@openape/proxy 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2025 Patrick Hofmann
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/PLAN.md

@@ -0,0 +1,261 @@
+# openape-proxy — Agent HTTP Gateway
+
+## Übersicht
+
+Ein HTTP-Forward-Proxy der den gesamten ausgehenden Traffic eines Agents kontrolliert. Agents haben keinen direkten Internet-Zugang — alles läuft durch den Proxy, der Grants prüft, Requests filtert und alles loggt.
+
+## Architektur
+
+```
+┌─────────┐    HTTP_PROXY    ┌──────────────┐    HTTPS    ┌──────────┐
+│  Agent   │ ──────────────→ │ openape-proxy │ ─────────→ │ Internet │
+│          │                 │              │             │          │
+│ (HTTP    │  ← 403 oder ─── │  • Auth      │             └──────────┘
+│  Client) │    Grant-Request │  • Grants    │
+└─────────┘                  │  • Audit     │
+                             │  • Rules     │
+                             └──────┬───────┘
+                                    │ Grant-API
+                                    ▼
+                             ┌──────────────┐
+                             │   IdP        │
+                             │ (id.office.  │
+                             │  or.at)      │
+                             └──────────────┘
+```
+
+## Agent-Integration
+
+Null-Config für den Agent:
+```bash
+export HTTP_PROXY=http://localhost:9090
+export HTTPS_PROXY=http://localhost:9090
+```
+
+Jeder HTTP-Client (curl, fetch, axios, Python requests, etc.) respektiert diese Env-Vars automatisch.
+
+## Authentifizierung
+
+Agent identifiziert sich am Proxy via Proxy-Authorization Header:
+```
+CONNECT api.github.com:443 HTTP/1.1
+Proxy-Authorization: Bearer <agent-jwt>
+```
+
+Das Agent-JWT kommt aus dem bestehenden Ed25519 Challenge-Response Flow.
+
+## Grant-Matching
+
+### Regel-Hierarchie
+
+1. **Deny-List** — immer blockiert (z.B. interne Netzwerke, IdP selbst)
+2. **Allow without Grant** — immer erlaubt (z.B. DNS, NTP)
+3. **Standing Grants** — Agent hat `allow_always` für Domain+Method
+4. **TTL Grants** — Agent hat zeitlich begrenzten Grant
+5. **Prompt for Grant** — kein Grant vorhanden → Optionen:
+   a. `block` — sofort 403
+   b. `request` — Grant-Request erstellen, auf Approval warten (blocking)
+   c. `request-async` — Grant-Request erstellen, sofort 403, Agent kann später retry
+
+### Regel-Konfiguration
+
+```toml
+[proxy]
+listen = "127.0.0.1:9090"
+idp_url = "https://id.office.or.at"
+agent_key = "/etc/apes/agent.key"
+agent_id = "mini-claw@office.or.at"
+default_action = "request"   # block | request | request-async
+audit_log = "/var/log/openape-proxy/audit.jsonl"
+
+# Immer erlaubt (kein Grant nötig)
+[[allow]]
+domain = "*.openape.at"
+
+[[allow]]
+domain = "api.github.com"
+methods = ["GET"]
+
+# Immer blockiert
+[[deny]]
+domain = "169.254.169.254"    # AWS metadata
+note = "cloud metadata endpoint"
+
+[[deny]]
+domain = "*.internal"
+
+# Grant-gesteuert (Domain + Method + Path)
+[[grant_required]]
+domain = "api.github.com"
+path = "/repos/*/issues"
+methods = ["POST"]
+grant_type = "once"           # jeder neue Issue braucht Genehmigung
+
+[[grant_required]]
+domain = "api.github.com"
+methods = ["PUT", "DELETE", "PATCH"]
+grant_type = "once"           # alle anderen Writes auch
