haechi 0.4.0 → 0.6.0

package/packages/proxy/index.mjs

@@ -1,31 +1,71 @@
 import { createServer } from "node:http";
 import { createHash, randomUUID } from "node:crypto";
+import { inspectResponseStream } from "../stream-filter/index.mjs";
 
 export const DEFAULT_PROXY_PORT = 1016;
 
 export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "127.0.0.1", allowRemoteBind = false }) {
   assertSafeProxyBind({ host, allowRemoteBind });
   const { haechi, config, protocolAdapter } = runtime;
+  const rateLimiter = createRateLimiter();
 
   const server = createServer(async (request, response) => {
     try {
       if (request.method === "GET" && request.url === "/__haechi/health") {
+        // Intentionally unauthenticated; exposes only the mode.
         writeJson(response, 200, { ok: true, mode: config.mode });
         return;
       }
 
       assertRelativeProxyTarget(request.url);
       const routeContext = protocolAdapter.classifyRequest(request);
+
+      // Authenticate, resolve the policy profile, and rate-limit BEFORE reading
+      // the body, so a denied/throttled request cannot stream a large body.
+      const gate = await authorizeRequest({ runtime, request, routeContext, rateLimiter });
+      if (gate.denied) {
+        writeJson(response, gate.denied.status, {
+          error: gate.denied.error,
+          message: gate.denied.message
+        });
+        return;
+      }
+      const { identity, profile, policyEngine, modelAllowlist } = gate;
+      const authContext = { identity, profile, policyEngine };
+
       const body = await readBody(request, {
         maxBytes: config.limits.maxRequestBytes
       });
       const json = parseJsonBody(body);
 
+      // Model allowlist runs after body read (the model field is in the body).
+      if (modelAllowlist && typeof json?.model === "string" && !modelAllowlist.includes(json.model)) {
+        await recordProxyDecision({
+          runtime, routeContext, identity, profile,
+          decision: "model_not_allowed",
+          reason: `model:${json.model}`,
+          enforced: true,
+          blocked: true
+        });
+        writeJson(response, 403, {
+          error: "haechi_model_not_allowed",
+          message: `Model not allowed: ${json.model}`
+        });
+        return;
+      }
+
       if (isStreamingRequest(json, routeContext)) {
+        if (config.streaming.requestMode === "inspect") {
+          await handleInspectedStream({ runtime, request, response, routeContext, json, authContext });
+          return;
+        }
+
         if (config.streaming.requestMode === "pass-through") {
           await recordProxyDecision({
             runtime,
             routeContext,
+            identity,
+            profile,
             decision: "streaming_request_pass_through",
             reason: "streaming_request_pass_through",
             enforced: false,
@@ -45,7 +85,7 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
 
         writeJson(response, 501, {
           error: "haechi_streaming_unsupported",
-          message: "Streaming requests are blocked unless streaming.requestMode is explicitly set to pass-through"
+          message: "Streaming requests are blocked unless streaming.requestMode is set to pass-through or inspect"
         });
         return;
       }
@@ -53,6 +93,7 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
       const result = routeContext.protectRequest
         ? await haechi.protectJson(json, {
           ...routeContext,
+          ...authContext,
           operation: `request:${routeContext.operation}`,
           direction: "request",
           mode: config.policy.mode ?? config.mode
@@ -79,6 +120,7 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
         upstreamResponse,
         routeContext,
         runtime,
+        authContext,
         issuedTokens: result.issuedTokens ?? []
       });
 
@@ -114,7 +156,196 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
   };
 }
 
