@openape/proxy 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/.changeset/README.md +3 -0
  2. package/.changeset/config.json +10 -0
  3. package/.github/workflows/ci.yml +47 -0
  4. package/.github/workflows/release.yml +53 -0
  5. package/.github/workflows/security.yml +46 -0
  6. package/.nvmrc +1 -0
  7. package/LICENSE +242 -21
  8. package/README.md +141 -2
  9. package/bun.lock +229 -0
  10. package/config.toml +35 -0
  11. package/eslint.config.mjs +32 -0
  12. package/package.json +16 -4
  13. package/pnpm-workspace.yaml +7 -0
  14. package/src/auth.ts +23 -4
  15. package/src/config.ts +58 -2
  16. package/src/connect.ts +111 -0
  17. package/src/grants-client.ts +22 -9
  18. package/src/index.ts +30 -23
  19. package/src/proxy.ts +212 -30
  20. package/src/ssrf.ts +85 -0
  21. package/src/types.ts +22 -1
  22. package/test/auth.test.ts +57 -0
  23. package/test/connect.test.ts +131 -0
  24. package/test/matcher.test.ts +46 -0
  25. package/test/multi-agent.test.ts +122 -0
  26. package/test/ssrf.test.ts +73 -0
  27. package/vitest.config.ts +7 -0
package/bun.lock ADDED
@@ -0,0 +1,229 @@
1
+ {
2
+ "lockfileVersion": 1,
3
+ "configVersion": 1,
4
+ "workspaces": {
5
+ "": {
6
+ "name": "@openape/proxy",
7
+ "dependencies": {
8
+ "@openape/core": "^0.1.0",
9
+ "@openape/grants": "^0.1.0",
10
+ "jose": "^5.9.0",
11
+ "smol-toml": "^1.3.0",
12
+ },
13
+ "devDependencies": {
14
+ "@types/node": "^22.0.0",
15
+ "tsup": "^8.3.0",
16
+ "typescript": "^5.7.0",
17
+ },
18
+ },
19
+ },
20
+ "packages": {
21
+ "@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.27.3", "", { "os": "aix", "cpu": "ppc64" }, "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg=="],
22
+
23
+ "@esbuild/android-arm": ["@esbuild/android-arm@0.27.3", "", { "os": "android", "cpu": "arm" }, "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA=="],
24
+
25
+ "@esbuild/android-arm64": ["@esbuild/android-arm64@0.27.3", "", { "os": "android", "cpu": "arm64" }, "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg=="],
26
+
27
+ "@esbuild/android-x64": ["@esbuild/android-x64@0.27.3", "", { "os": "android", "cpu": "x64" }, "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ=="],
28
+
29
+ "@esbuild/darwin-arm64": ["@esbuild/darwin-arm64@0.27.3", "", { "os": "darwin", "cpu": "arm64" }, "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg=="],
30
+
31
+ "@esbuild/darwin-x64": ["@esbuild/darwin-x64@0.27.3", "", { "os": "darwin", "cpu": "x64" }, "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg=="],
32
+
33
+ "@esbuild/freebsd-arm64": ["@esbuild/freebsd-arm64@0.27.3", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w=="],
34
+
35
+ "@esbuild/freebsd-x64": ["@esbuild/freebsd-x64@0.27.3", "", { "os": "freebsd", "cpu": "x64" }, "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA=="],
36
+
37
+ "@esbuild/linux-arm": ["@esbuild/linux-arm@0.27.3", "", { "os": "linux", "cpu": "arm" }, "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw=="],
38
+
39
+ "@esbuild/linux-arm64": ["@esbuild/linux-arm64@0.27.3", "", { "os": "linux", "cpu": "arm64" }, "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg=="],
40
+
41
+ "@esbuild/linux-ia32": ["@esbuild/linux-ia32@0.27.3", "", { "os": "linux", "cpu": "ia32" }, "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg=="],
42
+
43
+ "@esbuild/linux-loong64": ["@esbuild/linux-loong64@0.27.3", "", { "os": "linux", "cpu": "none" }, "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA=="],
44
+
45
+ "@esbuild/linux-mips64el": ["@esbuild/linux-mips64el@0.27.3", "", { "os": "linux", "cpu": "none" }, "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw=="],
46
+
47
+ "@esbuild/linux-ppc64": ["@esbuild/linux-ppc64@0.27.3", "", { "os": "linux", "cpu": "ppc64" }, "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA=="],
48
+
49
+ "@esbuild/linux-riscv64": ["@esbuild/linux-riscv64@0.27.3", "", { "os": "linux", "cpu": "none" }, "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ=="],
50
+
51
+ "@esbuild/linux-s390x": ["@esbuild/linux-s390x@0.27.3", "", { "os": "linux", "cpu": "s390x" }, "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw=="],
52
+
53
