@bothat-io/molenkopf 0.1.2

package/packages/proxy/src/http/local-api-identity.ts

@@ -0,0 +1,194 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { hashPasswordAsync, passwordTooLong } from "../../../core/src/auth/password.ts";
+import { normalizeBudget } from "../../../core/src/identity/budget.ts";
+import { viewUser, type Budget, type KeyPermissions, type Role, type Team, type User } from "../../../core/src/identity/types.ts";
+import type { RuntimeState } from "./runtime-state.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+import { isValidSlugId, isValidUserId } from "./identity-id.ts";
+import { isWeakPassword } from "./password-policy.ts";
+
+export function listIdentity(_req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const id = state.identity;
+  if (!id) return writeJson(res, 200, { users: [], teams: [], pricing: {}, orgBudget: undefined });
+  writeJson(res, 200, {
+    users: id.listUsers().map(viewUser),
+    teams: id.listTeams(),
+    pricing: id.data.pricing ?? {},
+    orgBudget: id.data.orgBudget
+  });
+}
+export async function putIdentityUser(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const id = state.identity;
+  if (!id) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const userId = typeof body.id === "string" ? body.id.trim() : "";
+  if (!isValidUserId(userId)) return writeJson(res, 400, { error: "invalid_user_id" });
+  const existing = id.getUser(userId);
+  if (isWeakPassword(body.password)) return writeJson(res, 400, { error: "weak_password" });
+  const rawPassword = typeof body.password === "string" && body.password ? body.password : "";
+  if (rawPassword && passwordTooLong(rawPassword)) return writeJson(res, 400, { error: "password_too_long" });
+  const password = rawPassword ? await hashPasswordAsync(rawPassword) : existing?.password;
+  const disabled = typeof body.disabled === "boolean" ? body.disabled : existing?.disabled;
+  const loginDisabled = typeof body.loginDisabled === "boolean" ? body.loginDisabled : (rawPassword ? false : (password ? (existing?.loginDisabled ?? false) : true));
+  if (!password && loginDisabled === false) return writeJson(res, 400, { error: "password_required" });
+  const teamIds = userTeamIds(body, existing?.teamIds ?? [], id);
+  if (teamIds === false) return writeJson(res, 400, { error: "invalid_team_id" });
+  const budget = nextBudget(body, existing?.budget);
+  if (budget === false) return writeJson(res, 400, { error: "invalid_budget" });
+  const user: User = {
+    id: userId,
+    displayName: typeof body.displayName === "string" && body.displayName.trim() ? body.displayName.trim() : userId,
+    role: body.role === undefined ? (existing?.role ?? "member") : parseRole(body.role),
+    password,
+    loginDisabled,
+    teamIds,
+    keyPermissions: parseKeyPermissions(body.keyPermissions, existing?.keyPermissions),
+    budget,
+    disabled,
+    sessionVersion: nextSessionVersion(existing, { passwordChanged: Boolean(rawPassword), role: parseRole(body.role ?? existing?.role), disabled, loginDisabled }),
+    createdAt: existing?.createdAt ?? new Date().toISOString()
+  };
+  if (existing && isLastEnabledAdminWithPassword(id, existing) && !enabledAdminWithPassword(user)) {
+    return writeJson(res, 409, { error: "last_admin_required" });
+  }
+  const saved = await id.putUser(user);
+  writeJson(res, 200, { ok: true, user: viewUser(saved) });
+}
+export async function removeIdentityUser(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const id = state.identity;
+  if (!id) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const userId = typeof body.id === "string" ? body.id : "";
+  const existing = id.getUser(userId);
+  if (existing && isLastEnabledAdminWithPassword(id, existing)) return writeJson(res, 409, { error: "last_admin_required" });
+  const ok = await id.removeUser(userId);
+  writeJson(res, ok ? 200 : 404, ok ? { ok: true } : { error: "unknown_user" });
+}
+export async function putIdentityTeam(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const id = state.identity;
+  if (!id) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const teamId = typeof body.id === "string" && body.id.trim() ? body.id.trim() : generatedTeamId(id, typeof body.name === "string" ? body.name : "");
+  if (!isValidSlugId(teamId)) return writeJson(res, 400, { error: "invalid_team_id" });
+  const existing = id.getTeam(teamId);
+  const allowed = body.allowedProviders;
+  const budget = nextBudget(body, existing?.budget);
+  if (budget === false) return writeJson(res, 400, { error: "invalid_budget" });
