chatpanel-gateway 0.1.0

package/src/redact.js

@@ -0,0 +1,57 @@
+// Gateway-level redaction: blind an arbitrary set of text segments into one
+// shared vault, so [[PERSON_1]] means the same entity across every message in a
+// request. Protocol adapters (openai.js / anthropic.js) extract the text, call
+// redactSegments, and splice the redacted strings back in.
+//
+// A fresh vault per request is correct here: coding agents resend the full
+// history each turn and the engine assigns tokens by first-appearance, so the
+// mapping is self-consistent within the request. (Same reasoning as the
+// extension's pii-pipeline.)
+
+import { createVault, redactText, detectEntities, effectiveTier, gatedDictionary } from 'chatpanel-pii';
+
+// tier: 'basic' | 'full'. For 'full' we run the local detector over the combined
+// text to harvest names/orgs, then redact every segment against that entity set.
+// `isPro` applies the SAME free/Pro gating as the extension (shared package):
+// free → deterministic 'basic' tier + a capped dictionary; Pro → full tier.
+export async function redactSegments(segments, redactionCfg, { signal, isPro = true } = {}) {
+  const vault = createVault();
+  const texts = segments.map((s) => s.get()).filter((t) => typeof t === 'string' && t);
+  if (texts.length === 0) return { vault, count: 0 };
+
+  // effectiveTier downgrades 'full'→'basic' for free; gatedDictionary trims to the
+  // free limit. This reuses chatpanel-pii's gating so the gateway and extension
+  // enforce free/Pro identically.
+  const tier = effectiveTier({ tier: redactionCfg.tier }, isPro);
+  const dictionary = gatedDictionary(redactionCfg, isPro);
+
+  let entities = [];
+  if (tier === 'full' && redactionCfg.detection?.backend && redactionCfg.detection.backend !== 'off') {
+    // One detection pass over the joined text — the detector is cached + fail-open,
+    // so a slow/broken NER service never blocks the request (deterministic layer
+    // still runs).
+    try {
+      entities = await detectEntities(texts.join('\n\n'), { detection: redactionCfg.detection }, { signal });
+    } catch {
+      entities = [];
+    }
+  }
+
+  const opts = { tier, entities, dictionary };
+
+  let count = 0;
+  for (const seg of segments) {
+    const before = seg.get();
+    if (typeof before !== 'string' || !before) continue;
+    const after = redactText(before, vault, opts);
+    if (after !== before) count++;
+    seg.set(after);
+  }
+  return { vault, count };
+}
+
+// A `segment` is a tiny getter/setter over wherever the text lives in the parsed
+// request body, so we can redact in place without rebuilding the structure.
+export function segment(getter, setter) {
+  return { get: getter, set: setter };
+}

package/src/responses.js

@@ -0,0 +1,74 @@
+// OpenAI Responses API adapter: /v1/responses (what the Codex CLI and newer
+// OpenAI SDKs use — a different body shape from chat/completions). Without this,
+// Codex traffic would pass through un-redacted. Forwarded to the OpenAI upstream.
+
+import { segment } from './redact.js';
+import { restoreDeep } from './stream.js';
+
+export function matches(pathname) {
+  return /\/responses$/.test(pathname);
+}
+
+// Redactable text in a Responses request lives in `instructions` (system) and
+// `input` (a string, or an array of items whose content parts carry text).
+function collectInputItem(item, segs) {
+  if (!item || typeof item !== 'object') return;
+  if (typeof item.content === 'string') {
+    segs.push(segment(() => item.content, (v) => { item.content = v; }));
+  } else if (Array.isArray(item.content)) {
+    for (const part of item.content) {
+      if (part && typeof part.text === 'string' && /text$/.test(part.type || 'text')) {
+        segs.push(segment(() => part.text, (v) => { part.text = v; }));
+      }
+    }
+  }
+  // function_call_output items carry a plain `output` string.
