@bothat-io/molenkopf 0.1.2

package/packages/proxy/src/http/client-identity.ts

@@ -0,0 +1,51 @@
+import { createHash } from "node:crypto";
+import type { ProviderAllowlist } from "./provider-access.ts";
+
+export type ClientIdentity = {
+  id: string;
+  label: string;
+  source: "user" | "agent" | "api_key" | "unattributed";
+  userId?: string;
+  agentId?: string;
+  keyAgentLabel?: string;
+  teamIds?: string[];
+  keyId?: string;
+  project?: string;
+  allowedProviderIds?: ProviderAllowlist;
+};
+
+export function deriveClientIdentity(headers: Headers): ClientIdentity {
+  const agent = agentIdFromHeaders(headers);
+  if (agent) return { id: clientIdForAgent(agent), label: `agent:${safeSubjectId(agent)}`, source: "agent", agentId: agent };
+  const credential = headers.get("authorization") || headers.get("x-api-key");
+  if (credential) {
+    const hash = createHash("sha256").update(credential).digest("hex").slice(0, 12);
+    return { id: `api-key:${hash}`, label: `api-key sha256:${hash}`, source: "api_key" };
+  }
+  return { id: "unattributed", label: "unattributed client", source: "unattributed" };
+}
+
+export function clientIdForAgent(agentId: string): string {
+  return `agent:${safeSubjectId(agentId)}`;
+}
+
+export function agentIdFromHeaders(headers: Headers): string | undefined {
+  return clean(headers.get("x-molenkopf-agent"));
+}
+
+function clean(value: string | null): string | undefined {
+  const normalized = value?.replace(/[^\w .@-]/g, "").trim().slice(0, 48);
+  return normalized || undefined;
+}
+
+export function safeSubjectId(value: string): string {
+  return looksSensitive(value) ? createHash("sha256").update(value).digest("hex").slice(0, 12) : slug(value);
+}
+
+function looksSensitive(value: string): boolean {
+  return /@|\s/.test(value);
+}
+
+function slug(value: string): string {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-|-$/g, "").slice(0, 48) || "unknown";
+}