+ "@esbuild/linux-x64": ["@esbuild/linux-x64@0.27.3", "", { "os": "linux", "cpu": "x64" }, "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA=="],
54
+
55
+ "@esbuild/netbsd-arm64": ["@esbuild/netbsd-arm64@0.27.3", "", { "os": "none", "cpu": "arm64" }, "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA=="],
56
+
57
+ "@esbuild/netbsd-x64": ["@esbuild/netbsd-x64@0.27.3", "", { "os": "none", "cpu": "x64" }, "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA=="],
58
+
59
+ "@esbuild/openbsd-arm64": ["@esbuild/openbsd-arm64@0.27.3", "", { "os": "openbsd", "cpu": "arm64" }, "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw=="],
60
+
61
+ "@esbuild/openbsd-x64": ["@esbuild/openbsd-x64@0.27.3", "", { "os": "openbsd", "cpu": "x64" }, "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ=="],
62
+
63
+ "@esbuild/openharmony-arm64": ["@esbuild/openharmony-arm64@0.27.3", "", { "os": "none", "cpu": "arm64" }, "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g=="],
64
+
65
+ "@esbuild/sunos-x64": ["@esbuild/sunos-x64@0.27.3", "", { "os": "sunos", "cpu": "x64" }, "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA=="],
66
+
67
+ "@esbuild/win32-arm64": ["@esbuild/win32-arm64@0.27.3", "", { "os": "win32", "cpu": "arm64" }, "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA=="],
68
+
69
+ "@esbuild/win32-ia32": ["@esbuild/win32-ia32@0.27.3", "", { "os": "win32", "cpu": "ia32" }, "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q=="],
70
+
71
+ "@esbuild/win32-x64": ["@esbuild/win32-x64@0.27.3", "", { "os": "win32", "cpu": "x64" }, "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA=="],
72
+
73
+ "@jridgewell/gen-mapping": ["@jridgewell/gen-mapping@0.3.13", "", { "dependencies": { "@jridgewell/sourcemap-codec": "1.5.5", "@jridgewell/trace-mapping": "0.3.31" } }, "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA=="],
74
+
75
+ "@jridgewell/resolve-uri": ["@jridgewell/resolve-uri@3.1.2", "", {}, "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw=="],
76
+
77
+ "@jridgewell/sourcemap-codec": ["@jridgewell/sourcemap-codec@1.5.5", "", {}, "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og=="],
78
+
79
+ "@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "3.1.2", "@jridgewell/sourcemap-codec": "1.5.5" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="],
80
+
81
+ "@openape/core": ["@openape/core@0.1.0", "", { "dependencies": { "jose": "5.10.0" } }, "sha512-+mxUHuhgVAcwoNkWsefDLLfyiK+RK42GfuK8+XIK22bpL2d3pavFBTG2l+c2gnEOp+mJIPdLoOqeVvA42qLOmw=="],
82
+
83
+ "@openape/grants": ["@openape/grants@0.1.0", "", { "dependencies": { "@openape/core": "0.1.0", "jose": "5.10.0" } }, "sha512-qVUyXx4qWAd26uK+BnQnswXTN1v2UttI+/zMg6mzjf8H9c9OLd3rrFaSCuSDpSivxD96LO8N3QAerR3Hf+EiNQ=="],
84
+
85
+ "@rollup/rollup-android-arm-eabi": ["@rollup/rollup-android-arm-eabi@4.59.0", "", { "os": "android", "cpu": "arm" }, "sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg=="],
86
+
87
+ "@rollup/rollup-android-arm64": ["@rollup/rollup-android-arm64@4.59.0", "", { "os": "android", "cpu": "arm64" }, "sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q=="],
88
+
89
+ "@rollup/rollup-darwin-arm64": ["@rollup/rollup-darwin-arm64@4.59.0", "", { "os": "darwin", "cpu": "arm64" }, "sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg=="],
90
+
91
+ "@rollup/rollup-darwin-x64": ["@rollup/rollup-darwin-x64@4.59.0", "", { "os": "darwin", "cpu": "x64" }, "sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w=="],
92
+
93
+ "@rollup/rollup-freebsd-arm64": ["@rollup/rollup-freebsd-arm64@4.59.0", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA=="],
94
+
95
+ "@rollup/rollup-freebsd-x64": ["@rollup/rollup-freebsd-x64@4.59.0", "", { "os": "freebsd", "cpu": "x64" }, "sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg=="],
96
+
97
+ "@rollup/rollup-linux-arm-gnueabihf": ["@rollup/rollup-linux-arm-gnueabihf@4.59.0", "", { "os": "linux", "cpu": "arm" }, "sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw=="],
98
+
99
+ "@rollup/rollup-linux-arm-musleabihf": ["@rollup/rollup-linux-arm-musleabihf@4.59.0", "", { "os": "linux", "cpu": "arm" }, "sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA=="],
100
+
101