-async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, issuedTokens = [] }) {
+// Authenticate → resolve policy profile → rate-limit. Returns the request's
+// identity/profile/policyEngine/modelAllowlist, or a denial. Auth is required
+// exactly when an authProvider is configured (auth.provider !== "none").
+async function authorizeRequest({ runtime, request, routeContext, rateLimiter }) {
+  const { authProvider, policyProfiles } = runtime;
+  let identity = null;
+
+  if (authProvider) {
+    try {
+      identity = await authProvider.authenticate(request);
+    } catch {
+      await recordAuthDenied({ runtime, routeContext, reason: "provider_error" });
+      return { denied: { status: 401, error: "haechi_auth_denied", message: "Authentication failed" } };
+    }
+    if (!identity) {
+      const reason = hasBearerHeader(request) ? "invalid_token" : "no_token";
+      await recordAuthDenied({ runtime, routeContext, reason });
+      return { denied: { status: 401, error: "haechi_auth_denied", message: "Authentication required" } };
+    }
+  }
+
+  const resolved = policyProfiles.resolve(identity);
+
+  if (resolved.rate && resolved.rate.requestsPerMinute) {
+    const key = identity?.id ?? "anonymous";
+    if (!rateLimiter.allow(key, resolved.rate.requestsPerMinute)) {
+      await recordProxyDecision({
+        runtime, routeContext, identity, profile: resolved.profile,
+        decision: "rate_limited",
+        reason: `rate:${resolved.rate.requestsPerMinute}`,
+        enforced: true,
+        blocked: true
+      });
+      return { denied: { status: 429, error: "haechi_rate_limited", message: "Rate limit exceeded" } };
+    }
+  }
+
+  return {
+    identity,
+    profile: resolved.profile,
+    policyEngine: resolved.policyEngine,
+    modelAllowlist: resolved.modelAllowlist
+  };
+}
+
+function hasBearerHeader(request) {
+  const header = request?.headers?.authorization ?? request?.headers?.Authorization;
+  return typeof header === "string" && /^Bearer\s+/i.test(header.trim());
+}
+
+function createRateLimiter() {
+  // In-memory fixed-window counter. Per-process: resets on restart, not shared
+  // across replicas — acceptable for a single-process self-hosted preview.
+  const windows = new Map();
+  const windowMs = 60000;
+  return {
+    allow(key, limit) {
+      const now = Date.now();
+      const slot = windows.get(key);
+      if (!slot || now - slot.windowStart >= windowMs) {
+        windows.set(key, { windowStart: now, count: 1 });
+        return true;
+      }
+      if (slot.count >= limit) {
+        return false;
+      }
+      slot.count += 1;
+      return true;
+    }
+  };
+}
+
+async function recordAuthDenied({ runtime, routeContext, reason }) {
+  await recordProxyDecision({
+    runtime, routeContext, identity: null, profile: null,
+    decision: "auth_denied",
+    reason,
+    enforced: true,
+    blocked: true
+  });
+}
+
+async function handleInspectedStream({ runtime, request, response, routeContext, json, authContext = {} }) {
+  const { haechi, config } = runtime;
+
+  // Inspection needs to know the wire format and delta channel for this route.
+  if (!routeContext.streaming) {
+    writeJson(response, 501, {
+      error: "haechi_streaming_uninspectable_route",
+      message: `streaming.requestMode is "inspect" but route ${routeContext.routeId} has no known streaming format`
+    });
+    return;
+  }
+
+  // The request body is ordinary JSON even when the response streams, so it is
+  // protected like any other request.
+  const requestResult = routeContext.protectRequest
+    ? await haechi.protectJson(json, {
+      ...routeContext,
+      ...authContext,
+      operation: `request:${routeContext.operation}`,
+      direction: "request",
+      mode: config.policy.mode ?? config.mode
+    })
+    : { payload: json, blocked: false };
+
+  if (requestResult.blocked) {
+    writeJson(response, 403, {
+      error: "haechi_policy_block",
+      summary: requestResult.summary,
+      auditId: requestResult.auditEvent.id
+    });
+    return;
+  }
+
+  const upstreamResponse = await forward({
+    upstream: config.target.upstream,
+    request,
+    body: JSON.stringify(requestResult.payload),
+    timeoutMs: config.limits.upstreamTimeoutMs
+  });
+
+  const streamMode = config.streaming.responseMode ?? config.responseProtection.mode ?? config.policy.mode ?? config.mode;
+  const protector = haechi.createStreamProtector({
+    ...routeContext,
+    ...authContext,
+    operation: `response-stream:${routeContext.operation}`,
+    direction: "response",
+    mode: streamMode,
+    maxMatchBytes: config.streaming.maxMatchBytes
+  });
+
+  response.writeHead(upstreamResponse.status, streamingResponseHeaders(upstreamResponse));
+
+  const { blocked, summary } = await inspectResponseStream({
+    source: upstreamResponse.body ?? emptyAsyncIterable(),
+    sink: nodeResponseSink(response),
+    streaming: routeContext.streaming,
+    protector
+  });
+
+  await recordStreamDecision({
+    runtime, routeContext, blocked, summary, mode: streamMode,
+    identity: authContext.identity ?? null, profile: authContext.profile ?? null
+  });
+  response.end();
+}
+
+function streamingResponseHeaders(upstreamResponse) {
+  const headers = Object.fromEntries(upstreamResponse.headers.entries());
+  delete headers["content-length"];
+  delete headers["content-encoding"];
+  return headers;
+}
+
+function nodeResponseSink(response) {
+  return {
+    write(text) {
+      response.write(text);
+    }
+  };
+}
+
+async function* emptyAsyncIterable() {
+  // No upstream body to inspect.
+}
+
+async function recordStreamDecision({ runtime, routeContext, blocked, summary, mode, identity = null, profile = null }) {
+  if (typeof runtime.auditSink?.record !== "function") {
+    return;
+  }
+  await runtime.auditSink.record({
+    id: randomUUID(),
+    timestamp: new Date().toISOString(),
+    protocol: routeContext?.protocol ?? "proxy",
+    operation: `response-stream:${routeContext?.operation ?? "unknown"}`,
+    mode,
+    identity,
+    profile,
+    enforced: !["dry-run", "report-only"].includes(mode),
+    blocked,
+    decision: blocked ? "stream_blocked" : "stream_inspected",
+    reason: blocked ? "stream_policy_block" : "stream_inspected",
+    routeId: routeContext?.routeId ?? "unknown",
+    pathHash: routeContext?.path ? shortHash(routeContext.path) : null,
+    summary
+  });
+}
+
+async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, authContext = {}, issuedTokens = [] }) {
   const headers = Object.fromEntries(upstreamResponse.headers.entries());
 