+  const allowedProviders = providerList(allowed, existing?.allowedProviders ?? "*", state);
+  if (allowedProviders === false) return writeJson(res, 400, { error: "invalid_provider" });
+  const managerIds = managerList(body.managerIds, existing?.managerIds ?? [], id);
+  if (managerIds === false) return writeJson(res, 400, { error: "invalid_manager" });
+  const team: Team = {
+    id: teamId,
+    name: typeof body.name === "string" && body.name.trim() ? body.name.trim() : teamId,
+    allowedProviders,
+    managerIds,
+    budget,
+    createdAt: existing?.createdAt ?? new Date().toISOString()
+  };
+  if (Array.isArray(body.memberIds)) {
+    const memberIds = memberList(body.memberIds, id);
+    if (memberIds === false) return writeJson(res, 400, { error: "invalid_member" });
+    const previous = structuredClone(id.data);
+    try {
+      id.data.teams[team.id] = team;
+      for (const user of id.listUsers()) {
+        const current = new Set(user.teamIds);
+        if (team.id === "everyone" || memberIds.has(user.id)) current.add(team.id);
+        else current.delete(team.id);
+        user.teamIds = [...current];
+      }
+      await id.save();
+    } catch {
+      id.data = previous;
+      return writeJson(res, 500, { error: "persist_failed" });
+    }
+  } else {
+    await id.putTeam(team);
+  }
+  writeJson(res, 200, { ok: true, team });
+}
+export async function removeIdentityTeam(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const id = state.identity;
+  if (!id) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const teamId = typeof body.id === "string" ? body.id : "";
+  if (teamId === "everyone") return writeJson(res, 409, { error: "cannot_remove_default_team" });
+  const ok = await id.removeTeam(teamId);
+  writeJson(res, ok ? 200 : 404, ok ? { ok: true } : { error: "unknown_team" });
+}
+function parseRole(value: unknown): Role { return value === "admin" ? "admin" : value === "manager" ? "manager" : "member"; }
+function nextSessionVersion(existing: User | undefined, next: { passwordChanged: boolean; role: Role; disabled?: boolean; loginDisabled?: boolean }): number {
+  if (!existing) return 0;
+  const changed = next.passwordChanged || existing.role !== next.role || existing.disabled !== next.disabled || existing.loginDisabled !== next.loginDisabled;
+  return (existing.sessionVersion ?? 0) + (changed ? 1 : 0);
+}
+function isLastEnabledAdminWithPassword(store: { listUsers(): User[] }, user: User): boolean {
+  if (!enabledAdminWithPassword(user)) return false;
+  return !store.listUsers().some((item) => item.id !== user.id && enabledAdminWithPassword(item));
+}
+function enabledAdminWithPassword(user: User): boolean {
+  return user.role === "admin" && user.disabled !== true && user.loginDisabled !== true && Boolean(user.password);
+}
+function nextBudget(body: Record<string, unknown>, existing: Budget | undefined): Budget | undefined | false {
+  if (!Object.hasOwn(body, "budget")) return existing;
+  const parsed = normalizeBudget(body.budget);
+  return parsed.ok ? parsed.budget : false;
+}
+function userTeamIds(body: Record<string, unknown>, existing: string[], store: { getTeam(id: string): Team | undefined }): string[] | false {
+  if (!Array.isArray(body.teamIds)) return existing;
+  const out: string[] = [];
+  for (const value of body.teamIds) {
+    if (typeof value !== "string" || !store.getTeam(value)) return false;
+    if (!out.includes(value)) out.push(value);
+  }
+  return out;
+}
+function managerList(value: unknown, existing: string[], store: { getUser(id: string): User | undefined }): string[] | false {
+  if (!Array.isArray(value)) return existing;
+  const out: string[] = [];
+  for (const id of value) {
+    if (typeof id !== "string" || !store.getUser(id)) return false;
+    if (!out.includes(id)) out.push(id);
+  }
+  return out;
+}
+function memberList(value: unknown[], store: { getUser(id: string): User | undefined }): Set<string> | false {
+  const out = new Set<string>();
+  for (const id of value) {
+    if (typeof id !== "string" || !store.getUser(id)) return false;
+    out.add(id);
+  }
+  return out;
+}
+function providerList(value: unknown, existing: Team["allowedProviders"], state: RuntimeState): Team["allowedProviders"] | false {
+  if (value === undefined) return existing;
+  if (value === "*") return "*";
+  if (!Array.isArray(value)) return false;
+  const out: string[] = [];
+  for (const id of value) {
+    if (typeof id !== "string" || !state.providers.some((provider) => provider.id === id && provider.enabled !== false)) return false;
