fbi-proxy 1.14.0 → 1.16.0

package/rs/tls.rs

@@ -0,0 +1,243 @@
+//! Self-signed TLS support for `--tls` mode (Phase 1: no system trust
+//! install). Generates a self-signed certificate for the configured
+//! domain (with `*.<domain>` SAN) and persists it under
+//! `~/.config/fbi-proxy/certs/` so the same fingerprint survives
+//! restarts — browsers can "remember the exception" once.
+//!
+//! The browser warning is expected in this phase. Use Phase 2
+//! (`fbi-proxy trust`) to install a local CA into the system trust
+//! store for a clean lock-icon experience.
+
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+
+use rcgen::{CertificateParams, DnType, DistinguishedName, KeyPair, SanType};
+use tokio_rustls::TlsAcceptor;
+use tokio_rustls::rustls::ServerConfig;
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject};
+
+pub type BoxError = Box<dyn std::error::Error + Send + Sync>;
+
+/// Where on-disk certs live. Layout: `{base}/certs/{domain}.{pem,key}`.
+pub fn default_cert_dir() -> PathBuf {
+    let base = std::env::var_os("XDG_CONFIG_HOME")
+        .map(PathBuf::from)
+        .or_else(|| std::env::var_os("HOME").map(|h| PathBuf::from(h).join(".config")))
+        .unwrap_or_else(|| PathBuf::from("."));
+    base.join("fbi-proxy").join("certs")
+}
+
+/// Path to the cert file for a given domain (sibling `.key` lives at
+/// the same stem). Use this when you need to install the cert into a
+/// system trust store after `build_acceptor` has materialized it.
+pub fn cert_pem_path(domain: &str, cert_dir: &Path) -> PathBuf {
+    let slug = if domain.is_empty() { "localhost" } else { domain };
+    cert_dir.join(format!("{slug}.pem"))
+}
+
+/// Whether the given cert is currently a trusted anchor on this
+/// system. Returns `false` if the check itself can't be performed
+/// (unsupported platform, missing tool) — callers should treat that
+/// as "no, attempt install."
+pub fn is_trusted(cert_path: &Path) -> bool {
+    #[cfg(target_os = "macos")]
+    {
+        std::process::Command::new("security")
+            .args(["verify-cert", "-c"])
+            .arg(cert_path)
+            .stdout(std::process::Stdio::null())
+            .stderr(std::process::Stdio::null())
+            .status()
+            .map(|s| s.success())
+            .unwrap_or(false)
+    }
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = cert_path;
+        false
+    }
+}
+
+/// Install `cert_path` as a trusted root anchor in the system trust
+/// store. Idempotent — checks `is_trusted` first and returns `Ok(false)`
+/// if no install was performed.
+///
+/// Requires root on macOS (writes to `/Library/Keychains/System.keychain`).
+/// On other platforms this is a no-op for now (Linux / Windows is a
+/// follow-up — see TODO.md).
+pub fn install_to_system_trust(cert_path: &Path) -> Result<bool, BoxError> {
+    if is_trusted(cert_path) {
+        return Ok(false);
+    }
+
+    #[cfg(target_os = "macos")]
+    {
+        log::info!("installing {} to System.keychain", cert_path.display());
+        let status = std::process::Command::new("security")
+            .args([
+                "add-trusted-cert",
+                "-d",
+                "-r",
+                "trustRoot",
+                "-k",
+                "/Library/Keychains/System.keychain",
+            ])
+            .arg(cert_path)
+            .status()?;
+        if !status.success() {
+            return Err(format!(
+                "security add-trusted-cert failed (exit {:?}); needs root (sudo)",
+                status.code(),
+            )
+            .into());
+        }
+        Ok(true)
+    }
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = cert_path;
+        log::warn!("auto-trust-install: only macOS supported in this build");
+        Ok(false)
+    }
+}
+
+/// Build a `TlsAcceptor` for the given domain, reusing a persisted
+/// cert if one exists or generating + writing a fresh one if not.
+///
+/// `domain` is the apex (e.g. `"fbi.com"`); the cert SAN includes both
+/// the apex and `*.{domain}` so any subdomain validates. If `domain`
+/// is empty or `"localhost"`, only `localhost` + `127.0.0.1` are
+/// covered.
+pub fn build_acceptor(domain: &str, cert_dir: &Path) -> Result<TlsAcceptor, BoxError> {
+    let (cert_pem, key_pem) = load_or_generate(domain, cert_dir)?;
+
+    let cert_chain: Vec<CertificateDer<'static>> = CertificateDer::pem_slice_iter(cert_pem.as_bytes())
+        .collect::<Result<Vec<_>, _>>()?;