package/packages/proxy/src/http/communication-graph.ts

@@ -0,0 +1,139 @@
+import type { AuditManifest } from "../../../core/src/manifest/audit-store.ts";
+
+export type CommunicationNode = { id: string; label: string; kind: string; detail: string; count: number };
+export type CommunicationEdge = { from: string; to: string; label: string; count: number };
+export type CommunicationGraph = { nodes: CommunicationNode[]; edges: CommunicationEdge[]; updatedAt?: string };
+
+const MAX_GRAPH_NODES = 80;
+const MAX_GRAPH_EDGES = 180;
+const MAX_ID = 140;
+const MAX_TEXT = 96;
+const MAX_COUNT = 99999;
+
+export function createCommunicationGraph(): CommunicationGraph {
+  return { nodes: [], edges: [] };
+}
+
+export function buildCommunicationGraph(manifests: AuditManifest[]): CommunicationGraph {
+  const graph = createCommunicationGraph();
+  for (const manifest of manifests) recordCommunicationGraph(graph, manifest);
+  return graph;
+}
+
+export function recordCommunicationGraph(graph: CommunicationGraph, manifest: AuditManifest) {
+  const path = safePath(manifest.path);
+  if (!path) return;
+  const source = safeClient(manifest.client);
+  const sourceId = `source:${source.source}:${source.id}`;
+  const host = safeHost(manifest.targetHost);
+  const method = safeMethod(manifest.method);
+  const status = safeStatus(manifest.statusCode);
+  const providerId = `provider:${host}`;
+  const endpointId = `endpoint:${method}:${path}`;
+  const statusId = `status:${status.label}`;
+
+  upsert(graph, sourceId, source.label, source.kind, "captured from proxied traffic");
+  upsert(graph, providerId, host, "provider", "active upstream");
+  upsert(graph, endpointId, `${method} ${path}`, "request", "path and status only");
+  upsert(graph, statusId, `${status.label} responses`, "status", status.detail);
+  link(graph, sourceId, endpointId, "sends");
+  link(graph, endpointId, providerId, "routes to");
+  link(graph, endpointId, statusId, "returns");
+
+  if (manifest.compressedItems > 0 || manifest.retrievalIds.length > 0) {
+    upsert(graph, "plugin:compression", "Context compression", "plugin", `${manifest.compressedItems} items`);
+    link(graph, endpointId, "plugin:compression", "compresses");
+  }
+  if (manifest.retrievalIds.length > 0) {
+    upsert(graph, "store:retrieval", "Local retrieval store", "store", "retrieval IDs only");
+    link(graph, "plugin:compression", "store:retrieval", "stores");
+  }
+  graph.updatedAt = manifest.timestamp;
+}
+
+function safeClient(client: AuditManifest["client"]): { id: string; label: string; source: string; kind: string } {
+  if (!client) return { id: "unattributed", label: "unattributed client", source: "unattributed", kind: "agent" };
+  const source = client.source === "user" || client.source === "agent" || client.source === "api_key" ? client.source : "unattributed";
+  return {
+    id: safeGraphId(client.id || client.label || source),
+    label: trim(client.label || client.id || source, 80),
+    source,
+    kind: source === "api_key" ? "metadata" : "agent"
+  };
+}
+
+function safeGraphId(value: string): string {
+  const clean = String(value ?? "unattributed").toLowerCase().replace(/[^a-z0-9._:-]+/g, "-");
+  return trim(clean || "unattributed", 80);
+}
+
+function safePath(path: string): string | undefined {
+  let pathname: string;
+  try {
+    pathname = new URL(String(path ?? ""), "http://local").pathname;
+  } catch {
+    return undefined;
+  }
+  if (pathname === "/" || pathname === "/favicon.ico" || pathname === "/src/App.jsx") return undefined;
+  if (pathname.startsWith("/.well-known/") || pathname.startsWith("/__molenkopf/")) return undefined;
+  const safe = pathname.split("/").map(safePathSegment).join("/").replace(/\/+/g, "/");
+  return safe === "/" ? undefined : trim(safe, MAX_TEXT);
+}
+
+function safePathSegment(segment: string): string {
+  if (!segment) return "";
+  let decoded = segment;
+  try {
+    decoded = decodeURIComponent(segment);
+  } catch {
+    return ":value";
+  }
+  if (/\s/.test(decoded) || /^(?:token|secret|password|credential|prompt|api[-_]?key|key)$/i.test(decoded)) return ":value";
+  const clean = decoded.replace(/[^A-Za-z0-9._:-]/g, "-");
+  if (!clean || clean.length > 28 || /^[A-Za-z0-9_-]{24,}$/.test(clean)) return ":value";
+  return clean;
+}
+
+function safeHost(value: string): string {
+  try {
+    const text = String(value ?? "");
+    const host = new URL(text.includes("://") ? text : `http://${text}`).hostname;
+    return trim(host || "unknown-host", 80);
+  } catch {
+    return "unknown-host";
+  }
+}
+
+function safeMethod(value: string): string {
+  const method = String(value ?? "").toUpperCase().replace(/[^A-Z]/g, "").slice(0, 12);
+  return method || "REQUEST";
+}
+
+function safeStatus(statusCode: AuditManifest["statusCode"]): { label: string; detail: string } {
+  const code = Number(statusCode);
+  if (!Number.isInteger(code) || code < 100 || code > 599) return { label: "unknown", detail: "not captured" };
+  return { label: `${Math.floor(code / 100)}xx`, detail: String(code) };
+}
+
+function upsert(graph: CommunicationGraph, id: string, label: string, kind: string, detail: string) {
+  const found = graph.nodes.find((node) => node.id === id);
+  if (found) {
+    found.count = Math.min(MAX_COUNT, found.count + 1);
+    found.detail = trim(detail, MAX_TEXT);
+  } else {
+    if (graph.nodes.length >= MAX_GRAPH_NODES) return;
+    graph.nodes.push({ id: trim(id, MAX_ID), label: trim(label, 80), kind: trim(kind, 24), detail: trim(detail, MAX_TEXT), count: 1 });
+  }
+}
+
+function link(graph: CommunicationGraph, from: string, to: string, label: string) {
+  if (!graph.nodes.some((node) => node.id === from) || !graph.nodes.some((node) => node.id === to)) return;
+  const found = graph.edges.find((edge) => edge.from === from && edge.to === to && edge.label === label);
+  if (found) found.count = Math.min(MAX_COUNT, found.count + 1);
+  else if (graph.edges.length < MAX_GRAPH_EDGES) graph.edges.push({ from, to, label: trim(label, 48), count: 1 });
+}
+
+function trim(value: string, max: number): string {
+  const text = String(value ?? "");
+  return text.length <= max ? text : `${text.slice(0, max - 3)}...`;
+}