+
+[[grant_required]]
+domain = "api.openai.com"
+grant_type = "always"         # Standing Grant, einmal genehmigen reicht
+
+[[grant_required]]
+domain = "*"                  # alles andere
+grant_type = "once"
+```
+
+## Request-Lifecycle
+
+```
+1. Agent sendet CONNECT api.github.com:443
+2. Proxy prüft Agent-JWT (Proxy-Authorization)
+3. Proxy extrahiert: domain=api.github.com, method=POST, path=/repos/x/issues
+4. Regel-Matching:
+   a. In deny-list? → 403 Blocked
+   b. In allow-list? → Tunnel aufbauen, weiterleiten
+   c. Aktiver Grant vorhanden? → Tunnel aufbauen, weiterleiten
+   d. Kein Grant → default_action ausführen:
+      - "block": 403
+      - "request": Grant-Request an IdP, warte auf Approval, dann weiterleiten
+      - "request-async": Grant-Request erstellen, 407 Proxy Authentication Required
+5. Audit-Log schreiben (JSONL)
+```
+
+## Audit-Log Format
+
+```jsonl
+{"ts":"2026-02-23T22:30:00Z","agent":"mini-claw@office.or.at","action":"allow","domain":"api.github.com","method":"GET","path":"/repos/x/issues","grant_id":null,"rule":"allow-list"}
+{"ts":"2026-02-23T22:30:05Z","agent":"mini-claw@office.or.at","action":"grant_approved","domain":"api.github.com","method":"POST","path":"/repos/x/issues","grant_id":"abc123","rule":"grant_required","waited_ms":12000}
+{"ts":"2026-02-23T22:30:10Z","agent":"mini-claw@office.or.at","action":"denied","domain":"169.254.169.254","method":"GET","path":"/latest/meta-data","grant_id":null,"rule":"deny-list"}
+```
+
+## Implementierung
+
+### Sprache: Rust
+
+- Wie `apes` — konsistent im Ökosystem
+- Performant für Proxy-Workload (viele gleichzeitige Connections)
+- `tokio` + `hyper` für async HTTP
+- Kein TLS-Aufbrechen nötig: CONNECT-Tunnel ist opak (nur Domain sichtbar, nicht der Inhalt)
+
+### Crates
+
+- `hyper` — HTTP Server/Client
+- `tokio` — Async Runtime
+- `tokio-rustls` — TLS für Upstream-Verbindung zum IdP
+- `serde` + `toml` — Config
+- `tracing` — Structured Logging
+
+### Proxy-Modus: Application-Level (nicht CONNECT-Tunnel)
+
+Ein klassischer HTTPS CONNECT-Tunnel sieht nur die Domain — Method, Path und Body sind verschlüsselt. Das reicht nicht für granulare Kontrolle.
+
+Stattdessen: **Application-Level Forward Proxy**. Der Agent schickt den Request unverschlüsselt an den lokalen Proxy, der Proxy macht den HTTPS-Call zum Ziel:
+
+```
+Agent ──HTTP──→ openape-proxy ──HTTPS──→ api.github.com
+  (lokal, plaintext)    (sieht alles)     (TLS zum Internet)
+```
+
+**Was der Proxy sieht:**
+- ✅ Domain
+- ✅ HTTP Method (GET, POST, DELETE, ...)
+- ✅ Full Path (`/repos/x/issues`)
+- ✅ Headers
+- ✅ Body (kann `cmd_hash` darüber bilden!)
+
+**Sicherheit:** Die unverschlüsselte Strecke Agent → Proxy ist `localhost` — gleiche Maschine, kein Netzwerk. Kein Risiko.
+
+**Kompatibilität:** Standard `HTTP_PROXY` Env-Var funktioniert — jeder HTTP-Client schickt den vollen Request an den Proxy wenn die Ziel-URL HTTPS ist und `HTTP_PROXY` gesetzt ist.
+
+Damit können Rules auf **Domain + Method + Path-Pattern** matchen:
+
+```toml
+[[grant_required]]
+domain = "api.github.com"
+path = "/repos/*/issues"
+methods = ["POST"]
+grant_type = "once"           # jeder neue Issue braucht Approval
+
+[[allow]]
+domain = "api.github.com"
+path = "/repos/*/issues"