   if (!runtime.config.responseProtection.enabled || !routeContext.protectResponse) {
@@ -204,6 +435,7 @@ async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, i
 
   const result = await runtime.haechi.protectJson(json, {
     ...routeContext,
+    ...authContext,
     operation: `response:${routeContext.operation}`,
     direction: "response",
     mode: runtime.config.responseProtection.mode ?? runtime.config.policy.mode ?? runtime.config.mode
@@ -488,7 +720,7 @@ async function cancelReader(reader) {
   }
 }
 
-async function recordProxyDecision({ runtime, routeContext, decision, reason, enforced, blocked }) {
+async function recordProxyDecision({ runtime, routeContext, decision, reason, enforced, blocked, identity = null, profile = null }) {
   if (typeof runtime.auditSink?.record !== "function") {
     return;
   }
@@ -499,7 +731,8 @@ async function recordProxyDecision({ runtime, routeContext, decision, reason, en
     protocol: routeContext?.protocol ?? "proxy",
     operation: routeContext ? `proxy:${routeContext.protocol}:${routeContext.routeId ?? "unknown"}` : "proxy",
     mode: runtime.config.policy.mode ?? runtime.config.mode,
-    identity: null,
+    identity,
+    profile,
     enforced,
     blocked,
     decision,

package/packages/stream-filter/index.mjs

@@ -0,0 +1,194 @@
+// SSE / NDJSON streaming response inspection.
+//
+// Frames are parsed incrementally, the primary delta-text channel is run
+// through a bounded sliding buffer (cross-frame matches caught up to
+// streaming.maxMatchBytes), and all other string leaves in a frame get
+// within-frame protection. The whole stream is audited once at the end.
+
+const SSE_DONE = "[DONE]";
+
+export async function inspectResponseStream({ source, sink, streaming, protector, format }) {
+  const wireFormat = format ?? streaming?.format ?? "ndjson";
+  const deltaPath = streaming?.deltaPath ?? null;
+  const decoder = new TextDecoder("utf-8");
+  const frames = createFrameSplitter(wireFormat);
+
+  let blocked = false;
+
+  async function handleFrame(raw) {
+    const frame = { raw, body: raw.trim() };
+    const parsed = parseFrame(frame, wireFormat);
+    if (!parsed.ok) {
+      // Non-JSON frame (e.g. `data: [DONE]`, comments, keep-alives): pass
+      // through verbatim — there is nothing to inspect.
+      sink.write(frame.raw);
+      return;
+    }
+
+    const json = parsed.json;
+    let deltaText = null;
+    if (deltaPath) {
+      const found = getByPath(json, deltaPath);
+      if (typeof found === "string") {
+        deltaText = found;
+        setByPath(json, deltaPath, "");
+      }
+    }
+
+    // Within-frame protection for everything except the delta channel.
+    const extras = await protector.protectFrameExtras(json);
+    if (extras.blocked) {
+      blocked = true;
+      return;
+    }
+    const frameObject = extras.value;
+
+    if (deltaText !== null) {
+      const pushed = await protector.push(deltaText);
+      if (pushed.blocked) {
+        blocked = true;
+        return;
+      }
+      setByPath(frameObject, deltaPath, pushed.text);
+    }
+
+    sink.write(serializeFrame(frameObject, wireFormat, frame));
+  }
+
+  for await (const chunk of source) {
+    for (const frame of frames.push(decoder.decode(chunk, { stream: true }))) {
+      await handleFrame(frame);
+      if (blocked) {
+        break;
+      }
+    }
+    if (blocked) {
+      break;
+    }
+  }
+
+  if (!blocked) {
