wrap_it_ruby 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: bcdd8a5fa91589bc96243a96ae809d92cbe0f585ab9a58175213644fe1cd798a
+  data.tar.gz: 2199f6305cba48c81d659cedeeafc31d1a95c73380a94601dcd182bc8520deea
+SHA512:
+  metadata.gz: 2818a78eab5310065a3b4b90bc712778db8c5c5b19db5cfd2e175a12761bc2233efa0a194bf20575695030c837e263a241861d13cb489efb87e15ed503d58b3e
+  data.tar.gz: 9f9cf00ff131d17f691599527468b9686b8751a6c9748d849c25ff5ef70d8894fe1e9d2d790d39a9d5d3bb4424e9f9d9a5abc938333e985582d820c052f3e379

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler/setup"
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+  t.verbose = false
+end
+
+task default: :test

data/app/assets/javascripts/wrap_it_ruby/interception.js

@@ -0,0 +1,172 @@
+// interception.js — Injected into proxied HTML by ScriptInjectionMiddleware.
+//
+// Rewrites cross-origin URLs through /_proxy/{host} and stamps
+// X-Proxy-Host on fetch/XHR so RootRelativeProxyMiddleware can route
+// root-relative requests.
+//
+// Intercepts: fetch, XMLHttpRequest, WebSocket, EventSource,
+//             <a> clicks, <form> submissions.
+//
+(function (window) {
+  'use strict';
+
+  var PROXY_BASE = '/_proxy';
+
+  console.log('[interception]', 'loaded');
+
+  var _fetch        = window.fetch;
+  var _XHR          = window.XMLHttpRequest;
+  var _xhrOpen      = _XHR.prototype.open;
+  var _xhrSend      = _XHR.prototype.send;
+  var _xhrSetHeader = _XHR.prototype.setRequestHeader;
+  var _WebSocket    = window.WebSocket;
+  var _EventSource  = window.EventSource;
+
+  const PROXY_HOST = window.__proxyHost;
+
+  const rewriteUrl = (url) => {
+    if (typeof url !== 'string') return url
+    try {
+      const parsed = new URL(url)
+      if (parsed.host === window.__hostingSite) return url
+      return `/_proxy/${parsed.host}${parsed.pathname}${parsed.search}${parsed.hash}`
+    } catch {
+      return url
+    }
+  }
+
+  // =========================== Navigation ====================================
+  //
+  document.addEventListener('click', (event) => {
+    const link = event.target.closest('a')
+    if (!link) return
+
+    const raw = link.getAttribute('href')
+    const url = raw.startsWith('/') ? `/_proxy/${window.__proxyHost}${raw}` : rewriteUrl(raw)
+
+    event.preventDefault()
+    window.location.href = url
+  }, true)
+
+  document.addEventListener('submit', (event) => {
+    event.preventDefault()
+    const form = event.target
+    const raw = form.getAttribute('action') || ''
+    const url = raw.startsWith('/') ? `/_proxy/${window.__proxyHost}${raw}` : rewriteUrl(raw)
+
+    form.setAttribute('action', url)
+    event.target.submit()
+  }, true)
+
+  //document.addEventListener('submit', (event) => {
+  //  event.preventDefault()
+  //  const form = event.target
+  //  const raw = form.getAttribute('action') || ''
+  //  const url = raw.startsWith('/') ? `/_proxy/${window.__proxyHost}${raw}` : rewriteUrl(raw)
+
+  //  fetch(url, { method: form.method || 'POST', body: new FormData(form) })
+  //    .then(res => res.text())
+  //    .then(html => document.documentElement.innerHTML = html)
+  //}, true)
+
+  //document.addEventListener('click', (event) => {
+  //  const link = event.target.closest('a')
+  //  if (!link) return
+
+  //  event.preventDefault()
+  //  const raw = link.getAttribute('href')
+  //  console.log('[interception] click', { raw })
+
+  //  // Relative URLs need the proxy prefix added
+  //  const url = raw.startsWith('/') ? `/_proxy/${window.__proxyHost}${raw}` : rewriteUrl(raw)
+
