@undefineds.co/xpod 0.1.7 → 0.2.0

package/dist/runtime/Proxy.js

@@ -6,7 +6,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.GatewayProxy = void 0;
 const http_proxy_1 = __importDefault(require("http-proxy"));
 const http_1 = __importDefault(require("http"));
+const net_1 = __importDefault(require("net"));
 const global_logger_factory_1 = require("global-logger-factory");
+const socket_utils_1 = require("./socket-utils");
 // CORS configuration matching CSS CorsHandler defaults
 const CORS_CONFIG = {
     methods: ['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE'],
@@ -22,12 +24,16 @@ const CORS_CONFIG = {
     ],
 };
 class GatewayProxy {
-    constructor(port, supervisor, bindHost = '0.0.0.0') {
+    constructor(port, supervisor, bindHost = '0.0.0.0', options = {}) {
         this.port = port;
         this.supervisor = supervisor;
         this.bindHost = bindHost;
         this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
         this.targets = {};
+        this.socketPath = options.socketPath;
+        this.exitOnStop = options.exitOnStop ?? false;
+        this.shutdownHandler = options.shutdownHandler;
+        this.baseUrl = options.baseUrl;
         this.proxy = http_proxy_1.default.createProxyServer({
             xfwd: true,
         });
@@ -38,15 +44,32 @@ class GatewayProxy {
                 res.end(JSON.stringify({ error: 'Service Unavailable', details: err.message }));
             }
         });
+        this.proxy.on('proxyRes', (proxyRes, req, res) => {
+            const interceptedRequest = req;
+            const outgoing = res;
+            if (!interceptedRequest.__xpodInspectRootMutation || !outgoing || outgoing.headersSent) {
+                return;
+            }
+            const chunks = [];
+            proxyRes.on('data', (chunk) => {
+                chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+            });
+            proxyRes.on('end', () => {
+                const originalBody = Buffer.concat(chunks);
+                const rewritten = this.normalizeRootMutationProxyResponse(proxyRes, originalBody);
+                outgoing.writeHead(rewritten.statusCode, rewritten.headers);
+                outgoing.end(rewritten.body);
+            });
+        });
         this.server = http_1.default.createServer(this.handleRequest.bind(this));
         this.server.on('upgrade', (req, socket, head) => {
             const url = req.url ?? '/';
             // Route /ws/* WebSocket connections to API server
             if (url.startsWith('/ws/') && this.targets.api) {
-                this.proxy.ws(req, socket, head, { target: this.targets.api });
+                this.proxy.ws(req, socket, head, { target: this.toProxyTarget(this.targets.api) });
             }
             else if (this.targets.css) {
-                this.proxy.ws(req, socket, head, { target: this.targets.css });
+                this.proxy.ws(req, socket, head, { target: this.toProxyTarget(this.targets.css) });
             }
             else {
                 socket.destroy();
@@ -54,17 +77,41 @@ class GatewayProxy {
         });
     }
     setTargets(targets) {
-        this.targets = targets;
+        this.targets = {
+            css: this.normalizeTarget(targets.css),
+            api: this.normalizeTarget(targets.api),
+        };
     }
-    start() {
-        this.server.listen(this.port, this.bindHost, () => {
-            this.logger.info(`Listening on http://${this.bindHost}:${this.port}`);
+    async start() {
+        return new Promise((resolve, reject) => {
+            this.server.once('error', reject);
+            if (this.socketPath) {
+                (0, socket_utils_1.prepareSocketPath)(this.socketPath);
+                this.server.listen(this.socketPath, () => {
+                    this.logger.info(`Listening on unix://${this.socketPath}`);
+                    resolve();
+                });
+                return;
+            }
+            this.server.listen(this.port, this.bindHost, () => {
+                this.logger.info(`Listening on http://${this.bindHost}:${this.port}`);
+                resolve();
+            });
         });
     }
     stop() {
         return new Promise((resolve, reject) => {
             this.proxy.close();
-            this.server.close((err) => (err ? reject(err) : resolve()));
+            this.server.close((err) => {
+                if (err) {
+                    reject(err);
+                    return;
+                }
+                if (this.socketPath) {
+                    (0, socket_utils_1.removeSocketPath)(this.socketPath);
+                }
+                resolve();
+            });
         });
     }
     handleRequest(req, res) {
@@ -73,7 +120,7 @@ class GatewayProxy {
         // Store original host for x-forwarded-host before any rewrites
         const originalHost = req.headers.host;
         // Set x-forwarded-proto based on CSS_BASE_URL
-        const baseUrl = process.env.CSS_BASE_URL || '';
+        const baseUrl = this.baseUrl ?? process.env.CSS_BASE_URL ?? '';
         if (baseUrl.startsWith('https')) {
             req.headers['x-forwarded-proto'] = 'https';
         }
@@ -109,22 +156,65 @@ class GatewayProxy {
         // 2. API Server Routing (/v1 or /api)
         // 2a. Dashboard UI is served by API server under /dashboard/*
         if ((url === '/dashboard' || url.startsWith('/dashboard/')) && this.targets.api) {
-            this.proxy.web(req, res, { target: this.targets.api });
+            this.proxy.web(req, res, { target: this.toProxyTarget(this.targets.api) });
             return;
         }
-        if ((url.startsWith('/v1/') || url.startsWith('/api/')) && this.targets.api) {
-            this.proxy.web(req, res, { target: this.targets.api });