+    let key = PrivateKeyDer::from_pem_slice(key_pem.as_bytes())?;
+
+    let config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key)?;
+
+    Ok(TlsAcceptor::from(Arc::new(config)))
+}
+
+fn load_or_generate(domain: &str, cert_dir: &Path) -> Result<(String, String), BoxError> {
+    let slug = if domain.is_empty() { "localhost" } else { domain };
+    let cert_path = cert_dir.join(format!("{slug}.pem"));
+    let key_path = cert_dir.join(format!("{slug}.key"));
+
+    if cert_path.exists() && key_path.exists() {
+        let cert = std::fs::read_to_string(&cert_path)?;
+        let key = std::fs::read_to_string(&key_path)?;
+        return Ok((cert, key));
+    }
+
+    let (cert_pem, key_pem) = generate_self_signed(domain)?;
+    std::fs::create_dir_all(cert_dir)?;
+    std::fs::write(&cert_path, &cert_pem)?;
+    // 0600 on the key — std::fs::write opens 0644 by default
+    write_private(&key_path, key_pem.as_bytes())?;
+
+    Ok((cert_pem, key_pem))
+}
+
+#[cfg(unix)]
+fn write_private(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
+    use std::io::Write;
+    use std::os::unix::fs::OpenOptionsExt;
+    let mut f = std::fs::OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .mode(0o600)
+        .open(path)?;
+    f.write_all(bytes)?;
+    Ok(())
+}
+
+#[cfg(not(unix))]
+fn write_private(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
+    std::fs::write(path, bytes)
+}
+
+/// Generate a SAN-only self-signed cert valid for ~1 year. Returns
+/// `(cert_pem, key_pem)`. The Common Name is intentionally left blank
+/// — modern browsers ignore CN and only honor SAN entries.
+pub fn generate_self_signed(domain: &str) -> Result<(String, String), BoxError> {
+    let mut sans: Vec<SanType> = Vec::new();
+    if domain.is_empty() || domain == "localhost" {
+        sans.push(SanType::DnsName("localhost".try_into()?));
+        sans.push(SanType::IpAddress("127.0.0.1".parse()?));
+    } else {
+        sans.push(SanType::DnsName(domain.try_into()?));
+        sans.push(SanType::DnsName(format!("*.{domain}").try_into()?));
+    }
+
+    let mut params = CertificateParams::default();
+    params.subject_alt_names = sans;
+
+    // Browsers ignore CN, but a non-empty DN avoids some tooling
+    // warnings. Use OrganizationName so the CN stays empty.
+    let mut dn = DistinguishedName::new();
+    dn.push(DnType::OrganizationName, "fbi-proxy (self-signed)");
+    params.distinguished_name = dn;
+
+    let now = time::OffsetDateTime::now_utc();
+    params.not_before = now - time::Duration::days(1);
+    params.not_after = now + time::Duration::days(365);
+
+    let key_pair = KeyPair::generate()?;
+    let cert = params.self_signed(&key_pair)?;
+
+    Ok((cert.pem(), key_pair.serialize_pem()))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn generates_pem_with_domain_san() {
+        let (cert, key) = generate_self_signed("fbi.com").unwrap();
+        assert!(cert.contains("BEGIN CERTIFICATE"));
+        assert!(key.contains("BEGIN PRIVATE KEY"));
+
+        // Parse the cert and check SAN entries
+        let der = CertificateDer::pem_slice_iter(cert.as_bytes())
+            .next()
+            .unwrap()
+            .unwrap();
+        // We don't fully x509-parse here — but the cert+key should be
+        // accepted by rustls' single-cert builder, which is what the
+        // real server uses. That's the real-world contract.
+        let key_der = PrivateKeyDer::from_pem_slice(key.as_bytes()).unwrap();
+        let config = ServerConfig::builder()
+            .with_no_client_auth()
+            .with_single_cert(vec![der], key_der);
+        assert!(config.is_ok(), "rustls should accept generated cert+key");
+    }
+
+    #[test]
+    fn generates_for_localhost_fallback() {
+        let (cert, _key) = generate_self_signed("").unwrap();
+        assert!(cert.contains("BEGIN CERTIFICATE"));
+    }
+
+    #[test]
+    fn load_or_generate_round_trips_persisted_certs() {
+        let tmp = std::env::temp_dir().join(format!(
+            "fbi-tls-test-{}",
+            std::process::id()
+        ));
+        let _ = std::fs::remove_dir_all(&tmp);
+
+        let (cert1, key1) = load_or_generate("test.dev", &tmp).unwrap();
+        // Second call should return the same content (loaded from disk)
+        let (cert2, key2) = load_or_generate("test.dev", &tmp).unwrap();
+        assert_eq!(cert1, cert2);
+        assert_eq!(key1, key2);
+
+        let _ = std::fs::remove_dir_all(&tmp);
+    }
+}