package/packages/proxy/src/http/control-plane-guard.ts

@@ -0,0 +1,56 @@
+import type { IncomingMessage } from "node:http";
+import type { RuntimeState } from "./runtime-state.ts";
+import { isLoopbackBindHost } from "./public-bind.ts";
+
+const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+
+export type ControlPlaneGuardResult = { ok: true } | { ok: false; status: number; error: string };
+
+export function checkControlPlaneWrite(req: IncomingMessage, path: string, state: RuntimeState): ControlPlaneGuardResult {
+  if (!WRITE_METHODS.has(req.method ?? "GET")) return { ok: true };
+  if (!originAllowed(req.headers.origin, req.headers.host, process.env.MOLENKOPF_DASHBOARD_DEV_ORIGIN)) {
+    return { ok: false, status: 403, error: "bad_origin" };
+  }
+  if (!req.headers.origin && !isLoopbackBindHost(state.host) && hasSessionCookie(req.headers.cookie)) {
+    return { ok: false, status: 403, error: "bad_origin" };
+  }
+  if (!isJsonContentType(req.headers["content-type"])) {
+    return { ok: false, status: 415, error: "json_required" };
+  }
+  return { ok: true };
+}
+
+function hasSessionCookie(value: string | string[] | undefined): boolean {
+  return typeof value === "string" && /(?:^|;\s*)molenkopf_session=/.test(value);
+}
+
+function originAllowed(origin: string | string[] | undefined, host: string | string[] | undefined, dashboardDevOrigin?: string): boolean {
+  if (!origin) return true;
+  if (Array.isArray(origin) || Array.isArray(host) || !host) return false;
+  try {
+    const parsed = new URL(origin);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
+    if (parsed.host.toLowerCase() === host.toLowerCase()) return true;
+    if (!dashboardDevOrigin) return false;
+    const allowedDev = new URL(dashboardDevOrigin);
+    return parsed.protocol === allowedDev.protocol && sameOriginHost(parsed, allowedDev);
+  } catch {
+    return false;
+  }
+}
+
+function sameOriginHost(actual: URL, expected: URL): boolean {
+  if (actual.host.toLowerCase() === expected.host.toLowerCase()) return true;
+  return actual.port === expected.port && isLoopbackName(actual.hostname) && isLoopbackName(expected.hostname);
+}
+
+function isLoopbackName(hostname: string): boolean {
+  const value = hostname.toLowerCase();
+  return value === "localhost" || value === "127.0.0.1" || value === "[::1]";
+}
+
+function isJsonContentType(value: string | string[] | undefined): boolean {
+  if (Array.isArray(value) || !value) return false;
+  const mediaType = value.split(";")[0].trim().toLowerCase();
+  return mediaType === "application/json" || mediaType.endsWith("+json");
+}

