@aikidosec/broker-client 0.0.1 → 0.0.3

package/README.md

@@ -1,3 +1,95 @@
 # Aikido Broker Client
 
-Prepare for publishing first package version. 
+A secure broker client that runs in your internal network to forward requests from the Aikido platform to your internal resources via WebSocket connections.
+
+Securely connect internal resources to Aikido's platform. Each resource gets a unique subdomain: `https://{resource_id}.aikidobroker.com`
+
+## Installation
+
+### Via npm
+
+```bash
+npm install @aikidosec/broker-client
+```
+
+### Via Docker (Recommended)
+
+```bash
+docker compose up -d
+```
+
+## Quick Start
+
+1. **Generate CLIENT_SECRET in Aikido UI**:
+   - Navigate to: Settings → Broker Clients → Add New Client
+   - Copy the generated `CLIENT_SECRET`
+
+2. **Configure environment** (`.env`):
+```bash
+CLIENT_SECRET=your_client_secret_here
+```
+
+3. **Start client**:
+```bash
+# Using Docker
+docker compose up -d
+
+# Using Node.js directly
+npm start
+```
+
+4. **Register resources via Aikido UI** - resources are managed through the Aikido platform
+
+5. **Access resources from aikido via subdomain URLs:**
+
+```bash
+https://abc-123.aikidobroker.com/api/endpoint
+```
+
+Resource IDs are displayed in the Aikido UI when you register them.
+
+## Environment Variables
+
+**Required:**
+- `CLIENT_SECRET` - Unique client identifier (generate in Aikido UI: Settings → Broker Clients → Add New Client)
+
+**Optional:**
+- `ALLOWED_INTERNAL_SUBNETS` - Comma-separated subnet whitelist (e.g., `10.0.0.0/8,172.16.0.0/12`)
+- `DNS_SERVERS` - Custom DNS servers for internal hostname resolution
+- `CUSTOM_CA_BUNDLE` - Path to CA cert for self-signed certificates
+- `HTTP_PROXY` - HTTP proxy for outbound requests to internal resources (e.g., `http://proxy.company.local:8080`)
+
+## How It Works
+
+1. **Client Generation**: Generate a CLIENT_SECRET in the Aikido UI before deployment
+2. **Client Registration**: On first startup, the client registers with the broker using the CLIENT_SECRET
+3. **Resource Management**: Resources are registered via the Aikido UI and synced to the client
+4. **Subdomain Mapping**: Each resource gets a unique subdomain for external access
+5. **Secure Proxying**: All requests are authenticated and proxied to your internal services
+
+## Example Configuration
+
+```bash
+# .env file
+CLIENT_SECRET=aikido_broker_123_123_123456789
+ALLOWED_INTERNAL_SUBNETS=10.0.0.0/8,172.16.0.0/12
+HTTP_PROXY=http://proxy.company.local:8080
+```
+
+After registering resources through the Aikido UI, they will be accessible via subdomains like:
+- `https://xyz-123.aikidobroker.com` → routes to your registered internal API
+- `https://abc-456.aikidobroker.com` → routes to your registered internal service
+
+## Troubleshooting
+
+```bash
+# View logs
+docker compose logs -f
+
+# Check synced resources
+docker compose exec broker-client cat /config/client_resources.json
+
+# Verify connection
+docker compose logs | grep "Connected to broker"
+```
+

package/app/client.js

@@ -0,0 +1,529 @@
+#!/usr/bin/env node
+
+/**
+ * Broker Client - client that runs in customer network, receives requests via WebSocket
+ * and forwards them to internal resources
+ */
+
+import { io } from 'socket.io-client';
+import axios from 'axios';
+import { URL } from 'url';
+import { Address4, Address6 } from 'ip-address';
+import dns from 'native-dns';
+import fs from 'fs';
+import { ResourceManager } from './resourceManager.js';
+
+// Configure logging
+const log = {
