@openape/proxy 0.1.1 → 0.2.0

package/src/grants-client.ts

@@ -33,6 +33,7 @@ export class GrantsClient {
     grantType: GrantType
     permissions?: string[]
     reason?: string
+    requestHash?: string
     duration?: number
   }): Promise<OpenApeGrant> {
     const res = await fetch(`${this.idpUrl}/api/grants`, {
@@ -44,6 +45,7 @@ export class GrantsClient {
         grant_type: opts.grantType,
         permissions: opts.permissions,
         reason: opts.reason,
+        request_hash: opts.requestHash,
         duration: opts.duration,
       }),
     })
@@ -87,6 +89,8 @@ export class GrantsClient {
 
   /**
    * Check if there's an existing approved grant for a domain+permissions combo.
+   * Only matches grants whose target matches the requested domain and that
+   * have matching permissions. Ignores `allow_once` grants (they're single-use).
    */
   async findExistingGrant(
     requester: string,
@@ -95,12 +99,8 @@ export class GrantsClient {
   ): Promise<OpenApeGrant | null> {
     const params = new URLSearchParams({
       requester,
-      target,
       status: 'approved',
     })
-    if (permissions?.length) {
-      params.set('permissions', permissions.join(','))
-    }
 
     const res = await fetch(`${this.idpUrl}/api/grants?${params}`, {
       headers: this.headers(),
@@ -109,10 +109,23 @@ export class GrantsClient {
     if (!res.ok) return null
 
     const grants = await res.json() as OpenApeGrant[]
-    // Return first active grant
-    return grants.find(g =>
-      g.status === 'approved' &&
-      (!g.expires_at || g.expires_at > Math.floor(Date.now() / 1000))
-    ) ?? null
+    const now = Math.floor(Date.now() / 1000)
+
+    return grants.find((g) => {
+      // Must be approved
+      if (g.status !== 'approved') return false
+      // Must not be expired
+      if (g.expires_at && g.expires_at <= now) return false
+      // allow_once grants are single-use — don't reuse them
+      if (g.request?.grant_type === 'once') return false
+      // Target must match the requested domain
+      if (g.request?.target !== target) return false
+      // If permissions specified, grant must cover them
+      if (permissions?.length && g.request?.permissions?.length) {
+        const grantedPerms = new Set(g.request.permissions)
+        if (!permissions.every(p => grantedPerms.has(p))) return false
+      }
+      return true
+    }) ?? null
   }
 }

package/src/index.ts

@@ -1,62 +1,69 @@
 #!/usr/bin/env bun
+import { createServer } from 'node:http'
 import { parseArgs } from 'node:util'
-import { loadConfig } from './config.js'
-import { createProxy } from './proxy.js'
+import { loadMultiAgentConfig } from './config.js'
+import { createNodeHandler } from './proxy.js'
 import { initAudit } from './audit.js'
 
 const { values } = parseArgs({
   options: {
     config: { type: 'string', short: 'c', default: 'config.toml' },
     'dry-run': { type: 'boolean', default: false },
+    'mandatory-auth': { type: 'boolean', default: false },
   },
 })
 
 const configPath = values.config!
 
 console.log(`[openape-proxy] Loading config from ${configPath}`)
-const config = loadConfig(configPath)
+const config = loadMultiAgentConfig(configPath, {
+  mandatoryAuth: values['mandatory-auth'] || undefined,
+})
 
 // Init audit log
 initAudit(config.proxy.audit_log)
 
