npm - @openape/proxy - Versions diffs - 0.2.13 → 0.2.15 - Mend

@openape/proxy 0.2.13 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/index.cjs +711 -0
package/dist/index.cjs.map +1 -0
package/dist/index.js +710 -0
package/dist/index.js.map +1 -0
package/package.json +9 -4
package/.nvmrc +0 -1
package/CHANGELOG.md +0 -132
package/PLAN.md +0 -261
package/bun.lock +0 -229
package/config.toml +0 -35
package/src/audit.ts +0 -20
package/src/auth.ts +0 -57
package/src/config.ts +0 -84
package/src/connect.ts +0 -111
package/src/grants-client.ts +0 -129
package/src/index.ts +0 -69
package/src/matcher.ts +0 -80
package/src/proxy.ts +0 -401
package/src/ssrf.ts +0 -85
package/src/types.ts +0 -65
package/test/auth.test.ts +0 -57
package/test/connect.test.ts +0 -131
package/test/matcher.test.ts +0 -46
package/test/multi-agent.test.ts +0 -122
package/test/ssrf.test.ts +0 -73
package/tsconfig.json +0 -21
package/tsup.config.ts +0 -9
package/vitest.config.ts +0 -18

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/config.ts","../src/proxy.ts","../src/matcher.ts","../src/auth.ts","../src/grants-client.ts","../src/audit.ts","../src/ssrf.ts","../src/connect.ts"],"sourcesContent":["#!/usr/bin/env node\nimport { createServer } from 'node:http'\nimport { parseArgs } from 'node:util'\nimport { loadMultiAgentConfig } from './config.js'\nimport { createNodeHandler } from './proxy.js'\nimport { initAudit } from './audit.js'\n\nconst { values } = parseArgs({\n options: {\n config: { type: 'string', short: 'c', default: 'config.toml' },\n 'dry-run': { type: 'boolean', default: false },\n 'mandatory-auth': { type: 'boolean', default: false },\n },\n})\n\nconst configPath = values.config!\n\nconsole.log(`[openape-proxy] Loading config from ${configPath}`)\nconst config = loadMultiAgentConfig(configPath, {\n mandatoryAuth: values['mandatory-auth'] || undefined,\n})\n\n// Init audit log\ninitAudit(config.proxy.audit_log)\n\nif (values['dry-run']) {\n console.log('[openape-proxy] DRY RUN mode — logging only, not blocking')\n console.log('[openape-proxy] Config loaded:')\n console.log(` Listen: ${config.proxy.listen}`)\n console.log(` Default action: ${config.proxy.default_action}`)\n console.log(` Mandatory auth: ${config.proxy.mandatory_auth ?? false}`)\n console.log(` Agents: ${config.agents.length}`)\n for (const agent of config.agents) {\n const allowCount = agent.allow?.length ?? 0\n const denyCount = agent.deny?.length ?? 0\n const grantCount = agent.grant_required?.length ?? 0\n console.log(` ${agent.email} (${agent.idp_url}) — ${allowCount} allow, ${denyCount} deny, ${grantCount} grant`)\n }\n process.exit(0)\n}\n\nconst handler = createNodeHandler(config)\n\nconst port = Number.parseInt(config.proxy.listen.split(':')[1] || '9090')\nconst hostname = config.proxy.listen.split(':')[0] || '127.0.0.1'\n\nconst server = createServer(handler.handleRequest)\nserver.on('connect', handler.handleConnect)\n\nserver.listen(port, hostname, () => {\n // When configured with port 0, the OS assigns a free port — use the actual\n // bound port for the log line so external orchestrators (apes proxy --) can\n // grep this line to discover where to connect.\n const addr = server.address()\n const actualPort = typeof addr === 'object' && addr ? addr.port : port\n console.log(`[openape-proxy] Listening on http://${hostname}:${actualPort}`)\n console.log(`[openape-proxy] CONNECT tunneling enabled`)\n console.log(`[openape-proxy] Mandatory auth: ${config.proxy.mandatory_auth ?? false}`)\n console.log(`[openape-proxy] Agents: ${config.agents.map(a => a.email).join(', ')}`)\n console.log(`[openape-proxy] Default action: ${config.proxy.default_action}`)\n})\n\n// Graceful shutdown\nprocess.on('SIGINT', () => {\n console.log('\\n[openape-proxy] Shutting down...')\n server.close()\n process.exit(0)\n})\n\nprocess.on('SIGTERM', () => {\n console.log('[openape-proxy] Shutting down...')\n server.close()\n process.exit(0)\n})\n","import { readFileSync } from 'node:fs'\nimport { parse as parseTOML } from 'smol-toml'\nimport type { AgentConfig, MultiAgentProxyConfig, ProxyConfig } from './types.js'\n\nexport function loadConfig(path: string): ProxyConfig {\n const raw = readFileSync(path, 'utf-8')\n\n let parsed: Record<string, unknown>\n if (path.endsWith('.json')) {\n parsed = JSON.parse(raw)\n }\n else {\n parsed = parseTOML(raw) as Record<string, unknown>\n }\n\n const proxy = parsed.proxy as ProxyConfig['proxy']\n if (!proxy?.listen || !proxy?.idp_url || !proxy?.agent_email) {\n throw new Error('Config must have [proxy] with listen, idp_url, and agent_email')\n }\n\n proxy.default_action ??= 'block'\n\n return {\n proxy,\n allow: (parsed.allow ?? []) as ProxyConfig['allow'],\n deny: (parsed.deny ?? []) as ProxyConfig['deny'],\n grant_required: (parsed.grant_required ?? []) as ProxyConfig['grant_required'],\n }\n}\n\n/**\n * Load config as multi-agent format.\n * If the config has an `agents` array, use it directly.\n * Otherwise, convert single-agent format to multi-agent for backward-compat.\n */\nexport function loadMultiAgentConfig(path: string, overrides?: { mandatoryAuth?: boolean }): MultiAgentProxyConfig {\n const raw = readFileSync(path, 'utf-8')\n\n let parsed: Record<string, unknown>\n if (path.endsWith('.json')) {\n parsed = JSON.parse(raw)\n }\n else {\n parsed = parseTOML(raw) as Record<string, unknown>\n }\n\n const proxy = parsed.proxy as Record<string, unknown>\n if (!proxy?.listen) {\n throw new Error('Config must have [proxy] with listen')\n }\n\n const baseProxy: MultiAgentProxyConfig['proxy'] = {\n listen: proxy.listen as string,\n default_action: (proxy.default_action as MultiAgentProxyConfig['proxy']['default_action']) ?? 