@codeastra/proxy 1.0.0

package/bin/codeastra.js

@@ -0,0 +1,475 @@
+#!/usr/bin/env node
+"use strict";
+
+const http = require("http");
+const path = require("path");
+const { program } = require("commander");
+const chalk = require("chalk");
+
+const CODEASTRA_URL = process.env.CODEASTRA_URL || "https://app.codeastra.dev";
+
+const AI_PROVIDERS = {
+  "api.openai.com":                    { name: "OpenAI" },
+  "api.anthropic.com":                 { name: "Anthropic" },
+  "generativelanguage.googleapis.com": { name: "Gemini" },
+  "api.groq.com":                      { name: "Groq" },
+  "api.mistral.ai":                    { name: "Mistral" },
+};
+
+const EXT_TYPE = {
+  jpg:"image",jpeg:"image",png:"image",gif:"image",webp:"image",bmp:"image",tiff:"image",
+  mp3:"audio",wav:"audio",ogg:"audio",m4a:"audio",flac:"audio",aac:"audio",
+  mp4:"video",avi:"video",mov:"video",mkv:"video",webm:"video",
+  js:"code",ts:"code",py:"code",rb:"code",go:"code",java:"code",cs:"code",
+  cpp:"code",c:"code",php:"code",sh:"code",sql:"code",env:"code",
+  yaml:"code",yml:"code",tf:"code",toml:"code",ini:"code",
+  pdf:"document",doc:"document",docx:"document",xls:"document",
+  xlsx:"document",csv:"document",txt:"document",rtf:"document",
+};
+
+const MIME_TYPE = {
+  "image/jpeg":"image","image/png":"image","image/gif":"image","image/webp":"image",
+  "audio/mpeg":"audio","audio/wav":"audio","audio/ogg":"audio","audio/mp4":"audio",
+  "video/mp4":"video","video/webm":"video","video/quicktime":"video",
+  "application/pdf":"document","text/csv":"document","text/plain":"document",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document":"document",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet":"document",
+  "application/javascript":"code","text/javascript":"code",
+  "text/x-python":"code","application/json":"code","text/x-sql":"code",
+};
+
+const CREDENTIAL_PATTERNS = [
+  { name:"api_key",       re:/(?:api[_-]?key|apikey)\s*[=:]\s*["']?([a-zA-Z0-9_\-]{20,})["']?/gi, severity:"CRITICAL" },
+  { name:"aws_key",       re:/AKIA[0-9A-Z]{16}/g,                                                    severity:"CRITICAL" },
+  { name:"openai_key",    re:/sk-[a-zA-Z0-9]{20,}/g,                                                 severity:"CRITICAL" },
+  { name:"anthropic_key", re:/sk-ant-[a-zA-Z0-9\-_]{20,}/g,                                          severity:"CRITICAL" },
+  { name:"google_key",    re:/AIza[0-9A-Za-z\-_]{35}/g,                                              severity:"CRITICAL" },
+  { name:"github_token",  re:/ghp_[a-zA-Z0-9]{36}/g,                                                 severity:"CRITICAL" },
+  { name:"stripe_key",    re:/(?:sk|pk)_(?:live|test)_[a-zA-Z0-9]{24,}/g,                           severity:"CRITICAL" },
+  { name:"private_key",   re:/-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g,                            severity:"CRITICAL" },
+  { name:"password",      re:/(?:password|passwd|pwd)\s*[=:]\s*["']([^"']{8,})["']/gi,               severity:"HIGH" },
+  { name:"db_connection", re:/(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@/gi,                   severity:"HIGH" },
+  { name:"jwt",           re:/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9._-]{10,}/g,                         severity:"HIGH" },
+  { name:"ssn_literal",   re:/['"](?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}['"]/g,                 severity:"CRITICAL" },
+  { name:"card_literal",  re:/['"]4[0-9]{12}(?:[0-9]{3})?['"]/g,                                    severity:"CRITICAL" },
+];
+
+program
+  .name("codeastra")
+  .description("Zero-code data protection proxy for AI. Text, images, audio, video, code, and documents — all scanned before reaching any LLM.")
