npm - @openape/proxy - Versions diffs - 0.2.14 → 0.3.0 - Mend

@openape/proxy 0.2.14 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/index.cjs +833 -0
package/dist/index.cjs.map +1 -0
package/dist/index.js +832 -0
package/dist/index.js.map +1 -0
package/package.json +7 -2
package/.nvmrc +0 -1
package/CHANGELOG.md +0 -140
package/PLAN.md +0 -261
package/bun.lock +0 -229
package/config.toml +0 -35
package/src/audit.ts +0 -20
package/src/auth.ts +0 -57
package/src/config.ts +0 -84
package/src/connect.ts +0 -111
package/src/grants-client.ts +0 -129
package/src/index.ts +0 -69
package/src/matcher.ts +0 -80
package/src/proxy.ts +0 -401
package/src/ssrf.ts +0 -85
package/src/types.ts +0 -65
package/test/auth.test.ts +0 -57
package/test/connect.test.ts +0 -131
package/test/matcher.test.ts +0 -46
package/test/multi-agent.test.ts +0 -122
package/test/ssrf.test.ts +0 -73
package/tsconfig.json +0 -21
package/tsup.config.ts +0 -9
package/vitest.config.ts +0 -18

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/config.ts","../src/proxy.ts","../src/matcher.ts","../src/auth.ts","../src/grants-client.ts","../src/audit.ts","../src/ssrf.ts","../src/connect.ts"],"sourcesContent":["#!/usr/bin/env node\nimport { createServer } from 'node:http'\nimport { parseArgs } from 'node:util'\nimport { loadMultiAgentConfig } from './config.js'\nimport { createNodeHandler } from './proxy.js'\nimport { initAudit } from './audit.js'\n\nconst { values } = parseArgs({\n options: {\n config: { type: 'string', short: 'c', default: 'config.toml' },\n 'dry-run': { type: 'boolean', default: false },\n 'mandatory-auth': { type: 'boolean', default: false },\n },\n})\n\nconst configPath = values.config!\n\nconsole.log(`[openape-proxy] Loading config from ${configPath}`)\nconst config = loadMultiAgentConfig(configPath, {\n mandatoryAuth: values['mandatory-auth'] || undefined,\n})\n\n// Init audit log\ninitAudit(config.proxy.audit_log)\n\nif (values['dry-run']) {\n console.log('[openape-proxy] DRY RUN mode — logging only, not blocking')\n console.log('[openape-proxy] Config loaded:')\n console.log(` Listen: ${config.proxy.listen}`)\n console.log(` Default action: ${config.proxy.default_action}`)\n console.log(` Mandatory auth: ${config.proxy.mandatory_auth ?? false}`)\n console.log(` Agents: ${config.agents.length}`)\n for (const agent of config.agents) {\n const allowCount = agent.allow?.length ?? 0\n const denyCount = agent.deny?.length ?? 0\n const grantCount = agent.grant_required?.length ?? 0\n console.log(` ${agent.email} (${agent.idp_url}) — ${allowCount} allow, ${denyCount} deny, ${grantCount} grant`)\n }\n process.exit(0)\n}\n\nconst handler = createNodeHandler(config)\n\nconst port = Number.parseInt(config.proxy.listen.split(':')[1] || '9090')\nconst hostname = config.proxy.listen.split(':')[0] || '127.0.0.1'\n\nconst server = createServer(handler.handleRequest)\nserver.on('connect', handler.handleConnect)\n\nserver.listen(port, hostname, () => {\n // When configured with port 0, the OS assigns a free port — use the actual\n // bound port for the log line so external orchestrators (apes proxy --) can\n // grep this line to discover where to connect.\n const addr = server.address()\n const actualPort = typeof addr === 'object' && addr ? addr.port : port\n console.log(`[openape-proxy] Listening on http://${hostname}:${actualPort}`)\n console.log(`[openape-proxy] CONNECT tunneling enabled`)\n console.log(`[openape-proxy] Mandatory auth: ${config.proxy.mandatory_auth ?? false}`)\n console.log(`[openape-proxy] Agents: ${config.agents.map(a => a.email).join(', ')}`)\n console.log(`[openape-proxy] Default action: ${config.proxy.default_action}`)\n})\n\n// Graceful shutdown\nprocess.on('SIGINT', () => {\n console.log('\\n[openape-proxy] Shutting down...')\n server.close()\n process.exit(0)\n})\n\nprocess.on('SIGTERM', () => {\n console.log('[openape-proxy] Shutting down...')\n server.close()\n process.exit(0)\n})\n","import { readFileSync } from 'node:fs'\nimport { parse as parseTOML } from 'smol-toml'\nimport type { AgentConfig, MultiAgentProxyConfig, ProxyConfig } from './types.js'\n\nexport function loadConfig(path: string): ProxyConfig {\n const raw = readFileSync(path, 'utf-8')\n\n let parsed: Record<string, unknown>\n if (path.endsWith('.json')) {\n parsed = JSON.parse(raw)\n }\n else {\n parsed = parseTOML(raw) as Record<string, unknown>\n }\n\n const proxy = parsed.proxy as ProxyConfig['proxy']\n if (!proxy?.listen || !proxy?.idp_url || !proxy?.agent_email) {\n throw new Error('Config must have [proxy] with listen, idp_url, and agent_email')\n }\n\n proxy.default_action ??= 'block'\n\n return {\n proxy,\n allow: (parsed.allow ?? []) as ProxyConfig['allow'],\n deny: (parsed.deny ?? []) as ProxyConfig['deny'],\n grant_required: (parsed.grant_required ?? []) as ProxyConfig['grant_required'],\n }\n}\n\n/**\n * Load config as multi-agent format.\n * If the config has an `agents` array, use it directly.\n * Otherwise, convert single-agent format to multi-agent for backward-compat.\n */\nexport function loadMultiAgentConfig(path: string, overrides?: { mandatoryAuth?: boolean }): MultiAgentProxyConfig {\n const raw = readFileSync(path, 'utf-8')\n\n let parsed: Record<string, unknown>\n if (path.endsWith('.json')) {\n parsed = JSON.parse(raw)\n }\n else {\n parsed = parseTOML(raw) as Record<string, unknown>\n }\n\n const proxy = parsed.proxy as Record<string, unknown>\n if (!proxy?.listen) {\n throw new Error('Config must have [proxy] with listen')\n }\n\n const baseProxy: MultiAgentProxyConfig['proxy'] = {\n listen: proxy.listen as string,\n default_action: (proxy.default_action as MultiAgentProxyConfig['proxy']['default_action']) ?? 'block',\n audit_log: proxy.audit_log as string | undefined,\n mandatory_auth: overrides?.mandatoryAuth ?? (proxy.mandatory_auth as boolean | undefined),\n }\n\n // Multi-agent format: has agents array\n if (Array.isArray(parsed.agents)) {\n return {\n proxy: baseProxy,\n agents: parsed.agents as AgentConfig[],\n }\n }\n\n // Single-agent format: convert to multi-agent\n const idpUrl = proxy.idp_url as string\n const agentEmail = proxy.agent_email as string\n if (!idpUrl || !agentEmail) {\n throw new Error('Single-agent config requires proxy.idp_url and proxy.agent_email')\n }\n\n return {\n proxy: baseProxy,\n agents: [{\n email: agentEmail,\n idp_url: idpUrl,\n allow: (parsed.allow ?? []) as AgentConfig['allow'],\n deny: (parsed.deny ?? []) as AgentConfig['deny'],\n grant_required: (parsed.grant_required ?? []) as AgentConfig['grant_required'],\n }],\n }\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\nimport type { Socket } from 'node:net'\nimport { createHash } from 'node:crypto'\nimport type { AgentConfig, AuditEntry, MultiAgentProxyConfig, ProxyConfig } from './types.js'\nimport { evaluateRules } from './matcher.js'\nimport { AuthError, verifyAgentAuth } from './auth.js'\nimport { GrantsClient } from './grants-client.js'\nimport { writeAudit } from './audit.js'\nimport { isPrivateOrLoopback } from './ssrf.js'\nimport { handleConnect } from './connect.js'\n\n/**\n * Compute a request hash that uniquely identifies the intent.\n * hash = sha256(METHOD + \" \" + FULL_URL + \"\\n\" + BODY)\n * This binds the grant to the exact request — no bait-and-switch.\n */\nasync function computeRequestHash(method: string, targetUrl: string, body: ArrayBuffer | null): Promise<string> {\n const hash = createHash('sha256')\n hash.update(`${method} ${targetUrl}\\n`)\n if (body && body.byteLength > 0) {\n hash.update(new Uint8Array(body))\n }\n return hash.digest('hex')\n}\n\n/** Legacy single-agent proxy */\nexport function createProxy(config: ProxyConfig) {\n const multiConfig: MultiAgentProxyConfig = {\n proxy: {\n listen: config.proxy.listen,\n default_action: config.proxy.default_action,\n audit_log: config.proxy.audit_log,\n mandatory_auth: config.proxy.mandatory_auth,\n },\n agents: [{\n email: config.proxy.agent_email,\n idp_url: config.proxy.idp_url,\n allow: config.allow,\n deny: config.deny,\n grant_required: config.grant_required,\n }],\n }\n return createMultiAgentProxy(multiConfig)\n}\n\n/**\n * Build the per-agent GrantsClient map used by both the HTTP forward-proxy\n * handler (in this file's `createMultiAgentProxy`) and the CONNECT handler\n * (in `connect.ts`). Exposed so `createNodeHandler` can share a single map\n * instead of letting each handler construct its own — keeps any future\n * per-agent token state coherent.\n */\nexport function buildGrantsClients(config: MultiAgentProxyConfig): Map<string, GrantsClient> {\n const grantsClients = new Map<string, GrantsClient>()\n for (const agent of config.agents) {\n grantsClients.set(agent.email, new GrantsClient(agent.idp_url))\n }\n return grantsClients\n}\n\n/** Multi-agent proxy with SSRF protection and mandatory auth */\nexport function createMultiAgentProxy(\n config: MultiAgentProxyConfig,\n grantsClients: Map<string, GrantsClient> = buildGrantsClients(config),\n) {\n // Backwards-compat: if caller didn't pre-build the map, we build our own.\n // createNodeHandler always passes one in so the CONNECT handler can share it.