+  if (typeof item.output === 'string') {
+    segs.push(segment(() => item.output, (v) => { item.output = v; }));
+  }
+}
+
+export function collectSegments(body, redactionCfg) {
+  const segs = [];
+  if (redactionCfg.redactSystem !== false && typeof body?.instructions === 'string') {
+    segs.push(segment(() => body.instructions, (v) => { body.instructions = v; }));
+  }
+  if (typeof body?.input === 'string') {
+    segs.push(segment(() => body.input, (v) => { body.input = v; }));
+  } else if (Array.isArray(body?.input)) {
+    for (const item of body.input) collectInputItem(item, segs);
+  }
+  return segs;
+}
+
+// Extract the conversation for the bridge backend. Responses carries the system
+// prompt as `instructions` and the turn as `input` (string or item array).
+export function toTurn(body) {
+  const system = typeof body?.instructions === 'string' ? body.instructions : '';
+  let messages = [];
+  if (typeof body?.input === 'string') {
+    messages = [{ role: 'user', content: body.input }];
+  } else if (Array.isArray(body?.input)) {
+    messages = body.input.map((it) => ({
+      role: it?.role || 'user',
+      content: it?.content != null ? it.content : (typeof it?.output === 'string' ? it.output : ''),
+    }));
+  }
+  return { messages, system };
+}
+
+// Restore a buffered response: output[].content[].text, function_call args, and
+// the `output_text` convenience field some SDKs add.
+export function restoreResponse(json, vault) {
+  if (typeof json?.output_text === 'string') json.output_text = restoreDeep(json.output_text, vault);
+  for (const item of json?.output || []) {
+    if (!item) continue;
+    if (Array.isArray(item.content)) {
+      for (const part of item.content) {
+        if (part && typeof part.text === 'string') part.text = restoreDeep(part.text, vault);
+      }
+    }
+    if (typeof item.arguments === 'string') item.arguments = restoreDeep(item.arguments, vault);
+  }
+  return json;
+}

package/src/server.js

@@ -0,0 +1,297 @@
+// ChatPanel Privacy Gateway — a localhost server that redacts PII out of every
+// LLM request, then restores the placeholders in the reply. The model only ever
+// sees [[PERSON_1]] / [[EMAIL_2]] — the real values never leave the machine.
+//
+// Two backends (see config.js):
+//   'bridge' — drive the ChatPanel bridge's subscription-authed CLI agents
+//              (codex/claude/opencode/pi). This is the privacy-bridge-between-
+//              agents path: opencode → gateway (redact) → bridge → codex → restore.
+//   'api'    — forward redacted traffic to a native provider API (local models,
+//              BYO keys). The client's own auth header is passed through verbatim.
+//
+//   GET  /health               → { ok, version, backend, tier }
+//   GET  /v1/models            → list the agent(s) this gateway exposes
+//   POST /v1/chat/completions   → OpenAI protocol
+//   POST /v1/responses          → OpenAI Responses protocol (Codex)
+//   POST /v1/messages           → Anthropic protocol
+//
+// Binds 127.0.0.1 only and enforces a loopback Host (anti DNS-rebinding).
+
+import { createServer } from 'node:http';
+import { loadConfig } from './config.js';
+import { redactSegments } from './redact.js';
+import { pipeRestoredStream, makeTokenRestorer } from './stream.js';
+import { restoreText } from 'chatpanel-pii';
+import { streamBridgeChat, readBridgeToken } from './bridge.js';
+import { shaperFor } from './shape.js';
+import { startNer } from './ner.js';
+import { resolvePro, meter, usage } from './freegate.js';
+import { publicConfig, applyConfigPatch, persistConfig, configPath } from './configstore.js';
+import * as openai from './openai.js';
+import * as responses from './responses.js';
+import * as anthropic from './anthropic.js';
+
+export const VERSION = '0.1.0';
+
+const KNOWN_AGENTS = new Set(['codex', 'claude', 'opencode', 'pi', 'kiro', 'antigravity']);
+
+const HOP_BY_HOP = new Set([
+  'host', 'connection', 'content-length', 'transfer-encoding',
+  'accept-encoding', 'content-encoding', 'keep-alive',
+]);
+
+function isLoopbackHost(host) {
+  if (!host) return false;
+  const name = host.replace(/:\d+$/, '').replace(/^\[|\]$/g, '');
+  return name === 'localhost' || name === '127.0.0.1' || name === '::1';
+}
+
+// Local CLI clients send no Origin; browsers always do. We allow the trusted
+// local UIs (the ChatPanel extension + localhost) and anything the operator
+// allowlists — and reject every other web origin, so a malicious page can't drive
+// the gateway (and thus codex). Mirrors the bridge's origin model.