+methods = ["GET"]             # Issues lesen immer erlaubt
+```
+
+## Phasen
+
+### Phase 1 — MVP (1-2 Tage)
+Ziel: Ein Agent kann nur ins Internet wenn ein Mensch es erlaubt hat.
+
+- [ ] Application-Level Forward Proxy (TypeScript/Bun)
+- [ ] HTTP + HTTPS Forwarding (Proxy macht TLS zum Ziel)
+- [ ] WebSocket + SSE Support (Grant-Check beim Aufbau, dann Tunnel)
+- [ ] Agent-Auth (JWT Verification via Proxy-Authorization)
+- [ ] Config-Datei (TOML oder JSON)
+- [ ] Deny/Allow/Grant-Required Regeln (Domain + Method + Path-Pattern)
+- [ ] Grant-Check gegen IdP API (`@openape/grants` direkt importiert)
+- [ ] Blocking Grant-Request (warte auf Approval)
+- [ ] Audit-Log (JSONL)
+
+### Phase 2 — Multi-Agent & Caching (1-2 Tage)
+Ziel: Produktionsreif für mehrere Agents auf einem Server.
+
+- [ ] Multiple Agent Support (verschiedene Keys, verschiedene Regeln)
+- [ ] Per-Agent Config Profiles
+- [ ] Grant-Caching (Standing Grants + TTL-Grants lokal cachen, kein IdP-Call pro Request)
+- [ ] Connection Pooling (Keep-Alive zu häufig genutzten Upstreams)
+- [ ] Wildcard-Domains + Glob-Patterns in Rules (`*.github.com`, `/repos/*/issues`)
+- [ ] Graceful Shutdown + Auto-Restart
+- [ ] Health Endpoint (`/healthz`)
+- [ ] Systemd / launchd Service Unit
+
+### Phase 3 — Observability & Compliance (1-2 Tage)
+Ziel: Volle Transparenz über Agent-Aktivität im Web.
+
+- [ ] Dashboard UI (Nuxt-App oder in IdP integriert)
+  - Welcher Agent nutzt welche Domains
+  - Traffic-Volumen pro Agent/Domain
+  - Grant-Nutzung (wie oft, wann, welche)
+  - Blocked Requests (was wurde verweigert)
+- [ ] Request/Response-Logging (opt-in, für Audit/Compliance)
+- [ ] Body-Hashing (`cmd_hash` über Request-Body für exakte Bindung)
+- [ ] Metrics-Export (Prometheus/OpenTelemetry)
+- [ ] Rate Limiting (pro Agent, pro Domain — Schutz vor Runaway-Agents)
+- [ ] Alerting (Webhook/Telegram wenn Agent ungewöhnlich viele Requests macht)
+
+### Phase 4 — Ecosystem-Integration
+Ziel: Nahtlose Einbindung in OpenApe und Agent-Runtimes.
+
+- [ ] `@openape/proxy` npm Package (programmatisch starten/konfigurieren)
+- [ ] Integration mit `apes` (ein Setup: Proxy + sudo gemeinsam konfiguriert)
+- [ ] OpenClaw Plugin (Proxy automatisch starten wenn Agent startet)
+- [ ] Agent-Runtime SDKs (Python, Go) — für Agents die nicht auf HTTP_PROXY setzen
+- [ ] Auto-Discovery (Agent fragt IdP: "Welche Domains darf ich?" → Config generieren)
+- [ ] Temporary Bypass Token (Admin kann zeitlich begrenzten "Proxy-Skip" geben für Debugging)
+
+## CLI
+
+```bash
+# Starten
+openape-proxy --config /etc/openape-proxy/config.toml
+
+# Test-Modus (loggt nur, blockiert nicht)
+openape-proxy --config config.toml --dry-run
+
+# Status
+openape-proxy --status
+```
+
+## Zusammenspiel mit dem Ökosystem
+
+| Komponente | Rolle |
+|---|---|
+| `openape-proxy` | Kontrolliert ausgehenden Agent-Traffic |
+| `apes` (openape-sudo) | Kontrolliert lokale Privilege Elevation |
+| `@openape/grants` | Grant-Logik (shared zwischen Proxy und sudo) |
+| `@openape/nuxt-grants` | Web-UI für Grant-Approval |
+| IdP (id.office.or.at) | Zentrale Autorität für Agents + Grants |
+
+**Zusammen:** Ein Agent kann weder lokal (apes) noch im Web (proxy) etwas tun, ohne dass ein Mensch es erlaubt hat.