 if (values['dry-run']) {
   console.log('[openape-proxy] DRY RUN mode — logging only, not blocking')
-  // In dry-run mode, we could override deny rules to just log
-  // For now, just print config and exit
   console.log('[openape-proxy] Config loaded:')
   console.log(`  Listen: ${config.proxy.listen}`)
-  console.log(`  IdP: ${config.proxy.idp_url}`)
-  console.log(`  Agent: ${config.proxy.agent_email}`)
   console.log(`  Default action: ${config.proxy.default_action}`)
-  console.log(`  Allow rules: ${config.allow.length}`)
-  console.log(`  Deny rules: ${config.deny.length}`)
-  console.log(`  Grant rules: ${config.grant_required.length}`)
+  console.log(`  Mandatory auth: ${config.proxy.mandatory_auth ?? false}`)
+  console.log(`  Agents: ${config.agents.length}`)
+  for (const agent of config.agents) {
+    const allowCount = agent.allow?.length ?? 0
+    const denyCount = agent.deny?.length ?? 0
+    const grantCount = agent.grant_required?.length ?? 0
+    console.log(`    ${agent.email} (${agent.idp_url}) — ${allowCount} allow, ${denyCount} deny, ${grantCount} grant`)
+  }
   process.exit(0)
 }
 
-const proxy = createProxy(config)
+const handler = createNodeHandler(config)
 
-const server = Bun.serve({
-  port: proxy.port,
-  hostname: proxy.hostname,
-  fetch: proxy.fetch,
-})
+const port = Number.parseInt(config.proxy.listen.split(':')[1] || '9090')
+const hostname = config.proxy.listen.split(':')[0] || '127.0.0.1'
 
-console.log(`[openape-proxy] 🐾 Listening on http://${server.hostname}:${server.port}`)
-console.log(`[openape-proxy] IdP: ${config.proxy.idp_url}`)
-console.log(`[openape-proxy] Agent: ${config.proxy.agent_email}`)
-console.log(`[openape-proxy] Rules: ${config.allow.length} allow, ${config.deny.length} deny, ${config.grant_required.length} grant-required`)
-console.log(`[openape-proxy] Default action: ${config.proxy.default_action}`)
+const server = createServer(handler.handleRequest)
+server.on('connect', handler.handleConnect)
+
+server.listen(port, hostname, () => {
+  console.log(`[openape-proxy] Listening on http://${hostname}:${port}`)
+  console.log(`[openape-proxy] CONNECT tunneling enabled`)
+  console.log(`[openape-proxy] Mandatory auth: ${config.proxy.mandatory_auth ?? false}`)
+  console.log(`[openape-proxy] Agents: ${config.agents.map(a => a.email).join(', ')}`)
+  console.log(`[openape-proxy] Default action: ${config.proxy.default_action}`)
+})
 
 // Graceful shutdown
 process.on('SIGINT', () => {
   console.log('\n[openape-proxy] Shutting down...')
-  server.stop()
+  server.close()
   process.exit(0)
 })
 
 process.on('SIGTERM', () => {
   console.log('[openape-proxy] Shutting down...')
-  server.stop()
+  server.close()
   process.exit(0)
 })

package/src/proxy.ts

@@ -1,14 +1,59 @@
-import type { ProxyConfig, AuditEntry } from './types.js'
+import type { IncomingMessage, ServerResponse } from 'node:http'
+import type { Socket } from 'node:net'
+import { createHash } from 'node:crypto'
+import type { AgentConfig, AuditEntry, MultiAgentProxyConfig, ProxyConfig } from './types.js'
 import { evaluateRules } from './matcher.js'
-import { verifyAgentAuth } from './auth.js'
+import { AuthError, verifyAgentAuth } from './auth.js'
 import { GrantsClient } from './grants-client.js'
 import { writeAudit } from './audit.js'
+import { isPrivateOrLoopback } from './ssrf.js'
+import { handleConnect } from './connect.js'
 
