@kylindc/ccxray 1.2.0

package/server/restore.js

@@ -0,0 +1,141 @@
+'use strict';
+
+const crypto = require('crypto');
+const config = require('./config');
+const store = require('./store');
+const { calculateCost } = require('./pricing');
+const { extractAgentType, splitB2IntoBlocks } = require('./system-prompt');
+
+// ── Lazy-load req/res from disk on demand ────────────────────────────
+
+function loadEntryReqRes(entry) {
+  if (entry._loaded) return Promise.resolve();
+  if (entry._loadingPromise) return entry._loadingPromise;
+  entry._loadingPromise = (async () => {
+    if (entry._writePromise) await entry._writePromise.catch(() => {});
+    try {
+      const stripped = JSON.parse(await config.storage.read(entry.id, '_req.json'));
+      const sys = stripped.sysHash
+        ? await config.storage.readShared(`sys_${stripped.sysHash}.json`).then(JSON.parse).catch(() => null)
+        : null;
+      const tools = stripped.toolsHash
+        ? await config.storage.readShared(`tools_${stripped.toolsHash}.json`).then(JSON.parse).catch(() => null)
+        : null;
+      entry.req = { ...stripped, system: sys, tools };
+      delete entry.req.sysHash;
+      delete entry.req.toolsHash;
+    } catch { entry.req = null; }
+    try {
+      const raw = await config.storage.read(entry.id, '_res.json');
+      try { entry.res = JSON.parse(raw); } catch { entry.res = raw; }
+    } catch { entry.res = null; }
+    entry._loaded = true;
+    entry._loadingPromise = null;
+  })();
+  return entry._loadingPromise;
+}
+
+// ── Restore entries from index.ndjson on startup ─────────────────────
+
+async function restoreFromLogs() {
+  console.time('restore:total');
+
+  // 1. Read the lightweight index (one file read for all metadata)
+  console.time('restore:index');
+  const indexContent = await config.storage.readIndex();
+  console.timeEnd('restore:index');
+
+  if (!indexContent) {
+    console.timeEnd('restore:total');
+    return;
+  }
+
+  // 2. Parse index lines and filter by RESTORE_DAYS
+  console.time('restore:parse');
+  let cutoffStr = null;
+  if (config.RESTORE_DAYS > 0) {
+    const cutoff = new Date();
+    cutoff.setDate(cutoff.getDate() - config.RESTORE_DAYS);
+    cutoffStr = cutoff.toLocaleString('sv-SE', { timeZone: 'Asia/Taipei' }).slice(0, 10);
+  }
+
+  const lines = indexContent.split('\n').filter(Boolean);
+  let restored = 0;
+
+  for (const line of lines) {
+    let meta;
+    try { meta = JSON.parse(line); } catch { continue; }
+
+    if (cutoffStr && meta.id.slice(0, 10) < cutoffStr) continue;
+
+    store.entries.push({ ...meta, req: null, res: null, _loaded: false });
+
+    // Track earliest timestamp per sysHash for version dating
+    if (meta.sysHash && meta.id) {
+      const existing = store._sysHashDates && store._sysHashDates.get(meta.sysHash);
+      if (!existing || meta.id < existing) {
+        if (!store._sysHashDates) store._sysHashDates = new Map();
+        store._sysHashDates.set(meta.sysHash, meta.id.slice(0, 10));
+      }
+    }
+
+    if (meta.sessionId) {
+      if (!store.sessionMeta[meta.sessionId]) store.sessionMeta[meta.sessionId] = {};
+      if (meta.cwd) store.sessionMeta[meta.sessionId].cwd = meta.cwd;
+      if (meta.receivedAt) store.sessionMeta[meta.sessionId].lastSeenAt = meta.receivedAt;
+    }
+    if (meta.cost?.cost != null && meta.sessionId) {
+      store.sessionCosts.set(meta.sessionId, (store.sessionCosts.get(meta.sessionId) || 0) + meta.cost.cost);
+    }
+    restored++;
+  }
+  store.trimEntries();
+  console.timeEnd('restore:parse');
+
+  // 3. Build version index from shared/ system prompts (scans a handful of small files)
