npm - @intranefr/superbackend - Versions diffs - 1.5.0 → 1.5.2 - Mend

@intranefr/superbackend 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/.env.example +15 -0
package/README.md +11 -0
package/analysis-only.skill +0 -0
package/index.js +23 -0
package/package.json +8 -2
package/src/admin/endpointRegistry.js +120 -0
package/src/controllers/admin.controller.js +90 -6
package/src/controllers/adminBlockDefinitions.controller.js +127 -0
package/src/controllers/adminBlockDefinitionsAi.controller.js +54 -0
package/src/controllers/adminCache.controller.js +342 -0
package/src/controllers/adminContextBlockDefinitions.controller.js +141 -0
package/src/controllers/adminCrons.controller.js +388 -0
package/src/controllers/adminDbBrowser.controller.js +124 -0
package/src/controllers/adminEjsVirtual.controller.js +13 -3
package/src/controllers/adminExperiments.controller.js +200 -0
package/src/controllers/adminHeadless.controller.js +9 -2
package/src/controllers/adminHealthChecks.controller.js +570 -0
package/src/controllers/adminI18n.controller.js +51 -29
package/src/controllers/adminLlm.controller.js +126 -2
package/src/controllers/adminPages.controller.js +720 -0
package/src/controllers/adminPagesContextBlocksAi.controller.js +54 -0
package/src/controllers/adminProxy.controller.js +113 -0
package/src/controllers/adminRateLimits.controller.js +138 -0
package/src/controllers/adminRbac.controller.js +803 -0
package/src/controllers/adminScripts.controller.js +126 -4
package/src/controllers/adminSeoConfig.controller.js +71 -48
package/src/controllers/blogAdmin.controller.js +279 -0
package/src/controllers/blogAiAdmin.controller.js +224 -0
package/src/controllers/blogAutomationAdmin.controller.js +141 -0
package/src/controllers/blogInternal.controller.js +26 -0
package/src/controllers/blogPublic.controller.js +89 -0
package/src/controllers/experiments.controller.js +85 -0
package/src/controllers/fileManager.controller.js +190 -0
package/src/controllers/fileManagerStoragePolicy.controller.js +23 -0
package/src/controllers/healthChecksPublic.controller.js +196 -0
package/src/controllers/internalExperiments.controller.js +17 -0
package/src/controllers/metrics.controller.js +64 -4
package/src/controllers/orgAdmin.controller.js +80 -0
package/src/helpers/mongooseHelper.js +258 -0
package/src/helpers/scriptBase.js +230 -0
package/src/helpers/scriptRunner.js +335 -0
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +810 -48
package/src/models/BlockDefinition.js +27 -0
package/src/models/BlogAutomationLock.js +14 -0
package/src/models/BlogAutomationRun.js +39 -0
package/src/models/BlogPost.js +42 -0
package/src/models/CacheEntry.js +26 -0
package/src/models/ConsoleEntry.js +32 -0
package/src/models/ConsoleLog.js +23 -0
package/src/models/ContextBlockDefinition.js +33 -0
package/src/models/CronExecution.js +47 -0
package/src/models/CronJob.js +70 -0
package/src/models/Experiment.js +75 -0
package/src/models/ExperimentAssignment.js +23 -0
package/src/models/ExperimentEvent.js +26 -0
package/src/models/ExperimentMetricBucket.js +30 -0
package/src/models/ExternalDbConnection.js +49 -0
package/src/models/FileEntry.js +22 -0
package/src/models/GlobalSetting.js +1 -2
package/src/models/HealthAutoHealAttempt.js +57 -0
package/src/models/HealthCheck.js +132 -0
package/src/models/HealthCheckRun.js +51 -0
package/src/models/HealthIncident.js +49 -0
package/src/models/Page.js +95 -0
package/src/models/PageCollection.js +42 -0
package/src/models/ProxyEntry.js +66 -0
package/src/models/RateLimitCounter.js +19 -0
package/src/models/RateLimitMetricBucket.js +20 -0
package/src/models/RbacGrant.js +25 -0
package/src/models/RbacGroup.js +16 -0
package/src/models/RbacGroupMember.js +13 -0
package/src/models/RbacGroupRole.js +13 -0
package/src/models/RbacRole.js +25 -0
package/src/models/RbacUserRole.js +13 -0