+  //  fetch(url)
+  //    .then(res => res.text())
+  //    .then(html => document.documentElement.innerHTML = html)
+  //}, true)
+
+  // ============================== fetch ======================================
+
+  window.fetch = (input, init = {}) => {
+    const isReq = input instanceof Request
+    const url = isReq ? input.url : String(input instanceof URL ? input.href : input)
+
+    const headers = new Headers(init.headers || (isReq ? input.headers : {}))
+    headers.set('x-proxy-host', '_proxy')
+
+    const newInit = {
+      method: init.method || (isReq ? input.method : 'GET'),
+      headers,
+      body: 'body' in init ? init.body : (isReq ? input.body : null),
+    }
+
+    const passthrough = ['credentials', 'mode', 'cache', 'redirect', 'referrer',
+      'referrerPolicy', 'integrity', 'keepalive', 'signal']
+    for (const key of passthrough) {
+      if (key in init) newInit[key] = init[key]
+    }
+
+    if (newInit.body instanceof ReadableStream) newInit.duplex = 'half'
+
+    return _fetch.call(window, rewriteUrl(url), newInit).catch((err) => {
+      console.warn('Proxied fetch failed, retrying without modifications:', err)
+      return _fetch.call(window, input, init)
+    })
+  }
+
+  // =========================== XMLHttpRequest ================================
+
+  // Patch open() to stash the original args — we need them to re-open
+  // with a rewritten URL since XHR won't let you change it after open()
+  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
+    this._proxyMeta = { method, url: String(url), openArgs: rest }
+    return _xhrOpen.call(this, method, url, ...rest)
+  }
+
+  XMLHttpRequest.prototype.send = function (body) {
+    const meta = this._proxyMeta
+    if (!meta) return _xhrSend.call(this, body)
+
+    const rewritten = rewriteUrl(meta.url)
+
+    // If the URL changed, we have to re-call open() with the new URL
+    if (rewritten !== meta.url) {
+      _xhrOpen.call(this, meta.method, rewritten, ...meta.openArgs)
+    }
+
+    _xhrSetHeader.call(this, 'x-proxy-host', '_proxy')
+    return _xhrSend.call(this, body)
+  }
+
+  // ============================= WebSocket ===================================
+
+  //window.WebSocket = function (url, protocols) {
+  //  var req = { type: 'websocket', url: rewriteUrl(url), originalUrl: url,
+  //              method: 'GET', headers: {}, body: null };
+  //  runRequestHooks(req);
+  //  if (protocols !== undefined) return new _WebSocket(req.url, protocols);
+  //  return new _WebSocket(req.url);
+  //};
+  //window.WebSocket.prototype  = _WebSocket.prototype;
+  //window.WebSocket.CONNECTING = _WebSocket.CONNECTING;
+  //window.WebSocket.OPEN       = _WebSocket.OPEN;
+  //window.WebSocket.CLOSING    = _WebSocket.CLOSING;
+  //window.WebSocket.CLOSED     = _WebSocket.CLOSED;
+
+  //// ============================ EventSource ==================================
+
+  //if (_EventSource) {
+  //  window.EventSource = function (url, dict) {
+  //    var raw = typeof url === 'string' ? url : url.href;
+  //    var req = { type: 'eventsource', url: rewriteUrl(raw), originalUrl: raw,
+  //                method: 'GET', headers: {}, body: null };
+  //    runRequestHooks(req);
+  //    return new _EventSource(req.url, dict);
+  //  };
+  //  window.EventSource.prototype  = _EventSource.prototype;
+  //  window.EventSource.CONNECTING = _EventSource.CONNECTING;
+  //  window.EventSource.OPEN       = _EventSource.OPEN;
+  //  window.EventSource.CLOSED     = _EventSource.CLOSED;
+  //}
+
+})(window);