\n for (const agent of config.agents) {\n if (!grantsClients.has(agent.email)) {\n grantsClients.set(agent.email, new GrantsClient(agent.idp_url))\n }\n }\n\n const mandatoryAuth = config.proxy.mandatory_auth ?? false\n\n return {\n port: Number.parseInt(config.proxy.listen.split(':')[1] || '9090'),\n hostname: config.proxy.listen.split(':')[0] || '127.0.0.1',\n\n async fetch(req: Request): Promise<Response> {\n const url = new URL(req.url)\n const startTime = Date.now()\n\n // Health endpoint\n if (url.pathname === '/healthz') {\n return Response.json({\n status: 'ok',\n agents: config.agents.map(a => a.email),\n })\n }\n\n // Parse target URL from the path\n const targetUrl = url.pathname.slice(1) + url.search\n let targetParsed: URL\n try {\n targetParsed = new URL(targetUrl)\n }\n catch {\n return new Response(\n 'Invalid target URL. Send requests as: http://proxy:port/https://target.com/path',\n { status: 400 },\n )\n }\n\n const domain = targetParsed.hostname\n const method = req.method\n const path = targetParsed.pathname\n\n // SSRF protection — block private/loopback IPs before any rule evaluation\n if (await isPrivateOrLoopback(domain)) {\n return new Response('Blocked: private/loopback IP', { status: 403 })\n }\n\n // Read body once (needed for hash + forwarding)\n const bodyBuffer = req.body ? await req.arrayBuffer() : null\n\n // Verify agent identity — find IdP URL from first agent (for JWKS verification)\n // In multi-agent mode, we need the JWT to identify the agent first.\n // We try verification against each agent's IdP until one succeeds.\n let agentIdentity: { email: string, act: 'agent' } | null = null\n try {\n for (const agentConf of config.agents) {\n agentIdentity = await verifyAgentAuth(\n req.headers.get('proxy-authorization'),\n agentConf.idp_url,\n mandatoryAuth && config.agents.length === 1,\n )\n if (agentIdentity) break\n }\n\n // If mandatory auth and no identity found from any IdP\n if (mandatoryAuth && !agentIdentity) {\n throw new AuthError('JWT required')\n }\n }\n catch (err) {\n if (err instanceof AuthError) {\n return new Response(`Unauthorized: ${err.message}`, { status: 401 })\n }\n throw err\n }\n\n // Find the matching agent config\n const agentEmail = agentIdentity?.email\n let agentConf: AgentConfig | undefined\n\n if (agentEmail) {\n agentConf = config.agents.find(a => a.email === agentEmail)\n if (!agentConf) {\n return new Response(`Forbidden: unknown agent ${agentEmail}`, { status: 403 })\n }\n }\n else if (config.agents.length === 1) {\n // Non-mandatory auth, single agent: use the only agent config\n agentConf = config.agents[0]\n }\n else {\n return new Response('Unauthorized: JWT required for multi-agent proxy', { status: 401 })\n }\n\n const effectiveEmail = agentEmail ?? agentConf.email\n const grantsClient = grantsClients.get(agentConf.email)!\n\n // Build a ProxyConfig-shaped object for evaluateRules\n const rulesConfig: ProxyConfig = {\n proxy: {\n listen: config.proxy.listen,\n idp_url: agentConf.idp_url,\n agent_email: agentConf.email,\n default_action: config.proxy.default_action,\n },\n allow: agentConf.allow ?? [],\n deny: agentConf.deny ?? [],\n grant_required: agentConf.grant_required ?? [],\n }\n\n // Evaluate rules\n const action = evaluateRules(rulesConfig, domain, method, path)\n\n const baseAudit: Omit<AuditEntry, 'action' | 'rule'> = {\n ts: new Date().toISOString(),\n agent: effectiveEmail,\n domain,\n method,\n path,\n }\n\n // DENY\n if (action.type === 'deny') {\n writeAudit({ ...baseAudit, action: 'deny', rule: 'deny-list', grant_id: null })\n return new Response(`Blocked: ${action.note || 'deny rule'}`, { status: 403 })\n }\n\n // ALLOW (no grant needed)\n if (action.type === 'allow') {\n writeAudit({ ...baseAudit, action: 'allow', rule: 'allow-list', grant_id: null })\n return forwardRequest(req, targetUrl, bodyBuffer)\n }\n\n // GRANT REQUIRED\n const rule = action.rule\n const permissions = rule.permissions ?? [`${method.toLowerCase()}:${domain}`]\n\n // Compute request hash — binds grant to exact method + URL + body\n const requestHash = await computeRequestHash(method, targetUrl, bodyBuffer)\n\n // Check for existing grant\n const existing = await grantsClient.findExistingGrant(\n effectiveEmail,\n domain,\n 'proxy',\n permissions,\n ).catch(() => null)\n\n if (existing) {\n writeAudit({\n ...baseAudit,\n action: 'grant_approved',\n rule: 'standing-grant',\n grant_id: existing.id,\n request_hash: requestHash,\n })\n return forwardRequest(req, targetUrl, bodyBuffer)\n }\n\n // No existing grant — behavior depends on default_action\n if (config.proxy.default_action === 'block') {\n writeAudit({ ...baseAudit, action: 'deny', rule: 'no-grant (block mode)', grant_id: null })\n return new Response('No grant — blocked', { status: 403 })\n }\n\n if (config.proxy.default_action === 'request-async') {\n // Create grant request, return 407 immediately\n const grant = await grantsClient.requestGrant({\n requester: effectiveEmail,\n targetHost: domain,\n audience: 'ape-proxy',\n grantType: rule.grant_type,\n permissions,\n reason: `${method} ${targetUrl}`,\n requestHash,\n duration: rule.duration,\n }).catch(() => null)\n\n writeAudit({\n ...baseAudit,\n action: 'grant_denied',\n rule: 'grant_required (async)',\n grant_id: grant?.id ?? null,\n })\n\n return new Response(\n JSON.stringify({\n error: 'Grant required',\n grant_id: grant?.id,\n message: 'Grant request created. Retry after approval.',\n }),\n { status: 407, headers: { 'Content-Type': 'application/json' } },\n )\n }\n\n // BLOCKING mode: create grant request and wait\n console.error(`[proxy] Requesting grant for ${method} ${domain}${path} — waiting for approval...`)\n\n try {\n const grant = await grantsClient.requestGrant({\n requester: effectiveEmail,\n targetHost: domain,\n audience: 'ape-proxy',\n grantType: rule.grant_type,\n permissions,\n reason: `${method} ${targetUrl}`,\n requestHash,\n duration: rule.duration,\n })\n\n const approved = await grantsClient.waitForApproval(grant.id)\n\n const waitedMs = Date.now() - startTime\n\n if (approved.status === 'approved') {\n writeAudit({\n ...baseAudit,\n action: 'grant_approved',\n rule: 'grant_required',\n grant_id: approved.id,\n request_hash: requestHash,\n waited_ms: waitedMs,\n })\n return forwardRequest(req, targetUrl, bodyBuffer)\n }\n\n writeAudit({\n ...baseAudit,\n action: 'grant_denied',\n rule: 'grant_required',\n grant_id: approved.id,\n waited_ms: waitedMs,\n })\n return new Response(`Grant denied by ${approved.decided_by}`, { status: 403 })\n }\n catch (err) {\n const msg = err instanceof Error ? err.message : 'Unknown error'\n writeAudit({\n ...baseAudit,\n action: 'grant_timeout',\n rule: 'grant_required',\n error: msg,\n })\n return new Response(`Grant request failed: ${msg}`, { status: 504 })\n }\n },\n }\n}\n\n/**\n * Create a node:http compatible handler for use with http.createServer().\n * Returns both a request handler and a CONNECT handler.\n */\nexport function createNodeHandler(config: MultiAgentProxyConfig): {\n handleRequest: (req: IncomingMessage, res: ServerResponse) => void\n handleConnect: (req: IncomingMessage, socket: Socket, head: Buffer) => void\n} {\n // Build grantsClients once; share with both forward-proxy fetch path\n // (createMultiAgentProxy) and the CONNECT path (handleConnect). Without\n // sharing, CONNECT-time grant_required rules couldn't reach the IdP in\n // multi-agent mode without duplicating constructor work.\n const grantsClients = buildGrantsClients(config)\n const proxy = createMultiAgentProxy(config, grantsClients)\n\n return {\n handleRequest(req: IncomingMessage, res: ServerResponse) {\n // Standard HTTP_PROXY clients (curl, gh, git, npm) send the target as\n // an absolute URL in the request line for cleartext forward-proxying:\n // `GET http://example.com/path HTTP/1.1`\n // node:http surfaces that absolute URL via `req.url`. The legacy\n // `proxy.fetch` extraction expects a path-encoded form\n // (`/<full-target-url>`), so we adapt here: when `req.url` is\n // absolute, prefix it with a slash so `pathname.slice(1)` recovers\n // the same target string. Path-form clients (legacy) keep working.\n const reqUrl = req.url || '/'\n const isAbsolute = reqUrl.startsWith('http://') || reqUrl.startsWith('https://')\n const proxyHost = req.headers.host || 'localhost'\n const url = isAbsolute\n ? `http://${proxyHost}/${reqUrl}`\n : `http://${proxyHost}${reqUrl}`\n const chunks: Buffer[] = []\n\n req.on('data', (chunk: Buffer) => chunks.push(chunk))\n req.on('end', async () => {\n try {\n const body = chunks.length > 0 ? Buffer.concat(chunks) : undefined\n const headers = new Headers()\n for (const [key, value] of Object.entries(req.headers)) {\n if (value) {\n headers.set(key, Array.isArray(value) ? value.join(', ') : value)\n }\n }\n\n const request = new Request(url, {\n method: req.method,\n headers,\n body: body && req.method !== 'GET' && req.method !