@aictrl/hush 0.1.0 → 0.1.6

package/scripts/e2e-mock-upstream.mjs

@@ -0,0 +1,55 @@
+/**
+ * Mock ZhipuAI upstream server for E2E testing.
+ * Captures the request body sent by the Hush gateway so we can verify PII was redacted.
+ */
+import http from 'node:http';
+import fs from 'node:fs';
+
+const PORT = parseInt(process.env.MOCK_PORT || '4111');
+const CAPTURE_FILE = process.env.CAPTURE_FILE || '/tmp/hush-e2e-captured-body.json';
+
+const server = http.createServer((req, res) => {
+  if (req.method === 'POST' && req.url === '/api/paas/v4/chat/completions') {
+    let body = '';
+    req.on('data', chunk => { body += chunk; });
+    req.on('end', () => {
+      // Save the captured request body for later verification
+      fs.writeFileSync(CAPTURE_FILE, body);
+
+      const parsed = JSON.parse(body);
+      // Echo back the last user message content so we can verify rehydration
+      const lastMessage = parsed.messages?.[parsed.messages.length - 1]?.content || '';
+
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        id: 'chatcmpl-e2e-mock-001',
+        model: 'glm-5',
+        choices: [{
+          index: 0,
+          message: { role: 'assistant', content: `Echoing back: ${lastMessage}` },
+          finish_reason: 'stop'
+        }],
+        usage: { prompt_tokens: 50, completion_tokens: 20, total_tokens: 70 }
+      }));
+    });
+  } else if (req.method === 'GET' && req.url === '/captured') {
+    try {
+      const captured = fs.readFileSync(CAPTURE_FILE, 'utf8');
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(captured);
+    } catch {
+      res.writeHead(404);
+      res.end('{}');
+    }
+  } else if (req.method === 'GET' && req.url === '/health') {
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ status: 'mock-running' }));
+  } else {
+    res.writeHead(404);
+    res.end('Not found');
+  }
+});
+
+server.listen(PORT, '127.0.0.1', () => {
+  console.log(`Mock ZhipuAI upstream listening on http://127.0.0.1:${PORT}`);
+});

package/scripts/e2e-opencode.sh

@@ -0,0 +1,217 @@
+#!/usr/bin/env bash
+#
+# E2E test: Verify Hush gateway intercepts PII from OpenCode/GLM-5 requests
+#
+# This script:
+#   1. Starts a mock ZhipuAI upstream that captures the request body
+#   2. Starts a Hush gateway harness pointed at the mock upstream
+#   3. Sends a GLM-5 chat completion request containing PII through the gateway
+#   4. Verifies PII was redacted in the request that reached the mock upstream
+#   5. Verifies the response was rehydrated back to original PII
+#   6. Verifies the vault captured tokens (via /health endpoint)
+#
+# Usage: ./scripts/e2e-opencode.sh
+# Requirements: node, npm (dependencies must be installed)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+MOCK_PORT=4111
+GATEWAY_PORT=4222
+MOCK_PID=""
+GATEWAY_PID=""
+PASS_COUNT=0
+FAIL_COUNT=0
+CAPTURE_FILE="/tmp/hush-e2e-captured-body.json"
+
+cleanup() {
+  echo ""
+  echo -e "${CYAN}Cleaning up...${NC}"
+  [ -n "$MOCK_PID" ] && kill "$MOCK_PID" 2>/dev/null || true
+  [ -n "$GATEWAY_PID" ] && kill "$GATEWAY_PID" 2>/dev/null || true
+  rm -f "$CAPTURE_FILE"
+  wait 2>/dev/null || true
+}
+trap cleanup EXIT
+
+pass() {
+  PASS_COUNT=$((PASS_COUNT + 1))
+  echo -e "  ${GREEN}PASS${NC} $1"
+}
+
+fail() {
+  FAIL_COUNT=$((FAIL_COUNT + 1))
+  echo -e "  ${RED}FAIL${NC} $1"
+}
+
+assert_contains() {
+  local haystack="$1" needle="$2" msg="$3"
+  if echo "$haystack" | grep -qF "$needle"; then
+    pass "$msg"
+  else
+    fail "$msg (expected to find '$needle')"
+  fi
+}
+
+assert_not_contains() {
+  local haystack="$1" needle="$2" msg="$3"
+  if echo "$haystack" | grep -qF "$needle"; then
+    fail "$msg (found '$needle' which should have been redacted)"
+  else
+    pass "$msg"
+  fi
+}
+
+wait_for_port() {
+  local port=$1 label=$2 max_attempts=${3:-20}
+  for i in $(seq 1 "$max_attempts"); do
+    if curl -sf "http://127.0.0.1:${port}/health" > /dev/null 2>&1; then
+      return 0
+    fi
+    sleep 0.5
+  done
+  echo -e "${RED}${label} failed to start on :${port}${NC}"
+  return 1
+}
+
+echo -e "${CYAN}================================================${NC}"
+echo -e "${CYAN}  Hush Gateway E2E: OpenCode + GLM-5 PII Test  ${NC}"
+echo -e "${CYAN}================================================${NC}"
+echo ""
+
+cd "$PROJECT_DIR"
+
+# --- Step 1: Start mock ZhipuAI upstream ---
+echo -e "${YELLOW}[1/5] Starting mock ZhipuAI upstream on :${MOCK_PORT}...${NC}"
+
+MOCK_PORT=$MOCK_PORT CAPTURE_FILE=$CAPTURE_FILE node scripts/e2e-mock-upstream.mjs &
+MOCK_PID=$!