+ "@rollup/rollup-linux-arm64-gnu": ["@rollup/rollup-linux-arm64-gnu@4.59.0", "", { "os": "linux", "cpu": "arm64" }, "sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA=="],
102
+
103
+ "@rollup/rollup-linux-arm64-musl": ["@rollup/rollup-linux-arm64-musl@4.59.0", "", { "os": "linux", "cpu": "arm64" }, "sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA=="],
104
+
105
+ "@rollup/rollup-linux-loong64-gnu": ["@rollup/rollup-linux-loong64-gnu@4.59.0", "", { "os": "linux", "cpu": "none" }, "sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg=="],
106
+
107
+ "@rollup/rollup-linux-loong64-musl": ["@rollup/rollup-linux-loong64-musl@4.59.0", "", { "os": "linux", "cpu": "none" }, "sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q=="],
108
+
109
+ "@rollup/rollup-linux-ppc64-gnu": ["@rollup/rollup-linux-ppc64-gnu@4.59.0", "", { "os": "linux", "cpu": "ppc64" }, "sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA=="],
110
+
111
+ "@rollup/rollup-linux-ppc64-musl": ["@rollup/rollup-linux-ppc64-musl@4.59.0", "", { "os": "linux", "cpu": "ppc64" }, "sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA=="],
112
+
113
+ "@rollup/rollup-linux-riscv64-gnu": ["@rollup/rollup-linux-riscv64-gnu@4.59.0", "", { "os": "linux", "cpu": "none" }, "sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg=="],
114
+
115
+ "@rollup/rollup-linux-riscv64-musl": ["@rollup/rollup-linux-riscv64-musl@4.59.0", "", { "os": "linux", "cpu": "none" }, "sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg=="],
116
+
117
+ "@rollup/rollup-linux-s390x-gnu": ["@rollup/rollup-linux-s390x-gnu@4.59.0", "", { "os": "linux", "cpu": "s390x" }, "sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w=="],
118
+
119
+ "@rollup/rollup-linux-x64-gnu": ["@rollup/rollup-linux-x64-gnu@4.59.0", "", { "os": "linux", "cpu": "x64" }, "sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg=="],
120
+
121
+ "@rollup/rollup-linux-x64-musl": ["@rollup/rollup-linux-x64-musl@4.59.0", "", { "os": "linux", "cpu": "x64" }, "sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg=="],
122
+
123
+ "@rollup/rollup-openbsd-x64": ["@rollup/rollup-openbsd-x64@4.59.0", "", { "os": "openbsd", "cpu": "x64" }, "sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ=="],
124
+
125
+ "@rollup/rollup-openharmony-arm64": ["@rollup/rollup-openharmony-arm64@4.59.0", "", { "os": "none", "cpu": "arm64" }, "sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA=="],
126
+
127
+ "@rollup/rollup-win32-arm64-msvc": ["@rollup/rollup-win32-arm64-msvc@4.59.0", "", { "os": "win32", "cpu": "arm64" }, "sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A=="],
128
+
129
+ "@rollup/rollup-win32-ia32-msvc": ["@rollup/rollup-win32-ia32-msvc@4.59.0", "", { "os": "win32", "cpu": "ia32" }, "sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA=="],
130
+
131
+ "@rollup/rollup-win32-x64-gnu": ["@rollup/rollup-win32-x64-gnu@4.59.0", "", { "os": "win32", "cpu": "x64" }, "sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA=="],
132
+
133
+ "@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.59.0", "", { "os": "win32", "cpu": "x64" }, "sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA=="],
134
+
135
+ "@types/estree": ["@types/estree@1.0.8", "", {}, "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w=="],
136
+
137
+ "@types/node": ["@types/node@22.19.11", "", { "dependencies": { "undici-types": "6.21.0" } }, "sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w=="],
138
+
139
+ "acorn": ["acorn@8.16.0", "", { "bin": { "acorn": "bin/acorn" } }, "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw=="],
140
+
141
+ "any-promise": ["any-promise@1.3.0", "", {}, "sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A=="],
142
+
143
+ "bundle-require": ["bundle-require@5.1.0", "", { "dependencies": { "load-tsconfig": "0.2.5" }, "peerDependencies": { "esbuild": "0.27.3" } }, "sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA=="],
144
+
145
+ "cac": ["cac@6.7.14", "", {}, "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ=="],
146
+
147
+ "chokidar": ["chokidar@4.0.3", "", { "dependencies": { "readdirp": "4.1.2" } }, "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA=="],
148
+
149
+ "commander": ["commander@4.1.1", "", {}, "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA=="],