package/README.md

@@ -0,0 +1,13 @@
+# @openape/proxy
+
+OpenAPE agent HTTP gateway — forward proxy with grant-based access control.
+
+## Installation
+
+```bash
+npm install @openape/proxy
+```
+
+## License
+
+MIT

package/config.example.toml

@@ -0,0 +1,48 @@
+[proxy]
+listen = "127.0.0.1:9090"
+idp_url = "https://id.office.or.at"
+agent_email = "mini-claw@office.or.at"
+default_action = "request"     # block | request | request-async
+audit_log = "./audit.jsonl"
+
+# Always allowed (no grant needed)
+[[allow]]
+domain = "*.openape.at"
+
+[[allow]]
+domain = "api.github.com"
+methods = ["GET"]
+
+[[allow]]
+domain = "registry.npmjs.org"
+
+# Always blocked
+[[deny]]
+domain = "169.254.169.254"
+note = "AWS/cloud metadata endpoint"
+
+[[deny]]
+domain = "*.internal"
+note = "internal network"
+
+# Grant-controlled access
+[[grant_required]]
+domain = "api.github.com"
+methods = ["POST", "PUT", "DELETE", "PATCH"]
+grant_type = "once"
+permissions = ["github:write"]
+
+[[grant_required]]
+domain = "api.openai.com"
+grant_type = "always"
+permissions = ["openai:api"]
+
+[[grant_required]]
+domain = "smtp.gmail.com"
+grant_type = "once"
+permissions = ["email:send"]
+
+# Catch-all: everything else needs a one-time grant
+[[grant_required]]
+domain = "*"
+grant_type = "once"

package/eslint.config.mjs

@@ -0,0 +1,18 @@
+import antfu from '@antfu/eslint-config'
+
+export default antfu({
+  typescript: true,
+  ignores: [
+    '**/dist/**',
+    '**/.nuxt/**',
+    '**/.output/**',
+    '**/.turbo/**',
+    '**/.data/**',
+    '**/target/**',
+  ],
+  rules: {
+    'node/prefer-global/process': 'off',
+    'node/prefer-global/buffer': 'off',
+    'no-new': 'off',
+  },
+})

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@openape/proxy",
+  "type": "module",
+  "version": "0.1.0",
+  "description": "OpenAPE agent HTTP gateway — forward proxy with grant-based access control",
+  "author": "Patrick Hofmann",
+  "license": "MIT",
+  "bin": {
+    "openape-proxy": "./src/index.ts"
+  },
+  "scripts": {
+    "start": "bun run src/index.ts",
+    "dev": "bun run --watch src/index.ts",
+    "build": "tsup",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint ."
+  },
+  "dependencies": {
+    "@openape/core": "^0.1.0",
+    "@openape/grants": "^0.1.0",
+    "jose": "^5.9.0",
+    "smol-toml": "^1.3.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.7.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/openape-ai/proxy.git"
+  }
+}

package/src/audit.ts

@@ -0,0 +1,20 @@
+import { appendFileSync } from 'node:fs'
+import type { AuditEntry } from './types.js'
+
+let auditPath: string | undefined
+
+export function initAudit(path?: string): void {
+  auditPath = path
+}
+
+export function writeAudit(entry: AuditEntry): void {
+  const line = JSON.stringify(entry)
+
+  // Always log to stderr
+  console.error(`[audit] ${entry.action} ${entry.method} ${entry.domain}${entry.path}${entry.grant_id ? ` grant=${entry.grant_id}` : ''}`)
+
+  // Write to file if configured
+  if (auditPath) {
+    appendFileSync(auditPath, line + '\n')
+  }
+}

package/src/auth.ts

@@ -0,0 +1,38 @@
+import { verifyJWT, createRemoteJWKS } from '@openape/core'
+
+export interface AgentIdentity {
+  email: string
+  act: 'agent'
+}
+
+/**
+ * Verify agent JWT from Proxy-Authorization header.
+ * Returns the agent identity or null if invalid.
+ */
+export async function verifyAgentAuth(
+  authHeader: string | null,
+  idpUrl: string,
+): Promise<AgentIdentity | null> {
+  if (!authHeader) return null
+
+  const match = authHeader.match(/^Bearer\s+(.+)$/i)
+  if (!match) return null
+
+  const token = match[1]
+
+  try {
+    const jwks = createRemoteJWKS(`${idpUrl}/.well-known/jwks.json`)
+    const { payload } = await verifyJWT(token, jwks, { issuer: idpUrl })
+
+    if (payload.act !== 'agent' || !payload.sub) {
+      return null
+    }
+
+    return {
+      email: payload.sub as string,
+      act: 'agent',
+    }
+  } catch {
+    return null
+  }
+}