+    if (!out.includes(id)) out.push(id);
+  }
+  return out;
+}
+function parseKeyPermissions(value: unknown, existing: KeyPermissions | undefined): KeyPermissions | undefined {
+  if (!value || typeof value !== "object") return existing;
+  const permissions = value as Record<string, unknown>;
+  return { create: permissions.create !== false, revoke: permissions.revoke !== false };
+}
+function generatedTeamId(store: { getTeam(id: string): Team | undefined }, name: string): string {
+  const base = slugFromName(name || "team");
+  if (!store.getTeam(base)) return base;
+  for (let index = 2; index < 100; index++) {
+    const id = `${base}-${index}`;
+    if (!store.getTeam(id)) return id;
+  }
+  return `${base}-${Date.now().toString(36)}`;
+}
+function slugFromName(value: string): string {
+  const slug = value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 48);
+  if (isValidSlugId(slug)) return slug;
+  const fallback = slug ? `team-${slug}` : "team";
+  return fallback.slice(0, 64);
+}

package/packages/proxy/src/http/local-api-io.ts

@@ -0,0 +1,82 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { CONTROL_PLANE_LIMITS } from "./runtime-state.ts";
+
+export class LocalApiError extends Error {
+  status: number;
+  code: string;
+  constructor(status: number, code: string) {
+    super(code);
+    this.status = status;
+    this.code = code;
+  }
+}
+
+export async function readJson(req: IncomingMessage, maxBytes = CONTROL_PLANE_LIMITS.requestBodyBytes): Promise<Record<string, unknown>> {
+  const body = await new Promise<string>((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    let size = 0;
+    let settled = false;
+    const cleanup = () => {
+      req.off("data", onData);
+      req.off("error", onError);
+      req.off("end", onEnd);
+    };
+    const fail = (error: Error) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      req.pause();
+      reject(error);
+    };
+    const onData = (chunk: string | Buffer) => {
+      const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+      size += buffer.byteLength;
+      if (size > maxBytes) return fail(new LocalApiError(413, "json_too_large"));
+      chunks.push(buffer);
+    };
+    const onError = (error: Error) => fail(error);
+    const onEnd = () => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve(Buffer.concat(chunks).toString("utf8"));
+    };
+    req.on("data", onData);
+    req.on("error", onError);
+    req.on("end", onEnd);
+  });
+  if (!body) return {};
+  try {
+    const parsed = JSON.parse(body);
+    if (!parsed || Array.isArray(parsed) || typeof parsed !== "object") throw new Error("invalid");
+    return parsed as Record<string, unknown>;
+  } catch {
+    throw new LocalApiError(400, "invalid_json");
+  }
+}
+
+export function writeJson(res: ServerResponse, status: number, data: unknown): void {
+  res.writeHead(status, jsonHeaders());
+  res.end(JSON.stringify(data));
+}
+
+export function jsonHeaders(headers: Record<string, string> = {}): Record<string, string> {
+  return securityHeaders({ "content-type": "application/json", "cache-control": "no-store", pragma: "no-cache", expires: "0", ...headers });
+}
+
+export function writeHtml(res: ServerResponse, html: string): void {
+  res.writeHead(200, securityHeaders({
+    "content-type": "text/html; charset=utf-8",
+    "cache-control": "no-store",
+    "content-security-policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; base-uri 'none'; frame-ancestors 'none'",
+  }));
+  res.end(html);
+}
+
+function securityHeaders(headers: Record<string, string>): Record<string, string> {
+  return {
+    ...headers,
+    "referrer-policy": "no-referrer",
+    "x-content-type-options": "nosniff"
+  };
+}

package/packages/proxy/src/http/local-api-keys.ts

@@ -0,0 +1,126 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { cleanKeyLabel, cleanKeyProject, issueApiKey, listKeys, revokeKey } from "../../../core/src/identity/api-keys.ts";
+import { normalizeBudget } from "../../../core/src/identity/budget.ts";
+import { canCreateOwnKey, canRevokeOwnKey } from "../../../core/src/identity/key-permissions.ts";
+import { viewKey, viewUser, type User } from "../../../core/src/identity/types.ts";
+import { emptyUsage, orgCostUsed, orgTokensUsed, usageForPeriod, userUsageKey, type RuntimeState } from "./runtime-state.ts";
+import { canManage, type AuthUser } from "./auth-state.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+
+// Key management + scoped usage. Admin/open mode manages any owner; a logged-in
+// member manages only their own keys and sees only their own scope.