+  .version("2.0.0");
+
+program
+  .command("proxy")
+  .description("Start the data protection proxy")
+  .option("--target <url>",   "Your app URL to forward requests to")
+  .option("--port <port>",    "Port to listen on", "4000")
+  .option("--api-key <key>",  "Codeastra API key (or set CODEASTRA_API_KEY)")
+  .option("--template <id>",  "Compliance template: hipaa | pci_dss | gdpr | soc2 | legal")
+  .option("--passthrough",    "Fail-open: allow requests if Codeastra unreachable", false)
+  .option("--verbose",        "Show per-item scan detail", false)
+  .option("--block-images",   "Block all image uploads", false)
+  .option("--block-audio",    "Block all audio uploads", false)
+  .option("--block-video",    "Block all video uploads", false)
+  .option("--block-code",     "Block all code uploads", false)
+  .action(runProxy);
+
+program.parse();
+
+async function runProxy(opts) {
+  const apiKey = opts.apiKey || process.env.CODEASTRA_API_KEY;
+  const port   = parseInt(opts.port, 10);
+
+  console.log();
+  console.log(chalk.bold.cyan("  🛡  Codeastra Data Protection Proxy  v2.0.0"));
+  console.log(chalk.dim("  ─────────────────────────────────────────────────────"));
+  console.log(`  ${chalk.bold("Listening")}  →  ${chalk.cyan("http://localhost:" + port)}`);
+  if (opts.target) console.log(`  ${chalk.bold("Target")}     →  ${chalk.cyan(opts.target)}`);
+  if (opts.template) console.log(`  ${chalk.bold("Template")}   →  ${chalk.cyan(opts.template.toUpperCase())}`);
+  console.log();
+  console.log(chalk.dim("  Scanning:  📝 Text  🖼 Images  🎵 Audio  🎬 Video  💻 Code  📄 Documents"));
+  console.log();
+
+  if (!apiKey) {
+    console.log(chalk.red("  ✗ No API key. Set CODEASTRA_API_KEY or pass --api-key sk-guard-YOUR_KEY\n"));
+    process.exit(1);
+  }
+  console.log(chalk.green("  ✓") + " API key loaded\n");
+
+  const server = http.createServer(async (req, res) => {
+    const start = Date.now();
+    const chunks = [];
+    for await (const chunk of req) chunks.push(chunk);
+    const rawBody    = Buffer.concat(chunks);
+    const contentType = req.headers["content-type"] || "";
+    const host        = (req.headers["host"] || "").split(":")[0];
+    const provider    = AI_PROVIDERS[host] || null;
+
+    let scanResult = { blocked: false, findings: [], contentTypes: [], redactedBody: rawBody };
+
+    try {
+      scanResult = await scanAllContent(rawBody, contentType, apiKey, opts);
+    } catch (err) {
+      console.log(chalk.yellow("  ⚠ Scan error: " + err.message));
+      if (!opts.passthrough) {
+        res.writeHead(503, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "scan_unavailable", message: err.message }));
+        return;
+      }
+    }
+
+    const ms       = Date.now() - start;
+    const types    = [...new Set(scanResult.contentTypes)];
+    const typeStr  = types.length ? chalk.dim(" [" + types.join(",") + "]") : "";
+    const findStr  = scanResult.findings.length
+      ? chalk.yellow(" " + scanResult.findings.length + " finding(s)")
+      : chalk.dim(" clean");
+    const provStr  = provider ? chalk.dim(" → " + provider.name) : "";
+    const icon     = scanResult.blocked ? chalk.red("✗ BLOCKED") : chalk.green("✓ CLEAN  ");
+
+    console.log("  " + icon + typeStr + findStr + provStr + "  " + chalk.dim(ms + "ms"));
+
+    if (scanResult.blocked) {
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        error: "blocked_by_compliance",
+        reason: scanResult.blockReason,
+        findings: scanResult.findings,
+      }));
+      return;
+    }
+
+    const target = opts.target || (provider ? "https://" + host : null);
+    if (!target) {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "no_target", message: "Pass --target <url>" }));