data/app/assets/stylesheets/wrap_it_ruby/application.css

@@ -0,0 +1,52 @@
+/*
+ * WrapItRuby engine styles — full layout + iframe proxy.
+ */
+
+html, body {
+  height: 100%;
+  margin: 0;
+  background-color: white;
+}
+
+#site-wrapper {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+  width: 100%;
+
+  #site-menu {
+    .ui.menu {
+      border: none;
+    }
+  }
+
+  #site-content {
+    flex-grow: 1;
+    margin: 7px;
+    margin-top: 0px;
+    border-radius: 15px;
+    background-color: grey;
+    overflow: hidden;
+  }
+}
+
+#proxy-content {
+  height: 100%;
+
+  .iframe-wrapper {
+    height: 100%;
+    position: relative;
+
+    iframe {
+      border: 0;
+      display: block;
+      position: absolute;
+      width: 100%;
+      height: 100%;
+      top: 0;
+      bottom: 0;
+      left: 0;
+      right: 0;
+    }
+  }
+}

data/app/controllers/wrap_it_ruby/application_controller.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  class ApplicationController < ::ApplicationController
+    include WrapItRuby::Menu
+
+    layout "wrap_it_ruby/application"
+  end
+end

data/app/controllers/wrap_it_ruby/home_controller.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  class HomeController < ApplicationController
+    before_action :authenticate_user!
+
+    def index
+    end
+  end
+end

data/app/controllers/wrap_it_ruby/proxy_controller.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  class ProxyController < ApplicationController
+    before_action :authenticate_user!
+
+    def show
+      get_menu_item.then do |menu_item|
+        target_path   = request.path.delete_prefix(menu_item["route"])
+        target_domain = menu_item["url"]
+
+        target_url  = "#{target_domain}/#{target_path}"
+        @iframe_src = "/_proxy/#{target_url}"
+      end
+    end
+
+    private
+
+      def get_menu_item
+        path = request.path
+        all_proxy_menu_items.find { |item| path.start_with?(item["route"]) }
+      end
+  end
+end

data/app/helpers/wrap_it_ruby/iframe_helper.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  module IframeHelper
+    def iframe(**)
+      tag.div(class: "iframe-wrapper") do
+        tag.iframe(**)
+      end
+    end
+  end
+end

data/app/helpers/wrap_it_ruby/menu_helper.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  # View helper that exposes menu_config and related queries to templates.
+  # Delegates to WrapItRuby::Menu for the actual loading logic.
+  module MenuHelper
+    include WrapItRuby::Menu
+  end
+end