150
+
151
+ "confbox": ["confbox@0.1.8", "", {}, "sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w=="],
152
+
153
+ "consola": ["consola@3.4.2", "", {}, "sha512-5IKcdX0nnYavi6G7TtOhwkYzyjfJlatbjMjuLSfE2kYT5pMDOilZ4OvMhi637CcDICTmz3wARPoyhqyX1Y+XvA=="],
154
+
155
+ "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
156
+
157
+ "esbuild": ["esbuild@0.27.3", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.27.3", "@esbuild/android-arm": "0.27.3", "@esbuild/android-arm64": "0.27.3", "@esbuild/android-x64": "0.27.3", "@esbuild/darwin-arm64": "0.27.3", "@esbuild/darwin-x64": "0.27.3", "@esbuild/freebsd-arm64": "0.27.3", "@esbuild/freebsd-x64": "0.27.3", "@esbuild/linux-arm": "0.27.3", "@esbuild/linux-arm64": "0.27.3", "@esbuild/linux-ia32": "0.27.3", "@esbuild/linux-loong64": "0.27.3", "@esbuild/linux-mips64el": "0.27.3", "@esbuild/linux-ppc64": "0.27.3", "@esbuild/linux-riscv64": "0.27.3", "@esbuild/linux-s390x": "0.27.3", "@esbuild/linux-x64": "0.27.3", "@esbuild/netbsd-arm64": "0.27.3", "@esbuild/netbsd-x64": "0.27.3", "@esbuild/openbsd-arm64": "0.27.3", "@esbuild/openbsd-x64": "0.27.3", "@esbuild/openharmony-arm64": "0.27.3", "@esbuild/sunos-x64": "0.27.3", "@esbuild/win32-arm64": "0.27.3", "@esbuild/win32-ia32": "0.27.3", "@esbuild/win32-x64": "0.27.3" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg=="],
158
+
159
+ "fdir": ["fdir@6.5.0", "", { "optionalDependencies": { "picomatch": "4.0.3" } }, "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg=="],
160
+
161
+ "fix-dts-default-cjs-exports": ["fix-dts-default-cjs-exports@1.0.1", "", { "dependencies": { "magic-string": "0.30.21", "mlly": "1.8.0", "rollup": "4.59.0" } }, "sha512-pVIECanWFC61Hzl2+oOCtoJ3F17kglZC/6N94eRWycFgBH35hHx0Li604ZIzhseh97mf2p0cv7vVrOZGoqhlEg=="],
162
+
163
+ "fsevents": ["fsevents@2.3.3", "", { "os": "darwin" }, "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw=="],
164
+
165
+ "jose": ["jose@5.10.0", "", {}, "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg=="],
166
+
167
+ "joycon": ["joycon@3.1.1", "", {}, "sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw=="],
168
+
169
+ "lilconfig": ["lilconfig@3.1.3", "", {}, "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw=="],
170
+
171
+ "lines-and-columns": ["lines-and-columns@1.2.4", "", {}, "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg=="],
172
+
173
+ "load-tsconfig": ["load-tsconfig@0.2.5", "", {}, "sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg=="],
174
+
175
+ "magic-string": ["magic-string@0.30.21", "", { "dependencies": { "@jridgewell/sourcemap-codec": "1.5.5" } }, "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ=="],
176
+
177
+ "mlly": ["mlly@1.8.0", "", { "dependencies": { "acorn": "8.16.0", "pathe": "2.0.3", "pkg-types": "1.3.1", "ufo": "1.6.3" } }, "sha512-l8D9ODSRWLe2KHJSifWGwBqpTZXIXTeo8mlKjY+E2HAakaTeNpqAyBZ8GSqLzHgw4XmHmC8whvpjJNMbFZN7/g=="],
178
+
179
+ "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
180
+
181
+ "mz": ["mz@2.7.0", "", { "dependencies": { "any-promise": "1.3.0", "object-assign": "4.1.1", "thenify-all": "1.6.0" } }, "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q=="],
182
+
183
+ "object-assign": ["object-assign@4.1.1", "", {}, "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="],
184
+
185
+ "pathe": ["pathe@2.0.3", "", {}, "sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w=="],
186
+
187
+ "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="],
188
+
189
+ "picomatch": ["picomatch@4.0.3", "", {}, "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q=="],
190
+
191
+ "pirates": ["pirates@4.0.7", "", {}, "sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA=="],
192
+
193
+ "pkg-types": ["pkg-types@1.3.1", "", { "dependencies": { "confbox": "0.1.8", "mlly": "1.8.0", "pathe": "2.0.3" } }, "sha512-/Jm5M4RvtBFVkKWRu2BLUTNP8/M2a+UwuAX+ae4770q1qVGtfjG+WTCupoZixokjmHiry8uI+dlY8KXYV5HVVQ=="],
194
+
195
+ "postcss-load-config": ["postcss-load-config@6.0.1", "", { "dependencies": { "lilconfig": "3.1.3" } }, "sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g=="],
196
+
197
+ "readdirp": ["readdirp@4.1.2", "", {}, "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg=="],
198
+
199
