@aion0/bastion 0.1.7

package/dist/plugins/index.js

@@ -0,0 +1,148 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PluginManager = void 0;
+const timeout_js_1 = require("../utils/timeout.js");
+const logger_js_1 = require("../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('plugins');
+class PluginManager {
+    plugins = [];
+    disabledPlugins = new Set();
+    timeoutMs;
+    failMode;
+    constructor(timeoutMs = 50, failMode = 'open') {
+        this.timeoutMs = timeoutMs;
+        this.failMode = failMode;
+    }
+    setFailMode(mode) {
+        this.failMode = mode;
+        log.info('Fail mode updated', { failMode: mode });
+    }
+    register(plugin) {
+        this.plugins.push(plugin);
+        this.plugins.sort((a, b) => a.priority - b.priority);
+        log.info('Plugin registered', { name: plugin.name, priority: plugin.priority });
+    }
+    getPlugins() {
+        return [...this.plugins];
+    }
+    disable(name) {
+        const plugin = this.plugins.find((p) => p.name === name);
+        if (!plugin)
+            return false;
+        this.disabledPlugins.add(name);
+        log.info('Plugin disabled', { name });
+        return true;
+    }
+    enable(name) {
+        const existed = this.disabledPlugins.delete(name);
+        if (existed) {
+            log.info('Plugin enabled', { name });
+        }
+        return existed;
+    }
+    isDisabled(name) {
+        return this.disabledPlugins.has(name);
+    }
+    async runOnRequest(context) {
+        const result = {};
+        for (const plugin of this.plugins) {
+            if (!plugin.onRequest || this.disabledPlugins.has(plugin.name))
+                continue;
+            try {
+                const pluginResult = await (0, timeout_js_1.withTimeout)(plugin.onRequest(context), this.timeoutMs);
+                if (pluginResult) {
+                    // Short-circuit takes priority
+                    if (pluginResult.shortCircuit) {
+                        log.info('Plugin short-circuited request', { plugin: plugin.name });
+                        return pluginResult;
+                    }
+                    // Block takes second priority
+                    if (pluginResult.blocked) {
+                        log.info('Plugin blocked request', { plugin: plugin.name, reason: pluginResult.blocked.reason });
+                        return pluginResult;
+                    }
+                    // Accumulate body modifications
+                    if (pluginResult.modifiedBody) {
+                        result.modifiedBody = pluginResult.modifiedBody;
+                        // Update context body for next plugin
+                        context.body = pluginResult.modifiedBody;
+                    }
+                }
+            }
+            catch (err) {
+                const reason = err instanceof timeout_js_1.TimeoutError
+                    ? 'timeout'
+                    : err.message;
+                if (this.failMode === 'closed') {
+                    log.error('Plugin failed in fail-closed mode, rejecting request', { plugin: plugin.name, reason });
+                    return { pluginError: { pluginName: plugin.name, reason } };
+                }
+                if (err instanceof timeout_js_1.TimeoutError) {
+                    log.warn('Plugin timed out, skipping', { plugin: plugin.name });
+                }
+                else {
+                    log.warn('Plugin error, skipping', { plugin: plugin.name, error: reason });
+                }
+            }
+        }
+        return result;
+    }
+    async runOnResponse(context) {
+        const result = {};
+        for (const plugin of this.plugins) {
+            if (!plugin.onResponse || this.disabledPlugins.has(plugin.name))
+                continue;
+            try {
+                const pluginResult = await (0, timeout_js_1.withTimeout)(plugin.onResponse(context), this.timeoutMs * 100);
+                if (pluginResult) {
+                    if (pluginResult.blocked) {
+                        log.info('Plugin blocked response', { plugin: plugin.name, reason: pluginResult.blocked.reason });
+                        return pluginResult;
+                    }
+                    if (pluginResult.modifiedBody) {
+                        result.modifiedBody = pluginResult.modifiedBody;
+                        context.body = pluginResult.modifiedBody;
+                    }
+                }
+            }
+            catch (err) {
+                const reason = err instanceof timeout_js_1.TimeoutError
+                    ? 'timeout'
+                    : err.message;
+                if (this.failMode === 'closed') {
+                    log.error('Plugin onResponse failed in fail-closed mode, rejecting', { plugin: plugin.name, reason });
+                    return { pluginError: { pluginName: plugin.name, reason } };
+                }
+                if (err instanceof timeout_js_1.TimeoutError) {
+                    log.warn('Plugin onResponse timed out, skipping', { plugin: plugin.name });
+                }
+                else {
+                    log.warn('Plugin onResponse error, skipping', { plugin: plugin.name, error: reason });
+                }
+            }
+        }
+        return result;
+    }
+    async runOnResponseComplete(context) {
+        for (const plugin of this.plugins) {
+            if (!plugin.onResponseComplete || this.disabledPlugins.has(plugin.name))
+                continue;
+            try {
+                await (0, timeout_js_1.withTimeout)(plugin.onResponseComplete(context), this.timeoutMs * 10);
+            }
+            catch (err) {
+                if (err instanceof timeout_js_1.TimeoutError) {
+                    log.warn('Plugin onResponseComplete timed out, skipping', { plugin: plugin.name });
+                }
+                else {
+                    log.warn('Plugin onResponseComplete error, skipping', {
+                        plugin: plugin.name,
+                        error: err.message,
+                    });
+                }
+            }
+        }
+    }
+}
+exports.PluginManager = PluginManager;
+//# sourceMappingURL=index.js.map