package/src/config.ts

@@ -0,0 +1,28 @@
+import { readFileSync } from 'node:fs'
+import { parse as parseTOML } from 'smol-toml'
+import type { ProxyConfig } from './types.js'
+
+export function loadConfig(path: string): ProxyConfig {
+  const raw = readFileSync(path, 'utf-8')
+
+  let parsed: Record<string, unknown>
+  if (path.endsWith('.json')) {
+    parsed = JSON.parse(raw)
+  } else {
+    parsed = parseTOML(raw) as Record<string, unknown>
+  }
+
+  const proxy = parsed.proxy as ProxyConfig['proxy']
+  if (!proxy?.listen || !proxy?.idp_url || !proxy?.agent_email) {
+    throw new Error('Config must have [proxy] with listen, idp_url, and agent_email')
+  }
+
+  proxy.default_action ??= 'block'
+
+  return {
+    proxy,
+    allow: (parsed.allow ?? []) as ProxyConfig['allow'],
+    deny: (parsed.deny ?? []) as ProxyConfig['deny'],
+    grant_required: (parsed.grant_required ?? []) as ProxyConfig['grant_required'],
+  }
+}

package/src/grants-client.ts

@@ -0,0 +1,118 @@
+import type { OpenApeGrant, GrantType } from '@openape/core'
+
+/**
+ * Client for the IdP's grant management API.
+ * Creates grant requests and polls for approval.
+ */
+export class GrantsClient {
+  private idpUrl: string
+  private agentToken: string | undefined
+
+  constructor(idpUrl: string) {
+    this.idpUrl = idpUrl.replace(/\/$/, '')
+  }
+
+  setAgentToken(token: string): void {
+    this.agentToken = token
+  }
+
+  private headers(): Record<string, string> {
+    const h: Record<string, string> = { 'Content-Type': 'application/json' }
+    if (this.agentToken) {
+      h['Authorization'] = `Bearer ${this.agentToken}`
+    }
+    return h
+  }
+
+  /**
+   * Create a grant request on the IdP.
+   */
+  async requestGrant(opts: {
+    requester: string
+    target: string
+    grantType: GrantType
+    permissions?: string[]
+    reason?: string
+    duration?: number
+  }): Promise<OpenApeGrant> {
+    const res = await fetch(`${this.idpUrl}/api/grants`, {
+      method: 'POST',
+      headers: this.headers(),
+      body: JSON.stringify({
+        requester: opts.requester,
+        target: opts.target,
+        grant_type: opts.grantType,
+        permissions: opts.permissions,
+        reason: opts.reason,
+        duration: opts.duration,
+      }),
+    })
+
+    if (!res.ok) {
+      throw new Error(`Grant request failed: ${res.status} ${await res.text()}`)
+    }
+
+    return res.json() as Promise<OpenApeGrant>
+  }
+
+  /**
+   * Poll a grant until it's approved, denied, or timeout.
+   */
+  async waitForApproval(
+    grantId: string,
+    timeoutMs: number = 300_000,
+    pollIntervalMs: number = 2_000,
+  ): Promise<OpenApeGrant> {
+    const deadline = Date.now() + timeoutMs
+
+    while (Date.now() < deadline) {
+      const res = await fetch(`${this.idpUrl}/api/grants/${grantId}`, {
+        headers: this.headers(),
+      })
+
+      if (!res.ok) {
+        throw new Error(`Grant poll failed: ${res.status}`)
+      }
+
+      const grant = await res.json() as OpenApeGrant
+      if (grant.status !== 'pending') {
+        return grant
+      }
+
+      await new Promise(r => setTimeout(r, pollIntervalMs))
+    }
+
+    throw new Error(`Grant approval timed out after ${timeoutMs}ms`)
+  }
+
+  /**
+   * Check if there's an existing approved grant for a domain+permissions combo.
+   */
+  async findExistingGrant(
+    requester: string,
+    target: string,
+    permissions?: string[],
+  ): Promise<OpenApeGrant | null> {
+    const params = new URLSearchParams({
+      requester,
+      target,
+      status: 'approved',
+    })
+    if (permissions?.length) {
+      params.set('permissions', permissions.join(','))
+    }
+
+    const res = await fetch(`${this.idpUrl}/api/grants?${params}`, {
+      headers: this.headers(),
+    })
+
+    if (!res.ok) return null
+
+    const grants = await res.json() as OpenApeGrant[]
+    // Return first active grant
+    return grants.find(g =>
+      g.status === 'approved' &&
+      (!g.expires_at || g.expires_at > Math.floor(Date.now() / 1000))
+    ) ?? null
+  }
+}