'block',\n audit_log: proxy.audit_log as string | undefined,\n mandatory_auth: overrides?.mandatoryAuth ?? (proxy.mandatory_auth as boolean | undefined),\n }\n\n // Multi-agent format: has agents array\n if (Array.isArray(parsed.agents)) {\n return {\n proxy: baseProxy,\n agents: parsed.agents as AgentConfig[],\n }\n }\n\n // Single-agent format: convert to multi-agent\n const idpUrl = proxy.idp_url as string\n const agentEmail = proxy.agent_email as string\n if (!idpUrl || !agentEmail) {\n throw new Error('Single-agent config requires proxy.idp_url and proxy.agent_email')\n }\n\n return {\n proxy: baseProxy,\n agents: [{\n email: agentEmail,\n idp_url: idpUrl,\n allow: (parsed.allow ?? []) as AgentConfig['allow'],\n deny: (parsed.deny ?? []) as AgentConfig['deny'],\n grant_required: (parsed.grant_required ?? []) as AgentConfig['grant_required'],\n }],\n }\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\nimport type { Socket } from 'node:net'\nimport { createHash } from 'node:crypto'\nimport type { AgentConfig, AuditEntry, MultiAgentProxyConfig, ProxyConfig } from './types.js'\nimport { evaluateRules } from './matcher.js'\nimport { AuthError, verifyAgentAuth } from './auth.js'\nimport { GrantsClient } from './grants-client.js'\nimport { writeAudit } from './audit.js'\nimport { isPrivateOrLoopback } from './ssrf.js'\nimport { handleConnect } from './connect.js'\n\n/**\n * Compute a request hash that uniquely identifies the intent.\n * hash = sha256(METHOD + \" \" + FULL_URL + \"\\n\" + BODY)\n * This binds the grant to the exact request — no bait-and-switch.\n */\nasync function computeRequestHash(method: string, targetUrl: string, body: ArrayBuffer | null): Promise<string> {\n const hash = createHash('sha256')\n hash.update(`${method} ${targetUrl}\\n`)\n if (body && body.byteLength > 0) {\n hash.update(new Uint8Array(body))\n }\n return hash.digest('hex')\n}\n\n/** Legacy single-agent proxy */\nexport function createProxy(config: ProxyConfig) {\n const multiConfig: MultiAgentProxyConfig = {\n proxy: {\n listen: config.proxy.listen,\n default_action: config.proxy.default_action,\n audit_log: config.proxy.audit_log,\n mandatory_auth: config.proxy.mandatory_auth,\n },\n agents: [{\n email: config.proxy.agent_email,\n idp_url: config.proxy.idp_url,\n allow: config.allow,\n deny: config.deny,\n grant_required: config.grant_required,\n }],\n }\n return createMultiAgentProxy(multiConfig)\n}\n\n/** Multi-agent proxy with SSRF protection and mandatory auth */\nexport function createMultiAgentProxy(config: MultiAgentProxyConfig) {\n const grantsClients = new Map<string, GrantsClient>()\n for (const agent of config.agents) {\n grantsClients.set(agent.email, new GrantsClient(agent.idp_url))\n }\n\n const mandatoryAuth = config.proxy.mandatory_auth ?? false\n\n return {\n port: Number.parseInt(config.proxy.listen.split(':')[1] || '9090'),\n hostname: config.proxy.listen.split(':')[0] || '127.0.0.1',\n\n async fetch(req: Request): Promise<Response> {\n const url = new URL(req.url)\n const startTime = Date.now()\n\n // Health endpoint\n if (url.pathname === '/healthz') {\n return Response.json({\n status: 'ok',\n agents: config.agents.map(a => a.email),\n })\n }\n\n // Parse target URL from the path\n const targetUrl = url.pathname.slice(1) + url.search\n let targetParsed: URL\n try {\n targetParsed = new URL(targetUrl)\n }\n catch {\n return new Response(\n 'Invalid target URL. Send requests as: http://proxy:port/https://target.com/path',\n { status: 400 },\n )\n }\n\n const domain = targetParsed.hostname\n const method = req.method\n const path = targetParsed.pathname\n\n // SSRF protection — block private/loopback IPs before any rule evaluation\n if (await isPrivateOrLoopback(domain)) {\n return new Response('Blocked: private/loopback IP', { status: 403 })\n }\n\n // Read body once (needed for hash + forwarding)\n const bodyBuffer = req.body ? await req.arrayBuffer() : null\n\n // Verify agent identity — find IdP URL from first agent (for JWKS verification)\n // In multi-agent mode, we need the JWT to identify the agent first.\n // We try verification against each agent's IdP until one succeeds.\n let agentIdentity: { email: string, act: 'agent' } | null = null\n try {\n for (const agentConf of config.agents) {\n agentIdentity = await verifyAgentAuth(\n req.headers.get('proxy-authorization'),\n agentConf.idp_url,\n mandatoryAuth && config.agents.length === 1,\n )\n if (agentIdentity) break\n }\n\n // If mandatory auth and no identity found from any IdP\n if (mandatoryAuth && !agentIdentity) {\n throw new AuthError('JWT required')\n }\n }\n catch (err) {\n if (err instanceof AuthError) {\n return new Response(`Unauthorized: ${err.message}`, { status: 401 })\n }\n throw err\n }\n\n // Find the matching agent config\n const agentEmail = agentIdentity?.email\n let agentConf: AgentConfig | undefined\n\n if (agentEmail) {\n agentConf = config.agents.find(a => a.email === agentEmail)\n if (!agentConf) {\n return new Response(`Forbidden: unknown agent ${agentEmail}`, { status: 403 })\n }\n }\n else if (config.agents.length === 1) {\n // Non-mandatory auth, single agent: use the only agent config\n agentConf = config.agents[0]\n }\n else {\n return new Response('Unauthorized: JWT required for multi-agent proxy', { status: 401 })\n }\n\n const effectiveEmail = agentEmail ?? agentConf.email\n const grantsClient = grantsClients.get(agentConf.email)!