package/src/models/ScriptDefinition.js +1 -0
package/src/models/Webhook.js +2 -0
package/src/routes/admin.routes.js +2 -0
package/src/routes/adminBlog.routes.js +21 -0
package/src/routes/adminBlogAi.routes.js +16 -0
package/src/routes/adminBlogAutomation.routes.js +27 -0
package/src/routes/adminCache.routes.js +20 -0
package/src/routes/adminConsoleManager.routes.js +302 -0
package/src/routes/adminCrons.routes.js +25 -0
package/src/routes/adminDbBrowser.routes.js +65 -0
package/src/routes/adminEjsVirtual.routes.js +2 -1
package/src/routes/adminExperiments.routes.js +29 -0
package/src/routes/adminHeadless.routes.js +2 -1
package/src/routes/adminHealthChecks.routes.js +28 -0
package/src/routes/adminI18n.routes.js +4 -3
package/src/routes/adminLlm.routes.js +4 -2
package/src/routes/adminPages.routes.js +55 -0
package/src/routes/adminProxy.routes.js +15 -0
package/src/routes/adminRateLimits.routes.js +17 -0
package/src/routes/adminRbac.routes.js +38 -0
package/src/routes/adminSeoConfig.routes.js +5 -4
package/src/routes/adminUiComponents.routes.js +2 -1
package/src/routes/blogInternal.routes.js +14 -0
package/src/routes/blogPublic.routes.js +9 -0
package/src/routes/experiments.routes.js +30 -0
package/src/routes/fileManager.routes.js +62 -0
package/src/routes/fileManagerStoragePolicy.routes.js +9 -0
package/src/routes/healthChecksPublic.routes.js +9 -0
package/src/routes/internalExperiments.routes.js +15 -0
package/src/routes/log.routes.js +43 -60
package/src/routes/metrics.routes.js +4 -2
package/src/routes/orgAdmin.routes.js +1 -0
package/src/routes/pages.routes.js +123 -0
package/src/routes/proxy.routes.js +46 -0
package/src/routes/rbac.routes.js +47 -0
package/src/routes/webhook.routes.js +2 -1
package/src/routes/workflows.routes.js +4 -0
package/src/services/blockDefinitionsAi.service.js +247 -0
package/src/services/blog.service.js +99 -0
package/src/services/blogAutomation.service.js +978 -0
package/src/services/blogCronsBootstrap.service.js +185 -0
package/src/services/blogPublishing.service.js +58 -0
package/src/services/cacheLayer.service.js +696 -0
package/src/services/consoleManager.service.js +738 -0
package/src/services/consoleOverride.service.js +7 -1
package/src/services/cronScheduler.service.js +350 -0
package/src/services/dbBrowser.service.js +536 -0
package/src/services/ejsVirtual.service.js +102 -32
package/src/services/experiments.service.js +273 -0
package/src/services/experimentsAggregation.service.js +308 -0
package/src/services/experimentsCronsBootstrap.service.js +118 -0
package/src/services/experimentsRetention.service.js +43 -0
package/src/services/experimentsWs.service.js +134 -0
package/src/services/fileManager.service.js +475 -0
package/src/services/fileManagerStoragePolicy.service.js +285 -0
package/src/services/globalSettings.service.js +15 -0
package/src/services/healthChecks.service.js +650 -0
package/src/services/healthChecksBootstrap.service.js +109 -0
package/src/services/healthChecksScheduler.service.js +106 -0
package/src/services/jsonConfigs.service.js +2 -2
package/src/services/llmDefaults.service.js +190 -0
package/src/services/migrationAssets/s3.js +2 -2
package/src/services/pages.service.js +602 -0
package/src/services/pagesContext.service.js +331 -0
package/src/services/pagesContextBlocksAi.service.js +349 -0
package/src/services/proxy.service.js +535 -0
package/src/services/rateLimiter.service.js +623 -0
package/src/services/rbac.service.js +212 -0
package/src/services/scriptsRunner.service.js +215 -15
package/src/services/uiComponentsAi.service.js +6 -19
package/src/services/workflow.service.js +23 -8
package/src/utils/orgRoles.js +14 -0
package/src/utils/rbac/engine.js +60 -0
package/src/utils/rbac/rightsRegistry.js +33 -0
package/views/admin-blog-automation.ejs +877 -0
package/views/admin-blog-edit.ejs +542 -0
package/views/admin-blog.ejs +399 -0