== 'HEAD' ? body : undefined,\n duplex: 'half',\n } as RequestInit)\n\n const response = await proxy.fetch(request)\n\n res.writeHead(response.status, response.statusText, Object.fromEntries(response.headers))\n if (response.body) {\n const reader = response.body.getReader()\n const pump = async (): Promise<void> => {\n const { done, value } = await reader.read()\n if (done) {\n res.end()\n return\n }\n res.write(value)\n return pump()\n }\n await pump()\n }\n else {\n res.end()\n }\n }\n catch {\n res.writeHead(502)\n res.end('Proxy error')\n }\n })\n },\n\n handleConnect(req: IncomingMessage, socket: Socket, head: Buffer) {\n handleConnect(config, grantsClients, req, socket, head)\n },\n }\n}\n\n/**\n * Forward a request to the target URL.\n * Strips proxy-specific headers, preserves the rest.\n */\nasync function forwardRequest(originalReq: Request, targetUrl: string, cachedBody?: ArrayBuffer | null): Promise<Response> {\n const headers = new Headers(originalReq.headers)\n // Remove proxy-specific headers\n headers.delete('proxy-authorization')\n headers.delete('proxy-connection')\n // Don't send host of the proxy\n headers.delete('host')\n\n const body = cachedBody && cachedBody.byteLength > 0 ? cachedBody : null\n\n try {\n const res = await fetch(targetUrl, {\n method: originalReq.method,\n headers,\n body,\n duplex: 'half',\n redirect: 'manual',\n })\n\n // Stream the response back\n const responseHeaders = new Headers(res.headers)\n // Remove hop-by-hop headers\n responseHeaders.delete('transfer-encoding')\n responseHeaders.delete('connection')\n\n return new Response(res.body, {\n status: res.status,\n statusText: res.statusText,\n headers: responseHeaders,\n })\n }\n catch (err) {\n const msg = err instanceof Error ? err.message : 'Upstream error'\n return new Response(`Proxy error: ${msg}`, { status: 502 })\n }\n}\n","import type { ProxyConfig, RuleAction, RuleEntry } from './types.js'\n\n/**\n * Match a glob pattern against a string.\n * Supports * (any segment) and ** (any number of segments).\n */\nfunction globMatch(pattern: string, value: string): boolean {\n // Simple glob: convert * to regex\n const regex = new RegExp(\n `^${\n pattern\n .replace(/[.+^${}()|[\\]\\\\]/g, '\\\\$&') // escape regex chars except *\n .replace(/\\*\\*/g, '<<<DOUBLESTAR>>>')\n .replace(/\\*/g, '[^/]*')\n .replace(/<<<DOUBLESTAR>>>/g, '.*')\n }$`,\n )\n return regex.test(value)\n}\n\nfunction matchesRule(rule: RuleEntry, domain: string, method: string, path: string): boolean {\n // Domain match (supports wildcards like *.github.com)\n if (!globMatch(rule.domain, domain)) return false\n\n // Method match (if specified)\n if (rule.methods && rule.methods.length > 0) {\n if (!rule.methods.includes(method.toUpperCase())) return false\n }\n\n // Path match (if specified)\n if (rule.path) {\n if (!globMatch(rule.path, path)) return false\n }\n\n return true\n}\n\n/**\n * Evaluate rules in order: deny → allow → grant_required → default_action\n */\nexport function evaluateRules(\n config: ProxyConfig,\n domain: string,\n method: string,\n path: string,\n): RuleAction {\n // 1. Check deny list first\n for (const rule of config.deny) {\n if (matchesRule(rule, domain, method, path)) {\n return { type: 'deny', note: rule.note }\n }\n }\n\n // 2. Check allow list\n for (const rule of config.allow) {\n if (matchesRule(rule, domain, method, path)) {\n return { type: 'allow' }\n }\n }\n\n // 3. Check grant_required rules (most specific first)\n for (const rule of config.grant_required) {\n if (matchesRule(rule, domain, method, path)) {\n return { type: 'grant_required', rule }\n }\n }\n\n // 4. Default action for unmatched hosts. Conceptually the proxy-side\n // counterpart of the IdP's per-agent YOLO policy — both decide what\n // happens when no specific rule matches, both live server-side (proxy or\n // IdP), neither leaks the decision to the agent. Differences:\n // - IdP YOLO is per-agent, evaluated at grant time, can have deny-patterns\n // and an expiry window.\n // - Proxy default_action is per-proxy-instance, evaluated at request time,\n // binary outcome (allow/deny/request-grant).\n //\n // Modes:\n // - 'block': hard deny — paranoid agent profile.\n // - 'allow': hard pass — transparent-audit profile (log every call,\n // enforce nothing). Equivalent role to a YOLO policy without a\n // deny-list.\n // - 'request' / 'request-async' (OpenApe-default): treat as\n // grant_required with a once-grant catch-all so every new host\n // surfaces an interactive grant decision.\n if (config.proxy.default_action === 'block') {\n return { type: 'deny', note: 'No matching rule (default: block)' }\n }\n if (config.proxy.default_action === 'allow') {\n return { type: 'allow' }\n }\n\n return {\n type: 'grant_required',\n rule: {\n domain: '*',\n grant_type: 'once',\n },\n }\n}\n","import { verifyJWT, createRemoteJWKS } from '@openape/core'\n\nexport interface AgentIdentity {\n email: string\n act: 'agent'\n}\n\nexport class AuthError extends Error {\n constructor(message: string) {\n super(message)\n this.name = 'AuthError'\n }\n}\n\n/**\n * Verify agent JWT from Proxy-Authorization header.\n * Returns the agent identity or null if invalid/missing.\n * When mandatory is true, throws AuthError if no valid JWT is provided.\n */\nexport async function verifyAgentAuth(\n authHeader: string | null,\n idpUrl: string,\n mandatory: boolean = false,\n): Promise<AgentIdentity | null> {\n if (!authHeader) {\n if (mandatory) throw new AuthError('JWT required')\n return null\n }\n\n const match = authHeader.match(/^Bearer (.+)$/i)\n if (!match) {\n if (mandatory) throw new AuthError('Invalid authorization header')\n return null\n }\n\n const token = match[1]\n\n try {\n const jwks = createRemoteJWKS(`${idpUrl}/.well-known/jwks.json`)\n const { payload } = await verifyJWT(token, jwks, { issuer: idpUrl })\n\n if (payload.act !== 'agent' || !payload.sub) {\n if (mandatory) throw new AuthError('Invalid agent token')\n return null\n }\n\n return {\n email: payload.sub as string,\n act: 'agent',\n }\n }\n catch (err) {\n if (err instanceof AuthError) throw err\n if (mandatory) throw new AuthError('JWT verification failed')\n return null\n }\n}\n","import type { OpenApeGrant, GrantType } from '@openape/core'\n\n/**\n * Client for the IdP's grant management API.\n * Creates grant requests and polls for approval.\n */\nexport class GrantsClient {\n private idpUrl: string\n private agentToken: string | undefined\n\n constructor(idpUrl: string) {\n this.idpUrl = idpUrl.replace(/\\/$/, '')\n }\n\n setAgentToken(token: string): void {\n this.agentToken = token\n }\n\n private headers(): Record<string, string> {\n const h: Record<string, string> = { 'Content-Type': 'application/json' }\n if (this.agentToken) {\n h.Authorization = `Bearer ${this.agentToken}`\n }\n return h\n }\n\n /**\n * Create a grant request on the IdP.\n */\n async requestGrant(opts: {\n requester: string\n targetHost: string\n audience: string\n grantType: GrantType\n permissions?: string[]\n reason?: string\n requestHash?: string\n duration?: number\n }): Promise<OpenApeGrant> {\n const res = await fetch(`${this.idpUrl}/api/grants`, {\n method: 'POST',\n headers: this.headers(),\n body: JSON.stringify({\n requester: opts.requester,\n target_host: opts.targetHost,\n audience: opts.audience,\n grant_type: opts.grantType,\n permissions: opts.permissions,\n reason: opts.reason,\n request_hash: opts.requestHash,\n duration: opts.duration,\n }),\n })\n\n if (!res.ok) {\n throw new Error(`Grant request failed: ${res.status} ${await res.text()}`)\n }\n\n return res.json() as Promise<OpenApeGrant>\n }\n\n /**\n * Poll a grant until it's approved, denied, or timeout.\n */\n async waitForApproval(\n grantId: string,\n timeoutMs: number = 300_000,\n pollIntervalMs: number = 2_000,\n ): Promise<OpenApeGrant> {\n const deadline = Date.now() + timeoutMs\n\n while (Date.now() < deadline) {\n const res = await fetch(`${this.idpUrl}/api/grants/${grantId}`, {\n headers: this.headers(),\n })\n\n if (!res.ok) {\n throw new Error(`Grant poll failed: ${res.status}`)\n }\n\n const grant = await res.json() as OpenApeGrant\n if (grant.status !== 'pending') {\n return grant\n }\n\n await new Promise(r => setTimeout(r, pollIntervalMs))\n }\n\n throw new Error(`Grant approval timed out after ${timeoutMs}ms`)\n }\n\n /**\n * Check if there's an existing approved grant for a host+audience+permissions combo.\n * Ignores `once` grants (they're single-use).\n */\n async findExistingGrant(\n requester: string,\n targetHost: string,\n audience: string,\n permissions?: string[],\n ): Promise<OpenApeGrant | null> {\n const params = new URLSearchParams({\n requester,\n status: 'approved',\n })\n\n const res = await fetch(`${this.idpUrl}/api/grants?${params}`, {\n headers: this.headers(),\n })\n\n if (!res.ok) return null\n\n const grants = await res.json() as OpenApeGrant[]\n const now = Math.floor(Date.now() / 1000)\n\n return grants.find((g) => {\n if (g.status !== 'approved') return false\n if (g.expires_at && g.expires_at <= now) return false\n if (g.request?.grant_type === 'once') return false\n if (g.request?.target_host !== targetHost) return false\n if (g.request?.audience !