+/**
+ * Compute a request hash that uniquely identifies the intent.
+ * hash = sha256(METHOD + " " + FULL_URL + "\n" + BODY)
+ * This binds the grant to the exact request — no bait-and-switch.
+ */
+async function computeRequestHash(method: string, targetUrl: string, body: ArrayBuffer | null): Promise<string> {
+  const hash = createHash('sha256')
+  hash.update(`${method} ${targetUrl}\n`)
+  if (body && body.byteLength > 0) {
+    hash.update(new Uint8Array(body))
+  }
+  return hash.digest('hex')
+}
+
+/** Legacy single-agent proxy */
 export function createProxy(config: ProxyConfig) {
-  const grantsClient = new GrantsClient(config.proxy.idp_url)
+  const multiConfig: MultiAgentProxyConfig = {
+    proxy: {
+      listen: config.proxy.listen,
+      default_action: config.proxy.default_action,
+      audit_log: config.proxy.audit_log,
+      mandatory_auth: config.proxy.mandatory_auth,
+    },
+    agents: [{
+      email: config.proxy.agent_email,
+      idp_url: config.proxy.idp_url,
+      allow: config.allow,
+      deny: config.deny,
+      grant_required: config.grant_required,
+    }],
+  }
+  return createMultiAgentProxy(multiConfig)
+}
+
+/** Multi-agent proxy with SSRF protection and mandatory auth */
+export function createMultiAgentProxy(config: MultiAgentProxyConfig) {
+  const grantsClients = new Map<string, GrantsClient>()
+  for (const agent of config.agents) {
+    grantsClients.set(agent.email, new GrantsClient(agent.idp_url))
+  }
+
+  const mandatoryAuth = config.proxy.mandatory_auth ?? false
 
   return {
-    port: parseInt(config.proxy.listen.split(':')[1] || '9090'),
+    port: Number.parseInt(config.proxy.listen.split(':')[1] || '9090'),
     hostname: config.proxy.listen.split(':')[0] || '127.0.0.1',
 
     async fetch(req: Request): Promise<Response> {
@@ -17,17 +62,19 @@ export function createProxy(config: ProxyConfig) {
 
       // Health endpoint
       if (url.pathname === '/healthz') {
-        return Response.json({ status: 'ok', agent: config.proxy.agent_email })
+        return Response.json({
+          status: 'ok',
+          agents: config.agents.map(a => a.email),
+        })
       }
 
-      // Parse target URL from the path.
-      // The agent sends: http://proxy:9090/https://api.github.com/repos/x/issues
-      // So the target URL is everything after the first /
+      // Parse target URL from the path
       const targetUrl = url.pathname.slice(1) + url.search
       let targetParsed: URL
       try {
         targetParsed = new URL(targetUrl)
-      } catch {
+      }
+      catch {
         return new Response(
           'Invalid target URL. Send requests as: http://proxy:port/https://target.com/path',
           { status: 400 },
@@ -38,20 +85,80 @@ export function createProxy(config: ProxyConfig) {
       const method = req.method
       const path = targetParsed.pathname
 
-      // Verify agent identity
-      const agent = await verifyAgentAuth(
-        req.headers.get('proxy-authorization'),
-        config.proxy.idp_url,
-      )
+      // SSRF protection — block private/loopback IPs before any rule evaluation
+      if (await isPrivateOrLoopback(domain)) {
+        return new Response('Blocked: private/loopback IP', { status: 403 })
+      }
+
+      // Read body once (needed for hash + forwarding)
+      const bodyBuffer = req.body ? await req.arrayBuffer() : null
 
-      const agentEmail = agent?.email ?? config.proxy.agent_email
+      // Verify agent identity — find IdP URL from first agent (for JWKS verification)
+      // In multi-agent mode, we need the JWT to identify the agent first.
+      // We try verification against each agent's IdP until one succeeds.
+      let agentIdentity: { email: string, act: 'agent' } | null = null
+      try {
+        for (const agentConf of config.agents) {
+          agentIdentity = await verifyAgentAuth(
+            req.headers.get('proxy-authorization'),
+            agentConf.idp_url,
+            mandatoryAuth && config.agents.length === 1,
+          )
+          if (agentIdentity) break
+        }
+
+        // If mandatory auth and no identity found from any IdP
+        if (mandatoryAuth && !agentIdentity) {
+          throw new AuthError('JWT required')
+        }
+      }
+      catch (err) {
+        if (err instanceof AuthError) {
+          return new Response(`Unauthorized: ${err.message}`, { status: 401 })
+        }
+        throw err
+      }
+
+      // Find the matching agent config
+      const agentEmail = agentIdentity?.email
+      let agentConf: AgentConfig | undefined
+
+      if (agentEmail) {
+        agentConf = config.agents.find(a => a.email === agentEmail)
+        if (!agentConf) {
+          return new Response(`Forbidden: unknown agent ${agentEmail}`, { status: 403 })
+        }
+      }
+      else if (config.agents.length === 1) {
+        // Non-mandatory auth, single agent: use the only agent config
+        agentConf = config.agents[0]
+      }
+      else {
+        return new Response('Unauthorized: JWT required for multi-agent proxy', { status: 401 })
+      }
+
+      const effectiveEmail = agentEmail ?? agentConf.email
+      const grantsClient = grantsClients.get(agentConf.email)!
+
+      // Build a ProxyConfig-shaped object for evaluateRules
+      const rulesConfig: ProxyConfig = {
+        proxy: {
+          listen: config.proxy.listen,
+          idp_url: agentConf.idp_url,
+          agent_email: agentConf.email,
+          default_action: config.proxy.default_action,
+        },
+        allow: agentConf.allow ?? [],
+        deny: agentConf.deny ?? [],
+        grant_required: agentConf.grant_required ?? [],
+      }
 