+
+function ownerScope(state: RuntimeState, user: AuthUser | undefined): string | undefined {
+  return canManage(state, user) ? undefined : user?.id; // undefined => all
+}
+
+export function listKeysHandler(_req: IncomingMessage, res: ServerResponse, state: RuntimeState, user: AuthUser | undefined) {
+  if (!state.identity) return writeJson(res, 200, { items: [] });
+  writeJson(res, 200, { items: listKeys(state.identity, ownerScope(state, user)) });
+}
+
+export async function issueKeyHandler(req: IncomingMessage, res: ServerResponse, state: RuntimeState, user: AuthUser | undefined) {
+  if (!state.identity) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const scope = ownerScope(state, user);
+  const explicitOwner = typeof body.owner === "string" ? body.owner.trim() : "";
+  const owner = scope ?? (explicitOwner || user?.id || "");
+  if (!owner) return writeJson(res, 400, { error: "owner_required" });
+  if (scope && owner !== scope) return writeJson(res, 403, { error: "forbidden" });
+  if (scope && !canCreateOwnKey(user)) return writeJson(res, 403, { error: "key_create_forbidden" });
+  const project = typeof body.project === "string" ? cleanKeyProject(body.project) : undefined;
+  if (!project) return writeJson(res, 400, { error: "project_required" });
+  const teamId = validKeyTeam(state, owner, body.teamId);
+  if (teamId === false) return writeJson(res, 400, { error: "invalid_key_team" });
+  if (teamId === undefined && requiresExplicitTeam(state, owner)) return writeJson(res, 400, { error: "team_required" });
+  const budget = normalizeBudget(body.budget);
+  if (!budget.ok) return writeJson(res, 400, { error: "invalid_budget" });
+  const issued = await issueApiKey(state.identity, owner, {
+    agentLabel: typeof body.agentLabel === "string" ? body.agentLabel : undefined,
+    project,
+    teamId,
+    scopes: Array.isArray(body.scopes) ? body.scopes : undefined,
+    budget: budget.budget
+  });
+  if (!issued) return writeJson(res, 404, { error: "unknown_owner" });
+  writeJson(res, 200, { ok: true, secret: issued.secret, key: issued.view });
+}
+
+export async function revokeKeyHandler(req: IncomingMessage, res: ServerResponse, state: RuntimeState, user: AuthUser | undefined) {
+  if (!state.identity) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "";
+  const key = state.identity.data.keys[id];
+  if (!key) return writeJson(res, 404, { error: "unknown_key" });
+  const scope = ownerScope(state, user);
+  if (scope && key.ownerUserId !== scope) return writeJson(res, 403, { error: "forbidden" });
+  if (scope && !canRevokeOwnKey(user)) return writeJson(res, 403, { error: "key_revoke_forbidden" });
+  await revokeKey(state.identity, id);
+  writeJson(res, 200, { ok: true });
+}
+
+export async function updateKeyHandler(req: IncomingMessage, res: ServerResponse, state: RuntimeState, user: AuthUser | undefined) {
+  if (!state.identity) return writeJson(res, 400, { error: "identity_unavailable" });
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "";
+  const key = state.identity.data.keys[id];
+  if (!key) return writeJson(res, 404, { error: "unknown_key" });
+  const scope = ownerScope(state, user);
+  if (scope && key.ownerUserId !== scope) return writeJson(res, 403, { error: "forbidden" });
+  const project = typeof body.project === "string" ? cleanKeyProject(body.project) : undefined;
+  if (!project) return writeJson(res, 400, { error: "project_required" });
