haechi 0.5.0 → 0.7.0

package/packages/proxy/index.mjs

@@ -7,24 +7,56 @@ export const DEFAULT_PROXY_PORT = 1016;
 export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "127.0.0.1", allowRemoteBind = false }) {
   assertSafeProxyBind({ host, allowRemoteBind });
   const { haechi, config, protocolAdapter } = runtime;
+  const rateLimiter = createRateLimiter();
 
   const server = createServer(async (request, response) => {
     try {
       if (request.method === "GET" && request.url === "/__haechi/health") {
+        // Intentionally unauthenticated; exposes only the mode.
         writeJson(response, 200, { ok: true, mode: config.mode });
         return;
       }
 
       assertRelativeProxyTarget(request.url);
       const routeContext = protocolAdapter.classifyRequest(request);
+
+      // Authenticate, resolve the policy profile, and rate-limit BEFORE reading
+      // the body, so a denied/throttled request cannot stream a large body.
+      const gate = await authorizeRequest({ runtime, request, routeContext, rateLimiter });
+      if (gate.denied) {
+        writeJson(response, gate.denied.status, {
+          error: gate.denied.error,
+          message: gate.denied.message
+        });
+        return;
+      }
+      const { identity, profile, policyEngine, modelAllowlist } = gate;
+      const authContext = { identity, profile, policyEngine };
+
       const body = await readBody(request, {
         maxBytes: config.limits.maxRequestBytes
       });
       const json = parseJsonBody(body);
 
+      // Model allowlist runs after body read (the model field is in the body).
+      if (modelAllowlist && typeof json?.model === "string" && !modelAllowlist.includes(json.model)) {
+        await recordProxyDecision({
+          runtime, routeContext, identity, profile,
+          decision: "model_not_allowed",
+          reason: `model:${json.model}`,
+          enforced: true,
+          blocked: true
+        });
+        writeJson(response, 403, {
+          error: "haechi_model_not_allowed",
+          message: `Model not allowed: ${json.model}`
+        });
+        return;
+      }
+
       if (isStreamingRequest(json, routeContext)) {
         if (config.streaming.requestMode === "inspect") {
-          await handleInspectedStream({ runtime, request, response, routeContext, json });
+          await handleInspectedStream({ runtime, request, response, routeContext, json, authContext });
           return;
         }
 
@@ -32,6 +64,8 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
           await recordProxyDecision({
             runtime,
             routeContext,
+            identity,
+            profile,
             decision: "streaming_request_pass_through",
             reason: "streaming_request_pass_through",
             enforced: false,
@@ -59,6 +93,7 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
       const result = routeContext.protectRequest
         ? await haechi.protectJson(json, {
           ...routeContext,
+          ...authContext,
           operation: `request:${routeContext.operation}`,
           direction: "request",
           mode: config.policy.mode ?? config.mode
@@ -85,6 +120,7 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
         upstreamResponse,
         routeContext,
         runtime,
+        authContext,
         issuedTokens: result.issuedTokens ?? []
       });
 
@@ -120,7 +156,89 @@ export function createHaechiProxy({ runtime, port = DEFAULT_PROXY_PORT, host = "
   };
 }
 