package/packages/proxy/src/http/dashboard-assets.ts

@@ -0,0 +1,115 @@
+import { createReadStream, existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { dirname, join, normalize, resolve, sep } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const here = dirname(fileURLToPath(import.meta.url));
+const dashboardRoot = resolve(here, "..", "..", "..", "dashboard");
+const defaultDist = join(dashboardRoot, "dist");
+const routePrefix = "/__molenkopf/dashboard";
+
+export function isDashboardRequest(url: string | undefined): boolean {
+  const path = routePath(url);
+  return path === routePrefix || path.startsWith(`${routePrefix}/`);
+}
+
+export async function handleDashboardRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
+  const path = parsePath(req.url);
+  if (req.method !== "GET" && req.method !== "HEAD") {
+    writeText(res, 405, "method not allowed");
+    return;
+  }
+  const devOrigin = process.env.MOLENKOPF_DASHBOARD_DEV_ORIGIN;
+  if (devOrigin) {
+    await proxyDevDashboard(req, res, devOrigin);
+    return;
+  }
+  if (!path) return writeText(res, 400, "bad request");
+  if (path.startsWith(`${routePrefix}/assets/`)) return serveDistPath(path.slice(routePrefix.length + 1), true, res);
+  if (path === `${routePrefix}/favicon.png` || path === `${routePrefix}/molenkopf-logo.png`) return serveDistPath(path.slice(routePrefix.length + 1), true, res);
+  if (hasExtension(path)) return writeText(res, 404, "not found");
+  return serveIndex(res);
+}
+
+async function serveIndex(res: ServerResponse) {
+  const file = join(distDir(), "index.html");
+  if (!existsSync(file)) return writeText(res, 503, missingBuildHtml(), "text/html; charset=utf-8");
+  res.writeHead(200, { "content-type": "text/html; charset=utf-8", "cache-control": "no-store" });
+  res.end(await readFile(file));
+}
+
+function serveDistPath(routePath: string, immutable: boolean, res: ServerResponse) {
+  const safe = safeRelative(routePath);
+  if (!safe) return writeText(res, 400, "bad request");
+  const file = normalize(join(distDir(), safe));
+  const root = distDir();
+  if (!(file.startsWith(`${root}${sep}`)) || !existsSync(file)) return writeText(res, 404, "not found");
+  res.writeHead(200, { "content-type": contentType(file), "cache-control": immutable ? "public, max-age=31536000, immutable" : "no-store" });
+  createReadStream(file).pipe(res);
+}
+
+async function proxyDevDashboard(req: IncomingMessage, res: ServerResponse, origin: string) {
+  try {
+    const incoming = parseIncoming(req.url);
+    if (!incoming) return writeText(res, 400, "bad request");
+    const target = new URL(`${incoming.pathname}${incoming.search}`, origin);
+    if (target.pathname === routePrefix) target.pathname = `${routePrefix}/`;
+    const upstream = await fetch(target, { method: req.method });
+    const headers: Record<string, string> = {};
+    upstream.headers.forEach((value, key) => { headers[key] = value; });
+    res.writeHead(upstream.status, headers);
+    if (req.method === "HEAD") return res.end();
+    res.end(Buffer.from(await upstream.arrayBuffer()));
+  } catch {
+    writeText(res, 503, "dashboard dev server is starting");
+  }
+}
+
+function parseIncoming(url: string | undefined): URL | undefined {
+  const raw = url ?? "/";
+  if (!raw.startsWith("/") || raw.startsWith("//") || /^[a-z][a-z0-9+.-]*:/i.test(raw)) return undefined;
+  try { return new URL(raw, "http://local"); } catch { return undefined; }
+}
+
+function parsePath(url: string | undefined): string {
+  return parseIncoming(url)?.pathname ?? "";
+}
+
+function routePath(url: string | undefined): string {
+  try { return new URL(url ?? "/", "http://local").pathname; } catch { return ""; }
+}
+
+function safeRelative(routePath: string): string | undefined {
+  let decoded: string;
+  try { decoded = decodeURIComponent(routePath); } catch { return undefined; }
+  if (!decoded || decoded.includes("\\") || decoded.split("/").some((part) => !part || part === "." || part === "..")) return undefined;
+  return decoded;
+}
+
+function hasExtension(path: string): boolean {
+  return /\/[^/]+\.[a-z0-9]+$/i.test(path);
+}
+
+function distDir() {
+  return process.env.MOLENKOPF_DASHBOARD_DIST || defaultDist;
+}
+
+function contentType(file: string): string {
+  if (file.endsWith(".js")) return "text/javascript; charset=utf-8";
+  if (file.endsWith(".css")) return "text/css; charset=utf-8";
+  if (file.endsWith(".svg")) return "image/svg+xml";
+  if (file.endsWith(".png")) return "image/png";
+  if (file.endsWith(".ico")) return "image/x-icon";
+  if (file.endsWith(".woff2")) return "font/woff2";
+  return "application/octet-stream";
+}
+
+function writeText(res: ServerResponse, status: number, body: string, type = "text/plain; charset=utf-8") {
+  res.writeHead(status, { "content-type": type, "cache-control": "no-store" });
+  res.end(body);
+}
+
+function missingBuildHtml() {
+  return "<!doctype html><html><body><div id=\"root\">Dashboard build missing. Run npm --prefix packages/dashboard run build.</div></body></html>";
+}

