llm-cli-gateway 2.8.0 → 2.10.0

package/dist/index.js

@@ -25,7 +25,7 @@ import { clearModelRegistryCache, getAvailableCliInfo, getCliInfo, resolveModelA
 import { getProviderToolCapabilities } from "./provider-tool-capabilities.js";
 import { AsyncJobManager, } from "./async-job-manager.js";
 import { createJobStore } from "./job-store.js";
-import { ApprovalManager } from "./approval-manager.js";
+import { ApprovalManager, bypassAllowedByOperator, } from "./approval-manager.js";
 import { checkReviewIntegrity } from "./review-integrity.js";
 import { buildClaudeMcpConfig, CLAUDE_MCP_SERVER_NAMES, } from "./claude-mcp-config.js";
 import { resolveGrokSessionArgs, resolveMistralSessionArgs, resolveCodexSessionArgs, sanitizeCliArgValues, prepareMistralRequest as buildMistralCliInvocation, MISTRAL_AGENT_MODES, GATEWAY_SESSION_PREFIX, resolveClaudePermissionFlags, resolveCodexSandboxFlags, CLAUDE_PERMISSION_MODES, GEMINI_APPROVAL_MODES, CODEX_SANDBOX_MODES, CODEX_ASK_FOR_APPROVAL_MODES, CLAUDE_EFFORT_LEVELS, prepareClaudeHighImpactFlags, validateClaudeAgentsMap, prepareCodexHighImpactFlags, prepareCodexForkRequest, CODEX_CONFIG_OVERRIDES_SCHEMA, resolveGeminiSessionPlan, GEMINI_HIGH_IMPACT_PARAMS_SCHEMA, } from "./request-helpers.js";
@@ -34,7 +34,7 @@ import { resolvePromptInput, PromptPartsSchema, assembleClaudeCacheBlocks, } fro
 import { computeSessionCacheStats, computeTtlRemaining, readPersistedRequest, PERSISTED_REQUEST_DEFAULT_MAX_CHARS, } from "./cache-stats.js";
 import { getCliVersions, runCliUpgrade } from "./cli-updater.js";
 import { startHttpGateway } from "./http-transport.js";
-import { getRequestContext } from "./request-context.js";
+import { getRequestContext, resolveOwnerPrincipal, principalCanAccess } from "./request-context.js";
 import { printDoctorJson } from "./doctor.js";
 import { createWorkspace, describeWorkspace, getWorkspace, loadWorkspaceRegistry, registerExistingWorkspace, resolveWorkspaceForProvider, validatePathInsideWorkspace, } from "./workspace-registry.js";
 import { generateSecret, hashSecret } from "./oauth.js";
@@ -434,7 +434,7 @@ export async function resolveWorktreeForRequest(worktreeOpt, sessionId, runtime,
         return {};
     const sessionManager = runtime.sessionManager;
     if (sessionId) {
-        const session = await Promise.resolve(sessionManager.getSession(sessionId));
+        const session = await getCallerOwnedSession(sessionManager, sessionId);
         const existingPath = session?.metadata?.worktreePath;
         if (typeof existingPath === "string" && existingPath.length > 0) {
             return {
@@ -477,9 +477,7 @@ function isGatewayAppDirCwd() {
     return process.cwd() === join(homedir(), ".llm-cli-gateway");
 }
 async function resolveWorkspaceAndWorktreeForRequest(args) {
-    const session = args.sessionId
-        ? await Promise.resolve(args.runtime.sessionManager.getSession(args.sessionId))
-        : null;
+    const session = await getCallerOwnedSession(args.runtime.sessionManager, args.sessionId);
     let workspace;
     if (args.workspace ||
         args.runtime.workspaces.defaultAlias ||
@@ -1274,7 +1272,8 @@ export function prepareClaudeRequest(params, runtime = resolveGatewayServerRunti
         args.push("--disallowed-tools", ...params.disallowedTools);
     }
     if (params.approvalStrategy === "mcp_managed") {
-        args.push("--permission-mode", "bypassPermissions");
+        const managedMode = bypassAllowedByOperator() ? "bypassPermissions" : "acceptEdits";
+        args.push("--permission-mode", managedMode);
     }
     else {
         const permFlags = resolveClaudePermissionFlags({
@@ -1539,7 +1538,11 @@ export function prepareGeminiRequest(params, runtime = resolveGatewayServerRunti
             return createApprovalDeniedResponse(params.operation, approvalDecision);
         }
     }
-    const effectiveApprovalMode = params.approvalStrategy === "mcp_managed" ? "yolo" : params.approvalMode;
+    const effectiveApprovalMode = params.approvalStrategy === "mcp_managed"
+        ? bypassAllowedByOperator()
+            ? "yolo"
+            : "default"
+        : params.approvalMode;
     const unsupported = (field, detail) => createErrorResponse(params.operation, 1, "", corrId, new Error(`${field} is not supported by Antigravity CLI (agy): ${detail}`));
     if (effectiveApprovalMode &&
         effectiveApprovalMode !== "default" &&
@@ -1646,14 +1649,22 @@ export function prepareGrokRequest(params, runtime = resolveGatewayServerRuntime
             return createApprovalDeniedResponse(params.operation, approvalDecision);