package/dist/plugins/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/plugins/index.ts"],"names":[],"mappings":";;;AACA,oDAAgE;AAChE,kDAAkD;AAElD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,SAAS,CAAC,CAAC;AAEpC,MAAa,aAAa;IAChB,OAAO,GAAa,EAAE,CAAC;IACvB,eAAe,GAAgB,IAAI,GAAG,EAAE,CAAC;IACzC,SAAS,CAAS;IAClB,QAAQ,CAAoB;IAEpC,YAAY,YAAoB,EAAE,EAAE,WAA8B,MAAM;QACtE,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,WAAW,CAAC,IAAuB;QACjC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,QAAQ,CAAC,MAAc;QACrB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrD,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,UAAU;QACR,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,CAAC,IAAY;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/B,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,IAAY;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClD,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,UAAU,CAAC,IAAY;QACrB,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAuB;QACxC,MAAM,MAAM,GAAwB,EAAE,CAAC;QAEvC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEzE,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,MAAM,IAAA,wBAAW,EACpC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,EACzB,IAAI,CAAC,SAAS,CACf,CAAC;gBAEF,IAAI,YAAY,EAAE,CAAC;oBACjB,+BAA+B;oBAC/B,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;wBAC9B,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;wBACpE,OAAO,YAAY,CAAC;oBACtB,CAAC;oBACD,8BAA8B;oBAC9B,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;wBACzB,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;wBACjG,OAAO,YAAY,CAAC;oBACtB,CAAC;oBACD,gCAAgC;oBAChC,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;wBAC9B,MAAM,CAAC,YAAY,GAAG,YAAY,CAAC,YAAY,CAAC;wBAChD,sCAAsC;wBACtC,OAAO,CAAC,IAAI,GAAG,YAAY,CAAC,YAAY,CAAC;oBAC3C,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,yBAAY;oBACxC,CAAC,CAAC,SAAS;oBACX,CAAC,CAAE,GAAa,CAAC,OAAO,CAAC;gBAE3B,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAC/B,GAAG,CAAC,KAAK,CAAC,sDAAsD,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;oBACnG,OAAO,EAAE,WAAW,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC;gBAC9D,CAAC;gBAED,IAAI,GAAG,YAAY,yBAAY,EAAE,CAAC;oBAChC,GAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBAClE,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7E,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAiC;QACnD,MAAM,MAAM,GAAyB,EAAE,CAAC;QAExC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE1E,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,MAAM,IAAA,wBAAW,EACpC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAC1B,IAAI,CAAC,SAAS,GAAG,GAAG,CACrB,CAAC;gBAEF,IAAI,YAAY,EAAE,CAAC;oBACjB,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;wBACzB,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;wBAClG,OAAO,YAAY,CAAC;oBACtB,CAAC;oBACD,IAAI,YAAY,CAAC,YAAY,EAAE,CAAC;wBAC9B,MAAM,CAAC,YAAY,GAAG,YAAY,CAAC,YAAY,CAAC;wBAChD,OAAO,CAAC,IAAI,GAAG,YAAY,CAAC,YAAY,CAAC;oBAC3C,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,yBAAY;oBACxC,CAAC,CAAC,SAAS;oBACX,CAAC,CAAE,GAAa,CAAC,OAAO,CAAC;gBAE3B,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAC/B,GAAG,CAAC,KAAK,CAAC,yDAAyD,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;oBACtG,OAAO,EAAE,WAAW,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC;gBAC9D,CAAC;gBAED,IAAI,GAAG,YAAY,yBAAY,EAAE,CAAC;oBAChC,GAAG,CAAC,IAAI,CAAC,uCAAuC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7E,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,IAAI,CAAC,mCAAmC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;gBACxF,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAAgC;QAC1D,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBAAE,SAAS;YAElF,IAAI,CAAC;gBACH,MAAM,IAAA,wBAAW,EACf,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,EAClC,IAAI,CAAC,SAAS,GAAG,EAAE,CACpB,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,yBAAY,EAAE,CAAC;oBAChC,GAAG,CAAC,IAAI,CAAC,+CAA+C,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBACrF,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,IAAI,CAAC,2CAA2C,EAAE;wBACpD,MAAM,EAAE,MAAM,CAAC,IAAI;wBACnB,KAAK,EAAG,GAAa,CAAC,OAAO;qBAC9B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAjKD,sCAiKC"}

