poke-gate 0.2.0 → 0.2.2

package/README.md

@@ -241,7 +241,7 @@ Poke Gate supports three access modes that control what your agent can do:
 
 | Mode | Description |
 |------|-------------|
-| **Full** (default) | All tools available. Risky actions (commands, file writes, screenshots) require chat approval. |
+| **Full** (default) | All tools available with no approval required. The agent can run commands, write files, and take screenshots directly. |
 | **Limited** | Read-only tools plus a curated set of safe commands (`ls`, `cat`, `grep`, `curl`, etc.). `write_file` and `take_screenshot` are disabled. |
 | **Sandbox** | Broader command support than Limited, but writes are restricted to `~/Downloads` and `/tmp` via macOS `sandbox-exec`. |
 

package/clients/Poke macOS Gate/Poke macOS Gate/GateService.swift

@@ -32,9 +32,9 @@ class GateService: ObservableObject {
 
         var subtitle: String {
             switch self {
-            case .full: return "All tools are available, subject to chat approval."
-            case .limited: return "Safe tools and curated command families only."
-            case .sandbox: return "Broader command support, but strictly limited by macOS sandbox-exec policies."
+            case .full: return "All tools enabled. Risky actions require chat approval."
+            case .limited: return "Read-only tools and safe commands (ls, cat, grep, curl…). File writes and screenshots disabled."
+            case .sandbox: return "Commands like brew, node, python, ffmpeg allowed. Writes restricted to ~/Downloads and /tmp."
             }
         }
     }
@@ -91,6 +91,7 @@ class GateService: ObservableObject {
 
     @Published var status: Status = .stopped
     @Published var logs: [String] = []
+    @Published var processLogs: [String] = []
     @Published var terminalPreviews: [TerminalPreview] = []
     @Published var userName: String? = nil
     @Published var permissionMode: PermissionMode
@@ -108,10 +109,26 @@ class GateService: ObservableObject {
     private var activeTerminalPreviewId: UUID?
     private var permissionPollingTimer: Timer?
 
+    private var appActiveObserver: NSObjectProtocol?
+
     init() {
         self.permissionMode = Self.loadPermissionModeStatic()
         self.hasCompletedSetup = Self.loadHasCompletedSetupStatic()
         refreshSystemPermissions()
+
+        appActiveObserver = NotificationCenter.default.addObserver(
+            forName: NSApplication.didBecomeActiveNotification,
+            object: nil,
+            queue: .main
+        ) { [weak self] _ in
+            self?.refreshSystemPermissions()
+        }
+    }
+
+    deinit {
+        if let observer = appActiveObserver {
+            NotificationCenter.default.removeObserver(observer)
+        }
     }
 
     var hasSystemPermissionsGranted: Bool {
@@ -177,20 +194,24 @@ class GateService: ObservableObject {
         }
 
         let requested = missingSystemPermissions.map { $0.title }.joined(separator: ", ")
-        appendLog("Opening macOS settings for: \(requested).")
+        appendLog("Requesting macOS permissions: \(requested).")
 
         for permission in missingSystemPermissions {
-            guard let url = URL(string: permission.settingsURL) else { continue }
-            NSWorkspace.shared.open(url)
+            openSystemPermission(permission)
         }
-
-        appendLog("Opened Privacy settings for missing permissions.")
     }
 
     func refreshSystemPermissions() {
+        let previous = systemPermissionStatuses
         systemPermissionStatuses = SystemPermission.allCases.map { permission in
             SystemPermissionStatus(permission: permission, isGranted: isPermissionGranted(permission))
         }
+        for status in systemPermissionStatuses {
+            let was = previous.first(where: { $0.permission == status.permission })
+            if was == nil || was?.isGranted != status.isGranted {
+                appendLog("\(status.permission.title): \(status.isGranted ? "granted" : "not granted")")
+            }
+        }
     }
 
     func startPermissionPolling() {
@@ -208,8 +229,11 @@ class GateService: ObservableObject {
     }
 
