@openclaw/proxyline 0.1.0 → 0.2.0

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## Unreleased
+
+## 0.2.0 - 2026-05-14
+
+- Added ambient Node proxy helper exports and replaced the `proxy-agent` dependency with Proxyline's scoped HTTP/HTTPS Node agent.
+- Added a native Node coverage command and `pnpm check` coverage gates for source lines, branches, and functions.
+- Expanded CI to run the coverage-gated check across Ubuntu, macOS, and Windows on Node 20.18.1, 22, 24, and 26.
+- Hardened ambient proxy routing, CONNECT target validation, undici dispatcher cleanup, and generated package output after the runtime module split.
+- Added managed-mode `bypassPolicy` support so trusted callers can intentionally route selected loopback/control-plane traffic directly while keeping the rest of managed traffic proxied.
+- Stopped versioning generated `dist/` output in git; release and package dry-run flows now build `dist/` during `prepack` and still publish generated JavaScript, declarations, and declaration maps.
+
 ## 0.1.0 - 2026-05-11
 
 - Initial public release of `@openclaw/proxyline` for process-global proxy routing in Node.js.
@@ -12,4 +23,3 @@
 - Added credential-safe proxy authorization handling for proxy URLs with userinfo.
 - Added in-process proxy lab coverage for HTTP, HTTPS, CONNECT, WebSocket, undici/fetch, proxy auth, loopback blocking, HTTPS proxies, TLS preservation, and IPv6 `NO_PROXY`.
 - Added full documentation for getting started, modes, surfaces, API reference, environment variables, proxy TLS, observability, security, troubleshooting, and testing.
-

package/README.md

@@ -1,23 +1,25 @@
 # Proxyline
 
-[![npm](https://img.shields.io/npm/v/@openclaw/proxyline.svg)](https://www.npmjs.com/package/@openclaw/proxyline)
-[![node](https://img.shields.io/node/v/@openclaw/proxyline.svg)](https://nodejs.org/)
-[![license](https://img.shields.io/npm/l/@openclaw/proxyline.svg)](./LICENSE)
+[![npm](https://img.shields.io/npm/v/%40openclaw%2Fproxyline.svg)](https://www.npmjs.com/package/@openclaw/proxyline)
+[![node](https://img.shields.io/node/v/%40openclaw%2Fproxyline.svg)](https://nodejs.org/)
+[![license](https://img.shields.io/npm/l/%40openclaw%2Fproxyline.svg)](./LICENSE)
 
-Process-global proxy routing for Node.js. One install replaces `node:http`, `node:https`, the undici/fetch global dispatcher, and routes WebSocket and explicit HTTP CONNECT traffic through the same policy.
+Process-global proxy routing for Node.js. One install replaces `node:http`, `node:https`, the undici/fetch global dispatcher, and provides WebSocket and explicit HTTP CONNECT helpers for the same policy.
 
 Proxyline exists to make proxy behavior **explicit, observable, and hard to bypass accidentally** — so that "all egress goes through this gateway" is something you encode in code rather than hope for from environment variables.
 
+Proxyline's runtime assurances assume it is installed before application and plugin networking code is loaded. Code that captured networking functions before installation, uses raw sockets, or owns a private/native transport stack is outside the normal Proxyline model.
+
 Website: [proxyline.dev](https://proxyline.dev)
 