package/dist/plugins/loader.d.ts

@@ -0,0 +1,14 @@
+import type Database from 'better-sqlite3';
+import type { Plugin } from './types.js';
+import type { PluginEventBus } from './event-bus.js';
+export interface ExternalPluginConfig {
+    package: string;
+    enabled: boolean;
+    config?: Record<string, unknown>;
+}
+export declare function loadExternalPlugins(externalConfigs: ExternalPluginConfig[], db: Database.Database, eventBus: PluginEventBus): Promise<{
+    plugins: Plugin[];
+    destroyCallbacks: Array<() => Promise<void>>;
+    getPluginState: (pluginName: string, key: string) => unknown | undefined;
+}>;
+//# sourceMappingURL=loader.d.ts.map

package/dist/plugins/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/plugins/loader.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAG3C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAQrD,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,wBAAsB,mBAAmB,CACvC,eAAe,EAAE,oBAAoB,EAAE,EACvC,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,QAAQ,EAAE,cAAc,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,gBAAgB,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAAC,cAAc,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,GAAG,SAAS,CAAA;CAAE,CAAC,CAwGxJ"}

package/dist/plugins/loader.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadExternalPlugins = loadExternalPlugins;
+const index_js_1 = require("../plugin-api/index.js");
+const plugin_events_js_1 = require("../storage/repositories/plugin-events.js");
+const context_js_1 = require("./context.js");
+const adapter_js_1 = require("./adapter.js");
+const logger_js_1 = require("../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('plugin-loader');
+async function loadExternalPlugins(externalConfigs, db, eventBus) {
+    const plugins = [];
+    const destroyCallbacks = [];
+    const contextMap = new Map();
+    const repo = new plugin_events_js_1.PluginEventsRepository(db);
+    let priorityCounter = 50;
+    for (const cfg of externalConfigs) {
+        if (cfg.enabled === false) {
+            log.info('External plugin disabled, skipping', { package: cfg.package });
+            continue;
+        }
+        // Dynamic import
+        let mod;
+        try {
+            mod = await import(cfg.package);
+        }
+        catch (err) {
+            log.warn('Failed to import external plugin package', {
+                package: cfg.package,
+                error: err.message,
+            });
+            continue;
+        }
+        // Find register() export (ESM default or CJS)
+        const registerFn = (mod.register ?? mod.default?.register);
+        if (typeof registerFn !== 'function') {
+            log.warn('External plugin package has no register() export', { package: cfg.package });
+            continue;
+        }
+        // Call register()
+        let manifest;
+        try {
+            manifest = registerFn();
+        }
+        catch (err) {
+            log.warn('External plugin register() threw', {
+                package: cfg.package,
+                error: err.message,
+            });
+            continue;
+        }
+        // Process each plugin from the manifest
+        for (const externalPlugin of manifest.plugins) {
+            // Validate apiVersion
+            if (externalPlugin.apiVersion !== index_js_1.PLUGIN_API_VERSION) {
+                log.warn('External plugin apiVersion mismatch, skipping', {
+                    plugin: externalPlugin.name,
+                    expected: index_js_1.PLUGIN_API_VERSION,
+                    got: externalPlugin.apiVersion,
+                });
+                continue;
+            }
+            // Create context and call onInit
+            const context = (0, context_js_1.createPluginContext)(externalPlugin.name, cfg.config ?? {}, repo, eventBus);
+            contextMap.set(externalPlugin.name, context);
+            try {
+                if (externalPlugin.onInit) {
+                    await externalPlugin.onInit(context);
+                }
+            }
+            catch (err) {