\n\n // Build a ProxyConfig-shaped object for evaluateRules\n const rulesConfig: ProxyConfig = {\n proxy: {\n listen: config.proxy.listen,\n idp_url: agentConf.idp_url,\n agent_email: agentConf.email,\n default_action: config.proxy.default_action,\n },\n allow: agentConf.allow ?? [],\n deny: agentConf.deny ?? [],\n grant_required: agentConf.grant_required ?? [],\n }\n\n // Evaluate rules\n const action = evaluateRules(rulesConfig, domain, method, path)\n\n const baseAudit: Omit<AuditEntry, 'action' | 'rule'> = {\n ts: new Date().toISOString(),\n agent: effectiveEmail,\n domain,\n method,\n path,\n }\n\n // DENY\n if (action.type === 'deny') {\n writeAudit({ ...baseAudit, action: 'deny', rule: 'deny-list', grant_id: null })\n return new Response(`Blocked: ${action.note || 'deny rule'}`, { status: 403 })\n }\n\n // ALLOW (no grant needed)\n if (action.type === 'allow') {\n writeAudit({ ...baseAudit, action: 'allow', rule: 'allow-list', grant_id: null })\n return forwardRequest(req, targetUrl, bodyBuffer)\n }\n\n // GRANT REQUIRED\n const rule = action.rule\n const permissions = rule.permissions ?? [`${method.toLowerCase()}:${domain}`]\n\n // Compute request hash — binds grant to exact method + URL + body\n const requestHash = await computeRequestHash(method, targetUrl, bodyBuffer)\n\n // Check for existing grant\n const existing = await grantsClient.findExistingGrant(\n effectiveEmail,\n domain,\n 'proxy',\n permissions,\n ).catch(() => null)\n\n if (existing) {\n writeAudit({\n ...baseAudit,\n action: 'grant_approved',\n rule: 'standing-grant',\n grant_id: existing.id,\n request_hash: requestHash,\n })\n return forwardRequest(req, targetUrl, bodyBuffer)\n }\n\n // No existing grant — behavior depends on default_action\n if (config.proxy.default_action === 'block') {\n writeAudit({ ...baseAudit, action: 'deny', rule: 'no-grant (block mode)', grant_id: null })\n return new Response('No grant — blocked', { status: 403 })\n }\n\n if (config.proxy.default_action === 'request-async') {\n // Create grant request, return 407 immediately\n const grant = await grantsClient.requestGrant({\n requester: effectiveEmail,\n targetHost: domain,\n audience: 'proxy',\n grantType: rule.grant_type,\n permissions,\n reason: `${method} ${targetUrl}`,\n requestHash,\n duration: rule.duration,\n }).catch(() => null)\n\n writeAudit({\n ...baseAudit,\n action: 'grant_denied',\n rule: 'grant_required (async)',\n grant_id: grant?.id ?? null,\n })\n\n return new Response(\n JSON.stringify({\n error: 'Grant required',\n grant_id: grant?.id,\n message: 'Grant request created. Retry after approval.',\n }),\n { status: 407, headers: { 'Content-Type': 'application/json' } },\n )\n }\n\n // BLOCKING mode: create grant request and wait\n console.error(`[proxy] Requesting grant for ${method} ${domain}${path} — waiting for approval...`)\n\n try {\n const grant = await grantsClient.requestGrant({\n requester: effectiveEmail,\n targetHost: domain,\n audience: 'proxy',\n grantType: rule.grant_type,\n permissions,\n reason: `${method} ${targetUrl}`,\n requestHash,\n duration: rule.duration,\n })\n\n const approved = await grantsClient.waitForApproval(grant.id)\n\n const waitedMs = Date.now() - startTime\n\n if (approved.status === 'approved') {\n writeAudit({\n ...baseAudit,\n action: 'grant_approved',\n rule: 'grant_required',\n grant_id: approved.id,\n request_hash: requestHash,\n waited_ms: waitedMs,\n })\n return forwardRequest(req, targetUrl, bodyBuffer)\n }\n\n writeAudit({\n ...baseAudit,\n action: 'grant_denied',\n rule: 'grant_required',\n grant_id: approved.id,\n waited_ms: waitedMs,\n })\n return new Response(`Grant denied by ${approved.decided_by}`, { status: 403 })\n }\n catch (err) {\n const msg = err instanceof Error ? err.message : 'Unknown error'\n writeAudit({\n ...baseAudit,\n action: 'grant_timeout',\n rule: 'grant_required',\n error: msg,\n })\n return new Response(`Grant request failed: ${msg}`, { status: 504 })\n }\n },\n }\n}\n\n/**\n * Create a node:http compatible handler for use with http.createServer().\n * Returns both a request handler and a CONNECT handler.\n */\nexport function createNodeHandler(config: MultiAgentProxyConfig): {\n handleRequest: (req: IncomingMessage, res: ServerResponse) => void\n handleConnect: (req: IncomingMessage, socket: Socket, head: Buffer) => void\n} {\n const proxy = createMultiAgentProxy(config)\n\n return {\n handleRequest(req: IncomingMessage, res: ServerResponse) {\n // Convert IncomingMessage to Request and use existing fetch logic\n const url = `http://${req.headers.host || 'localhost'}${req.url || '/'}`\n const chunks: Buffer[] = []\n\n req.on('data', (chunk: Buffer) => chunks.push(chunk))\n req.on('end', async () => {\n try {\n const body = chunks.length > 0 ? Buffer.concat(chunks) : undefined\n const headers = new Headers()\n for (const [key, value] of Object.entries(req.headers)) {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value)\n }\n }\n\n const request = new Request(url, {\n method: req.method,\n headers,\n body: body && req.method !== 'GET' && req.method !== 'HEAD' ? body : undefined,\n duplex: 'half',\n } as RequestInit)\n\n const response = await proxy.fetch(request)\n\n res.writeHead(response.status, response.statusText, Object.fromEntries(response.headers))\n if (response.body) {\n const reader = response.body.getReader()\n const pump = async (): Promise<void> => {\n const { done, value } = await reader.read()\n if (done) {\n res.end()\n return\n }\n res.write(value)\n return pump()\n }\n await pump()\n }\n else {\n res.end()\n }\n }\n catch {\n res.writeHead(502)\n res.end('Proxy error')\n }\n })\n },\n\n handleConnect(req: IncomingMessage, socket: Socket, head: Buffer) {\n handleConnect(config, req, socket, head)\n },\n }\n}\n\n/**\n * Forward a request to the target URL.\n * Strips proxy-specific headers, preserves the rest.\n */\nasync function forwardRequest(originalReq: Request, targetUrl: string, cachedBody?: ArrayBuffer | null): Promise<Response> {\n const headers = new Headers(originalReq.headers)\n // Remove proxy-specific headers\n headers.delete('proxy-authorization')\n headers.delete('proxy-connection')\n // Don't send host of the proxy\n headers.delete('host')\n\n const body = cachedBody && cachedBody.byteLength > 0 ? cachedBody : null\n\n try {\n const res = await fetch(targetUrl, {\n method: originalReq.method,\n headers,\n body,\n duplex: 'half',\n redirect: 'manual',\n })\n\n // Stream the response back\n const responseHeaders = new Headers(res.headers)\n // Remove hop-by-hop headers\n responseHeaders.delete('transfer-encoding')\n responseHeaders.delete('connection')\n\n return new Response(res.body, {\n status: res.status,\n statusText: res.statusText,\n headers: responseHeaders,\n })\n }\n catch (err) {\n const msg = err instanceof Error ? err.message : 'Upstream error'\n return new Response(`Proxy error: ${msg}`, { status: 502 })\n }\n}\n","import type { ProxyConfig, RuleAction, RuleEntry } from './types.js'\n\n/**\n * Match a glob pattern against a string.