 ## Highlights
 
 - **Two modes.** `managed` forces traffic through a configured proxy and fails closed on bad config. `ambient` reads `HTTP_PROXY` / `HTTPS_PROXY` / `ALL_PROXY` / `NO_PROXY` for tooling that needs environment compatibility.
 - **Covers the surfaces that matter.** `http.request`, `http.get`, `https.request`, `https.get`, both global agents, the undici global dispatcher, and helpers for WebSocket agents and HTTP CONNECT sockets.
-- **Replaces caller agents.** In managed mode, a per-request `http.Agent` passed by a library does not bypass the proxy. TLS options on the caller agent (`ca`, `cert`, `key`, `rejectUnauthorized`, …) are preserved so destination TLS still validates.
+- **Replaces caller agents.** In managed mode and active ambient mode, a per-request `http.Agent` passed by a library does not bypass the proxy. TLS options on the caller agent (`ca`, `cert`, `key`, `rejectUnauthorized`, …) are preserved so destination TLS still validates.
 - **Scoped proxy CA trust.** `proxyTls.ca` / `proxyTls.caFile` trust a private CA for the proxy endpoint only — no `NODE_EXTRA_CA_CERTS` and no `NODE_TLS_REJECT_UNAUTHORIZED=0`.
 - **Observable.** `proxy.explain(url)` returns a structured decision (`proxied` / `direct` with a `reason`), and an `onEvent` callback receives `runtime.installed`, `runtime.stopped`, and per-decision events. Proxy URLs are credential-redacted.
-- **Restoreable.** `proxy.stop()` restores the captured Node HTTP(S) methods, global agents, and undici dispatcher. The runtime is a process-wide singleton — a second install throws `RUNTIME_ALREADY_ACTIVE`.
+- **Restoreable.** `proxy.stop()` restores the captured Node HTTP(S) methods, global agents, undici dispatcher, and fetch globals. The runtime is a process-wide singleton — a second install throws `RUNTIME_ALREADY_ACTIVE`.
 
 ## Install
 
@@ -27,7 +29,7 @@ pnpm add @openclaw/proxyline
 npm install @openclaw/proxyline
 ```
 
-Requires Node 20+.
+Requires Node 20.18.1+.
 
 ## Quick start
 
@@ -81,15 +83,29 @@ const socket = await openProxyConnectTunnel({
 });
 ```
 
+### Conditional Node agent
+
+```ts
+import { createAmbientNodeProxyAgent } from "@openclaw/proxyline";
+
+const agent = createAmbientNodeProxyAgent({
+  protocol: "https",
+  proxyTls: { caFile: "/etc/proxy-ca.pem" },
+});
+```
+
+The helper returns `undefined` when ambient proxy env is not configured, so callers can pass an agent only when needed.
+It uses Proxyline's built-in HTTP/HTTPS Node agent, and `proxyTls` applies only to HTTPS proxy endpoints. SOCKS and PAC proxy schemes remain unsupported.
+
 ## Feature matrix
 
 | Surface | Covered | Notes |
 | --- | --- | --- |
 | `http.request` / `http.get` | yes | global method patch + global agent swap |
 | `https.request` / `https.get` | yes | global method patch + global agent swap |
-| `fetch` / undici global dispatcher | yes | `setGlobalDispatcher` |
+| `fetch` / undici global dispatcher | yes | `globalThis.fetch` patch + `setGlobalDispatcher` |
 | WebSocket clients accepting a Node `agent` | yes | `proxy.createWebSocketAgent()` |
-| Caller-built `http.Agent` / `https.Agent` | overridden in managed mode | TLS options preserved |
+| Caller-built `http.Agent` / `https.Agent` | overridden in managed and active ambient mode | TLS options preserved |
 | Explicit HTTP CONNECT socket | yes | `openProxyConnectTunnel()` |
 | Raw `net.connect` / `tls.connect` | no | out of scope, see [Security](./docs/security.md) |
 | Native or private transport stacks | no | out of scope, see [Security](./docs/security.md) |

package/dist/connect.d.ts

@@ -9,6 +9,7 @@ export type OpenProxyConnectTunnelOptions = Readonly<{
     timeoutMs?: number;
 }>;
 type ProxySocket = net.Socket | tls.TLSSocket;
+export declare function formatConnectAuthority(targetHost: string, targetPort: number): string;
 export declare function openProxyConnectTunnel(options: OpenProxyConnectTunnelOptions): Promise<ProxySocket>;
 export {};
 //# sourceMappingURL=connect.d.ts.map