+        if ((url.startsWith('/v1/') || url.startsWith('/api/') || url.startsWith('/provision/')) && this.targets.api) {
+            this.proxy.web(req, res, { target: this.toProxyTarget(this.targets.api) });
             return;
         }
         // 3. CSS Routing (Default)
         if (this.targets.css) {
-            this.proxy.web(req, res, { target: this.targets.css });
+            const interceptedRequest = req;
+            interceptedRequest.__xpodInspectRootMutation = this.shouldInspectRootMutation(req);
+            this.proxy.web(req, res, {
+                target: this.toProxyTarget(this.targets.css),
+                ...(interceptedRequest.__xpodInspectRootMutation ? { selfHandleResponse: true } : {}),
+            });
         }
         else {
             res.writeHead(503);
             res.end('CSS Service Not Available');
         }
     }
+    shouldInspectRootMutation(req) {
+        const method = (req.method ?? 'GET').toUpperCase();
+        if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+            return false;
+        }
+        const pathname = new URL(req.url ?? '/', 'http://localhost').pathname;
+        const segments = pathname.split('/').filter(Boolean);
+        return segments.length === 1 && !segments[0].startsWith('.');
+    }
+    normalizeRootMutationProxyResponse(proxyRes, body) {
+        const headers = { ...proxyRes.headers };
+        const statusCode = proxyRes.statusCode ?? 500;
+        const contentType = typeof proxyRes.headers['content-type'] === 'string'
+            ? proxyRes.headers['content-type']
+            : Array.isArray(proxyRes.headers['content-type'])
+                ? proxyRes.headers['content-type'][0] ?? ''
+                : '';
+        const bodyText = contentType.includes('application/json') ? body.toString('utf8') : '';
+        if (statusCode === 500 &&
+            bodyText.includes('Cannot obtain the parent of') &&
+            bodyText.includes('because it is a root container')) {
+            const normalizedBody = Buffer.from(JSON.stringify({
+                name: 'ForbiddenHttpError',
+                message: 'Write to server root is not allowed.',
+                statusCode: 403,
+                errorCode: 'H403',
+                details: { cause: 'root-container-write' },
+            }));
+            delete headers['content-length'];
+            delete headers['transfer-encoding'];
+            headers['content-type'] = 'application/json';
+            headers['content-length'] = String(normalizedBody.byteLength);
+            return { statusCode: 403, headers, body: normalizedBody };
+        }
+        delete headers['transfer-encoding'];
+        headers['content-length'] = String(body.byteLength);
+        return { statusCode, headers, body };
+    }
     handleCorsPreflightRequest(res, origin) {
         this.addCorsHeaders(res, origin);
         res.writeHead(204);
@@ -170,7 +260,14 @@ class GatewayProxy {
             if (pathname === '/service/stop' && req.method === 'POST') {
                 res.writeHead(200, { 'Content-Type': 'application/json' });
                 res.end(JSON.stringify({ ok: true }));
-                setImmediate(() => this.supervisor.stopAll().then(() => process.exit(0)));
+                setImmediate(() => {
+                    const shutdown = this.shutdownHandler ?? (() => this.supervisor.stopAll());
+                    void shutdown().then(() => {
+                        if (this.exitOnStop) {
+                            process.exit(0);
+                        }
+                    });
+                });
                 return;
             }
             res.writeHead(404);
@@ -189,33 +286,55 @@ class GatewayProxy {
             return true;
         }
         try {
-            // NOTE: CSS is configured with public `baseUrl` pointing at the gateway,
-            // so probing the internal CSS port can fail identifier-space checks.
-            // We probe through the gateway itself to mirror real client traffic.
-            const gatewayBase = `http://127.0.0.1:${this.port}/`;
-            const candidates = [
-                // CSS OIDC lives under /.oidc/*
-                new URL('.oidc/.well-known/openid-configuration', gatewayBase).toString(),
-                // Some deployments expose the well-known at root
-                new URL('.well-known/openid-configuration', gatewayBase).toString(),
-            ];
-            for (const probeUrl of candidates) {
-                try {
-                    const response = await fetch(probeUrl, { signal: AbortSignal.timeout(1500) });
-                    if (response.ok) {
-                        return true;
-                    }
-                }
-                catch {
-                    // Try next candidate.
-                }
+            const cssTarget = this.targets.css;
+            const socketPath = cssTarget.socketPath;
+            if (socketPath) {
+                return await new Promise((resolve) => {
+                    const socket = new net_1.default.Socket();
+                    socket.setTimeout(1500);
+                    socket.once('connect', () => { socket.destroy(); resolve(true); });
+                    socket.once('error', () => { socket.destroy(); resolve(false); });
+                    socket.once('timeout', () => { socket.destroy(); resolve(false); });
+                    socket.connect(socketPath);
+                });
             }
-            return false;
+            // TCP connect to the CSS internal port to check if it's listening.
+            // HTTP probes fail because CSS enforces identifier-space checks and
+            // the internal port differs from the public CSS_BASE_URL port.