+  const previous = { ...key };
+  if (typeof body.agentLabel === "string") key.agentLabel = cleanKeyLabel(body.agentLabel);
+  key.project = project;
+  if ("teamId" in body) {
+    const teamId = validKeyTeam(state, key.ownerUserId, body.teamId);
+    if (teamId === false) return writeJson(res, 400, { error: "invalid_key_team" });
+    if (teamId === undefined && requiresExplicitTeam(state, key.ownerUserId)) return writeJson(res, 400, { error: "team_required" });
+    key.teamId = teamId;
+  }
+  try { await state.identity.save(); } catch {
+    state.identity.data.keys[id] = previous;
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, { ok: true, key: viewKey(key) });
+}
+
+export function usageHandler(_req: IncomingMessage, res: ServerResponse, state: RuntimeState, user: AuthUser | undefined) {
+  if (!state.identity) return writeJson(res, 200, { org: emptyUsage(), users: [], teams: [], keys: [] });
+  const id = state.identity;
+  const scope = ownerScope(state, user);
+  const scopedUser = scope ? id.getUser(scope) : undefined;
+  const users = id.listUsers()
+    .filter((u) => !scope || u.id === scope)
+    .map((u) => ({ ...viewUser(u), usage: usageForPeriod(state.usageByUser[userUsageKey(u.id)], u.budget?.period) }));
+  const teams = id.listTeams()
+    .filter((t) => !scope || readableTeam(scopedUser, t.id, t.managerIds))
+    .map((t) => ({ id: t.id, name: t.name, budget: t.budget, usage: usageForPeriod(state.usageByTeam[t.id], t.budget?.period), members: id.usersInTeam(t.id).length }));
+  const keys = listKeys(id, scope).map((k) => ({ ...k, usage: usageForPeriod(state.usageByKey[k.id], id.data.keys[k.id]?.budget?.period) }));
+  const org = scope ? undefined : { tokens: orgTokensUsed(state, id.data.orgBudget?.period), costEur: orgCostUsed(state, id.data.orgBudget?.period) };
+  writeJson(res, 200, { scope: scope ?? "all", org, users, teams, keys });
+}
+
+function validKeyTeam(state: RuntimeState, owner: string, value: unknown): string | undefined | false {
+  if (value === undefined || value === null || value === "") return undefined;
+  if (typeof value !== "string") return false;
+  const team = state.identity?.getTeam(value.trim());
+  const user = state.identity?.getUser(owner);
+  if (team?.id === "everyone" && nonDefaultTeamIds(user?.teamIds ?? []).length) return false;
+  return team && user?.teamIds.includes(team.id) ? team.id : false;
+}
+
+function requiresExplicitTeam(state: RuntimeState, owner: string): boolean {
+  const teamIds = state.identity?.getUser(owner)?.teamIds ?? [];
+  return nonDefaultTeamIds(teamIds).length > 1;
+}
+
+function nonDefaultTeamIds(teamIds: string[]): string[] {
+  return teamIds.filter((id) => id !== "everyone");
+}
+
+function readableTeam(user: User | undefined, teamId: string, managerIds: string[]): boolean {
+  if (!user) return false;
+  if (user.teamIds.includes(teamId)) return true;
+  return user.role === "manager" && managerIds.includes(user.id);
+}

package/packages/proxy/src/http/local-api-pipeline.ts

@@ -0,0 +1,41 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { staticPluginPipeline } from "../../../core/src/plugins/static-pipeline.ts";
+import type { RuntimeState } from "./runtime-state.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+import { persistRuntimeSettings } from "./runtime-settings.ts";
+
+// Optional plugin middleware order. Core request safety is not represented here.