+function originAllowed(origin, cfg) {
+  if (!origin) return true; // no Origin → a local process (opencode/codex/SDK)
+  if (/^chrome-extension:\/\//.test(origin) || /^moz-extension:\/\//.test(origin)) return true;
+  if (/^http:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/.test(origin)) return true;
+  return Array.isArray(cfg.allowedOrigins) && cfg.allowedOrigins.includes(origin);
+}
+
+function setCors(res, origin) {
+  res.setHeader('Access-Control-Allow-Origin', origin || '*');
+  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-ChatPanel-Token');
+  res.setHeader('Vary', 'Origin');
+}
+
+const STARTED_AT = Date.now();
+
+// Classify a request: which protocol kind + adapter, whether it's a redactable
+// chat endpoint, and (api backend) which upstream base URL.
+function route(pathname, headers, cfg) {
+  if (anthropic.matches(pathname) || 'anthropic-version' in headers) {
+    return { kind: 'anthropic', adapter: anthropic, redactable: anthropic.matches(pathname), base: cfg.upstreams.anthropic.baseUrl };
+  }
+  if (responses.matches(pathname)) {
+    return { kind: 'responses', adapter: responses, redactable: true, base: cfg.upstreams.openai.baseUrl };
+  }
+  return { kind: 'openai', adapter: openai, redactable: openai.matches(pathname), base: cfg.upstreams.openai.baseUrl };
+}
+
+function pickAgent(model, cfg) {
+  return KNOWN_AGENTS.has(model) ? model : cfg.bridge.agent;
+}
+
+async function readBody(req, maxBytes) {
+  const chunks = [];
+  let size = 0;
+  for await (const c of req) {
+    size += c.length;
+    if (maxBytes && size > maxBytes) { const e = new Error('payload too large'); e.code = 413; throw e; }
+    chunks.push(c);
+  }
+  return Buffer.concat(chunks);
+}
+
+function sendJson(res, status, obj) {
+  res.writeHead(status, { 'content-type': 'application/json' });
+  res.end(JSON.stringify(obj));
+}
+
+function forwardHeaders(headers, base) {
+  const out = {};
+  for (const [k, v] of Object.entries(headers)) {
+    if (!HOP_BY_HOP.has(k.toLowerCase())) out[k] = v;
+  }
+  out['accept-encoding'] = 'identity'; // must read plain text to restore tokens
+  try { out.host = new URL(base).host; } catch { /* leave unset */ }
+  return out;
+}
+
+// ---- backend: bridge -------------------------------------------------------
+
+async function handleBridge(req, res, { kind, adapter, redactable, pathname }, body, vault, cfg) {
+  if (!redactable) {
+    if (/\/models$/.test(pathname)) {
+      const agents = [...new Set([cfg.bridge.agent, 'codex', 'claude', 'opencode', 'pi'])];
+      return sendJson(res, 200, { object: 'list', data: agents.map((id) => ({ id, object: 'model', owned_by: 'chatpanel-bridge' })) });
+    }
+    return sendJson(res, 404, { error: `endpoint ${pathname} not supported by the bridge backend` });
+  }
+
+  const { messages, system } = adapter.toTurn(body);
+  const agent = pickAgent(body?.model, cfg);
+  const wantStream = body?.stream === true;
+  const shaper = shaperFor(kind, body?.model || agent);
+  const token = readBridgeToken(cfg.bridge.token);
+  const ac = new AbortController();