+sleep 1
+
+if ! kill -0 "$MOCK_PID" 2>/dev/null; then
+  echo -e "${RED}Mock upstream failed to start${NC}"
+  exit 1
+fi
+echo -e "  Mock upstream PID: ${MOCK_PID}"
+
+# --- Step 2: Start Hush gateway (E2E harness pointing at mock) ---
+echo -e "${YELLOW}[2/5] Starting Hush gateway on :${GATEWAY_PORT} -> mock :${MOCK_PORT}...${NC}"
+
+GATEWAY_PORT=$GATEWAY_PORT MOCK_PORT=$MOCK_PORT npx tsx scripts/e2e-gateway-harness.ts &
+GATEWAY_PID=$!
+
+wait_for_port "$GATEWAY_PORT" "Gateway" || exit 1
+echo -e "  Gateway PID: ${GATEWAY_PID}"
+
+# --- Step 3: Send a GLM-5 request with PII through the gateway ---
+echo -e "${YELLOW}[3/5] Sending GLM-5 chat completion with PII through gateway...${NC}"
+
+# These are the PII values we'll send (mimicking what an OpenCode session would contain)
+PII_EMAIL="testuser@example-corp.com"
+PII_IP="10.42.99.7"
+PII_SECRET="api_key=secret_test_a1b2c3d4e5f6g7h8i9j0k1l2"
+
+RESPONSE=$(curl -sf -X POST "http://127.0.0.1:${GATEWAY_PORT}/api/paas/v4/chat/completions" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer test-e2e-key" \
+  -d "{
+    \"model\": \"glm-5\",
+    \"messages\": [{
+      \"role\": \"user\",
+      \"content\": \"My email is ${PII_EMAIL} and server IP is ${PII_IP}. Credentials: ${PII_SECRET}\"
+    }]
+  }")
+
+echo -e "  Response received ($(echo "$RESPONSE" | wc -c) bytes)"
+
+# --- Step 4: Verify PII interception ---
+echo ""
+echo -e "${YELLOW}[4/5] Verifying PII interception...${NC}"
+echo ""
+
+# 4a. Check what the mock upstream received
+CAPTURED=$(curl -sf "http://127.0.0.1:${MOCK_PORT}/captured" || echo "{}")
+
+echo -e "  ${CYAN}What ZhipuAI upstream received (should have tokens, NOT real PII):${NC}"
+echo "  $(echo "$CAPTURED" | python3 -m json.tool 2>/dev/null | head -20 || echo "$CAPTURED" | head -c 600)"
+echo ""
+
+# Verify PII was REDACTED in upstream request
+assert_not_contains "$CAPTURED" "$PII_EMAIL" "Email NOT sent to ZhipuAI upstream"
+assert_not_contains "$CAPTURED" "$PII_IP" "IP address NOT sent to ZhipuAI upstream"
+
+# Verify tokens were substituted (format-agnostic: matches [USER_EMAIL_1] or [HUSH_EML_*] etc.)