== audience) return false\n if (permissions?.length && g.request?.permissions?.length) {\n const grantedPerms = new Set(g.request.permissions)\n if (!permissions.every(p => grantedPerms.has(p))) return false\n }\n return true\n }) ?? null\n }\n}\n","import { appendFileSync } from 'node:fs'\nimport type { AuditEntry } from './types.js'\n\nlet auditPath: string | undefined\n\nexport function initAudit(path?: string): void {\n auditPath = path\n}\n\nexport function writeAudit(entry: AuditEntry): void {\n const line = JSON.stringify(entry)\n\n // Always log to stderr\n console.error(`[audit] ${entry.action} ${entry.method} ${entry.domain}${entry.path}${entry.grant_id ? ` grant=${entry.grant_id}` : ''}`)\n\n // Write to file if configured\n if (auditPath) {\n appendFileSync(auditPath, `${line}\\n`)\n }\n}\n","import { resolve4, resolve6 } from 'node:dns/promises'\nimport { isIP } from 'node:net'\n\nconst PRIVATE_RANGES_V4 = [\n { prefix: 0x7F000000, mask: 0xFF000000 }, // 127.0.0.0/8\n { prefix: 0x0A000000, mask: 0xFF000000 }, // 10.0.0.0/8\n { prefix: 0xAC100000, mask: 0xFFF00000 }, // 172.16.0.0/12\n { prefix: 0xC0A80000, mask: 0xFFFF0000 }, // 192.168.0.0/16\n { prefix: 0xA9FE0000, mask: 0xFFFF0000 }, // 169.254.0.0/16\n { prefix: 0x00000000, mask: 0xFF000000 }, // 0.0.0.0/8\n]\n\nfunction ipv4ToNumber(ip: string): number {\n const parts = ip.split('.').map(Number)\n return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0\n}\n\nfunction isPrivateIPv4(ip: string): boolean {\n const num = ipv4ToNumber(ip)\n return PRIVATE_RANGES_V4.some(r => ((num & r.mask) >>> 0) === r.prefix)\n}\n\nfunction isPrivateIPv6(ip: string): boolean {\n const normalized = ip.toLowerCase()\n\n // Loopback ::1\n if (normalized === '::1') return true\n\n // Unspecified ::\n if (normalized === '::') return true\n\n // Link-local fe80::/10\n if (normalized.startsWith('fe8') || normalized.startsWith('fe9')\n || normalized.startsWith('fea') || normalized.startsWith('feb')) {\n return true\n }\n\n // Unique local fd00::/8\n if (normalized.startsWith('fd')) return true\n\n // IPv4-mapped ::ffff:x.x.x.x\n const v4mapped = normalized.match(/^::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)$/)\n if (v4mapped) return isPrivateIPv4(v4mapped[1])\n\n return false\n}\n\nfunction isPrivateIP(ip: string): boolean {\n if (isIP(ip) === 4) return isPrivateIPv4(ip)\n if (isIP(ip) === 6) return isPrivateIPv6(ip)\n return false\n}\n\n/**\n * Check if a hostname resolves to a private or loopback IP.\n * If the hostname is already an IP literal, check directly.\n * Otherwise, resolve via DNS and check all results.\n */\nexport async function isPrivateOrLoopback(hostname: string): Promise<boolean> {\n // Direct IP literal\n if (isIP(hostname)) {\n return isPrivateIP(hostname)\n }\n\n // localhost shortcut\n if (hostname === 'localhost') return true\n\n // DNS resolution — check both A and AAAA records\n try {\n const [v4, v6] = await Promise.allSettled([\n resolve4(hostname),\n resolve6(hostname),\n ])\n const addrs: string[] = []\n if (v4.status === 'fulfilled') addrs.push(...v4.value)\n if (v6.status === 'fulfilled') addrs.push(...v6.value)\n\n if (addrs.length === 0) return true // no records — block to be safe\n return addrs.some(addr => isPrivateIP(addr))\n }\n catch {\n // DNS failure — block to be safe\n return true\n }\n}\n","import type { IncomingMessage } from 'node:http'\nimport type { Socket } from 'node:net'\nimport { connect } from 'node:net'\nimport type { AgentConfig, MultiAgentProxyConfig, ProxyConfig } from './types.js'\nimport { AuthError, verifyAgentAuth } from './auth.js'\nimport { isPrivateOrLoopback } from './ssrf.js'\nimport { writeAudit } from './audit.js'\nimport { evaluateRules } from './matcher.js'\nimport type { GrantsClient } from './grants-client.js'\n\n/**\n * Handle HTTP CONNECT requests for tunneling (used by HTTP_PROXY clients).\n * Flow: Auth → SSRF → host-based rule evaluation (allow / deny / grant_required)\n * → TCP connect → bidirectional pipe.\n *\n * For HTTPS via CONNECT we only see the hostname (the TLS payload is opaque).\n * Rules with `methods` or `path` filters cannot be enforced at CONNECT time and\n * are skipped — they'd only match if the client also carried the same hostname\n * over cleartext-HTTP forward-proxy. This is intentional: there's no honest way\n * to gate a method we can't observe.\n */\nexport async function handleConnect(\n config: MultiAgentProxyConfig,\n grantsClients: Map<string, GrantsClient>,\n req: IncomingMessage,\n clientSocket: Socket,\n _head: Buffer,\n): Promise<void> {\n const target = req.url ?? ''\n const [host, portStr] = target.split(':')\n const port = Number.parseInt(portStr || '443')\n\n if (!host || !port) {\n clientSocket.write('HTTP/1.1 400 Bad Request\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n\n // SYSTEM BYPASS: outbound to any configured IdP host is unconditionally\n // allowed. The proxy itself talks to the IdP for JWT verification + grant\n // approval, and any process inside the proxy boundary may need to call the\n // IdP for `apes login` / `apes whoami` / token-exchange BEFORE it can ever\n // produce a valid Proxy-Authorization JWT. Blocking IdP traffic would\n // either deadlock the grant flow or lock users out of authentication.\n // We therefore skip auth (no JWT yet for first-login), SSRF (local-dev IdPs\n // can live at 127.0.0.1), and policy rules (operator must not be able to\n // override this system invariant).\n const idpHosts = new Set(\n config.agents\n .map((a) => {\n try {\n return new URL(a.idp_url).hostname.toLowerCase()\n }\n catch {\n return ''\n }\n })\n .filter(h => h.length > 0),\n )\n if (idpHosts.has(host.toLowerCase())) {\n writeAudit({\n ts: new Date().toISOString(),\n agent: 'system',\n action: 'allow',\n domain: host,\n method: 'CONNECT',\n path: target,\n rule: 'idp-system-bypass',\n })\n tunnel(host, port, clientSocket)\n return\n }\n\n const mandatoryAuth = config.proxy.mandatory_auth ?? false\n\n // Auth check — CONNECT always requires auth in mandatory mode\n let agentEmail: string | undefined\n try {\n const authHeader = req.headers['proxy-authorization'] as string | undefined\n let identity: { email: string, act: 'agent' } | null = null\n\n for (const agentConf of config.agents) {\n identity = await verifyAgentAuth(\n authHeader ?? null,\n agentConf.idp_url,\n mandatoryAuth && config.agents.length === 1,\n )\n if (identity) break\n }\n\n if (mandatoryAuth && !identity) {\n throw new AuthError('JWT required')\n }\n\n agentEmail = identity?.email\n\n // Verify agent is known\n if (agentEmail) {\n const known = config.agents.find(a => a.email === agentEmail)\n if (!known) {\n clientSocket.write('HTTP/1.1 403 Forbidden\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n }\n else if (config.agents.length > 1) {\n throw new AuthError('JWT required for multi-agent proxy')\n }\n }\n catch (err) {\n if (err instanceof AuthError) {\n clientSocket.write('HTTP/1.1 401 Unauthorized\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n throw err\n }\n\n // SSRF check\n if (await isPrivateOrLoopback(host)) {\n writeAudit({\n ts: new Date().toISOString(),\n agent: agentEmail ?? config.agents[0]?.email ?? 'unknown',\n action: 'deny',\n domain: host,\n method: 'CONNECT',\n path: target,\n rule: 'ssrf-blocked',\n })\n clientSocket.write('HTTP/1.1 403 Forbidden\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n\n // Host-based rule evaluation. Pick the agent's config: in single-agent or\n // unauth mode this is just config.agents[0]; in multi-agent mode we use the\n // identity established above.\n const agentConf: AgentConfig | undefined = agentEmail\n ? config.agents.find(a => a.email === agentEmail)\n : config.agents[0]\n if (!agentConf) {\n clientSocket.write('HTTP/1.1 403 Forbidden\\r\\n\\r\\n')\n clientSocket.destroy()\n return\n }\n const effectiveEmail = agentEmail ?? agentConf.email\n\n const rulesConfig: ProxyConfig = {\n proxy: {\n listen: config.proxy.listen,\n idp_url: agentConf.idp_url,\n agent_email: agentConf.email,\n default_action: config.proxy.default_action,\n },\n allow: agentConf.allow ?? [],\n deny: agentConf.deny ?? [],\n grant_required: agentConf.grant_required ?? [],\n }\n\n // CONNECT carries no method/path beyond host:port. Pass 'CONNECT' as method\n // and '/' as path so rules with method-filters (which we can't enforce here)\n // simply don't match — operator must specify method-less rules to gate\n // HTTPS hosts.\n const action = evaluateRules(rulesConfig, host, 'CONNECT', '/')\n const baseAudit = {\n ts: new Date().toISOString(),\n agent: effectiveEmail,\n domain: host,\n method: 'CONNECT',\n path: target,\n } as const\n\n if (action.type === 'deny') {\n writeAudit({ ...baseAudit, action: 'deny', rule: 'deny-list' })\n const note = action.note ? ` ${action.note}` : ''\n clientSocket.write(`HTTP/1.1 403 Forbidden\\r\\nContent-Type: text/plain\\r\\n\\r\\nBlocked:${note}\\r\\n`)\n clientSocket.destroy()\n return\n }\n\n if (action.type === 'grant_required') {\n const grantsClient = grantsClients.get(agentConf.email)\n if (!grantsClient) {\n writeAudit({ ...baseAudit, action: 'deny', rule: 'grant_required (no client)' })\n clientSocket.write('HTTP/1.1 500 Internal Server Error\\r\\n\\r\\nNo grants client for agent\\r\\n')\n clientSocket.destroy()\n return\n }\n\n // Async-mode (`request-async`) is meaningful for HTTP forward-proxy where\n // the client can re-issue the request after approval. CONNECT clients\n // (curl, gh, …) won't transparently retry on 407 mid-handshake, so we\n // always block the tunnel until the grant resolves. Operator can shorten\n // the wait via per-rule `duration` or via the IdP's grant TTL.