+  req.on('close', () => ac.abort());
+
+  const turn = { bridgeUrl: cfg.bridge.url, agent, token, messages, system, signal: ac.signal };
+
+  if (!wantStream) {
+    try {
+      let full = '';
+      await streamBridgeChat(turn, (t) => { full += t; });
+      res.writeHead(200, { 'content-type': shaper.contentType });
+      return res.end(shaper.full(restoreText(full, vault)));
+    } catch (e) {
+      return sendJson(res, 502, { error: { message: `bridge backend failed: ${e.message}`, type: 'bridge_error' } });
+    }
+  }
+
+  res.writeHead(200, { 'content-type': 'text/event-stream', 'cache-control': 'no-cache', connection: 'keep-alive' });
+  res.write(shaper.sseHead());
+  const restorer = makeTokenRestorer(vault);
+  try {
+    await streamBridgeChat(turn, (chunk) => {
+      const restored = restorer.push(chunk);
+      if (restored) res.write(shaper.sseDelta(restored));
+    });
+    const tail = restorer.flush();
+    if (tail) res.write(shaper.sseDelta(tail));
+    res.write(shaper.sseTail());
+  } catch (e) {
+    res.write(`data: ${JSON.stringify({ error: { message: e.message, type: 'bridge_error' } })}\n\n`);
+  }
+  res.end();
+}
+
+// ---- backend: api ----------------------------------------------------------
+
+async function handleApi(req, res, { adapter, pathname, search, base }, outBody, vault) {
+  let upstream;
+  try {
+    upstream = await fetch(base.replace(/\/$/, '') + pathname + search, {
+      method: req.method,
+      headers: forwardHeaders(req.headers, base),
+      body: ['GET', 'HEAD'].includes(req.method) ? undefined : outBody,
+    });
+  } catch (e) {
+    return sendJson(res, 502, { error: `upstream fetch failed: ${e.message}` });
+  }
+
+  const ct = upstream.headers.get('content-type') || '';
+  const resHeaders = {};
+  upstream.headers.forEach((v, k) => { if (!HOP_BY_HOP.has(k.toLowerCase())) resHeaders[k] = v; });
+
+  if (ct.includes('text/event-stream') && upstream.body) {
+    res.writeHead(upstream.status, resHeaders);
+    return pipeRestoredStream(upstream.body, res, vault);
+  }
+
+  const buf = Buffer.from(await upstream.arrayBuffer());
+  if (vault && ct.includes('application/json')) {
+    try {
+      const json = adapter.restoreResponse(JSON.parse(buf.toString('utf8')), vault);
+      res.writeHead(upstream.status, { ...resHeaders, 'content-type': 'application/json' });
+      return res.end(Buffer.from(JSON.stringify(json), 'utf8'));
+    } catch { /* fall through */ }
+  }
+  res.writeHead(upstream.status, resHeaders);
+  res.end(buf);
+}
+
+// ---- server ----------------------------------------------------------------
+
+export function createGateway(cfg = loadConfig()) {
+  return createServer(async (req, res) => {
+    const url = new URL(req.url, 'http://127.0.0.1');
+    const pathname = url.pathname;
+
+    if (!isLoopbackHost(req.headers.host)) return sendJson(res, 403, { error: 'loopback only' });
+    if (!originAllowed(req.headers.origin, cfg)) return sendJson(res, 403, { error: 'origin not allowed' });
+
+    // CORS for the trusted local UIs (extension/localhost). Preflight ends here.