+ "resolve-from": ["resolve-from@5.0.0", "", {}, "sha512-qYg9KP24dD5qka9J47d0aVky0N+b4fTU89LN9iDnjB5waksiC49rvMB0PrUJQGoTmH50XPiqOvAjDfaijGxYZw=="],
200
+
201
+ "rollup": ["rollup@4.59.0", "", { "dependencies": { "@types/estree": "1.0.8" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.59.0", "@rollup/rollup-android-arm64": "4.59.0", "@rollup/rollup-darwin-arm64": "4.59.0", "@rollup/rollup-darwin-x64": "4.59.0", "@rollup/rollup-freebsd-arm64": "4.59.0", "@rollup/rollup-freebsd-x64": "4.59.0", "@rollup/rollup-linux-arm-gnueabihf": "4.59.0", "@rollup/rollup-linux-arm-musleabihf": "4.59.0", "@rollup/rollup-linux-arm64-gnu": "4.59.0", "@rollup/rollup-linux-arm64-musl": "4.59.0", "@rollup/rollup-linux-loong64-gnu": "4.59.0", "@rollup/rollup-linux-loong64-musl": "4.59.0", "@rollup/rollup-linux-ppc64-gnu": "4.59.0", "@rollup/rollup-linux-ppc64-musl": "4.59.0", "@rollup/rollup-linux-riscv64-gnu": "4.59.0", "@rollup/rollup-linux-riscv64-musl": "4.59.0", "@rollup/rollup-linux-s390x-gnu": "4.59.0", "@rollup/rollup-linux-x64-gnu": "4.59.0", "@rollup/rollup-linux-x64-musl": "4.59.0", "@rollup/rollup-openbsd-x64": "4.59.0", "@rollup/rollup-openharmony-arm64": "4.59.0", "@rollup/rollup-win32-arm64-msvc": "4.59.0", "@rollup/rollup-win32-ia32-msvc": "4.59.0", "@rollup/rollup-win32-x64-gnu": "4.59.0", "@rollup/rollup-win32-x64-msvc": "4.59.0", "fsevents": "2.3.3" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg=="],
202
+
203
+ "smol-toml": ["smol-toml@1.6.0", "", {}, "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw=="],
204
+
205
+ "source-map": ["source-map@0.7.6", "", {}, "sha512-i5uvt8C3ikiWeNZSVZNWcfZPItFQOsYTUAOkcUPGd8DqDy1uOUikjt5dG+uRlwyvR108Fb9DOd4GvXfT0N2/uQ=="],
206
+
207
+ "sucrase": ["sucrase@3.35.1", "", { "dependencies": { "@jridgewell/gen-mapping": "0.3.13", "commander": "4.1.1", "lines-and-columns": "1.2.4", "mz": "2.7.0", "pirates": "4.0.7", "tinyglobby": "0.2.15", "ts-interface-checker": "0.1.13" }, "bin": { "sucrase": "bin/sucrase", "sucrase-node": "bin/sucrase-node" } }, "sha512-DhuTmvZWux4H1UOnWMB3sk0sbaCVOoQZjv8u1rDoTV0HTdGem9hkAZtl4JZy8P2z4Bg0nT+YMeOFyVr4zcG5Tw=="],
208
+
209
+ "thenify": ["thenify@3.3.1", "", { "dependencies": { "any-promise": "1.3.0" } }, "sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw=="],
210
+
211
+ "thenify-all": ["thenify-all@1.6.0", "", { "dependencies": { "thenify": "3.3.1" } }, "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA=="],
212
+
213
+ "tinyexec": ["tinyexec@0.3.2", "", {}, "sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA=="],
214
+
215
+ "tinyglobby": ["tinyglobby@0.2.15", "", { "dependencies": { "fdir": "6.5.0", "picomatch": "4.0.3" } }, "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ=="],
216
+
217
+ "tree-kill": ["tree-kill@1.2.2", "", { "bin": { "tree-kill": "cli.js" } }, "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A=="],
218
+
219
+ "ts-interface-checker": ["ts-interface-checker@0.1.13", "", {}, "sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA=="],
220
+
221
+ "tsup": ["tsup@8.5.1", "", { "dependencies": { "bundle-require": "5.1.0", "cac": "6.7.14", "chokidar": "4.0.3", "consola": "3.4.2", "debug": "4.4.3", "esbuild": "0.27.3", "fix-dts-default-cjs-exports": "1.0.1", "joycon": "3.1.1", "picocolors": "1.1.1", "postcss-load-config": "6.0.1", "resolve-from": "5.0.0", "rollup": "4.59.0", "source-map": "0.7.6", "sucrase": "3.35.1", "tinyexec": "0.3.2", "tinyglobby": "0.2.15", "tree-kill": "1.2.2" }, "optionalDependencies": { "typescript": "5.9.3" }, "bin": { "tsup": "dist/cli-default.js", "tsup-node": "dist/cli-node.js" } }, "sha512-xtgkqwdhpKWr3tKPmCkvYmS9xnQK3m3XgxZHwSUjvfTjp7YfXe5tT3GgWi0F2N+ZSMsOeWeZFh7ZZFg5iPhing=="],
222
+
223
+ "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
224
+
225
+ "ufo": ["ufo@1.6.3", "", {}, "sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q=="],
226
+
227
+ "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
228
+ }
229
+ }
package/config.toml ADDED
@@ -0,0 +1,35 @@
1
+ [proxy]
2
+ listen = "127.0.0.1:9090"
3
+ idp_url = "https://id.test.openape.at"
4
+ agent_email = "openclaw@macmini.local"
5
+ default_action = "block"
6
+ audit_log = "/tmp/openape-proxy-audit.log"
7
+
8
+ # Free access - no grant needed
