fbi-proxy 1.15.0 → 1.16.0

package/ts/cli.ts

@@ -1,4 +1,6 @@
 #!/usr/bin/env bun
+import { existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
 import getPort from "get-port";
 import hotMemo from "hot-memo";
 import path from "path";
@@ -29,6 +31,41 @@ import {
 } from "./auth/spawnCaddy";
 
 const originalCwd = process.cwd();
+
+// Subcommand routing & default behavior
+//
+// `fbi-proxy setup` (or `fbi-proxy` with no escape-hatch flags) runs the
+// one-shot setup orchestrator: registers an oxmgr daemon, generates+trusts
+// a TLS cert, installs a pf :443→:8443 forward, and verifies https://<domain>.
+//
+// Old foreground modes (Caddy, dev, raw TLS, auth wizard) are preserved by
+// flags below — explicit opt-in keeps the existing surface intact for users
+// who rely on it.
+{
+  const rawArgs = hideBin(process.argv);
+  const firstPositional = rawArgs.find((a) => !a.startsWith("-"));
+  const FOREGROUND_FLAGS = [
+    "--dev",
+    "--with-caddy",
+    "--with-auth",
+    "--tls",
+    "--reconfigure",
+  ];
+  const wantsForeground = rawArgs.some((a) =>
+    FOREGROUND_FLAGS.some((f) => a === f || a.startsWith(`${f}=`)),
+  );
+  const hasExplicitPortEnv = !!process.env.FBI_PROXY_PORT;
+  const isSetupCmd = firstPositional === "setup";
+  const isDefault = !firstPositional && !wantsForeground && !hasExplicitPortEnv;
+
+  if (isSetupCmd || isDefault) {
+    const { runSetup } = await import("./setup");
+    const passArgs = rawArgs.filter((a) => a !== "setup");
+    await runSetup(passArgs, { originalCwd });
+    process.exit(0);
+  }
+}
+
 process.chdir(path.resolve(import.meta.dir, ".."));
 
 const argv = await yargs(hideBin(process.argv))
@@ -71,12 +108,33 @@ const argv = await yargs(hideBin(process.argv))
     description:
       "TLS strategy for --with-caddy. 'auto' uses ACME (Let's Encrypt); 'internal' uses Caddy's local CA. Defaults to 'internal' for fbi.com, 'auto' otherwise.",
   })
+  .option("tls", {
+    type: "boolean",
+    default: false,
+    description:
+      "Terminate TLS in the Rust proxy using a self-signed cert (no Caddy). Browser warning expected (Phase 1 — no system trust install). Use with --port 443 + sudo to serve standard HTTPS.",
+  })
   .help().argv;
 
-console.log("Preparing Binaries");
+if (argv.tls && argv["with-caddy"]) {
+  console.error(
+    "[fbi-proxy] --tls and --with-caddy are mutually exclusive (Caddy already terminates TLS).",
+  );
+  process.exit(2);
+}
 
 const FBI_PROXY_PORT =
-  process.env.FBI_PROXY_PORT || String(await getPort({ port: 2432 }));
+  process.env.FBI_PROXY_PORT ||
+  (argv.tls ? "443" : String(await getPort({ port: 2432 })));
+
+if (argv.tls) {
+  await ensureRootIfTlsNeedsIt({
+    domain: argv.domain,
+    port: Number(FBI_PROXY_PORT),
+  });
+}
+
+console.log("Preparing Binaries");
 
 const proxyProcess = await hotMemo(async () => {
   const proxy = await getFbiProxyBinary({ originalCwd });
@@ -85,6 +143,17 @@ const proxyProcess = await hotMemo(async () => {
     env: {
       ...process.env,
       FBI_PROXY_PORT,
+      ...(argv.tls
+        ? {
+            FBI_PROXY_TLS: "true",
+            FBI_PROXY_DOMAIN: argv.domain,
+            // Forward CERT_DIR if the sudo wrapper set it (so the elevated
+            // Rust binary writes to the original user's $HOME, not /var/root)
+            ...(process.env.FBI_PROXY_CERT_DIR
+              ? { FBI_PROXY_CERT_DIR: process.env.FBI_PROXY_CERT_DIR }
+              : {}),
+          }
+        : {}),
     },
   })`${proxy}`.process;
 
@@ -136,6 +205,83 @@ process.on("uncaughtException", (err) => {
   exit();
 });
 
