chatpanel-gateway 0.1.0

package/src/anthropic.js

@@ -0,0 +1,75 @@
+// Anthropic-protocol adapter: /v1/messages (what Claude Code speaks). Same shape
+// as the OpenAI adapter — collect in-place text segments from the request,
+// restore tokens in a non-streaming response. Streaming is handled generically.
+
+import { segment } from './redact.js';
+import { restoreDeep } from './stream.js';
+
+export function matches(pathname) {
+  return /\/messages$/.test(pathname);
+}
+
+// Push segments for a content field that may be a string or an array of blocks
+// ({type:'text',text}, {type:'tool_result',content}, …).
+function collectContent(content, segs) {
+  if (typeof content === 'string') {
+    // Can't set a primitive in place; caller wraps string content separately.
+    return;
+  }
+  if (!Array.isArray(content)) return;
+  for (const block of content) {
+    if (!block) continue;
+    if (block.type === 'text' && typeof block.text === 'string') {
+      segs.push(segment(() => block.text, (v) => { block.text = v; }));
+    } else if (block.type === 'tool_result') {
+      collectContent(block.content, segs);
+    }
+  }
+}
+
+export function collectSegments(body, redactionCfg) {
+  const segs = [];
+
+  // Top-level system prompt: string or array of {type:'text',text} blocks.
+  if (redactionCfg.redactSystem !== false && body) {
+    if (typeof body.system === 'string') {
+      segs.push(segment(() => body.system, (v) => { body.system = v; }));
+    } else if (Array.isArray(body.system)) {
+      collectContent(body.system, segs);
+    }
+  }
+
+  for (const m of Array.isArray(body?.messages) ? body.messages : []) {
+    if (!m) continue;
+    if (typeof m.content === 'string') {
+      segs.push(segment(() => m.content, (v) => { m.content = v; }));
+    } else {
+      collectContent(m.content, segs);
+    }
+  }
+  return segs;
+}
+
+// Extract the conversation for the bridge backend. Anthropic carries the system
+// prompt at the top level (string or text blocks) — flatten it to a string.
+export function toTurn(body) {
+  let system = '';
+  if (typeof body?.system === 'string') system = body.system;
+  else if (Array.isArray(body?.system)) {
+    system = body.system.filter((b) => b?.type === 'text' && typeof b.text === 'string').map((b) => b.text).join('\n');
+  }
+  return { messages: Array.isArray(body?.messages) ? body.messages : [], system };
+}
+
+// Restore a buffered response: text blocks + tool_use input objects.
+export function restoreResponse(json, vault) {
+  for (const block of json?.content || []) {
+    if (!block) continue;
+    if (block.type === 'text' && typeof block.text === 'string') {
+      block.text = restoreDeep(block.text, vault);
+    } else if (block.type === 'tool_use' && block.input) {
+      block.input = restoreDeep(block.input, vault);
+    }
+  }
+  return json;
+}