+  console.time('restore:versions');
+  await buildVersionIndex();
+  console.timeEnd('restore:versions');
+
+  console.timeEnd('restore:total');
+  if (restored) {
+    const msg = config.RESTORE_DAYS > 0
+      ? `Restored ${restored} entries from last ${config.RESTORE_DAYS} days`
+      : `Restored ${restored} entries from index`;
+    console.log(`\x1b[90m   ${msg}\x1b[0m`);
+  }
+}
+
+async function buildVersionIndex() {
+  let sharedFiles;
+  try { sharedFiles = await config.storage.listShared(); } catch { return; }
+
+  for (const filename of sharedFiles) {
+    if (!filename.startsWith('sys_')) continue;
+    try {
+      const sys = JSON.parse(await config.storage.readShared(filename));
+      if (!Array.isArray(sys) || sys.length < 3) continue;
+      const b0 = sys[0]?.text || '';
+      const b2 = sys[2]?.text || '';
+      const m = b0.match(/cc_version=(\S+?)[; ]/);
+      const ver = m ? m[1] : null;
+      const { key: agentKey, label: agentLabel } = extractAgentType(sys);
+      if (ver && b2.length >= 500) {
+        const idxKey = `${agentKey}::${ver}`;
+        const existing = store.versionIndex.get(idxKey);
+        if (!existing || b2.length > existing.b2Len) {
+          const coreText = splitB2IntoBlocks(b2).coreInstructions || '';
+          const coreLen = coreText.length;
+          const coreHash = crypto.createHash('md5').update(coreText).digest('hex').slice(0, 12);
+          store.versionIndex.set(idxKey, {
+            reqId: null, sharedFile: filename, b2Len: b2.length, coreLen, coreHash,
+            firstSeen: filename.slice(4, 14) || '?',
+            agentKey, agentLabel, version: ver,
+          });
+        }
+      }
+    } catch {}
+  }
+}
+
+module.exports = { loadEntryReqRes, restoreFromLogs };

package/server/routes/api.js

@@ -0,0 +1,123 @@
+'use strict';
+
+const config = require('../config');
+const store = require('../store');
+const { summarizeEntry } = require('../sse-broadcast');
+const { loadEntryReqRes } = require('../restore');
+const { tokenizeRequest } = require('../helpers');
+const { computeBlockDiff } = require('../system-prompt');
+
+function handleApiRoutes(clientReq, clientRes) {
+  if (clientReq.url === '/_api/config') {
+    clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+    clientRes.end(JSON.stringify({ bedrockMode: !!config.IS_BEDROCK_MODE }));
+    return true;
+  }
+
+  if (clientReq.url === '/_api/entries') {
+    clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+    clientRes.end(JSON.stringify(store.entries.map(summarizeEntry)));
+    return true;
+  }
+
+  if (clientReq.url.startsWith('/_api/sysprompt/versions')) {
+    const urlParams = new URLSearchParams(clientReq.url.split('?')[1] || '');
+    const filterAgent = urlParams.get('agent') || null;
+    const allAgents = [...new Set([...store.versionIndex.values()].map(v => v.agentKey))].sort();
+    const vEntries = [...store.versionIndex.values()]
+      .filter(v => !filterAgent || v.agentKey === filterAgent)
+      .sort((a, b) => b.version.localeCompare(a.version));
+    const versions = vEntries.map(({ version, reqId, b2Len, coreLen, firstSeen, agentKey, agentLabel }) => ({ version, reqId, b2Len, coreLen, firstSeen, agentKey, agentLabel }));
+    clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+    clientRes.end(JSON.stringify({ versions, agents: allAgents.map(k => ({ key: k, label: store.versionIndex.get([...store.versionIndex.keys()].find(ik => ik.startsWith(k + '::')))?.agentLabel || k })) }));
+    return true;
+  }
+
+  const diffMatch = clientReq.url.match(/^\/_api\/sysprompt\/diff\?(.+)$/);
+  if (diffMatch) {