package/views/admin-cache.ejs +681 -0
package/views/admin-console-manager.ejs +680 -0
package/views/admin-crons.ejs +645 -0
package/views/admin-dashboard.ejs +28 -8
package/views/admin-db-browser.ejs +445 -0
package/views/admin-ejs-virtual.ejs +16 -10
package/views/admin-experiments.ejs +91 -0
package/views/admin-file-manager.ejs +942 -0
package/views/admin-health-checks.ejs +725 -0
package/views/admin-i18n.ejs +59 -5
package/views/admin-llm.ejs +99 -1
package/views/admin-organizations.ejs +163 -1
package/views/admin-pages.ejs +2424 -0
package/views/admin-proxy.ejs +491 -0
package/views/admin-rate-limiter.ejs +625 -0
package/views/admin-rbac.ejs +1331 -0
package/views/admin-scripts.ejs +597 -3
package/views/admin-seo-config.ejs +61 -7
package/views/admin-ui-components.ejs +57 -25
package/views/admin-workflows.ejs +7 -7
package/views/file-manager.ejs +866 -0
package/views/pages/blocks/contact.ejs +27 -0
package/views/pages/blocks/cta.ejs +18 -0
package/views/pages/blocks/faq.ejs +20 -0
package/views/pages/blocks/features.ejs +19 -0
package/views/pages/blocks/hero.ejs +13 -0
package/views/pages/blocks/html.ejs +5 -0
package/views/pages/blocks/image.ejs +14 -0
package/views/pages/blocks/testimonials.ejs +26 -0
package/views/pages/blocks/text.ejs +10 -0
package/views/pages/layouts/default.ejs +51 -0
package/views/pages/layouts/minimal.ejs +42 -0
package/views/pages/layouts/sidebar.ejs +54 -0
package/views/pages/partials/footer.ejs +13 -0
package/views/pages/partials/header.ejs +12 -0
package/views/pages/partials/sidebar.ejs +8 -0
package/views/pages/runtime/page.ejs +10 -0
package/views/pages/templates/article.ejs +20 -0
package/views/pages/templates/default.ejs +12 -0
package/views/pages/templates/landing.ejs +14 -0
package/views/pages/templates/listing.ejs +15 -0
package/views/partials/admin-image-upload-modal.ejs +221 -0
package/views/partials/dashboard/nav-items.ejs +12 -0
package/views/partials/dashboard/palette.ejs +5 -3
package/views/partials/llm-provider-model-picker.ejs +183 -0
package/src/routes/llmUi.routes.js +0 -26

package/src/services/proxy.service.js ADDED Viewed

@@ -0,0 +1,535 @@
+const crypto = require('crypto');
+const axios = require('axios');
+const { VM } = require('vm2');
+const ProxyEntry = require('../models/ProxyEntry');
+const cacheLayer = require('./cacheLayer.service');
+const rateLimiter = require('./rateLimiter.service');
+const { logAuditSync } = require('./auditLogger');
+function sha256(value) {
+  return crypto.createHash('sha256').update(String(value || ''), 'utf8').digest('hex');
+}
+function safeJsonParse(bufOrString) {
+  try {
+    if (Buffer.isBuffer(bufOrString)) {
+      return JSON.parse(bufOrString.toString('utf8'));
+    }
+    return JSON.parse(String(bufOrString || ''));
+  } catch {
+    return null;
+  }
+}
+function normalizeForAudit(value, depth = 0) {
+  if (depth > 6) return null;
+  if (value === null || value === undefined) return value;
+  if (typeof value !== 'object') return value;
+  if (Array.isArray(value)) {
+    return {
+      __arrayLength: value.length,
+      items: value.length > 0 ? [normalizeForAudit(value[0], depth + 1)] : [],
+    };
+  }
+  const out = {};
+  for (const [k, v] of Object.entries(value)) {
+    out[k] = normalizeForAudit(v, depth + 1);
+  }
+  return out;
+}
+function stripHopByHopHeaders(headers) {
+  const hopByHop = new Set([
+    'connection',
+    'keep-alive',
+    'proxy-authenticate',
+    'proxy-authorization',
+    'te',
+    'trailer',
+    'transfer-encoding',
+    'upgrade',
+    'host',
+  ]);
+  const out = {};
+  for (const [k, v] of Object.entries(headers || {})) {
+    const key = String(k).toLowerCase();
+    if (hopByHop.has(key)) continue;
+    if (v === undefined) continue;
+    out[key] = v;
+  }
+  return out;
+}
+function applyHeaderPolicy(entry, incoming) {