+                log.warn('External plugin onInit failed, skipping', {
+                    plugin: externalPlugin.name,
+                    error: err.message,
+                });
+                continue;
+            }
+            // Adapt to internal Plugin interface
+            const adapted = (0, adapter_js_1.adaptPlugin)(externalPlugin, priorityCounter, repo, cfg.package);
+            priorityCounter += 1;
+            plugins.push(adapted);
+            // Collect destroy callbacks
+            if (externalPlugin.onDestroy) {
+                destroyCallbacks.push(externalPlugin.onDestroy.bind(externalPlugin));
+            }
+            log.info('External plugin loaded', {
+                plugin: externalPlugin.name,
+                version: externalPlugin.version,
+                priority: adapted.priority,
+            });
+        }
+    }
+    function getPluginState(pluginName, key) {
+        const ctx = contextMap.get(pluginName);
+        return ctx ? ctx._getState(key) : undefined;
+    }
+    return { plugins, destroyCallbacks, getPluginState };
+}
+//# sourceMappingURL=loader.js.map

package/dist/plugins/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/plugins/loader.ts"],"names":[],"mappings":";;AAkBA,kDA4GC;AA5HD,qDAA4D;AAG5D,+EAAkF;AAClF,6CAA+E;AAC/E,6CAA2C;AAC3C,kDAAkD;AAElD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,eAAe,CAAC,CAAC;AAQnC,KAAK,UAAU,mBAAmB,CACvC,eAAuC,EACvC,EAAqB,EACrB,QAAwB;IAExB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,gBAAgB,GAA+B,EAAE,CAAC;IACxD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAiC,CAAC;IAC5D,MAAM,IAAI,GAAG,IAAI,yCAAsB,CAAC,EAAE,CAAC,CAAC;IAC5C,IAAI,eAAe,GAAG,EAAE,CAAC;IAEzB,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC1B,GAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACzE,SAAS;QACX,CAAC;QAED,iBAAiB;QACjB,IAAI,GAA4B,CAAC;QACjC,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,0CAA0C,EAAE;gBACnD,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,KAAK,EAAG,GAAa,CAAC,OAAO;aAC9B,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,8CAA8C;QAC9C,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,QAAQ,IAAK,GAAG,CAAC,OAAmC,EAAE,QAAQ,CAEzE,CAAC;QAEd,IAAI,OAAO,UAAU,KAAK,UAAU,EAAE,CAAC;YACrC,GAAG,CAAC,IAAI,CAAC,kDAAkD,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACvF,SAAS;QACX,CAAC;QAED,kBAAkB;QAClB,IAAI,QAAuD,CAAC;QAC5D,IAAI,CAAC;YACH,QAAQ,GAAG,UAAU,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,kCAAkC,EAAE;gBAC3C,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,KAAK,EAAG,GAAa,CAAC,OAAO;aAC9B,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,wCAAwC;QACxC,KAAK,MAAM,cAAc,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC9C,sBAAsB;YACtB,IAAI,cAAc,CAAC,UAAU,KAAK,6BAAkB,EAAE,CAAC;gBACrD,GAAG,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBACxD,MAAM,EAAE,cAAc,CAAC,IAAI;oBAC3B,QAAQ,EAAE,6BAAkB;oBAC5B,GAAG,EAAE,cAAc,CAAC,UAAU;iBAC/B,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,iCAAiC;YACjC,MAAM,OAAO,GAAG,IAAA,gCAAmB,EACjC,cAAc,CAAC,IAAI,EACnB,GAAG,CAAC,MAAM,IAAI,EAAE,EAChB,IAAI,EACJ,QAAQ,CACT,CAAC;YACF,UAAU,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAE7C,IAAI,CAAC;gBACH,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;oBAC1B,MAAM,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,yCAAyC,EAAE;oBAClD,MAAM,EAAE,cAAc,CAAC,IAAI;oBAC3B,KAAK,EAAG,GAAa,CAAC,OAAO;iBAC9B,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,cAAc,EAAE,eAAe,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YAChF,eAAe,IAAI,CAAC,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEtB,4BAA4B;YAC5B,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;gBAC7B,gBAAgB,CAAC,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;YACvE,CAAC;YAED,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE;gBACjC,MAAM,EAAE,cAAc,CAAC,IAAI;gBAC3B,OAAO,EAAE,cAAc,CAAC,OAAO;gBAC/B,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,SAAS,cAAc,CAAC,UAAkB,EAAE,GAAW;QACrD,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACvC,OAAO,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9C,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,CAAC;AACvD,CAAC"}