package/src/bridge.js

@@ -0,0 +1,118 @@
+// Bridge backend: drive the ChatPanel bridge's subscription-authed CLI agents
+// (codex / claude / opencode / pi) instead of a pay-per-token provider API. This
+// is what lets opencode talk to codex-behind-your-ChatGPT-login THROUGH the
+// gateway, with redaction in the middle.
+//
+//   gateway  →  POST http://127.0.0.1:4319/chat  { agent, messages, system }
+//            ←  SSE { type:'delta'|'tool'|'reasoning'|'status'|'done'|'error' }
+//
+// We only surface the model's *text* (delta/done) to the caller; the agent's own
+// tool/reasoning events are its local side effects. Auth uses the bridge's
+// per-install bearer token (~/.chatpanel/bridge-token), the same token a
+// non-browser local client is expected to present.
+
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import os from 'node:os';
+
+const DEFAULT_TOKEN_PATH = join(os.homedir(), '.chatpanel', 'bridge-token');
+
+export function readBridgeToken(cfgToken, tokenPath = DEFAULT_TOKEN_PATH) {
+  if (cfgToken) return cfgToken;
+  try {
+    if (existsSync(tokenPath)) return readFileSync(tokenPath, 'utf8').trim();
+  } catch { /* ignore */ }
+  return '';
+}
+
+// Flatten an OpenAI/Anthropic message's content (string | parts[]) to plain text
+// for the bridge, which expects string content. Image parts are dropped here (the
+// bridge takes images separately; wire that later if needed).
+function flattenContent(content) {
+  if (typeof content === 'string') return content;
+  if (Array.isArray(content)) {
+    return content
+      .map((p) => (typeof p === 'string' ? p : (typeof p?.text === 'string' ? p.text : '')))
+      .filter(Boolean)
+      .join('\n');
+  }
+  return '';
+}
+
+export function toBridgeMessages(messages) {
+  return (messages || [])
+    .filter((m) => m && (m.role === 'user' || m.role === 'assistant' || m.role === 'system'))
+    .map((m) => ({ role: m.role, content: flattenContent(m.content) }));
+}
+
+// Stream a turn through the bridge. Calls onText(restorableChunk) for each delta
+// of model text and returns the full (un-restored) text. Throws on bridge error.
+export async function streamBridgeChat({ bridgeUrl, agent, token, messages, system, options, signal }, onText) {
+  const res = await fetch(`${bridgeUrl.replace(/\/$/, '')}/chat`, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      ...(token ? { authorization: `Bearer ${token}` } : {}),
+    },
+    body: JSON.stringify({
+      agent,
+      messages: toBridgeMessages(messages),
+      system: system || '',
+      options: options || {},
+    }),
+    signal,
+  });
+
+  if (!res.ok || !res.body) {
+    const detail = await res.text().catch(() => '');
+    throw new Error(`bridge /chat HTTP ${res.status}${detail ? `: ${detail.slice(0, 200)}` : ''}`);
+  }
+
+  const reader = res.body.getReader();
+  const decoder = new TextDecoder();
+  let buf = '';
+  let full = '';
+  let streamed = false;
+  let err = null;
+
+  const handleEvent = (block) => {
+    // SSE: lines of "data: <json>" (the bridge emits one JSON object per event).
+    for (const line of block.split('\n')) {
+      const s = line.trim();
+      if (!s.startsWith('data:')) continue;
+      const payload = s.slice(5).trim();
+      if (!payload || payload === '[DONE]') continue;
+      let evt;
+      try { evt = JSON.parse(payload); } catch { continue; }
+      if (evt.type === 'delta' && typeof evt.text === 'string') {
+        streamed = true;
+        full += evt.text;
+        onText(evt.text);
+      } else if (evt.type === 'done') {
+        // Some engines only deliver the full text at the end (not streamed).
+        if (!streamed && typeof evt.text === 'string' && evt.text) {
+          full += evt.text;
+          onText(evt.text);
+        }
+      } else if (evt.type === 'error') {
+        err = new Error(evt.error || 'bridge error');
+      }
+      // tool / reasoning / status events are the agent's local side effects — ignore.
+    }
+  };
+
+  for (;;) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    buf += decoder.decode(value, { stream: true });
+    let idx;
+    // Events are separated by a blank line.
+    while ((idx = buf.indexOf('\n\n')) !== -1) {
+      handleEvent(buf.slice(0, idx));
+      buf = buf.slice(idx + 2);
+    }
+  }
+  if (buf.trim()) handleEvent(buf);
+  if (err) throw err;
+  return full;
+}