+            const url = new URL(cssTarget.url);
+            const port = parseInt(url.port || '80', 10);
+            const host = url.hostname;
+            return await new Promise((resolve) => {
+                const socket = new net_1.default.Socket();
+                socket.setTimeout(1500);
+                socket.once('connect', () => { socket.destroy(); resolve(true); });
+                socket.once('error', () => { socket.destroy(); resolve(false); });
+                socket.once('timeout', () => { socket.destroy(); resolve(false); });
+                socket.connect(port, host);
+            });
         }
         catch {
             return false;
         }
     }
+    normalizeTarget(target) {
+        if (!target) {
+            return undefined;
+        }
+        if (typeof target === 'string') {
+            return { url: target };
+        }
+        return target;
+    }
+    toProxyTarget(target) {
+        if (target.socketPath) {
+            return {
+                socketPath: target.socketPath,
+                protocol: 'http:',
+            };
+        }
+        return target.url;
+    }
 }
 exports.GatewayProxy = GatewayProxy;
 //# sourceMappingURL=Proxy.js.map

package/dist/runtime/Proxy.js.map

@@ -1 +1 @@
-{"version":3,"file":"Proxy.js","sourceRoot":"","sources":["../../src/runtime/Proxy.ts"],"names":[],"mappings":";;;;;;AAAA,4DAAmC;AACnC,gDAAwB;AACxB,iEAAqD;AAGrD,uDAAuD;AACvD,MAAM,WAAW,GAAG;IAClB,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC;IACrE,WAAW,EAAE,IAAI;IACjB,cAAc,EAAE;QACd,eAAe,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ;QAC3D,kBAAkB,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM;KAChE;IACD,cAAc,EAAE;QACd,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,OAAO,EAAE,eAAe;QACrE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa;QAC1D,WAAW,EAAE,kBAAkB,EAAE,cAAc;KAChD;CACF,CAAC;AAEF,MAAa,YAAY;IAMvB,YAAoB,IAAY,EAAU,UAAsB,EAAU,WAAW,SAAS;QAA1E,SAAI,GAAJ,IAAI,CAAQ;QAAU,eAAU,GAAV,UAAU,CAAY;QAAU,aAAQ,GAAR,QAAQ,CAAY;QAL7E,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAGrC,YAAO,GAAmC,EAAE,CAAC;QAGnD,IAAI,CAAC,KAAK,GAAG,oBAAS,CAAC,iBAAiB,CAAC;YACvC,IAAI,EAAE,IAAI;SACX,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;YACxC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;YACvC,IAAI,GAAG,IAAI,WAAW,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAClD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAClF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,GAAG,cAAI,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAE/D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;YAC9C,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;YAE3B,kDAAkD;YAClD,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC/C,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YACjE,CAAC;iBAAM,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC5B,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YACjE,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEM,UAAU,CAAC,OAAuC;QACvD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAEM,KAAK;QACV,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE;YAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC;IAEM,IAAI;QACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,aAAa,CAAC,GAAyB,EAAE,GAAwB;QACvE,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;QAC3B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QAElC,+DAA+D;QAC/D,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;QAEtC,8CAA8C;QAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC;QAC7C,CAAC;QAED,+DAA+D;QAC/D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;gBACvC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC;gBACtC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACrC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,YAAY,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC5C,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,YAAY,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,sBAAsB,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,qBAAqB,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,SAAS,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAC1J,CAAC;QAEF,gCAAgC;QAChC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7B,IAAI,CAAC,0BAA0B,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YACD,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACnC,CAAC;YACD,KAAK,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QAED,sCAAsC;QAEtC,8DAA8D;QAC9D,IAAI,CAAC,GAAG,KAAK,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAChF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC5E,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,2BAA2B;QAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACrB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAEO,0BAA0B,CAChC,GAAwB,EACxB,MAA0B;QAE1B,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,GAAwB,EAAE,MAA0B;QACzE,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC;QAC5D,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;QACnF,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9E,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACrF,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACxF,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,GAAyB,EAAE,GAAwB;QACjF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAEjC,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;gBACnC,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;gBAC9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;gBACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC5D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACjC,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC;gBAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;gBAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACpD,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAEhE,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;oBACnC,KAAK;oBACL,MAAM;oBACN,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAe,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;iBAC5D,CAAC,CAAC;gBAEH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,KAAK,eAAe,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gBACtC,YAAY,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1E,OAAO;YACT,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,yEAAyE;YACzE,qEAAqE;YACrE,qEAAqE;YACrE,MAAM,WAAW,GAAG,oBAAoB,IAAI,CAAC,IAAI,GAAG,CAAC;YACrD,MAAM,UAAU,GAAG;gBACjB,gCAAgC;gBAChC,IAAI,GAAG,CAAC,wCAAwC,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE;gBACzE,iDAAiD;gBACjD,IAAI,GAAG,CAAC,kCAAkC,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE;aACpE,CAAC;YAEF,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;gBAClC,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBAC9E,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;wBAChB,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,sBAAsB;gBACxB,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AA9ND,oCA8NC","sourcesContent":["import