package/dist/plugins/types.d.ts

@@ -0,0 +1,91 @@
+export interface RequestContext {
+    id: string;
+    provider: string;
+    model: string;
+    method: string;
+    path: string;
+    headers: Record<string, string>;
+    body: string;
+    parsedBody: Record<string, unknown>;
+    isStreaming: boolean;
+    startTime: number;
+    sessionId?: string;
+    sessionSource?: string;
+    apiKeyHash?: string;
+    /** Set by DLP scanner during onRequest/onResponse for downstream plugins */
+    dlpHit?: boolean;
+    dlpAction?: string;
+    dlpFindings?: number;
+    /** Set by tool-guard plugin during onResponseComplete */
+    toolGuardHit?: boolean;
+    toolGuardFindings?: number;
+    /** Internal: set by tool-guard onResponse to skip duplicate recording in onResponseComplete */
+    _toolGuardRecorded?: boolean;
+    /** Internal: set by tool-guard onRequest to enable streaming interception in forwarder.
+     *  Value is the blockMinSeverity threshold. */
+    _toolGuardStreamBlock?: string;
+    /** Internal: DB-loaded rules for streaming guard (set by tool-guard onRequest) */
+    _toolGuardRules?: import('../tool-guard/rules.js').ToolGuardRule[];
+}
+export interface ResponseCompleteContext {
+    request: RequestContext;
+    statusCode: number;
+    body: string;
+    parsedBody: Record<string, unknown> | null;
+    usage: {
+        inputTokens: number;
+        outputTokens: number;
+        cacheCreationTokens: number;
+        cacheReadTokens: number;
+    };
+    latencyMs: number;
+    isStreaming: boolean;
+    /** Pre-parsed SSE events from streaming responses (avoids re-parsing body) */
+    sseEvents?: Record<string, unknown>[];
+}
+export interface ShortCircuitResponse {
+    statusCode: number;
+    headers: Record<string, string>;
+    body: string;
+}
+export interface PluginRequestResult {
+    shortCircuit?: ShortCircuitResponse;
+    blocked?: {
+        reason: string;
+    };
+    pluginError?: {
+        pluginName: string;
+        reason: string;
+    };
+    modifiedBody?: string;
+}
+export interface ResponseInterceptContext {
+    request: RequestContext;
+    statusCode: number;
+    headers: Record<string, string>;
+    body: string;
+    parsedBody: Record<string, unknown> | null;
+    isStreaming: boolean;
+}
+export interface PluginResponseResult {
+    blocked?: {
+        reason: string;
+    };
+    pluginError?: {
+        pluginName: string;
+        reason: string;
+    };
+    modifiedBody?: string;
+}
+export interface Plugin {
+    name: string;
+    priority: number;
+    version?: string;
+    apiVersion?: number;
+    source?: 'builtin' | 'external';
+    packageName?: string;
+    onRequest?(context: RequestContext): Promise<PluginRequestResult | void>;
+    onResponse?(context: ResponseInterceptContext): Promise<PluginResponseResult | void>;
+    onResponseComplete?(context: ResponseCompleteContext): Promise<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/plugins/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/plugins/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,+FAA+F;IAC/F,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;mDAC+C;IAC/C,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kFAAkF;IAClF,eAAe,CAAC,EAAE,OAAO,wBAAwB,EAAE,aAAa,EAAE,CAAC;CACpE;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,cAAc,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,EAAE;QACL,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,OAAO,CAAC;IACrB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,mBAAmB;IAClC,YAAY,CAAC,EAAE,oBAAoB,CAAC;IACpC,OAAO,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7B,WAAW,CAAC,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,cAAc,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC3C,WAAW,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7B,WAAW,CAAC,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IACzE,UAAU,CAAC,CAAC,OAAO,EAAE,wBAAwB,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IACrF,kBAAkB,CAAC,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACtE"}