package/dist/connect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../src/connect.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAkB,KAAK,mBAAmB,EAAqC,MAAM,aAAa,CAAC;AAE1G,MAAM,MAAM,6BAA6B,GAAG,QAAQ,CAAC;IACnD,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC;IACvB,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC,CAAC;AAIH,KAAK,WAAW,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC;AA6D9C,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,WAAW,CAAC,CA6GtB"}
+{"version":3,"file":"connect.d.ts","sourceRoot":"","sources":["../src/connect.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAkB,KAAK,mBAAmB,EAAqC,MAAM,aAAa,CAAC;AAE1G,MAAM,MAAM,6BAA6B,GAAG,QAAQ,CAAC;IACnD,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC;IACvB,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC,CAAC;AAMH,KAAK,WAAW,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC;AAsB9C,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAqBrF;AAkDD,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,WAAW,CAAC,CA8GtB"}

package/dist/connect.js

@@ -2,6 +2,8 @@ import net from "node:net";
 import tls from "node:tls";
 import { ProxylineError, redactProxyUrl, resolveProxyTlsCa } from "./shared.js";
 const MAX_CONNECT_RESPONSE_HEADER_BYTES = 16 * 1024;
+const INVALID_CONNECT_AUTHORITY_PATTERN = /[\u0000-\u0020\u007f]/;
+const INVALID_CONNECT_HOST_DELIMITER_PATTERN = /[/:?#@\\]/;
 function resolveProxyHost(proxy) {
     return (proxy.hostname || proxy.host).replace(/^\[|\]$/g, "");
 }
@@ -19,6 +21,27 @@ function resolveProxyAuthorization(proxy) {
     const password = decodeURIComponent(proxy.password);
     return `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`;
 }
+export function formatConnectAuthority(targetHost, targetPort) {
+    if (!Number.isInteger(targetPort) || targetPort < 1 || targetPort > 65_535) {
+        throw new ProxylineError("INVALID_CONNECT_TARGET", `Invalid CONNECT target port: ${targetPort}`);
+    }
+    if (!targetHost || INVALID_CONNECT_AUTHORITY_PATTERN.test(targetHost)) {
+        throw new ProxylineError("INVALID_CONNECT_TARGET", "CONNECT target host is empty or unsafe.");
+    }
+    const unbracketedHost = targetHost.startsWith("[") && targetHost.endsWith("]")
+        ? targetHost.slice(1, -1)
+        : targetHost;
+    if (net.isIP(unbracketedHost) === 6) {
+        return `[${unbracketedHost}]:${targetPort}`;
+    }
+    if (targetHost.includes("[") || targetHost.includes("]")) {
+        throw new ProxylineError("INVALID_CONNECT_TARGET", "CONNECT target host has invalid brackets.");
+    }
+    if (targetHost.includes(":") || INVALID_CONNECT_HOST_DELIMITER_PATTERN.test(targetHost)) {
+        throw new ProxylineError("INVALID_CONNECT_TARGET", "CONNECT target host is not a host name.");
+    }
+    return `${targetHost}:${targetPort}`;
+}
 function connectToProxy(proxy, proxyTls) {
     const host = resolveProxyHost(proxy);
     const connectOptions = {
@@ -40,6 +63,11 @@ function connectToProxy(proxy, proxyTls) {
     }
     throw new ProxylineError("UNSUPPORTED_PROXY_PROTOCOL", `CONNECT tunnels support http:// and https:// proxy endpoints: ${proxy.protocol}`);
 }
+function assertSupportedConnectProxyProtocol(proxy) {
+    if (proxy.protocol !== "http:" && proxy.protocol !== "https:") {
+        throw new ProxylineError("UNSUPPORTED_PROXY_PROTOCOL", `CONNECT tunnels support http:// and https:// proxy endpoints: ${proxy.protocol}`);
+    }
+}
 function writeConnectRequest(socket, proxy, target) {
     const headers = [`CONNECT ${target} HTTP/1.1`, `Host: ${target}`, "Proxy-Connection: Keep-Alive"];
     const authorization = resolveProxyAuthorization(proxy);
@@ -54,7 +82,8 @@ function failConnect(proxy, error) {
 }
 export async function openProxyConnectTunnel(options) {
     const proxy = options.proxyUrl instanceof URL ? new URL(options.proxyUrl.href) : new URL(options.proxyUrl);
-    const target = `${options.targetHost}:${options.targetPort}`;
+    assertSupportedConnectProxyProtocol(proxy);
+    const target = formatConnectAuthority(options.targetHost, options.targetPort);
     return await new Promise((resolve, reject) => {
         let settled = false;
         let responseBuffer = Buffer.alloc(0);