+      return;
+    }
+
+    const headers = buildHeaders(req.headers, host);
+    headers["content-length"] = scanResult.redactedBody.length.toString();
+
+    const upstream = await forwardRequest(target, req.method, req.url, headers, scanResult.redactedBody);
+
+    res.writeHead(upstream.status, {
+      "content-type":   upstream.headers["content-type"] || "application/json",
+      "x-codeastra":    "protected",
+      "x-scan-result":  scanResult.contentTypes.join(",") || "text",
+    });
+    res.end(upstream.body);
+  });
+
+  server.on("error", (err) => {
+    console.log(chalk.red("  ✗ " + (err.code === "EADDRINUSE" ? "Port " + port + " in use. Try --port " + (port+1) : err.message)));
+    process.exit(1);
+  });
+
+  server.listen(port, () => console.log(chalk.green("  ✓ Proxy ready\n")));
+  process.on("SIGINT", () => { console.log(chalk.dim("\n  Stopping...\n")); server.close(() => process.exit(0)); });
+}
+
+async function scanAllContent(rawBody, contentType, apiKey, opts) {
+  const result = { blocked: false, blockReason: "", findings: [], contentTypes: [], redactedBody: rawBody };
+
+  if (contentType.includes("multipart/form-data")) {
+    const boundary = (contentType.match(/boundary=([^\s;]+)/) || [])[1];
+    if (boundary) {
+      const parts = parseMultipart(rawBody, boundary);
+      const scannedParts = [];
+      for (const part of parts) {
+        const r = await scanPart(part, apiKey, opts);
+        result.findings.push(...r.findings);
+        result.contentTypes.push(...r.contentTypes);
+        if (r.blocked) { result.blocked = true; result.blockReason = r.blockReason; return result; }
+        scannedParts.push(r.redactedPart || part);
+      }
+      result.redactedBody = rebuildMultipart(scannedParts, boundary);
+    }
+    return result;
+  }
+
+  if (contentType.includes("application/json") || (rawBody[0] === 0x7b)) {
+    let body = {};
+    try { body = JSON.parse(rawBody.toString()); } catch {}
+
+    const images = extractBase64Images(body);
+    for (const img of images) {
+      result.contentTypes.push("image");
+      if (opts.blockImages) { result.blocked = true; result.blockReason = "Image uploads blocked by policy"; return result; }
+      const r = await scanImageViaBackend(img.data, img.mimeType, apiKey);
+      result.findings.push(...r.findings);
+      if (r.blocked) { result.blocked = true; result.blockReason = r.blockReason; return result; }
+    }
+
+    const text = extractText(body);
+    if (text) {
+      result.contentTypes.push("text");
+      const r = await classifyText(apiKey, text);
+      result.findings.push(...(r.findings_summary || []));
+      if (r.blocked) { result.blocked = true; result.blockReason = r.block_reason || r.explanation; return result; }
+      if (r.finding_count > 0 && r.redacted_text) {
+        result.redactedBody = Buffer.from(JSON.stringify(replaceText(body, r.redacted_text)));
+      }
+    }
+    return result;
+  }
+
+  const mime = contentType.split(";")[0].trim();
+  const ctype = MIME_TYPE[mime];
+  if (ctype) {
+    result.contentTypes.push(ctype);
+    if (ctype === "image" && opts.blockImages) { result.blocked = true; result.blockReason = "Image uploads blocked"; return result; }
+    if (ctype === "audio" && opts.blockAudio)  { result.blocked = true; result.blockReason = "Audio uploads blocked"; return result; }
+    if (ctype === "video" && opts.blockVideo)  { result.blocked = true; result.blockReason = "Video uploads blocked"; return result; }
+    if (ctype === "code"  && opts.blockCode)   { result.blocked = true; result.blockReason = "Code uploads blocked"; return result; }
+    if (ctype === "code") {
