
+                this.io.close(() => {
+                    this.httpServer?.close(() => resolve());
+                });
+            }
+            else if (this.httpServer) {
+                this.httpServer.close(() => resolve());
+            }
+            else {
+                resolve();
+            }
+            this.mobileSocket = null;
+        });
+    }
+}
+exports.EmbeddedRelayServer = EmbeddedRelayServer;
+//# sourceMappingURL=server.js.map

package/dist/startup.js CHANGED Viewed

@@ -124,7 +124,7 @@ async function disableStartup() {
 async function enableStartupWindows(binaryPath) {
     const startupDir = getStartupDir();
     if (!fs.existsSync(startupDir)) {
-        fs.mkdirSync(startupDir, { recursive: true });
+        fs.mkdirSync(startupDir, { recursive: true, mode: 0o700 });
     }
     // Resolve binaryPath to the .cmd shim if it exists (npm global installs create .cmd on Windows)
     let cmdPath = binaryPath;
@@ -134,12 +134,21 @@ async function enableStartupWindows(binaryPath) {
             cmdPath = candidate;
         }
     }
+    // SECURITY: Validate binary path exists
+    if (!fs.existsSync(cmdPath)) {
+        throw new Error(`Startup binary not found: ${cmdPath}`);
+    }
+    // SECURITY: Reject paths with VBScript metacharacters to prevent injection
+    if (/[^a-zA-Z0-9_\-./\\ :]/.test(cmdPath)) {
+        throw new Error(`Startup binary path contains disallowed characters: ${cmdPath}`);
+    }
     // Write a .vbs (VBScript) wrapper that launches the command with a hidden window.
     // A .bat would open a visible cmd.exe window on every login — bad UX.
     // WScript.Shell.Run with windowStyle 0 = hidden, False = don't wait.
     const vbsPath = getVbsPath();
-    const vbsContent = `CreateObject("WScript.Shell").Run """${cmdPath}"" connect --quiet", 0, False\r\n`;
-    fs.writeFileSync(vbsPath, vbsContent);
+    const escapedPath = cmdPath.replace(/"/g, '""');
+    const vbsContent = `CreateObject("WScript.Shell").Run """${escapedPath}"" connect --quiet", 0, False\r\n`;
+    fs.writeFileSync(vbsPath, vbsContent, { mode: 0o600 });
     // Use HKCU Run key — no admin required, runs on user logon
     (0, child_process_1.execSync)(`reg add "${REG_KEY}" /v ${REG_VALUE} /t REG_SZ /d "\\"${vbsPath}\\"" /f`, { stdio: 'pipe' });
 }
@@ -170,7 +179,7 @@ async function enableStartupMacOS(binaryPath) {
     await disableStartupMacOS();
     const configDir = path.join(os.homedir(), '.config', 'forkoff-cli');
     if (!fs.existsSync(configDir)) {
-        fs.mkdirSync(configDir, { recursive: true });
+        fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
     }
     // Use the current node binary explicitly as the first ProgramArgument.
     // Users with nvm/fnm have node outside the default PATH, so launchd
@@ -218,9 +227,9 @@ async function enableStartupMacOS(binaryPath) {
     const plistPath = getPlistPath();
     const launchAgentsDir = path.dirname(plistPath);
     if (!fs.existsSync(launchAgentsDir)) {
-        fs.mkdirSync(launchAgentsDir, { recursive: true });
+        fs.mkdirSync(launchAgentsDir, { recursive: true, mode: 0o700 });
     }
-    fs.writeFileSync(plistPath, plist);
+    fs.writeFileSync(plistPath, plist, { mode: 0o600 });
     try {
         (0, child_process_1.execSync)(`launchctl load "${plistPath}"`, { stdio: 'pipe' });
     }

package/dist/terminal.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ interface TerminalSession {
     cwd: string;
 }
 declare class TerminalManager extends EventEmitter {
+    private static readonly MAX_SESSIONS;
     private sessions;
     private defaultShell;
     constructor();