+  info: (msg) => console.log(`[INFO] ${new Date().toISOString()} - ${msg}`),
+  warn: (msg) => console.warn(`[WARN] ${new Date().toISOString()} - ${msg}`),
+  error: (msg) => console.error(`[ERROR] ${new Date().toISOString()} - ${msg}`),
+  debug: (msg) => console.log(`[DEBUG] ${new Date().toISOString()} - ${msg}`)
+};
+
+// Broker Server Configuration
+const SERVER_URL = "https://broker.aikidobroker.com";
+
+// Client Configuration (from environment)
+const CLIENT_SECRET = process.env.CLIENT_SECRET;
+const ALLOWED_SUBNETS = process.env.ALLOWED_INTERNAL_SUBNETS
+  ? process.env.ALLOWED_INTERNAL_SUBNETS.split(',').map(s => s.trim()).filter(s => s)
+  : [];
+
+// Optional: Custom DNS servers for internal hostname resolution
+const DNS_SERVERS = process.env.DNS_SERVERS
+  ? process.env.DNS_SERVERS.split(',').map(s => s.trim()).filter(s => s)
+  : null;
+
+// Optional: Custom CA certificate bundle for self-signed certificates
+const CUSTOM_CA_BUNDLE = process.env.CUSTOM_CA_BUNDLE || null;
+
+// Optional: HTTP proxy for outbound requests to internal resources
+const HTTP_PROXY = process.env.HTTP_PROXY || null;
+
+// Determine TLS verification setting
+let httpsAgent = null;
+if (CUSTOM_CA_BUNDLE) {
+  const https = await import('https');
+  const ca = fs.readFileSync(CUSTOM_CA_BUNDLE);
+  httpsAgent = new https.Agent({ ca });
+  log.info(`Using custom CA bundle: ${CUSTOM_CA_BUNDLE}`);
+} else {
+  log.info("Using system CA certificates for TLS verification");
+}
+
+// Configure axios defaults
+const axiosConfig = {
+  timeout: 30000,
+  maxRedirects: 5,
+  httpsAgent
+};
+
+if (HTTP_PROXY) {
+  const proxyUrl = new URL(HTTP_PROXY);
+  axiosConfig.proxy = {
+    host: proxyUrl.hostname,
+    port: proxyUrl.port || 80,
+    protocol: proxyUrl.protocol
+  };
+  log.info(`Using HTTP proxy for internal requests: ${HTTP_PROXY}`);
+} else {
+  log.info("No HTTP proxy configured for internal requests");
+}
+
+// Create axios instance for internal requests
+const internalHttpClient = axios.create(axiosConfig);
+
+// Initialize ResourceManager
+const resourceManager = new ResourceManager();
+
+// Cache for client_id
+let _clientIdCache = null;
+
+/**
+ * Get the client ID from cache or read from file.
+ * Returns null if not registered yet.
+ */
+function getClientId() {
+  if (_clientIdCache !== null) {
+    return _clientIdCache;
+  }
+  
+  const clientIdPath = '/config/client_id';
+  if (fs.existsSync(clientIdPath)) {
+    try {
+      _clientIdCache = fs.readFileSync(clientIdPath, 'utf8').trim();
+      return _clientIdCache;
+    } catch (e) {
+      log.error(`Failed to read client_id: ${e.message}`);
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Resolve hostname using custom DNS servers if configured.
+ * Falls back to system DNS if DNS_SERVERS not set.
+ */
+async function resolveInternalHostname(hostname) {
+  if (!DNS_SERVERS || DNS_SERVERS.length === 0) {
+    // Use system DNS (default behavior)
+    try {
+      const dnsPromises = await import('dns/promises');
+      const result = await dnsPromises.resolve4(hostname);
+      const ip = result[0];
+      log.debug(`Resolved ${hostname} to ${ip} (system DNS)`);
+      return ip;
+    } catch (e) {
+      log.error(`Failed to resolve ${hostname}: ${e.message}`);
+      throw new Error(`Could not resolve hostname: ${hostname}`);
+    }
+  }
+  
+  // Use custom DNS servers
+  return new Promise((resolve, reject) => {
+    const question = dns.Question({
+      name: hostname,
+      type: 'A',
+    });
+    