+  const cfg = entry?.headers || {};
+  const allowList = Array.isArray(cfg.allowList) ? cfg.allowList.map((h) => String(h).toLowerCase()) : [];
+  const denyList = Array.isArray(cfg.denyList) ? cfg.denyList.map((h) => String(h).toLowerCase()) : [];
+  const out = {};
+  const base = stripHopByHopHeaders(incoming);
+  for (const [k, v] of Object.entries(base)) {
+    const key = String(k).toLowerCase();
+    if (key === 'authorization' && cfg.forwardAuthorization === false) continue;
+    if (key === 'cookie' && cfg.forwardCookie === false) continue;
+    if (denyList.includes(key)) continue;
+    if (allowList.length > 0 && !allowList.includes(key)) continue;
+    out[key] = v;
+  }
+  return out;
+}
+function matchValueForRule(rule, { targetUrl, host, path }) {
+  const applyTo = String(rule.applyTo || 'targetUrl');
+  if (applyTo === 'host') return host;
+  if (applyTo === 'path') return path;
+  return targetUrl;
+}
+function ruleMatches(rule, ctx) {
+  if (!rule || rule.enabled === false) return false;
+  const type = String(rule.type || '').toLowerCase();
+  const value = String(rule.value || '');
+  const input = String(matchValueForRule(rule, ctx) || '');
+  if (type === 'contains') {
+    return input.toLowerCase().includes(value.toLowerCase());
+  }
+  if (type === 'regexp') {
+    try {
+      const flags = String(rule.flags || 'i');
+      const re = new RegExp(value, flags);
+      return re.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function entryMatches(entry, ctx) {
+  const match = entry?.match || {};
+  const type = String(match.type || 'contains').toLowerCase();
+  const value = String(match.value || '');
+  const applyTo = String(match.applyTo || 'host');
+  const input = applyTo === 'path'
+    ? String(ctx.path || '')
+    : (applyTo === 'targetUrl' ? String(ctx.targetUrl || '') : String(ctx.host || ''));
+  if (!value) return false;
+  if (type === 'exact') {
+    return input.toLowerCase() === value.toLowerCase();
+  }
+  if (type === 'contains') {
+    return input.toLowerCase().includes(value.toLowerCase());
+  }
+  if (type === 'regexp') {
+    try {
+      const flags = String(match.flags || 'i');
+      const re = new RegExp(value, flags);
+      return re.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function compareEntriesSpecificity(a, b) {
+  const order = { exact: 3, contains: 2, regexp: 1 };
+  const ta = String(a?.match?.type || 'contains').toLowerCase();
+  const tb = String(b?.match?.type || 'contains').toLowerCase();
+  const oa = order[ta] || 0;
+  const ob = order[tb] || 0;
+  if (oa !== ob) return ob - oa;
+  const va = String(a?.match?.value || '');
+  const vb = String(b?.match?.value || '');
+  return vb.length - va.length;
+}
+async function upsertDiscovery({ targetUrl, host, path }) {
+  const ns = 'proxy:discoveries';
+  const key = sha256(`${host}|${path}|${targetUrl}`);
+  const existing = await cacheLayer.get(key, { namespace: ns }).catch(() => null);
+  const next = existing && typeof existing === 'object'
+    ? { ...existing }
+    : {
+      key,
+      targetUrl,
+      host,
+      path,
+      firstSeenAt: new Date().toISOString(),
+      lastSeenAt: new Date().toISOString(),
+      count: 0,
+    };
+  next.lastSeenAt = new Date().toISOString();
+  next.count = Number(next.count || 0) + 1;
+  await cacheLayer.set(key, next, { namespace: ns, ttlSeconds: 24 * 60 * 60 }).catch(() => {});
+  return next;
+}
+async function listDiscoveries() {
+  const ns = 'proxy:discoveries';
+  const keys = await cacheLayer.listKeys({ namespace: ns }).catch(() => null);
+  const items = [];
+  const list = Array.isArray(keys)
+    ? keys
+    : [
+      ...((keys && Array.isArray(keys.memory)) ? keys.memory : []),
+      ...((keys && Array.isArray(keys.mongo)) ? keys.mongo : []),
+    ];
+  for (const k of list) {