+export function pluginOrder(state: RuntimeState): string[] {
+  const order = state.pluginOrder?.filter((id) => (staticPluginPipeline as readonly string[]).includes(id)) ?? [];
+  for (const id of staticPluginPipeline) if (!order.includes(id)) order.push(id);
+  return order;
+}
+
+export function orderIndex(state: RuntimeState, id: string): number {
+  const i = pluginOrder(state).indexOf(id);
+  return i < 0 ? Number.MAX_SAFE_INTEGER : i;
+}
+
+export function redactionBeforeCompression(_state: RuntimeState): boolean {
+  return true;
+}
+
+export async function reorderPlugin(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "";
+  const dir = body.direction === "up" ? -1 : body.direction === "down" ? 1 : 0;
+  const order = pluginOrder(state);
+  const i = order.indexOf(id);
+  if (i < 0 || dir === 0) return writeJson(res, 400, { error: "bad_reorder" });
+  const j = i + dir;
+  if (j < 0 || j >= order.length) return writeJson(res, 200, { ok: true, order });
+  const next = [...order];
+  [next[i], next[j]] = [next[j], next[i]];
+  const previous = state.pluginOrder;
+  state.pluginOrder = next;
+  try { await persistRuntimeSettings(state); } catch {
+    state.pluginOrder = previous;
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, { ok: true, order: next });
+}

package/packages/proxy/src/http/local-api-plugin-actions.ts

@@ -0,0 +1,31 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { findPlugin } from "../../../core/src/plugins/plugin-catalog.ts";
+import { pluginView } from "./local-api-state.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+import { persistRuntimeSettings } from "./runtime-settings.ts";
+import type { PluginHost } from "./plugin-host.ts";
+import type { RuntimeState } from "./runtime-state.ts";
+
+export async function togglePlugin(req: IncomingMessage, res: ServerResponse, state: RuntimeState, pluginHost?: PluginHost) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "";
+  const plugin = findPlugin(id);
+  if (!plugin) return writeJson(res, 404, { error: "unknown_plugin" });
+  if (typeof body.enabled !== "boolean") return writeJson(res, 400, { error: "invalid_enabled" });
+  const previousEnabled = state.pluginEnabled[id], previousUpdated = state.pluginUpdatedAt[id];
+  state.pluginEnabled[id] = body.enabled;
+  state.pluginUpdatedAt[id] = new Date().toISOString();
+  try { await persistRuntimeSettings(state); } catch {
+    restorePluginState(state, id, previousEnabled, previousUpdated);
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  if (pluginHost) await (body.enabled ? pluginHost.enable(id) : pluginHost.disable(id));
+  writeJson(res, 200, pluginView(plugin, state));
+}
+
+function restorePluginState(state: RuntimeState, id: string, enabled: boolean | undefined, updatedAt: string | undefined): void {
+  if (enabled === undefined) delete state.pluginEnabled[id];
+  else state.pluginEnabled[id] = enabled;
+  if (updatedAt === undefined) delete state.pluginUpdatedAt[id];
+  else state.pluginUpdatedAt[id] = updatedAt;
+}

package/packages/proxy/src/http/local-api-provider-actions.ts

@@ -0,0 +1,181 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { validateProviderTarget } from "../../../core/src/security/target-policy.ts";
+import type { ProviderConfig } from "../../../core/src/providers/provider-catalog.ts";
+import { distributionEligible, providerWeight, repairActiveProvider, type RuntimeState } from "./runtime-state.ts";
+import { buildProviderStatus } from "./local-api-state.ts";
+import { readJson, writeJson } from "./local-api-io.ts";
+import { persistRuntimeAuthProvider, persistRuntimeAuthSelection, removeRuntimeAuthProvider } from "./runtime-auth-registry.ts";
+import { persistRuntimeSettings } from "./runtime-settings.ts";
+import { restoreProviderRouting, snapshotProviderRouting } from "./provider-routing-snapshot.ts";
+import { buildProviderFromInput, validEnv } from "./provider-input.ts";
+
+export async function selectProvider(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "";
+  const provider = state.providers.find((item) => item.id === id);
+  if (!provider) return writeJson(res, 404, { error: "unknown_provider" });
+  if (provider.enabled === false) return writeJson(res, 409, { error: "provider_disabled" });
+  const previous = snapshotProviderRouting(state);
+  state.activeProviderId = provider.id;
+  state.providerSelectedAt = new Date().toISOString();
+  try { await persistProviderRouting(state); } catch {