package/src/index.ts

@@ -0,0 +1,62 @@
+#!/usr/bin/env bun
+import { parseArgs } from 'node:util'
+import { loadConfig } from './config.js'
+import { createProxy } from './proxy.js'
+import { initAudit } from './audit.js'
+
+const { values } = parseArgs({
+  options: {
+    config: { type: 'string', short: 'c', default: 'config.toml' },
+    'dry-run': { type: 'boolean', default: false },
+  },
+})
+
+const configPath = values.config!
+
+console.log(`[openape-proxy] Loading config from ${configPath}`)
+const config = loadConfig(configPath)
+
+// Init audit log
+initAudit(config.proxy.audit_log)
+
+if (values['dry-run']) {
+  console.log('[openape-proxy] DRY RUN mode — logging only, not blocking')
+  // In dry-run mode, we could override deny rules to just log
+  // For now, just print config and exit
+  console.log('[openape-proxy] Config loaded:')
+  console.log(`  Listen: ${config.proxy.listen}`)
+  console.log(`  IdP: ${config.proxy.idp_url}`)
+  console.log(`  Agent: ${config.proxy.agent_email}`)
+  console.log(`  Default action: ${config.proxy.default_action}`)
+  console.log(`  Allow rules: ${config.allow.length}`)
+  console.log(`  Deny rules: ${config.deny.length}`)
+  console.log(`  Grant rules: ${config.grant_required.length}`)
+  process.exit(0)
+}
+
+const proxy = createProxy(config)
+
+const server = Bun.serve({
+  port: proxy.port,
+  hostname: proxy.hostname,
+  fetch: proxy.fetch,
+})
+
+console.log(`[openape-proxy] 🐾 Listening on http://${server.hostname}:${server.port}`)
+console.log(`[openape-proxy] IdP: ${config.proxy.idp_url}`)
+console.log(`[openape-proxy] Agent: ${config.proxy.agent_email}`)
+console.log(`[openape-proxy] Rules: ${config.allow.length} allow, ${config.deny.length} deny, ${config.grant_required.length} grant-required`)
+console.log(`[openape-proxy] Default action: ${config.proxy.default_action}`)
+
+// Graceful shutdown
+process.on('SIGINT', () => {
+  console.log('\n[openape-proxy] Shutting down...')
+  server.stop()
+  process.exit(0)
+})
+
+process.on('SIGTERM', () => {
+  console.log('[openape-proxy] Shutting down...')
+  server.stop()
+  process.exit(0)
+})

package/src/matcher.ts

@@ -0,0 +1,80 @@
+import type { ProxyConfig, RuleAction, RuleEntry } from './types.js'
+
+/**
+ * Match a glob pattern against a string.
+ * Supports * (any segment) and ** (any number of segments).
+ */
+function globMatch(pattern: string, value: string): boolean {
+  // Simple glob: convert * to regex
+  const regex = new RegExp(
+    '^' +
+    pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')  // escape regex chars except *
+      .replace(/\*\*/g, '<<<DOUBLESTAR>>>')
+      .replace(/\*/g, '[^/]*')
+      .replace(/<<<DOUBLESTAR>>>/g, '.*')
+    + '$'
+  )
+  return regex.test(value)
+}
+
+function matchesRule(rule: RuleEntry, domain: string, method: string, path: string): boolean {
+  // Domain match (supports wildcards like *.github.com)
+  if (!globMatch(rule.domain, domain)) return false
+
+  // Method match (if specified)
+  if (rule.methods && rule.methods.length > 0) {
+    if (!rule.methods.includes(method.toUpperCase())) return false
+  }
+
+  // Path match (if specified)
+  if (rule.path) {
+    if (!globMatch(rule.path, path)) return false
+  }
+
+  return true
+}
+
+/**
+ * Evaluate rules in order: deny → allow → grant_required → default_action
+ */
+export function evaluateRules(
+  config: ProxyConfig,
+  domain: string,
+  method: string,
+  path: string,
+): RuleAction {
+  // 1. Check deny list first
+  for (const rule of config.deny) {
+    if (matchesRule(rule, domain, method, path)) {
+      return { type: 'deny', note: rule.note }
+    }
+  }
+
+  // 2. Check allow list
+  for (const rule of config.allow) {
+    if (matchesRule(rule, domain, method, path)) {
+      return { type: 'allow' }
+    }
+  }
+
+  // 3. Check grant_required rules (most specific first)
+  for (const rule of config.grant_required) {
+    if (matchesRule(rule, domain, method, path)) {
+      return { type: 'grant_required', rule }
+    }
+  }
+
+  // 4. Default: treat as grant_required with 'once'
+  if (config.proxy.default_action === 'block') {
+    return { type: 'deny', note: 'No matching rule (default: block)' }
+  }
+
+  return {
+    type: 'grant_required',
+    rule: {
+      domain: '*',
+      grant_type: 'once',
+    },
+  }
+}