package/src/config.js

@@ -0,0 +1,120 @@
+// Gateway configuration.
+//
+// Loads, in order of precedence: a JSON file (CHATPANEL_GATEWAY_CONFIG or
+// ./gateway.config.json) < environment variables. The gateway forwards the
+// CLIENT's own auth header upstream (it stores no provider keys), so config here
+// is only routing + the redaction policy.
+
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+const DEFAULTS = {
+  host: '127.0.0.1',
+  port: 4320,
+
+  // 'bridge' = drive the ChatPanel bridge's subscription-authed CLI agents
+  //            (codex/claude/opencode/pi) — the privacy-bridge-between-agents use
+  //            case (opencode → gateway → codex). No API keys; uses your login.
+  // 'api'    = forward redacted traffic to a native provider API (local models,
+  //            BYO keys, OpenRouter, …). Client passes its own auth through.
+  backend: 'bridge',
+
+  // Security: legitimate clients (opencode/pi/codex/SDKs) are local processes that
+  // send NO Origin header. A browser always attaches one. So we REJECT any request
+  // bearing an Origin not in this allowlist — this stops a malicious web page from
+  // POSTing to the gateway and driving codex (drive-by / CSRF). Leave empty to
+  // block all browser-origin traffic. `maxBodyBytes` caps request size (DoS guard).
+  allowedOrigins: [],
+  maxBodyBytes: 26214400,
+
+  // Monetization: the gateway is free to try, paid to rely on. Free = deterministic
+  // redaction (basic tier) + a daily request cap. Paste a ChatPanel Pro entitlement
+  // token (the same offline-signed token the extension/bridge use) to unlock
+  // full-tier redaction (NER names/orgs + full dictionary) and unlimited usage.
+  pro: {
+    entitlementToken: '',
+    free: {
+      maxRequestsPerDay: 25,
+    },
+  },
+
+  bridge: {
+    url: 'http://127.0.0.1:4319',
+    // Default agent the bridge drives. A request's `model` field may also name an
+    // agent (codex/claude/opencode/pi) to override per-call.
+    agent: 'codex',
+    // Bearer token for the bridge's privileged /chat route. Empty = read the
+    // per-install token from ~/.chatpanel/bridge-token.
+    token: '',
+  },
+
+  upstreams: {
+    // Used only when backend === 'api'. Override to point OpenAI-protocol traffic
+    // at a local model, Azure, OpenRouter, etc. Auth is passed through from the
+    // client, so no key lives here.
+    openai: { baseUrl: 'https://api.openai.com' },
+    anthropic: { baseUrl: 'https://api.anthropic.com' },
+  },
+  redaction: {
+    // 'basic' = deterministic regex (emails/phones/cards/SSNs/keys/IPs).
+    // 'full'  = basic + entity detection (names/orgs via the local detector below)
+    //           + the custom dictionary.
+    tier: 'basic',
+    // { value|pattern, type, alias? } — see pii-redact.js. `alias` pseudonymizes
+    // permanently (upstream + the agent both see the alias).
+    dictionary: [],
+    // Local entity detector, passed straight to pii-detect.detectEntities.
+    //   backend: 'off' | 'endpoint' (POST {text}->{entities}) | 'openai' (local LLM)
+    //   url, model, timeoutMs, maxChars
+    // When `ner.autostart` is on (below), the gateway launches the bundled spaCy
+    // NER server and points detection at it automatically — leave this `off`.
+    detection: { backend: 'off' },
+    // Per-request convenience: also redact the system prompt / system blocks.
+    redactSystem: true,
+  },
+  // Bundled local NER server (spaCy). When autostart is on, `npm start` also
+  // launches ./ner on this port and wires `redaction.detection` to it, so name/
+  // org redaction works out of the box with one command. Fails open: if Python/
+  // spaCy isn't set up, the gateway logs a hint and runs deterministic-only.
+  ner: {
+    autostart: true,
+    port: 9009,
+    // Auto-bump redaction.tier to 'full' once NER is up (names/orgs need it).
+    enableFullTier: true,
+  },
+
+  // Log one line per request (method, tokens redacted) without any raw values.
+  logRequests: true,
+};
+
+function deepMerge(base, over) {
+  if (Array.isArray(over)) return over;
+  if (over && typeof over === 'object' && base && typeof base === 'object') {
+    const out = { ...base };
+    for (const k of Object.keys(over)) out[k] = deepMerge(base[k], over[k]);
+    return out;
+  }
+  return over === undefined ? base : over;
+}
+
+export function loadConfig(env = process.env) {
+  let cfg = DEFAULTS;
+
+  const path = env.CHATPANEL_GATEWAY_CONFIG || join(process.cwd(), 'gateway.config.json');
+  if (existsSync(path)) {
+    try {
+      cfg = deepMerge(cfg, JSON.parse(readFileSync(path, 'utf8')));
+    } catch (e) {
+      throw new Error(`bad config file ${path}: ${e.message}`);
+    }
+  }
+
+  // Env overrides (handy for Docker/CI where a file is awkward).
+  if (env.CHATPANEL_GATEWAY_HOST) cfg = deepMerge(cfg, { host: env.CHATPANEL_GATEWAY_HOST });
+  if (env.CHATPANEL_GATEWAY_PORT) cfg = deepMerge(cfg, { port: Number(env.CHATPANEL_GATEWAY_PORT) });
+  if (env.OPENAI_BASE_URL) cfg = deepMerge(cfg, { upstreams: { openai: { baseUrl: env.OPENAI_BASE_URL } } });
+  if (env.ANTHROPIC_BASE_URL) cfg = deepMerge(cfg, { upstreams: { anthropic: { baseUrl: env.ANTHROPIC_BASE_URL } } });
+  if (env.CHATPANEL_REDACTION_TIER) cfg = deepMerge(cfg, { redaction: { tier: env.CHATPANEL_REDACTION_TIER } });
+
+  return cfg;
+}