+async function ensureRootIfTlsNeedsIt(opts: {
+  domain: string;
+  port: number;
+}): Promise<void> {
+  if (process.platform !== "darwin") {
+    // Linux/Windows trust install is a follow-up. The Rust side prints a
+    // friendly fallback message if untrusted.
+    return;
+  }
+  if (process.getuid?.() === 0) return;
+
+  const home = process.env.HOME ?? "";
+  const certDir =
+    process.env.FBI_PROXY_CERT_DIR ??
+    path.join(home, ".config/fbi-proxy/certs");
+  const slug = opts.domain || "localhost";
+  const certPath = path.join(certDir, `${slug}.pem`);
+
+  const needsPortBind = opts.port < 1024;
+  const certMissing = !existsSync(certPath);
+  const certUntrusted = !certMissing && !isMacosCertTrusted(certPath);
+  const needsTrustInstall = certMissing || certUntrusted;
+
+  if (!needsPortBind && !needsTrustInstall) return;
+
+  const reasons = [
+    needsPortBind && `bind :${opts.port}`,
+    needsTrustInstall && "install cert to system trust",
+  ]
+    .filter(Boolean)
+    .join(" + ");
+  console.log(`[fbi-proxy] --tls needs root to: ${reasons}`);
+
+  // Preserve HOME and CERT_DIR so the elevated process writes cert/auth
+  // files into the original user's directory, not /var/root.
+  const sudoArgs = [
+    `HOME=${home}`,
+    `FBI_PROXY_CERT_DIR=${certDir}`,
+    process.execPath,
+    ...process.argv.slice(1),
+  ];
+
+  // Prefer terminal sudo when a TTY is attached; otherwise fall back to the
+  // macOS GUI authentication dialog via osascript so non-TTY contexts (agent
+  // shells, oxmgr-spawned children) can still escalate with a single password
+  // prompt instead of erroring out with "a terminal is required".
+  const hasTty = !!process.stdin.isTTY;
+  if (hasTty) {
+    console.log(
+      `[fbi-proxy] re-launching via sudo (terminal password prompt)…`,
+    );
+    const result = spawnSync("sudo", sudoArgs, { stdio: "inherit" });
+    process.exit(result.status ?? 1);
+  }
+
+  console.log(`[fbi-proxy] no TTY — opening macOS authentication dialog…`);
+  const shellCmd = sudoArgs.map(shellQuote).join(" ");
+  const script = `do shell script ${appleScriptQuote(shellCmd)} with administrator privileges`;
+  const result = spawnSync("osascript", ["-e", script], { stdio: "inherit" });
+  process.exit(result.status ?? 1);
+}
+
+function shellQuote(s: string): string {
+  return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+
+function appleScriptQuote(s: string): string {
+  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+
+function isMacosCertTrusted(certPath: string): boolean {
+  const result = spawnSync("security", ["verify-cert", "-c", certPath], {
+    stdio: "ignore",
+  });
+  return result.status === 0;
+}
+
 async function startFbiAuth(opts: {
   domain: string;
   reconfigure: boolean;