       // Evaluate rules
-      const action = evaluateRules(config, domain, method, path)
+      const action = evaluateRules(rulesConfig, domain, method, path)
 
       const baseAudit: Omit<AuditEntry, 'action' | 'rule'> = {
         ts: new Date().toISOString(),
-        agent: agentEmail,
+        agent: effectiveEmail,
         domain,
         method,
         path,
@@ -66,16 +173,19 @@ export function createProxy(config: ProxyConfig) {
       // ALLOW (no grant needed)
       if (action.type === 'allow') {
         writeAudit({ ...baseAudit, action: 'allow', rule: 'allow-list', grant_id: null })
-        return forwardRequest(req, targetUrl)
+        return forwardRequest(req, targetUrl, bodyBuffer)
       }
 
       // GRANT REQUIRED
       const rule = action.rule
       const permissions = rule.permissions ?? [`${method.toLowerCase()}:${domain}`]
 
+      // Compute request hash — binds grant to exact method + URL + body
+      const requestHash = await computeRequestHash(method, targetUrl, bodyBuffer)
+
       // Check for existing grant
       const existing = await grantsClient.findExistingGrant(
-        agentEmail,
+        effectiveEmail,
         domain,
         permissions,
       ).catch(() => null)
@@ -86,8 +196,9 @@ export function createProxy(config: ProxyConfig) {
           action: 'grant_approved',
           rule: 'standing-grant',
           grant_id: existing.id,
+          request_hash: requestHash,
         })
-        return forwardRequest(req, targetUrl)
+        return forwardRequest(req, targetUrl, bodyBuffer)
       }
 
       // No existing grant — behavior depends on default_action
@@ -99,11 +210,12 @@ export function createProxy(config: ProxyConfig) {
       if (config.proxy.default_action === 'request-async') {
         // Create grant request, return 407 immediately
         const grant = await grantsClient.requestGrant({
-          requester: agentEmail,
+          requester: effectiveEmail,
           target: domain,
           grantType: rule.grant_type,
           permissions,
-          reason: `${method} ${targetParsed.pathname}`,
+          reason: `${method} ${targetUrl}`,
+          requestHash,
           duration: rule.duration,
         }).catch(() => null)
 
@@ -129,11 +241,12 @@ export function createProxy(config: ProxyConfig) {
 
       try {
         const grant = await grantsClient.requestGrant({
-          requester: agentEmail,
+          requester: effectiveEmail,
           target: domain,
           grantType: rule.grant_type,
           permissions,
-          reason: `${method} ${targetParsed.pathname}`,
+          reason: `${method} ${targetUrl}`,
+          requestHash,
           duration: rule.duration,
         })
 
@@ -147,9 +260,10 @@ export function createProxy(config: ProxyConfig) {
             action: 'grant_approved',
             rule: 'grant_required',
             grant_id: approved.id,
+            request_hash: requestHash,
             waited_ms: waitedMs,
           })
-          return forwardRequest(req, targetUrl)
+          return forwardRequest(req, targetUrl, bodyBuffer)
         }
 
         writeAudit({
@@ -160,8 +274,8 @@ export function createProxy(config: ProxyConfig) {
           waited_ms: waitedMs,
         })
         return new Response(`Grant denied by ${approved.decided_by}`, { status: 403 })
-
-      } catch (err) {
+      }
+      catch (err) {
         const msg = err instanceof Error ? err.message : 'Unknown error'
         writeAudit({
           ...baseAudit,
@@ -175,11 +289,78 @@ export function createProxy(config: ProxyConfig) {
   }
 }
 