\n const startTs = Date.now()\n try {\n const grant = await grantsClient.requestGrant({\n requester: effectiveEmail,\n targetHost: host,\n audience: 'ape-proxy',\n grantType: action.rule.grant_type,\n permissions: action.rule.permissions,\n reason: `CONNECT ${host}:${port}`,\n duration: action.rule.duration,\n })\n const decided = await grantsClient.waitForApproval(grant.id)\n const waitedMs = Date.now() - startTs\n if (decided.status === 'approved') {\n writeAudit({ ...baseAudit, action: 'grant_approved', rule: 'grant_required', grant_id: decided.id, waited_ms: waitedMs })\n // Fall through to the TCP connect below.\n }\n else {\n writeAudit({ ...baseAudit, action: 'grant_denied', rule: 'grant_required', grant_id: decided.id, waited_ms: waitedMs })\n clientSocket.write(`HTTP/1.1 403 Forbidden\\r\\n\\r\\nGrant denied by ${decided.decided_by ?? 'policy'}\\r\\n`)\n clientSocket.destroy()\n return\n }\n }\n catch (err) {\n const msg = err instanceof Error ? err.message : 'Unknown error'\n writeAudit({ ...baseAudit, action: 'grant_timeout', rule: 'grant_required', error: msg })\n clientSocket.write(`HTTP/1.1 504 Gateway Timeout\\r\\n\\r\\nGrant request failed: ${msg}\\r\\n`)\n clientSocket.destroy()\n return\n }\n }\n else {\n // 'allow' — log and continue.\n writeAudit({ ...baseAudit, action: 'allow', rule: 'allow-list' })\n }\n\n tunnel(host, port, clientSocket)\n}\n\n/**\n * Open a TCP socket to host:port and bidirectionally pipe it with the client\n * socket. Used by both the policy-pass path (auth + rules approved) and the\n * IdP system-bypass path (no auth/policy involved).\n */\nfunction tunnel(host: string, port: number, clientSocket: Socket): void {\n const targetSocket = connect(port, host, () => {\n clientSocket.write('HTTP/1.1 200 Connection Established\\r\\n\\r\\n')\n targetSocket.pipe(clientSocket)\n clientSocket.pipe(targetSocket)\n })\n\n targetSocket.on('error', () => {\n clientSocket.write('HTTP/1.1 502 Bad Gateway\\r\\n\\r\\n')\n clientSocket.destroy()\n })\n\n clientSocket.on('error', () => {\n targetSocket.destroy()\n })\n\n clientSocket.on('close', () => targetSocket.destroy())\n targetSocket.on('close', () => clientSocket.destroy())\n}\n"],"mappings":";;;AACA,SAAS,oBAAoB;AAC7B,SAAS,iBAAiB;;;ACF1B,SAAS,oBAAoB;AAC7B,SAAS,SAAS,iBAAiB;AAkC5B,SAAS,qBAAqB,MAAc,WAAgE;AACjH,QAAM,MAAM,aAAa,MAAM,OAAO;AAEtC,MAAI;AACJ,MAAI,KAAK,SAAS,OAAO,GAAG;AAC1B,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,OACK;AACH,aAAS,UAAU,GAAG;AAAA,EACxB;AAEA,QAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,OAAO,QAAQ;AAClB,UAAM,IAAI,MAAM,sCAAsC;AAAA,EACxD;AAEA,QAAM,YAA4C;AAAA,IAChD,QAAQ,MAAM;AAAA,IACd,gBAAiB,MAAM,kBAAuE;AAAA,IAC9F,WAAW,MAAM;AAAA,IACjB,gBAAgB,WAAW,iBAAkB,MAAM;AAAA,EACrD;AAGA,MAAI,MAAM,QAAQ,OAAO,MAAM,GAAG;AAChC,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,OAAO;AAAA,IACjB;AAAA,EACF;AAGA,QAAM,SAAS,MAAM;AACrB,QAAM,aAAa,MAAM;AACzB,MAAI,CAAC,UAAU,CAAC,YAAY;AAC1B,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AAEA,SAAO;AAAA,IACL,OAAO;AAAA,IACP,QAAQ,CAAC;AAAA,MACP,OAAO;AAAA,MACP,SAAS;AAAA,MACT,OAAQ,OAAO,SAAS,CAAC;AAAA,MACzB,MAAO,OAAO,QAAQ,CAAC;AAAA,MACvB,gBAAiB,OAAO,kBAAkB,CAAC;AAAA,IAC7C,CAAC;AAAA,EACH;AACF;;;ACjFA,SAAS,kBAAkB;;;ACI3B,SAAS,UAAU,SAAiB,OAAwB;AAE1D,QAAM,QAAQ,IAAI;AAAA,IAChB,IACE,QACG,QAAQ,qBAAqB,MAAM,EACnC,QAAQ,SAAS,kBAAkB,EACnC,QAAQ,OAAO,OAAO,EACtB,QAAQ,qBAAqB,IAAI,CACtC;AAAA,EACF;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,YAAY,MAAiB,QAAgB,QAAgB,MAAuB;AAE3F,MAAI,CAAC,UAAU,KAAK,QAAQ,MAAM,EAAG,QAAO;AAG5C,MAAI,KAAK,WAAW,KAAK,QAAQ,SAAS,GAAG;AAC3C,QAAI,CAAC,KAAK,QAAQ,SAAS,OAAO,YAAY,CAAC,EAAG,QAAO;AAAA,EAC3D;AAGA,MAAI,KAAK,MAAM;AACb,QAAI,CAAC,UAAU,KAAK,MAAM,IAAI,EAAG,QAAO;AAAA,EAC1C;AAEA,SAAO;AACT;AAKO,SAAS,cACdA,SACA,QACA,QACA,MACY;AAEZ,aAAW,QAAQA,QAAO,MAAM;AAC9B,QAAI,YAAY,MAAM,QAAQ,QAAQ,IAAI,GAAG;AAC3C,aAAO,EAAE,MAAM,QAAQ,MAAM,KAAK,KAAK;AAAA,IACzC;AAAA,EACF;AAGA,aAAW,QAAQA,QAAO,OAAO;AAC/B,QAAI,YAAY,MAAM,QAAQ,QAAQ,IAAI,GAAG;AAC3C,aAAO,EAAE,MAAM,QAAQ;AAAA,IACzB;AAAA,EACF;AAGA,aAAW,QAAQA,QAAO,gBAAgB;AACxC,QAAI,YAAY,MAAM,QAAQ,QAAQ,IAAI,GAAG;AAC3C,aAAO,EAAE,MAAM,kBAAkB,KAAK;AAAA,IACxC;AAAA,EACF;AAmBA,MAAIA,QAAO,MAAM,mBAAmB,SAAS;AAC3C,WAAO,EAAE,MAAM,QAAQ,MAAM,oCAAoC;AAAA,EACnE;AACA,MAAIA,QAAO,MAAM,mBAAmB,SAAS;AAC3C,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM;AAAA,MACJ,QAAQ;AAAA,MACR,YAAY;AAAA,IACd;AAAA,EACF;AACF;;;AClGA,SAAS,WAAW,wBAAwB;AAOrC,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOA,eAAsB,gBACpB,YACA,QACA,YAAqB,OACU;AAC/B,MAAI,CAAC,YAAY;AACf,QAAI,UAAW,OAAM,IAAI,UAAU,cAAc;AACjD,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,WAAW,MAAM,gBAAgB;AAC/C,MAAI,CAAC,OAAO;AACV,QAAI,UAAW,OAAM,IAAI,UAAU,8BAA8B;AACjE,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,MAAM,CAAC;AAErB,MAAI;AACF,UAAM,OAAO,iBAAiB,GAAG,MAAM,wBAAwB;AAC/D,UAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM,EAAE,QAAQ,OAAO,CAAC;AAEnE,QAAI,QAAQ,QAAQ,WAAW,CAAC,QAAQ,KAAK;AAC3C,UAAI,UAAW,OAAM,IAAI,UAAU,qBAAqB;AACxD,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL,OAAO,QAAQ;AAAA,MACf,KAAK;AAAA,IACP;AAAA,EACF,SACO,KAAK;AACV,QAAI,eAAe,UAAW,OAAM;AACpC,QAAI,UAAW,OAAM,IAAI,UAAU,yBAAyB;AAC5D,WAAO;AAAA,EACT;AACF;;;AClDO,IAAM,eAAN,MAAmB;AAAA,EAChB;AAAA,EACA;AAAA,EAER,YAAY,QAAgB;AAC1B,SAAK,SAAS,OAAO,QAAQ,OAAO,EAAE;AAAA,EACxC;AAAA,EAEA,cAAc,OAAqB;AACjC,SAAK,aAAa;AAAA,EACpB;AAAA,EAEQ,UAAkC;AACxC,UAAM,IAA4B,EAAE,gBAAgB,mBAAmB;AACvE,QAAI,KAAK,YAAY;AACnB,QAAE,gBAAgB,UAAU,KAAK,UAAU;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,MASO;AACxB,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,MAAM,eAAe;AAAA,MACnD,QAAQ;AAAA,MACR,SAAS,KAAK,QAAQ;AAAA,MACtB,MAAM,KAAK,UAAU;AAAA,QACnB,WAAW,KAAK;AAAA,QAChB,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK;AAAA,QACf,YAAY,KAAK;AAAA,QACjB,aAAa,KAAK;AAAA,QAClB,QAAQ,KAAK;AAAA,QACb,cAAc,KAAK;AAAA,QACnB,UAAU,KAAK;AAAA,MACjB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,IAAI,MAAM,IAAI,KAAK,CAAC,EAAE;AAAA,IAC3E;AAEA,WAAO,IAAI,KAAK;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBACJ,SACA,YAAoB,KACpB,iBAAyB,KACF;AACvB,UAAM,WAAW,KAAK,IAAI,IAAI;AAE9B,WAAO,KAAK,IAAI,IAAI,UAAU;AAC5B,YAAM,MAAM,MAAM,MAAM,GAAG,KAAK,MAAM,eAAe,OAAO,IAAI;AAAA,QAC9D,SAAS,KAAK,QAAQ;AAAA,MACxB,CAAC;AAED,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI,MAAM,sBAAsB,IAAI,MAAM,EAAE;AAAA,MACpD;AAEA,YAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAI,MAAM,WAAW,WAAW;AAC9B,eAAO;AAAA,MACT;AAEA,YAAM,IAAI,QAAQ,OAAK,WAAW,GAAG,cAAc,CAAC;AAAA,IACtD;AAEA,UAAM,IAAI,MAAM,kCAAkC,SAAS,IAAI;AAAA,EACjE;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,kBACJ,WACA,YACA,UACA,aAC8B;AAC9B,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,MAAM,eAAe,MAAM,IAAI;AAAA,MAC7D,SAAS,KAAK,QAAQ;AAAA,IACxB,CAAC;AAED,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,SAAS,MAAM,IAAI,KAAK;AAC9B,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,WAAO,OAAO,KAAK,CAAC,MAAM;AACxB,UAAI,EAAE,WAAW,WAAY,QAAO;AACpC,UAAI,EAAE,cAAc,EAAE,cAAc,IAAK,QAAO;AAChD,UAAI,EAAE,SAAS,eAAe,OAAQ,QAAO;AAC7C,UAAI,EAAE,SAAS,gBAAgB,WAAY,QAAO;AAClD,UAAI,EAAE,SAAS,aAAa,SAAU,QAAO;AAC7C,UAAI,aAAa,UAAU,EAAE,SAAS,aAAa,QAAQ;AACzD,cAAM,eAAe,IAAI,IAAI,EAAE,QAAQ,WAAW;AAClD,YAAI,CAAC,YAAY,MAAM,OAAK,aAAa,IAAI,CAAC,CAAC,EAAG,QAAO;AAAA,MAC3D;AACA,aAAO;AAAA,IACT,CAAC,KAAK;AAAA,EACR;AACF;;;AChIA,SAAS,sBAAsB;AAG/B,IAAI;AAEG,SAAS,UAAU,MAAqB;AAC7C,cAAY;AACd;AAEO,SAAS,WAAW,OAAyB;AAClD,QAAM,OAAO,KAAK,UAAU,KAAK;AAGjC,UAAQ,MAAM,WAAW,MAAM,MAAM,IAAI,MAAM,MAAM,IAAI,MAAM,MAAM,GAAG,MAAM,IAAI,GAAG,MAAM,WAAW,UAAU,MAAM,QAAQ,KAAK,EAAE,EAAE;AAGvI,MAAI,WAAW;AACb,mBAAe,WAAW,GAAG,IAAI;AAAA,CAAI;AAAA,EACvC;AACF;;;ACnBA,SAAS,UAAU,gBAAgB;AACnC,SAAS,YAAY;AAErB,IAAM,oBAAoB;AAAA,EACxB,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,WAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,YAAY,MAAM,WAAW;AAAA;AAAA,EACvC,EAAE,QAAQ,GAAY,MAAM,WAAW;AAAA;AACzC;AAEA,SAAS,aAAa,IAAoB;AACxC,QAAM,QAAQ,GAAG,MAAM,GAAG,EAAE,IAAI,MAAM;AACtC,UAAS,MAAM,CAAC,KAAK,KAAO,MAAM,CAAC,KAAK,KAAO,MAAM,CAAC,KAAK,IAAK,MAAM,CAAC,OAAO;AAChF;AAEA,SAAS,cAAc,IAAqB;AAC1C,QAAM,MAAM,aAAa,EAAE;AAC3B,SAAO,kBAAkB,KAAK,QAAO,MAAM,EAAE,UAAU,MAAO,EAAE,MAAM;AACxE;AAEA,SAAS,cAAc,IAAqB;AAC1C,QAAM,aAAa,GAAG,YAAY;AAGlC,MAAI,eAAe,MAAO,QAAO;AAGjC,MAAI,eAAe,KAAM,QAAO;AAGhC,MAAI,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,KAAK,KAC1D,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,KAAK,GAAG;AACjE,WAAO;AAAA,EACT;AAGA,MAAI,WAAW,WAAW,IAAI,EAAG,QAAO;AAGxC,QAAM,WAAW,WAAW,MAAM,+BAA+B;AACjE,MAAI,SAAU,QAAO,cAAc,SAAS,CAAC,CAAC;AAE9C,SAAO;AACT;AAEA,SAAS,YAAY,IAAqB;AACxC,MAAI,KAAK,EAAE,MAAM,EAAG,QAAO,cAAc,EAAE;AAC3C,MAAI,KAAK,EAAE,MAAM,EAAG,QAAO,cAAc,EAAE;AAC3C,SAAO;AACT;AAOA,eAAsB,oBAAoBC,WAAoC;AAE5E,MAAI,KAAKA,SAAQ,GAAG;AAClB,WAAO,YAAYA,SAAQ;AAAA,EAC7B;AAGA,MAAIA,cAAa,YAAa,QAAO;AAGrC,MAAI;AACF,UAAM,CAAC,IAAI,EAAE,IAAI,MAAM,QAAQ,WAAW;AAAA,MACxC,SAASA,SAAQ;AAAA,MACjB,SAASA,SAAQ;AAAA,IACnB,CAAC;AACD,UAAM,QAAkB,CAAC;AACzB,QAAI,GAAG,WAAW,YAAa,OAAM,KAAK,GAAG,GAAG,KAAK;AACrD,QAAI,GAAG,WAAW,YAAa,OAAM,KAAK,GAAG,GAAG,KAAK;AAErD,QAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,WAAO,MAAM,KAAK,UAAQ,YAAY,IAAI,CAAC;AAAA,EAC7C,QACM;AAEJ,WAAO;AAAA,EACT;AACF;;;AClFA,SAAS,eAAe;AAmBxB,eAAsB,cACpBC,SACA,eACA,KACA,cACA,OACe;AACf,QAAM,SAAS,IAAI,OAAO;AAC1B,QAAM,CAAC,MAAM,OAAO,IAAI,OAAO,MAAM,GAAG;AACxC,QAAMC,QAAO,OAAO,SAAS,WAAW,KAAK;AAE7C,MAAI,CAAC,QAAQ,CAACA,OAAM;AAClB,iBAAa,MAAM,kCAAkC;AACrD,iBAAa,QAAQ;AACrB;AAAA,EACF;AAWA,QAAM,WAAW,IAAI;AAAA,IACnBD,QAAO,OACJ,IAAI,CAAC,MAAM;AACV,UAAI;AACF,eAAO,IAAI,IAAI,EAAE,OAAO,EAAE,SAAS,YAAY;AAAA,MACjD,QACM;AACJ,eAAO;AAAA,MACT;AAAA,IACF,CAAC,EACA,OAAO,OAAK,EAAE,SAAS,CAAC;AAAA,EAC7B;AACA,MAAI,SAAS,IAAI,KAAK,YAAY,CAAC,GAAG;AACpC,eAAW;AAAA,MACT,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,MAAM;AAAA,IACR,CAAC;AACD,WAAO,MAAMC,OAAM,YAAY;AAC/B;AAAA,EACF;AAEA,QAAM,gBAAgBD,QAAO,MAAM,kBAAkB;AAGrD,MAAI;AACJ,MAAI;AACF,UAAM,aAAa,IAAI,QAAQ,qBAAqB;AACpD,QAAI,WAAmD;AAEvD,eAAWE,cAAaF,QAAO,QAAQ;AACrC,iBAAW,MAAM;AAAA,QACf,cAAc;AAAA,QACdE,WAAU;AAAA,QACV,iBAAiBF,QAAO,OAAO,WAAW;AAAA,MAC5C;AACA,UAAI,SAAU;AAAA,IAChB;AAEA,QAAI,iBAAiB,CAAC,UAAU;AAC9B,YAAM,IAAI,UAAU,cAAc;AAAA,IACpC;AAEA,iBAAa,UAAU;AAGvB,QAAI,YAAY;AACd,YAAM,QAAQA,QAAO,OAAO,KAAK,OAAK,EAAE,UAAU,UAAU;AAC5D,UAAI,CAAC,OAAO;AACV,qBAAa,MAAM,gCAAgC;AACnD,qBAAa,QAAQ;AACrB;AAAA,MACF;AAAA,IACF,WACSA,QAAO,OAAO,SAAS,GAAG;AACjC,YAAM,IAAI,UAAU,oCAAoC;AAAA,IAC1D;AAAA,EACF,SACO,KAAK;AACV,QAAI,eAAe,WAAW;AAC5B,mBAAa,MAAM,mCAAmC;AACtD,mBAAa,QAAQ;AACrB;AAAA,IACF;AACA,UAAM;AAAA,EACR;AAGA,MAAI,MAAM,oBAAoB,IAAI,GAAG;AACnC,eAAW;AAAA,MACT,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,OAAO,cAAcA,QAAO,OAAO,CAAC,GAAG,SAAS;AAAA,MAChD,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,MAAM;AAAA,IACR,CAAC;AACD,iBAAa,MAAM,gCAAgC;AACnD,iBAAa,QAAQ;AACrB;AAAA,EACF;AAKA,QAAM,YAAqC,aACvCA,QAAO,OAAO,KAAK,OAAK,EAAE,UAAU,UAAU,IAC9CA,QAAO,OAAO,CAAC;AACnB,MAAI,CAAC,WAAW;AACd,iBAAa,MAAM,gCAAgC;AACnD,iBAAa,QAAQ;AACrB;AAAA,EACF;AACA,QAAM,iBAAiB,cAAc,UAAU;AAE/C,QAAM,cAA2B;AAAA,IAC/B,OAAO;AAAA,MACL,QAAQA,QAAO,MAAM;AAAA,MACrB,SAAS,UAAU;AAAA,MACnB,aAAa,UAAU;AAAA,MACvB,gBAAgBA,QAAO,MAAM;AAAA,IAC/B;AAAA,IACA,OAAO,UAAU,SAAS,CAAC;AAAA,IAC3B,MAAM,UAAU,QAAQ,CAAC;AAAA,IACzB,gBAAgB,UAAU,kBAAkB,CAAC;AAAA,EAC/C;AAMA,QAAM,SAAS,cAAc,aAAa,MAAM,WAAW,GAAG;AAC9D,QAAM,YAAY;AAAA,IAChB,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC3B,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,MAAM;AAAA,EACR;AAEA,MAAI,OAAO,SAAS,QAAQ;AAC1B,eAAW,EAAE,GAAG,WAAW,QAAQ,QAAQ,MAAM,YAAY,CAAC;AAC9D,UAAM,OAAO,OAAO,OAAO,IAAI,OAAO,IAAI,KAAK;AAC/C,iBAAa,MAAM;AAAA;AAAA;AAAA,UAAqE,IAAI;AAAA,CAAM;AAClG,iBAAa,QAAQ;AACrB;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,kBAAkB;AACpC,UAAM,eAAe,cAAc,IAAI,UAAU,KAAK;AACtD,QAAI,CAAC,cAAc;AACjB,iBAAW,EAAE,GAAG,WAAW,QAAQ,QAAQ,MAAM,6BAA6B,CAAC;AAC/E,mBAAa,MAAM,0EAA0E;AAC7F,mBAAa,QAAQ;AACrB;AAAA,IACF;AAOA,UAAM,UAAU,KAAK,IAAI;AACzB,QAAI;AACF,YAAM,QAAQ,MAAM,aAAa,aAAa;AAAA,QAC5C,WAAW;AAAA,QACX,YAAY;AAAA,QACZ,UAAU;AAAA,QACV,WAAW,OAAO,KAAK;AAAA,QACvB,aAAa,OAAO,KAAK;AAAA,QACzB,QAAQ,WAAW,IAAI,IAAIC,KAAI;AAAA,QAC/B,UAAU,OAAO,KAAK;AAAA,MACxB,CAAC;AACD,YAAM,UAAU,MAAM,aAAa,gBAAgB,MAAM,EAAE;AAC3D,YAAM,WAAW,KAAK,IAAI,IAAI;AAC9B,UAAI,QAAQ,WAAW,YAAY;AACjC,mBAAW,EAAE,GAAG,WAAW,QAAQ,kBAAkB,MAAM,kBAAkB,UAAU,QAAQ,IAAI,WAAW,SAAS,CAAC;AAAA,MAE1H,OACK;AACH,mBAAW,EAAE,GAAG,WAAW,QAAQ,gBAAgB,MAAM,kBAAkB,UAAU,QAAQ,IAAI,WAAW,SAAS,CAAC;AACtH,qBAAa,MAAM;AAAA;AAAA,kBAAiD,QAAQ,cAAc,QAAQ;AAAA,CAAM;AACxG,qBAAa,QAAQ;AACrB;AAAA,MACF;AAAA,IACF,SACO,KAAK;AACV,YAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AACjD,iBAAW,EAAE,GAAG,WAAW,QAAQ,iBAAiB,MAAM,kBAAkB,OAAO,IAAI,CAAC;AACxF,mBAAa,MAAM;AAAA;AAAA,wBAA6D,GAAG;AAAA,CAAM;AACzF,mBAAa,QAAQ;AACrB;AAAA,IACF;AAAA,EACF,OACK;AAEH,eAAW,EAAE,GAAG,WAAW,QAAQ,SAAS,MAAM,aAAa,CAAC;AAAA,EAClE;AAEA,SAAO,MAAMA,OAAM,YAAY;AACjC;AAOA,SAAS,OAAO,MAAcA,OAAc,cAA4B;AACtE,QAAM,eAAe,QAAQA,OAAM,MAAM,MAAM;AAC7C,iBAAa,MAAM,6CAA6C;AAChE,iBAAa,KAAK,YAAY;AAC9B,iBAAa,KAAK,YAAY;AAAA,EAChC,CAAC;AAED,eAAa,GAAG,SAAS,MAAM;AAC7B,iBAAa,MAAM,kCAAkC;AACrD,iBAAa,QAAQ;AAAA,EACvB,CAAC;AAED,eAAa,GAAG,SAAS,MAAM;AAC7B,iBAAa,QAAQ;AAAA,EACvB,CAAC;AAED,eAAa,GAAG,SAAS,MAAM,aAAa,QAAQ,CAAC;AACrD,eAAa,GAAG,SAAS,MAAM,aAAa,QAAQ,CAAC;AACvD;;;ANjPA,eAAe,mBAAmB,QAAgB,WAAmB,MAA2C;AAC9G,QAAM,OAAO,WAAW,QAAQ;AAChC,OAAK,OAAO,GAAG,MAAM,IAAI,SAAS;AAAA,CAAI;AACtC,MAAI,QAAQ,KAAK,aAAa,GAAG;AAC/B,SAAK,OAAO,IAAI,WAAW,IAAI,CAAC;AAAA,EAClC;AACA,SAAO,KAAK,OAAO,KAAK;AAC1B;AA6BO,SAAS,mBAAmBE,SAA0D;AAC3F,QAAM,gBAAgB,oBAAI,IAA0B;AACpD,aAAW,SAASA,QAAO,QAAQ;AACjC,kBAAc,IAAI,MAAM,OAAO,IAAI,aAAa,MAAM,OAAO,CAAC;AAAA,EAChE;AACA,SAAO;AACT;AAGO,SAAS,sBACdA,SACA,gBAA2C,mBAAmBA,OAAM,GACpE;AAGA,aAAW,SAASA,QAAO,QAAQ;AACjC,QAAI,CAAC,cAAc,IAAI,MAAM,KAAK,GAAG;AACnC,oBAAc,IAAI,MAAM,OAAO,IAAI,aAAa,MAAM,OAAO,CAAC;AAAA,IAChE;AAAA,EACF;AAEA,QAAM,gBAAgBA,QAAO,MAAM,kBAAkB;AAErD,SAAO;AAAA,IACL,MAAM,OAAO,SAASA,QAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK,MAAM;AAAA,IACjE,UAAUA,QAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK;AAAA,IAE/C,MAAM,MAAM,KAAiC;AAC3C,YAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,YAAM,YAAY,KAAK,IAAI;AAG3B,UAAI,IAAI,aAAa,YAAY;AAC/B,eAAO,SAAS,KAAK;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQA,QAAO,OAAO,IAAI,OAAK,EAAE,KAAK;AAAA,QACxC,CAAC;AAAA,MACH;AAGA,YAAM,YAAY,IAAI,SAAS,MAAM,CAAC,IAAI,IAAI;AAC9C,UAAI;AACJ,UAAI;AACF,uBAAe,IAAI,IAAI,SAAS;AAAA,MAClC,QACM;AACJ,eAAO,IAAI;AAAA,UACT;AAAA,UACA,EAAE,QAAQ,IAAI;AAAA,QAChB;AAAA,MACF;AAEA,YAAM,SAAS,aAAa;AAC5B,YAAM,SAAS,IAAI;AACnB,YAAM,OAAO,aAAa;AAG1B,UAAI,MAAM,oBAAoB,MAAM,GAAG;AACrC,eAAO,IAAI,SAAS,gCAAgC,EAAE,QAAQ,IAAI,CAAC;AAAA,MACrE;AAGA,YAAM,aAAa,IAAI,OAAO,MAAM,IAAI,YAAY,IAAI;AAKxD,UAAI,gBAAwD;AAC5D,UAAI;AACF,mBAAWC,cAAaD,QAAO,QAAQ;AACrC,0BAAgB,MAAM;AAAA,YACpB,IAAI,QAAQ,IAAI,qBAAqB;AAAA,YACrCC,WAAU;AAAA,YACV,iBAAiBD,QAAO,OAAO,WAAW;AAAA,UAC5C;AACA,cAAI,cAAe;AAAA,QACrB;AAGA,YAAI,iBAAiB,CAAC,eAAe;AACnC,gBAAM,IAAI,UAAU,cAAc;AAAA,QACpC;AAAA,MACF,SACO,KAAK;AACV,YAAI,eAAe,WAAW;AAC5B,iBAAO,IAAI,SAAS,iBAAiB,IAAI,OAAO,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,QACrE;AACA,cAAM;AAAA,MACR;AAGA,YAAM,aAAa,eAAe;AAClC,UAAI;AAEJ,UAAI,YAAY;AACd,oBAAYA,QAAO,OAAO,KAAK,OAAK,EAAE,UAAU,UAAU;AAC1D,YAAI,CAAC,WAAW;AACd,iBAAO,IAAI,SAAS,4BAA4B,UAAU,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,QAC/E;AAAA,MACF,WACSA,QAAO,OAAO,WAAW,GAAG;AAEnC,oBAAYA,QAAO,OAAO,CAAC;AAAA,MAC7B,OACK;AACH,eAAO,IAAI,SAAS,oDAAoD,EAAE,QAAQ,IAAI,CAAC;AAAA,MACzF;AAEA,YAAM,iBAAiB,cAAc,UAAU;AAC/C,YAAM,eAAe,cAAc,IAAI,UAAU,KAAK;AAGtD,YAAM,cAA2B;AAAA,QAC/B,OAAO;AAAA,UACL,QAAQA,QAAO,MAAM;AAAA,UACrB,SAAS,UAAU;AAAA,UACnB,aAAa,UAAU;AAAA,UACvB,gBAAgBA,QAAO,MAAM;AAAA,QAC/B;AAAA,QACA,OAAO,UAAU,SAAS,CAAC;AAAA,QAC3B,MAAM,UAAU,QAAQ,CAAC;AAAA,QACzB,gBAAgB,UAAU,kBAAkB,CAAC;AAAA,MAC/C;AAGA,YAAM,SAAS,cAAc,aAAa,QAAQ,QAAQ,IAAI;AAE9D,YAAM,YAAiD;AAAA,QACrD,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC3B,OAAO;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAGA,UAAI,OAAO,SAAS,QAAQ;AAC1B,mBAAW,EAAE,GAAG,WAAW,QAAQ,QAAQ,MAAM,aAAa,UAAU,KAAK,CAAC;AAC9E,eAAO,IAAI,SAAS,YAAY,OAAO,QAAQ,WAAW,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC/E;AAGA,UAAI,OAAO,SAAS,SAAS;AAC3B,mBAAW,EAAE,GAAG,WAAW,QAAQ,SAAS,MAAM,cAAc,UAAU,KAAK,CAAC;AAChF,eAAO,eAAe,KAAK,WAAW,UAAU;AAAA,MAClD;AAGA,YAAM,OAAO,OAAO;AACpB,YAAM,cAAc,KAAK,eAAe,CAAC,GAAG,OAAO,YAAY,CAAC,IAAI,MAAM,EAAE;AAG5E,YAAM,cAAc,MAAM,mBAAmB,QAAQ,WAAW,UAAU;AAG1E,YAAM,WAAW,MAAM,aAAa;AAAA,QAClC;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,EAAE,MAAM,MAAM,IAAI;AAElB,UAAI,UAAU;AACZ,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,UAAU,SAAS;AAAA,UACnB,cAAc;AAAA,QAChB,CAAC;AACD,eAAO,eAAe,KAAK,WAAW,UAAU;AAAA,MAClD;AAGA,UAAIA,QAAO,MAAM,mBAAmB,SAAS;AAC3C,mBAAW,EAAE,GAAG,WAAW,QAAQ,QAAQ,MAAM,yBAAyB,UAAU,KAAK,CAAC;AAC1F,eAAO,IAAI,SAAS,2BAAsB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC3D;AAEA,UAAIA,QAAO,MAAM,mBAAmB,iBAAiB;AAEnD,cAAM,QAAQ,MAAM,aAAa,aAAa;AAAA,UAC5C,WAAW;AAAA,UACX,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,WAAW,KAAK;AAAA,UAChB;AAAA,UACA,QAAQ,GAAG,MAAM,IAAI,SAAS;AAAA,UAC9B;AAAA,UACA,UAAU,KAAK;AAAA,QACjB,CAAC,EAAE,MAAM,MAAM,IAAI;AAEnB,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,UAAU,OAAO,MAAM;AAAA,QACzB,CAAC;AAED,eAAO,IAAI;AAAA,UACT,KAAK,UAAU;AAAA,YACb,OAAO;AAAA,YACP,UAAU,OAAO;AAAA,YACjB,SAAS;AAAA,UACX,CAAC;AAAA,UACD,EAAE,QAAQ,KAAK,SAAS,EAAE,gBAAgB,mBAAmB,EAAE;AAAA,QACjE;AAAA,MACF;AAGA,cAAQ,MAAM,gCAAgC,MAAM,IAAI,MAAM,GAAG,IAAI,iCAA4B;AAEjG,UAAI;AACF,cAAM,QAAQ,MAAM,aAAa,aAAa;AAAA,UAC5C,WAAW;AAAA,UACX,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,WAAW,KAAK;AAAA,UAChB;AAAA,UACA,QAAQ,GAAG,MAAM,IAAI,SAAS;AAAA,UAC9B;AAAA,UACA,UAAU,KAAK;AAAA,QACjB,CAAC;AAED,cAAM,WAAW,MAAM,aAAa,gBAAgB,MAAM,EAAE;AAE5D,cAAM,WAAW,KAAK,IAAI,IAAI;AAE9B,YAAI,SAAS,WAAW,YAAY;AAClC,qBAAW;AAAA,YACT,GAAG;AAAA,YACH,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,UAAU,SAAS;AAAA,YACnB,cAAc;AAAA,YACd,WAAW;AAAA,UACb,CAAC;AACD,iBAAO,eAAe,KAAK,WAAW,UAAU;AAAA,QAClD;AAEA,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,UAAU,SAAS;AAAA,UACnB,WAAW;AAAA,QACb,CAAC;AACD,eAAO,IAAI,SAAS,mBAAmB,SAAS,UAAU,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC/E,SACO,KAAK;AACV,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AACjD,mBAAW;AAAA,UACT,GAAG;AAAA,UACH,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