package/src/configstore.js

@@ -0,0 +1,65 @@
+// Read/write the gateway's on-disk config so the extension's "Gateway" tab can
+// configure it live over the localhost API (GET/POST /config). The gateway stays
+// authoritative — the extension is just a UI client.
+
+import { writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+export function configPath(env = process.env) {
+  return env.CHATPANEL_GATEWAY_CONFIG || join(process.cwd(), 'gateway.config.json');
+}
+
+// Persist the user-editable subset (not derived runtime state).
+export function persistConfig(cfg, path = configPath()) {
+  const out = {
+    host: cfg.host, port: cfg.port, backend: cfg.backend,
+    bridge: cfg.bridge, upstreams: cfg.upstreams, redaction: cfg.redaction,
+    ner: cfg.ner, allowedOrigins: cfg.allowedOrigins, maxBodyBytes: cfg.maxBodyBytes,
+    pro: cfg.pro, logRequests: cfg.logRequests,
+  };
+  writeFileSync(path, JSON.stringify(out, null, 2));
+}
+
+// Safe view for GET /config — never leak secrets (the entitlement + bridge tokens
+// are write-only; the UI shows whether Pro is unlocked, not the token).
+export function publicConfig(cfg, { proUnlocked = false } = {}) {
+  return {
+    backend: cfg.backend,
+    bridge: { url: cfg.bridge?.url, agent: cfg.bridge?.agent, hasToken: !!cfg.bridge?.token },
+    upstreams: cfg.upstreams,
+    redaction: {
+      tier: cfg.redaction?.tier,
+      redactSystem: cfg.redaction?.redactSystem !== false,
+      detection: cfg.redaction?.detection || { backend: 'off' },
+      dictionary: Array.isArray(cfg.redaction?.dictionary) ? cfg.redaction.dictionary : [],
+    },
+    ner: cfg.ner,
+    allowedOrigins: Array.isArray(cfg.allowedOrigins) ? cfg.allowedOrigins : [],
+    pro: { unlocked: proUnlocked, hasToken: !!cfg.pro?.entitlementToken, free: cfg.pro?.free },
+    logRequests: !!cfg.logRequests,
+  };
+}
+
+// Merge an editable patch into the live cfg. Only known fields; ignores the rest.
+export function applyConfigPatch(cfg, patch = {}) {
+  if (patch.backend === 'bridge' || patch.backend === 'api') cfg.backend = patch.backend;
+  if (patch.bridge && typeof patch.bridge === 'object') {
+    if (typeof patch.bridge.url === 'string') cfg.bridge.url = patch.bridge.url;
+    if (typeof patch.bridge.agent === 'string') cfg.bridge.agent = patch.bridge.agent;
+  }
+  if (patch.redaction && typeof patch.redaction === 'object') {
+    const r = patch.redaction;
+    if (r.tier === 'basic' || r.tier === 'full') cfg.redaction.tier = r.tier;
+    if ('redactSystem' in r) cfg.redaction.redactSystem = !!r.redactSystem;
+    if (Array.isArray(r.dictionary)) cfg.redaction.dictionary = r.dictionary;
+    if (r.detection && typeof r.detection === 'object') cfg.redaction.detection = r.detection;
+  }
+  if (Array.isArray(patch.allowedOrigins)) cfg.allowedOrigins = patch.allowedOrigins;
+  if (patch.pro && typeof patch.pro === 'object') {
+    if (typeof patch.pro.entitlementToken === 'string') cfg.pro.entitlementToken = patch.pro.entitlementToken;
+    const cap = patch.pro.free?.maxRequestsPerDay;
+    if (Number.isFinite(cap) && cap >= 0) cfg.pro.free.maxRequestsPerDay = cap;
+  }
+  if (typeof patch.logRequests === 'boolean') cfg.logRequests = patch.logRequests;
+  return cfg;
+}