     func openSystemPermission(_ permission: SystemPermission) {
-        guard let url = URL(string: permission.settingsURL) else { return }
-        NSWorkspace.shared.open(url)
+        switch permission {
+        case .accessibility:
+            let options = [kAXTrustedCheckOptionPrompt.takeUnretainedValue(): true] as CFDictionary
+            _ = AXIsProcessTrustedWithOptions(options)
+        }
     }
 
     func captureAndSend() {
@@ -466,11 +490,21 @@ class GateService: ObservableObject {
         outputPipe?.fileHandleForReading.readabilityHandler = nil
         process = nil
         outputPipe = nil
+        killOrphanedProcesses()
+    }
+
+    private func killOrphanedProcesses() {
+        let task = Process()
+        task.executableURL = URL(fileURLWithPath: "/usr/bin/pkill")
+        task.arguments = ["-f", "poke-gate"]
+        try? task.run()
+        task.waitUntilExit()
     }
 
     private func handleOutput(_ raw: String) {
         for line in raw.components(separatedBy: .newlines) where !line.isEmpty {
             appendLog(line)
+            appendProcessLog(line)
             parseTerminalPreviewLine(line)
 
             if line.contains("Tunnel connected") || line.contains("Ready") {
@@ -487,6 +521,15 @@ class GateService: ObservableObject {
         }
     }
 
+    private func appendProcessLog(_ line: String) {
+        let stripped = stripToolTimestamp(from: line)
+        guard !stripped.isEmpty else { return }
+        processLogs.append(stripped)
+        if processLogs.count > maxLogs {
+            processLogs.removeFirst(processLogs.count - maxLogs)
+        }
+    }
+
     private func handleTermination(exitCode: Int32) {
         appendLog("Process exited with code \(exitCode)")
         stopHealthCheck()
@@ -637,7 +680,19 @@ class GateService: ObservableObject {
     private func isPermissionGranted(_ permission: SystemPermission) -> Bool {
         switch permission {
         case .accessibility:
-            return AXIsProcessTrusted()
+            if AXIsProcessTrusted() { return true }
+            // AXIsProcessTrusted() can return false despite the toggle being ON
+            // in System Settings when the TCC entry's code signature doesn't match
+            // the running binary (ad-hoc signing, rebuild from Xcode, etc.).
+            // Probe the API directly as a fallback.
+            let systemWide = AXUIElementCreateSystemWide()
+            var value: AnyObject?
+            let result = AXUIElementCopyAttributeValue(
+                systemWide,
+                kAXFocusedApplicationAttribute as CFString,
+                &value
+            )
+            return result == .success || result == .noValue || result == .attributeUnsupported
         }
     }
 

package/clients/Poke macOS Gate/Poke macOS Gate/Poke_macOS_GateApp.swift

@@ -176,11 +176,7 @@ struct PopoverContent: View {
         VStack(alignment: .leading, spacing: 6) {
             sectionTitle("Recent activity")
 
-            if service.terminalPreviews.isEmpty {
-                Text("No activity yet")
-                    .font(.caption)
-                    .foregroundStyle(.secondary)
-            } else {
+            if !service.terminalPreviews.isEmpty {
                 ForEach(Array(service.terminalPreviews.suffix(4).enumerated()), id: \.element.id) { _, entry in
                     HStack(spacing: 6) {
                         Circle()
@@ -193,6 +189,18 @@ struct PopoverContent: View {
                             .truncationMode(.tail)
                     }
                 }
+            } else if !service.processLogs.isEmpty {
+                ForEach(Array(service.processLogs.suffix(4).enumerated()), id: \.offset) { _, entry in
+                    Text(entry)
+                        .font(.system(size: 9, design: .monospaced))
+                        .foregroundStyle(.tertiary)
+                        .lineLimit(1)
+                        .truncationMode(.tail)
+                }
+            } else {
+                Text("No activity yet")
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
             }
         }
         .frame(maxWidth: .infinity, alignment: .leading)
@@ -228,6 +236,11 @@ struct PopoverContent: View {
                 }
             }
 