data/app/javascript/wrap_it_ruby/controllers/iframe_proxy_controller.js

@@ -0,0 +1,87 @@
+// wrap_it_ruby/controllers/iframe_proxy_controller.js
+//
+// Manages browser history <-> iframe URL synchronisation.
+//
+// The proxy host and route segment differ:
+//   iframe:  /_proxy/github.com/n-at-han-k
+//   browser: /github/n-at-han-k
+//
+// `host` is used when working with iframe paths (github.com)
+// `current` is used when building browser paths (github)
+//
+// - History sync:  on iframe load, translates the /_proxy prefixed
+//                  iframe path back to the browser path and pushes state.
+// - Breakout:      if navigation inside the iframe lands on a path
+//                  belonging to a DIFFERENT menu route, Turbo.visit
+//                  swaps the frame to the new route.
+//
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static values = {
+    paths:   Array,   // iframe menu paths, e.g. ["/grafana", "/argocd"]
+    current: String,  // route segment, e.g. "github"
+    host:    String,  // proxy host, e.g. "github.com"
+  }
+
+  connect() {
+    this.element.addEventListener("load", this.onLoad)
+    window.addEventListener("popstate", this.onPopstate)
+  }
+
+  disconnect() {
+    this.element.removeEventListener("load", this.onLoad)
+    window.removeEventListener("popstate", this.onPopstate)
+  }
+
+  onLoad = () => {
+    const { pathname, search } = this.element.contentWindow.location
+    if (pathname === "about:blank") return
+
+    const iframePath = pathname + search
+    const breakout = this.#detectBreakout(iframePath)
+
+    if (breakout) {
+      Turbo.visit(breakout, { action: "advance" })
+    } else {
+      this.#syncHistory(iframePath)
+    }
+  }
+
+  onPopstate = (event) => {
+    const src = event.state?.iframeSrc
+    if (src) this.element.contentWindow.location.replace(src)
+  }
+
+  // ---- private ----
+
+  // iframe path: /_proxy/github.com/n-at-han-k/repo
+  // Extract the host from the proxy path and check if it belongs to
+  // a different menu route.
+  #detectBreakout(iframePath) {
+    if (!iframePath.startsWith("/_proxy/")) return null
+
+    // Pull the host out: "github.com"
+    const afterProxy = iframePath.slice("/_proxy/".length)
+    const iframeHost = afterProxy.split("/")[0]
+
+    if (iframeHost === this.hostValue) return null
+
+    // Check if this host belongs to another menu route
+    // (would need host->route mapping; skip for now)
+    return null
+  }
+
+  #syncHistory(iframePath) {
+    const proxyBase = `/_proxy/${this.hostValue}`
+    const subPath = iframePath.startsWith(proxyBase)
+      ? iframePath.slice(proxyBase.length)
+      : iframePath
+
+    const browserPath = `/${this.currentValue}${subPath}`
+
+    if (browserPath !== window.location.pathname + window.location.search) {
+      history.pushState({ iframeSrc: iframePath }, "", browserPath)
+    }
+  }
+}

data/app/views/wrap_it_ruby/home/index.html.erb

@@ -0,0 +1 @@
+<p>Welcome, <%= current_user&.display_name || current_user&.uid %>.</p>

data/app/views/wrap_it_ruby/layouts/application.html.erb

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title><%= content_for(:title) || site_title %></title>
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <meta name="apple-mobile-web-app-capable" content="yes">
+    <meta name="application-name" content="<%= site_title %>">
+    <meta name="mobile-web-app-capable" content="yes">
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= yield :head %>
+
+    <link rel="icon" href="/icon.png" type="image/png">
+    <link rel="icon" href="/icon.svg" type="image/svg+xml">
+    <link rel="apple-touch-icon" href="/icon.png">
+
+    <%= stylesheet_link_tag "semantic.min.css", "data-turbo-track": "reload" %>
+    <%= stylesheet_link_tag "wrap_it_ruby/application", "data-turbo-track": "reload" %>
+    <%= fui_javascript_tags %>
+    <%= javascript_importmap_tags %>
+  </head>
+
+  <body>
+    <div id="site-wrapper">
+      <div id="site-menu"><%= render "wrap_it_ruby/shared/navbar" %></div>
+      <div id="site-content"><%= yield %></div>
+    </div>
+  </body>
+</html>

data/app/views/wrap_it_ruby/proxy/show.html.ruby

@@ -0,0 +1,5 @@
+output_buffer << turbo_frame_tag("proxy-content") do
+  tag.div(class: 'iframe-wrapper') do
+    tag.iframe( src: @iframe_src )
+  end
+end

data/app/views/wrap_it_ruby/shared/_navbar.html.ruby

@@ -0,0 +1,11 @@
+Menu(attached: true) {
+  WrapItRuby::Menu.menu_config.each do |group|
+    if group["items"]
+      group["items"].each do |item|
+        MenuItem(href: item["route"]) { text item["label"] }
+      end
+    else
+      MenuItem(href: group["route"]) { text group["label"] }
+    end
+  end
+}

data/config/importmap.rb

@@ -0,0 +1,6 @@
+# Importmap pins for the WrapItRuby engine.
+# These get merged into the host app's importmap via the engine initializer.
+
+pin_all_from WrapItRuby::Engine.root.join("app/javascript/wrap_it_ruby/controllers"),
+  under: "controllers/wrap_it_ruby",
+  to: "wrap_it_ruby/controllers"