9
+ [[allow]]
10
+ domain = "httpbin.org"
11
+ methods = ["GET"]
12
+ note = "Test endpoint - GET always allowed"
13
+
14
+ [[allow]]
15
+ domain = "api.github.com"
16
+ methods = ["GET"]
17
+ note = "GitHub API read-only - allowed"
18
+
19
+ # Blocked domains
20
+ [[deny]]
21
+ domain = "evil.example.com"
22
+ note = "Blocked domain"
23
+
24
+ # Needs human approval
25
+ [[grant_required]]
26
+ domain = "api.github.com"
27
+ methods = ["POST", "PUT", "DELETE"]
28
+ grant_type = "allow_once"
29
+ note = "GitHub API write operations need approval"
30
+
31
+ [[grant_required]]
32
+ domain = "httpbin.org"
33
+ methods = ["POST"]
34
+ grant_type = "allow_once"
35
+ note = "POST to httpbin needs approval"
package/eslint.config.mjs CHANGED
@@ -9,10 +9,42 @@ export default antfu({
9
9
  '**/.turbo/**',
10
10
  '**/.data/**',
11
11
  '**/target/**',
12
+ '**/*.md',
13
+ '**/*.toml',
14
+ '**/*.json',
12
15
  ],
13
16
  rules: {
14
17
  'node/prefer-global/process': 'off',
15
18
  'node/prefer-global/buffer': 'off',
16
19
  'no-new': 'off',
20
+ 'no-console': 'off',
21
+ 'no-alert': 'off',
22
+ 'dot-notation': 'off',
23
+ 'prefer-template': 'off',
24
+ 'style/brace-style': 'off',
25
+ 'style/max-statements-per-line': 'off',
26
+ 'style/no-multi-spaces': 'off',
27
+ 'style/quote-props': 'off',
28
+ 'style/operator-linebreak': 'off',
29
+ 'style/indent-binary-ops': 'off',
30
+ 'style/comma-dangle': 'off',
31
+ 'style/padded-blocks': 'off',
32
+ 'style/member-delimiter-style': 'off',
33
+ 'antfu/if-newline': 'off',
34
+ 'antfu/top-level-function': 'off',
35
+ 'antfu/consistent-list-newline': 'off',
36
+ 'ts/method-signature-style': 'off',
37
+ 'unused-imports/no-unused-imports': 'off',
38
+ 'regexp/no-super-linear-backtracking': 'off',
39
+ 'perfectionist/sort-imports': 'off',
40
+ 'perfectionist/sort-named-imports': 'off',
41
+ 'perfectionist/sort-named-exports': 'off',
42
+ 'perfectionist/sort-exports': 'off',
43
+ 'import/no-duplicates': 'off',
44
+ 'unicorn/prefer-number-properties': 'off',
45
+ 'jsonc/sort-keys': 'off',
46
+ 'markdown/fenced-code-language': 'off',
47
+ 'toml/array-bracket-spacing': 'off',
48
+ 'toml/array-element-newline': 'off',
17
49
  },
18
50
  })
package/package.json CHANGED
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "name": "@openape/proxy",
3
3
  "type": "module",
4
- "version": "0.1.1",
4
+ "version": "0.2.0",
5
5
  "description": "OpenApe agent HTTP gateway — forward proxy with grant-based access control",
6
6
  "author": "Patrick Hofmann",
7
- "license": "MIT",
7
+ "license": "AGPL-3.0-or-later",
8
8
  "bin": {
9
9
  "openape-proxy": "./src/index.ts"
10
10
  },
@@ -13,7 +13,11 @@
13
13
  "dev": "bun run --watch src/index.ts",
14
14
  "build": "tsup",
15
15
  "typecheck": "tsc --noEmit",
16
- "lint": "eslint ."
16
+ "lint": "eslint .",
17
+ "test": "vitest run --passWithNoTests",
18
+ "changeset": "changeset",
19
+ "version-packages": "changeset version",
20
+ "release": "npm pack --dry-run && npm publish --provenance --access public"
17
21
  },
18
22
  "dependencies": {
19
23
  "@openape/core": "^0.1.0",
@@ -22,9 +26,14 @@
22
26
  "smol-toml": "^1.3.0"
23
27
  },
24
28
  "devDependencies": {
29
+ "@antfu/eslint-config": "^7.6.1",
30
+ "@changesets/cli": "^2.29.7",
31
+ "@types/bun": "^1.3.10",
25
32
  "@types/node": "^22.0.0",
33
+ "eslint": "^9.35.0",
26
34
  "tsup": "^8.3.0",
27
- "typescript": "^5.7.0"
35
+ "typescript": "^5.7.0",
36
+ "vitest": "^3.2.4"
28
37
  },
29
38
  "publishConfig": {
30
39
  "access": "public"
@@ -32,5 +41,8 @@
32
41
  "repository": {
33
42
  "type": "git",
34
43
  "url": "https://github.com/openape-ai/proxy.git"
44
+ },
45
+ "engines": {
46
+ "node": ">=22"
35
47
  }
36
48
  }
package/pnpm-workspace.yaml ADDED
@@ -0,0 +1,7 @@
1
+ shellEmulator: true
2
+
3
+ trustPolicy: no-downgrade
4
+
5
+ overrides:
6
+ '@openape/core': link:../core
7
+ '@openape/grants': link:../grants
package/src/auth.ts CHANGED
@@ -5,18 +5,33 @@ export interface AgentIdentity {
5
5
  act: 'agent'
6
6
  }
7
7
 
8
+ export class AuthError extends Error {
9
+ constructor(message: string) {
10
+ super(message)
11
+ this.name = 'AuthError'
12
+ }
13
+ }
14
+
8
15
  /**
9
16
  * Verify agent JWT from Proxy-Authorization header.