package/ts/auth/authConfig.ts

@@ -10,15 +10,21 @@ export type FirebaseSubConfig = {
   authDomain?: string;
 };
 
+export type LocalSubConfig = {
+  email: string;
+  name?: string;
+};
+
 export type AuthConfigShape = {
   version: 1;
   domain: string;
   cookieDomain: string;
   ssoHost: string;
-  provider: "google" | "firebase" | "snolab";
+  provider: "google" | "firebase" | "snolab" | "local";
   clientId?: string;
   clientSecret?: string;
   firebase?: FirebaseSubConfig;
+  local?: LocalSubConfig;
   sessionSecret: string;
   allowlist: {
     emails?: string[];
@@ -63,10 +69,16 @@ export function configFromEnv(domain: string): AuthConfigShape | null {
     (process.env.FBI_AUTH_PROVIDER as AuthConfigShape["provider"]) ?? "google";
   const clientId = process.env.FBI_AUTH_CLIENT_ID;
   const firebaseProjectId = process.env.FBI_AUTH_FIREBASE_PROJECT_ID;
+  const localUser = process.env.FBI_AUTH_LOCAL_USER;
 
   if (provider === "firebase") {
     if (!firebaseProjectId) return null;
+  } else if (provider === "snolab") {
+    // snolab uses baked-in defaults; nothing required beyond the provider name
+  } else if (provider === "local") {
+    if (!localUser) return null;
   } else {
+    // google (default)
     if (!clientId) return null;
   }
 
@@ -86,6 +98,12 @@ export function configFromEnv(domain: string): AuthConfigShape | null {
           authDomain: process.env.FBI_AUTH_FIREBASE_AUTH_DOMAIN,
         }
       : undefined,
+    local: localUser
+      ? {
+          email: localUser,
+          name: process.env.FBI_AUTH_LOCAL_NAME,
+        }
+      : undefined,
     sessionSecret:
       process.env.FBI_AUTH_SESSION_SECRET ??
       randomBytes(32).toString("base64url"),

package/ts/cli.ts

@@ -1,4 +1,6 @@
 #!/usr/bin/env bun
+import { existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
 import getPort from "get-port";
 import hotMemo from "hot-memo";
 import path from "path";
@@ -29,6 +31,41 @@ import {
 } from "./auth/spawnCaddy";
 