+    const req = dns.Request({
+      question,
+      server: { address: DNS_SERVERS[0], port: 53, type: 'udp' },
+      timeout: 5000,
+    });
+    
+    req.on('timeout', () => {
+      reject(new Error('DNS resolution timeout'));
+    });
+    
+    req.on('message', (err, answer) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      
+      const addresses = answer.answer
+        .filter(a => a.type === 1) // A records
+        .map(a => a.address);
+      
+      if (addresses.length > 0) {
+        log.info(`Resolved ${hostname} to ${addresses[0]} (custom DNS: ${DNS_SERVERS})`);
+        resolve(addresses[0]);
+      } else {
+        reject(new Error(`No A records found for ${hostname}`));
+      }
+    });
+    
+    req.send();
+  });
+}
+
+/**
+ * Check if URL points to internal resource
+ */
+function isInternalUrl(url) {
+  try {
+    const parsedUrl = new URL(url);
+    const hostname = parsedUrl.hostname;
+    
+    if (!hostname) {
+      return false;
+    }
+    
+    // Check if hostname is already an IP address
+    let ip;
+    try {
+      const addr4 = new Address4(hostname);
+      if (addr4.isValid()) {
+        ip = hostname;
+        log.info(`Hostname ${hostname} is already an IP address`);
+      }
+    } catch (e) {
+      // Not IPv4, try IPv6
+      try {
+        const addr6 = new Address6(hostname);
+        if (addr6.isValid()) {
+          ip = hostname;
+          log.info(`Hostname ${hostname} is already an IPv6 address`);
+        }
+      } catch (e2) {
+        // Not an IP, allow it through if we have custom DNS configured
+        // The actual resolution will happen in the forward_request handler
+        if (DNS_SERVERS !== null && DNS_SERVERS.length > 0) {
+          log.debug(`Hostname ${hostname} will be resolved with custom DNS during forward`);
+          return true;
+        }
+        
+        // For system DNS, we can't do synchronous lookup here
+        // Allow all private hostnames through and validate during forward
+        log.debug(`Hostname ${hostname} will be validated during forward`);
+        return true;
+      }
+    }
+    
+    // If we have an IP, validate it
+    if (ip) {
+      const addr = new Address4(ip);
+      
+      // Block external/public IPs (only allow RFC 1918 private IPs)
+      if (!addr.isPrivate()) {
+        log.warn(`Blocked external/public IP: ${ip}`);
+        return false;
+      }
+      
+      // Block cloud metadata endpoints (link-local addresses)
+      if (addr.isLinkLocal()) {
+        log.warn(`Blocked link-local/metadata IP: ${ip} (169.254.x.x)`);
+        return false;
+      }
+      
+      // If no allowed subnets defined, allow all private IPs (except link-local)
+      if (ALLOWED_SUBNETS.length === 0) {
+        log.info("No ALLOWED_SUBNETS defined, allowing all private IPs");
+        return true;
+      }
+      
+      // Check if IP is in allowed subnets
+      for (const subnetStr of ALLOWED_SUBNETS) {
+        const subnet = new Address4(subnetStr.trim());
+        if (addr.isInSubnet(subnet)) {
+          log.info(`IP ${ip} is in allowed subnet ${subnetStr}`);
+          return true;
+        }
+      }
+      
+      log.warn(`IP ${ip} not in allowed subnets`);
+      return false;
+    }
+    
+    // Hostname that needs resolution - allow it through for now
+    return true;
+  } catch (e) {
+    log.error(`Error checking if URL is internal: ${e.message}`);
+    return false;
+  }
+}
+
+/**
+ * Check if a resource is registered with the broker.