+    const key = String(k?.key || '');
+    if (!key) continue;
+    // eslint-disable-next-line no-await-in-loop
+    const val = await cacheLayer.get(key, { namespace: ns, rehydrate: false }).catch(() => null);
+    if (!val || typeof val !== 'object') continue;
+    items.push(val);
+  }
+  items.sort((a, b) => {
+    const ta = new Date(a.lastSeenAt || 0).getTime();
+    const tb = new Date(b.lastSeenAt || 0).getTime();
+    return tb - ta;
+  });
+  return items;
+}
+async function findMatchingEntry(ctx) {
+  const entries = await ProxyEntry.find({}).lean();
+  const matched = (entries || []).filter((e) => entryMatches(e, ctx));
+  matched.sort(compareEntriesSpecificity);
+  return matched[0] || null;
+}
+function evaluatePolicy(entry, ctx) {
+  const mode = String(entry?.policy?.mode || 'whitelist');
+  const rules = Array.isArray(entry?.policy?.rules) ? entry.policy.rules : [];
+  if (mode === 'allowAll') return { allowed: true, reason: 'ALLOW_ALL' };
+  if (mode === 'denyAll') return { allowed: false, reason: 'DENY_ALL' };
+  const anyMatch = rules.some((r) => ruleMatches(r, ctx));
+  if (mode === 'blacklist') {
+    return anyMatch ? { allowed: false, reason: 'BLACKLIST_MATCH' } : { allowed: true, reason: 'BLACKLIST_DEFAULT_ALLOW' };
+  }
+  // whitelist (default)
+  return anyMatch ? { allowed: true, reason: 'WHITELIST_MATCH' } : { allowed: false, reason: 'WHITELIST_DEFAULT_DENY' };
+}
+function computeCacheKey(entry, { method, targetUrl, query, body, headers }) {
+  const keyParts = entry?.cache?.keyParts || {};
+  const headerAllow = Array.isArray(entry?.cache?.keyHeaderAllowList)
+    ? entry.cache.keyHeaderAllowList.map((h) => String(h).toLowerCase())
+    : [];
+  const parts = [];
+  if (keyParts.url !== false) {
+    parts.push(`u:${targetUrl}`);
+  }
+  if (keyParts.query !== false && query && typeof query === 'object') {
+    try {
+      parts.push(`q:${JSON.stringify(query)}`);
+    } catch {
+    }
+  }
+  if (keyParts.bodyHash !== false) {
+    const buf = body && Buffer.isBuffer(body) ? body : Buffer.from('');
+    const bh = sha256(buf);
+    parts.push(`b:${bh}`);
+  }
+  if (keyParts.headersHash !== false) {
+    const subset = {};
+    const src = headers && typeof headers === 'object' ? headers : {};
+    if (headerAllow.length > 0) {
+      for (const h of headerAllow) {
+        if (src[h] !== undefined) subset[h] = src[h];
+      }
+    }
+    const hh = sha256(JSON.stringify(subset));
+    parts.push(`h:${hh}`);
+  }
+  parts.push(`m:${String(method || '').toUpperCase()}`);
+  return sha256(parts.join('|'));
+}
+function runTransform(entry, ctx) {
+  const cfg = entry?.transform || {};
+  if (!cfg.enabled) return null;
+  const timeoutMs = Math.max(1, Number(cfg.timeoutMs || 200) || 200);
+  const code = String(cfg.code || '');
+  if (!code.trim()) return null;
+  const vm = new VM({ timeout: timeoutMs, sandbox: {} });
+  const fn = vm.run(`(function(){\n${code}\n;\nreturn (typeof transform === 'function') ? transform : null;\n})()`);
+  if (typeof fn !== 'function') {
+    return { error: 'Transform code did not export a function named transform(ctx)' };
+  }
+  const out = fn(ctx);
+  if (!out || typeof out !== 'object') return {};
+  return out;
+}
+async function proxyRequest(req) {
+  const method = String(req.method || 'GET').toUpperCase();
+  const targetUrl = String(req.proxyTargetUrl || '').trim();
+  if (!targetUrl) {
+    return { status: 400, headers: { 'content-type': 'application/json' }, body: Buffer.from(JSON.stringify({ error: 'Missing target URL' })) };
+  }
+  let url;
+  try {
+    url = new URL(targetUrl);
+  } catch {
+    return { status: 400, headers: { 'content-type': 'application/json' }, body: Buffer.from(JSON.stringify({ error: 'Invalid target URL' })) };
+  }
+  if (!['http:', 'https:'].includes(url.protocol)) {