+    if (req.headers.origin) setCors(res, req.headers.origin);
+    if (req.method === 'OPTIONS') { res.writeHead(204); return res.end(); }
+
+    if (req.method === 'GET' && pathname === '/health') {
+      return sendJson(res, 200, { ok: true, version: VERSION, backend: cfg.backend, tier: cfg.redaction.tier });
+    }
+
+    // --- Config API (the extension's "Gateway" tab is a client of these) ---
+    if (pathname === '/status' && req.method === 'GET') {
+      const proUnlocked = await resolvePro(cfg.pro?.entitlementToken);
+      const nerOn = cfg.redaction?.detection?.backend && cfg.redaction.detection.backend !== 'off';
+      return sendJson(res, 200, {
+        ok: true, version: VERSION, backend: cfg.backend, tier: cfg.redaction.tier,
+        ner: { autostart: !!cfg.ner?.autostart, ready: !!nerOn },
+        pro: { unlocked: proUnlocked }, usage: usage(cfg),
+        uptimeSeconds: Math.floor((Date.now() - STARTED_AT) / 1000),
+      });
+    }
+    if (pathname === '/config' && req.method === 'GET') {
+      const proUnlocked = await resolvePro(cfg.pro?.entitlementToken);
+      return sendJson(res, 200, publicConfig(cfg, { proUnlocked }));
+    }
+    if (pathname === '/config' && req.method === 'POST') {
+      let patch = null;
+      try { patch = JSON.parse((await readBody(req, cfg.maxBodyBytes)).toString('utf8')); } catch { patch = null; }
+      if (!patch || typeof patch !== 'object') return sendJson(res, 400, { error: 'invalid config patch' });
+      applyConfigPatch(cfg, patch);
+      try { persistConfig(cfg, configPath()); } catch (e) { return sendJson(res, 500, { error: `could not persist config: ${e.message}` }); }
+      const proUnlocked = await resolvePro(cfg.pro?.entitlementToken);
+      return sendJson(res, 200, publicConfig(cfg, { proUnlocked }));
+    }
+
+    const r = route(pathname, req.headers, cfg);
+    let raw;
+    try {
+      raw = await readBody(req, cfg.maxBodyBytes);
+    } catch (e) {
+      sendJson(res, e.code === 413 ? 413 : 400, { error: e.code === 413 ? 'payload too large' : 'bad request' });
+      req.destroy(); // stop reading an oversized/aborted upload; don't leave the socket half-open
+      return;
+    }
+
+    // Redact the request body for the known chat endpoints.
+    let vault = null;
+    let body = null;
+    let outBody = raw;
+    if (r.redactable && req.method === 'POST' && raw.length) {
+      try { body = JSON.parse(raw.toString('utf8')); } catch { body = null; }
+      if (body) {
+        // Free/Pro gate: meter the request and pick the effective tier.
+        const isPro = await resolvePro(cfg.pro?.entitlementToken);
+        const allow = meter(cfg, isPro);
+        if (!allow.allowed) {
+          return sendJson(res, 402, { error: {
+            message: `ChatPanel Gateway free limit reached (${allow.cap}/day). Add a ChatPanel Pro entitlement token to unlock unlimited usage + full-tier redaction (names/orgs).`,
+            type: 'free_limit_reached',
+          } });
+        }
+        const segs = r.adapter.collectSegments(body, cfg.redaction);
+        const ac = new AbortController();
+        req.on('close', () => ac.abort());
+        const { vault: v, count } = await redactSegments(segs, cfg.redaction, { signal: ac.signal, isPro });
+        vault = v;
+        outBody = Buffer.from(JSON.stringify(body), 'utf8');
+        if (cfg.logRequests) console.log(`[gateway] ${req.method} ${pathname} · redacted ${count}/${segs.length} segment(s) · ${cfg.backend}`);
+      }
+    } else if (cfg.logRequests) {
+      console.log(`[gateway] ${req.method} ${pathname} · ${cfg.backend}`);