+      const codeText = rawBody.toString("utf-8");
+      const creds    = scanCredentials(codeText, "upload");
+      result.findings.push(...creds);
+      if (creds.some(f => f.severity === "CRITICAL")) {
+        result.blocked = true;
+        result.blockReason = "Hardcoded credentials detected: " + creds[0].name;
+        return result;
+      }
+    }
+    if (ctype === "document" && mime.includes("text")) {
+      const text = rawBody.toString("utf-8");
+      const r    = await classifyText(apiKey, text);
+      result.findings.push(...(r.findings_summary || []));
+      if (r.blocked) { result.blocked = true; result.blockReason = r.block_reason; return result; }
+    }
+  }
+  return result;
+}
+
+async function scanPart(part, apiKey, opts) {
+  const result = { findings: [], contentTypes: [], blocked: false, blockReason: "", redactedPart: part };
+  const ext    = path.extname(part.filename || "").replace(".", "").toLowerCase();
+  const ctype  = EXT_TYPE[ext] || MIME_TYPE[part.contentType] || "unknown";
+  result.contentTypes.push(ctype);
+
+  if (ctype === "image" && opts.blockImages) return { ...result, blocked: true, blockReason: "Image uploads blocked: " + part.filename };
+  if (ctype === "audio" && opts.blockAudio)  return { ...result, blocked: true, blockReason: "Audio uploads blocked: " + part.filename };
+  if (ctype === "video" && opts.blockVideo)  return { ...result, blocked: true, blockReason: "Video uploads blocked: " + part.filename };
+  if (ctype === "code"  && opts.blockCode)   return { ...result, blocked: true, blockReason: "Code uploads blocked: " + part.filename };
+
+  if (ctype === "code") {
+    const text  = part.data.toString("utf-8");
+    const creds = scanCredentials(text, part.filename);
+    result.findings.push(...creds);
+    if (creds.some(f => f.severity === "CRITICAL")) {
+      result.blocked     = true;
+      result.blockReason = "Hardcoded credentials in " + part.filename + ": " + creds[0].name;
+      return result;
+    }
+    const textScan = await classifyText(apiKey, text);
+    result.findings.push(...(textScan.findings_summary || []));
+    if (textScan.finding_count > 0 && textScan.redacted_text) {
+      result.redactedPart = { ...part, data: Buffer.from(textScan.redacted_text) };
+    }
+    return result;
+  }
+
+  if (ctype === "image") {
+    const r = await scanImageViaBackend(part.data.toString("base64"), part.contentType, apiKey);
+    result.findings.push(...r.findings);
+    if (r.blocked) { result.blocked = true; result.blockReason = r.blockReason; }
+    return result;
+  }
+
+  if (ctype === "document") {
+    if (part.contentType && (part.contentType.includes("text") || part.contentType.includes("csv"))) {
+      const text = part.data.toString("utf-8");
+      const r    = await classifyText(apiKey, text);
+      result.findings.push(...(r.findings_summary || []));
+      if (r.blocked) { result.blocked = true; result.blockReason = r.block_reason; }
+    } else {
+      const r = await scanDocViaBackend(part.data.toString("base64"), part.contentType, part.filename, apiKey);
+      result.findings.push(...r.findings);
+      if (r.blocked) { result.blocked = true; result.blockReason = r.blockReason; }
+    }
+    return result;
+  }
+
+  if (ctype === "audio" || ctype === "video") {
+    result.findings.push({
+      type: ctype, pattern: ctype + "_upload", severity: "MEDIUM",
+      detail: ctype + " file intercepted: " + part.filename + " — sent to backend for analysis",
+    });
+    const r = await scanMediaViaBackend(part.data.toString("base64"), part.contentType, ctype, part.filename, apiKey);
+    result.findings.push(...r.findings);