+    restoreProviderRouting(state, previous);
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, buildProviderStatus(state));
+}
+
+export async function setProviderWeight(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "", provider = state.providers.find((item) => item.id === id);
+  if (!provider) return writeJson(res, 404, { error: "unknown_provider" });
+  if (typeof body.weight !== "number" || !Number.isFinite(body.weight) || body.weight < 0 || body.weight > 1000) return writeJson(res, 400, { error: "invalid_weight" });
+  const weights = { ...state.providerWeights, [id]: body.weight };
+  if (distributionEligible(provider) && !hasPositiveDistributionWeight(state, weights)) return writeJson(res, 409, { error: "last_provider_weight" });
+  const previous = snapshotProviderRouting(state);
+  state.providerWeights[id] = body.weight;
+  try { await persistRuntimeSettings(state); } catch {
+    restoreProviderRouting(state, previous);
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, buildProviderStatus(state));
+}
+
+export async function setProviderWeights(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req), source = body.weights && typeof body.weights === "object" && !Array.isArray(body.weights) ? body.weights as Record<string, unknown> : undefined;
+  if (!source) return writeJson(res, 400, { error: "invalid_weights" });
+  const next: Record<string, number> = {};
+  for (const [id, weight] of Object.entries(source)) {
+    if (!state.providers.some((item) => item.id === id)) return writeJson(res, 404, { error: "unknown_provider" });
+    if (typeof weight !== "number" || !Number.isFinite(weight) || weight < 0 || weight > 1000) return writeJson(res, 400, { error: "invalid_weight" });
+    next[id] = weight;
+  }
+  const merged = { ...state.providerWeights, ...next };
+  if (body.mode === "distribute" && !hasPositiveDistributionWeight(state, merged)) return writeJson(res, 409, { error: "no_weighted_provider" });
+  if (state.routingMode === "distribute" && !hasPositiveDistributionWeight(state, merged)) return writeJson(res, 409, { error: "last_provider_weight" });
+  const previous = snapshotProviderRouting(state);
+  Object.assign(state.providerWeights, next);
+  if (body.mode === "manual" || body.mode === "distribute") state.routingMode = body.mode;
+  try { await persistProviderRouting(state); } catch {
+    restoreProviderRouting(state, previous);
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, { routingMode: state.routingMode, providers: buildProviderStatus(state) });
+}
+
+export async function addProvider(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id.trim() : "";
+  if (!/^[a-z0-9][a-z0-9._:-]{0,63}$/i.test(id)) return writeJson(res, 400, { error: "invalid_provider_id" });
+  if (id.toLowerCase() === "default") return writeJson(res, 400, { error: "reserved_provider_id" });
+  if (state.providers.some((item) => item.id === id)) return writeJson(res, 409, { error: "provider_exists" });
+  const name = typeof body.name === "string" && body.name.trim() ? body.name.trim().slice(0, 80) : id;
+  const built = buildProviderFromInput(id, name, body);
+  if ("error" in built) return writeJson(res, 400, { error: built.error });
+  const previousProviders = state.providers.slice(), previousWeights = { ...state.providerWeights };
+  state.providers.push(built.provider);
+  state.providerWeights[id] = 1;
+  try { await persistRuntimeSettings(state); } catch {
+    state.providers = previousProviders;
+    state.providerWeights = previousWeights;
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, buildProviderStatus(state));
+}
+
+export async function updateProvider(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const provider = state.providers.find((item) => item.id === body.id);
+  if (!provider) return writeJson(res, 404, { error: "unknown_provider" });
+  const before = { ...provider };
+  const beforeActive = state.activeProviderId, beforeSelected = state.providerSelectedAt;
+  if (typeof body.name === "string" && body.name.trim()) provider.name = body.name.trim().slice(0, 80);
+  if (typeof body.target === "string" && body.target.trim()) {
+    let nextTarget: string;
+    try { nextTarget = validateProviderTarget(body.target.trim(), { path: "provider target", allowPrivate: provider.kind === "local" }); } catch { return writeJson(res, 400, { error: "invalid_target" }); }
+    if (originOf(nextTarget) !== originOf(provider.target)) {