+    }
+
+    if (cfg.backend === 'bridge') {
+      return handleBridge(req, res, { ...r, pathname }, body, vault, cfg);
+    }
+    if (!r.base) return sendJson(res, 502, { error: 'no upstream configured' });
+    return handleApi(req, res, { ...r, pathname, search: url.search }, outBody, vault);
+  });
+}
+
+export function start(cfg = loadConfig()) {
+  const server = createGateway(cfg);
+  const ner = startNer(cfg); // may mutate cfg.redaction when it comes up
+  server.listen(cfg.port, cfg.host, () => {
+    console.log(`ChatPanel Privacy Gateway v${VERSION} on http://${cfg.host}:${cfg.port}`);
+    console.log(`  backend  : ${cfg.backend}` + (cfg.backend === 'bridge' ? ` (agent: ${cfg.bridge.agent}, via ${cfg.bridge.url})` : ''));
+    console.log(`  redaction: ${cfg.redaction.tier}` + (cfg.redaction.detection?.backend && cfg.redaction.detection.backend !== 'off'
+      ? ` + ${cfg.redaction.detection.backend} detector` : (cfg.ner?.autostart ? ' (+ NER starting…)' : '')));
+  });
+  const shutdown = () => { ner?.stop(); server.close(() => process.exit(0)); };
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
+  return server;
+}

package/src/service.js

@@ -0,0 +1,145 @@
+// Background auto-start for the ChatPanel Privacy Gateway — same approach as the
+// bridge, so it can run as an always-on login process with no terminal.
+//
+//   chatpanel-gateway --install     register login auto-start + start now
+//   chatpanel-gateway --uninstall   remove it
+//   chatpanel-gateway --status      is it registered?
+//
+// macOS → LaunchAgent · Windows → HKCU Run (hidden VBS) · Linux → systemd user.
+
+import os from 'node:os';
+import path from 'node:path';
+import { mkdirSync, writeFileSync, rmSync, existsSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
+
+const LABEL = 'net.chatpanel.gateway';
+const DISPLAY = 'ChatPanel Privacy Gateway';
+
+// The command that launches THIS gateway. A compiled single-file binary launches
+// itself; running under node launches the interpreter + the bin entry.
+export function resolveLaunch() {
+  const exe = process.execPath;
+  const base = path.basename(exe).toLowerCase();
+  const underInterpreter = base.startsWith('node') || base.startsWith('bun');
+  if (underInterpreter && process.argv[1]) {
+    return { program: exe, args: [path.resolve(process.argv[1])] };
+  }
+  return { program: exe, args: [] };
+}
+
+function logPaths() {
+  const dir = path.join(os.homedir(), '.chatpanel');
+  mkdirSync(dir, { recursive: true });
+  return { out: path.join(dir, 'gateway.log'), err: path.join(dir, 'gateway.err.log') };
+}
+
+function run(cmd, args, opts = {}) {
+  return spawnSync(cmd, args, { encoding: 'utf8', ...opts });
+}
+
+// ---------------------------------------------------------------- macOS
+const macPlist = () => path.join(os.homedir(), 'Library', 'LaunchAgents', `${LABEL}.plist`);
+
+function macInstall() {
+  const { program, args } = resolveLaunch();
+  const { out, err } = logPaths();
+  const progArgs = [program, ...args].map((a) => `      <string>${a}</string>`).join('\n');
+  const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>Label</key><string>${LABEL}</string>
+    <key>ProgramArguments</key>
+    <array>
+${progArgs}
+    </array>
+    <key>RunAtLoad</key><true/>
+    <key>KeepAlive</key><true/>
+    <key>StandardOutPath</key><string>${out}</string>
+    <key>StandardErrorPath</key><string>${err}</string>
+  </dict>
+</plist>
+`;
+  const p = macPlist();
+  mkdirSync(path.dirname(p), { recursive: true });