+    if (r.blocked) { result.blocked = true; result.blockReason = r.blockReason; }
+    return result;
+  }
+
+  return result;
+}
+
+async function classifyText(apiKey, text) {
+  const res = await fetchTimeout(CODEASTRA_URL + "/classify", {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "x-api-key": apiKey },
+    body: JSON.stringify({ text }),
+  }, 8000);
+  if (!res.ok) throw new Error("Classify " + res.status);
+  return res.json();
+}
+
+async function scanImageViaBackend(base64, mimeType, apiKey) {
+  try {
+    const res = await fetchTimeout(CODEASTRA_URL + "/classify/image", {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "x-api-key": apiKey },
+      body: JSON.stringify({ content_base64: base64, mime_type: mimeType }),
+    }, 15000);
+    if (!res.ok) return { findings: [{ type:"image", pattern:"unscanned", severity:"MEDIUM", detail:"Image flagged for review" }], blocked: false };
+    return res.json();
+  } catch { return { findings: [], blocked: false }; }
+}
+
+async function scanDocViaBackend(base64, mimeType, filename, apiKey) {
+  try {
+    const res = await fetchTimeout(CODEASTRA_URL + "/classify/document", {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "x-api-key": apiKey },
+      body: JSON.stringify({ content_base64: base64, mime_type: mimeType, filename }),
+    }, 20000);
+    if (!res.ok) return { findings: [], blocked: false };
+    return res.json();
+  } catch { return { findings: [], blocked: false }; }
+}
+
+async function scanMediaViaBackend(base64, mimeType, mediaType, filename, apiKey) {
+  try {
+    const res = await fetchTimeout(CODEASTRA_URL + "/classify/" + mediaType, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "x-api-key": apiKey },
+      body: JSON.stringify({ content_base64: base64, mime_type: mimeType, filename }),
+    }, 30000);
+    if (!res.ok) return { findings: [], blocked: false };
+    return res.json();
+  } catch { return { findings: [], blocked: false }; }
+}
+
+function scanCredentials(code, filename) {
+  const findings = [];
+  for (const p of CREDENTIAL_PATTERNS) {
+    p.re.lastIndex = 0;
+    for (const m of code.matchAll(p.re)) {
+      findings.push({ type:"code", name: p.name, severity: p.severity, filename, pattern: p.name,
+        detail: p.name + " found in " + filename });
+    }
+  }
+  return findings;
+}
+
+function extractBase64Images(body) {
+  const imgs = [];
+  if (!body || typeof body !== "object") return imgs;
+  if (Array.isArray(body.messages)) {
+    for (const msg of body.messages) {
+      if (Array.isArray(msg.content)) {
+        for (const block of msg.content) {
+          if (block.type === "image_url" && block.image_url?.url?.startsWith("data:")) {
+            const [hdr, data] = block.image_url.url.split(",");
+            imgs.push({ data, mimeType: (hdr.match(/data:([^;]+)/) || [])[1] || "image/jpeg" });
+          }
+          if (block.type === "image" && block.source?.type === "base64") {
+            imgs.push({ data: block.source.data, mimeType: block.source.media_type });
+          }
+        }
+      }
+    }
+  }
+  return imgs;
+}
+
+function extractText(body) {
+  if (!body || typeof body !== "object") return null;
+  if (Array.isArray(body.messages)) {
+    return body.messages.filter(m => m.role === "user").map(m => typeof m.content === "string" ? m.content : "").join("\n") || null;
+  }
+  return body.prompt || body.text || (typeof body.content === "string" ? body.content : null) || body.query || null;
+}
+
+function replaceText(body, redacted) {
+  if (Array.isArray(body.messages)) {
+    const msgs = [...body.messages];
+    for (let i = msgs.length - 1; i >= 0; i--) {
+      if (msgs[i].role === "user") { msgs[i] = { ...msgs[i], content: redacted }; break; }