package/src/entitlement.js

@@ -0,0 +1,81 @@
+// Offline Pro/Team entitlement verification — the HARD gate for paid features
+// (e.g. custom "bring your own CLI" agents).
+//
+// The license server (Cloudflare Worker) signs a compact entitlement token with
+// an ECDSA P-256 private key that lives ONLY there. The bridge ships the matching
+// PUBLIC key and verifies the signature locally — no network, no secret. A forked
+// client or a raw `curl` to the bridge can't forge entitlement without the
+// private key, so this is a real cryptographic gate, not a UI check.
+//
+// Token format (identical to the extension's, extension/js/license.js):
+//   token   = base64url(JSON payload) + "." + base64url(raw ECDSA signature)
+//   signed over UTF-8(head); payload = { typ:'ent', plan, install_id, sub, exp }
+//
+// Keep ENTITLEMENT_PUBLIC_JWK in sync with the extension's copy.
+
+import { webcrypto } from 'node:crypto';
+
+const ENTITLEMENT_PUBLIC_JWK = {
+  kty: 'EC',
+  crv: 'P-256',
+  x: 'CmgKLC4e3xDMvwhbjVqF7jbDe1JhC1KKQi8JN3qVX_4',
+  y: 'r40l6fQiyCcJYqW-SvB4VoSyn4F36yhSt82ZAOSo78E',
+};
+
+const PRO_PLANS = new Set(['pro', 'team']);
+
+const b64urlToBytes = (s) => {
+  const norm = s.replace(/-/g, '+').replace(/_/g, '/');
+  return new Uint8Array(Buffer.from(norm, 'base64'));
+};
+
+let keyPromise = null;
+function publicKey() {
+  if (!keyPromise) {
+    keyPromise = webcrypto.subtle.importKey(
+      'jwk',
+      ENTITLEMENT_PUBLIC_JWK,
+      { name: 'ECDSA', namedCurve: 'P-256' },
+      false,
+      ['verify'],
+    );
+  }
+  return keyPromise;
+}
+
+// Verify a server entitlement token. Returns its payload, or null. Checks the
+// ECDSA signature (unforgeable without the private key), the token type, and
+// expiry. install_id binding is the extension's concern — for the bridge gate the
+// signature is what matters.
+export async function verifyEntitlement(token) {
+  if (!token || typeof token !== 'string' || token.indexOf('.') < 0) return null;
+  const [head, sig] = token.split('.');
+  const enc = new TextEncoder();
+  let ok = false;
+  try {
+    ok = await webcrypto.subtle.verify(
+      { name: 'ECDSA', hash: 'SHA-256' },
+      await publicKey(),
+      b64urlToBytes(sig),
+      enc.encode(head),
+    );
+  } catch {
+    return null;
+  }
+  if (!ok) return null;
+  let payload;
+  try {
+    payload = JSON.parse(new TextDecoder().decode(b64urlToBytes(head)));
+  } catch {
+    return null;
+  }
+  if (payload.typ !== 'ent') return null;
+  if (payload.exp && Date.now() > payload.exp) return null;
+  return payload;
+}
+
+// True when `token` is a valid, unexpired Pro (or Team) entitlement.
+export async function isProEntitled(token) {
+  const p = await verifyEntitlement(token);
+  return !!(p && PRO_PLANS.has(p.plan));
+}