+    const params = new URLSearchParams(diffMatch[1]);
+    const verA = params.get('a'), verB = params.get('b');
+    const agentKey = params.get('agent') || 'claude-code';
+    const entA = store.versionIndex.get(`${agentKey}::${verA}`), entB = store.versionIndex.get(`${agentKey}::${verB}`);
+    if (!entA || !entB) {
+      clientRes.writeHead(404, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify({ error: 'version not found' }));
+      return true;
+    }
+    const loadB2 = async (ent) => {
+      // Try reqId first, fallback to shared file
+      if (ent.reqId) {
+        try {
+          const raw = await config.storage.read(ent.reqId, '_req.json');
+          const body = JSON.parse(raw);
+          return Array.isArray(body.system) && body.system[2] ? (body.system[2].text || '') : '';
+        } catch {}
+      }
+      if (ent.sharedFile) {
+        try {
+          const sys = JSON.parse(await config.storage.readShared(ent.sharedFile));
+          return Array.isArray(sys) && sys[2] ? (sys[2].text || '') : '';
+        } catch {}
+      }
+      return '';
+    };
+    (async () => {
+      const [b2A, b2B] = await Promise.all([loadB2(entA), loadB2(entB)]);
+      const blockDiff = computeBlockDiff(b2A, b2B, verA, verB);
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify({
+        a: { version: verA, b2Len: entA.b2Len },
+        b: { version: verB, b2Len: entB.b2Len },
+        blockDiff
+      }));
+    })().catch(e => {
+      if (!clientRes.headersSent) clientRes.writeHead(500);
+      clientRes.end(JSON.stringify({ error: e.message }));
+    });
+    return true;
+  }
+
+  // Full entry data (req + res) — lazy loaded
+  const entryMatch = clientReq.url.match(/^\/_api\/entry\/(.+)$/);
+  if (entryMatch) {
+    const id = decodeURIComponent(entryMatch[1]);
+    const entry = store.entries.find(e => e.id === id);
+    if (!entry) { clientRes.writeHead(404); clientRes.end('Not found'); return true; }
+    (async () => {
+      await loadEntryReqRes(entry);
+      const snapshot = { req: entry.req, res: entry.res, receivedAt: entry.receivedAt || null };
+      if (entry.elapsed === '?') { entry.req = null; entry.res = null; entry._loaded = false; }
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify(snapshot));
+    })().catch(e => {
+      if (!clientRes.headersSent) clientRes.writeHead(500);
+      clientRes.end(JSON.stringify({ error: e.message }));
+    });
+    return true;
+  }
+
+  // Lazy tokenization endpoint
+  const tokMatch = clientReq.url.match(/^\/_api\/tokens\/(.+)$/);
+  if (tokMatch) {
+    const id = decodeURIComponent(tokMatch[1]);
+    const entry = store.entries.find(e => e.id === id);
+    if (!entry) { clientRes.writeHead(404); clientRes.end('Not found'); return true; }
+    (async () => {
+      if (!entry.tokens) {
+        await loadEntryReqRes(entry);
+        if (entry.req) entry.tokens = tokenizeRequest(entry.req);
+        if (entry.elapsed === '?') { entry.req = null; entry.res = null; entry._loaded = false; }
+      }
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify(entry.tokens));
+    })().catch(e => {
+      if (!clientRes.headersSent) clientRes.writeHead(500);
+      clientRes.end(JSON.stringify({ error: e.message }));
+    });
+    return true;
+  }
+
+  return false;
+}
+
+module.exports = { handleApiRoutes };

package/server/routes/costs.js

@@ -0,0 +1,124 @@
+'use strict';
+
+const store = require('../store');
+const { getCostsCacheOrNull, calculateBurnRate, TOKEN_LIMIT } = require('../cost-budget');
+const { pricingTable } = require('../pricing');
+
+// Helper: return loading response if cache not ready (triggers background computation)