\n * Supports * (any segment) and ** (any number of segments).\n */\nfunction globMatch(pattern: string, value: string): boolean {\n // Simple glob: convert * to regex\n const regex = new RegExp(\n `^${\n pattern\n .replace(/[.+^${}()|[\\]\\\\]/g, '\\\\$&') // escape regex chars except *\n .replace(/\\*\\*/g, '<<<DOUBLESTAR>>>')\n .replace(/\\*/g, '[^/]*')\n .replace(/<<<DOUBLESTAR>>>/g, '.*')\n }$`,\n )\n return regex.test(value)\n}\n\nfunction matchesRule(rule: RuleEntry, domain: string, method: string, path: string): boolean {\n // Domain match (supports wildcards like *.github.com)\n if (!globMatch(rule.domain, domain)) return false\n\n // Method match (if specified)\n if (rule.methods && rule.methods.length > 0) {\n if (!rule.methods.includes(method.toUpperCase())) return false\n }\n\n // Path match (if specified)\n if (rule.path) {\n if (!globMatch(rule.path, path)) return false\n }\n\n return true\n}\n\n/**\n * Evaluate rules in order: deny → allow → grant_required → default_action\n */\nexport function evaluateRules(\n config: ProxyConfig,\n domain: string,\n method: string,\n path: string,\n): RuleAction {\n // 1. Check deny list first\n for (const rule of config.deny) {\n if (matchesRule(rule, domain, method, path)) {\n return { type: 'deny', note: rule.note }\n }\n }\n\n // 2. Check allow list\n for (const rule of config.allow) {\n if (matchesRule(rule, domain, method, path)) {\n return { type: 'allow' }\n }\n }\n\n // 3. Check grant_required rules (most specific first)\n for (const rule of config.grant_required) {\n if (matchesRule(rule, domain, method, path)) {\n return { type: 'grant_required', rule }\n }\n }\n\n // 4. Default: treat as grant_required with 'once'\n if (config.proxy.default_action === 'block') {\n return { type: 'deny', note: 'No matching rule (default: block)' }\n }\n\n return {\n type: 'grant_required',\n rule: {\n domain: '*',\n grant_type: 'once',\n },\n }\n}\n","import { verifyJWT, createRemoteJWKS } from '@openape/core'\n\nexport interface AgentIdentity {\n email: string\n act: 'agent'\n}\n\nexport class AuthError extends Error {\n constructor(message: string) {\n super(message)\n this.name = 'AuthError'\n }\n}\n\n/**\n * Verify agent JWT from Proxy-Authorization header.\n * Returns the agent identity or null if invalid/missing.\n * When mandatory is true, throws AuthError if no valid JWT is provided.\n */\nexport async function verifyAgentAuth(\n authHeader: string | null,\n idpUrl: string,\n mandatory: boolean = false,\n): Promise<AgentIdentity | null> {\n if (!authHeader) {\n if (mandatory) throw new AuthError('JWT required')\n return null\n }\n\n const match = authHeader.match(/^Bearer (.+)$/i)\n if (!match) {\n if (mandatory) throw new AuthError('Invalid authorization header')\n return null\n }\n\n const token = match[1]\n\n try {\n const jwks = createRemoteJWKS(`${idpUrl}/.well-known/jwks.json`)\n const { payload } = await verifyJWT(token, jwks, { issuer: idpUrl })\n\n if (payload.act !== 'agent' || !payload.sub) {\n if (mandatory) throw new AuthError('Invalid agent token')\n return null\n }\n\n return {\n email: payload.sub as string,\n act: 'agent',\n }\n }\n catch (err) {\n if (err instanceof AuthError) throw err\n if (mandatory) throw new AuthError('JWT verification failed')\n return null\n }\n}\n","import type { OpenApeGrant, GrantType } from '@openape/core'\n\n/**\n * Client for the IdP's grant management API.\n * Creates grant requests and polls for approval.\n */\nexport class GrantsClient {\n private idpUrl: string\n private agentToken: string | undefined\n\n constructor(idpUrl: string) {\n this.idpUrl = idpUrl.replace(/\\/$/, '')\n }\n\n setAgentToken(token: string): void {\n this.agentToken = token\n }\n\n private headers(): Record<string, string> {\n const h: Record<string, string> = { 'Content-Type': 'application/json' }\n if (this.agentToken) {\n h.Authorization = `Bearer ${this.agentToken}`\n }\n return h\n }\n\n /**\n * Create a grant request on the IdP.\n */\n async requestGrant(opts: {\n requester: string\n targetHost: string\n audience: string\n grantType: GrantType\n permissions?: string[]\n reason?: string\n requestHash?: string\n duration?: number\n }): Promise<OpenApeGrant> {\n const res = await fetch(`${this.idpUrl}/api/grants`, {\n method: 'POST',\n headers: this.headers(),\n body: JSON.stringify({\n requester: opts.requester,\n target_host: opts.targetHost,\n audience: opts.audience,\n grant_type: opts.grantType,\n permissions: opts.permissions,\n reason: opts.reason,\n request_hash: opts.requestHash,\n duration: opts.duration,\n }),\n })\n\n if (!res.ok) {\n throw new Error(`Grant request failed: ${res.status} ${await res.text()}`)\n }\n\n return res.json() as Promise<OpenApeGrant>\n }\n\n /**\n * Poll a grant until it's approved, denied, or timeout.\n */\n async waitForApproval(\n grantId: string,\n timeoutMs: number = 300_000,\n pollIntervalMs: number = 2_000,\n ): Promise<OpenApeGrant> {\n const deadline = Date.now() + timeoutMs\n\n while (Date.now() < deadline) {\n const res = await fetch(`${this.idpUrl}/api/grants/${grantId}`, {\n headers: this.headers(),\n })\n\n if (!res.ok) {\n throw new Error(`Grant poll failed: ${res.status}`)\n }\n\n const grant = await res.json() as OpenApeGrant\n if (grant.status !== 'pending') {\n return grant\n }\n\n await new Promise(r => setTimeout(r, pollIntervalMs))\n }\n\n throw new Error(`Grant approval timed out after ${timeoutMs}ms`)\n }\n\n /**\n * Check if there's an existing approved grant for a host+audience+permissions combo.\n * Ignores `once` grants (they're single-use).