         }
     }
-    const effectiveAlwaysApprove = params.approvalStrategy === "mcp_managed" ? true : Boolean(params.alwaysApprove);
+    const managedGrokBypass = params.approvalStrategy === "mcp_managed" && bypassAllowedByOperator();
     const grokContract = UPSTREAM_CLI_CONTRACTS.grok;
     const genParams = params;
     const args = ["-p", effectivePrompt];
     if (resolvedModel)
         args.push("--model", resolvedModel);
     args.push(...buildArgvFromGeneration(grokContract, GROK_GEN_OUTPUT_FORMAT, genParams));
-    if (effectiveAlwaysApprove) {
+    if (params.approvalStrategy === "mcp_managed") {
+        if (managedGrokBypass) {
+            args.push("--always-approve");
+        }
+        else {
+            args.push("--permission-mode", "acceptEdits");
+        }
+    }
+    else if (Boolean(params.alwaysApprove)) {
         args.push("--always-approve");
     }
     else if (params.permissionMode) {
@@ -1760,7 +1771,9 @@ export function prepareMistralRequest(params, runtime = resolveGatewayServerRunt
         }
     }
     const effectivePermissionMode = params.approvalStrategy === "mcp_managed"
-        ? "auto-approve"
+        ? bypassAllowedByOperator()
+            ? "auto-approve"
+            : "accept-edits"
         : (params.permissionMode ?? "auto-approve");
     const prep = buildMistralCliInvocation({
         prompt: effectivePrompt,
@@ -1811,7 +1824,9 @@ export function buildMistralRetryPrep(params, recoveryModel) {
         resolvedModel: recoveryModel,
         outputFormat: params.outputFormat,
         permissionMode: params.approvalStrategy === "mcp_managed"
-            ? "auto-approve"
+            ? bypassAllowedByOperator()
+                ? "auto-approve"
+                : "accept-edits"
             : (params.permissionMode ?? "auto-approve"),
         allowedTools: params.allowedTools,
         disallowedTools: params.disallowedTools,
@@ -1955,11 +1970,33 @@ function usageFromXaiResult(result) {
         costUsd: result.usage.costUsd,
     };
 }
+function callerCanAccessSession(session) {
+    return principalCanAccess(session.ownerPrincipal, resolveOwnerPrincipal(getRequestContext()));
+}
+async function getCallerOwnedSession(sessionManager, sessionId) {
+    if (!sessionId)
+        return null;
+    const existing = await Promise.resolve(sessionManager.getSession(sessionId));
+    if (!existing || !callerCanAccessSession(existing))
+        return null;
+    return existing;
+}
+async function getCallerOwnedActiveSession(sessionManager, provider) {
+    const active = await Promise.resolve(sessionManager.getActiveSession(provider));
+    if (!active || !callerCanAccessSession(active))
+        return null;
+    return active;
+}
 async function getExistingSessionForProvider(sessionManager, sessionId, provider) {
     if (!sessionId)
         return null;
     const existing = await sessionManager.getSession(sessionId);
-    if (existing && existing.cli !== provider) {
+    if (!existing)
+        return null;
+    if (!callerCanAccessSession(existing)) {
+        throw new Error(`Session ${sessionId} is not accessible`);
+    }
+    if (existing.cli !== provider) {
         throw new Error(`Session ${sessionId} belongs to provider '${existing.cli}', not '${provider}'`);
     }
     return existing;
@@ -2012,7 +2049,7 @@ async function resolveGrokApiSession(params, runtime) {
         return { sessionId: session.id, previousResponseId: previous };
     }
     if (!params.createNewSession) {
-        const active = await runtime.sessionManager.getActiveSession("grok-api");
+        const active = await getCallerOwnedActiveSession(runtime.sessionManager, "grok-api");
         if (active) {
             const previous = typeof active.metadata?.xaiPreviousResponseId === "string"
                 ? active.metadata.xaiPreviousResponseId
@@ -3039,7 +3076,7 @@ export async function handleCodexRequestAsync(deps, params) {
     try {
         let effectiveSessionId = params.sessionId;
         if (!params.createNewSession && !params.sessionId) {
-            const activeSession = await deps.sessionManager.getActiveSession("codex");
+            const activeSession = await getCallerOwnedActiveSession(deps.sessionManager, "codex");
             if (activeSession) {
                 effectiveSessionId = activeSession.id;
             }
@@ -3049,6 +3086,7 @@ export async function handleCodexRequestAsync(deps, params) {
             }
         }
         else if (params.sessionId) {
+            await getExistingSessionForProvider(deps.sessionManager, params.sessionId, "codex");