data/config/routes.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+WrapItRuby::Engine.routes.draw do
+  root "home#index"
+
+  get "/*path", to: "proxy#show", constraints: ->(req) {
+    WrapItRuby::Menu.proxy_paths.any? { |p| req.path.start_with?(p) }
+  }
+end

data/lib/generators/wrap_it_ruby/install/install_generator.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Install WrapItRuby into the host application"
+
+      def copy_menu_config
+        template "menu.yml", "config/menu.yml"
+      end
+
+      def mount_engine_routes
+        route 'mount WrapItRuby::Engine, at: "/"'
+      end
+
+      def show_post_install_message
+        say ""
+        say "WrapItRuby installed!", :green
+        say ""
+        say "  1. Edit config/menu.yml to configure your proxy routes"
+        say "  2. Make sure your ApplicationController defines authenticate_user!"
+        say "  3. Include wrap_it_ruby/application.css in your stylesheet"
+        say ""
+      end
+    end
+  end
+end

data/lib/generators/wrap_it_ruby/install/templates/menu.yml

@@ -0,0 +1,16 @@
+# config/menu.yml
+#
+# Menu configuration for WrapItRuby.
+#
+# route: local path in this app (e.g. /grafana)
+# url:   upstream host to proxy (e.g. grafana.example.com)
+#
+# type:
+#   proxy   - proxied service rendered inside an iframe
+#   link    - standard navigation within the app
+
+- label: Example
+  route: /example
+  url: example.com
+  icon: globe
+  type: proxy

data/lib/wrap_it_ruby/engine.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "wrap_it_ruby/middleware/proxy_middleware"
+require "wrap_it_ruby/middleware/root_relative_proxy_middleware"
+require "wrap_it_ruby/middleware/script_injection_middleware"
+
+module WrapItRuby
+  class Engine < ::Rails::Engine
+    isolate_namespace WrapItRuby
+
+    # Insert proxy middleware early — before Rails routing — so /_proxy/*
+    # requests never hit ActionDispatch at all.
+    #
+    # Order: RootRelativeProxy -> ScriptInjection -> Proxy
+    #   1. RootRelativeProxy rewrites root-relative paths to /_proxy/{host}
+    #   2. ScriptInjection strips Accept-Encoding, passes to Proxy,
+    #      then injects <base> + interception.js into HTML responses
+    #   3. Proxy does the actual upstream proxying
+    initializer "wrap_it_ruby.middleware" do |app|
+      app.middleware.insert_before ActionDispatch::Static, WrapItRuby::Middleware::RootRelativeProxyMiddleware
+      app.middleware.insert_after  WrapItRuby::Middleware::RootRelativeProxyMiddleware, WrapItRuby::Middleware::ScriptInjectionMiddleware
+      app.middleware.insert_after  WrapItRuby::Middleware::ScriptInjectionMiddleware,   WrapItRuby::Middleware::ProxyMiddleware
+    end
+
+    # Register importmap pins for the Stimulus controller
+    initializer "wrap_it_ruby.importmap", before: "importmap" do |app|
+      if app.config.respond_to?(:importmap)
+        app.config.importmap.paths << Engine.root.join("config/importmap.rb")
+        app.config.importmap.cache_sweepers << Engine.root.join("app/javascript")
+      end
+    end
+
+    # Add engine assets to the asset load path (for propshaft/sprockets)
+    initializer "wrap_it_ruby.assets" do |app|
+      app.config.assets.paths << Engine.root.join("app/assets/javascripts")
+      app.config.assets.paths << Engine.root.join("app/assets/stylesheets")
+    end
+  end
+end