package/dist/env.d.ts

@@ -0,0 +1,12 @@
+import type { ProxyResolver } from "./types.js";
+export type ProxyEnvKey = "HTTP_PROXY" | "HTTPS_PROXY" | "ALL_PROXY" | "NO_PROXY" | "http_proxy" | "https_proxy" | "all_proxy" | "no_proxy";
+type LowerProxyEnvKey = "http_proxy" | "https_proxy" | "all_proxy" | "no_proxy";
+export type ProxyEnvSnapshot = Readonly<Record<ProxyEnvKey, string | undefined>>;
+export declare const EMPTY_PROXY_ENV: ProxyEnvSnapshot;
+export declare function readProxyEnv(): ProxyEnvSnapshot;
+export declare function readProxyEnvValue(env: ProxyEnvSnapshot, key: LowerProxyEnvKey): string | undefined;
+export declare function proxyUrlWithDefaultScheme(proxyUrl: string): string;
+export declare function resolveAmbientProxyForUrl(url: string | URL, env: ProxyEnvSnapshot): string | undefined;
+export declare function createAmbientProxyResolver(env: ProxyEnvSnapshot): ProxyResolver;
+export {};
+//# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,MAAM,MAAM,WAAW,GACnB,YAAY,GACZ,aAAa,GACb,WAAW,GACX,UAAU,GACV,YAAY,GACZ,aAAa,GACb,WAAW,GACX,UAAU,CAAC;AAEf,KAAK,gBAAgB,GAAG,YAAY,GAAG,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;AAEhF,MAAM,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;AAEjF,eAAO,MAAM,eAAe,EAAE,gBAS7B,CAAC;AAEF,wBAAgB,YAAY,IAAI,gBAAgB,CAW/C;AAoBD,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,gBAAgB,EACrB,GAAG,EAAE,gBAAgB,GACpB,MAAM,GAAG,SAAS,CAEpB;AAED,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAElE;AAuHD,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,MAAM,GAAG,GAAG,EACjB,GAAG,EAAE,gBAAgB,GACpB,MAAM,GAAG,SAAS,CAsBpB;AAED,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAmC/E"}