-async function handleInspectedStream({ runtime, request, response, routeContext, json }) {
+// Authenticate → resolve policy profile → rate-limit. Returns the request's
+// identity/profile/policyEngine/modelAllowlist, or a denial. Auth is required
+// exactly when an authProvider is configured (auth.provider !== "none").
+async function authorizeRequest({ runtime, request, routeContext, rateLimiter }) {
+  const { authProvider, policyProfiles } = runtime;
+  let identity = null;
+
+  if (authProvider) {
+    try {
+      identity = await authProvider.authenticate(request);
+    } catch {
+      await recordAuthDenied({ runtime, routeContext, reason: "provider_error" });
+      return { denied: { status: 401, error: "haechi_auth_denied", message: "Authentication failed" } };
+    }
+    if (!identity) {
+      const reason = hasBearerHeader(request) ? "invalid_token" : "no_token";
+      await recordAuthDenied({ runtime, routeContext, reason });
+      return { denied: { status: 401, error: "haechi_auth_denied", message: "Authentication required" } };
+    }
+  }
+
+  const resolved = policyProfiles.resolve(identity);
+
+  if (resolved.rate && resolved.rate.requestsPerMinute) {
+    const key = identity?.id ?? "anonymous";
+    if (!rateLimiter.allow(key, resolved.rate.requestsPerMinute)) {
+      await recordProxyDecision({
+        runtime, routeContext, identity, profile: resolved.profile,
+        decision: "rate_limited",
+        reason: `rate:${resolved.rate.requestsPerMinute}`,
+        enforced: true,
+        blocked: true
+      });
+      return { denied: { status: 429, error: "haechi_rate_limited", message: "Rate limit exceeded" } };
+    }
+  }
+
+  return {
+    identity,
+    profile: resolved.profile,
+    policyEngine: resolved.policyEngine,
+    modelAllowlist: resolved.modelAllowlist
+  };
+}
+
+function hasBearerHeader(request) {
+  const header = request?.headers?.authorization ?? request?.headers?.Authorization;
+  return typeof header === "string" && /^Bearer\s+/i.test(header.trim());
+}
+
+function createRateLimiter() {
+  // In-memory fixed-window counter. Per-process: resets on restart, not shared
+  // across replicas — acceptable for a single-process self-hosted preview.
+  const windows = new Map();
+  const windowMs = 60000;
+  return {
+    allow(key, limit) {
+      const now = Date.now();
+      const slot = windows.get(key);
+      if (!slot || now - slot.windowStart >= windowMs) {
+        windows.set(key, { windowStart: now, count: 1 });
+        return true;
+      }
+      if (slot.count >= limit) {
+        return false;
+      }
+      slot.count += 1;
+      return true;
+    }
+  };
+}
+
+async function recordAuthDenied({ runtime, routeContext, reason }) {
+  await recordProxyDecision({
+    runtime, routeContext, identity: null, profile: null,
+    decision: "auth_denied",
+    reason,
+    enforced: true,
+    blocked: true
+  });
+}
+
+async function handleInspectedStream({ runtime, request, response, routeContext, json, authContext = {} }) {
   const { haechi, config } = runtime;
 
   // Inspection needs to know the wire format and delta channel for this route.
@@ -137,6 +255,7 @@ async function handleInspectedStream({ runtime, request, response, routeContext,
   const requestResult = routeContext.protectRequest
     ? await haechi.protectJson(json, {
       ...routeContext,
+      ...authContext,
       operation: `request:${routeContext.operation}`,
       direction: "request",
       mode: config.policy.mode ?? config.mode
@@ -162,6 +281,7 @@ async function handleInspectedStream({ runtime, request, response, routeContext,
   const streamMode = config.streaming.responseMode ?? config.responseProtection.mode ?? config.policy.mode ?? config.mode;
   const protector = haechi.createStreamProtector({
     ...routeContext,
+    ...authContext,
     operation: `response-stream:${routeContext.operation}`,
     direction: "response",
     mode: streamMode,
@@ -177,7 +297,10 @@ async function handleInspectedStream({ runtime, request, response, routeContext,
     protector
   });
 
-  await recordStreamDecision({ runtime, routeContext, blocked, summary, mode: streamMode });
+  await recordStreamDecision({
+    runtime, routeContext, blocked, summary, mode: streamMode,
+    identity: authContext.identity ?? null, profile: authContext.profile ?? null
+  });
   response.end();
 }
 
@@ -200,7 +323,7 @@ async function* emptyAsyncIterable() {
   // No upstream body to inspect.
 }
 
-async function recordStreamDecision({ runtime, routeContext, blocked, summary, mode }) {
+async function recordStreamDecision({ runtime, routeContext, blocked, summary, mode, identity = null, profile = null }) {
   if (typeof runtime.auditSink?.record !== "function") {
     return;
   }
@@ -210,7 +333,8 @@ async function recordStreamDecision({ runtime, routeContext, blocked, summary, m
     protocol: routeContext?.protocol ?? "proxy",
     operation: `response-stream:${routeContext?.operation ?? "unknown"}`,
     mode,
-    identity: null,
+    identity,
+    profile,
     enforced: !["dry-run", "report-only"].includes(mode),
     blocked,
     decision: blocked ? "stream_blocked" : "stream_inspected",
@@ -221,7 +345,7 @@ async function recordStreamDecision({ runtime, routeContext, blocked, summary, m
   });
 }
 
-async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, issuedTokens = [] }) {
+async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, authContext = {}, issuedTokens = [] }) {
   const headers = Object.fromEntries(upstreamResponse.headers.entries());
 
   if (!runtime.config.responseProtection.enabled || !routeContext.protectResponse) {
@@ -311,6 +435,7 @@ async function maybeProtectResponse({ upstreamResponse, routeContext, runtime, i
 
   const result = await runtime.haechi.protectJson(json, {
     ...routeContext,
+    ...authContext,
     operation: `response:${routeContext.operation}`,
     direction: "response",
     mode: runtime.config.responseProtection.mode ?? runtime.config.policy.mode ?? runtime.config.mode
@@ -595,7 +720,7 @@ async function cancelReader(reader) {
   }
 }
 