+    }
+    return { ...body, messages: msgs };
+  }
+  if (body.prompt) return { ...body, prompt: redacted };
+  if (body.text)   return { ...body, text:   redacted };
+  return body;
+}
+
+function buildHeaders(reqHeaders, host) {
+  const h = { ...reqHeaders };
+  ["connection","keep-alive","te","trailers","transfer-encoding","upgrade"].forEach(k => delete h[k]);
+  h["x-no-training"]       = "true";
+  h["x-data-usage-policy"] = "api-only-no-training";
+  if (host.includes("anthropic")) h["anthropic-beta"] = "no-training-1";
+  return h;
+}
+
+async function forwardRequest(target, method, urlPath, headers, body) {
+  const url = target.replace(/\/$/, "") + urlPath;
+  const res = await fetchTimeout(url, {
+    method,
+    headers,
+    body: ["GET","HEAD"].includes(method.toUpperCase()) ? undefined : body,
+  }, 60000);
+  const respBody    = Buffer.from(await res.arrayBuffer());
+  const respHeaders = {};
+  res.headers.forEach((v, k) => { respHeaders[k] = v; });
+  return { status: res.status, headers: respHeaders, body: respBody };
+}
+
+function parseMultipart(body, boundary) {
+  const parts = []; const delim = Buffer.from("--" + boundary);
+  let offset = 0;
+  while (offset < body.length) {
+    const di = body.indexOf(delim, offset);
+    if (di === -1) break;
+    offset = di + delim.length + 2;
+    if (body.slice(di, di + delim.length + 2).indexOf(Buffer.from("--")) !== -1 && offset > body.length - 10) break;
+    const he = body.indexOf(Buffer.from("\r\n\r\n"), offset);
+    if (he === -1) break;
+    const hstr = body.slice(offset, he).toString();
+    const ds = he + 4;
+    const nd = body.indexOf(delim, ds);
+    const de = nd !== -1 ? nd - 2 : body.length;
+    const dispM = hstr.match(/Content-Disposition: ([^\r\n]+)/i);
+    const typeM = hstr.match(/Content-Type: ([^\r\n]+)/i);
+    parts.push({
+      name: (dispM?.[1].match(/name="([^"]+)"/) || [])[1] || "",
+      filename: (dispM?.[1].match(/filename="([^"]+)"/) || [])[1] || "",
+      contentType: typeM?.[1]?.trim() || "text/plain",
+      data: body.slice(ds, de), headerStr: hstr,
+    });
+    offset = nd !== -1 ? nd : body.length;
+  }
+  return parts;
+}
+
+function rebuildMultipart(parts, boundary) {
+  const chunks = [];
+  for (const p of parts) {
+    chunks.push(Buffer.from("--" + boundary + "\r\n"));
+    chunks.push(Buffer.from(p.headerStr));
+    chunks.push(Buffer.from("\r\n\r\n"));
+    chunks.push(p.data);
+    chunks.push(Buffer.from("\r\n"));
+  }
+  chunks.push(Buffer.from("--" + boundary + "--\r\n"));
+  return Buffer.concat(chunks);
+}
+
+async function fetchTimeout(url, options, timeout) {
+  const ctrl  = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeout);
+  try { return await fetch(url, { ...options, signal: ctrl.signal }); }
+  finally { clearTimeout(timer); }
+}

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@codeastra/proxy",
+  "version": "1.0.0",
+  "description": "Zero-code data protection proxy for AI. PHI, PCI, PII, images, audio, video, code and documents — all scanned and redacted before reaching any LLM.",
+  "main": "bin/codeastra.js",
+  "bin": {
+    "codeastra": "./bin/codeastra.js"
+  },
+  "keywords": [
+    "hipaa",
+    "pci-dss",
+    "gdpr",
+    "pii",
+    "phi",
+    "ai",
+    "llm",
+    "openai",
+    "anthropic",
+    "proxy",
+    "compliance",
+    "data-protection",
+    "security"
+  ],
+  "author": "Codeastra",
+  "license": "MIT",
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "commander": "^11.0.0",
+    "http-proxy": "^1.18.1"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/codeastra/codeastra"
+  },
+  "homepage": "https://app.codeastra.dev"
+}