+function sendLoadingOrData(clientRes, dataFn) {
+  const data = getCostsCacheOrNull();
+  if (!data) {
+    clientRes.writeHead(202, { 'Content-Type': 'application/json' });
+    clientRes.end(JSON.stringify({ loading: true }));
+    return;
+  }
+  dataFn(data);
+}
+
+function handleCostRoutes(clientReq, clientRes) {
+  if (clientReq.url === '/_api/costs/current-block') {
+    sendLoadingOrData(clientRes, data => {
+      const now = Date.now();
+      const activeBlock = data.blocks.find(b => b.isActive);
+      if (!activeBlock) {
+        const lastBlock = data.blocks[data.blocks.length - 1];
+        if (!lastBlock) {
+          clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+          clientRes.end(JSON.stringify({ active: false }));
+          return;
+        }
+        clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+        clientRes.end(JSON.stringify({
+          active: false,
+          lastBlock: {
+            startTime: lastBlock.startTime,
+            endTime: lastBlock.endTime,
+            totalTokens: lastBlock.totalTokens,
+            costUSD: Math.round(lastBlock.costUSD * 100) / 100,
+            models: lastBlock.models,
+            minutesAgo: Math.round((now - lastBlock._lastTs) / 60000),
+          },
+        }));
+        return;
+      }
+      const br = calculateBurnRate(activeBlock);
+      const minutesRemaining = Math.round((activeBlock._endMs - now) / 60_000);
+      const rawRateLimitState = store.getRateLimitState();
+      // Ignore stale rate limit data: must be within current block and <10min old
+      const rateLimitState = rawRateLimitState
+        && rawRateLimitState.updatedAt > activeBlock._startMs
+        && (now - rawRateLimitState.updatedAt) < 600_000
+        ? rawRateLimitState : null;
+      const liveLimit = rateLimitState && rateLimitState.tokensLimit;
+      const liveRemaining = rateLimitState && rateLimitState.tokensRemaining;
+      const tokenLimit = liveLimit || TOKEN_LIMIT;
+      const tokensUsed = liveLimit ? (liveLimit - liveRemaining) : activeBlock.totalTokens;
+      const percentUsed = Math.round((tokensUsed / tokenLimit) * 1000) / 10;
+      const resetTime = rateLimitState && rateLimitState.inputReset || activeBlock.endTime;
+      const windowStartMs = activeBlock._startMs;
+      const windowEndMs = activeBlock._endMs;
+      const windowDurationMs = windowEndMs - windowStartMs;
+      const minutesElapsed = Math.round((now - windowStartMs) / 60_000);
+      const timePct = Math.round(Math.min(100, Math.max(0, (now - windowStartMs) / windowDurationMs * 100) * 10)) / 10;
+      const resp = {
+        active: true,
+        startTime: activeBlock.startTime,
+        endTime: resetTime,
+        totalTokens: tokensUsed,
+        tokenLimit,
+        percentUsed,
+        costUSD: Math.round(activeBlock.costUSD * 100) / 100,
+        models: activeBlock.models,
+        burnRate: br ? br.burnRate : null,
+        projection: br ? br.projection : null,
+        minutesRemaining: rateLimitState && rateLimitState.inputReset
+          ? Math.round((new Date(rateLimitState.inputReset).getTime() - now) / 60_000)
+          : minutesRemaining,
+        minutesElapsed,
+        timePct,
+        source: rateLimitState ? 'live' : 'jsonl',
+      };
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify(resp));
+    });
+    return true;
+  }
+
+  if (clientReq.url === '/_api/costs/daily') {
+    sendLoadingOrData(clientRes, data => {
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify(data.daily));
+    });
+    return true;
+  }
+
+  if (clientReq.url === '/_api/costs/monthly') {