package/ts/install-port-forward.ts

@@ -0,0 +1,149 @@
+#!/usr/bin/env bun
+import { existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+
+const ANCHOR_NAME = "com.snomiao.fbi-proxy";
+const ANCHOR_FILE = `/etc/pf.anchors/${ANCHOR_NAME}`;
+const PLIST_FILE = `/Library/LaunchDaemons/${ANCHOR_NAME}-pf.plist`;
+
+const argv = await yargs(hideBin(process.argv))
+  .option("from", {
+    type: "number",
+    default: 443,
+    description: "Public-facing port to redirect (privileged)",
+  })
+  .option("to", {
+    type: "number",
+    default: 8443,
+    description: "Backend port the oxmgr-managed proxy listens on",
+  })
+  .option("uninstall", {
+    type: "boolean",
+    default: false,
+    description: "Remove the pf rule and LaunchDaemon",
+  })
+  .help().argv;
+
+if (process.platform !== "darwin") {
+  console.error("install-port-forward: macOS only (pf rules)");
+  process.exit(2);
+}
+
+if (argv.uninstall) {
+  const script = [
+    `launchctl unload "${PLIST_FILE}" 2>/dev/null`,
+    `rm -f "${PLIST_FILE}" "${ANCHOR_FILE}"`,
+    `pfctl -a ${ANCHOR_NAME} -F all 2>/dev/null`,
+    "echo uninstalled",
+  ].join("\n");
+  runAsRoot(script);
+  process.exit(0);
+}
+
+// pf-rdr is loopback-only here because fbi.com resolves to 127.0.0.1 via local
+// DNS. If you ever expose this on a real interface, widen the rule.
+const anchorContent = `rdr pass on lo0 inet proto tcp from any to any port ${argv.from} -> 127.0.0.1 port ${argv.to}\n`;
+
+const plistContent = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key><string>${ANCHOR_NAME}-pf</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/sh</string>
+    <string>-c</string>
+    <string>/sbin/pfctl -E 2>/dev/null; /sbin/pfctl -a ${ANCHOR_NAME} -f ${ANCHOR_FILE}</string>
+  </array>
+  <key>RunAtLoad</key><true/>
+  <key>StandardOutPath</key><string>/var/log/${ANCHOR_NAME}-pf.out.log</string>
+  <key>StandardErrorPath</key><string>/var/log/${ANCHOR_NAME}-pf.err.log</string>
+</dict>
+</plist>
+`;
+
+if (alreadyInstalledFor(argv.from, argv.to)) {
+  console.log(
+    `pf forward :${argv.from} -> :${argv.to} already installed and active`,
+  );
+  process.exit(0);
+}
+
+console.log(
+  `installing pf forward :${argv.from} -> :${argv.to} via macOS auth dialog…`,
+);
+
+// Single elevated shell — writes both files, loads the LaunchDaemon, and
+// applies the rule immediately so we don't wait for a reboot.
+const heredoc = (path: string, body: string) =>
+  `cat > "${path}" <<'__FBI_PROXY_PF_EOF__'\n${body}__FBI_PROXY_PF_EOF__`;
+
+const script = [
+  heredoc(ANCHOR_FILE, anchorContent),
+  `chmod 644 "${ANCHOR_FILE}"`,
+  heredoc(PLIST_FILE, plistContent),
+  `chown root:wheel "${PLIST_FILE}"`,
+  `chmod 644 "${PLIST_FILE}"`,
+  `launchctl unload "${PLIST_FILE}" 2>/dev/null || true`,
+  `launchctl load -w "${PLIST_FILE}"`,
+  `/sbin/pfctl -E 2>/dev/null || true`,
+  `/sbin/pfctl -a ${ANCHOR_NAME} -f "${ANCHOR_FILE}"`,
+  `echo OK`,
+].join("\n");
+
+const status = runAsRoot(script);
+if (status !== 0) {
+  console.error(`pf forward install failed (exit ${status})`);
+  process.exit(1);
+}
+
+if (alreadyInstalledFor(argv.from, argv.to)) {
+  console.log(
+    `pf forward :${argv.from} -> :${argv.to} active. LaunchDaemon: ${PLIST_FILE}`,
+  );
+} else {
+  console.warn(
+    `pf forward installed but verification failed — check 'sudo pfctl -a ${ANCHOR_NAME} -s nat'`,
+  );
+}
+
+function runAsRoot(script: string): number {
+  const hasTty = !!process.stdin.isTTY;
+  if (hasTty && process.getuid?.() !== 0) {
+    const result = spawnSync("sudo", ["sh", "-c", script], {
+      stdio: "inherit",
+    });
+    return result.status ?? 1;
+  }
+  if (process.getuid?.() === 0) {
+    const result = spawnSync("sh", ["-c", script], { stdio: "inherit" });
+    return result.status ?? 1;
+  }
+  // GUI password dialog — works without TTY (Claude Code, oxmgr children, etc.)
+  const osascript = `do shell script ${appleScriptQuote(script)} with administrator privileges`;
+  const result = spawnSync("osascript", ["-e", osascript], {
+    stdio: "inherit",
+  });
+  return result.status ?? 1;
+}
+
+function alreadyInstalledFor(from: number, to: number): boolean {
+  if (!existsSync(ANCHOR_FILE) || !existsSync(PLIST_FILE)) return false;
+  // -s nat needs root to read the runtime rule table on most setups
+  const probe = spawnSync(
+    "sudo",
+    ["-n", "/sbin/pfctl", "-a", ANCHOR_NAME, "-s", "nat"],
+    {
+      stdio: ["ignore", "pipe", "ignore"],
+    },
+  );
+  if (probe.status !== 0) return false;
+  const out = probe.stdout?.toString() ?? "";
+  return out.includes(`port = ${from}`) && out.includes(`port ${to}`);
+}
+
+function appleScriptQuote(s: string): string {
+  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}