+    return { status: 400, headers: { 'content-type': 'application/json' }, body: Buffer.from(JSON.stringify({ error: 'Only http/https are supported' })) };
+  }
+  const ctx = {
+    targetUrl: url.toString(),
+    host: url.host,
+    path: url.pathname,
+  };
+  const entry = await findMatchingEntry(ctx);
+  if (!entry || entry.enabled !== true) {
+    await upsertDiscovery(ctx).catch(() => {});
+    logAuditSync({
+      req,
+      action: 'proxy.blocked',
+      outcome: 'failure',
+      targetType: 'ProxyRequest',
+      targetId: ctx.targetUrl,
+      details: { reason: 'NO_ENABLED_ENTRY', targetUrl: ctx.targetUrl, host: ctx.host, path: ctx.path },
+    });
+    return { status: 403, headers: { 'content-type': 'application/json' }, body: Buffer.from(JSON.stringify({ error: 'Proxy request blocked' })) };
+  }
+  const decision = evaluatePolicy(entry, ctx);
+  if (!decision.allowed) {
+    logAuditSync({
+      req,
+      action: 'proxy.blocked',
+      outcome: 'failure',
+      targetType: 'ProxyRequest',
+      targetId: ctx.targetUrl,
+      details: { reason: decision.reason, targetUrl: ctx.targetUrl, host: ctx.host, path: ctx.path, entryId: String(entry._id) },
+    });
+    return { status: 403, headers: { 'content-type': 'application/json' }, body: Buffer.from(JSON.stringify({ error: 'Proxy request blocked' })) };
+  }
+  if (entry.rateLimit?.enabled) {
+    const limiterId = String(entry.rateLimit?.limiterId || `proxy:${entry._id}`);
+    const result = await rateLimiter.check(limiterId, { req });
+    if (!result.allowed) {
+      logAuditSync({
+        req,
+        action: 'proxy.rate_limited',
+        outcome: 'failure',
+        targetType: 'ProxyRequest',
+        targetId: ctx.targetUrl,
+        details: { limiterId, targetUrl: ctx.targetUrl, entryId: String(entry._id) },
+      });
+      return { status: 429, headers: { 'content-type': 'application/json' }, body: Buffer.from(JSON.stringify({ error: 'Too many requests' })) };
+    }
+  }
+  const incomingHeaders = req.headers || {};
+  const outgoingHeaders = applyHeaderPolicy(entry, incomingHeaders);
+  const bodyBuf = Buffer.isBuffer(req.body) ? req.body : Buffer.from('');
+  const cacheCfg = entry.cache || {};
+  const cacheEnabled = Boolean(cacheCfg.enabled);
+  const allowedMethods = Array.isArray(cacheCfg.methods) ? cacheCfg.methods.map((m) => String(m).toUpperCase()) : ['GET', 'HEAD'];
+  const cacheAllowedForMethod = cacheEnabled && allowedMethods.includes(method);
+  const cacheNamespace = String(cacheCfg.namespace || 'proxy');
+  if (cacheAllowedForMethod) {
+    const cacheKey = computeCacheKey(entry, {
+      method,
+      targetUrl: ctx.targetUrl,
+      query: Object.fromEntries(url.searchParams.entries()),
+      body: bodyBuf,
+      headers: outgoingHeaders,
+    });
+    const cached = await cacheLayer.get(cacheKey, { namespace: cacheNamespace }).catch(() => null);
+    if (cached && typeof cached === 'object' && cached.bodyBase64) {
+      logAuditSync({
+        req,
+        action: 'proxy.cache.hit',
+        outcome: 'success',
+        targetType: 'ProxyRequest',
+        targetId: ctx.targetUrl,
+        details: { cacheKey, namespace: cacheNamespace, entryId: String(entry._id) },
+      });
+      const resBody = Buffer.from(String(cached.bodyBase64), 'base64');
+      const headers = cached.headers && typeof cached.headers === 'object' ? cached.headers : {};
+      return { status: Number(cached.status || 200) || 200, headers, body: resBody };
+    }
+    logAuditSync({
+      req,
+      action: 'proxy.cache.miss',
+      outcome: 'success',
+      targetType: 'ProxyRequest',
+      targetId: ctx.targetUrl,
+      details: { cacheKey, namespace: cacheNamespace, entryId: String(entry._id) },
+    });
+  }
+  const upstream = await axios({
+    url: ctx.targetUrl,