+/**
+ * Create a node:http compatible handler for use with http.createServer().
+ * Returns both a request handler and a CONNECT handler.
+ */
+export function createNodeHandler(config: MultiAgentProxyConfig): {
+  handleRequest: (req: IncomingMessage, res: ServerResponse) => void
+  handleConnect: (req: IncomingMessage, socket: Socket, head: Buffer) => void
+} {
+  const proxy = createMultiAgentProxy(config)
+
+  return {
+    handleRequest(req: IncomingMessage, res: ServerResponse) {
+      // Convert IncomingMessage to Request and use existing fetch logic
+      const url = `http://${req.headers.host || 'localhost'}${req.url || '/'}`
+      const chunks: Buffer[] = []
+
+      req.on('data', (chunk: Buffer) => chunks.push(chunk))
+      req.on('end', async () => {
+        try {
+          const body = chunks.length > 0 ? Buffer.concat(chunks) : undefined
+          const headers = new Headers()
+          for (const [key, value] of Object.entries(req.headers)) {
+            if (value) {
+              headers.set(key, Array.isArray(value) ? value.join(', ') : value)
+            }
+          }
+
+          const request = new Request(url, {
+            method: req.method,
+            headers,
+            body: body && req.method !== 'GET' && req.method !== 'HEAD' ? body : undefined,
+            duplex: 'half',
+          } as RequestInit)
+
+          const response = await proxy.fetch(request)
+
+          res.writeHead(response.status, response.statusText, Object.fromEntries(response.headers))
+          if (response.body) {
+            const reader = response.body.getReader()
+            const pump = async (): Promise<void> => {
+              const { done, value } = await reader.read()
+              if (done) {
+                res.end()
+                return
+              }
+              res.write(value)
+              return pump()
+            }
+            await pump()
+          }
+          else {
+            res.end()
+          }
+        }
+        catch {
+          res.writeHead(502)
+          res.end('Proxy error')
+        }
+      })
+    },
+
+    handleConnect(req: IncomingMessage, socket: Socket, head: Buffer) {
+      handleConnect(config, req, socket, head)
+    },
+  }
+}
+
 /**
  * Forward a request to the target URL.
  * Strips proxy-specific headers, preserves the rest.
  */
-async function forwardRequest(originalReq: Request, targetUrl: string): Promise<Response> {
+async function forwardRequest(originalReq: Request, targetUrl: string, cachedBody?: ArrayBuffer | null): Promise<Response> {
   const headers = new Headers(originalReq.headers)
   // Remove proxy-specific headers
   headers.delete('proxy-authorization')
@@ -187,12 +368,13 @@ async function forwardRequest(originalReq: Request, targetUrl: string): Promise<
   // Don't send host of the proxy
   headers.delete('host')
 
+  const body = cachedBody && cachedBody.byteLength > 0 ? cachedBody : null
+
   try {
     const res = await fetch(targetUrl, {
       method: originalReq.method,
       headers,
-      body: originalReq.body,
-      // @ts-expect-error Bun supports duplex
+      body,
       duplex: 'half',
       redirect: 'manual',
     })