+if echo "$CAPTURED" | grep -qE '\[.*EMAIL'; then
+  pass "Email replaced with redaction token"
+else
+  fail "Email replaced with redaction token (no EMAIL token found)"
+fi
+
+if echo "$CAPTURED" | grep -qE '\[.*IP'; then
+  pass "IP replaced with redaction token"
+else
+  fail "IP replaced with redaction token (no IP token found)"
+fi
+
+if echo "$CAPTURED" | grep -qE '\[.*SECRET'; then
+  pass "Secret replaced with redaction token"
+else
+  fail "Secret replaced with redaction token (no SECRET token found)"
+fi
+
+echo ""
+
+# 4b. Check gateway response (should contain REHYDRATED original PII)
+echo -e "  ${CYAN}What the client (OpenCode) receives back (should have original PII):${NC}"
+ASSISTANT_CONTENT=$(echo "$RESPONSE" | python3 -c "
+import sys, json
+data = json.load(sys.stdin)
+print(data['choices'][0]['message']['content'])
+" 2>/dev/null || echo "$RESPONSE")
+echo "  ${ASSISTANT_CONTENT:0:300}"
+echo ""
+
+assert_contains "$ASSISTANT_CONTENT" "$PII_EMAIL" "Email rehydrated in response to client"
+assert_contains "$ASSISTANT_CONTENT" "$PII_IP" "IP address rehydrated in response to client"
+
+echo ""
+
+# 4c. Check vault via /health endpoint
+HEALTH=$(curl -sf "http://127.0.0.1:${GATEWAY_PORT}/health")
+VAULT_SIZE=$(echo "$HEALTH" | python3 -c "import sys, json; print(json.load(sys.stdin).get('vaultSize', 0))")
+echo -e "  ${CYAN}Gateway vault size: ${VAULT_SIZE}${NC}"
+
+if [ "$VAULT_SIZE" -gt 0 ]; then
+  pass "Vault contains ${VAULT_SIZE} token(s) - PII intercepted and stored"
+else
+  fail "Vault is empty (expected > 0 tokens)"
+fi
+
+# --- Step 5: Summary ---
+echo ""
+echo -e "${CYAN}================================================${NC}"
+TOTAL=$((PASS_COUNT + FAIL_COUNT))
+if [ "$FAIL_COUNT" -eq 0 ]; then
+  echo -e "${GREEN}  ALL ${TOTAL} CHECKS PASSED${NC}"
+  echo ""
+  echo -e "  ${GREEN}PII was intercepted by Hush gateway before${NC}"
+  echo -e "  ${GREEN}reaching the ZhipuAI/GLM-5 upstream server.${NC}"
+  echo -e "  ${GREEN}Client received rehydrated original values.${NC}"
+  echo ""
+  echo -e "  This confirms OpenCode + GLM-5 is safe to use"
+  echo -e "  through the Hush Semantic Security Gateway."
+else
+  echo -e "${RED}  ${FAIL_COUNT}/${TOTAL} CHECKS FAILED${NC}"
+fi
+echo -e "${CYAN}================================================${NC}"
+
+exit "$FAIL_COUNT"

package/src/cli.ts

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+import { app } from './index.js';
+import { createLogger } from './lib/logger.js';
+
+const log = createLogger('hush-cli');
+const PORT = process.env.PORT || 4000;
+
+const server = app.listen(PORT, () => {
+  log.info(`Hush Semantic Gateway is listening on http://localhost:${PORT}`);
+  log.info(`Routes: /v1/messages → Anthropic, /v1/chat/completions → OpenAI, /api/paas/v4/** → ZhipuAI, * → Google`);
+});
+
+server.on('error', (err: NodeJS.ErrnoException) => {
+  if (err.code === 'EADDRINUSE') {
+    log.error(`Port ${PORT} is already in use. Stop the other process or use PORT=<number> hush`);
+  } else {
+    log.error({ err }, 'Failed to start server');
+  }
+  process.exit(1);
+});

package/src/index.ts

@@ -0,0 +1,261 @@
+import express from 'express';
+import cors from 'cors';
+import { createLogger } from './lib/logger.js';
+import { Redactor } from './middleware/redactor.js';
+import { TokenVault } from './vault/token-vault.js';
+import { Dashboard } from './lib/dashboard.js';
+
+const log = createLogger('hush-proxy');
+const redactor = new Redactor();
+const vault = new TokenVault();
+
+// Lazy-initialize dashboard to ensure it captures flags set by CLI or ENV
+let _dashboard: Dashboard | null = null;
+function getDashboard(): Dashboard | null {
+  if (_dashboard) return _dashboard;
+  if (process.env.HUSH_DASHBOARD === 'true' || process.argv.includes('--dashboard')) {
+    _dashboard = new Dashboard();
+  }
+  return _dashboard;
+}
+
+// Force immediate initialization if dashboard flag is present
+getDashboard();
+
+export const app = express();
+
+// Security: Bind only to localhost by default to prevent network exposure
+const BIND_ADDRESS = process.env.HUSH_HOST || '127.0.0.1';