+    method,
+    headers: outgoingHeaders,
+    data: ['GET', 'HEAD'].includes(method) ? undefined : bodyBuf,
+    responseType: 'arraybuffer',
+    validateStatus: () => true,
+    timeout: 30000,
+    maxContentLength: 10 * 1024 * 1024,
+    maxBodyLength: 10 * 1024 * 1024,
+  });
+  const responseHeaders = stripHopByHopHeaders(upstream.headers || {});
+  const responseBody = Buffer.from(upstream.data || Buffer.from(''));
+  const contentType = String(responseHeaders['content-type'] || '');
+  const isJson = contentType.includes('application/json') || contentType.includes('+json');
+  let transformed = null;
+  if (entry.transform?.enabled) {
+    const jsonBody = isJson ? safeJsonParse(responseBody) : null;
+    transformed = runTransform(entry, {
+      request: {
+        method,
+        targetUrl: ctx.targetUrl,
+        headers: outgoingHeaders,
+        bodyBase64: bodyBuf.length ? bodyBuf.toString('base64') : null,
+      },
+      response: {
+        status: upstream.status,
+        headers: responseHeaders,
+        bodyBase64: responseBody.length ? responseBody.toString('base64') : null,
+        json: jsonBody,
+      },
+    });
+  }
+  if (transformed && transformed.error) {
+    logAuditSync({
+      req,
+      action: 'proxy.transform.error',
+      outcome: 'failure',
+      targetType: 'ProxyRequest',
+      targetId: ctx.targetUrl,
+      details: { error: transformed.error, entryId: String(entry._id) },
+    });
+  }
+  let finalStatus = upstream.status;
+  let finalHeaders = { ...responseHeaders };
+  let finalBody = responseBody;
+  if (transformed && typeof transformed === 'object') {
+    if (transformed.status !== undefined) {
+      finalStatus = Number(transformed.status) || finalStatus;
+    }
+    if (transformed.headers && typeof transformed.headers === 'object') {
+      finalHeaders = stripHopByHopHeaders({ ...finalHeaders, ...transformed.headers });
+    }
+    if (transformed.bodyBase64) {
+      finalBody = Buffer.from(String(transformed.bodyBase64), 'base64');
+    } else if (transformed.bodyText !== undefined) {
+      finalBody = Buffer.from(String(transformed.bodyText || ''), 'utf8');
+    } else if (transformed.json !== undefined) {
+      finalHeaders['content-type'] = 'application/json';
+      finalBody = Buffer.from(JSON.stringify(transformed.json), 'utf8');
+    }
+  }
+  if (cacheAllowedForMethod) {
+    const cacheKey = computeCacheKey(entry, {
+      method,
+      targetUrl: ctx.targetUrl,
+      query: Object.fromEntries(url.searchParams.entries()),
+      body: bodyBuf,
+      headers: outgoingHeaders,
+    });
+    if (finalStatus >= 200 && finalStatus < 300) {
+      const toStore = {
+        status: finalStatus,
+        headers: finalHeaders,
+        bodyBase64: finalBody.toString('base64'),
+        storedAt: new Date().toISOString(),
+      };
+      await cacheLayer.set(cacheKey, toStore, { namespace: cacheNamespace, ttlSeconds: cacheCfg.ttlSeconds }).catch(() => {});
+      logAuditSync({
+        req,
+        action: 'proxy.cache.store',
+        outcome: 'success',
+        targetType: 'ProxyRequest',
+        targetId: ctx.targetUrl,
+        details: { cacheKey, namespace: cacheNamespace, entryId: String(entry._id), status: finalStatus },
+      });
+    }
+  }
+  const normalizedBody = isJson ? normalizeForAudit(safeJsonParse(finalBody)) : null;
+  logAuditSync({
+    req,
+    action: 'proxy.response',
+    outcome: finalStatus >= 400 ? 'failure' : 'success',
+    targetType: 'ProxyRequest',
+    targetId: ctx.targetUrl,
+    details: {
+      entryId: String(entry._id),
+      targetUrl: ctx.targetUrl,
+      status: finalStatus,
+      normalizedBody,
+    },
+  });
+  return { status: finalStatus, headers: finalHeaders, body: finalBody };
+}
+module.exports = {
+  proxyRequest,
+  listDiscoveries,
+};