package/dist/plugins/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/plugins/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/plugins/types.ts"],"names":[],"mappings":""}

package/dist/proxy/certs.d.ts

@@ -0,0 +1,10 @@
+export declare function getCACertPath(): string;
+export declare function ensureCA(): {
+    key: string;
+    cert: string;
+};
+export declare function getHostCert(hostname: string): {
+    key: string;
+    cert: string;
+};
+//# sourceMappingURL=certs.d.ts.map

package/dist/proxy/certs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../../src/proxy/certs.ts"],"names":[],"mappings":"AAeA,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,wBAAgB,QAAQ,IAAI;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAqDxD;AAKD,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAkD3E"}

package/dist/proxy/certs.js

@@ -0,0 +1,110 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCACertPath = getCACertPath;
+exports.ensureCA = ensureCA;
+exports.getHostCert = getHostCert;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const node_forge_1 = __importDefault(require("node-forge"));
+const paths_js_1 = require("../config/paths.js");
+const logger_js_1 = require("../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('certs');
+const CA_KEY_PATH = (0, node_path_1.join)(paths_js_1.paths.bastionDir, 'ca.key');
+const CA_CERT_PATH = (0, node_path_1.join)(paths_js_1.paths.bastionDir, 'ca.crt');
+const CERTS_DIR = (0, node_path_1.join)(paths_js_1.paths.bastionDir, 'certs');
+const IS_WIN = (0, node_os_1.platform)() === 'win32';
+function getCACertPath() {
+    return CA_CERT_PATH;
+}
+function ensureCA() {
+    (0, node_fs_1.mkdirSync)(paths_js_1.paths.bastionDir, { recursive: true });
+    if ((0, node_fs_1.existsSync)(CA_KEY_PATH) && (0, node_fs_1.existsSync)(CA_CERT_PATH)) {
+        return {
+            key: (0, node_fs_1.readFileSync)(CA_KEY_PATH, 'utf-8'),
+            cert: (0, node_fs_1.readFileSync)(CA_CERT_PATH, 'utf-8'),
+        };
+    }
+    log.info('Generating local CA certificate');
+    // Use Node's native crypto for fast RSA key generation
+    const { privateKey: keyPem, publicKey: pubPem } = (0, node_crypto_1.generateKeyPairSync)('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+    });
+    // Use node-forge to create the X.509 CA certificate
+    const privateKey = node_forge_1.default.pki.privateKeyFromPem(keyPem);
+    const publicKey = node_forge_1.default.pki.publicKeyFromPem(pubPem);
+    const cert = node_forge_1.default.pki.createCertificate();
+    cert.publicKey = publicKey;
+    cert.serialNumber = (0, node_crypto_1.randomBytes)(16).toString('hex');
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date();
+    cert.validity.notAfter.setDate(cert.validity.notAfter.getDate() + 825);
+    const attrs = [