+    sendLoadingOrData(clientRes, data => {
+      const now = new Date();
+      const currentMonth = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`;
+      const currentMonthData = data.monthly.find(m => m.month === currentMonth) || { month: currentMonth, totalTokens: 0, costUSD: 0, models: [] };
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify({ monthly: data.monthly, currentMonth: currentMonthData }));
+    });
+    return true;
+  }
+
+  if (clientReq.url === '/_api/pricing') {
+    const result = {};
+    for (const [model, rates] of Object.entries(pricingTable)) {
+      result[model] = {
+        input_cost_per_mtok: rates.input,
+        output_cost_per_mtok: rates.output,
+        cache_read_cost_per_mtok: rates.cache_read,
+        cache_creation_cost_per_mtok: rates.cache_create,
+      };
+    }
+    clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+    clientRes.end(JSON.stringify(result));
+    return true;
+  }
+
+  return false;
+}
+
+module.exports = { handleCostRoutes };

package/server/routes/intercept.js

@@ -0,0 +1,89 @@
+'use strict';
+
+const store = require('../store');
+const { taipeiTime } = require('../helpers');
+const { broadcastInterceptToggle, broadcastInterceptRemoved, broadcastSessionStatus } = require('../sse-broadcast');
+const { forwardRequest } = require('../forward');
+
+function handleInterceptRoutes(clientReq, clientRes) {
+  if (clientReq.url === '/_api/intercept/toggle' && clientReq.method === 'POST') {
+    const chunks = []; clientReq.on('data', c => chunks.push(c));
+    clientReq.on('end', () => {
+      try {
+        const { sessionId } = JSON.parse(Buffer.concat(chunks).toString());
+        if (!sessionId) { clientRes.writeHead(400); clientRes.end('missing sessionId'); return; }
+        const enabled = !store.interceptSessions.has(sessionId);
+        if (enabled) store.interceptSessions.add(sessionId); else store.interceptSessions.delete(sessionId);
+        broadcastInterceptToggle(sessionId, enabled);
+        console.log(`\x1b[33m${enabled ? '⏸' : '▶'} INTERCEPT ${enabled ? 'ON' : 'OFF'} for session ${sessionId.slice(0, 8)}\x1b[0m`);
+        clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+        clientRes.end(JSON.stringify({ sessionId, enabled }));
+      } catch { clientRes.writeHead(400); clientRes.end('bad json'); }
+    });
+    return true;
+  }
+
+  const approveMatch = clientReq.url.match(/^\/_api\/intercept\/(.+)\/approve$/);
+  if (approveMatch && clientReq.method === 'POST') {
+    const reqId = decodeURIComponent(approveMatch[1]);
+    const pending = store.pendingRequests.get(reqId);
+    if (!pending) { clientRes.writeHead(404); clientRes.end('not found'); return true; }
+    const chunks = []; clientReq.on('data', c => chunks.push(c));
+    clientReq.on('end', () => {
+      clearTimeout(pending.timer);
+      store.pendingRequests.delete(reqId);
+      broadcastInterceptRemoved(reqId);
+      try {
+        const payload = Buffer.concat(chunks).toString();
+        if (payload) {
+          const { body } = JSON.parse(payload);
+          if (body) { pending.parsedBody = body; pending.bodyModified = true; }
+        }
+      } catch {}
+      console.log(`\x1b[32m✓ INTERCEPT APPROVED [${taipeiTime()}] ${reqId}\x1b[0m`);
+      forwardRequest(pending);
+      clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+      clientRes.end(JSON.stringify({ ok: true }));
+    });
+    return true;
+  }
+
+  const rejectMatch = clientReq.url.match(/^\/_api\/intercept\/(.+)\/reject$/);
+  if (rejectMatch && clientReq.method === 'POST') {
+    const reqId = decodeURIComponent(rejectMatch[1]);