,OAAO;AAAA,QACT,CAAC;AACD,eAAO,IAAI,SAAS,yBAAyB,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;AAMO,SAAS,kBAAkBA,SAGhC;AAKA,QAAM,gBAAgB,mBAAmBA,OAAM;AAC/C,QAAM,QAAQ,sBAAsBA,SAAQ,aAAa;AAEzD,SAAO;AAAA,IACL,cAAc,KAAsB,KAAqB;AASvD,YAAM,SAAS,IAAI,OAAO;AAC1B,YAAM,aAAa,OAAO,WAAW,SAAS,KAAK,OAAO,WAAW,UAAU;AAC/E,YAAM,YAAY,IAAI,QAAQ,QAAQ;AACtC,YAAM,MAAM,aACR,UAAU,SAAS,IAAI,MAAM,KAC7B,UAAU,SAAS,GAAG,MAAM;AAChC,YAAM,SAAmB,CAAC;AAE1B,UAAI,GAAG,QAAQ,CAAC,UAAkB,OAAO,KAAK,KAAK,CAAC;AACpD,UAAI,GAAG,OAAO,YAAY;AACxB,YAAI;AACF,gBAAM,OAAO,OAAO,SAAS,IAAI,OAAO,OAAO,MAAM,IAAI;AACzD,gBAAM,UAAU,IAAI,QAAQ;AAC5B,qBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,IAAI,OAAO,GAAG;AACtD,gBAAI,OAAO;AACT,sBAAQ,IAAI,KAAK,MAAM,QAAQ,KAAK,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK;AAAA,YAClE;AAAA,UACF;AAEA,gBAAM,UAAU,IAAI,QAAQ,KAAK;AAAA,YAC/B,QAAQ,IAAI;AAAA,YACZ;AAAA,YACA,MAAM,QAAQ,IAAI,WAAW,SAAS,IAAI,WAAW,SAAS,OAAO;AAAA,YACrE,QAAQ;AAAA,UACV,CAAgB;AAEhB,gBAAM,WAAW,MAAM,MAAM,MAAM,OAAO;AAE1C,cAAI,UAAU,SAAS,QAAQ,SAAS,YAAY,OAAO,YAAY,SAAS,OAAO,CAAC;AACxF,cAAI,SAAS,MAAM;AACjB,kBAAM,SAAS,SAAS,KAAK,UAAU;AACvC,kBAAM,OAAO,YAA2B;AACtC,oBAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,KAAK;AAC1C,kBAAI,MAAM;AACR,oBAAI,IAAI;AACR;AAAA,cACF;AACA,kBAAI,MAAM,KAAK;AACf,qBAAO,KAAK;AAAA,YACd;AACA,kBAAM,KAAK;AAAA,UACb,OACK;AACH,gBAAI,IAAI;AAAA,UACV;AAAA,QACF,QACM;AACJ,cAAI,UAAU,GAAG;AACjB,cAAI,IAAI,aAAa;AAAA,QACvB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,IAEA,cAAc,KAAsB,QAAgB,MAAc;AAChE,oBAAcA,SAAQ,eAAe,KAAK,QAAQ,IAAI;AAAA,IACxD;AAAA,EACF;AACF;AAMA,eAAe,eAAe,aAAsB,WAAmB,YAAoD;AACzH,QAAM,UAAU,IAAI,QAAQ,YAAY,OAAO;AAE/C,UAAQ,OAAO,qBAAqB;AACpC,UAAQ,OAAO,kBAAkB;AAEjC,UAAQ,OAAO,MAAM;AAErB,QAAM,OAAO,cAAc,WAAW,aAAa,IAAI,aAAa;AAEpE,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,WAAW;AAAA,MACjC,QAAQ,YAAY;AAAA,MACpB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,CAAC;AAGD,UAAM,kBAAkB,IAAI,QAAQ,IAAI,OAAO;AAE/C,oBAAgB,OAAO,mBAAmB;AAC1C,oBAAgB,OAAO,YAAY;AAEnC,WAAO,IAAI,SAAS,IAAI,MAAM;AAAA,MAC5B,QAAQ,IAAI;AAAA,MACZ,YAAY,IAAI;AAAA,MAChB,SAAS;AAAA,IACX,CAAC;AAAA,EACH,SACO,KAAK;AACV,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AACjD,WAAO,IAAI,SAAS,gBAAgB,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5D;AACF;;;AF/aA,IAAM,EAAE,OAAO,IAAI,UAAU;AAAA,EAC3B,SAAS;AAAA,IACP,QAAQ,EAAE,MAAM,UAAU,OAAO,KAAK,SAAS,cAAc;AAAA,IAC7D,WAAW,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,IAC7C,kBAAkB,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,EACtD;AACF,CAAC;AAED,IAAM,aAAa,OAAO;AAE1B,QAAQ,IAAI,uCAAuC,UAAU,EAAE;AAC/D,IAAM,SAAS,qBAAqB,YAAY;AAAA,EAC9C,eAAe,OAAO,gBAAgB,KAAK;AAC7C,CAAC;AAGD,UAAU,OAAO,MAAM,SAAS;AAEhC,IAAI,OAAO,SAAS,GAAG;AACrB,UAAQ,IAAI,gEAA2D;AACvE,UAAQ,IAAI,gCAAgC;AAC5C,UAAQ,IAAI,aAAa,OAAO,MAAM,MAAM,EAAE;AAC9C,UAAQ,IAAI,qBAAqB,OAAO,MAAM,cAAc,EAAE;AAC9D,UAAQ,IAAI,qBAAqB,OAAO,MAAM,kBAAkB,KAAK,EAAE;AACvE,UAAQ,IAAI,aAAa,OAAO,OAAO,MAAM,EAAE;AAC/C,aAAW,SAAS,OAAO,QAAQ;AACjC,UAAM,aAAa,MAAM,OAAO,UAAU;AAC1C,UAAM,YAAY,MAAM,MAAM,UAAU;AACxC,UAAM,aAAa,MAAM,gBAAgB,UAAU;AACnD,YAAQ,IAAI,OAAO,MAAM,KAAK,KAAK,MAAM,OAAO,YAAO,UAAU,WAAW,SAAS,UAAU,UAAU,QAAQ;AAAA,EACnH;AACA,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,UAAU,kBAAkB,MAAM;AAExC,IAAM,OAAO,OAAO,SAAS,OAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK,MAAM;AACxE,IAAM,WAAW,OAAO,MAAM,OAAO,MAAM,GAAG,EAAE,CAAC,KAAK;AAEtD,IAAM,SAAS,aAAa,QAAQ,aAAa;AACjD,OAAO,GAAG,WAAW,QAAQ,aAAa;AAE1C,OAAO,OAAO,MAAM,UAAU,MAAM;AAIlC,QAAM,OAAO,OAAO,QAAQ;AAC5B,QAAM,aAAa,OAAO,SAAS,YAAY,OAAO,KAAK,OAAO;AAClE,UAAQ,IAAI,uCAAuC,QAAQ,IAAI,UAAU,EAAE;AAC3E,UAAQ,IAAI,2CAA2C;AACvD,UAAQ,IAAI,mCAAmC,OAAO,MAAM,kBAAkB,KAAK,EAAE;AACrF,UAAQ,IAAI,2BAA2B,OAAO,OAAO,IAAI,OAAK,EAAE,KAAK,EAAE,KAAK,IAAI,CAAC,EAAE;AACnF,UAAQ,IAAI,mCAAmC,OAAO,MAAM,cAAc,EAAE;AAC9E,CAAC;AAGD,QAAQ,GAAG,UAAU,MAAM;AACzB,UAAQ,IAAI,oCAAoC;AAChD,SAAO,MAAM;AACb,UAAQ,KAAK,CAAC;AAChB,CAAC;AAED,QAAQ,GAAG,WAAW,MAAM;AAC1B,UAAQ,IAAI,kCAAkC;AAC9C,SAAO,MAAM;AACb,UAAQ,KAAK,CAAC;AAChB,CAAC;","names":["config","hostname","config","port","agentConf","config","agentConf"]}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@openape/proxy",
   "type": "module",
-  "version": "0.2.14",
+  "version": "0.3.0",
   "turbo": {
     "tags": [
       "publishable"
@@ -11,8 +11,13 @@
   "author": "Patrick Hofmann",
   "license": "MIT",
   "bin": {
-    "openape-proxy": "./src/index.ts"
+    "openape-proxy": "./dist/index.js"
   },
+  "files": [
+    "dist",
+    "config.example.toml",
+    "README.md"
+  ],
   "dependencies": {
     "jose": "^5.9.0",
     "smol-toml": "^1.3.0",

package/.nvmrc DELETED Viewed

	@@ -1 +0,0 @@
1	- 22

package/CHANGELOG.md DELETED Viewed

@@ -1,140 +0,0 @@
-# @openape/proxy
-## 0.2.14
-### Patch Changes
-- Updated dependencies [[`d7f78fa`](https://github.com/openape-ai/openape/commit/d7f78fa68478f295202351e15bfada8ce849c4db)]:
-  - @openape/core@0.13.2
-  - @openape/grants@0.11.2
-## 0.2.13
-### Patch Changes
-- Updated dependencies [[`ed1ad3f`](https://github.com/openape-ai/openape/commit/ed1ad3f6cd7d8ed2c9309cabda503d3ecf6453ff)]:
-  - @openape/core@0.13.1
-  - @openape/grants@0.11.1
-## 0.2.12
-### Patch Changes
-- Updated dependencies [[`d1c8f5a`](https://github.com/openape-ai/openape/commit/d1c8f5a711b088ac160c92d67a532f6f4d77d437)]:
-  - @openape/grants@0.11.0
-## 0.2.11
-### Patch Changes
-- Updated dependencies [[`d8e1516`](https://github.com/openape-ai/openape/commit/d8e15161d7edda67139633ec18c959a2cc8a57bd)]:
-  - @openape/grants@0.10.0
-## 0.2.10
-### Patch Changes
-- Updated dependencies [[`03edf70`](https://github.com/openape-ai/openape/commit/03edf70c9aa73a362cc3376d3a8f8e041620d054)]:
-  - @openape/core@0.13.0
-  - @openape/grants@0.9.0
-## 0.2.9
-### Patch Changes
-- Updated dependencies [[`6c0cbad`](https://github.com/openape-ai/openape/commit/6c0cbada5165dc4e45381ffdaca847cd9dfc1d02)]:
-  - @openape/grants@0.8.0
-## 0.2.8
-### Patch Changes
-- Fix ReDoS-vulnerable regex in proxy auth header parsing. Fix lint violations across packages. Update import paths for CLI permissions moved to @openape/grants.
-- Updated dependencies []:
-  - @openape/core@0.12.0
-  - @openape/grants@0.7.0
-## 0.2.7
-### Patch Changes
-- Updated dependencies []:
-  - @openape/core@0.11.0
-  - @openape/grants@0.6.0
-## 0.2.6
-### Patch Changes
-- Updated dependencies [[`da8a5ac`](https://github.com/openape-ai/openape/commit/da8a5acf82542810ecddf4ad7a9ac8b7b1cfd287)]:
-  - @openape/core@0.10.0
-  - @openape/grants@0.5.3
-## 0.2.5
-### Patch Changes
-- Updated dependencies [[`bd1eb0d`](https://github.com/openape-ai/openape/commit/bd1eb0d83f700f1c289d21a545d3d62ced7f44d6)]:
-  - @openape/core@0.8.0
-  - @openape/grants@0.5.2
-## 0.2.4
-### Patch Changes
-- Relicense from AGPL-3.0-or-later to MIT, rename OpenAPE to OpenApe
-- Updated dependencies []:
-  - @openape/grants@0.5.1
-  - @openape/core@0.7.1
-## 0.2.3
-### Patch Changes
-- Updated dependencies []:
-  - @openape/core@0.7.0
-  - @openape/grants@0.5.0
-## 0.2.2
-### Patch Changes
-- [#1](https://github.com/openape-ai/openape/pull/1) [`3f0a62f`](https://github.com/openape-ai/openape/commit/3f0a62f25b07623d13f4e450683133415807358f) Thanks [@patrick-hofmann](https://github.com/patrick-hofmann)! - Align implementation with DDISA spec v1.0-draft
-  **@openape/core:**
-  - **BREAKING:** `OpenApeGrantRequest.target` → `target_host` (host/domain), `audience` now REQUIRED
-  - `OpenApeAuthZClaims` gets `target_host` as REQUIRED claim
-  - Fix error status codes: `invalid_audience`/`invalid_nonce` → 401, `grant_not_approved` → 400, `grant_already_used` → 410
-  - Add missing error types: `policyDenied`, `invalidPkce`, `invalidState`
-  **@openape/grants:**
-  - **BREAKING:** `issueAuthzJWT` sets `aud` from `audience` (not `target`), adds `target_host` + `run_as` claims
-  **@openape/nuxt-auth-idp:**
-  - Grant creation validates `target_host` + `audience` (REQUIRED)
-  - Fix `ddisa_version` from `'ddisa1'` to `'1.0'`
-  - Fix `ddisa_auth_methods_supported` from `'passkey'` to `'webauthn'`
-  - Grant/Delegation create now returns HTTP 201
-  - Batch endpoint: `body.actions` → `body.operations`, response includes `success` boolean
-  - Delegation validate returns `{ valid, delegation, scopes }` instead of ProblemDetails
-  - **BREAKING:** `authzJWT` → `authz_jwt` in approve/token API responses (snake_case per OAuth2)
-  - Delegation list supports `?role=delegator|delegate` query parameter
-  **@openape/grapes:**
-  - **BREAKING:** Replace `exec` command with audience-first `run` command
-  - `request` command uses `--audience` + `--host` instead of `--for`
-  - Remove `defaults.for` from config
-  **@openape/proxy:**
-  - Update `GrantsClient` to use `targetHost` + `audience` parameters
-- Updated dependencies [[`3f0a62f`](https://github.com/openape-ai/openape/commit/3f0a62f25b07623d13f4e450683133415807358f)]:
-  - @openape/core@0.6.0
-  - @openape/grants@0.4.0

package/PLAN.md DELETED Viewed

@@ -1,261 +0,0 @@
-# openape-proxy — Agent HTTP Gateway
-## Übersicht
-Ein HTTP-Forward-Proxy der den gesamten ausgehenden Traffic eines Agents kontrolliert. Agents haben keinen direkten Internet-Zugang — alles läuft durch den Proxy, der Grants prüft, Requests filtert und alles loggt.