+        { name: 'commonName', value: 'Bastion Local CA' },
+        { name: 'organizationName', value: 'Bastion AI Gateway' },
+    ];
+    cert.setSubject(attrs);
+    cert.setIssuer(attrs);
+    cert.setExtensions([
+        { name: 'basicConstraints', cA: true },
+        { name: 'keyUsage', keyCertSign: true, digitalSignature: true, cRLSign: true },
+    ]);
+    cert.sign(privateKey, node_forge_1.default.md.sha256.create());
+    const certPem = node_forge_1.default.pki.certificateToPem(cert);
+    (0, node_fs_1.writeFileSync)(CA_KEY_PATH, keyPem);
+    if (!IS_WIN)
+        (0, node_fs_1.chmodSync)(CA_KEY_PATH, 0o600);
+    (0, node_fs_1.writeFileSync)(CA_CERT_PATH, certPem);
+    log.info('CA certificate created', { path: CA_CERT_PATH });
+    return { key: keyPem, cert: certPem };
+}
+// In-memory cache for generated host certs
+const certCache = new Map();
+function getHostCert(hostname) {
+    const cached = certCache.get(hostname);
+    if (cached)
+        return cached;
+    (0, node_fs_1.mkdirSync)(CERTS_DIR, { recursive: true });
+    // Generate host key pair (native crypto — fast)
+    const { privateKey: hostKeyPem, publicKey: hostPubPem } = (0, node_crypto_1.generateKeyPairSync)('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+    });
+    // Load CA key + cert
+    const caKey = node_forge_1.default.pki.privateKeyFromPem((0, node_fs_1.readFileSync)(CA_KEY_PATH, 'utf-8'));
+    const caCert = node_forge_1.default.pki.certificateFromPem((0, node_fs_1.readFileSync)(CA_CERT_PATH, 'utf-8'));
+    // Create host certificate signed by CA
+    const hostKey = node_forge_1.default.pki.publicKeyFromPem(hostPubPem);
+    const cert = node_forge_1.default.pki.createCertificate();
+    cert.publicKey = hostKey;
+    cert.serialNumber = (0, node_crypto_1.randomBytes)(16).toString('hex');
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date();
+    cert.validity.notAfter.setDate(cert.validity.notAfter.getDate() + 825);
+    cert.setSubject([{ name: 'commonName', value: hostname }]);
+    cert.setIssuer(caCert.subject.attributes);
+    cert.setExtensions([
+        { name: 'subjectAltName', altNames: [{ type: 2, value: hostname }] },
+    ]);
+    cert.sign(caKey, node_forge_1.default.md.sha256.create());
+    const result = {
+        key: hostKeyPem,
+        cert: node_forge_1.default.pki.certificateToPem(cert),
+    };
+    // Optionally cache to disk (for debugging), always cache in memory
+    const keyPath = (0, node_path_1.join)(CERTS_DIR, `${hostname}.key`);
+    const certPath = (0, node_path_1.join)(CERTS_DIR, `${hostname}.crt`);
+    (0, node_fs_1.writeFileSync)(keyPath, result.key);
+    (0, node_fs_1.writeFileSync)(certPath, result.cert);
+    certCache.set(hostname, result);
+    log.debug('Generated host certificate', { hostname });
+    return result;
+}
+//# sourceMappingURL=certs.js.map