+    for (const frame of frames.end(decoder.decode())) {
+      await handleFrame(frame);
+      if (blocked) {
+        break;
+      }
+    }
+  }
+
+  if (!blocked) {
+    // Flush the held tail of the delta buffer as a synthesized final frame.
+    const flushed = await protector.flush();
+    if (flushed.blocked) {
+      blocked = true;
+    } else if (flushed.text && deltaPath) {
+      sink.write(serializeFrame(buildPathObject(deltaPath, flushed.text), wireFormat, null));
+    }
+  }
+
+  // The caller closes the sink AFTER recording the stream decision, so the
+  // audit write is durable before the client connection ends.
+  return { blocked, summary: protector.summary() };
+}
+
+function createFrameSplitter(format) {
+  const delimiter = format === "sse" ? "\n\n" : "\n";
+  let buffer = "";
+  return {
+    // Append text and return the raw text of every complete frame now
+    // available; the trailing partial is retained for the next push.
+    push(text) {
+      buffer += text;
+      const out = [];
+      let index;
+      while ((index = buffer.indexOf(delimiter)) !== -1) {
+        const raw = buffer.slice(0, index + delimiter.length);
+        buffer = buffer.slice(index + delimiter.length);
+        if (raw.trim()) {
+          out.push(raw);
+        }
+      }
+      return out;
+    },
+    // Flush any trailing partial frame at end of stream.
+    end(text) {
+      buffer += text;
+      const remainder = buffer;
+      buffer = "";
+      return remainder.trim() ? [remainder] : [];
+    }
+  };
+}
+
+function parseFrame(frame, format) {
+  if (!frame) {
+    return { ok: false };
+  }
+  let payload = frame.body;
+  if (format === "sse") {
+    const dataLines = payload
+      .split("\n")
+      .filter((line) => line.startsWith("data:"))
+      .map((line) => line.slice(5).trim());
+    if (dataLines.length === 0) {
+      return { ok: false };
+    }
+    payload = dataLines.join("");
+    if (payload === SSE_DONE) {
+      return { ok: false };
+    }
+  }
+  try {
+    return { ok: true, json: JSON.parse(payload) };
+  } catch {
+    return { ok: false };
+  }
+}
+
+function serializeFrame(json, format, original) {
+  const body = JSON.stringify(json);
+  if (format === "sse") {
+    return `data: ${body}\n\n`;
+  }
+  // NDJSON: preserve the original trailing newline style when available.
+  return original && original.raw.endsWith("\n") ? `${body}\n` : `${body}\n`;
+}
+
+export function getByPath(value, path) {
+  let current = value;
+  for (const part of path) {
+    if (current == null) {
+      return undefined;
+    }
+    current = current[part];
+  }
+  return current;
+}
+
+export function setByPath(value, path, next) {
+  let current = value;
+  for (let index = 0; index < path.length - 1; index += 1) {
+    const part = path[index];
+    if (current[part] == null || typeof current[part] !== "object") {
+      return false;
+    }
+    current = current[part];
+  }
+  if (current == null || typeof current !== "object") {
+    return false;
+  }
+  current[path[path.length - 1]] = next;
+  return true;
+}
+
+export function buildPathObject(path, leaf) {
+  const root = typeof path[0] === "number" ? [] : {};
+  let current = root;
+  for (let index = 0; index < path.length - 1; index += 1) {
+    const nextIsIndex = typeof path[index + 1] === "number";
+    current[path[index]] = nextIsIndex ? [] : {};
+    current = current[path[index]];
+  }
+  current[path[path.length - 1]] = leaf;
+  return root;
+}