data/lib/wrap_it_ruby/menu.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module WrapItRuby
+  # Loads and queries the menu configuration from the host app's
+  # config/menu.yml file.
+  #
+  # Can be used as a module (extend self) or included in controllers/helpers.
+  #
+  module Menu
+    def menu_config = load_menu
+
+    def all_menu_items
+      menu_config.flat_map { |item| [item, *item.fetch("items", [])] }
+    end
+
+    def all_proxy_menu_items
+      all_menu_items.select { |item| item["type"] == "proxy" }
+    end
+
+    def proxy_paths
+      all_menu_items
+        .select { |item| item["type"] == "proxy" }
+        .map    { |item| item["route"] }
+    end
+
+    extend self
+
+    private
+
+      def menu_file
+        Rails.root.join("config/menu.yml")
+      end
+
+      def load_menu
+        @menu_config ||= YAML.load_file(menu_file)
+      end
+  end
+end

data/lib/wrap_it_ruby/middleware/proxy_middleware.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+require "async/http/client"
+require "async/http/endpoint"
+require "async/websocket/adapters/rack"
+
+module WrapItRuby
+  module Middleware
+    # Rack middleware that proxies /_proxy/{host}/{path} to the upstream host.
+    #
+    # Strips frame-blocking headers so responses render inside an iframe.
+    # Rewrites Location headers so redirects stay within the proxy.
+    # Detects WebSocket upgrades and pipes frames bidirectionally.
+    #
+    class ProxyMiddleware
+      PATTERN = %r{\A/_proxy/(?<host>[^/]+)(?<path>/.*)?\z}
+
+      HOP_HEADERS = %w[
+        connection
+        keep-alive
+        proxy-authenticate
+        proxy-authorization
+        te
+        trailers
+        transfer-encoding
+        upgrade
+      ].freeze
+
+      def initialize(app)
+        @app     = app
+        @clients = {}
+      end
+
+      def call(env)
+        PATTERN.match(env["PATH_INFO"].to_s).then do |match|
+          if match
+            host = match[:host]
+            path = match[:path] || "/"
+
+            if websocket?(env)
+              proxy_websocket(env, host, path)
+            else
+              proxy_http(env, host, path)
+            end
+          else
+            @app.call(env)
+          end
+        end
+      end
+
+      private
+
+      # ---- HTTP ----
+
+      def proxy_http(env, host, path)
+        client = client_for(host)
+
+        query     = env["QUERY_STRING"]
+        full_path = query && !query.empty? ? "#{path}?#{query}" : path
+        headers   = forwarded_headers(env, host)
+        body      = read_body(env)
+
+        request = Protocol::HTTP::Request.new(
+          "https", host, env["REQUEST_METHOD"], full_path, nil, headers, body
+        )
+
+        response = client.call(request)
+
+        rack_body = Enumerator.new do |y|
+          while (chunk = response.body&.read)
+            y << chunk
+          end
+        ensure
+          response.body&.close
+        end
+
+        rack_headers = strip_headers(response.headers, host)
+        [response.status, rack_headers, rack_body]
+      end
+
+      # ---- WebSocket ----
+
+      def websocket?(env)
+        Async::WebSocket::Adapters::Rack.websocket?(env)
+        false
+      end
+
+      # ---- Helpers ----
+
+      def client_for(host)
+        @clients[host] ||= Async::HTTP::Client.new(
+          Async::HTTP::Endpoint.parse("https://#{host}"),
+          retries: 0
+        )
+      end
+
+      def forwarded_headers(env, host)
+        headers = Protocol::HTTP::Headers.new
+
+        env.each do |key, value|
+          next unless key.start_with?("HTTP_")
+          name = key.delete_prefix("HTTP_").downcase.tr("_", "-")
+          next if name == "host" || HOP_HEADERS.include?(name)
+          headers.add(name, value)
+        end
+
+        headers.add("content-type", env["CONTENT_TYPE"])     if env["CONTENT_TYPE"]
+        headers.add("content-length", env["CONTENT_LENGTH"]) if env["CONTENT_LENGTH"]
+        headers.add("host", host)
+
+        headers
+      end
+
+      def strip_headers(upstream_headers, host)
+        result = {}
+        upstream_headers.each do |name, value|
+          key = name.downcase
+          next if key == "x-frame-options"
+          next if key == "content-security-policy"
+          next if key == "content-security-policy-report-only"
+          next if key == "content-encoding"
+          next if HOP_HEADERS.include?(key)
+          result[name] = value
+        end
+
+        # Rewrite Location headers so redirects stay within the proxy
+        if (location = result["location"] || result["Location"])
+          result_key = result.key?("location") ? "location" : "Location"
+          begin
+            uri = URI.parse(location)
+            if uri.host == host || uri.host&.end_with?(".#{host}")
+              redirect_host = uri.host || host
+              result[result_key] = "/_proxy/#{redirect_host}#{uri.path}#{"?#{uri.query}" if uri.query}"
+            elsif uri.relative?
+              result[result_key] = "/_proxy/#{host}#{location}"
+            end
+          rescue URI::InvalidURIError
+            # leave it alone
+          end
+        end
+
+        result
+      end
+
+      def read_body(env)
+        input = env["rack.input"]
+        return nil unless input
+        body = input.read
+        input.rewind rescue nil
+        body && !body.empty? ? Protocol::HTTP::Body::Buffered.wrap(body) : nil
+      end
+    end
+  end
+end