package/dist/env.js

@@ -0,0 +1,202 @@
+import { formatUrl, redactProxyUrl } from "./shared.js";
+export const EMPTY_PROXY_ENV = {
+    HTTP_PROXY: undefined,
+    HTTPS_PROXY: undefined,
+    ALL_PROXY: undefined,
+    NO_PROXY: undefined,
+    http_proxy: undefined,
+    https_proxy: undefined,
+    all_proxy: undefined,
+    no_proxy: undefined,
+};
+export function readProxyEnv() {
+    return {
+        HTTP_PROXY: process.env.HTTP_PROXY,
+        HTTPS_PROXY: process.env.HTTPS_PROXY,
+        ALL_PROXY: process.env.ALL_PROXY,
+        NO_PROXY: process.env.NO_PROXY,
+        http_proxy: process.env.http_proxy,
+        https_proxy: process.env.https_proxy,
+        all_proxy: process.env.all_proxy,
+        no_proxy: process.env.no_proxy,
+    };
+}
+function normalizeEnvValue(value) {
+    const trimmed = value?.trim();
+    return trimmed ? trimmed : undefined;
+}
+function upperProxyEnvKey(key) {
+    switch (key) {
+        case "http_proxy":
+            return "HTTP_PROXY";
+        case "https_proxy":
+            return "HTTPS_PROXY";
+        case "all_proxy":
+            return "ALL_PROXY";
+        case "no_proxy":
+            return "NO_PROXY";
+    }
+}
+export function readProxyEnvValue(env, key) {
+    return normalizeEnvValue(env[key]) ?? normalizeEnvValue(env[upperProxyEnvKey(key)]);
+}
+export function proxyUrlWithDefaultScheme(proxyUrl) {
+    return proxyUrl.includes("://") ? proxyUrl : `http://${proxyUrl}`;
+}
+function normalizeAmbientProxyUrl(proxyUrl) {
+    if (proxyUrl === undefined) {
+        return undefined;
+    }
+    try {
+        const url = new URL(proxyUrlWithDefaultScheme(proxyUrl));
+        return url.protocol === "http:" || url.protocol === "https:" ? url.href : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function defaultPort(protocol) {
+    if (protocol === "http:" || protocol === "ws:") {
+        return 80;
+    }
+    if (protocol === "https:" || protocol === "wss:") {
+        return 443;
+    }
+    return 0;
+}
+function matchesNoProxy(url, env) {
+    const rawNoProxy = readProxyEnvValue(env, "no_proxy")?.toLowerCase();
+    if (!rawNoProxy) {
+        return false;
+    }
+    if (rawNoProxy === "*") {
+        return true;
+    }
+    const hostname = normalizeNoProxyHost(url.hostname);
+    const port = Number.parseInt(url.port, 10) || defaultPort(url.protocol);
+    for (const rawEntry of rawNoProxy.split(/[,\s]/)) {
+        if (!rawEntry) {
+            continue;
+        }
+        const { host: parsedHost, port: entryPort } = parseNoProxyEntry(rawEntry);
+        let entryHost = normalizeNoProxyHost(parsedHost);
+        if (entryPort && entryPort !== port) {
+            continue;
+        }
+        if (!/^[.*]/.test(entryHost)) {
+            if (hostname === entryHost) {
+                return true;
+            }
+            continue;
+        }
+        if (entryHost.startsWith("*")) {
+            entryHost = entryHost.slice(1);
+        }
+        if (entryHost.startsWith(".") &&
+            (hostname === entryHost.slice(1) || hostname.endsWith(entryHost))) {
+            return true;
+        }
+        if (!entryHost.startsWith(".") && hostname.endsWith(entryHost)) {
+            return true;
+        }
+    }
+    return false;
+}
+function normalizeNoProxyHost(hostname) {
+    const normalized = hostname.trim().toLowerCase().replace(/\.+$/, "");
+    return normalized.startsWith("[") && normalized.endsWith("]")