package/src/freegate.js

@@ -0,0 +1,44 @@
+// Free vs Pro for the gateway runtime — the "taste" gate.
+//
+// Free (no entitlement token): deterministic redaction only (basic tier) + a
+// capped number of metered requests per day, so anyone can try it. Pro (a valid
+// ChatPanel entitlement token — the same offline-signed token the extension and
+// bridge use) unlocks full-tier redaction (names/orgs via NER + full dictionary)
+// and unlimited usage. The cryptographic check (entitlement.js) means a forked UI
+// can't unlock it — only the configured/paid token does.
+
+import { isProEntitled } from './entitlement.js';
+
+const proCache = { token: null, val: false };
+const counts = { day: '', n: 0 };
+
+// Today's metered usage — for the gateway's /status (the extension's monitoring).
+export function usage(cfg) {
+  return { day: counts.day, used: counts.n, cap: cfg.pro?.free?.maxRequestsPerDay ?? 25 };
+}
+
+export async function resolvePro(token) {
+  if (!token) return false;
+  if (proCache.token === token) return proCache.val;
+  const val = await isProEntitled(token).catch(() => false);
+  proCache.token = token;
+  proCache.val = val;
+  return val;
+}
+
+// UTC day bucket. (Runtime — Date is available here, unlike workflow scripts.)
+function dayKey() {
+  return new Date().toISOString().slice(0, 10);
+}
+
+// Meter one redactable request. Pro = always allowed. Free = allowed until the
+// daily cap, then refused so the client gets a clear upsell.
+export function meter(cfg, isPro) {
+  if (isPro) return { allowed: true, remaining: Infinity, isPro: true };
+  const cap = cfg.pro?.free?.maxRequestsPerDay ?? 25;
+  const d = dayKey();
+  if (counts.day !== d) { counts.day = d; counts.n = 0; }
+  if (counts.n >= cap) return { allowed: false, remaining: 0, cap, isPro: false };
+  counts.n += 1;
+  return { allowed: true, remaining: cap - counts.n, cap, isPro: false };
+}