package/dist/terminal.js CHANGED Viewed

@@ -38,6 +38,90 @@ const child_process_1 = require("child_process");
 const events_1 = require("events");
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
+function getSafeEnv() {
+    const sensitivePatterns = [
+        /^AWS_/i,
+        /^AZURE_/i,
+        /^GCP_/i,
+        /^GOOGLE_/i,
+        /SECRET/i,
+        /PASSWORD/i,
+        /PRIVATE_KEY/i,
+        /^SUPABASE_SERVICE/i,
+        /^DATABASE_URL$/i,
+        /^ADMIN_API_KEY$/i,
+        // Prevent code injection via environment variables
+        /^NODE_OPTIONS$/i,
+        /^NODE_EXTRA_CA_CERTS$/i,
+        /^LD_PRELOAD$/i,
+        /^LD_LIBRARY_PATH$/i,
+        /^DYLD_INSERT_LIBRARIES$/i,
+        /^DYLD_LIBRARY_PATH$/i,
+        /^ELECTRON_RUN_AS_NODE$/i,
+        // Language-specific code injection vectors
+        /^PYTHONPATH$/i,
+        /^PYTHONSTARTUP$/i,
+        /^RUBYLIB$/i,
+        /^PERL5LIB$/i,
+        /^PERL5OPT$/i,
+        /^JAVA_TOOL_OPTIONS$/i,
+        /^_JAVA_OPTIONS$/i,
+        // Git/SSH injection
+        /^GIT_SSH_COMMAND$/i,
+        /^GIT_EXEC_PATH$/i,
+        // Pager/editor injection
+        /^LESSOPEN$/i,
+        /^LESSCLOSE$/i,
+        // Shell startup injection
+        /^BASH_ENV$/i,
+        /^ENV$/i,
+        /^PROMPT_COMMAND$/i,
+        /^SHELLOPTS$/i,
+        // Field separator injection
+        /^IFS$/i,
+        // Editor/browser auto-launch injection
+        /^EDITOR$/i,
+        /^VISUAL$/i,
+        /^BROWSER$/i,
+        // Proxy injection (MITM child process HTTP traffic)
+        /^HTTPS?_PROXY$/i,
+        /^ALL_PROXY$/i,
+        /^NO_PROXY$/i,
+        // TLS verification bypass
+        /^SSL_CERT_FILE$/i,
+        /^SSL_CERT_DIR$/i,
+        /^NODE_TLS_REJECT_UNAUTHORIZED$/i,
+        // npm config injection
+        /^npm_config_/i,
+        // Pager injection (git, man, etc.)
+        /^PAGER$/i,
+        // Zsh startup injection
+        /^ZDOTDIR$/i,
+        // Curl config injection
+        /^CURL_HOME$/i,
+        // Third-party API keys (defense-in-depth for child processes)
+        /^OPENAI_/i,
+        /^ANTHROPIC_/i,
+        /^GITHUB_TOKEN$/i,
+        /^GITLAB_TOKEN$/i,
+        /^NPM_TOKEN$/i,
+        /^DOCKER_PASSWORD$/i,
+        /^SLACK_TOKEN$/i,
+        /^SLACK_BOT_TOKEN$/i,
+        /^SENDGRID_/i,
+        /^TWILIO_/i,
+        /^DATADOG_/i,
+        /TOKEN$/i,
+        /API_KEY$/i,
+    ];
+    const filtered = {};
+    for (const [key, value] of Object.entries(process.env)) {
+        if (!sensitivePatterns.some(pattern => pattern.test(key))) {
+            filtered[key] = value;
+        }
+    }
+    return filtered;
+}
 class TerminalManager extends events_1.EventEmitter {
     constructor() {
         super();
@@ -51,6 +135,14 @@ class TerminalManager extends events_1.EventEmitter {
         return process.env.SHELL || '/bin/bash';
     }
     createSession(terminalSessionId, cwd) {
+        // Evict oldest session if at cap (FIFO)
+        if (this.sessions.size >= TerminalManager.MAX_SESSIONS) {
+            const oldestKey = this.sessions.keys().next().value;
+            if (oldestKey) {
+                console.warn(`[Terminal] MAX_SESSIONS (${TerminalManager.MAX_SESSIONS}) reached, evicting oldest: ${oldestKey}`);
+                this.closeSession(oldestKey);
+            }
+        }
         // Default to home directory, not process.cwd()
         let resolvedCwd = cwd || os.homedir();
         // Resolve ~ to home directory
@@ -82,7 +174,7 @@ class TerminalManager extends events_1.EventEmitter {
             const shellArgs = isWindows ? ['/c', command] : ['-c', command];
             const proc = (0, child_process_1.spawn)(shell, shellArgs, {
                 cwd: session.cwd,
-                env: process.env,
+                env: getSafeEnv(),
                 shell: false,
             });
             let stdout = '';
@@ -166,6 +258,7 @@ class TerminalManager extends events_1.EventEmitter {
         }
     }
 }
+TerminalManager.MAX_SESSIONS = 50;
 exports.terminalManager = new TerminalManager();
 exports.default = exports.terminalManager;
 //# sourceMappingURL=terminal.js.map