package/packages/proxy/src/http/encoded-usage-meter.ts

@@ -0,0 +1,32 @@
+import { createBrotliDecompress, createGunzip, createInflate, type BrotliDecompress, type Gunzip, type Inflate } from "node:zlib";
+import { createUsageMeter, type UsageTotals as MeterTotals } from "../../../core/src/manifest/usage-meter.ts";
+
+type DecodeStream = BrotliDecompress | Gunzip | Inflate;
+
+export type ResponseUsageScanner = {
+  feed(chunk: Buffer): void;
+  finish(): Promise<MeterTotals>;
+};
+
+export function createResponseUsageScanner(encoding: string | undefined): ResponseUsageScanner {
+  const meter = createUsageMeter();
+  const decoder = decoderFor(encoding);
+  if (!decoder) return { feed: (chunk) => meter.feed(chunk), finish: async () => meter.result() };
+  const done = new Promise<void>((resolve) => {
+    decoder.on("data", (chunk: Buffer) => meter.feed(chunk));
+    decoder.on("end", resolve);
+    decoder.on("error", resolve);
+  });
+  return {
+    feed(chunk) { decoder.write(chunk); },
+    async finish() { decoder.end(); await done; return meter.result(); }
+  };
+}
+
+function decoderFor(encoding: string | undefined): DecodeStream | undefined {
+  const name = encoding?.split(",")[0]?.trim().toLowerCase();
+  if (name === "gzip") return createGunzip();
+  if (name === "br") return createBrotliDecompress();
+  if (name === "deflate") return createInflate();
+  return undefined;
+}