-## Architektur
-```
-┌─────────┐    HTTP_PROXY    ┌──────────────┐    HTTPS    ┌──────────┐
-│  Agent   │ ──────────────→ │ openape-proxy │ ─────────→ │ Internet │
-│          │                 │              │             │          │
-│ (HTTP    │  ← 403 oder ─── │  • Auth      │             └──────────┘
-│  Client) │    Grant-Request │  • Grants    │
-└─────────┘                  │  • Audit     │
-                             │  • Rules     │
-                             └──────┬───────┘
-                                    │ Grant-API
-                                    ▼
-                             ┌──────────────┐
-                             │   IdP        │
-                             │ (id.office.  │
-                             │  or.at)      │
-                             └──────────────┘
-```
-## Agent-Integration
-Null-Config für den Agent:
-```bash
-export HTTP_PROXY=http://localhost:9090
-export HTTPS_PROXY=http://localhost:9090
-```
-Jeder HTTP-Client (curl, fetch, axios, Python requests, etc.) respektiert diese Env-Vars automatisch.
-## Authentifizierung
-Agent identifiziert sich am Proxy via Proxy-Authorization Header:
-```
-CONNECT api.github.com:443 HTTP/1.1
-Proxy-Authorization: Bearer <agent-jwt>
-```
-Das Agent-JWT kommt aus dem bestehenden Ed25519 Challenge-Response Flow.
-## Grant-Matching
-### Regel-Hierarchie
-1. **Deny-List** — immer blockiert (z.B. interne Netzwerke, IdP selbst)
-2. **Allow without Grant** — immer erlaubt (z.B. DNS, NTP)
-3. **Standing Grants** — Agent hat `allow_always` für Domain+Method
-4. **TTL Grants** — Agent hat zeitlich begrenzten Grant
-5. **Prompt for Grant** — kein Grant vorhanden → Optionen:
-   a. `block` — sofort 403
-   b. `request` — Grant-Request erstellen, auf Approval warten (blocking)
-   c. `request-async` — Grant-Request erstellen, sofort 403, Agent kann später retry
-### Regel-Konfiguration
-```toml
-[proxy]
-listen = "127.0.0.1:9090"
-idp_url = "https://id.office.or.at"
-agent_key = "/etc/openape/agent.key"
-agent_id = "mini-claw@office.or.at"
-default_action = "request"   # block | request | request-async
-audit_log = "/var/log/openape-proxy/audit.jsonl"
-# Immer erlaubt (kein Grant nötig)
-[[allow]]
-domain = "*.openape.at"
-[[allow]]
-domain = "api.github.com"
-methods = ["GET"]
-# Immer blockiert
-[[deny]]
-domain = "169.254.169.254"    # AWS metadata
-note = "cloud metadata endpoint"
-[[deny]]
-domain = "*.internal"
-# Grant-gesteuert (Domain + Method + Path)
-[[grant_required]]
-domain = "api.github.com"
-path = "/repos/*/issues"
-methods = ["POST"]
-grant_type = "once"           # jeder neue Issue braucht Genehmigung
-[[grant_required]]
-domain = "api.github.com"
-methods = ["PUT", "DELETE", "PATCH"]
-grant_type = "once"           # alle anderen Writes auch
-[[grant_required]]
-domain = "api.openai.com"
-grant_type = "always"         # Standing Grant, einmal genehmigen reicht
-[[grant_required]]
-domain = "*"                  # alles andere
-grant_type = "once"
-```
-## Request-Lifecycle
-```
-1. Agent sendet CONNECT api.github.com:443
-2. Proxy prüft Agent-JWT (Proxy-Authorization)
-3. Proxy extrahiert: domain=api.github.com, method=POST, path=/repos/x/issues
-4. Regel-Matching:
-   a. In deny-list? → 403 Blocked
-   b. In allow-list? → Tunnel aufbauen, weiterleiten
-   c. Aktiver Grant vorhanden? → Tunnel aufbauen, weiterleiten
-   d. Kein Grant → default_action ausführen:
-      - "block": 403
-      - "request": Grant-Request an IdP, warte auf Approval, dann weiterleiten
-      - "request-async": Grant-Request erstellen, 407 Proxy Authentication Required
-5. Audit-Log schreiben (JSONL)
-```
-## Audit-Log Format
-```jsonl
-{"ts":"2026-02-23T22:30:00Z","agent":"mini-claw@office.or.at","action":"allow","domain":"api.github.com","method":"GET","path":"/repos/x/issues","grant_id":null,"rule":"allow-list"}
-{"ts":"2026-02-23T22:30:05Z","agent":"mini-claw@office.or.at","action":"grant_approved","domain":"api.github.com","method":"POST","path":"/repos/x/issues","grant_id":"abc123","rule":"grant_required","waited_ms":12000}
-{"ts":"2026-02-23T22:30:10Z","agent":"mini-claw@office.or.at","action":"denied","domain":"169.254.169.254","method":"GET","path":"/latest/meta-data","grant_id":null,"rule":"deny-list"}
-```
-## Implementierung
-### Sprache: Rust
-- Wie `escapes` — konsistent im Ökosystem
-- Performant für Proxy-Workload (viele gleichzeitige Connections)
-- `tokio` + `hyper` für async HTTP
-- Kein TLS-Aufbrechen nötig: CONNECT-Tunnel ist opak (nur Domain sichtbar, nicht der Inhalt)
-### Crates
-- `hyper` — HTTP Server/Client
-- `tokio` — Async Runtime
-- `tokio-rustls` — TLS für Upstream-Verbindung zum IdP
-- `serde` + `toml` — Config
-- `tracing` — Structured Logging
-### Proxy-Modus: Application-Level (nicht CONNECT-Tunnel)
-Ein klassischer HTTPS CONNECT-Tunnel sieht nur die Domain — Method, Path und Body sind verschlüsselt. Das reicht nicht für granulare Kontrolle.
-Stattdessen: **Application-Level Forward Proxy**. Der Agent schickt den Request unverschlüsselt an den lokalen Proxy, der Proxy macht den HTTPS-Call zum Ziel:
-```
-Agent ──HTTP──→ openape-proxy ──HTTPS──→ api.github.com
-  (lokal, plaintext)    (sieht alles)     (TLS zum Internet)
-```
-**Was der Proxy sieht:**
-- ✅ Domain
-- ✅ HTTP Method (GET, POST, DELETE, ...)
-- ✅ Full Path (`/repos/x/issues`)
-- ✅ Headers
-- ✅ Body (kann `cmd_hash` darüber bilden!)
-**Sicherheit:** Die unverschlüsselte Strecke Agent → Proxy ist `localhost` — gleiche Maschine, kein Netzwerk. Kein Risiko.
-**Kompatibilität:** Standard `HTTP_PROXY` Env-Var funktioniert — jeder HTTP-Client schickt den vollen Request an den Proxy wenn die Ziel-URL HTTPS ist und `HTTP_PROXY` gesetzt ist.
-Damit können Rules auf **Domain + Method + Path-Pattern** matchen:
-```toml
-[[grant_required]]
-domain = "api.github.com"
-path = "/repos/*/issues"
-methods = ["POST"]
-grant_type = "once"           # jeder neue Issue braucht Approval
-[[allow]]
-domain = "api.github.com"
-path = "/repos/*/issues"
-methods = ["GET"]             # Issues lesen immer erlaubt
-```
-## Phasen
-### Phase 1 — MVP (1-2 Tage)
-Ziel: Ein Agent kann nur ins Internet wenn ein Mensch es erlaubt hat.
-- [ ] Application-Level Forward Proxy (TypeScript/Bun)
-- [ ] HTTP + HTTPS Forwarding (Proxy macht TLS zum Ziel)
-- [ ] WebSocket + SSE Support (Grant-Check beim Aufbau, dann Tunnel)
-- [ ] Agent-Auth (JWT Verification via Proxy-Authorization)
-- [ ] Config-Datei (TOML oder JSON)
-- [ ] Deny/Allow/Grant-Required Regeln (Domain + Method + Path-Pattern)
-- [ ] Grant-Check gegen IdP API (`@openape/grants` direkt importiert)
-- [ ] Blocking Grant-Request (warte auf Approval)
-- [ ] Audit-Log (JSONL)
-### Phase 2 — Multi-Agent & Caching (1-2 Tage)
-Ziel: Produktionsreif für mehrere Agents auf einem Server.
-- [ ] Multiple Agent Support (verschiedene Keys, verschiedene Regeln)
-- [ ] Per-Agent Config Profiles
-- [ ] Grant-Caching (Standing Grants + TTL-Grants lokal cachen, kein IdP-Call pro Request)
-- [ ] Connection Pooling (Keep-Alive zu häufig genutzten Upstreams)
-- [ ] Wildcard-Domains + Glob-Patterns in Rules (`*.github.com`, `/repos/*/issues`)
-- [ ] Graceful Shutdown + Auto-Restart
-- [ ] Health Endpoint (`/healthz`)
-- [ ] Systemd / launchd Service Unit
-### Phase 3 — Observability & Compliance (1-2 Tage)
-Ziel: Volle Transparenz über Agent-Aktivität im Web.
-- [ ] Dashboard UI (Nuxt-App oder in IdP integriert)
-  - Welcher Agent nutzt welche Domains
-  - Traffic-Volumen pro Agent/Domain
-  - Grant-Nutzung (wie oft, wann, welche)
-  - Blocked Requests (was wurde verweigert)
-- [ ] Request/Response-Logging (opt-in, für Audit/Compliance)
-- [ ] Body-Hashing (`cmd_hash` über Request-Body für exakte Bindung)
-- [ ] Metrics-Export (Prometheus/OpenTelemetry)
-- [ ] Rate Limiting (pro Agent, pro Domain — Schutz vor Runaway-Agents)
-- [ ] Alerting (Webhook/Telegram wenn Agent ungewöhnlich viele Requests macht)
-### Phase 4 — Ecosystem-Integration
-Ziel: Nahtlose Einbindung in OpenApe und Agent-Runtimes.
-- [ ] `@openape/proxy` npm Package (programmatisch starten/konfigurieren)
-- [ ] Integration mit `escapes` (ein Setup: Proxy + sudo gemeinsam konfiguriert)
-- [ ] OpenClaw Plugin (Proxy automatisch starten wenn Agent startet)
-- [ ] Agent-Runtime SDKs (Python, Go) — für Agents die nicht auf HTTP_PROXY setzen
-- [ ] Auto-Discovery (Agent fragt IdP: "Welche Domains darf ich?" → Config generieren)
-- [ ] Temporary Bypass Token (Admin kann zeitlich begrenzten "Proxy-Skip" geben für Debugging)
-## CLI
-```bash
-# Starten
-openape-proxy --config /etc/openape-proxy/config.toml
-# Test-Modus (loggt nur, blockiert nicht)
-openape-proxy --config config.toml --dry-run
-# Status
-openape-proxy --status
-```
-## Zusammenspiel mit dem Ökosystem
-| Komponente | Rolle |
-|---|---|
-| `openape-proxy` | Kontrolliert ausgehenden Agent-Traffic |
-| `escapes` (openape-escapes) | Kontrolliert lokale Privilege Elevation |
-| `@openape/grants` | Grant-Logik (shared zwischen Proxy und sudo) |
-| `@openape/nuxt-grants` | Web-UI für Grant-Approval |
-| IdP (id.office.or.at) | Zentrale Autorität für Agents + Grants |
-**Zusammen:** Ein Agent kann weder lokal (escapes) noch im Web (proxy) etwas tun, ohne dass ein Mensch es erlaubt hat.