+    const pending = store.pendingRequests.get(reqId);
+    if (!pending) { clientRes.writeHead(404); clientRes.end('not found'); return true; }
+    clearTimeout(pending.timer);
+    store.pendingRequests.delete(reqId);
+    broadcastInterceptRemoved(reqId);
+    if (pending.reqSessionId) {
+      store.activeRequests[pending.reqSessionId] = Math.max(0, (store.activeRequests[pending.reqSessionId] || 1) - 1);
+      broadcastSessionStatus(pending.reqSessionId);
+    }
+    console.log(`\x1b[31m✕ INTERCEPT REJECTED [${taipeiTime()}] ${reqId}\x1b[0m`);
+    if (!pending.clientRes.headersSent) {
+      pending.clientRes.writeHead(499, { 'Content-Type': 'application/json' });
+    }
+    pending.clientRes.end(JSON.stringify({ error: 'request_rejected', message: 'Request rejected by dashboard' }));
+    clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+    clientRes.end(JSON.stringify({ ok: true }));
+    return true;
+  }
+
+  if (clientReq.url === '/_api/intercept/timeout' && clientReq.method === 'POST') {
+    const chunks = []; clientReq.on('data', c => chunks.push(c));
+    clientReq.on('end', () => {
+      try {
+        const { timeout } = JSON.parse(Buffer.concat(chunks).toString());
+        store.setInterceptTimeout(Math.max(30, Math.min(180, Number(timeout) || 120)));
+        clientRes.writeHead(200, { 'Content-Type': 'application/json' });
+        clientRes.end(JSON.stringify({ timeout: store.getInterceptTimeout() }));
+      } catch { clientRes.writeHead(400); clientRes.end('bad json'); }
+    });
+    return true;
+  }
+
+  return false;
+}
+
+module.exports = { handleInterceptRoutes };

package/server/routes/sse.js

@@ -0,0 +1,44 @@
+'use strict';
+
+const store = require('../store');
+
+function handleSSERoute(clientReq, clientRes) {
+  if (clientReq.url !== '/_events') return false;
+
+  clientRes.writeHead(200, {
+    'Content-Type': 'text/event-stream',
+    'Cache-Control': 'no-cache',
+    'Connection': 'keep-alive',
+  });
+  clientRes.write(':\n\n');
+
+  // Send current session statuses
+  for (const [sid, meta] of Object.entries(store.sessionMeta)) {
+    if (meta.lastSeenAt || (store.activeRequests[sid] || 0) > 0) {
+      const active = (store.activeRequests[sid] || 0) > 0;
+      const data = JSON.stringify({ _type: 'session_status', sessionId: sid, active, lastSeenAt: meta.lastSeenAt || null });
+      clientRes.write(`data: ${data}\n\n`);
+    }
+  }
+
+  // Send intercept state
+  for (const sid of store.interceptSessions) {
+    clientRes.write(`data: ${JSON.stringify({ _type: 'intercept_toggled', sessionId: sid, enabled: true })}\n\n`);
+  }
+  for (const [reqId, pending] of store.pendingRequests) {
+    clientRes.write(`data: ${JSON.stringify({ _type: 'pending_request', requestId: reqId, sessionId: pending.reqSessionId, body: pending.parsedBody })}\n\n`);
+  }
+
+  // Send current interceptTimeout
+  clientRes.write(`data: ${JSON.stringify({ _type: 'intercept_timeout', timeout: store.getInterceptTimeout() })}\n\n`);
+
+  store.sseClients.push(clientRes);
+  clientReq.on('close', () => {
+    const idx = store.sseClients.indexOf(clientRes);
+    if (idx >= 0) store.sseClients.splice(idx, 1);
+  });
+
+  return true;
+}
+
+module.exports = { handleSSERoute };

package/server/sigv4.js

@@ -0,0 +1,104 @@
+'use strict';
+
+const crypto = require('crypto');
+
+function hmac(key, data, enc) {
+  return crypto.createHmac('sha256', key).update(data).digest(enc || undefined);
+}
+
+function sha256hex(data) {
+  return crypto.createHash('sha256').update(data).digest('hex');
+}
+
+// Sign a request with AWS Signature Version 4.