+ */
+function isResourceAllowed(resource) {
+  const registeredResources = resourceManager.getResources();
+  
+  // If no resources registered yet, deny (customer must register resources first)
+  if (Object.keys(registeredResources).length === 0) {
+    log.warn("No resources registered - customer must register resources via setup mode");
+    return false;
+  }
+  
+  // Normalize the target URL for comparison
+  const resourceParsed = new URL(resource);
+  const resourceNormalized = `${resourceParsed.protocol}//${resourceParsed.host}${resourceParsed.pathname || '/'}`;
+  
+  // Check if the exact base_url is registered
+  for (const baseUrl of Object.keys(registeredResources)) {
+    const baseParsed = new URL(baseUrl);
+    const baseNormalized = `${baseParsed.protocol}//${baseParsed.host}${baseParsed.pathname || '/'}`;
+    
+    // Allow if target URL starts with registered base URL
+    if (resourceNormalized.startsWith(baseNormalized)) {
+      log.info(`Resource ${resource} matches registered base_url ${baseUrl}`);
+      return true;
+    }
+  }
+  
+  log.warn(`Resource ${resource} not found in registered resources: ${Object.keys(registeredResources)}`);
+  return false;
+}
+
+// Create Socket.IO client
+const socket = io(SERVER_URL, {
+  auth: {
+    client_secret: CLIENT_SECRET
+  },
+  transports: ['websocket', 'polling'],
+  reconnection: true,
+  reconnectionAttempts: Infinity,
+  reconnectionDelay: 1000,
+  reconnectionDelayMax: 30000,
+  randomizationFactor: 0.5
+});
+
+// Socket.IO event handlers
+socket.on('connect', async () => {
+  log.info('✓ Connected to broker server');
+  
+  const clientId = getClientId();
+  
+  if (clientId) {
+    // Configure ResourceManager for broker sync
+    resourceManager.configureSync(SERVER_URL, clientId, CLIENT_SECRET);
+    
+    // Sync resources from broker on connect
+    await resourceManager.syncFromBroker();
+  } else {
+    log.warn("No client_id found, skipping resource sync");
+  }
+});
+
+socket.on('disconnect', () => {
+  log.warn("Disconnected from broker server");
+});
+
+socket.on('forward_request', async (data, callback) => {
+  /**
+   * Receive request from broker server and forward to internal resource
+   * Uses customer's internal DNS for resolution
+   * Returns response via Socket.IO acknowledgement (callback)
+   */
+  const requestId = data.request_id;
+  const targetUrl = data.target_url;
+  const method = data.method || 'GET';
+  const headers = data.headers || {};
+  const body = data.body;
+
+  log.info(`Received forward request ${requestId} for ${targetUrl}`);
+
+  // Security: Only allow requests to internal resources and allowed resources
+  if (!isInternalUrl(targetUrl)) {
+    callback({
+      request_id: requestId,
+      status_code: 403,
+      headers: {},
+      body: 'Target URL is not an allowed internal resource'
+    });
+    return;
+  }
+
+  if (!isResourceAllowed(targetUrl)) {
+    callback({
+      request_id: requestId,
+      status_code: 403,
+      headers: {},
+      body: 'Target URL is not in the allowed resources list'
+    });
+    return;
+  }
+
+  try {
+    // Resolve DNS if custom DNS servers configured
+    const parsed = new URL(targetUrl);
+    let resolvedUrl = targetUrl;
+    
+    if (DNS_SERVERS && parsed.hostname) {
+      try {
+        const resolvedIp = await resolveInternalHostname(parsed.hostname);
+        // Replace hostname with resolved IP
+        resolvedUrl = targetUrl.replace(parsed.hostname, resolvedIp);
+        log.info(`Using resolved URL: ${resolvedUrl}`);
+      } catch (e) {
+        log.warn(`DNS resolution failed, trying original URL: ${e.message}`);
+      }
+    }
+    
+    // Forward the request to the internal resource
+    const response = await internalHttpClient.request({
+      method,
+      url: resolvedUrl,
+      headers,
+      data: body,
+      validateStatus: () => true // Accept any status code
+    });
+    
+    log.info(`Successfully forwarded request ${requestId} to ${targetUrl}, status: ${response.status}`);
+    
+    // Return response via acknowledgement
+    callback({
+      request_id: requestId,
+      status_code: response.status,
+      headers: response.headers,
+      body: typeof response.data === 'string' ? response.data : JSON.stringify(response.data)
+    });
+    
+  } catch (error) {
+    log.error(`Error forwarding request ${requestId} to ${targetUrl}: ${error.message}`);
+    callback({
+      request_id: requestId,
+      status_code: 502,
+      headers: {},
+      body: `Error reaching internal resource: ${error.message}`
+    });
+  }
+});
+
+/**
+ * Register this client with the broker server
+ */
+async function registerWithServer() {
+  // Check if already registered
+  if (getClientId() !== null) {
+    log.info("✓ Client already registered (client_id file exists)");