package/packages/proxy/src/http/header-utils.ts

@@ -0,0 +1,65 @@
+import type { ProviderConfig } from "../../../core/src/providers/provider-catalog.ts";
+
+const hopByHop = new Set(["connection", "keep-alive", "proxy-authenticate", "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade", "host"]);
+const sensitive = new Set(["authorization", "cookie", "set-cookie", "x-api-key"]);
+const providerAuth = new Set(["authorization", "x-api-key"]);
+const blockedRequest = new Set(["set-cookie", "forwarded", "proxy-connection", "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto"]);
+
+export function buildForwardHeaders(headers: Headers, provider?: ProviderConfig, env: Record<string, string | undefined> = process.env): Headers {
+  const out = new Headers();
+  const usesProviderCredential = hasProviderCredentialRef(provider);
+  const forwardsClientCredential = forwardsClientAuth(provider);
+  const credential = usesProviderCredential ? providerCredential(provider, env) : undefined;
+  headers.forEach((value, key) => {
+    const lower = key.toLowerCase();
+    if (blockedRequest.has(lower)) return;
+    if (hopByHop.has(lower) || lower.startsWith("x-molenkopf-")) return;
+    if (lower === "cookie") return;
+    if (providerAuth.has(lower) && usesProviderCredential) return;
+    if (providerAuth.has(lower) && stripsClientAuth(provider) && !provider?.allowClientCredentialForwarding) return;
+    if (providerAuth.has(lower) && !forwardsClientCredential) return;
+    out.set(key, value);
+  });
+  if (credential) setProviderCredential(out, provider?.authScheme, credential);
+  return out;
+}
+
+export function missingProviderCredential(provider: ProviderConfig | undefined, env: Record<string, string | undefined> = process.env): boolean {
+  return Boolean(hasProviderCredentialRef(provider) && provider?.authScheme !== "none" && !providerCredential(provider, env));
+}
+
+function hasProviderCredentialRef(provider: ProviderConfig | undefined): boolean {
+  if (!provider) return false;
+  if (provider.credentialValue) return true;
+  if (provider.credentialEnv) return true;
+  return Boolean(provider.credentialRef && provider.credentialRef !== "none");
+}
+
+function stripsClientAuth(provider: ProviderConfig | undefined): boolean {
+  if (!provider || provider.id === "default") return false;
+  return provider.authScheme === "none" || provider.kind === "local";
+}
+
+function forwardsClientAuth(provider: ProviderConfig | undefined): boolean {
+  if (!provider) return false;
+  if (provider.allowClientCredentialForwarding) return true;
+  return provider.id === "default" && provider.kind === "api" && provider.authScheme === "none" && !hasProviderCredentialRef(provider);
+}
+
+function providerCredential(provider: ProviderConfig | undefined, env: Record<string, string | undefined>): string | undefined {
+  return provider?.credentialValue ?? (provider?.credentialEnv ? env[provider.credentialEnv] : undefined);
+}
+
+function setProviderCredential(headers: Headers, scheme: ProviderConfig["authScheme"], credential: string) {
+  if (scheme === "none") return;
+  if (scheme === "x-api-key") headers.set("x-api-key", credential);
+  else headers.set("authorization", credential.toLowerCase().startsWith("bearer ") ? credential : `Bearer ${credential}`);
+}
+
+export function sanitizeHeadersForAudit(headers: Headers): Record<string, string> {
+  const out: Record<string, string> = {};
+  headers.forEach((value, key) => {
+    if (!sensitive.has(key.toLowerCase())) out[key] = value;
+  });
+  return out;
+}

package/packages/proxy/src/http/identity-id.ts

@@ -0,0 +1,11 @@
+const SLUG_ID_RE = /^[a-z0-9][a-z0-9._-]{1,63}$/i;
+const EMAIL_ID_RE = /^[a-z0-9._%+-]{1,64}@[a-z0-9.-]{1,190}\.[a-z]{2,24}$/i;
+
+export function isValidUserId(value: string): boolean {
+  const id = value.trim();
+  return SLUG_ID_RE.test(id) || (id.length <= 254 && EMAIL_ID_RE.test(id));
+}
+
+export function isValidSlugId(value: string): boolean {
+  return SLUG_ID_RE.test(value.trim());
+}

package/packages/proxy/src/http/local-api-agent-actions.ts

@@ -0,0 +1,17 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { upsertAgentDraft } from "./agent-drafts.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+import { persistRuntimeSettings } from "./runtime-settings.ts";
+import type { RuntimeState } from "./runtime-state.ts";
+
+export async function saveAgentDraft(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const previous = state.agentDrafts.map((draft) => ({ ...draft, enabledPluginIds: [...draft.enabledPluginIds] }));
+  const result = upsertAgentDraft(state, body);
+  if (result.ok === false) return writeJson(res, result.status, { error: result.error, reason: result.reason });
+  try { await persistRuntimeSettings(state); } catch {
+    state.agentDrafts = previous;
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, { item: result.value, tokenPolicy: "hash-only; raw token values rejected" });
+}