10
- * Returns the agent identity or null if invalid.
17
+ * Returns the agent identity or null if invalid/missing.
18
+ * When mandatory is true, throws AuthError if no valid JWT is provided.
11
19
  */
12
20
  export async function verifyAgentAuth(
13
21
  authHeader: string | null,
14
22
  idpUrl: string,
23
+ mandatory: boolean = false,
15
24
  ): Promise<AgentIdentity | null> {
16
- if (!authHeader) return null
25
+ if (!authHeader) {
26
+ if (mandatory) throw new AuthError('JWT required')
27
+ return null
28
+ }
17
29
 
18
30
  const match = authHeader.match(/^Bearer\s+(.+)$/i)
19
- if (!match) return null
31
+ if (!match) {
32
+ if (mandatory) throw new AuthError('Invalid authorization header')
33
+ return null
34
+ }
20
35
 
21
36
  const token = match[1]
22
37
 
@@ -25,6 +40,7 @@ export async function verifyAgentAuth(
25
40
  const { payload } = await verifyJWT(token, jwks, { issuer: idpUrl })
26
41
 
27
42
  if (payload.act !== 'agent' || !payload.sub) {
43
+ if (mandatory) throw new AuthError('Invalid agent token')
28
44
  return null
29
45
  }
30
46
 
@@ -32,7 +48,10 @@ export async function verifyAgentAuth(
32
48
  email: payload.sub as string,
33
49
  act: 'agent',
34
50
  }
35
- } catch {
51
+ }
52
+ catch (err) {
53
+ if (err instanceof AuthError) throw err
54
+ if (mandatory) throw new AuthError('JWT verification failed')
36
55
  return null
37
56
  }
38
57
  }
package/src/config.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { readFileSync } from 'node:fs'
2
2
  import { parse as parseTOML } from 'smol-toml'
3
- import type { ProxyConfig } from './types.js'
3
+ import type { AgentConfig, MultiAgentProxyConfig, ProxyConfig } from './types.js'
4
4
 
5
5
  export function loadConfig(path: string): ProxyConfig {
6
6
  const raw = readFileSync(path, 'utf-8')
@@ -8,7 +8,8 @@ export function loadConfig(path: string): ProxyConfig {
8
8
  let parsed: Record<string, unknown>
9
9
  if (path.endsWith('.json')) {
10
10
  parsed = JSON.parse(raw)
11
- } else {
11
+ }
12
+ else {
12
13
  parsed = parseTOML(raw) as Record<string, unknown>
13
14
  }
14
15
 
@@ -26,3 +27,58 @@ export function loadConfig(path: string): ProxyConfig {
26
27
  grant_required: (parsed.grant_required ?? []) as ProxyConfig['grant_required'],
27
28
  }
28
29
  }
30
+
31
+ /**
32
+ * Load config as multi-agent format.
33
+ * If the config has an `agents` array, use it directly.
34
+ * Otherwise, convert single-agent format to multi-agent for backward-compat.
35
+ */
36
+ export function loadMultiAgentConfig(path: string, overrides?: { mandatoryAuth?: boolean }): MultiAgentProxyConfig {
37
+ const raw = readFileSync(path, 'utf-8')
38
+
39
+ let parsed: Record<string, unknown>
40
+ if (path.endsWith('.json')) {
41
+ parsed = JSON.parse(raw)
42
+ }
43
+ else {
44
+ parsed = parseTOML(raw) as Record<string, unknown>
45
+ }
46
+
47
+ const proxy = parsed.proxy as Record<string, unknown>
48
+ if (!proxy?.listen) {
49
+ throw new Error('Config must have [proxy] with listen')
50
+ }
51
+
52
+ const baseProxy: MultiAgentProxyConfig['proxy'] = {
53
+ listen: proxy.listen as string,
54
+ default_action: (proxy.default_action as MultiAgentProxyConfig['proxy']['default_action']) ?? 'block',
55
+ audit_log: proxy.audit_log as string | undefined,
56
+ mandatory_auth: overrides?.mandatoryAuth ?? (proxy.mandatory_auth as boolean | undefined),
57
+ }
58
+
59
+ // Multi-agent format: has agents array
60
+ if (Array.isArray(parsed.agents)) {
61
+ return {
62
+ proxy: baseProxy,
63
+ agents: parsed.agents as AgentConfig[],
64
+ }
65
+ }
66
+
67
+ // Single-agent format: convert to multi-agent
68
+ const idpUrl = proxy.idp_url as string
69
+ const agentEmail = proxy.agent_email as string
70
+ if (!idpUrl || !agentEmail) {
71
+ throw new Error('Single-agent config requires proxy.idp_url and proxy.agent_email')
72
+ }
73
+
74
+ return {
75
+ proxy: baseProxy,
76
+ agents: [{
77
+ email: agentEmail,
78
+ idp_url: idpUrl,
79
+ allow: (parsed.allow ?? []) as AgentConfig['allow'],
80
+ deny: (parsed.deny ?? []) as AgentConfig['deny'],
81
+ grant_required: (parsed.grant_required ?? []) as AgentConfig['grant_required'],
82
+ }],
83
+ }
84
+ }
package/src/connect.ts ADDED
@@ -0,0 +1,111 @@
1
+ import type { IncomingMessage } from 'node:http'
2
+ import type { Socket } from 'node:net'
3
+ import { connect } from 'node:net'
4
+ import type { MultiAgentProxyConfig } from './types.js'
5
+ import { AuthError, verifyAgentAuth } from './auth.js'
6
+ import { isPrivateOrLoopback } from './ssrf.js'
7
+ import { writeAudit } from './audit.js'
8
+
9
+ /**
10
+ * Handle HTTP CONNECT requests for tunneling (used by HTTP_PROXY clients).