httpProxy from 'http-proxy';\nimport http from 'http';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { Supervisor } from '../supervisor/Supervisor';\n\n// CORS configuration matching CSS CorsHandler defaults\nconst CORS_CONFIG = {\n  methods: ['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE'],\n  credentials: true,\n  allowedHeaders: [\n    'Authorization', 'Content-Type', 'Accept', 'DPoP', 'Origin',\n    'X-Requested-With', 'If-Match', 'If-None-Match', 'Slug', 'Link',\n  ],\n  exposedHeaders: [\n    'Accept-Patch', 'Accept-Post', 'Accept-Put', 'Allow', 'Content-Range',\n    'ETag', 'Last-Modified', 'Link', 'Location', 'Updates-Via',\n    'WAC-Allow', 'Www-Authenticate', 'X-Request-Id',\n  ],\n};\n\nexport class GatewayProxy {\n  private readonly logger = getLoggerFor(this);\n  private proxy: httpProxy;\n  private server: http.Server;\n  private targets: { css?: string; api?: string } = {};\n\n  constructor(private port: number, private supervisor: Supervisor, private bindHost = '0.0.0.0') {\n    this.proxy = httpProxy.createProxyServer({\n      xfwd: true,\n    });\n\n    this.proxy.on('error', (err, _req, res) => {\n      this.logger.error('Proxy error:', err);\n      if (res && 'writeHead' in res && !res.headersSent) {\n        res.writeHead(502, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify({ error: 'Service Unavailable', details: err.message }));\n      }\n    });\n\n    this.server = http.createServer(this.handleRequest.bind(this));\n\n    this.server.on('upgrade', (req, socket, head) => {\n      const url = req.url ?? '/';\n\n      // Route /ws/* WebSocket connections to API server\n      if (url.startsWith('/ws/') && this.targets.api) {\n        this.proxy.ws(req, socket, head, { target: this.targets.api });\n      } else if (this.targets.css) {\n        this.proxy.ws(req, socket, head, { target: this.targets.css });\n      } else {\n        socket.destroy();\n      }\n    });\n  }\n\n  public setTargets(targets: { css?: string; api?: string }): void {\n    this.targets = targets;\n  }\n\n  public start(): void {\n    this.server.listen(this.port, this.bindHost, () => {\n      this.logger.info(`Listening on http://${this.bindHost}:${this.port}`);\n    });\n  }\n\n  public stop(): Promise<void> {\n    return new Promise((resolve, reject) => {\n      this.proxy.close();\n      this.server.close((err) => (err ? reject(err) : resolve()));\n    });\n  }\n\n  private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {\n    const url = req.url ?? '/';\n    const origin = req.headers.origin;\n\n    // Store original host for x-forwarded-host before any rewrites\n    const originalHost = req.headers.host;\n\n    // Set x-forwarded-proto based on CSS_BASE_URL\n    const baseUrl = process.env.CSS_BASE_URL || '';\n    if (baseUrl.startsWith('https')) {\n      req.headers['x-forwarded-proto'] = 'https';\n    }\n\n    // Rewrite Host header to match CSS_BASE_URL for proper routing\n    if (baseUrl) {\n      try {\n        const parsedBaseUrl = new URL(baseUrl);\n        req.headers.host = parsedBaseUrl.host;\n        req.headers['x-forwarded-host'] = parsedBaseUrl.host;\n      } catch {\n        if (!req.headers['x-forwarded-host']) {\n          req.headers['x-forwarded-host'] = originalHost;\n        }\n      }\n    } else if (!req.headers['x-forwarded-host']) {\n      req.headers['x-forwarded-host'] = originalHost;\n    }\n\n    this.logger.debug(\n      `${req.method} ${url} x-forwarded-proto=${req.headers['x-forwarded-proto']} x-forwarded-host=${req.headers['x-forwarded-host']} host=${req.headers.host}`,\n    );\n\n    // 1. Internal service endpoints\n    if (url.startsWith('/service/')) {\n      if (req.method === 'OPTIONS') {\n        this.handleCorsPreflightRequest(res, origin);\n        return;\n      }\n      if (origin) {\n        this.addCorsHeaders(res, origin);\n      }\n      void this.handleInternalApi(req, res);\n      return;\n    }\n\n    // 2. API Server Routing (/v1 or /api)\n\n    // 2a. Dashboard UI is served by API server under /dashboard/*\n    if ((url === '/dashboard' || url.startsWith('/dashboard/')) && this.targets.api) {\n      this.proxy.web(req, res, { target: this.targets.api });\n      return;\n    }\n\n    if ((url.startsWith('/v1/') || url.startsWith('/api/')) && this.targets.api) {\n      this.proxy.web(req, res, { target: this.targets.api });\n      return;\n    }\n\n    // 3. CSS Routing (Default)\n    if (this.targets.css) {\n      this.proxy.web(req, res, { target: this.targets.css });\n    } else {\n      res.writeHead(503);\n      res.end('CSS Service Not Available');\n    }\n  }\n\n  private handleCorsPreflightRequest(\n    res: http.ServerResponse,\n    origin: string | undefined,\n  ): void {\n    this.addCorsHeaders(res, origin);\n    res.writeHead(204);\n    res.end();\n  }\n\n  /**\n   * Add CORS headers matching CSS CorsHandler configuration\n   */\n  private addCorsHeaders(res: http.ServerResponse, origin: string | undefined): void {\n    res.setHeader('Access-Control-Allow-Origin', origin || '*');\n    res.setHeader('Access-Control-Allow-Credentials', String(CORS_CONFIG.credentials));\n    res.setHeader('Access-Control-Allow-Methods', CORS_CONFIG.methods.join(', '));\n    res.setHeader('Access-Control-Allow-Headers', CORS_CONFIG.allowedHeaders.join(', '));\n    res.setHeader('Access-Control-Expose-Headers', CORS_CONFIG.exposedHeaders.join(', '));\n  }\n\n  private async handleInternalApi(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {\n    try {\n      const reqUrl = req.url ?? '/';\n      const parsed = new URL(reqUrl, 'http://localhost');\n      const pathname = parsed.pathname;\n\n      if (pathname === '/service/status') {\n        const status = this.supervisor.getAllStatus();\n        const cssReady = await this.isCssReady();\n        const code = cssReady ? 200 : 503;\n        res.writeHead(code, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify(status));\n        return;\n      }\n\n      if (pathname === '/service/logs') {\n        const level = parsed.searchParams.get('level') ?? undefined;\n        const source = parsed.searchParams.get('source') ?? undefined;\n        const limitValue = parsed.searchParams.get('limit');\n        const limit = limitValue ? parseInt(limitValue, 10) : undefined;\n\n        const logs = this.supervisor.getLogs({\n          level,\n          source,\n          limit: Number.isFinite(limit as number) ? limit : undefined,\n        });\n\n        res.writeHead(200, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify(logs));\n        return;\n      }\n\n      if (pathname === '/service/stop' && req.method === 'POST') {\n        res.writeHead(200, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify({ ok: true }));\n        setImmediate(() => this.supervisor.stopAll().then(() => process.exit(0)));\n        return;\n      }\n\n      res.writeHead(404);\n      res.end('Not Found');\n    } catch (error) {\n      this.logger.error('Internal service endpoint failed:', error);\n      if (!res.headersSent) {\n        res.writeHead(500, { 'Content-Type': 'application/json' });\n      }\n      res.end(JSON.stringify({ error: 'Internal Server Error' }));\n    }\n  }\n\n  private async isCssReady(): Promise<boolean> {\n    if (!this.targets.css) {\n      return true;\n    }\n\n    try {\n      // NOTE: CSS is configured with public `baseUrl` pointing at the gateway,\n      // so probing the internal CSS port can fail identifier-space checks.