 const originalCwd = process.cwd();
+
+// Subcommand routing & default behavior
+//
+// `fbi-proxy setup` (or `fbi-proxy` with no escape-hatch flags) runs the
+// one-shot setup orchestrator: registers an oxmgr daemon, generates+trusts
+// a TLS cert, installs a pf :443→:8443 forward, and verifies https://<domain>.
+//
+// Old foreground modes (Caddy, dev, raw TLS, auth wizard) are preserved by
+// flags below — explicit opt-in keeps the existing surface intact for users
+// who rely on it.
+{
+  const rawArgs = hideBin(process.argv);
+  const firstPositional = rawArgs.find((a) => !a.startsWith("-"));
+  const FOREGROUND_FLAGS = [
+    "--dev",
+    "--with-caddy",
+    "--with-auth",
+    "--tls",
+    "--reconfigure",
+  ];
+  const wantsForeground = rawArgs.some((a) =>
+    FOREGROUND_FLAGS.some((f) => a === f || a.startsWith(`${f}=`)),
+  );
+  const hasExplicitPortEnv = !!process.env.FBI_PROXY_PORT;
+  const isSetupCmd = firstPositional === "setup";
+  const isDefault = !firstPositional && !wantsForeground && !hasExplicitPortEnv;
+
+  if (isSetupCmd || isDefault) {
+    const { runSetup } = await import("./setup");
+    const passArgs = rawArgs.filter((a) => a !== "setup");
+    await runSetup(passArgs, { originalCwd });
+    process.exit(0);
+  }
+}
+
 process.chdir(path.resolve(import.meta.dir, ".."));
 
 const argv = await yargs(hideBin(process.argv))
@@ -71,12 +108,33 @@ const argv = await yargs(hideBin(process.argv))
     description:
       "TLS strategy for --with-caddy. 'auto' uses ACME (Let's Encrypt); 'internal' uses Caddy's local CA. Defaults to 'internal' for fbi.com, 'auto' otherwise.",
   })
+  .option("tls", {
+    type: "boolean",
+    default: false,
+    description:
+      "Terminate TLS in the Rust proxy using a self-signed cert (no Caddy). Browser warning expected (Phase 1 — no system trust install). Use with --port 443 + sudo to serve standard HTTPS.",
+  })
   .help().argv;
 
-console.log("Preparing Binaries");
+if (argv.tls && argv["with-caddy"]) {
+  console.error(
+    "[fbi-proxy] --tls and --with-caddy are mutually exclusive (Caddy already terminates TLS).",
+  );
+  process.exit(2);
+}
 
 const FBI_PROXY_PORT =
-  process.env.FBI_PROXY_PORT || String(await getPort({ port: 2432 }));
+  process.env.FBI_PROXY_PORT ||
+  (argv.tls ? "443" : String(await getPort({ port: 2432 })));
+
+if (argv.tls) {
+  await ensureRootIfTlsNeedsIt({
+    domain: argv.domain,
+    port: Number(FBI_PROXY_PORT),
+  });
+}
+
+console.log("Preparing Binaries");
 
 const proxyProcess = await hotMemo(async () => {
   const proxy = await getFbiProxyBinary({ originalCwd });
@@ -85,6 +143,17 @@ const proxyProcess = await hotMemo(async () => {
     env: {
       ...process.env,
       FBI_PROXY_PORT,
+      ...(argv.tls
+        ? {
+            FBI_PROXY_TLS: "true",
+            FBI_PROXY_DOMAIN: argv.domain,
+            // Forward CERT_DIR if the sudo wrapper set it (so the elevated
+            // Rust binary writes to the original user's $HOME, not /var/root)
+            ...(process.env.FBI_PROXY_CERT_DIR
+              ? { FBI_PROXY_CERT_DIR: process.env.FBI_PROXY_CERT_DIR }
+              : {}),
+          }
+        : {}),
     },
   })`${proxy}`.process;
 
@@ -136,6 +205,83 @@ process.on("uncaughtException", (err) => {
   exit();
 });
 