\n */\n async findExistingGrant(\n requester: string,\n targetHost: string,\n audience: string,\n permissions?: string[],\n ): Promise<OpenApeGrant | null> {\n const params = new URLSearchParams({\n requester,\n status: 'approved',\n })\n\n const res = await fetch(`${this.idpUrl}/api/grants?${params}`, {\n headers: this.headers(),\n })\n\n if (!res.ok) return null\n\n const grants = await res.json() as OpenApeGrant[]\n const now = Math.floor(Date.now() / 1000)\n\n return grants.find((g) => {\n if (g.status !== 'approved') return false\n if (g.expires_at && g.expires_at <= now) return false\n if (g.request?.grant_type === 'once') return false\n if (g.request?.target_host !== targetHost) return false\n if (g.request?.audience !== audience) return false\n if (permissions?.length && g.request?.permissions?.length) {\n const grantedPerms = new Set(g.request.permissions)\n if (!permissions.every(p => grantedPerms.has(p))) return false\n }\n return true\n }) ?? null\n }\n}\n","import { appendFileSync } from 'node:fs'\nimport type { AuditEntry } from './types.js'\n\nlet auditPath: string | undefined\n\nexport function initAudit(path?: string): void {\n auditPath = path\n}\n\nexport function writeAudit(entry: AuditEntry): void {\n const line = JSON.stringify(entry)\n\n // Always log to stderr\n console.error(`[audit] ${entry.action} ${entry.method} ${entry.domain}${entry.path}${entry.grant_id ? ` grant=${entry.grant_id}` : ''}`)\n\n // Write to file if configured\n if (auditPath) {\n appendFileSync(auditPath, `${line}\\n`)\n }\n}\n","import { resolve4, resolve6 } from 'node:dns/promises'\nimport { isIP } from 'node:net'\n\nconst PRIVATE_RANGES_V4 = [\n { prefix: 0x7F000000, mask: 0xFF000000 }, // 127.0.0.0/8\n { prefix: 0x0A000000, mask: 0xFF000000 }, // 10.0.0.0/8\n { prefix: 0xAC100000, mask: 0xFFF00000 }, // 172.16.0.0/12\n { prefix: 0xC0A80000, mask: 0xFFFF0000 }, // 192.168.0.0/16\n { prefix: 0xA9FE0000, mask: 0xFFFF0000 }, // 169.254.0.0/16\n { prefix: 0x00000000, mask: 0xFF000000 }, // 0.0.0.0/8\n]\n\nfunction ipv4ToNumber(ip: string): number {\n const parts = ip.split('.').map(Number)\n return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0\n}\n\nfunction isPrivateIPv4(ip: string): boolean {\n const num = ipv4ToNumber(ip)\n return PRIVATE_RANGES_V4.some(r => ((num & r.mask) >>> 0) === r.prefix)\n}\n\nfunction isPrivateIPv6(ip: string): boolean {\n const normalized = ip.toLowerCase()\n\n // Loopback ::1\n if (normalized === '::1') return true\n\n // Unspecified ::\n if (normalized === '::') return true\n\n // Link-local fe80::/10\n if (normalized.startsWith('fe8') || normalized.startsWith('fe9')\n || normalized.startsWith('fea') || normalized.startsWith('feb')) {\n return true\n }\n\n // Unique local fd00::/8\n if (normalized.startsWith('fd')) return true\n\n // IPv4-mapped ::ffff:x.x.x.x\n const v4mapped = normalized.match(/^::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)$/)\n if (v4mapped) return isPrivateIPv4(v4mapped[1])\n\n return false\n}\n\nfunction isPrivateIP(ip: string): boolean {\n if (isIP(ip) === 4) return isPrivateIPv4(ip)\n if (isIP(ip) === 6) return isPrivateIPv6(ip)\n return false\n}\n\n/**\n * Check if a hostname resolves to a private or loopback IP.\n * If the hostname is already an IP literal, check directly.\n * Otherwise, resolve via DNS and check all results.\n */\nexport async function isPrivateOrLoopback(hostname: string): Promise<boolean> {\n // Direct IP literal\n if (isIP(hostname)) {\n return isPrivateIP(hostname)\n }\n\n // localhost shortcut\n if (hostname === 'localhost') return true\n\n // DNS resolution — check both A and AAAA records\n try {\n const [v4, v6] = await Promise.allSettled([\n resolve4(hostname),\n resolve6(hostname),\n ])\n const addrs: string[] = []\n if (v4.status === 'fulfilled') addrs.push(...v4.value)\n if (v6.status === 'fulfilled') addrs.push(...v6.value)\n\n if (addrs.length === 0) return true // no records — block to be safe\n return addrs.some(addr => isPrivateIP(addr))\n }\n catch {\n // DNS failure — block to be safe\n return true\n }\n}\n","import type { IncomingMessage } from 'node:http'\nimport type { Socket } from 'node:net'\nimport { connect } from 'node:net'\nimport type { MultiAgentProxyConfig } from './types.js'\nimport { AuthError, verifyAgentAuth } from './auth.js'\nimport { isPrivateOrLoopback } from './ssrf.js'\nimport { writeAudit } from './audit.js'\n\n/**\n * Handle HTTP CONNECT requests for tunneling (used by HTTP_PROXY clients).\n * Flow: Auth check → SSRF check → TCP connect → bidirectional pipe.\n */\nexport async function handleConnect(\n config: MultiAgentProxyConfig,\n req: IncomingMessage,\n clientSocket: Socket,\n _head: Buffer,\n): Promise<void> {\n const target = req.url ?? ''\n const [host, portStr] = target.split(':')\n const port = Number.parseInt(portStr || '443')\n\n if (!host || !port) {\n clientSocket.write('HTTP/1.1 400 Bad Request\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n\n const mandatoryAuth = config.proxy.mandatory_auth ?? false\n\n // Auth check — CONNECT always requires auth in mandatory mode\n let agentEmail: string | undefined\n try {\n const authHeader = req.headers['proxy-authorization'] as string | undefined\n let identity: { email: string, act: 'agent' } | null = null\n\n for (const agentConf of config.agents) {\n identity = await verifyAgentAuth(\n authHeader ?? null,\n agentConf.idp_url,\n mandatoryAuth && config.agents.length === 1,\n )\n if (identity) break\n }\n\n if (mandatoryAuth && !identity) {\n throw new AuthError('JWT required')\n }\n\n agentEmail = identity?.email\n\n // Verify agent is known\n if (agentEmail) {\n const known = config.agents.find(a => a.email === agentEmail)\n if (!known) {\n clientSocket.write('HTTP/1.1 403 Forbidden\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n }\n else if (config.agents.length > 1) {\n throw new AuthError('JWT required for multi-agent proxy')\n }\n }\n catch (err) {\n if (err instanceof AuthError) {\n clientSocket.write('HTTP/1.1 401 Unauthorized\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n throw err\n }\n\n // SSRF check\n if (await isPrivateOrLoopback(host)) {\n writeAudit({\n ts: new Date().toISOString(),\n agent: agentEmail ?? config.agents[0]?.email ?? 