\n      // We probe through the gateway itself to mirror real client traffic.\n      const gatewayBase = `http://127.0.0.1:${this.port}/`;\n      const candidates = [\n        // CSS OIDC lives under /.oidc/*\n        new URL('.oidc/.well-known/openid-configuration', gatewayBase).toString(),\n        // Some deployments expose the well-known at root\n        new URL('.well-known/openid-configuration', gatewayBase).toString(),\n      ];\n\n      for (const probeUrl of candidates) {\n        try {\n          const response = await fetch(probeUrl, { signal: AbortSignal.timeout(1500) });\n          if (response.ok) {\n            return true;\n          }\n        } catch {\n          // Try next candidate.\n        }\n      }\n\n      return false;\n    } catch {\n      return false;\n    }\n  }\n}\n"]}
+{"version":3,"file":"Proxy.js","sourceRoot":"","sources":["../../src/runtime/Proxy.ts"],"names":[],"mappings":";;;;;;AAAA,4DAAmC;AACnC,gDAAwB;AACxB,8CAAsB;AACtB,iEAAqD;AAErD,iDAAqE;AAIrE,uDAAuD;AACvD,MAAM,WAAW,GAAG;IAClB,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC;IACrE,WAAW,EAAE,IAAI;IACjB,cAAc,EAAE;QACd,eAAe,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ;QAC3D,kBAAkB,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM;KAChE;IACD,cAAc,EAAE;QACd,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,OAAO,EAAE,eAAe;QACrE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa;QAC1D,WAAW,EAAE,kBAAkB,EAAE,cAAc;KAChD;CACF,CAAC;AAEF,MAAa,YAAY;IAUvB,YACU,IAAwB,EACxB,UAAsB,EACtB,WAAW,SAAS,EAC5B,UAA+B,EAAE;QAHzB,SAAI,GAAJ,IAAI,CAAoB;QACxB,eAAU,GAAV,UAAU,CAAY;QACtB,aAAQ,GAAR,QAAQ,CAAY;QAZb,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAGrC,YAAO,GAA2D,EAAE,CAAC;QAY3E,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;QAC9C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,oBAAS,CAAC,iBAAiB,CAAC;YACvC,IAAI,EAAE,IAAI;SACX,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;YACxC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;YACvC,IAAI,GAAG,IAAI,WAAW,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAClD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAClF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;YAC/C,MAAM,kBAAkB,GAAG,GAAyB,CAAC;YACrD,MAAM,QAAQ,GAAG,GAA0B,CAAC;YAC5C,IAAI,CAAC,kBAAkB,CAAC,yBAAyB,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACvF,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;gBAC5B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACnE,CAAC,CAAC,CAAC;YACH,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACtB,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBAC3C,MAAM,SAAS,GAAG,IAAI,CAAC,kCAAkC,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;gBAClF,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;gBAC5D,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,GAAG,cAAI,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAE/D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;YAC9C,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;YAE3B,kDAAkD;YAClD,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC/C,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAQ,EAAE,CAAC,CAAC;YAC5F,CAAC;iBAAM,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC5B,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAQ,EAAE,CAAC,CAAC;YAC5F,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEM,UAAU,CAAC,OAAiF;QACjG,IAAI,CAAC,OAAO,GAAG;YACb,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC;YACtC,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC;SACvC,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,KAAK;QAChB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAElC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAA,gCAAiB,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACnC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE;oBACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;oBAC3D,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE;gBAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAEM,IAAI;QACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACxB,IAAI,GAAG,EAAE,CAAC;oBACR,MAAM,CAAC,GAAG,CAAC,CAAC;oBACZ,OAAO;gBACT,CAAC;gBACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBACpB,IAAA,+BAAgB,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACpC,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,aAAa,CAAC,GAAyB,EAAE,GAAwB;QACvE,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;QAC3B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QAElC,+DAA+D;QAC/D,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;QAEtC,8CAA8C;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QAC/D,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC;QAC7C,CAAC;QAED,+DAA+D;QAC/D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;gBACvC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC;gBACtC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACrC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,YAAY,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC5C,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,YAAY,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,sBAAsB,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,qBAAqB,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,SAAS,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAC1J,CAAC;QAEF,gCAAgC;QAChC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7B,IAAI,CAAC,0BAA0B,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;gBAC7C,OAAO;YACT,CAAC;YACD,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACnC,CAAC;YACD,KAAK,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QAED,sCAAsC;QAEtC,8DAA8D;QAC9D,IAAI,CAAC,GAAG,KAAK,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAChF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAQ,EAAE,CAAC,CAAC;YAClF,OAAO;QACT,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAC7G,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAQ,EAAE,CAAC,CAAC;YAClF,OAAO;QACT,CAAC;QAED,2BAA2B;QAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,kBAAkB,GAAG,GAAyB,CAAC;YACrD,kBAAkB,CAAC,yBAAyB,GAAG,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,CAAC;YACnF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE;gBACvB,MAAM,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAQ;gBACnD,GAAG,CAAC