+    return;
+  }
+  
+  const serverUrl = `${SERVER_URL}/broker-reserved/register`;
+  
+  log.info(`Attempting to register with server at ${serverUrl}`);
+  
+  const maxRetries = 10;
+  const retryDelay = 5000;
+  
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      const response = await axios.post(serverUrl, {
+        client_secret: CLIENT_SECRET
+      }, {
+        timeout: 10000
+      });
+      
+      if (response.status === 200) {
+        const clientId = response.data.client_id;
+        log.info(`✓ Successfully registered with broker server as ${clientId}`);
+        
+        // Save client_id to file and cache
+        _clientIdCache = clientId;
+        try {
+          fs.mkdirSync('/config', { recursive: true });
+          fs.writeFileSync('/config/client_id', clientId);
+          log.info("💾 Saved client_id to /config/client_id");
+        } catch (e) {
+          log.warn(`Could not save client_id file: ${e.message}`);
+        }
+        return;
+      } else if (response.status === 409) {
+        log.info("✓ Client already registered with server (this is OK)");
+        // Try to extract client_id from response if available
+        try {
+          const clientId = response.data.client_id;
+          if (clientId) {
+            _clientIdCache = clientId;
+            fs.mkdirSync('/config', { recursive: true });
+            fs.writeFileSync('/config/client_id', clientId);
+            log.info("💾 Saved client_id to /config/client_id");
+          }
+        } catch (e) {
+          log.warn(`Could not save client_id file: ${e.message}`);
+        }
+        return;
+      } else {
+        log.warn(`Registration attempt ${attempt + 1} failed: ${response.status} - ${response.data}`);
+      }
+    } catch (error) {
+      log.warn(`Registration attempt ${attempt + 1} failed: ${error.name}: ${error.message}`);
+    }
+    
+    if (attempt < maxRetries - 1) {
+      log.info(`Retrying in ${retryDelay / 1000} seconds...`);
+      await new Promise(resolve => setTimeout(resolve, retryDelay));
+    }
+  }
+  
+  log.error("Failed to register with broker server after all retries");
+}
+
+/**
+ * Background task that syncs resources from broker every 3 minutes.
+ * Runs continuously while client is connected.
+ */
+async function resourceSyncTask() {
+  await new Promise(resolve => setTimeout(resolve, 15000)); // Initial delay before first sync
+
+  while (true) {
+    try {
+      await resourceManager.syncFromBroker();
+    } catch (error) {
+      log.error(`Error in resource_sync_task: ${error.message}`);
+    }
+    
+    // Wait 3 minutes before next sync
+    await new Promise(resolve => setTimeout(resolve, 180000));
+  }
+}
+
+/**
+ * Main client function
+ */
+async function main() {
+  log.info("Starting Broker Client");
+  log.info(`Allowed internal subnets: ${ALLOWED_SUBNETS.join(', ') || 'None'}`);
+  
+  // Load registered resources from ResourceManager
+  const registeredResources = resourceManager.getResources();
+  log.info(`Registered resources: ${Object.keys(registeredResources).length > 0 ? Object.keys(registeredResources).join(', ') : 'None'}`);
+  
+  log.info(`Server URL: ${SERVER_URL}`);
+  if (HTTP_PROXY) {
+    log.info(`HTTP Proxy: ${HTTP_PROXY}`);
+  } else {
+    log.info("HTTP Proxy: Not configured");
+  }
+  
+  // Register with server (creates client_id file)
+  await registerWithServer();
+  
+  // Get client_id after registration
+  const clientId = getClientId();
+  
+  if (clientId) {
+    log.info(`Client ID: ${clientId}`);
+    // Configure ResourceManager for syncing with server
+    resourceManager.configureSync(SERVER_URL, clientId, CLIENT_SECRET);
+  } else {
+    log.warn("No client_id available after registration");
+  }
+  
+  // Start background task to sync resources every 3 minutes
+  resourceSyncTask().catch(err => log.error(`Resource sync task error: ${err.message}`));
+  log.info("Started resource sync background task");
+  
+  // Keep process alive
+  log.info("Client running...");
+}
+
+// Start the client
+main().catch(error => {
+  log.error(`Fatal error: ${error.message}`);
+  process.exit(1);
+});

package/app/resourceManager.js

@@ -0,0 +1,237 @@
+/**
+ * Resource Manager for Client
+ * Manages local resource configuration with JSON persistence.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import axios from 'axios';
+
+const log = {
+  info: (msg) => console.log(`[INFO] ${new Date().toISOString()} - ResourceManager - ${msg}`),
+  warn: (msg) => console.warn(`[WARN] ${new Date().toISOString()} - ResourceManager - ${msg}`),
+  error: (msg) => console.error(`[ERROR] ${new Date().toISOString()} - ResourceManager - ${msg}`),
+  debug: (msg) => console.log(`[DEBUG] ${new Date().toISOString()} - ResourceManager - ${msg}`)
+};
+
+/**
+ * Manages resource configurations for the client.