+        ? normalized.slice(1, -1)
+        : normalized;
+}
+function parseNoProxyEntry(entry) {
+    const bracketedIpv6 = entry.match(/^\[([^\]]+)\](?::(\d+))?$/);
+    if (bracketedIpv6) {
+        return {
+            host: bracketedIpv6[1] ?? "",
+            port: bracketedIpv6[2] ? Number.parseInt(bracketedIpv6[2], 10) : 0,
+        };
+    }
+    const lastColon = entry.lastIndexOf(":");
+    const hasSingleColon = lastColon !== -1 && entry.indexOf(":") === lastColon;
+    if (hasSingleColon) {
+        const possiblePort = entry.slice(lastColon + 1);
+        if (/^\d+$/.test(possiblePort)) {
+            return {
+                host: entry.slice(0, lastColon),
+                port: Number.parseInt(possiblePort, 10),
+            };
+        }
+    }
+    return { host: entry, port: 0 };
+}
+function proxyEnvKeyForProtocol(protocol) {
+    if (protocol === "http:" || protocol === "ws:") {
+        return "http_proxy";
+    }
+    if (protocol === "https:" || protocol === "wss:") {
+        return "https_proxy";
+    }
+    return undefined;
+}
+function supportsProxyForUrlProtocol(protocol) {
+    return protocol === "http:" || protocol === "https:" || protocol === "ws:" || protocol === "wss:";
+}
+function resolveAmbientProxyEnvValue(env, key) {
+    return normalizeAmbientProxyUrl(readProxyEnvValue(env, key));
+}
+export function resolveAmbientProxyForUrl(url, env) {
+    let parsedUrl;
+    try {
+        parsedUrl = url instanceof URL ? new URL(url.href) : new URL(url);
+    }
+    catch {
+        return undefined;
+    }
+    const protocol = parsedUrl.protocol;
+    if (!supportsProxyForUrlProtocol(protocol)) {
+        return undefined;
+    }
+    if (matchesNoProxy(parsedUrl, env)) {
+        return undefined;
+    }
+    const protocolProxyKey = proxyEnvKeyForProtocol(protocol);
+    if (protocolProxyKey === undefined) {
+        return undefined;
+    }
+    return (resolveAmbientProxyEnvValue(env, protocolProxyKey) ??
+        resolveAmbientProxyEnvValue(env, "all_proxy"));
+}
+export function createAmbientProxyResolver(env) {
+    const configuredProxy = resolveAmbientProxyEnvValue(env, "http_proxy") ??
+        resolveAmbientProxyEnvValue(env, "https_proxy") ??
+        resolveAmbientProxyEnvValue(env, "all_proxy");
+    return {
+        active: configuredProxy !== undefined,
+        describeProxy: () => configuredProxy
+            ? redactProxyUrl(proxyUrlWithDefaultScheme(configuredProxy))
+            : undefined,
+        explain: (url, surface) => {
+            const formattedUrl = formatUrl(url);
+            const parsedUrl = new URL(formattedUrl);
+            const proxyUrl = resolveAmbientProxyForUrl(formattedUrl, env);
+            if (proxyUrl !== undefined) {
+                return {
+                    kind: "proxied",
+                    reason: "ambient-proxy-active",
+                    surface,
+                    url: formattedUrl,
+                    proxyUrl: redactProxyUrl(proxyUrl),
+                };
+            }
+            return {
+                kind: "direct",
+                reason: supportsProxyForUrlProtocol(parsedUrl.protocol) && matchesNoProxy(parsedUrl, env)
+                    ? "no-proxy-match"
+                    : "ambient-proxy-not-configured",
+                surface,
+                url: formattedUrl,
+            };
+        },
+        getProxyForUrl: (url) => resolveAmbientProxyForUrl(url, env) ?? "",
+    };
+}