,kBAAkB,CAAC,yBAAyB,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC,CAAC;QACZ,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAEO,yBAAyB,CAAC,GAAyB;QACzD,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACnD,IAAI,CAAC,CAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACtE,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrD,OAAO,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/D,CAAC;IAEO,kCAAkC,CACxC,QAA8B,EAC9B,IAAY;QAEZ,MAAM,OAAO,GAA6B,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU,IAAI,GAAG,CAAC;QAC9C,MAAM,WAAW,GAAG,OAAO,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,KAAK,QAAQ;YACtE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC;YAClC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;gBAC/C,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;gBAC3C,CAAC,CAAC,EAAE,CAAC;QACT,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEvF,IACE,UAAU,KAAK,GAAG;YAClB,QAAQ,CAAC,QAAQ,CAAC,6BAA6B,CAAC;YAChD,QAAQ,CAAC,QAAQ,CAAC,gCAAgC,CAAC,EACnD,CAAC;YACD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gBAChD,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,sCAAsC;gBAC/C,UAAU,EAAE,GAAG;gBACf,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE;aAC3C,CAAC,CAAC,CAAC;YACJ,OAAO,OAAO,CAAC,gBAAgB,CAAC,CAAC;YACjC,OAAO,OAAO,CAAC,mBAAmB,CAAC,CAAC;YACpC,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;YAC7C,OAAO,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;YAC9D,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;QAC5D,CAAC;QAED,OAAO,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACpC,OAAO,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACvC,CAAC;IAEO,0BAA0B,CAChC,GAAwB,EACxB,MAA0B;QAE1B,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,GAAwB,EAAE,MAA0B;QACzE,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC;QAC5D,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;QACnF,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9E,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACrF,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACxF,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,GAAyB,EAAE,GAAwB;QACjF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAEjC,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;gBACnC,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;gBAC9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;gBACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC5D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACjC,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC;gBAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;gBAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACpD,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAEhE,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;oBACnC,KAAK;oBACL,MAAM;oBACN,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAe,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;iBAC5D,CAAC,CAAC;gBAEH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,KAAK,eAAe,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gBACtC,YAAY,CAAC,GAAG,EAAE;oBAChB,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC3E,KAAK,QAAQ,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;wBACxB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;4BACpB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;wBAClB,CAAC;oBACH,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;YACnC,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC;YACxC,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,MAAM,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;oBAC5C,MAAM,MAAM,GAAG,IAAI,aAAG,CAAC,MAAM,EAAE,CAAC;oBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;oBACxB,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClE,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBACpE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAC7B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,mEAAmE;YACnE,oEAAoE;YACpE,+DAA+D;YAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAI,CAAC,CAAC;YACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;YAC5C,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;YAC1B,OAAO,MAAM,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;gBAC5C,MAAM,MAAM,GAAG,IAAI,aAAG,CAAC,MAAM,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;gBACxB,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACnE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClE,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC7B,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,MAAoC;QAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;QACzB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,aAAa,CAAC,MAA0B;QAC9C,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,OAAO;gBACL,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ,EAAE,OAAO;aAClB,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC,GAAI,CAAC;IACrB,CAAC;CACF;AA5WD,oCA4WC","sourcesContent":["import httpProxy from 'http-proxy';\nimport http from 'http';\nimport net from 'net';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { Supervisor } from '../supervisor/Supervisor';\nimport { prepareSocketPath, removeSocketPath } from './socket-utils';\n\ntype InterceptedRequest = http.IncomingMessage & { __xpodInspectRootMutation?: boolean };\n\n// CORS configuration matching CSS CorsHandler defaults\nconst CORS_CONFIG = {\n  methods: ['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE'],\n  credentials: true,\n  allowedHeaders: [\n    'Authorization', 'Content-Type', 'Accept', 'DPoP', 'Origin',\n    'X-Requested-With', 'If-Match', 'If-None-Match', 'Slug', 'Link',\n  ],\n  exposedHeaders: [\n    'Accept-Patch', 'Accept-Post', 'Accept-Put', 'Allow', 'Content-Range',\n    'ETag', 'Last-Modified', 'Link', 'Location', 'Updates-Via',\n    'WAC-Allow', 'Www-Authenticate', 'X-Request-Id',\n  ],\n};\n\nexport class GatewayProxy {\n  private readonly logger = getLoggerFor(this);\n  private proxy: httpProxy;\n  private server: http.Server;\n  private targets: { css?: GatewayProxyTarget; api?: GatewayProxyTarget } = {};\n  private readonly socketPath?: string;\n  private readonly exitOnStop: boolean;\n  private readonly shutdownHandler?: () => Promise<void>;\n  private readonly baseUrl?: string;\n\n  constructor(\n    private port: number | undefined,\n    private supervisor: Supervisor,\n    private bindHost = '0.0.0.0',\n    options: GatewayProxyOptions = {},\n  ) {\n    this.socketPath = options.socketPath;\n    this.exitOnStop = options.exitOnStop ?? false;\n    this.shutdownHandler = options.shutdownHandler;\n    this.baseUrl = options.baseUrl;\n    this.proxy = httpProxy.createProxyServer({\n      xfwd: true,\n    });\n\n    this.proxy.on('error', (err, _req, res) => {\n      this.logger.error('Proxy error:', err);\n      if (res && 'writeHead' in res && !res.headersSent) {\n        res.writeHead(502, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify({ error: 'Service Unavailable', details: err.message }));\n      }\n    });\n\n    this.proxy.on('proxyRes', (proxyRes, req, res) => {\n      const interceptedRequest = req as InterceptedRequest;\n      const outgoing = res as http.ServerResponse;\n      if (!interceptedRequest.