+ * Stores {base_url: resource_id} mappings with JSON persistence.
+ */
+export class ResourceManager {
+  /**
+   * Initialize ResourceManager.
+   * @param {string} configFile - Path to JSON file for persisting resources
+   */
+  constructor(configFile = '/config/client_resources.json') {
+    this.configFile = configFile;
+    this._resources = {}; // {base_url: resource_id}
+    this._serverUrl = null;
+    this._clientId = null;
+    this._clientSecret = null;
+    this._loadFromFile();
+  }
+
+  /**
+   * Configure parameters for syncing with broker server.
+   * @param {string} serverUrl - Broker server URL
+   * @param {string} clientId - Client ID
+   * @param {string} clientSecret - Client secret
+   */
+  configureSync(serverUrl, clientId, clientSecret) {
+    this._serverUrl = serverUrl;
+    this._clientId = clientId;
+    this._clientSecret = clientSecret;
+  }
+
+  /**
+   * Load resources from JSON file if it exists
+   */
+  _loadFromFile() {
+    if (fs.existsSync(this.configFile)) {
+      try {
+        const data = fs.readFileSync(this.configFile, 'utf8');
+        this._resources = JSON.parse(data);
+        log.info(`✓ Loaded ${Object.keys(this._resources).length} resources from ${this.configFile}`);
+      } catch (error) {
+        log.error(`Failed to load resources from ${this.configFile}: ${error.message}`);
+        this._resources = {};
+      }
+    } else {
+      log.info(`No existing resources file at ${this.configFile}, starting fresh`);
+      this._resources = {};
+    }
+  }
+
+  /**
+   * Save resources to JSON file
+   */
+  _saveToFile() {
+    try {
+      // Ensure directory exists
+      const dir = path.dirname(this.configFile);
+      fs.mkdirSync(dir, { recursive: true });
+      
+      fs.writeFileSync(this.configFile, JSON.stringify(this._resources, null, 2));
+      log.info(`💾 Saved ${Object.keys(this._resources).length} resources to ${this.configFile}`);
+    } catch (error) {
+      log.error(`Failed to save resources to ${this.configFile}: ${error.message}`);
+    }
+  }
+
+  /**
+   * Sync resources from Core API data.
+   * @param {Object} resourcesDict - Dictionary of {base_url: resource_id} from Core API
+   */
+  syncFromCore(resourcesDict) {
+    const currentKeys = new Set(Object.keys(this._resources));
+    const newKeys = new Set(Object.keys(resourcesDict));
+    
+    const added = [...newKeys].filter(k => !currentKeys.has(k));
+    const removed = [...currentKeys].filter(k => !newKeys.has(k));
+    const updated = [...newKeys].filter(k => 
+      currentKeys.has(k) && resourcesDict[k] !== this._resources[k]
+    );
+    
+    if (added.length > 0 || removed.length > 0 || updated.length > 0) {
+      log.info(
+        `Resource changes: +${added.length} added, ` +
+        `-${removed.length} removed, ~${updated.length} updated`
+      );
+      
+      this._resources = { ...resourcesDict };
+      this._saveToFile();
+    } else {
+      log.debug("No resource changes detected");
+    }
+  }
+
+  /**
+   * Get all resources.
+   * @returns {Object} Dictionary of {base_url: resource_id}
+   */
+  getResources() {
+    return { ...this._resources };
+  }
+
+  /**
+   * Get resource_id for a base_url.
+   * @param {string} baseUrl - The base URL to look up
+   * @returns {string|null} resource_id if found, null otherwise
+   */
+  getResourceId(baseUrl) {
+    return this._resources[baseUrl] || null;
+  }
+
+  /**
+   * Add or update a resource.
+   * @param {string} baseUrl - The base URL
+   * @param {string} resourceId - The resource UUID
+   */
+  addResource(baseUrl, resourceId) {
+    this._resources[baseUrl] = resourceId;
+    this._saveToFile();
+    log.info(`Added resource: ${baseUrl} → ${resourceId}`);
+  }
+
+  /**
+   * Remove a resource by base_url.