11
+ * Flow: Auth check → SSRF check → TCP connect → bidirectional pipe.
12
+ */
13
+ export async function handleConnect(
14
+ config: MultiAgentProxyConfig,
15
+ req: IncomingMessage,
16
+ clientSocket: Socket,
17
+ _head: Buffer,
18
+ ): Promise<void> {
19
+ const target = req.url ?? ''
20
+ const [host, portStr] = target.split(':')
21
+ const port = Number.parseInt(portStr || '443')
22
+
23
+ if (!host || !port) {
24
+ clientSocket.write('HTTP/1.1 400 Bad Request\r\n\r\n')
25
+ clientSocket.destroy()
26
+ return
27
+ }
28
+
29
+ const mandatoryAuth = config.proxy.mandatory_auth ?? false
30
+
31
+ // Auth check — CONNECT always requires auth in mandatory mode
32
+ let agentEmail: string | undefined
33
+ try {
34
+ const authHeader = req.headers['proxy-authorization'] as string | undefined
35
+ let identity: { email: string, act: 'agent' } | null = null
36
+
37
+ for (const agentConf of config.agents) {
38
+ identity = await verifyAgentAuth(
39
+ authHeader ?? null,
40
+ agentConf.idp_url,
41
+ mandatoryAuth && config.agents.length === 1,
42
+ )
43
+ if (identity) break
44
+ }
45
+
46
+ if (mandatoryAuth && !identity) {
47
+ throw new AuthError('JWT required')
48
+ }
49
+
50
+ agentEmail = identity?.email
51
+
52
+ // Verify agent is known
53
+ if (agentEmail) {
54
+ const known = config.agents.find(a => a.email === agentEmail)
55
+ if (!known) {
56
+ clientSocket.write('HTTP/1.1 403 Forbidden\r\n\r\n')
57
+ clientSocket.destroy()
58
+ return
59
+ }
60
+ }
61
+ else if (config.agents.length > 1) {
62
+ throw new AuthError('JWT required for multi-agent proxy')
63
+ }
64
+ }
65
+ catch (err) {
66
+ if (err instanceof AuthError) {
67
+ clientSocket.write('HTTP/1.1 401 Unauthorized\r\n\r\n')
68
+ clientSocket.destroy()
69
+ return
70
+ }
71
+ throw err
72
+ }
73
+
74
+ // SSRF check
75
+ if (await isPrivateOrLoopback(host)) {
76
+ writeAudit({
77
+ ts: new Date().toISOString(),
78
+ agent: agentEmail ?? config.agents[0]?.email ?? 'unknown',
79
+ action: 'deny',
80
+ domain: host,
81
+ method: 'CONNECT',
82
+ path: target,
83
+ rule: 'ssrf-blocked',
84
+ })
85
+ clientSocket.write('HTTP/1.1 403 Forbidden\r\n\r\n')
86
+ clientSocket.destroy()
87
+ return
88
+ }
89
+
90
+ // Connect to target
91
+ const targetSocket = connect(port, host, () => {
92
+ clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n')
93
+
94
+ // Bidirectional pipe
95
+ targetSocket.pipe(clientSocket)
96
+ clientSocket.pipe(targetSocket)
97
+ })
98
+
99
+ targetSocket.on('error', () => {
100
+ clientSocket.write('HTTP/1.1 502 Bad Gateway\r\n\r\n')
101
+ clientSocket.destroy()
102
+ })
103
+
104
+ clientSocket.on('error', () => {
105
+ targetSocket.destroy()
106
+ })
107
+
108
+ // Cleanup on close
109
+ clientSocket.on('close', () => targetSocket.destroy())
110
+ targetSocket.on('close', () => clientSocket.destroy())
111
+ }