__xpodInspectRootMutation || !outgoing || outgoing.headersSent) {\n        return;\n      }\n\n      const chunks: Buffer[] = [];\n      proxyRes.on('data', (chunk) => {\n        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));\n      });\n      proxyRes.on('end', () => {\n        const originalBody = Buffer.concat(chunks);\n        const rewritten = this.normalizeRootMutationProxyResponse(proxyRes, originalBody);\n        outgoing.writeHead(rewritten.statusCode, rewritten.headers);\n        outgoing.end(rewritten.body);\n      });\n    });\n\n    this.server = http.createServer(this.handleRequest.bind(this));\n\n    this.server.on('upgrade', (req, socket, head) => {\n      const url = req.url ?? '/';\n\n      // Route /ws/* WebSocket connections to API server\n      if (url.startsWith('/ws/') && this.targets.api) {\n        this.proxy.ws(req, socket, head, { target: this.toProxyTarget(this.targets.api) as any });\n      } else if (this.targets.css) {\n        this.proxy.ws(req, socket, head, { target: this.toProxyTarget(this.targets.css) as any });\n      } else {\n        socket.destroy();\n      }\n    });\n  }\n\n  public setTargets(targets: { css?: string | GatewayProxyTarget; api?: string | GatewayProxyTarget }): void {\n    this.targets = {\n      css: this.normalizeTarget(targets.css),\n      api: this.normalizeTarget(targets.api),\n    };\n  }\n\n  public async start(): Promise<void> {\n    return new Promise((resolve, reject) => {\n      this.server.once('error', reject);\n\n      if (this.socketPath) {\n        prepareSocketPath(this.socketPath);\n        this.server.listen(this.socketPath, () => {\n          this.logger.info(`Listening on unix://${this.socketPath}`);\n          resolve();\n        });\n        return;\n      }\n\n      this.server.listen(this.port, this.bindHost, () => {\n        this.logger.info(`Listening on http://${this.bindHost}:${this.port}`);\n        resolve();\n      });\n    });\n  }\n\n  public stop(): Promise<void> {\n    return new Promise((resolve, reject) => {\n      this.proxy.close();\n      this.server.close((err) => {\n        if (err) {\n          reject(err);\n          return;\n        }\n        if (this.socketPath) {\n          removeSocketPath(this.socketPath);\n        }\n        resolve();\n      });\n    });\n  }\n\n  private handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {\n    const url = req.url ?? '/';\n    const origin = req.headers.origin;\n\n    // Store original host for x-forwarded-host before any rewrites\n    const originalHost = req.headers.host;\n\n    // Set x-forwarded-proto based on CSS_BASE_URL\n    const baseUrl = this.baseUrl ?? process.env.CSS_BASE_URL ?? '';\n    if (baseUrl.startsWith('https')) {\n      req.headers['x-forwarded-proto'] = 'https';\n    }\n\n    // Rewrite Host header to match CSS_BASE_URL for proper routing\n    if (baseUrl) {\n      try {\n        const parsedBaseUrl = new URL(baseUrl);\n        req.headers.host = parsedBaseUrl.host;\n        req.headers['x-forwarded-host'] = parsedBaseUrl.host;\n      } catch {\n        if (!req.headers['x-forwarded-host']) {\n          req.headers['x-forwarded-host'] = originalHost;\n        }\n      }\n    } else if (!req.headers['x-forwarded-host']) {\n      req.headers['x-forwarded-host'] = originalHost;\n    }\n\n    this.logger.debug(\n      `${req.method} ${url} x-forwarded-proto=${req.headers['x-forwarded-proto']} x-forwarded-host=${req.headers['x-forwarded-host']} host=${req.headers.host}`,\n    );\n\n    // 1. Internal service endpoints\n    if (url.startsWith('/service/')) {\n      if (req.method === 'OPTIONS') {\n        this.handleCorsPreflightRequest(res, origin);\n        return;\n      }\n      if (origin) {\n        this.addCorsHeaders(res, origin);\n      }\n      void this.handleInternalApi(req, res);\n      return;\n    }\n\n    // 2. API Server Routing (/v1 or /api)\n\n    // 2a. Dashboard UI is served by API server under /dashboard/*\n    if ((url === '/dashboard' || url.startsWith('/dashboard/')) && this.targets.api) {\n      this.proxy.web(req, res, { target: this.toProxyTarget(this.targets.api) as any });\n      return;\n    }\n\n    if ((url.startsWith('/v1/') || url.startsWith('/api/') || url.startsWith('/provision/')) && this.targets.api) {\n      this.proxy.web(req, res, { target: this.toProxyTarget(this.targets.api) as any });\n      return;\n    }\n\n    // 3. CSS Routing (Default)\n    if (this.targets.css) {\n      const interceptedRequest = req as InterceptedRequest;\n      interceptedRequest.__xpodInspectRootMutation = this.shouldInspectRootMutation(req);\n      this.proxy.web(req, res, {\n        target: this.toProxyTarget(this.targets.css) as any,\n        ...(interceptedRequest.__xpodInspectRootMutation ? { selfHandleResponse: true } : {}),\n      } as any);\n    } else {\n      res.writeHead(503);\n      res.end('CSS Service Not Available');\n    }\n  }\n\n  private shouldInspectRootMutation(req: http.IncomingMessage): boolean {\n    const method = (req.method ?? 'GET').toUpperCase();\n    if (![ 'POST', 'PUT', 'PATCH', 'DELETE' ].includes(method)) {\n      return false;\n    }\n\n    const pathname = new URL(req.url ?? '/', 'http://localhost').pathname;\n    const segments = pathname.split('/').filter(Boolean);\n    return segments.length === 1 && !segments[0].startsWith('.');\n  }\n\n  private normalizeRootMutationProxyResponse(\n    proxyRes: http.IncomingMessage,\n    body: Buffer,\n  ): { statusCode: number; headers: http.OutgoingHttpHeaders; body: Buffer } {\n    const headers: http.OutgoingHttpHeaders = { ...proxyRes.headers };\n    const statusCode = proxyRes.statusCode ?? 