+   * @param {string} baseUrl - The base URL to remove
+   * @returns {boolean} True if removed, false if not found
+   */
+  removeResource(baseUrl) {
+    if (baseUrl in this._resources) {
+      const resourceId = this._resources[baseUrl];
+      delete this._resources[baseUrl];
+      this._saveToFile();
+      log.info(`Removed resource: ${baseUrl} (was ${resourceId})`);
+      return true;
+    }
+    return false;
+  }
+
+  /**
+   * Fetch and sync resources from broker server.
+   * Called on connect and periodically to stay in sync with Core API.
+   */
+  async syncFromBroker() {
+    if (!this._serverUrl || !this._clientId || !this._clientSecret) {
+      log.warn("ResourceManager not configured for broker sync");
+      return;
+    }
+    
+    try {
+      log.info("Fetching resources from broker...");
+      
+      const url = `${this._serverUrl}/broker_reserved/${this._clientId}/resources`;
+      
+      const response = await axios.get(url, {
+        headers: {
+          "broker-client-secret": this._clientSecret
+        },
+        timeout: 10000
+      });
+      
+      if (response.status === 200) {
+        const resources = response.data.resources || {};
+        
+        // Sync from broker response
+        this.syncFromCore(resources);
+        log.info(`✓ Synced ${Object.keys(resources).length} resources from broker`);
+      } else {
+        log.warn(`Failed to fetch resources: ${response.status} - ${response.data}`);
+      }
+      
+    } catch (error) {
+      log.error(`Error fetching resources from broker: ${error.message}`);
+    }
+  }
+
+  /**
+   * Register a new resource with the broker (which forwards to Core API).
+   * Server generates the UUID to prevent duplicates.
+   * @param {string} baseUrl - The base URL
+   * @returns {Promise<string>} The server-generated resource_id
+   */
+  async registerResourceWithBroker(baseUrl) {
+    if (!this._serverUrl || !this._clientId || !this._clientSecret) {
+      throw new Error("ResourceManager not configured for broker sync");
+    }
+    
+    log.info(`Registering resource with broker: ${baseUrl}`);
+    
+    const url = `${this._serverUrl}/clients/${this._clientId}/resources`;
+    
+    try {
+      const response = await axios.post(
+        url,
+        { base_url: baseUrl },
+        {
+          headers: {
+            "broker-client-secret": this._clientSecret
+          },
+          timeout: 10000
+        }
+      );
+      
+      if (response.status === 200 || response.status === 201) {
+        const resourceId = response.data.resource_id;
+        if (!resourceId) {
+          throw new Error("Server did not return resource_id");
+        }
+        log.info(`✓ Resource registered with broker: ${baseUrl} → ${resourceId}`);
+        return resourceId;
+      } else {
+        const errorText = response.data;
+        log.error(`Failed to register resource: ${response.status} - ${errorText}`);
+        throw new Error(`Broker returned ${response.status}: ${errorText}`);
+      }
+    } catch (error) {
+      if (error.response) {
+        log.error(`Failed to register resource: ${error.response.status} - ${error.response.data}`);
+        throw new Error(`Broker returned ${error.response.status}: ${error.response.data}`);
+      }
+      throw error;
+    }
+  }
+}

package/package.json

@@ -1,6 +1,45 @@
 {
   "name": "@aikidosec/broker-client",
-  "version": "0.0.1",
-  "description": "Prepare for publishing first package version.",
-  "license": "SEE LICENSE IN LICENSE.md"
+  "version": "0.0.3",
+  "description": "Aikido Broker Client - Runs in customer network to forward requests to internal resources",
+  "main": "app/client.js",
+  "type": "module",
+  "scripts": {
+    "start": "node app/client.js",
+    "dev": "node --watch app/client.js"
+  },
+  "keywords": [
+    "broker",
+    "proxy",
+    "websocket",
+    "security",
+    "aikido",
+    "internal-network",
+    "secure-proxy"
+  ],
+  "author": "Aikido Security",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/AikidoSec/broker.git",
+    "directory": "client"
+  },
+  "bugs": {
+    "url": "https://github.com/AikidoSec/broker/issues"
+  },
+  "homepage": "https://github.com/AikidoSec/broker#readme",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "dependencies": {
+    "axios": "1.13.2",
+    "ip-address": "10.0.1",
+    "native-dns": "0.7.0",
+    "socket.io-client": "4.8.1"
+  },
+  "files": [
+    "app/",
+    "README.md",
+    "LICENSE"
+  ]
 }