+
+// Security: Optional Bearer Token for the proxy itself
+const HUSH_TOKEN = process.env.HUSH_AUTH_TOKEN;
+
+app.use(cors({ origin: 'http://localhost' })); // Restrict CORS
+app.use(express.json({ limit: '50mb' }));
+
+/**
+ * Security Middleware: Local Proxy Authentication
+ */
+app.use((req, res, next) => {
+  if (req.path === '/health') return next();
+  
+  if (HUSH_TOKEN) {
+    const authHeader = req.headers['x-hush-token'] || req.headers['authorization'];
+    const providedToken = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+    
+    if (!providedToken || (providedToken !== HUSH_TOKEN && providedToken !== `Bearer ${HUSH_TOKEN}`)) {
+      log.warn({ ip: req.ip }, 'Unauthorized access attempt');
+      return res.status(401).json({ error: 'Unauthorized: Invalid HUSH_AUTH_TOKEN' });
+    }
+  }
+  next();
+});
+
+/**
+ * Helper to handle proxying with optional streaming
+ */
+async function proxyRequest(
+  req: express.Request,
+  res: express.Response,
+  targetUrl: string,
+  headers: Record<string, string>
+) {
+  const startTime = performance.now();
+  const dashboard = getDashboard();
+  
+  const hasBody = ['POST', 'PUT', 'PATCH'].includes(req.method);
+
+  // 1. Redact Request Body (Prompts, Tool Results) — only for methods with a body
+  let redactedBody: any;
+  let tokens = new Map<string, string>();
+  let hasRedacted = false;
+
+  if (hasBody) {
+    const result = redactor.redact(req.body);
+    redactedBody = result.content;
+    tokens = result.tokens;
+    hasRedacted = result.hasRedacted;
+  }
+
+  const redactionDuration = Math.round(performance.now() - startTime);
+
+  // Log all requests to dashboard
+  if (dashboard) {
+    dashboard.logRequest(req.path, redactionDuration);
+  }
+
+  if (hasRedacted) {
+    log.info({ path: req.path, tokenCount: tokens.size, duration: redactionDuration }, 'Redacted sensitive data from request');
+    vault.saveTokens(tokens);
+
+    // Log redaction events
+    if (dashboard) {
+      tokens.forEach((value, token) => {
+        const type = token.split('_')[1] ?? 'UNK'; // Extract type from [HUSH_TYPE_ID]
+        dashboard!.logRedaction(type, token);
+      });
+    }
+  }
+
+  try {
+    const fetchHeaders: Record<string, string> = { ...headers };
+    if (hasBody) fetchHeaders['Content-Type'] = 'application/json';
+
+    const response = await fetch(targetUrl, {
+      method: req.method,
+      headers: fetchHeaders,
+      body: hasBody ? JSON.stringify(redactedBody) : undefined,
+      signal: AbortSignal.timeout(30000), // 30s timeout
+    });
+
+    // Handle Upstream Errors (4xx, 5xx)
+    if (!response.ok) {
+      log.error({ status: response.status, path: req.path }, 'Upstream provider returned an error');
+      const errorData = await response.text();
+      return res.status(response.status).send(errorData);
+    }
+
+    // Case A: Streaming
+    const isStreaming = req.body?.stream === true || req.body?.stream === 'true';
+    if (isStreaming && response.body) {
+      log.info({ path: req.path }, 'Starting stream proxy');
+      res.setHeader('Content-Type', 'text/event-stream');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.setHeader('Connection', 'keep-alive');
+
+      const reader = response.body.getReader();
+      const decoder = new TextDecoder();
+      
+      // Security: Use stateful rehydrator to handle tokens split across chunks
+      const rehydrateChunk = vault.createStreamingRehydrator();
+
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+
+          const chunk = decoder.decode(value, { stream: true });
+          const rehydratedChunk = rehydrateChunk(chunk);
+          
+          if (rehydratedChunk) {
+            const canWrite = res.write(rehydratedChunk);
+            // Handle backpressure
+            if (!canWrite) {
+              await new Promise((resolve) => res.once('drain', resolve));
+            }
+          }
+        }
+      } finally {
+        reader.releaseLock();
+      }
+      res.end();
+      return;
+    }
+
+    // Case B: Regular JSON
+    const data = await response.json();