'unknown',\n action: 'deny',\n domain: host,\n method: 'CONNECT',\n path: target,\n rule: 'ssrf-blocked',\n })\n clientSocket.write('HTTP/1.1 403 Forbidden\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n\n // Connect to target\n const targetSocket = connect(port, host, () => {\n clientSocket.write('HTTP/1.1 200 Connection Established\\r\\n\\r\\n')\n\n // Bidirectional pipe\n targetSocket.pipe(clientSocket)\n clientSocket.pipe(targetSocket)\n })\n\n targetSocket.on('error', () => {\n clientSocket.write('HTTP/1.1 502 Bad Gateway\\r\\n\\r\\n')\n clientSocket.destroy()\n })\n\n clientSocket.on('error', () => {\n targetSocket.destroy()\n })\n\n // Cleanup on close\n clientSocket.on('close', () => targetSocket.destroy())\n targetSocket.on('close', () => clientSocket.destroy())\n}\n"],"mappings":";;;;AACA,uBAA6B;AAC7B,uBAA0B;;;ACF1B,qBAA6B;AAC7B,uBAAmC;AAkC5B,SAAS,qBAAqB,MAAc,WAAgE;AACjH,QAAM,UAAM,6BAAa,MAAM,OAAO;AAEtC,MAAI;AACJ,MAAI,KAAK,SAAS,OAAO,GAAG;AAC1B,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,OACK;AACH,iBAAS,iBAAAA,OAAU,GAAG;AAAA,EACxB;AAEA,QAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,OAAO,QAAQ;AAClB,UAAM,IAAI,MAAM,sCAAsC;AAAA,EACxD;AAEA,QAAM,YAA4C;AAAA,IAChD,QAAQ,MAAM;AAAA,IACd,gBAAiB,MAAM,kBAAuE;AAAA,IAC9F,WAAW,MAAM;AAAA,IACjB,gBAAgB,WAAW,iBAAkB,MAAM;AAAA,EACrD;AAGA,MAAI,MAAM,QAAQ,OAAO,MAAM,GAAG;AAChC,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,OAAO;AAAA,IACjB;AAAA,EACF;AAGA,QAAM,SAAS,MAAM;AACrB,QAAM,aAAa,MAAM;AACzB,MAAI,CAAC,UAAU,CAAC,YAAY;AAC1B,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AAEA,SAAO;AAAA,IACL,OAAO;AAAA,IACP,QAAQ,CAAC;AAAA,MACP,OAAO;AAAA,MACP,SAAS;AAAA,MACT,OAAQ,OAAO,SAAS,CAAC;AAAA,MACzB,MAAO,OAAO,QAAQ,CAAC;AAAA,MACvB,gBAAiB,OAAO,kBAAkB,CAAC;AAAA,IAC7C,CAAC;AAAA,EACH;AACF;;;ACjFA,yBAA2B;;;ACI3B,SAAS,UAAU,SAAiB,OAAwB;AAE1D,QAAM,QAAQ,IAAI;AAAA,IAChB,IACE,QACG,QAAQ,qBAAqB,MAAM,EACnC,QAAQ,SAAS,kBAAkB,EACnC,QAAQ,OAAO,OAAO,EACtB,QAAQ,qBAAqB,IAAI,CACtC;AAAA,EACF;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,YAAY,MAAiB,QAAgB,QAAgB,MAAuB;AAE3F,MAAI,CAAC,UAAU,KAAK,QAAQ,MAAM,EAAG,QAAO;AAG5C,MAAI,KAAK,WAAW,KAAK,QAAQ,SAAS,GAAG;AAC3C,QAAI,CAAC,KAAK,QAAQ,SAAS,OAAO,YAAY,CAAC,EAAG,QAAO;AAAA,EAC3D;AAGA,MAAI,KAAK,MAAM;AACb,QAAI,CAAC,UAAU,KAAK,MAAM,IAAI,EAAG,QAAO;AAAA,EAC1C;AAEA,SAAO;AACT;AAKO,SAAS,cACdC,SACA,QACA,QACA,MACY;AAEZ,aAAW,QAAQA,QAAO,MAAM;AAC9B,QAAI,YAAY,MAAM,QAAQ,QAAQ,IAAI,GAAG;AAC3C,aAAO,EAAE,MAAM,QAAQ,MAAM,KAAK,KAAK;AAAA,IACzC;AAAA,EACF;AAGA,aAAW,QAAQA,QAAO,OAAO;AAC/B,QAAI,YAAY,MAAM,QAAQ,QAAQ,IAAI,GAAG;AAC3C,aAAO,EAAE,MAAM,QAAQ;AAAA,IACzB;AAAA,EACF;AAGA,aAAW,QAAQA,QAAO,gBAAgB;AACxC,QAAI,YAAY,MAAM,QAAQ,QAAQ,IAAI,GAAG;AAC3C,aAAO,EAAE,MAAM,kBAAkB,KAAK;AAAA,IACxC;AAAA,EACF;AAGA,MAAIA,QAAO,MAAM,mBAAmB,SAAS;AAC3C,WAAO,EAAE,MAAM,QAAQ,MAAM,oCAAoC;AAAA,EACnE;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM;AAAA,MACJ,QAAQ;AAAA,MACR,YAAY;AAAA,IACd;AAAA,EACF;AACF;;;AC/EA,kBAA4C;AAOrC,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOA,eAAsB,gBACpB,YACA,QACA,YAAqB,OACU;AAC/B,MAAI,CAAC,YAAY;AACf,QAAI,UAAW,OAAM,IAAI,UAAU,cAAc;AACjD,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,WAAW,MAAM,gBAAgB;AAC/C,MAAI,CAAC,OAAO;AACV,QAAI,UAAW,OAAM,IAAI,UAAU,8BAA8B;AACjE,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,MAAM,CAAC;AAErB,MAAI;AACF,UAAM,WAAO,8BAAiB,GAAG,MAAM,wBAAwB;AAC/D,UAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,MAAM,EAAE,QAAQ,OAAO,CAAC;AAEnE,QAAI,QAAQ,QAAQ,WAAW,CAAC,QAAQ,KAAK;AAC3C,UAAI,UAAW,OAAM,IAAI,UAAU,qBAAqB;AACxD,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL,OAAO,QAAQ;AAAA,MACf,KAAK;AAAA,IACP;AAAA,EACF,SACO,KAAK;AACV,QAAI,eAAe,UAAW,OAAM;AACpC,QAAI,UAAW,OAAM,IAAI,UAAU,yBAAyB;AAC5D,WAAO;AAAA,EACT;AACF;;;AClDO,IAAM,eAAN,MAAmB;AAAA,EAChB;AAAA,EACA;AAAA,EAER,YAAY,QAAgB;AAC1B,SAAK,SAAS,OAAO,QAAQ,OAAO,EAAE;AAAA,EACxC;AAAA,EAEA,cAAc,OAAqB;AACjC,SAAK,aAAa;AAAA,EACpB;AAAA,EAEQ,UAAkC;AACxC,UAAM,IAA4B,EAAE,gBAAgB,mBAAmB;AACvE,QAAI,KAAK,YAAY;AACnB,QAAE,gBAAgB,UAAU,KAAK,UAAU;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,MASO;AACxB,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,MAAM,eAAe;AAAA,MACnD,QAAQ;AAAA,MACR,SAAS,KAAK,QAAQ;AAAA,MACtB,MAAM,KAAK,UAAU;AAAA,QACnB,WAAW,KAAK;AAAA,QAChB,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK;AAAA,QACf,YAAY,KAAK;AAAA,QACjB,aAAa,KAAK;AAAA,QAClB,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,QACnB,UAAU,KAAK;AAAA,MACjB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,IAAI,MAAM,IAAI,KAAK,CAAC,EAAE;AAAA,IAC3E;AAEA,WAAO,IAAI,KAAK;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBACJ,SACA,YAAoB,KACpB,iBAAyB,KACF;AACvB,UAAM,WAAW,KAAK,IAAI,IAAI;AAE9B,WAAO,KAAK,IAAI,IAAI,UAAU;AAC5B,YAAM,MAAM,MAAM,MAAM,GAAG,KAAK,MAAM,eAAe,OAAO,IAAI;AAAA,QAC9D,SAAS,KAAK,QAAQ;AAAA,MACxB,CAAC;AAED,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI,MAAM,sBAAsB,IAAI,MAAM,EAAE;AAAA,MACpD;AAEA,YAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAI,MAAM,WAAW,WAAW;AAC9B,eAAO;AAAA,MACT;AAEA,YAAM,IAAI,QAAQ,OAAK,WAAW,GAAG,cAAc,CAAC;AAAA,IACtD;AAEA,UAAM,IAAI,MAAM,kCAAkC,SAAS,IAAI;AAAA,EACjE;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,kBACJ,WACA,YACA,UACA,aAC8B;AAC9B,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,MAAM,eAAe,MAAM,IAAI;AAAA,MAC7D,SAAS,KAAK,QAAQ;AAAA,IACxB,CAAC;AAED,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,SAAS,MAAM,IAAI,KAAK;AAC9B,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,WAAO,OAAO,KAAK,CAAC,MAAM;AACxB,UAAI,EAAE,WAAW,WAAY,QAAO;AACpC,UAAI,EAAE,cAAc,EAAE,cAAc,IAAK,QAAO;AAChD,UAAI,EAAE,SAAS,eAAe,OAAQ,QAAO;AAC7C,UAAI,EAAE,SAAS,gBAAgB,WAAY,QAAO;AAClD,UAAI,EAAE,SAAS,aAAa,SAAU,QAAO;AAC7C,UAAI,aAAa,UAAU,EAAE,SAAS,aAAa,QAAQ;AACzD,cAAM,eAAe,IAAI,IAAI,EAAE,QAAQ,WAAW;AAClD,YAAI,CAAC,YAAY,MAAM,OAAK,aAAa,IAAI,CAAC,CAAC,EAAG,QAAO;AAAA,MAC3D;AACA,aAAO;AAAA,IACT,CAAC,KAAK;AAAA,EACR;AACF;;;AChIA,IAAAC,kBAA+B;AAG/B,IAAI;AAEG,SAAS,UAAU,MAAqB;AAC7C,cAAY;AACd;AAEO,SAAS,WAAW,OAAyB;AAClD,QAAM,OAAO,KAAK,UAAU,KAAK;AAGjC,UAAQ,MAAM,WAAW,MAAM,MAAM,IAAI,MAAM,MAAM,IAAI,MAAM,MAAM,GAAG,MAAM,IAAI,GAAG,MAAM,WAAW,UAAU,MAAM,QAAQ,KAAK,EAAE,EAAE;AAGvI,MAAI,WAAW;AACb,wCAAe,WAAW,GAAG,IAAI;AAAA,CAAI;AAAA,EACvC;AACF;;;ACnBA,sBAAmC;AACnC,sBAAqB;AAErB,IAAM,oBAAoB;AAAA,EACxB,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,WAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,GAAY,MAAM,WAAW;AAAA;AACzC;AAEA,SAAS,aAAa,IAAoB;AACxC,QAAM,QAAQ,GAAG,MAAM,GAAG,EAAE,IAAI,MAAM;AACtC,UAAS,MAAM,CAAC,KAAK,KAAO,MAAM,CAAC,KAAK,KAAO,MAAM,CAAC,KAAK,IAAK,MAAM,CAAC,OAAO;AAChF;AAEA,SAAS,cAAc,IAAqB;AAC1C,QAAM,MAAM,aAAa,EAAE;AAC3B,SAAO,kBAAkB,KAAK,QAAO,MAAM,EAAE,UAAU,MAAO,EAAE,MAAM;AACxE;AAEA,SAAS,cAAc,IAAqB;AAC1C,QAAM,aAAa,GAAG,YAAY;AAGlC,MAAI,eAAe,MAAO,QAAO;AAGjC,MAAI,eAAe,KAAM,QAAO;AAGhC,MAAI,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,KAAK,KAC1D,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,KAAK,GAAG;AACjE,WAAO;AAAA,EACT;AAGA,MAAI,WAAW,WAAW,IAAI,EAAG,QAAO;AAGxC,QAAM,WAAW,WAAW,MAAM,+BAA+B;AACjE,MAAI,SAAU,QAAO,cAAc,SAAS,CAAC,CAAC;AAE9C,SAAO;AACT;AAEA,SAAS,YAAY,IAAqB;AACxC,UAAI,sBAAK,EAAE,MAAM,EAAG,QAAO,cAAc,EAAE;AAC3C,UAAI,sBAAK,EAAE,MAAM,EAAG,QAAO,cAAc,EAAE;AAC3C,SAAO;AACT;AAOA,eAAsB,oBAAoBC,WAAoC;AAE5E,UAAI,sBAAKA,SAAQ,GAAG;AAClB,WAAO,YAAYA,SAAQ;AAAA,EAC7B;AAGA,MAAIA,cAAa,YAAa,QAAO;AAGrC,MAAI;AACF,UAAM,CAAC,IAAI,EAAE,IAAI,MAAM,QAAQ,WAAW;AAAA,UACxC,0BAASA,SAAQ;AAAA,UACjB,0BAASA,SAAQ;AAAA,IACnB,CAAC;AACD,UAAM,QAAkB,CAAC;AACzB,QAAI,GAAG,WAAW,YAAa,OAAM,KAAK,GAAG,GAAG,KAAK;AACrD,QAAI,GAAG,WAAW,YAAa,OAAM,KAAK,GAAG,GAAG,KAAK;AAErD,QAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,WAAO,MAAM,KAAK,UAAQ,YAAY,IAAI,CAAC;AAAA,EAC7C,QACM;AAEJ,WAAO;AAAA,EACT;AACF;;;AClFA,IAAAC,mBAAwB;AAUxB,eAAsB,cACpBC,SACA,KACA,cACA,OACe;AACf,QAAM,SAAS,IAAI,OAAO;AAC1B,QAAM,CAAC,MAAM,OAAO,IAAI,OAAO,MAAM,GAAG;AACxC,QAAMC,QAAO,OAAO,SAAS,WAAW,KAAK;AAE7C,MAAI,CAAC,QAAQ,CAACA,OAAM;AAClB,iBAAa,MAAM,kCAAkC;AACrD,iBAAa,QAAQ;AACrB;AAAA,EACF;AAEA,QAAM,gBAAgBD,QAAO,MAAM,kBAAkB;AAGrD,MAAI;AACJ,MAAI;AACF,UAAM,aAAa,IAAI,QAAQ,qBAAqB;AACpD,QAAI,WAAmD;AAEvD,eAAW,aAAaA,QAAO,QAAQ;AACrC,iBAAW,MAAM;AAAA,QACf,cAAc;AAAA,QACd,UAAU;AAAA,QACV,iBAAiBA,QAAO,OAAO,WAAW;AAAA,MAC5C;AACA,UAAI,SAAU;AAAA,IAChB;AAEA,QAAI,iBAAiB,CAAC,UAAU;AAC9B,YAAM,IAAI,UAAU,cAAc;AAAA,IACpC;AAEA,iBAAa,UAAU;AAGvB,QAAI,YAAY;AACd,YAAM,QAAQA,QAAO,OAAO,KAAK,OAAK,EAAE,UAAU,UAAU;AAC5D,UAAI,CAAC,OAAO;AACV,qBAAa,MAAM,gCAAgC;AACnD,qBAAa,QAAQ;AACrB;AAAA,MACF;AAAA,IACF,WACSA,QAAO,OAAO,SAAS,GAAG;AACjC,YAAM,IAAI,UAAU,oCAAoC;AAAA,IAC1D;AAAA,EACF,SACO,KAAK;AACV,QAAI,eAAe,WAAW;AAC5B,mBAAa,MAAM,mCAAmC;AACtD,mBAAa,QAAQ;AACrB;AAAA,IACF;AACA,UAAM;AAAA,EACR;AAGA,MAAI,MAAM,oBAAoB,IAAI,GAAG;AACnC,eAAW;AAAA,MACT,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,OAAO,cAAcA,QAAO,OAAO,CAAC,GAAG,SAAS;AAAA,MAChD,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,MAAM;AAAA,IACR,CAAC;AACD,iBAAa,MAAM,gCAAgC;AACnD,iBAAa,QAAQ;AACrB;AAAA,EACF;AAGA,QAAM,mBAAe,0BAAQC,OAAM,MAAM,MAAM;AAC7C,iBAAa,MAAM,6CAA6C;AAGhE,iBAAa,KAAK,YAAY;AAC9B,iBAAa,KAAK,YAAY;AAAA,EAChC,CAAC;AAED,eAAa,GAAG,SAAS,MAAM;AAC7B,iBAAa,MAAM,kCAAkC;AACrD,iBAAa,QAAQ;AAAA,EACvB,CAAC;AAED,eAAa,GAAG,SAAS,MAAM;AAC7B,iBAAa,QAAQ;AAAA,EACvB,CAAC;AAGD,eAAa,GAAG,SAAS,MAAM,aAAa,QAAQ,CAAC;AACrD,eAAa,GAAG,SAAS,MAAM,aAAa,QAAQ,CAAC;AACvD;;;AN9FA,eAAe,mBAAmB,QAAgB,WAAmB,MAA2C;AAC9G,QAAM,WAAO,+BAAW,QAAQ;AAChC,OAAK,OAAO,GAAG,MAAM,IAAI,SAAS;AAAA,CAAI;AACtC,MAAI,QAAQ,KAAK,aAAa,GAAG;AAC/B,SAAK,OAAO,IAAI,WAAW,IAAI,CAAC;AAAA,EAClC;AACA,SAAO,KAAK,OAAO,KAAK;AAC1B;AAuBO,SAAS,sBAAsBC,SAA+B;AACnE,QAAM,gBAAgB,oBAAI,IAA0B;AACpD,aAAW,SAASA,QAAO,QAAQ;AACjC,kBAAc,IAAI,MAAM,OAAO,IAAI,aAAa,MAAM,OAAO,CAAC;AAAA,EAChE;AAEA,QAAM,gBAAgBA,QAAO,MAAM,kBAAkB;AAErD,SAAO;AAAA,IACL,MAAM,OAAO,SAASA,QAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK,MAAM;AAAA,IACjE,UAAUA,QAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK;AAAA,IAE/C,MAAM,MAAM,KAAiC;AAC3C,YAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,YAAM,YAAY,KAAK,IAAI;AAG3B,UAAI,IAAI,aAAa,YAAY;AAC/B,eAAO,SAAS,KAAK;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQA,QAAO,OAAO,IAAI,OAAK,EAAE,KAAK;AAAA,QACxC,CAAC;AAAA,MACH;AAGA,YAAM,YAAY,IAAI,SAAS,MAAM,CAAC,IAAI,IAAI;AAC9C,UAAI;AACJ,UAAI;AACF,uBAAe,IAAI,IAAI,SAAS;AAAA,MAClC,QACM;AACJ,eAAO,IAAI;AAAA,UACT;AAAA,UACA,EAAE,QAAQ,IAAI;AAAA,QAChB;AAAA,MACF;AAEA,YAAM,SAAS,aAAa;AAC5B,YAAM,SAAS,IAAI;AACnB,YAAM,OAAO,aAAa;AAG1B,UAAI,MAAM,oBAAoB,MAAM,GAAG;AACrC,eAAO,IAAI,SAAS,gCAAgC,EAAE,QAAQ,IAAI,CAAC;AAAA,MACrE;AAGA,YAAM,aAAa,IAAI,OAAO,MAAM,IAAI,YAAY,IAAI;AAKxD,UAAI,gBAAwD;AAC5D,UAAI;AACF,mBAAWC,cAAaD,QAAO,QAAQ;AACrC,0BAAgB,MAAM;AAAA,YACpB,IAAI,QAAQ,IAAI,qBAAqB;AAAA,YACrCC,WAAU;AAAA,YACV,iBAAiBD,QAAO,OAAO,WAAW;AAAA,UAC5C;AACA,cAAI,cAAe;AAAA,QACrB;AAGA,YAAI,iBAAiB,CAAC,eAAe;AACnC,gBAAM,IAAI,UAAU,cAAc;AAAA,QACpC;AAAA,MACF,SACO,KAAK;AACV,YAAI,eAAe,WAAW;AAC5B,iBAAO,IAAI,SAAS,iBAAiB,IAAI,OAAO,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,QACrE;AACA,cAAM;AAAA,MACR;AAGA,YAAM,aAAa,eAAe;AAClC,UAAI;AAEJ,UAAI,YAAY;AACd,oBAAYA,QAAO,OAAO,KAAK,OAAK,EAAE,UAAU,UAAU;AAC1D,YAAI,CAAC,WAAW;AACd,iBAAO,IAAI,SAAS,4BAA4B,UAAU,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,QAC/E;AAAA,MACF,WACSA,QAAO,OAAO,WAAW,GAAG;AAEnC,oBAAYA,QAAO,OAAO,CAAC;AAAA,MAC7B,OACK;AACH,eAAO,IAAI,SAAS,oDAAoD,EAAE,QAAQ,IAAI,CAAC;AAAA,MACzF;AAEA,YAAM,iBAAiB,cAAc,UAAU;AAC/C,YAAM,eAAe,cAAc,IAAI,UAAU,KAAK;AAGtD,YAAM,cAA2B;AAAA,QAC/B,OAAO;AAAA,UACL,QAAQA,QAAO,MAAM;AAAA,UACrB,SAAS,UAAU;AAAA,UACnB,aAAa,UAAU;AAAA,UACvB,gBAAgBA,QAAO,MAAM;AAAA,QAC/B;AAAA,QACA,OAAO,UAAU,SAAS,CAAC;AAAA,QAC3B,MAAM,UAAU,QAAQ,CAAC;AAAA,QACzB,gBAAgB,UAAU,kBAAkB,CAAC;AAAA,MAC/C;AAGA,YAAM,SAAS,cAAc,aAAa,QAAQ,QAAQ,IAAI;AAE9D,YAAM,YAAiD;AAAA,QACrD,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC3B,OAAO;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAGA,UAAI,OAAO,SAAS,QAAQ;AAC1B,mBAAW,EAAE,GAAG,WAAW,QAAQ,QAAQ,MAAM,aAAa,UAAU,KAAK,CAAC;AAC9E,eAAO,IAAI,SAAS,YAAY,OAAO,QAAQ,WAAW,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC/E;AAGA,UAAI,OAAO,SAAS,SAAS;AAC3B,mBAAW,EAAE,GAAG,WAAW,QAAQ,SAAS,MAAM,cAAc,UAAU,KAAK,CAAC;AAChF,eAAO,eAAe,KAAK,WAAW,UAAU;AAAA,MAClD;AAGA,YAAM,OAAO,OAAO;AACpB,YAAM,cAAc,KAAK,eAAe,CAAC,GAAG,OAAO,YAAY,CAAC,IAAI,MAAM,EAAE;AAG5E,YAAM,cAAc,MAAM,mBAAmB,QAAQ,WAAW,UAAU;AAG1E,YAAM,WAAW,MAAM,aAAa;AAAA,QAClC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,MAAM,MAAM,IAAI;AAElB,UAAI,UAAU;AACZ,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,UAAU,SAAS;AAAA,UACnB,cAAc;AAAA,QAChB,CAAC;AACD,eAAO,eAAe,KAAK,WAAW,UAAU;AAAA,MAClD;AAGA,UAAIA,QAAO,MAAM,mBAAmB,SAAS;AAC3C,mBAAW,EAAE,GAAG,WAAW,QAAQ,QAAQ,MAAM,yBAAyB,UAAU,KAAK,CAAC;AAC1F,eAAO,IAAI,SAAS,2BAAsB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC3D;AAEA,UAAIA,QAAO,MAAM,mBAAmB,iBAAiB;AAEnD,cAAM,QAAQ,MAAM,aAAa,aAAa;AAAA,UAC5C,WAAW;AAAA,UACX,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,WAAW,KAAK;AAAA,UAChB;AAAA,UACA,QAAQ,GAAG,MAAM,IAAI,SAAS;AAAA,UAC9B;AAAA,UACA,UAAU,KAAK;AAAA,QACjB,CAAC,EAAE,MAAM,MAAM,IAAI;AAEnB,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,UAAU,OAAO,MAAM;AAAA,QACzB,CAAC;AAED,eAAO,IAAI;AAAA,UACT,KAAK,UAAU;AAAA,YACb,OAAO;AAAA,YACP,UAAU,OAAO;AAAA,YACjB,SAAS;AAAA,UACX,CAAC;AAAA,UACD,EAAE,QAAQ,KAAK,SAAS,EAAE,gBAAgB,mBAAmB,EAAE;AAAA,QACjE;AAAA,MACF;AAGA,cAAQ,MAAM,gCAAgC,MAAM,IAAI,MAAM,GAAG,IAAI,iCAA4B;AAEjG,UAAI;AACF,cAAM,QAAQ,MAAM,aAAa,aAAa;AAAA,UAC5C,WAAW;AAAA,UACX,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,WAAW,KAAK;AAAA,UAChB;AAAA,UACA,QAAQ,GAAG,MAAM,IAAI,SAAS;AAAA,UAC9B;AAAA,UACA,UAAU,KAAK;AAAA,QACjB,CAAC;AAED,cAAM,WAAW,MAAM,aAAa,gBAAgB,MAAM,EAAE;AAE5D,cAAM,WAAW,KAAK,IAAI,IAAI;AAE9B,YAAI,SAAS,WAAW,YAAY;AAClC,qBAAW;AAAA,YACT,GAAG;AAAA,YACH,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,UAAU,SAAS;AAAA,YACnB,cAAc;AAAA,YACd,WAAW;AAAA,UACb,CAAC;AACD,iBAAO,eAAe,KAAK,WAAW,UAAU;AAAA,QAClD;AAEA,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,UAAU,SAAS;AAAA,UACnB,WAAW;AAAA,QACb,CAAC;AACD,eAAO,IAAI,SAAS,mBAAmB,SAAS,UAAU,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC/E,SACO,KAAK;AACV,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AACjD,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,OAAO;AAAA,QACT,CAAC;AACD,eAAO,IAAI,SAAS,yBAAyB,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;AAMO,SAAS,kBAAkBA,SAGhC;AACA,QAAM,QAAQ,sBAAsBA,OAAM;AAE1C,SAAO;AAAA,IACL,cAAc,KAAsB,KAAqB;AAEvD,YAAM,MAAM,UAAU,IAAI,QAAQ,QAAQ,WAAW,GAAG,IAAI,OAAO,GAAG;AACtE,YAAM,SAAmB,CAAC;AAE1B,UAAI,GAAG,QAAQ,CAAC,UAAkB,OAAO,KAAK,KAAK,CAAC;AACpD,UAAI,GAAG,OAAO,YAAY;AACxB,YAAI;AACF,gBAAM,OAAO,OAAO,SAAS,IAAI,OAAO,OAAO,MAAM,IAAI;AACzD,gBAAM,UAAU,IAAI,QAAQ;AAC5B,qBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,IAAI,OAAO,GAAG;AACtD,gBAAI,OAAO;AACT,sBAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,YAClE;AAAA,UACF;AAEA,gBAAM,UAAU,IAAI,QAAQ,KAAK;AAAA,YAC/B,QAAQ,IAAI;AAAA,YACZ;AAAA,YACA,MAAM,QAAQ,IAAI,WAAW,SAAS,IAAI,WAAW,SAAS,OAAO;AAAA,YACrE,QAAQ;AAAA,UACV,CAAgB;AAEhB,gBAAM,WAAW,MAAM,MAAM,MAAM,OAAO;AAE1C,cAAI,UAAU,SAAS,QAAQ,SAAS,YAAY,OAAO,YAAY,SAAS,OAAO,CAAC;AACxF,cAAI,SAAS,MAAM;AACjB,kBAAM,SAAS,SAAS,KAAK,UAAU;AACvC,kBAAM,OAAO,YAA2B;AACtC,oBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,kBAAI,MAAM;AACR,oBAAI,IAAI;AACR;AAAA,cACF;AACA,kBAAI,MAAM,KAAK;AACf,qBAAO,KAAK;AAAA,YACd;AACA,kBAAM,KAAK;AAAA,UACb,OACK;AACH,gBAAI,IAAI;AAAA,UACV;AAAA,QACF,QACM;AACJ,cAAI,UAAU,GAAG;AACjB,cAAI,IAAI,aAAa;AAAA,QACvB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,IAEA,cAAc,KAAsB,QAAgB,MAAc;AAChE,oBAAcA,SAAQ,KAAK,QAAQ,IAAI;AAAA,IACzC;AAAA,EACF;AACF;AAMA,eAAe,eAAe,aAAsB,WAAmB,YAAoD;AACzH,QAAM,UAAU,IAAI,QAAQ,YAAY,OAAO;AAE/C,UAAQ,OAAO,qBAAqB;AACpC,UAAQ,OAAO,kBAAkB;AAEjC,UAAQ,OAAO,MAAM;AAErB,QAAM,OAAO,cAAc,WAAW,aAAa,IAAI,aAAa;AAEpE,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,WAAW;AAAA,MACjC,QAAQ,YAAY;AAAA,MACpB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,CAAC;AAGD,UAAM,kBAAkB,IAAI,QAAQ,IAAI,OAAO;AAE/C,oBAAgB,OAAO,mBAAmB;AAC1C,oBAAgB,OAAO,YAAY;AAEnC,WAAO,IAAI,SAAS,IAAI,MAAM;AAAA,MAC5B,QAAQ,IAAI;AAAA,MACZ,YAAY,IAAI;AAAA,MAChB,SAAS;AAAA,IACX,CAAC;AAAA,EACH,SACO,KAAK;AACV,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AACjD,WAAO,IAAI,SAAS,gBAAgB,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5D;AACF;;;AFzYA,IAAM,EAAE,OAAO,QAAI,4BAAU;AAAA,EAC3B,SAAS;AAAA,IACP,QAAQ,EAAE,MAAM,UAAU,OAAO,KAAK,SAAS,cAAc;AAAA,IAC7D,WAAW,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,IAC7C,kBAAkB,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,EACtD;AACF,CAAC;AAED,IAAM,aAAa,OAAO;AAE1B,QAAQ,IAAI,uCAAuC,UAAU,EAAE;AAC/D,IAAM,SAAS,qBAAqB,YAAY;AAAA,EAC9C,eAAe,OAAO,gBAAgB,KAAK;AAC7C,CAAC;AAGD,UAAU,OAAO,MAAM,SAAS;AAEhC,IAAI,OAAO,SAAS,GAAG;AACrB,UAAQ,IAAI,gEAA2D;AACvE,UAAQ,IAAI,gCAAgC;AAC5C,UAAQ,IAAI,aAAa,OAAO,MAAM,MAAM,EAAE;AAC9C,UAAQ,IAAI,qBAAqB,OAAO,MAAM,cAAc,EAAE;AAC9D,UAAQ,IAAI,qBAAqB,OAAO,MAAM,kBAAkB,KAAK,EAAE;AACvE,UAAQ,IAAI,aAAa,OAAO,OAAO,MAAM,EAAE;AAC/C,aAAW,SAAS,OAAO,QAAQ;AACjC,UAAM,aAAa,MAAM,OAAO,UAAU;AAC1C,UAAM,YAAY,MAAM,MAAM,UAAU;AACxC,UAAM,aAAa,MAAM,gBAAgB,UAAU;AACnD,YAAQ,IAAI,OAAO,MAAM,KAAK,KAAK,MAAM,OAAO,YAAO,UAAU,WAAW,SAAS,UAAU,UAAU,QAAQ;AAAA,EACnH;AACA,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,UAAU,kBAAkB,MAAM;AAExC,IAAM,OAAO,OAAO,SAAS,OAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK,MAAM;AACxE,IAAM,WAAW,OAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK;AAEtD,IAAM,aAAS,+BAAa,QAAQ,aAAa;AACjD,OAAO,GAAG,WAAW,QAAQ,aAAa;AAE1C,OAAO,OAAO,MAAM,UAAU,MAAM;AAIlC,QAAM,OAAO,OAAO,QAAQ;AAC5B,QAAM,aAAa,OAAO,SAAS,YAAY,OAAO,KAAK,OAAO;AAClE,UAAQ,IAAI,uCAAuC,QAAQ,IAAI,UAAU,EAAE;AAC3E,UAAQ,IAAI,2CAA2C;AACvD,UAAQ,IAAI,mCAAmC,OAAO,MAAM,kBAAkB,KAAK,EAAE;AACrF,UAAQ,IAAI,2BAA2B,OAAO,OAAO,IAAI,OAAK,EAAE,KAAK,EAAE,KAAK,IAAI,CAAC,EAAE;AACnF,UAAQ,IAAI,mCAAmC,OAAO,MAAM,cAAc,EAAE;AAC9E,CAAC;AAGD,QAAQ,GAAG,UAAU,MAAM;AACzB,UAAQ,IAAI,oCAAoC;AAChD,SAAO,MAAM;AACb,UAAQ,KAAK,CAAC;AAChB,CAAC;AAED,QAAQ,GAAG,WAAW,MAAM;AAC1B,UAAQ,IAAI,kCAAkC;AAC9C,SAAO,MAAM;AACb,UAAQ,KAAK,CAAC;AAChB,CAAC;","names":["parseTOML","config","import_node_fs","hostname","import_node_net","config","port","config","agentConf"]}