package/packages/proxy/src/http/local-api-auth.ts

@@ -0,0 +1,120 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { verifyPasswordAsync, hashPasswordAsync, passwordTooLong } from "../../../core/src/auth/password.ts";
+import { signSession } from "../../../core/src/auth/session.ts";
+import type { User } from "../../../core/src/identity/types.ts";
+import { authRequired, canManage, currentUser } from "./auth-state.ts";
+import { type RuntimeState } from "./runtime-state.ts";
+import { jsonHeaders, readJson, writeJson } from "./local-api-io.ts";
+import { isValidUserId } from "./identity-id.ts";
+import { MIN_PASSWORD_LENGTH } from "./password-policy.ts";
+
+// Session login backed by the Identity store. Passwords are scrypt-hashed; the
+// session is a signed httpOnly cookie. canManage/teams come from the user's role.
+const COOKIE = "molenkopf_session";
+const MAX_AUTH_FAILURES = 5;
+const AUTH_WINDOW_MS = 15 * 60 * 1000;
+
+export async function login(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const attemptId = attemptKey("login", req, "");
+  if (rateLimited(state, attemptId)) return writeJson(res, 429, { error: "too_many_attempts" });
+  const body = await readJson(req);
+  const username = typeof body.username === "string" ? body.username.trim() : "";
+  const password = typeof body.password === "string" ? body.password : "";
+  const user = state.identity?.getUser(username);
+  if (passwordTooLong(password) || !user || user.disabled || user.loginDisabled || !await verifyPasswordAsync(password, user.password)) {
+    recordFailure(state, attemptId);
+    recordFailure(state, attemptKey("login", req, username));
+    return writeJson(res, 401, { error: "invalid_login" });
+  }
+  clearFailures(state, attemptId);
+  clearFailures(state, attemptKey("login", req, username));
+  const token = signSession(user.id, state.sessionSecret, undefined, undefined, user.sessionVersion ?? 0);
+  res.writeHead(200, authHeaders(req, `${COOKIE}=${token}; HttpOnly; SameSite=Strict; Path=/; Max-Age=43200`));
+  res.end(JSON.stringify({ ok: true, user: meView(state, user) }));
+}
+
+export function logout(req: IncomingMessage, res: ServerResponse) {
+  res.writeHead(200, authHeaders(req, `${COOKIE}=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0`));
+  res.end(JSON.stringify({ ok: true }));
+}
+
+export function me(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  if (!authRequired(state)) return writeJson(res, 200, { open: true, canManage: true, needsSetup: true });
+  const user = currentUser(state, req.headers.cookie ?? null);
+  if (!user) return writeJson(res, 200, {});
+  writeJson(res, 200, { user: meView(state, user) });
+}
+
+// First-run: claim the admin account from the UI when none exists yet. This is
+// the one bootstrap that's allowed in open mode; afterwards login is required.
+export async function setupAdmin(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  if (!state.identity) return writeJson(res, 400, { error: "identity_unavailable" });
+  if (state.bootstrapSetup) {
+    await state.bootstrapSetup;
+    return writeJson(res, 403, { error: "already_initialized" });
+  }
+  if (authRequired(state)) return writeJson(res, 403, { error: "already_initialized" });
+  let release = () => {};
+  state.bootstrapSetup = new Promise<void>((resolve) => { release = resolve; });
+  try {
+  const setupAttempt = attemptKey("setup", req, "");
+  if (rateLimited(state, setupAttempt)) return writeJson(res, 429, { error: "too_many_attempts" });
+  const body = await readJson(req);
+  const id = typeof body.username === "string" ? body.username.trim() : "";
+  if (!isValidUserId(id)) return writeJson(res, 400, { error: "invalid_user_id" });
+  const password = typeof body.password === "string" ? body.password : "";
+  if (password.length < MIN_PASSWORD_LENGTH) {