package/dist/index.d.ts

@@ -1,52 +1,6 @@
-import http from "node:http";
-import { type Dispatcher } from "undici";
-import { type ProxylineTlsOptions } from "./shared.js";
-export { ProxylineError, redactProxyUrl, resolveProxyTlsCa, type ProxylineTlsOptions, } from "./shared.js";
 export { openProxyConnectTunnel, type OpenProxyConnectTunnelOptions } from "./connect.js";
-export type ProxylineMode = "managed" | "ambient";
-export type ProxylineSurface = "node-http" | "node-https" | "undici" | "websocket" | "connect" | "unknown";
-export type ProxylineOptions = Readonly<{
-    mode: ProxylineMode;
-    proxyUrl?: string | URL;
-    proxyTls?: ProxylineTlsOptions;
-    onEvent?: (event: ProxylineEvent) => void;
-}>;
-export type ProxylineDecision = Readonly<{
-    kind: "proxied" | "direct" | "blocked";
-    reason: string;
-    surface: ProxylineSurface;
-    url: string;
-    proxyUrl?: string;
-}>;
-export type ProxylineEvent = Readonly<{
-    type: "runtime.installed";
-    mode: ProxylineMode;
-    active: boolean;
-    proxyUrl?: string;
-}> | Readonly<{
-    type: "runtime.stopped";
-    mode: ProxylineMode;
-}> | Readonly<{
-    type: "decision";
-    decision: ProxylineDecision;
-}> | Readonly<{
-    type: "warning";
-    code: string;
-    message: string;
-}>;
-export type ExplainOptions = Readonly<{
-    surface?: ProxylineSurface;
-}>;
-export type ProxylineHandle = Readonly<{
-    mode: ProxylineMode;
-    active: boolean;
-    proxyUrl?: string;
-    createNodeAgent: () => http.Agent;
-    createUndiciDispatcher: () => Dispatcher;
-    createWebSocketAgent: () => http.Agent;
-    explain: (url: string | URL, options?: ExplainOptions) => ProxylineDecision;
-    stop: () => void;
-}>;
-export declare function installProxyline(options: ProxylineOptions): ProxylineHandle;
-export declare const installGlobalProxy: typeof installProxyline;
+export { createAmbientNodeProxyAgent, hasAmbientNodeProxyConfigured, type AmbientNodeProxyAgentOptions, } from "./node-http.js";
+export { installGlobalProxy, installProxyline } from "./runtime.js";
+export { ProxylineError, redactProxyUrl, resolveProxyTlsCa, type ProxylineTlsOptions, } from "./shared.js";
+export type { ExplainOptions, ProxylineBypassPolicy, ProxylineBypassRequest, ProxylineDecision, ProxylineEvent, ProxylineHandle, ProxylineMode, ProxylineOptions, ProxylineSurface, } from "./types.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,OAAO,EAEL,KAAK,UAAU,EAKhB,MAAM,QAAQ,CAAC;AAChB,OAAO,EAIL,KAAK,mBAAmB,EACzB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,KAAK,mBAAmB,GACzB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,sBAAsB,EAAE,KAAK,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAE1F,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,SAAS,CAAC;AAElD,MAAM,MAAM,gBAAgB,GACxB,WAAW,GACX,YAAY,GACZ,QAAQ,GACR,WAAW,GACX,SAAS,GACT,SAAS,CAAC;AAEd,MAAM,MAAM,gBAAgB,GAAG,QAAQ,CAAC;IACtC,IAAI,EAAE,aAAa,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC;IACxB,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,IAAI,CAAC;CAC3C,CAAC,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,QAAQ,CAAC;IACvC,IAAI,EAAE,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,gBAAgB,CAAC;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,CAAC;AAEH,MAAM,MAAM,cAAc,GACtB,QAAQ,CAAC;IACP,IAAI,EAAE,mBAAmB,CAAC;IAC1B,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC,GACF,QAAQ,CAAC;IACP,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,aAAa,CAAC;CACrB,CAAC,GACF,QAAQ,CAAC;IACP,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,iBAAiB,CAAC;CAC7B,CAAC,GACF,QAAQ,CAAC;IACP,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC,CAAC;AAEP,MAAM,MAAM,cAAc,GAAG,QAAQ,CAAC;IACpC,OAAO,CAAC,EAAE,gBAAgB,CAAC;CAC5B,CAAC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,QAAQ,CAAC;IACrC,IAAI,EAAE,aAAa,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,IAAI,CAAC,KAAK,CAAC;IAClC,sBAAsB,EAAE,MAAM,UAAU,CAAC;IACzC,oBAAoB,EAAE,MAAM,IAAI,CAAC,KAAK,CAAC;IACvC,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,OAAO,CAAC,EAAE,cAAc,KAAK,iBAAiB,CAAC;IAC5E,IAAI,EAAE,MAAM,IAAI,CAAC;CAClB,CAAC,CAAC;AAsjBH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,gBAAgB,GAAG,eAAe,CAmF3E;AAED,eAAO,MAAM,kBAAkB,yBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,KAAK,6BAA6B,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,KAAK,4BAA4B,GAClC,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EACL,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,KAAK,mBAAmB,GACzB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}