+    const rehydratedData = vault.rehydrate(data);
+    res.status(response.status).json(rehydratedData);
+
+  } catch (error) {
+    log.error({ err: error, path: req.path }, 'Failed to forward request');
+    res.status(500).json({ error: 'Gateway forwarding failed' });
+  }
+}
+
+/**
+ * Handle Anthropic /messages proxy
+ */
+app.post('/v1/messages', async (req, res) => {
+  const apiKey = req.headers['x-api-key'];
+  const auth = req.headers['authorization'];
+  if (!apiKey && !auth) return res.status(401).json({ error: 'Missing Anthropic API Key or Authorization header' });
+
+  const headers: Record<string, string> = {
+    'anthropic-version': req.headers['anthropic-version'] as string || '2023-06-01',
+  };
+  if (req.headers['anthropic-beta']) headers['anthropic-beta'] = req.headers['anthropic-beta'] as string;
+  if (apiKey) headers['x-api-key'] = apiKey as string;
+  if (auth) headers['Authorization'] = auth as string;
+
+  await proxyRequest(req, res, 'https://api.anthropic.com/v1/messages', headers);
+});
+
+/**
+ * Handle OpenAI /chat/completions proxy
+ */
+app.post('/v1/chat/completions', async (req, res) => {
+  const auth = req.headers['authorization'];
+  if (!auth) return res.status(401).json({ error: 'Missing OpenAI Authorization' });
+
+  await proxyRequest(req, res, 'https://api.openai.com/v1/chat/completions', {
+    'Authorization': auth as string,
+  });
+});
+
+/**
+ * Handle ZhipuAI GLM API proxy (OpenCode + GLM-5)
+ * Supports both regular and coding plan endpoints:
+ *   /api/paas/v4/chat/completions        → https://api.z.ai/api/paas/v4/chat/completions
+ *   /api/coding/paas/v4/chat/completions  → https://api.z.ai/api/coding/paas/v4/chat/completions
+ */
+app.post('/api/paas/v4/chat/completions', async (req, res) => {
+  const auth = req.headers['authorization'];
+  if (!auth) return res.status(401).json({ error: 'Missing ZhipuAI Authorization' });
+
+  await proxyRequest(req, res, 'https://api.z.ai/api/paas/v4/chat/completions', {
+    'Authorization': auth as string,
+  });
+});
+
+app.post('/api/coding/paas/v4/chat/completions', async (req, res) => {
+  const auth = req.headers['authorization'];
+  if (!auth) return res.status(401).json({ error: 'Missing ZhipuAI Authorization' });
+
+  await proxyRequest(req, res, 'https://api.z.ai/api/coding/paas/v4/chat/completions', {
+    'Authorization': auth as string,
+  });
+});
+
+/**
+ * Handle Google Gemini API proxy
+ * Supports: /v1beta/models/{model}:generateContent
+ */
+app.post('/v1beta/models/:modelAndAction', async (req, res) => {
+  const apiKey = req.headers['x-goog-api-key'] || req.query.key;
+  if (!apiKey) return res.status(401).json({ error: 'Missing Google API Key' });
+
+  const targetUrl = `https://generativelanguage.googleapis.com/v1beta/models/${req.params.modelAndAction}${req.url.includes('?') ? '?' + req.url.split('?')[1] : ''}`;
+
+  await proxyRequest(req, res, targetUrl, {
+    'x-goog-api-key': apiKey as string,
+  });
+});
+
+// Health check (must be before catch-all)
+app.get('/health', (req, res) => {
+  const response: any = { status: 'running' };
+  if (process.env.DEBUG === 'true') {
+    response.vaultSize = vault.size;
+  }
+  res.json(response);
+});
+
+/**
+ * Catch-all Handler: Forward unmatched requests with redaction/rehydration.
+ * Uses HUSH_UPSTREAM if set, otherwise falls back to Google.
+ */
+app.all('/*path', async (req, res) => {
+  const targetBase = 'https://generativelanguage.googleapis.com';
+  const targetUrl = `${targetBase}${req.url}`;
+
+  log.info({ path: req.path, method: req.method, upstream: targetBase }, 'Forwarding to upstream');
+
+  // Collect auth headers to pass through
+  const headers: Record<string, string> = {};
+  if (req.headers['authorization']) headers['Authorization'] = req.headers['authorization'] as string;
+  if (req.headers['x-api-key']) headers['x-api-key'] = req.headers['x-api-key'] as string;
+  if (req.headers['x-goog-api-key']) headers['x-goog-api-key'] = req.headers['x-goog-api-key'] as string;
+
+  await proxyRequest(req, res, targetUrl, headers);
+});