+    recordFailure(state, setupAttempt);
+    return writeJson(res, 400, { error: "weak_password" });
+  }
+  if (passwordTooLong(password)) return writeJson(res, 400, { error: "password_too_long" });
+  const createdEveryone = !state.identity.getTeam("everyone");
+  if (createdEveryone) await state.identity.putTeam({ id: "everyone", name: "Everyone", allowedProviders: "*", managerIds: [], createdAt: new Date().toISOString() });
+  const user: User = { id, displayName: typeof body.displayName === "string" && body.displayName.trim() ? body.displayName.trim() : id, role: "admin", password: await hashPasswordAsync(password), teamIds: ["everyone"], sessionVersion: 0, createdAt: new Date().toISOString() };
+  await state.identity.putUser(user);
+  if (createdEveryone) await state.identity.putTeam({ ...state.identity.getTeam("everyone")!, managerIds: [id] });
+  clearFailures(state, setupAttempt);
+  const token = signSession(user.id, state.sessionSecret, undefined, undefined, user.sessionVersion ?? 0);
+  res.writeHead(200, authHeaders(req, `${COOKIE}=${token}; HttpOnly; SameSite=Strict; Path=/; Max-Age=43200`));
+  res.end(JSON.stringify({ ok: true, user: meView(state, user) }));
+  } finally {
+    release();
+    state.bootstrapSetup = undefined;
+  }
+}
+
+function attemptKey(kind: string, req: IncomingMessage, userId: string): string {
+  return `${kind}:${clientAddress(req)}:${userId.trim().toLowerCase()}`;
+}
+
+function clientAddress(req: IncomingMessage): string {
+  return (req.socket.remoteAddress ?? "unknown").replace(/^::ffff:/, "").toLowerCase();
+}
+
+function rateLimited(state: RuntimeState, key: string): boolean {
+  const entry = state.authAttempts[key];
+  if (!entry || entry.resetAt <= Date.now()) return false;
+  return entry.count >= MAX_AUTH_FAILURES;
+}
+
+function recordFailure(state: RuntimeState, key: string): void {
+  const now = Date.now();
+  const current = state.authAttempts[key];
+  state.authAttempts[key] = current && current.resetAt > now ? { count: current.count + 1, resetAt: current.resetAt } : { count: 1, resetAt: now + AUTH_WINDOW_MS };
+}
+
+function clearFailures(state: RuntimeState, key: string): void {
+  delete state.authAttempts[key];
+}
+
+function meView(state: RuntimeState, user: User) {
+  return { id: user.id, displayName: user.displayName, role: user.role, teamIds: user.teamIds, keyPermissions: user.keyPermissions, canManage: canManage(state, user) };
+}
+
+function authHeaders(req: IncomingMessage, cookie: string): Record<string, string> {
+  return jsonHeaders({ "set-cookie": secureCookie(req, cookie) });
+}
+
+function secureCookie(_req: IncomingMessage, cookie: string): string {
+  return process.env.MOLENKOPF_EXTERNAL_SCHEME === "https" ? `${cookie}; Secure` : cookie;
+}

package/packages/proxy/src/http/local-api-consumer-actions.ts

@@ -0,0 +1,20 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { buildConsumers } from "./local-api-state.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+import { persistRuntimeSettings } from "./runtime-settings.ts";
+import type { RuntimeState } from "./runtime-state.ts";
+
+export async function setConsumerBudget(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id.trim() : "";
+  if (!id) return writeJson(res, 400, { error: "invalid_consumer" });
+  const previous = { ...state.consumerBudgets };
+  if (body.limit === null || body.limit === 0) delete state.consumerBudgets[id];
+  else if (typeof body.limit === "number" && Number.isInteger(body.limit) && body.limit > 0) state.consumerBudgets[id] = body.limit;
+  else return writeJson(res, 400, { error: "invalid_limit" });
+  try { await persistRuntimeSettings(state); } catch {
+    state.consumerBudgets = previous;
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, buildConsumers(state));
+}