-async function recordProxyDecision({ runtime, routeContext, decision, reason, enforced, blocked }) {
+async function recordProxyDecision({ runtime, routeContext, decision, reason, enforced, blocked, identity = null, profile = null }) {
   if (typeof runtime.auditSink?.record !== "function") {
     return;
   }
@@ -606,7 +731,8 @@ async function recordProxyDecision({ runtime, routeContext, decision, reason, en
     protocol: routeContext?.protocol ?? "proxy",
     operation: routeContext ? `proxy:${routeContext.protocol}:${routeContext.routeId ?? "unknown"}` : "proxy",
     mode: runtime.config.policy.mode ?? runtime.config.mode,
-    identity: null,
+    identity,
+    profile,
     enforced,
     blocked,
     decision,

package/scripts/release-checksums.mjs

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+// Generate or verify a SHA256SUMS manifest for release artifacts.
+//
+//   node scripts/release-checksums.mjs <file...>           # print "<hash>  <name>" lines
+//   node scripts/release-checksums.mjs --check SHA256SUMS  # verify files against a manifest
+//
+// Standard `<sha256-hex>  <basename>` format (two spaces), so `sha256sum -c`
+// and `shasum -a 256 -c` interoperate with what this prints.
+
+import { createHash } from "node:crypto";
+import { createReadStream } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { basename, dirname, isAbsolute, join, relative } from "node:path";
+import { fileURLToPath } from "node:url";
+
+export async function sha256File(path) {
+  const hash = createHash("sha256");
+  for await (const chunk of createReadStream(path)) {
+    hash.update(chunk);
+  }
+  return hash.digest("hex");
+}
+
+export function formatManifestLine(hashHex, name) {
+  return `${hashHex}  ${name}`;
+}
+
+export function parseManifest(text) {
+  return text
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .map((line) => {
+      const match = /^([a-f0-9]{64})\s+(.+)$/.exec(line);
+      if (!match) {
+        throw new Error(`Malformed SHA256SUMS line: ${line}`);
+      }
+      return { hash: match[1], name: match[2] };
+    });
+}
+
+export async function generateManifest(files) {
+  const lines = [];
+  for (const file of files) {
+    lines.push(formatManifestLine(await sha256File(file), basename(file)));
+  }
+  return `${lines.join("\n")}\n`;
+}
+
+export async function verifyManifest(manifestPath) {
+  const baseDir = dirname(manifestPath);
+  const entries = parseManifest(await readFile(manifestPath, "utf8"));
+  const results = [];
+  for (const entry of entries) {
+    // A manifest is untrusted input: never hash a path that escapes the
+    // manifest's own directory (no absolute paths, no `../` traversal).
+    const rel = relative(baseDir, join(baseDir, entry.name));
+    if (isAbsolute(entry.name) || rel.startsWith("..")) {
+      results.push({ name: entry.name, ok: false, reason: "unsafe path" });
+      continue;
+    }
+    let actual = null;
+    try {
+      actual = await sha256File(join(baseDir, entry.name));
+    } catch (error) {
+      results.push({ name: entry.name, ok: false, reason: error.code === "ENOENT" ? "missing" : error.message });
+      continue;
+    }
+    results.push({ name: entry.name, ok: actual === entry.hash, reason: actual === entry.hash ? null : "hash mismatch" });
+  }
+  return { ok: results.every((r) => r.ok), results };
+}
+
+async function main(argv) {
+  if (argv[0] === "--check") {
+    const manifestPath = argv[1];
+    if (!manifestPath) {
+      throw new Error("--check requires a SHA256SUMS path");
+    }
+    const { ok, results } = await verifyManifest(manifestPath);
+    for (const r of results) {
+      process.stderr.write(`${r.ok ? "OK  " : "FAIL"} ${r.name}${r.reason ? ` (${r.reason})` : ""}\n`);
+    }
+    process.exitCode = ok ? 0 : 1;
+    return;
+  }
+  if (argv.length === 0) {
+    throw new Error("usage: release-checksums.mjs <file...> | --check SHA256SUMS");
+  }
+  process.stdout.write(await generateManifest(argv));
+}
+
+// Run only as a CLI (not when imported by tests). fileURLToPath handles
+// Windows paths and URL encoding that a raw `file://` compare would miss.
+if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
+  main(process.argv.slice(2)).catch((error) => {
+    process.stderr.write(`release-checksums: ${error.message}\n`);
+    process.exitCode = 1;
+  });
+}