package/src/proxy.ts

@@ -0,0 +1,215 @@
+import type { ProxyConfig, AuditEntry } from './types.js'
+import { evaluateRules } from './matcher.js'
+import { verifyAgentAuth } from './auth.js'
+import { GrantsClient } from './grants-client.js'
+import { writeAudit } from './audit.js'
+
+export function createProxy(config: ProxyConfig) {
+  const grantsClient = new GrantsClient(config.proxy.idp_url)
+
+  return {
+    port: parseInt(config.proxy.listen.split(':')[1] || '9090'),
+    hostname: config.proxy.listen.split(':')[0] || '127.0.0.1',
+
+    async fetch(req: Request): Promise<Response> {
+      const url = new URL(req.url)
+      const startTime = Date.now()
+
+      // Health endpoint
+      if (url.pathname === '/healthz') {
+        return Response.json({ status: 'ok', agent: config.proxy.agent_email })
+      }
+
+      // Parse target URL from the path.
+      // The agent sends: http://proxy:9090/https://api.github.com/repos/x/issues
+      // So the target URL is everything after the first /
+      const targetUrl = url.pathname.slice(1) + url.search
+      let targetParsed: URL
+      try {
+        targetParsed = new URL(targetUrl)
+      } catch {
+        return new Response(
+          'Invalid target URL. Send requests as: http://proxy:port/https://target.com/path',
+          { status: 400 },
+        )
+      }
+
+      const domain = targetParsed.hostname
+      const method = req.method
+      const path = targetParsed.pathname
+
+      // Verify agent identity
+      const agent = await verifyAgentAuth(
+        req.headers.get('proxy-authorization'),
+        config.proxy.idp_url,
+      )
+
+      const agentEmail = agent?.email ?? config.proxy.agent_email
+
+      // Evaluate rules
+      const action = evaluateRules(config, domain, method, path)
+
+      const baseAudit: Omit<AuditEntry, 'action' | 'rule'> = {
+        ts: new Date().toISOString(),
+        agent: agentEmail,
+        domain,
+        method,
+        path,
+      }
+
+      // DENY
+      if (action.type === 'deny') {
+        writeAudit({ ...baseAudit, action: 'deny', rule: 'deny-list', grant_id: null })
+        return new Response(`Blocked: ${action.note || 'deny rule'}`, { status: 403 })
+      }
+
+      // ALLOW (no grant needed)
+      if (action.type === 'allow') {
+        writeAudit({ ...baseAudit, action: 'allow', rule: 'allow-list', grant_id: null })
+        return forwardRequest(req, targetUrl)
+      }
+
+      // GRANT REQUIRED
+      const rule = action.rule
+      const permissions = rule.permissions ?? [`${method.toLowerCase()}:${domain}`]
+
+      // Check for existing grant
+      const existing = await grantsClient.findExistingGrant(
+        agentEmail,
+        domain,
+        permissions,
+      ).catch(() => null)
+
+      if (existing) {
+        writeAudit({
+          ...baseAudit,
+          action: 'grant_approved',
+          rule: 'standing-grant',
+          grant_id: existing.id,
+        })
+        return forwardRequest(req, targetUrl)
+      }
+
+      // No existing grant — behavior depends on default_action
+      if (config.proxy.default_action === 'block') {
+        writeAudit({ ...baseAudit, action: 'deny', rule: 'no-grant (block mode)', grant_id: null })
+        return new Response('No grant — blocked', { status: 403 })
+      }
+
+      if (config.proxy.default_action === 'request-async') {
+        // Create grant request, return 407 immediately
+        const grant = await grantsClient.requestGrant({
+          requester: agentEmail,
+          target: domain,
+          grantType: rule.grant_type,
+          permissions,
+          reason: `${method} ${targetParsed.pathname}`,
+          duration: rule.duration,
+        }).catch(() => null)
+
+        writeAudit({
+          ...baseAudit,
+          action: 'grant_denied',
+          rule: 'grant_required (async)',
+          grant_id: grant?.id ?? null,
+        })
+
+        return new Response(
+          JSON.stringify({
+            error: 'Grant required',
+            grant_id: grant?.id,
+            message: 'Grant request created. Retry after approval.',
+          }),
+          { status: 407, headers: { 'Content-Type': 'application/json' } },
+        )
+      }
+
+      // BLOCKING mode: create grant request and wait
+      console.error(`[proxy] Requesting grant for ${method} ${domain}${path} — waiting for approval...`)
+
+      try {
+        const grant = await grantsClient.requestGrant({
+          requester: agentEmail,
+          target: domain,
+          grantType: rule.grant_type,
+          permissions,
+          reason: `${method} ${targetParsed.pathname}`,
+          duration: rule.duration,
+        })
+
+        const approved = await grantsClient.waitForApproval(grant.id)
+
+        const waitedMs = Date.now() - startTime
+
+        if (approved.status === 'approved') {
+          writeAudit({
+            ...baseAudit,
+            action: 'grant_approved',
+            rule: 'grant_required',
+            grant_id: approved.id,
+            waited_ms: waitedMs,
+          })
+          return forwardRequest(req, targetUrl)
+        }
+
+        writeAudit({
+          ...baseAudit,
+          action: 'grant_denied',
+          rule: 'grant_required',
+          grant_id: approved.id,
+          waited_ms: waitedMs,
+        })
+        return new Response(`Grant denied by ${approved.decided_by}`, { status: 403 })
+
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : 'Unknown error'
+        writeAudit({
+          ...baseAudit,
+          action: 'grant_timeout',
+          rule: 'grant_required',
+          error: msg,
+        })
+        return new Response(`Grant request failed: ${msg}`, { status: 504 })
+      }
+    },
+  }
+}
+
+/**
+ * Forward a request to the target URL.
+ * Strips proxy-specific headers, preserves the rest.
+ */
+async function forwardRequest(originalReq: Request, targetUrl: string): Promise<Response> {
+  const headers = new Headers(originalReq.headers)
+  // Remove proxy-specific headers
+  headers.delete('proxy-authorization')
+  headers.delete('proxy-connection')
+  // Don't send host of the proxy
+  headers.delete('host')
+
+  try {
+    const res = await fetch(targetUrl, {
+      method: originalReq.method,
+      headers,
+      body: originalReq.body,
+      // @ts-expect-error Bun supports duplex
+      duplex: 'half',
+      redirect: 'manual',
+    })
+
+    // Stream the response back
+    const responseHeaders = new Headers(res.headers)
+    // Remove hop-by-hop headers
+    responseHeaders.delete('transfer-encoding')
+    responseHeaders.delete('connection')
+
+    return new Response(res.body, {
+      status: res.status,
+      statusText: res.statusText,
+      headers: responseHeaders,
+    })
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : 'Upstream error'
+    return new Response(`Proxy error: ${msg}`, { status: 502 })
+  }
+}