+            Text(activeModeDescription)
+                .font(.caption2)
+                .foregroundStyle(.secondary)
+                .fixedSize(horizontal: false, vertical: true)
+
             if service.permissionMode == .full || pendingFullMode {
                 AccessibilityPermissionView(service: service)
             }
@@ -237,6 +250,18 @@ struct PopoverContent: View {
         .macPanelStyle(.neutral, cornerRadius: 12)
     }
 
+    private var activeModeDescription: String {
+        let mode = pendingFullMode ? GateService.PermissionMode.full : service.permissionMode
+        switch mode {
+        case .full:
+            return "All tools enabled. Risky actions require chat approval."
+        case .limited:
+            return "Read-only tools and safe commands only (ls, cat, grep, curl…). File writes and screenshots are disabled."
+        case .sandbox:
+            return "Broader commands (brew, node, python, ffmpeg…) but file writes restricted to ~/Downloads and /tmp via macOS sandbox."
+        }
+    }
+
     private var actionsSection: some View {
         HStack(spacing: 12) {
             ActionButton(icon: "text.alignleft", label: "Logs") {

package/clients/Poke macOS Gate/Poke macOS Gate/SettingsView.swift

@@ -44,6 +44,8 @@ struct SettingsView: View {
         }
         .padding(20)
         .frame(width: 430)
+        .onAppear { service.startPermissionPolling() }
+        .onDisappear { service.stopPermissionPolling() }
     }
 
     private var authenticationSection: some View {

package/clients/Poke macOS Gate/Poke macOS Gate.xcodeproj/project.pbxproj

@@ -174,7 +174,7 @@
 				COPY_PHASE_STRIP = NO;
 				DEAD_CODE_STRIPPING = YES;
 				DEBUG_INFORMATION_FORMAT = dwarf;
-				DEVELOPMENT_TEAM = RJA7656U34;
+				DEVELOPMENT_TEAM = "";
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
@@ -240,7 +240,7 @@
 				COPY_PHASE_STRIP = NO;
 				DEAD_CODE_STRIPPING = YES;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
-				DEVELOPMENT_TEAM = RJA7656U34;
+				DEVELOPMENT_TEAM = "";
 				ENABLE_NS_ASSERTIONS = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
@@ -272,7 +272,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1;
 				DEAD_CODE_STRIPPING = YES;
-				DEVELOPMENT_TEAM = RJA7656U34;
+				DEVELOPMENT_TEAM = "";
 				ENABLE_APP_SANDBOX = NO;
 				ENABLE_HARDENED_RUNTIME = NO;
 				ENABLE_PREVIEWS = YES;
@@ -286,7 +286,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 15.0;
-				MARKETING_VERSION = 0.1.8;
+				MARKETING_VERSION = 0.2.1;
 				PRODUCT_BUNDLE_IDENTIFIER = "dev.fka.Poke-macOS-Gate";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;
@@ -322,7 +322,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 15.0;
-				MARKETING_VERSION = 0.1.9;
+				MARKETING_VERSION = 0.2.1;
 				PRODUCT_BUNDLE_IDENTIFIER = "dev.fka.Poke-macOS-Gate";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				REGISTER_APP_GROUPS = YES;

package/docs/security.md

@@ -10,7 +10,7 @@ Poke Gate supports three access modes that control what tools your agent can use
 
 ### Full (default)
 
-All tools are available. Risky actions (`run_command`, `write_file`, `take_screenshot`) require **chat approval** — the agent must ask you in chat before executing, and you approve with a signed token.
+All tools are available with no approval required. The agent can run commands, write files, and take screenshots directly.
 
 ### Limited
 
@@ -48,13 +48,15 @@ POKE_GATE_PERMISSION_MODE=sandbox npx poke-gate
 
 ## Tool approval flow
 
-In **full** mode, risky tools (`run_command`, `write_file`, `take_screenshot`) use an HMAC-signed approval flow:
+In **limited** and **sandbox** modes, risky tools (`run_command`, `write_file`, `take_screenshot`) use an HMAC-signed approval flow:
 
 1. The agent calls the tool — Poke Gate returns `AWAITING_APPROVAL` with a signed token
 2. The agent asks you in chat to approve
 3. You approve — the agent re-calls the tool with the approval token
 4. Optionally, you can `remember_in_session` (same command) or `remember_all_risky` (all risky tools for the session)
 