+async function ensureRootIfTlsNeedsIt(opts: {
+  domain: string;
+  port: number;
+}): Promise<void> {
+  if (process.platform !== "darwin") {
+    // Linux/Windows trust install is a follow-up. The Rust side prints a
+    // friendly fallback message if untrusted.
+    return;
+  }
+  if (process.getuid?.() === 0) return;
+
+  const home = process.env.HOME ?? "";
+  const certDir =
+    process.env.FBI_PROXY_CERT_DIR ??
+    path.join(home, ".config/fbi-proxy/certs");
+  const slug = opts.domain || "localhost";
+  const certPath = path.join(certDir, `${slug}.pem`);
+
+  const needsPortBind = opts.port < 1024;
+  const certMissing = !existsSync(certPath);
+  const certUntrusted = !certMissing && !isMacosCertTrusted(certPath);
+  const needsTrustInstall = certMissing || certUntrusted;
+
+  if (!needsPortBind && !needsTrustInstall) return;
+
+  const reasons = [
+    needsPortBind && `bind :${opts.port}`,
+    needsTrustInstall && "install cert to system trust",
+  ]
+    .filter(Boolean)
+    .join(" + ");
+  console.log(`[fbi-proxy] --tls needs root to: ${reasons}`);
+
+  // Preserve HOME and CERT_DIR so the elevated process writes cert/auth
+  // files into the original user's directory, not /var/root.
+  const sudoArgs = [
+    `HOME=${home}`,
+    `FBI_PROXY_CERT_DIR=${certDir}`,
+    process.execPath,
+    ...process.argv.slice(1),
+  ];
+
+  // Prefer terminal sudo when a TTY is attached; otherwise fall back to the
+  // macOS GUI authentication dialog via osascript so non-TTY contexts (agent
+  // shells, oxmgr-spawned children) can still escalate with a single password
+  // prompt instead of erroring out with "a terminal is required".
+  const hasTty = !!process.stdin.isTTY;
+  if (hasTty) {
+    console.log(
+      `[fbi-proxy] re-launching via sudo (terminal password prompt)…`,
+    );
+    const result = spawnSync("sudo", sudoArgs, { stdio: "inherit" });
+    process.exit(result.status ?? 1);
+  }
+
+  console.log(`[fbi-proxy] no TTY — opening macOS authentication dialog…`);
+  const shellCmd = sudoArgs.map(shellQuote).join(" ");
+  const script = `do shell script ${appleScriptQuote(shellCmd)} with administrator privileges`;
+  const result = spawnSync("osascript", ["-e", script], { stdio: "inherit" });
+  process.exit(result.status ?? 1);
+}
+
+function shellQuote(s: string): string {
+  return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+
+function appleScriptQuote(s: string): string {
+  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+
+function isMacosCertTrusted(certPath: string): boolean {
+  const result = spawnSync("security", ["verify-cert", "-c", certPath], {
+    stdio: "ignore",
+  });
+  return result.status === 0;
+}
+
 async function startFbiAuth(opts: {
   domain: string;
   reconfigure: boolean;