package/src/ner.js

@@ -0,0 +1,99 @@
+// Managed local NER server. When cfg.ner.autostart is on, launching the gateway
+// also spins up the bundled spaCy detector (./ner) and wires redaction.detection
+// at it — so name/org redaction works with a single command, no second terminal.
+//
+// Fail-open by design: if Python/spaCy isn't set up, we log a one-line hint and
+// the gateway keeps running with deterministic-only redaction (the detector layer
+// is already cached + fail-open per request).
+
+import { spawn } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+
+const NER_DIR = join(dirname(fileURLToPath(import.meta.url)), '..', 'ner');
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+async function healthy(port, signal) {
+  try {
+    const res = await fetch(`http://127.0.0.1:${port}/health`, { signal });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+
+// Launch + supervise the NER server. Returns { stop() } or null if not started.
+// Mutates cfg.redaction once the server answers /health.
+export function startNer(cfg) {
+  const n = cfg.ner;
+  if (!n || !n.autostart) return null;
+
+  // Respect an explicitly-configured detector — don't double-launch.
+  const det = cfg.redaction?.detection;
+  if (det && det.backend && det.backend !== 'off') {
+    console.log(`[ner] detection already configured (${det.backend}) — not autostarting bundled server`);
+    return null;
+  }
+
+  const port = n.port || 9009;
+  let child;
+  try {
+    child = spawn('bash', ['run.sh'], {
+      cwd: NER_DIR,
+      env: { ...process.env, PORT: String(port) },
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
+  } catch (e) {
+    console.log(`[ner] could not launch bundled NER (${e.message}) — deterministic redaction only`);
+    return null;
+  }
+
+  let firstRun = true;
+  child.stdout?.on('data', (b) => {
+    const s = b.toString();
+    if (firstRun && /installing dependencies/i.test(s)) {
+      firstRun = false;
+      console.log('[ner] first run: creating venv + installing spaCy (one-time, may take a minute)…');
+    }
+  });
+  child.stderr?.on('data', () => { /* uvicorn logs to stderr; swallow */ });
+  child.on('error', (e) => {
+    console.log(`[ner] failed to start (${e.message}). Is python3 installed? Falling back to deterministic redaction.`);
+  });
+  child.on('exit', (code) => {
+    if (code && code !== 0 && !stopped) {
+      console.log(`[ner] server exited (code ${code}); redaction continues deterministic-only.`);
+    }
+  });
+
+  // Poll for readiness without blocking server start; wire detection when up.
+  const ac = new AbortController();
+  (async () => {
+    const deadline = Date.now() + 120_000; // generous: first run installs deps
+    while (Date.now() < deadline && !stopped) {
+      if (await healthy(port, ac.signal)) {
+        cfg.redaction.detection = {
+          backend: 'endpoint',
+          url: `http://127.0.0.1:${port}/ner`,
+          timeoutMs: 1500,
+          maxChars: 8000,
+        };
+        if (n.enableFullTier && cfg.redaction.tier !== 'full') cfg.redaction.tier = 'full';
+        console.log(`[ner] ready on http://127.0.0.1:${port}/ner — entity redaction active (tier: ${cfg.redaction.tier})`);
+        return;
+      }
+      await sleep(1000);
+    }
+    if (!stopped) console.log('[ner] not ready after 120s — continuing deterministic-only (run ./ner/run.sh manually to debug).');
+  })();
+
+  let stopped = false;
+  const stop = () => {
+    if (stopped) return;
+    stopped = true;
+    ac.abort();
+    try { child.kill('SIGTERM'); } catch { /* ignore */ }
+  };
+  return { stop };
+}

package/src/openai.js

@@ -0,0 +1,53 @@
+// OpenAI-protocol adapter: /v1/chat/completions (what opencode, codex, aider,
+// cursor, and most tools speak). Pulls every redactable text string out of the
+// request body as in-place segments, and restores tokens in a non-streaming
+// response. (Streaming is restored generically in stream.js.)
+
+import { segment } from './redact.js';
+import { restoreDeep } from './stream.js';
+
+export function matches(pathname) {
+  return /\/chat\/completions$/.test(pathname) || /\/completions$/.test(pathname);
+}
+
+// Collect segments from messages[].content (string or multimodal parts). System
+// messages are included unless redactSystem is false.
+export function collectSegments(body, redactionCfg) {
+  const segs = [];
+  const messages = Array.isArray(body?.messages) ? body.messages : [];
+  for (const m of messages) {
+    if (!m) continue;
+    if (m.role === 'system' && redactionCfg.redactSystem === false) continue;
+    if (typeof m.content === 'string') {
+      segs.push(segment(() => m.content, (v) => { m.content = v; }));
+    } else if (Array.isArray(m.content)) {
+      for (const part of m.content) {
+        if (part && part.type === 'text' && typeof part.text === 'string') {
+          segs.push(segment(() => part.text, (v) => { part.text = v; }));
+        }
+      }
+    }
+  }
+  return segs;
+}
+
+// Extract the conversation for the bridge backend. OpenAI carries the system
+// prompt as a role:'system' message, so we pass messages through as-is.
+export function toTurn(body) {
+  return { messages: Array.isArray(body?.messages) ? body.messages : [], system: '' };
+}
+
+// Restore a buffered (non-streaming) response: assistant text + tool-call args.
+export function restoreResponse(json, vault) {
+  for (const choice of json?.choices || []) {
+    const msg = choice?.message;
+    if (!msg) continue;
+    if (typeof msg.content === 'string') msg.content = restoreDeep(msg.content, vault);
+    for (const tc of msg.tool_calls || []) {
+      if (tc?.function && typeof tc.function.arguments === 'string') {
+        tc.function.arguments = restoreDeep(tc.function.arguments, vault);
+      }
+    }
+  }
+  return json;
+}