+      if (hasCredential(provider) && body.clearCredential !== true && body.credential === undefined && body.credentialEnv === undefined) return writeJson(res, 409, { error: "credential_origin_change" });
+      provider.credentialValue = undefined;
+      provider.credentialEnv = undefined;
+      provider.credentialRef = "none";
+      provider.authScheme = provider.kind === "local" ? "none" : provider.authScheme;
+    }
+    provider.target = nextTarget;
+  }
+  if (typeof body.credentialEnv === "string") {
+    const env = body.credentialEnv.trim();
+    if (env && !validEnv(env)) return writeJson(res, 400, { error: "invalid_credential_env" });
+    provider.credentialEnv = env || undefined; provider.credentialValue = undefined; provider.credentialRef = provider.credentialEnv ? `env:${provider.credentialEnv}` : "none";
+  }
+  if (typeof body.credential === "string" && body.credential.trim()) { provider.credentialValue = body.credential.trim(); provider.credentialEnv = undefined; provider.credentialRef = "inline"; }
+  if (body.clearCredential === true) { provider.credentialValue = undefined; provider.credentialEnv = undefined; provider.credentialRef = "none"; }
+  if (typeof body.enabled === "boolean") provider.enabled = body.enabled;
+  if (typeof body.allowDistribution === "boolean") provider.allowDistribution = body.allowDistribution;
+  repairActiveProvider(state);
+  try {
+    await persistProviderRouting(state);
+    await persistRuntimeAuthProvider(state.dataDir, provider, state.activeProviderId === provider.id, state.routingMode);
+  } catch {
+    Object.assign(provider, before);
+    state.activeProviderId = beforeActive;
+    state.providerSelectedAt = beforeSelected;
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, buildProviderStatus(state));
+}
+
+export async function removeProvider(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  const id = typeof body.id === "string" ? body.id : "";
+  if (id === "default") return writeJson(res, 409, { error: "cannot_remove_default" });
+  const index = state.providers.findIndex((item) => item.id === id);
+  if (index < 0) return writeJson(res, 404, { error: "unknown_provider" });
+  const previous = snapshotProviderRouting(state);
+  const [removed] = state.providers.splice(index, 1);
+  delete state.providerWeights[id];
+  repairActiveProvider(state);
+  try { await persistProviderRouting(state); } catch {
+    restoreProviderRouting(state, previous);
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  try { await removeRuntimeAuthProvider(removed); } catch {
+    return writeJson(res, 500, { error: "remove_failed" });
+  }
+  writeJson(res, 200, buildProviderStatus(state));
+}
+
+export async function setRoutingMode(req: IncomingMessage, res: ServerResponse, state: RuntimeState) {
+  const body = await readJson(req);
+  if (body.mode !== "manual" && body.mode !== "distribute") return writeJson(res, 400, { error: "invalid_routing_mode" });
+  if (body.mode === "distribute" && !hasPositiveDistributionWeight(state)) return writeJson(res, 409, { error: "no_weighted_provider" });
+  const previous = snapshotProviderRouting(state);
+  state.routingMode = body.mode;
+  try { await persistProviderRouting(state); } catch {
+    restoreProviderRouting(state, previous);
+    return writeJson(res, 500, { error: "persist_failed" });
+  }
+  writeJson(res, 200, { routingMode: state.routingMode, providers: buildProviderStatus(state) });
+}
+
+async function persistProviderRouting(state: RuntimeState): Promise<void> {
+  await Promise.all([
+    persistRuntimeSettings(state),
+    persistRuntimeAuthSelection(state.dataDir, state.activeProviderId, state.routingMode)
+  ]);
+}
+
+function originOf(target: string): string {
+  try { const url = new URL(target); return `${url.protocol}//${url.host}`.toLowerCase(); } catch { return ""; }
+}
+
+function hasCredential(provider: ProviderConfig): boolean {
+  return Boolean(provider.credentialValue || provider.credentialEnv || (provider.credentialRef && provider.credentialRef !== "none"));
+}
+
+function hasPositiveDistributionWeight(state: RuntimeState, weights = state.providerWeights): boolean {
+  return state.providers.some((provider) => {
+    if (!distributionEligible(provider)) return false;
+    const weight = typeof weights[provider.id] === "number" ? weights[provider.id] : providerWeight(state, provider.id);
+    return weight > 0;
+  });
+}