package/ts/install-port-forward.ts

@@ -0,0 +1,149 @@
+#!/usr/bin/env bun
+import { existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+const ANCHOR_NAME = "com.snomiao.fbi-proxy";
+const ANCHOR_FILE = `/etc/pf.anchors/${ANCHOR_NAME}`;
+const PLIST_FILE = `/Library/LaunchDaemons/${ANCHOR_NAME}-pf.plist`;
+
+const argv = await yargs(hideBin(process.argv))
+  .option("from", {
+    type: "number",
+    default: 443,
+    description: "Public-facing port to redirect (privileged)",
+  })
+  .option("to", {
+    type: "number",
+    default: 8443,
+    description: "Backend port the oxmgr-managed proxy listens on",
+  })
+  .option("uninstall", {
+    type: "boolean",
+    default: false,
+    description: "Remove the pf rule and LaunchDaemon",
+  })
+  .help().argv;
+
+if (process.platform !== "darwin") {
+  console.error("install-port-forward: macOS only (pf rules)");
+  process.exit(2);
+}
+
+if (argv.uninstall) {
+  const script = [
+    `launchctl unload "${PLIST_FILE}" 2>/dev/null`,
+    `rm -f "${PLIST_FILE}" "${ANCHOR_FILE}"`,
+    `pfctl -a ${ANCHOR_NAME} -F all 2>/dev/null`,
+    "echo uninstalled",
+  ].join("\n");
+  runAsRoot(script);
+  process.exit(0);
+}
+
+// pf-rdr is loopback-only here because fbi.com resolves to 127.0.0.1 via local
+// DNS. If you ever expose this on a real interface, widen the rule.
+const anchorContent = `rdr pass on lo0 inet proto tcp from any to any port ${argv.from} -> 127.0.0.1 port ${argv.to}\n`;
+
+const plistContent = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key><string>${ANCHOR_NAME}-pf</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/sh</string>
+    <string>-c</string>
+    <string>/sbin/pfctl -E 2>/dev/null; /sbin/pfctl -a ${ANCHOR_NAME} -f ${ANCHOR_FILE}</string>
+  </array>
+  <key>RunAtLoad</key><true/>
+  <key>StandardOutPath</key><string>/var/log/${ANCHOR_NAME}-pf.out.log</string>
+  <key>StandardErrorPath</key><string>/var/log/${ANCHOR_NAME}-pf.err.log</string>
+</dict>
+</plist>
+`;
+
+if (alreadyInstalledFor(argv.from, argv.to)) {
+  console.log(
+    `pf forward :${argv.from} -> :${argv.to} already installed and active`,
+  );
+  process.exit(0);
+}
+
+console.log(
+  `installing pf forward :${argv.from} -> :${argv.to} via macOS auth dialog…`,
+);
+
+// Single elevated shell — writes both files, loads the LaunchDaemon, and
+// applies the rule immediately so we don't wait for a reboot.
+const heredoc = (path: string, body: string) =>
+  `cat > "${path}" <<'__FBI_PROXY_PF_EOF__'\n${body}__FBI_PROXY_PF_EOF__`;
+
+const script = [
+  heredoc(ANCHOR_FILE, anchorContent),
+  `chmod 644 "${ANCHOR_FILE}"`,
+  heredoc(PLIST_FILE, plistContent),
+  `chown root:wheel "${PLIST_FILE}"`,
+  `chmod 644 "${PLIST_FILE}"`,
+  `launchctl unload "${PLIST_FILE}" 2>/dev/null || true`,
+  `launchctl load -w "${PLIST_FILE}"`,
+  `/sbin/pfctl -E 2>/dev/null || true`,
+  `/sbin/pfctl -a ${ANCHOR_NAME} -f "${ANCHOR_FILE}"`,
+  `echo OK`,
+].join("\n");
+
+const status = runAsRoot(script);
+if (status !== 0) {
+  console.error(`pf forward install failed (exit ${status})`);
+  process.exit(1);
+}
+
+if (alreadyInstalledFor(argv.from, argv.to)) {
+  console.log(
+    `pf forward :${argv.from} -> :${argv.to} active. LaunchDaemon: ${PLIST_FILE}`,
+  );
+} else {
+  console.warn(
+    `pf forward installed but verification failed — check 'sudo pfctl -a ${ANCHOR_NAME} -s nat'`,
+  );
+}
+
+function runAsRoot(script: string): number {
+  const hasTty = !!process.stdin.isTTY;
+  if (hasTty && process.getuid?.() !== 0) {
+    const result = spawnSync("sudo", ["sh", "-c", script], {
+      stdio: "inherit",
+    });
+    return result.status ?? 1;
+  }
+  if (process.getuid?.() === 0) {
+    const result = spawnSync("sh", ["-c", script], { stdio: "inherit" });
+    return result.status ?? 1;
+  }
+  // GUI password dialog — works without TTY (Claude Code, oxmgr children, etc.)
+  const osascript = `do shell script ${appleScriptQuote(script)} with administrator privileges`;
+  const result = spawnSync("osascript", ["-e", osascript], {
+    stdio: "inherit",
+  });
+  return result.status ?? 1;
+}
+
+function alreadyInstalledFor(from: number, to: number): boolean {
+  if (!existsSync(ANCHOR_FILE) || !existsSync(PLIST_FILE)) return false;
+  // -s nat needs root to read the runtime rule table on most setups
+  const probe = spawnSync(
+    "sudo",
+    ["-n", "/sbin/pfctl", "-a", ANCHOR_NAME, "-s", "nat"],
+    {
+      stdio: ["ignore", "pipe", "ignore"],
+    },
+  );
+  if (probe.status !== 0) return false;
+  const out = probe.stdout?.toString() ?? "";
+  return out.includes(`port = ${from}`) && out.includes(`port ${to}`);
+}
+
+function appleScriptQuote(s: string): string {
+  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}