+  writeFileSync(p, plist);
+  run('launchctl', ['unload', p]);
+  const r = run('launchctl', ['load', '-w', p]);
+  if (r.status !== 0) throw new Error((r.stderr || '').trim() || 'launchctl load failed');
+}
+function macUninstall() {
+  const p = macPlist();
+  run('launchctl', ['unload', '-w', p]);
+  if (existsSync(p)) rmSync(p);
+}
+function macStatus() {
+  return (run('launchctl', ['list']).stdout || '').includes(LABEL);
+}
+
+// ---------------------------------------------------------------- Windows
+const WIN_RUN_KEY = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run';
+const WIN_RUN_NAME = 'ChatPanelGateway';
+const winVbs = () => path.join(os.homedir(), '.chatpanel', 'gateway-launch.vbs');
+
+function winInstall() {
+  const { program, args } = resolveLaunch();
+  const parts = [program, ...args].map((p) => `""${p}""`).join(' ');
+  const vbs = winVbs();
+  mkdirSync(path.dirname(vbs), { recursive: true });
+  writeFileSync(vbs, `CreateObject("WScript.Shell").Run "${parts}", 0, False\r\n`);
+  const r = run('reg', ['add', WIN_RUN_KEY, '/v', WIN_RUN_NAME, '/t', 'REG_SZ', '/d', `wscript.exe "${vbs}"`, '/f']);
+  if (r.status !== 0) throw new Error((r.stderr || '').trim() || 'reg add failed');
+  run('wscript.exe', [vbs]);
+}
+function winUninstall() {
+  run('reg', ['delete', WIN_RUN_KEY, '/v', WIN_RUN_NAME, '/f']);
+  run('taskkill', ['/IM', 'chatpanel-gateway.exe', '/F']);
+}
+function winStatus() {
+  return run('reg', ['query', WIN_RUN_KEY, '/v', WIN_RUN_NAME]).status === 0;
+}
+
+// ---------------------------------------------------------------- Linux (systemd user)
+const linUnit = () => path.join(os.homedir(), '.config', 'systemd', 'user', 'chatpanel-gateway.service');
+
+function linInstall() {
+  const { program, args } = resolveLaunch();
+  const exec = [program, ...args].map((a) => (/\s/.test(a) ? `"${a}"` : a)).join(' ');
+  const unit = `[Unit]
+Description=${DISPLAY}
+After=network.target
+
+[Service]
+ExecStart=${exec}
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
+`;
+  const p = linUnit();
+  mkdirSync(path.dirname(p), { recursive: true });
+  writeFileSync(p, unit);
+  run('systemctl', ['--user', 'daemon-reload']);
+  const r = run('systemctl', ['--user', 'enable', '--now', 'chatpanel-gateway']);
+  if (r.status !== 0) throw new Error((r.stderr || '').trim() || 'systemctl enable failed');
+}
+function linUninstall() {
+  run('systemctl', ['--user', 'disable', '--now', 'chatpanel-gateway']);
+  const p = linUnit();
+  if (existsSync(p)) rmSync(p);
+}
+function linStatus() {
+  return (run('systemctl', ['--user', 'is-enabled', 'chatpanel-gateway']).stdout || '').trim() === 'enabled';
+}
+
+// ---------------------------------------------------------------- dispatch
+function byPlatform(mac, win, lin) {
+  if (process.platform === 'darwin') return mac();
+  if (process.platform === 'win32') return win();
+  if (process.platform === 'linux') return lin();
+  throw new Error(`Auto-start isn't supported on ${process.platform} yet — run the gateway directly.`);
+}
+
+export function installService() { return byPlatform(macInstall, winInstall, linInstall); }
+export function uninstallService() { return byPlatform(macUninstall, winUninstall, linUninstall); }
+export function serviceStatus() { return byPlatform(macStatus, winStatus, linStatus); }

package/src/shape.js

@@ -0,0 +1,97 @@
+// Shape bridge text (already restored) into each client protocol — both a
+// non-streaming body and an SSE event sequence. Used only by the bridge backend,
+// where the gateway synthesizes the provider response itself.