+In **full** mode, all tools execute directly without approval.
+
 ## What protects you
 
 - **Authentication** — only your Poke agent (authenticated via Poke OAuth) can reach the tunnel

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "poke-gate",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Expose your machine to your Poke AI assistant via MCP tunnel",
   "type": "module",
   "bin": {

package/src/app.js

@@ -2,10 +2,23 @@ import { startMcpServer, enableLogging, getPermissionMode } from "./mcp-server.j
 import { startTunnel } from "./tunnel.js";
 import { startAgentScheduler, stopAgentScheduler } from "./agents.js";
 import { Poke, isLoggedIn, login, getToken } from "poke";
+import { execSync } from "node:child_process";
 
 const verbose = process.argv.includes("--verbose") || process.argv.includes("-v");
 enableLogging(verbose);
 
+function killExistingInstances() {
+  const myPid = process.pid;
+  try {
+    const out = execSync("pgrep -f 'poke-gate'", { encoding: "utf-8" }).trim();
+    const pids = out.split("\n").map(Number).filter((p) => p && p !== myPid);
+    for (const pid of pids) {
+      try { process.kill(pid, "SIGTERM"); } catch {}
+    }
+    if (pids.length > 0) log(`Killed ${pids.length} existing poke-gate process(es).`);
+  } catch {}
+}
+
 function log(msg) {
   const ts = new Date().toISOString().slice(11, 19);
   console.log(`[${ts}] ${msg}`);
@@ -102,6 +115,7 @@ function scheduleReconnect(mcpUrl, token) {
 }
 
 async function main() {
+  killExistingInstances();
   log("poke-gate starting...");
   log(`Access mode: ${getPermissionMode()}`);
 
@@ -115,14 +129,38 @@ async function main() {
   await connectWithRetry(mcpUrl, token);
 }
 
+function buildAccessModeMessage(mode) {
+  switch (mode) {
+    case "limited":
+      return (
+        "Access mode: Limited. " +
+        "You can read files, list directories, and run safe read-only commands (ls, cat, grep, curl, jq…). " +
+        "You cannot write files, take screenshots, or run other commands."
+      );
+    case "sandbox":
+      return (
+        "Access mode: Sandbox. " +
+        "You can read files, list directories, and run commands like brew, node, python, ffmpeg, curl, and more. " +
+        "File writes are restricted to ~/Downloads and /tmp by macOS sandbox. Screenshots are disabled."
+      );
+    default:
+      return (
+        "Access mode: Full. " +
+        "You can run any shell command, read and write files, list directories, take screenshots, and check system info. " +
+        "Use the tools directly whenever needed — no approval required."
+      );
+  }
+}
+
 async function notifyPoke(connectionId, token) {
   try {
+    const mode = getPermissionMode();
     const poke = new Poke({ token });
     await poke.sendMessage(
       `Hey! I've connected my computer to you via Poke Gate (tunnel: ${connectionId}). ` +
-      `You can now run commands, read and write files, list directories, take screenshots, and check system info on my machine. ` +
-      `Just use the tools whenever I ask you to do something on my computer.` +
-      `Now reply me with "now I am connected to your computer" but everytime write those replies in most creativev fun way.`
+      `${buildAccessModeMessage(mode)} ` +
+      `Just use the tools whenever I ask you to do something on my computer. ` +
+      `Now reply me with "now I am connected to your computer" but everytime write those replies in most creative fun way.`
     );
     log("Notified Poke agent about connection.");
   } catch (err) {

package/src/mcp-server.js

@@ -565,7 +565,7 @@ function handleToolCall(name, args, context = {}) {
     return blocked;
   }
 
-  if (permissionService.isRisky(name)) {
+  if (PERMISSION_MODE !== "full" && permissionService.isRisky(name)) {
     const commandText = typeof cleanArgs.command === "string" ? cleanArgs.command : "";
     const alreadyAllowed = sessionAutoApproveAllRisky.has(sessionId) ||
       (commandText && permissionService.isAllowedBySessionPattern(sessionId, commandText));