+// Returns extra headers to add: { authorization, 'x-amz-date', ['x-amz-security-token'] }
+//
+// Parameters:
+//   method      - HTTP method (e.g. 'POST')
+//   urlStr      - Full URL string (e.g. 'https://bedrock-runtime.us-east-1.amazonaws.com/model/...')
+//   headers     - Headers object to be forwarded (host/x-amz-date will be added from here for signing)
+//   body        - Request body (Buffer or string)
+//   credentials - { accessKeyId, secretAccessKey, sessionToken }
+//   region      - AWS region (e.g. 'us-east-1')
+//   service     - AWS service name (e.g. 'bedrock')
+function sign(method, urlStr, headers, body, credentials, region, service) {
+  const url = new URL(urlStr);
+
+  const now = new Date();
+  const amzDate = now.toISOString().replace(/[-:]/g, '').replace(/\.\d{3}Z$/, 'Z');
+  const dateStamp = amzDate.slice(0, 8);
+
+  // Build the set of headers to sign (lowercase names)
+  const signingHeaders = {};
+  for (const [k, v] of Object.entries(headers)) {
+    const lk = k.toLowerCase();
+    // Exclude pseudo-headers that we're replacing
+    if (lk === 'authorization' || lk === 'x-amz-date' || lk === 'x-amz-security-token') continue;
+    signingHeaders[lk] = String(v).trim();
+  }
+  signingHeaders['host'] = url.hostname;
+  signingHeaders['x-amz-date'] = amzDate;
+  if (credentials.sessionToken) {
+    signingHeaders['x-amz-security-token'] = credentials.sessionToken;
+  }
+
+  // Sorted unique lowercase header keys
+  const sortedKeys = [...new Set(Object.keys(signingHeaders).sort())];
+  const canonicalHeaders = sortedKeys.map(k => `${k}:${signingHeaders[k]}\n`).join('');
+  const signedHeaders = sortedKeys.join(';');
+
+  // Canonical URI: percent-encode each path segment (unreserved chars stay as-is)
+  const canonicalUri = url.pathname
+    .split('/')
+    .map(seg => encodeURIComponent(decodeURIComponent(seg)))
+    .join('/') || '/';
+
+  // Canonical query string: sorted key=value pairs
+  const queryEntries = [...url.searchParams.entries()]
+    .sort(([a], [b]) => a < b ? -1 : a > b ? 1 : 0);
+  const canonicalQueryString = queryEntries
+    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
+    .join('&');
+
+  const payloadHash = sha256hex(body || '');
+
+  const canonicalRequest = [
+    method.toUpperCase(),
+    canonicalUri,
+    canonicalQueryString,
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash,
+  ].join('\n');
+
+  const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+  const stringToSign = [
+    'AWS4-HMAC-SHA256',
+    amzDate,
+    credentialScope,
+    sha256hex(canonicalRequest),
+  ].join('\n');
+
+  // Derive signing key: HMAC chain AWS4+secret → date → region → service → 'aws4_request'
+  const signingKey = hmac(
+    hmac(
+      hmac(
+        hmac(`AWS4${credentials.secretAccessKey}`, dateStamp),
+        region
+      ),
+      service
+    ),
+    'aws4_request'
+  );
+
+  const signature = hmac(signingKey, stringToSign, 'hex');
+  const authorization = `AWS4-HMAC-SHA256 Credential=${credentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+
+  return {
+    authorization,
+    'x-amz-date': amzDate,
+    ...(credentials.sessionToken ? { 'x-amz-security-token': credentials.sessionToken } : {}),
+  };
+}
+
+module.exports = { sign };