package/src/types.ts

@@ -0,0 +1,44 @@
+/** Proxy configuration (parsed from TOML/JSON) */
+export interface ProxyConfig {
+  proxy: {
+    listen: string
+    idp_url: string
+    agent_email: string
+    default_action: 'block' | 'request' | 'request-async'
+    audit_log?: string
+  }
+  allow: RuleEntry[]
+  deny: RuleEntry[]
+  grant_required: GrantRuleEntry[]
+}
+
+export interface RuleEntry {
+  domain: string
+  methods?: string[]
+  path?: string
+  note?: string
+}
+
+export interface GrantRuleEntry extends RuleEntry {
+  grant_type: 'once' | 'timed' | 'always'
+  permissions?: string[]
+  duration?: number
+}
+
+export type RuleAction =
+  | { type: 'allow' }
+  | { type: 'deny'; note?: string }
+  | { type: 'grant_required'; rule: GrantRuleEntry }
+
+export interface AuditEntry {
+  ts: string
+  agent: string
+  action: 'allow' | 'deny' | 'grant_approved' | 'grant_denied' | 'grant_timeout' | 'error'
+  domain: string
+  method: string
+  path: string
+  grant_id?: string | null
+  rule: string
+  waited_ms?: number
+  error?: string
+}

package/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src"],
+  "exclude": ["node_modules", "dist"]
+}

package/tsup.config.ts

@@ -0,0 +1,9 @@
+import { defineConfig } from 'tsup'
+
+export default defineConfig({
+  entry: ['src/index.ts'],
+  format: ['esm', 'cjs'],
+  dts: false,
+  clean: true,
+  sourcemap: true,
+})