500;\n    const contentType = typeof proxyRes.headers['content-type'] === 'string'\n      ? proxyRes.headers['content-type']\n      : Array.isArray(proxyRes.headers['content-type'])\n        ? proxyRes.headers['content-type'][0] ?? ''\n        : '';\n    const bodyText = contentType.includes('application/json') ? body.toString('utf8') : '';\n\n    if (\n      statusCode === 500 &&\n      bodyText.includes('Cannot obtain the parent of') &&\n      bodyText.includes('because it is a root container')\n    ) {\n      const normalizedBody = Buffer.from(JSON.stringify({\n        name: 'ForbiddenHttpError',\n        message: 'Write to server root is not allowed.',\n        statusCode: 403,\n        errorCode: 'H403',\n        details: { cause: 'root-container-write' },\n      }));\n      delete headers['content-length'];\n      delete headers['transfer-encoding'];\n      headers['content-type'] = 'application/json';\n      headers['content-length'] = String(normalizedBody.byteLength);\n      return { statusCode: 403, headers, body: normalizedBody };\n    }\n\n    delete headers['transfer-encoding'];\n    headers['content-length'] = String(body.byteLength);\n    return { statusCode, headers, body };\n  }\n\n  private handleCorsPreflightRequest(\n    res: http.ServerResponse,\n    origin: string | undefined,\n  ): void {\n    this.addCorsHeaders(res, origin);\n    res.writeHead(204);\n    res.end();\n  }\n\n  /**\n   * Add CORS headers matching CSS CorsHandler configuration\n   */\n  private addCorsHeaders(res: http.ServerResponse, origin: string | undefined): void {\n    res.setHeader('Access-Control-Allow-Origin', origin || '*');\n    res.setHeader('Access-Control-Allow-Credentials', String(CORS_CONFIG.credentials));\n    res.setHeader('Access-Control-Allow-Methods', CORS_CONFIG.methods.join(', '));\n    res.setHeader('Access-Control-Allow-Headers', CORS_CONFIG.allowedHeaders.join(', '));\n    res.setHeader('Access-Control-Expose-Headers', CORS_CONFIG.exposedHeaders.join(', '));\n  }\n\n  private async handleInternalApi(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {\n    try {\n      const reqUrl = req.url ?? '/';\n      const parsed = new URL(reqUrl, 'http://localhost');\n      const pathname = parsed.pathname;\n\n      if (pathname === '/service/status') {\n        const status = this.supervisor.getAllStatus();\n        const cssReady = await this.isCssReady();\n        const code = cssReady ? 200 : 503;\n        res.writeHead(code, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify(status));\n        return;\n      }\n\n      if (pathname === '/service/logs') {\n        const level = parsed.searchParams.get('level') ?? undefined;\n        const source = parsed.searchParams.get('source') ?? undefined;\n        const limitValue = parsed.searchParams.get('limit');\n        const limit = limitValue ? parseInt(limitValue, 10) : undefined;\n\n        const logs = this.supervisor.getLogs({\n          level,\n          source,\n          limit: Number.isFinite(limit as number) ? limit : undefined,\n        });\n\n        res.writeHead(200, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify(logs));\n        return;\n      }\n\n      if (pathname === '/service/stop' && req.method === 'POST') {\n        res.writeHead(200, { 'Content-Type': 'application/json' });\n        res.end(JSON.stringify({ ok: true }));\n        setImmediate(() => {\n          const shutdown = this.shutdownHandler ?? (() => this.supervisor.stopAll());\n          void shutdown().then(() => {\n            if (this.exitOnStop) {\n              process.exit(0);\n            }\n          });\n        });\n        return;\n      }\n\n      res.writeHead(404);\n      res.end('Not Found');\n    } catch (error) {\n      this.logger.error('Internal service endpoint failed:', error);\n      if (!res.headersSent) {\n        res.writeHead(500, { 'Content-Type': 'application/json' });\n      }\n      res.end(JSON.stringify({ error: 'Internal Server Error' }));\n    }\n  }\n\n  private async isCssReady(): Promise<boolean> {\n    if (!this.targets.css) {\n      return true;\n    }\n\n    try {\n      const cssTarget = this.targets.css;\n      const socketPath = cssTarget.socketPath;\n      if (socketPath) {\n        return await new Promise<boolean>((resolve) => {\n          const socket = new net.Socket();\n          socket.setTimeout(1500);\n          socket.once('connect', () => { socket.destroy(); resolve(true); });\n          socket.once('error', () => { socket.destroy(); resolve(false); });\n          socket.once('timeout', () => { socket.destroy(); resolve(false); });\n          socket.connect(socketPath);\n        });\n      }\n\n      // TCP connect to the CSS internal port to check if it's listening.\n      // HTTP probes fail because CSS enforces identifier-space checks and\n      // the internal port differs from the public CSS_BASE_URL port.\n      const url = new URL(cssTarget.url!);\n      const port = parseInt(url.port || '80', 10);\n      const host = url.hostname;\n      return await new Promise<boolean>((resolve) => {\n        const socket = new net.Socket();\n        socket.setTimeout(1500);\n        socket.once('connect', () => { socket.destroy(); resolve(true); });\n        socket.once('error', () => { socket.destroy(); resolve(false); });\n        socket.once('timeout', () => { socket.destroy(); resolve(false); });\n        socket.connect(port, host);\n      });\n    } catch {\n      return false;\n    }\n  }\n\n  private normalizeTarget(target?: string | GatewayProxyTarget): GatewayProxyTarget | undefined {\n    if (!target) {\n      return undefined;\n    }\n    if (typeof target === 'string') {\n      return { url: target };\n    }\n    return target;\n  }\n\n  private toProxyTarget(target: GatewayProxyTarget): string | { socketPath: string; protocol: string } {\n    if (target.socketPath) {\n      return {\n        socketPath: target.socketPath,\n        protocol: 'http:',\n      };\n    }\n    return target.url!;\n  }\n}\n\nexport interface GatewayProxyTarget {\n  url?: string;\n  socketPath?: string;\n}\n\nexport interface GatewayProxyOptions {\n  socketPath?: string;\n  exitOnStop?: boolean;\n  shutdownHandler?: () => Promise<void>;\n  baseUrl?: string;\n}\n"]}

package/dist/runtime/XpodRuntime.d.ts

@@ -0,0 +1,49 @@
+import type { AuthContext } from '../api/auth/AuthContext';
+import { Supervisor } from '../supervisor/Supervisor';
+export interface XpodRuntimeOptions {
+    mode?: 'local' | 'cloud';
+    open?: boolean;
+    authMode?: 'acp' | 'acl' | 'allow-all';
+    apiOpen?: boolean;
+    authContext?: AuthContext;
+    envFile?: string;
+    env?: Record<string, string | undefined>;
+    shorthand?: Record<string, string | number | boolean>;
+    baseUrl?: string;
+    bindHost?: string;
+    transport?: 'auto' | 'socket' | 'port';
+    runtimeRoot?: string;
+    rootFilePath?: string;
+    sparqlEndpoint?: string;
+    identityDbUrl?: string;
+    usageDbUrl?: string;
+    logLevel?: string;
+    gatewayPort?: number;
+    cssPort?: number;
+    apiPort?: number;
+    gatewaySocketPath?: string;
+    cssSocketPath?: string;
+    apiSocketPath?: string;
+    edgeNodesEnabled?: boolean;
+    centerRegistrationEnabled?: boolean;
+}
+export interface XpodRuntimeHandle {
+    id: string;
+    mode: 'local' | 'cloud';
+    transport: 'socket' | 'port';
+    baseUrl: string;
+    supervisor: Supervisor;
+    ports: {
+        gateway?: number;
+        css?: number;
+        api?: number;
+    };
+    sockets: {
+        gateway?: string;
+        css?: string;
+        api?: string;
+    };
+    fetch: (input: string | URL | Request, init?: RequestInit) => Promise<Response>;
+    stop: () => Promise<void>;
+}
+export declare function startXpodRuntime(options?: XpodRuntimeOptions): Promise<XpodRuntimeHandle>;