data/lib/wrap_it_ruby/middleware/root_relative_proxy_middleware.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  module Middleware
+    # Handles root-relative requests (e.g. /logo.png, /api/data) that originate
+    # from within a proxied iframe page.
+    #
+    # Detects the proxy host from two sources (in priority order):
+    #
+    #   1. X-Proxy-Host header -- set by the interception script on fetch/XHR.
+    #      Signals the request came from inside the proxy. The actual upstream
+    #      host is resolved from the Referer header.
+    #
+    #   2. Referer header -- contains /_proxy/{host}/... for requests where the
+    #      browser sends the full path. Works for both scripted requests and
+    #      asset loads (<img>, <link>, <script>).
+    #
+    # Rewrites PATH_INFO to /_proxy/{host}{path} so ProxyMiddleware handles it.
+    # Must be inserted BEFORE ProxyMiddleware in the Rack stack.
+    #
+    class RootRelativeProxyMiddleware
+      PROXY_PREFIX = "/_proxy"
+      PROXY_HOST_HEADER = "HTTP_X_PROXY_HOST"
+      REFERER_PATTERN = %r{/_proxy/(?<host>[^/]+)}
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        path = env["PATH_INFO"].to_s
+
+        unless path.start_with?(PROXY_PREFIX)
+          host = extract_proxy_host(env)
+          if host
+            env["PATH_INFO"] = "#{PROXY_PREFIX}/#{host}#{path}"
+          end
+        end
+
+        @app.call(env)
+      end
+
+      private
+
+      def extract_proxy_host(env)
+        referer = env["HTTP_REFERER"]
+        match = REFERER_PATTERN.match(referer) if referer
+        match[:host] if match
+      end
+    end
+  end
+end