package/src/ssrf.ts

@@ -0,0 +1,85 @@
+import { resolve4, resolve6 } from 'node:dns/promises'
+import { isIP } from 'node:net'
+
+const PRIVATE_RANGES_V4 = [
+  { prefix: 0x7F000000, mask: 0xFF000000 }, // 127.0.0.0/8
+  { prefix: 0x0A000000, mask: 0xFF000000 }, // 10.0.0.0/8
+  { prefix: 0xAC100000, mask: 0xFFF00000 }, // 172.16.0.0/12
+  { prefix: 0xC0A80000, mask: 0xFFFF0000 }, // 192.168.0.0/16
+  { prefix: 0xA9FE0000, mask: 0xFFFF0000 }, // 169.254.0.0/16
+  { prefix: 0x00000000, mask: 0xFF000000 }, // 0.0.0.0/8
+]
+
+function ipv4ToNumber(ip: string): number {
+  const parts = ip.split('.').map(Number)
+  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0
+}
+
+function isPrivateIPv4(ip: string): boolean {
+  const num = ipv4ToNumber(ip)
+  return PRIVATE_RANGES_V4.some(r => ((num & r.mask) >>> 0) === r.prefix)
+}
+
+function isPrivateIPv6(ip: string): boolean {
+  const normalized = ip.toLowerCase()
+
+  // Loopback ::1
+  if (normalized === '::1') return true
+
+  // Unspecified ::
+  if (normalized === '::') return true
+
+  // Link-local fe80::/10
+  if (normalized.startsWith('fe8') || normalized.startsWith('fe9')
+    || normalized.startsWith('fea') || normalized.startsWith('feb')) {
+    return true
+  }
+
+  // Unique local fd00::/8
+  if (normalized.startsWith('fd')) return true
+
+  // IPv4-mapped ::ffff:x.x.x.x
+  const v4mapped = normalized.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/)
+  if (v4mapped) return isPrivateIPv4(v4mapped[1])
+
+  return false
+}
+
+function isPrivateIP(ip: string): boolean {
+  if (isIP(ip) === 4) return isPrivateIPv4(ip)
+  if (isIP(ip) === 6) return isPrivateIPv6(ip)
+  return false
+}
+
+/**
+ * Check if a hostname resolves to a private or loopback IP.
+ * If the hostname is already an IP literal, check directly.
+ * Otherwise, resolve via DNS and check all results.
+ */
+export async function isPrivateOrLoopback(hostname: string): Promise<boolean> {
+  // Direct IP literal
+  if (isIP(hostname)) {
+    return isPrivateIP(hostname)
+  }
+
+  // localhost shortcut
+  if (hostname === 'localhost') return true
+
+  // DNS resolution — check both A and AAAA records
+  try {
+    const [v4, v6] = await Promise.allSettled([
+      resolve4(hostname),
+      resolve6(hostname),
+    ])
+    const addrs: string[] = []
+    if (v4.status === 'fulfilled') addrs.push(...v4.value)
+    if (v6.status === 'fulfilled') addrs.push(...v6.value)
+
+    if (addrs.length === 0) return true // no records — block to be safe
+    return addrs.some(addr => isPrivateIP(addr))
+  }
+  catch {
+    // DNS failure — block to be safe
+    return true
+  }
+}

package/src/types.ts

@@ -1,4 +1,4 @@
-/** Proxy configuration (parsed from TOML/JSON) */
+/** Single-agent proxy configuration (legacy format, parsed from TOML/JSON) */
 export interface ProxyConfig {
   proxy: {
     listen: string
@@ -6,12 +6,32 @@ export interface ProxyConfig {
     agent_email: string
     default_action: 'block' | 'request' | 'request-async'
     audit_log?: string
+    mandatory_auth?: boolean
   }
   allow: RuleEntry[]
   deny: RuleEntry[]
   grant_required: GrantRuleEntry[]
 }
 
+/** Multi-agent proxy configuration */
+export interface MultiAgentProxyConfig {
+  proxy: {
+    listen: string
+    default_action: 'block' | 'request' | 'request-async'
+    audit_log?: string
+    mandatory_auth?: boolean
+  }
+  agents: AgentConfig[]
+}
+
+export interface AgentConfig {
+  email: string
+  idp_url: string
+  allow?: RuleEntry[]
+  deny?: RuleEntry[]
+  grant_required?: GrantRuleEntry[]
+}
+
 export interface RuleEntry {
   domain: string
   methods?: string[]
@@ -38,6 +58,7 @@ export interface AuditEntry {
   method: string
   path: string
   grant_id?: string | null
+  request_hash?: string
   rule: string
   waited_ms?: number
   error?: string