+//
+// Each shaper exposes:
+//   contentType            'application/json' | 'text/event-stream'
+//   full(text)        -> string   non-streaming JSON body
+//   sseHead()         -> string   opening SSE events (may be '')
+//   sseDelta(text)    -> string   one chunk of text
+//   sseTail()         -> string   closing SSE events
+
+function id(prefix) {
+  // Runtime (not a workflow) — Date.now()/random are fine here.
+  return `${prefix}_${Date.now().toString(36)}${Math.random().toString(36).slice(2, 10)}`;
+}
+const now = () => Math.floor(Date.now() / 1000);
+const sse = (obj) => `data: ${JSON.stringify(obj)}\n\n`;
+const event = (name, obj) => `event: ${name}\n` + sse(obj);
+
+export function openaiChat(model) {
+  const rid = id('chatcmpl');
+  const base = { id: rid, object: 'chat.completion.chunk', created: now(), model };
+  return {
+    contentType: 'application/json',
+    full(text) {
+      return JSON.stringify({
+        id: rid, object: 'chat.completion', created: now(), model,
+        choices: [{ index: 0, message: { role: 'assistant', content: text }, finish_reason: 'stop' }],
+        usage: {},
+      });
+    },
+    sseHead() {
+      return sse({ ...base, choices: [{ index: 0, delta: { role: 'assistant' }, finish_reason: null }] });
+    },
+    sseDelta(text) {
+      return sse({ ...base, choices: [{ index: 0, delta: { content: text }, finish_reason: null }] });
+    },
+    sseTail() {
+      return sse({ ...base, choices: [{ index: 0, delta: {}, finish_reason: 'stop' }] }) + 'data: [DONE]\n\n';
+    },
+  };
+}
+
+export function openaiResponses(model) {
+  const rid = id('resp');
+  return {
+    contentType: 'application/json',
+    full(text) {
+      return JSON.stringify({
+        id: rid, object: 'response', created_at: now(), model, status: 'completed',
+        output: [{ id: id('msg'), type: 'message', role: 'assistant', content: [{ type: 'output_text', text }] }],
+        output_text: text,
+      });
+    },
+    sseHead() {
+      return event('response.created', { type: 'response.created', response: { id: rid, status: 'in_progress', model } });
+    },
+    sseDelta(text) {
+      return event('response.output_text.delta', { type: 'response.output_text.delta', delta: text });
+    },
+    sseTail() {
+      return event('response.completed', { type: 'response.completed', response: { id: rid, status: 'completed', model } });
+    },
+  };
+}
+
+export function anthropicMessages(model) {
+  const rid = id('msg');
+  return {
+    contentType: 'application/json',
+    full(text) {
+      return JSON.stringify({
+        id: rid, type: 'message', role: 'assistant', model,
+        content: [{ type: 'text', text }], stop_reason: 'end_turn', stop_sequence: null, usage: {},
+      });
+    },
+    sseHead() {
+      return event('message_start', { type: 'message_start', message: { id: rid, type: 'message', role: 'assistant', model, content: [], stop_reason: null, usage: {} } })
+        + event('content_block_start', { type: 'content_block_start', index: 0, content_block: { type: 'text', text: '' } });
+    },
+    sseDelta(text) {
+      return event('content_block_delta', { type: 'content_block_delta', index: 0, delta: { type: 'text_delta', text } });
+    },
+    sseTail() {
+      return event('content_block_stop', { type: 'content_block_stop', index: 0 })
+        + event('message_delta', { type: 'message_delta', delta: { stop_reason: 'end_turn' }, usage: {} })
+        + event('message_stop', { type: 'message_stop' });
+    },
+  };
+}
+
+// Pick a shaper for a parsed request + its adapter name.
+export function shaperFor(kind, model) {
+  if (kind === 'anthropic') return anthropicMessages(model);
+  if (kind === 'responses') return openaiResponses(model);
+  return openaiChat(model);
+}