data/lib/wrap_it_ruby/middleware/script_injection_middleware.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  module Middleware
+    # Injects interception.js inline into HTML responses from the proxy.
+    #
+    # - Strips Accept-Encoding from proxy requests so upstream sends
+    #   uncompressed HTML (avoids decompress/recompress just to inject).
+    # - Buffers HTML responses and injects the script as the first child
+    #   of <head>.
+    # - Extracts the proxy host from PATH_INFO and injects it as
+    #   window.__proxyHost so the script works even when the browser URL
+    #   doesn't contain /_proxy/ (e.g. after root-relative navigation).
+    # - Injects window.__hostingSite so the interception script knows
+    #   which host is the proxy server itself.
+    # - Reads the script file once and caches it.
+    #
+    class ScriptInjectionMiddleware
+      PROXY_PREFIX = "/_proxy/"
+      SCRIPT_FILE  = File.expand_path("../../../app/assets/javascripts/wrap_it_ruby/interception.js", __dir__).freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        path = env["PATH_INFO"].to_s
+
+        if path.start_with?(PROXY_PREFIX)
+          host = path.delete_prefix(PROXY_PREFIX).split("/", 2).first
+          hosting_site = env["HTTP_HOST"]
+
+          env.delete("HTTP_ACCEPT_ENCODING")
+          status, headers, body = @app.call(env)
+
+          if html_response?(headers)
+            body = inject_script(body, headers, host, hosting_site)
+          end
+
+          [status, headers, body]
+        else
+          @app.call(env)
+        end
+      end
+
+      private
+
+      def script_source
+        @script_source ||= File.read(SCRIPT_FILE)
+      end
+
+      def html_response?(headers)
+        ct = headers["content-type"] || headers["Content-Type"] || ""
+        ct.include?("text/html")
+      end
+
+      def inject_script(body, headers, host, hosting_site)
+        html = +""
+        body.each { |chunk| html << chunk }
+        body.close if body.respond_to?(:close)
+        html.force_encoding("UTF-8")
+
+        tag = "<base href=\"/_proxy/#{host}/\">" \
+          "<script>" \
+          "window.__proxyHost=#{host.to_json};" \
+          "window.__hostingSite=#{hosting_site.to_json};" \
+          "#{script_source}" \
+          "</script>"
+
+        unless html.sub!(%r{(<head[^>]*>)}i, "\\1#{tag}")
+          html.prepend(tag)
+        end
+
+        headers.delete("content-length")
+        headers["content-length"] = html.bytesize.to_s
+        [html]
+      end
+    end
+  end
+end

data/lib/wrap_it_ruby/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module WrapItRuby
+  VERSION = "0.1.0"
+end

data/lib/wrap_it_ruby.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require "wrap_it_ruby/version"
+require "wrap_it_ruby/engine"
+
+module WrapItRuby
+end

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: wrap_it_ruby
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Nathan Kidd
+bindir: bin
+cert_chain: []
+date: 1980-01-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: importmap-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: stimulus-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: async-http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: async-websocket
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails-active-ui
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Wraps upstream web applications in an iframe via a same-origin reverse
+  proxy. Provides Rack middleware for proxying, script injection, and root-relative
+  URL rewriting, plus Stimulus controllers for browser history synchronisation.
+email:
+- nathankidd@hey.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Rakefile
+- app/assets/javascripts/wrap_it_ruby/interception.js
+- app/assets/stylesheets/wrap_it_ruby/application.css
+- app/controllers/wrap_it_ruby/application_controller.rb
+- app/controllers/wrap_it_ruby/home_controller.rb
+- app/controllers/wrap_it_ruby/proxy_controller.rb
+- app/helpers/wrap_it_ruby/iframe_helper.rb
+- app/helpers/wrap_it_ruby/menu_helper.rb
+- app/javascript/wrap_it_ruby/controllers/iframe_proxy_controller.js
+- app/views/wrap_it_ruby/home/index.html.erb
+- app/views/wrap_it_ruby/layouts/application.html.erb
+- app/views/wrap_it_ruby/proxy/show.html.ruby
+- app/views/wrap_it_ruby/shared/_navbar.html.ruby
+- config/importmap.rb
+- config/routes.rb
+- lib/generators/wrap_it_ruby/install/install_generator.rb
+- lib/generators/wrap_it_ruby/install/templates/menu.yml
+- lib/wrap_it_ruby.rb
+- lib/wrap_it_ruby/engine.rb
+- lib/wrap_it_ruby/menu.rb
+- lib/wrap_it_ruby/middleware/proxy_middleware.rb
+- lib/wrap_it_ruby/middleware/root_relative_proxy_middleware.rb
+- lib/wrap_it_ruby/middleware/script_injection_middleware.rb
+- lib/wrap_it_ruby/version.rb
+homepage: https://github.com/n-at-han-k/wrap-it-ruby
+licenses:
+- Apache-2.0
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.2
+specification_version: 4
+summary: Rails engine for iframe-based reverse proxy portals
+test_files: []