package/dist/proxy/certs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certs.js","sourceRoot":"","sources":["../../src/proxy/certs.ts"],"names":[],"mappings":";;;;;AAeA,sCAEC;AAED,4BAqDC;AAKD,kCAkDC;AA/HD,6CAA+D;AAC/D,qCAAwF;AACxF,yCAAiC;AACjC,qCAAmC;AACnC,4DAA+B;AAC/B,iDAA2C;AAC3C,kDAAkD;AAElD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,OAAO,CAAC,CAAC;AAElC,MAAM,WAAW,GAAG,IAAA,gBAAI,EAAC,gBAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;AACrD,MAAM,YAAY,GAAG,IAAA,gBAAI,EAAC,gBAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;AACtD,MAAM,SAAS,GAAG,IAAA,gBAAI,EAAC,gBAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;AAClD,MAAM,MAAM,GAAG,IAAA,kBAAQ,GAAE,KAAK,OAAO,CAAC;AAEtC,SAAgB,aAAa;IAC3B,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAgB,QAAQ;IACtB,IAAA,mBAAS,EAAC,gBAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEjD,IAAI,IAAA,oBAAU,EAAC,WAAW,CAAC,IAAI,IAAA,oBAAU,EAAC,YAAY,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,GAAG,EAAE,IAAA,sBAAY,EAAC,WAAW,EAAE,OAAO,CAAC;YACvC,IAAI,EAAE,IAAA,sBAAY,EAAC,YAAY,EAAE,OAAO,CAAC;SAC1C,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAE5C,uDAAuD;IACvD,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,IAAA,iCAAmB,EAAC,KAAK,EAAE;QAC3E,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IAEH,oDAAoD;IACpD,MAAM,UAAU,GAAG,oBAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,oBAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,IAAI,GAAG,oBAAK,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;IAC3C,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC3B,IAAI,CAAC,YAAY,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpD,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,CAAC;IAEvE,MAAM,KAAK,GAAG;QACZ,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,kBAAkB,EAAE;QACjD,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,oBAAoB,EAAE;KAC1D,CAAC;IACF,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACvB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAEtB,IAAI,CAAC,aAAa,CAAC;QACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,IAAI,EAAE;QACtC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;KAC/E,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,oBAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAEhD,MAAM,OAAO,GAAG,oBAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAEjD,IAAA,uBAAa,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,IAAA,mBAAS,EAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IAC3C,IAAA,uBAAa,EAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAErC,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;IAE3D,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACxC,CAAC;AAED,2CAA2C;AAC3C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyC,CAAC;AAEnE,SAAgB,WAAW,CAAC,QAAgB;IAC1C,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,IAAA,mBAAS,EAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,gDAAgD;IAChD,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,IAAA,iCAAmB,EAAC,KAAK,EAAE;QACnF,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IAEH,qBAAqB;IACrB,MAAM,KAAK,GAAG,oBAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAA,sBAAY,EAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,oBAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAA,sBAAY,EAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;IAEjF,uCAAuC;IACvC,MAAM,OAAO,GAAG,oBAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,oBAAK,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;IAC3C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC;IACzB,IAAI,CAAC,YAAY,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpD,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,CAAC;IAEvE,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;IAC3D,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAE1C,IAAI,CAAC,aAAa,CAAC;QACjB,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE;KACrE,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,oBAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,UAAU;QACf,IAAI,EAAE,oBAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC;KACvC,CAAC;IAEF,mEAAmE;IACnE,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,GAAG,QAAQ,MAAM,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,GAAG,QAAQ,MAAM,CAAC,CAAC;IACpD,IAAA,uBAAa,EAAC,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IACnC,IAAA,uBAAa,EAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;IAErC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChC,GAAG,CAAC,KAAK,CAAC,4BAA4B,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEtD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/proxy/connect.d.ts

@@ -0,0 +1,11 @@
+import * as net from 'node:net';
+import type { PluginManager } from '../plugins/index.js';
+import type { BastionConfig } from '../config/schema.js';
+export declare function getSessionForSocket(socket: net.Socket): string | undefined;
+/**
+ * Attach CONNECT handler to an existing HTTP server.
+ * - API hosts: MITM decrypt → plugin pipeline → forward to real upstream
+ * - All other hosts: plain TCP tunnel (no inspection)
+ */
+export declare function setupConnectHandler(server: net.Server, config: BastionConfig, pluginManager: PluginManager): void;
+//# sourceMappingURL=connect.d.ts.map

package/dist/proxy/connect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../../src/proxy/connect.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAgCzD,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,SAAS,CAE1E;AA4BD;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,GAAG,CAAC,MAAM,EAClB,MAAM,EAAE,aAAa,EACrB,aAAa,EAAE,aAAa,GAC3B,IAAI,CAmCN"}