             await deps.sessionManager.updateSessionUsage(params.sessionId);
         }
         else if (params.createNewSession) {
@@ -3389,7 +3427,7 @@ export function createGatewayServer(deps = {}) {
         let useContinue = continueSession;
         let activeSession = null;
         try {
-            activeSession = await sessionManager.getActiveSession("claude");
+            activeSession = await getCallerOwnedActiveSession(sessionManager, "claude");
         }
         catch (err) {
             logger.warn(`[${corrId}] sessionManager.getActiveSession failed (non-fatal): ${err.message}`);
@@ -3758,7 +3796,7 @@ export function createGatewayServer(deps = {}) {
             wasSuccessful = true;
             let effectiveSessionId = sessionId;
             if (!createNewSession && !sessionId) {
-                const activeSession = await sessionManager.getActiveSession("codex");
+                const activeSession = await getCallerOwnedActiveSession(sessionManager, "codex");
                 if (activeSession) {
                     effectiveSessionId = activeSession.id;
                 }
@@ -4469,7 +4507,7 @@ export function createGatewayServer(deps = {}) {
             try {
                 let effectiveSessionId = sessionId;
                 let useContinue = continueSession;
-                const activeSession = await sessionManager.getActiveSession("claude");
+                const activeSession = await getCallerOwnedActiveSession(sessionManager, "claude");
                 if (!createNewSession && !continueSession && !sessionId && activeSession) {
                     effectiveSessionId = activeSession.id;
                     useContinue = true;
@@ -5158,7 +5196,8 @@ export function createGatewayServer(deps = {}) {
             openWorldHint: false,
         }, async ({ jobId }) => {
             const job = asyncJobManager.getJobSnapshot(jobId);
-            if (!job) {
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            if (!job || !principalCanAccess(asyncJobManager.getJobOwner(jobId), caller)) {
                 return {
                     content: [
                         {
@@ -5202,7 +5241,8 @@ export function createGatewayServer(deps = {}) {
             openWorldHint: false,
         }, async ({ jobId, maxChars }) => {
             const result = asyncJobManager.getJobResult(jobId, maxChars);
-            if (!result) {
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            if (!result || !principalCanAccess(asyncJobManager.getJobOwner(jobId), caller)) {
                 return {
                     content: [
                         {
@@ -5259,6 +5299,23 @@ export function createGatewayServer(deps = {}) {
             idempotentHint: true,
             openWorldHint: false,
         }, async ({ jobId }) => {
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            if (asyncJobManager.getJobSnapshot(jobId) &&
+                !principalCanAccess(asyncJobManager.getJobOwner(jobId), caller)) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: JSON.stringify({
+                                success: false,
+                                jobId,
+                                reason: "Job not found",
+                            }, null, 2),
+                        },
+                    ],
+                    isError: true,
+                };
+            }
             const cancel = asyncJobManager.cancelJob(jobId);
             if (!cancel.canceled) {
                 return {
@@ -5315,7 +5372,8 @@ export function createGatewayServer(deps = {}) {
             maxChars,
             includePrompt,
         });
-        if (!record) {
+        const caller = resolveOwnerPrincipal(getRequestContext());
+        if (!record || !principalCanAccess(record.ownerPrincipal, caller)) {
             return {
                 content: [
                     {
@@ -5741,11 +5799,15 @@ export function createGatewayServer(deps = {}) {
         openWorldHint: false,
     }, async ({ cli }) => {
         try {
-            const sessions = await sessionManager.listSessions(cli);
-            const activeSessions = Object.fromEntries(await Promise.all(SESSION_PROVIDER_VALUES.map(async (provider) => [
-                provider,
-                await sessionManager.getActiveSession(provider),
-            ])));
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            const sessions = (await sessionManager.listSessions(cli)).filter(s => principalCanAccess(s.ownerPrincipal, caller));
+            const activeSessions = Object.fromEntries(await Promise.all(SESSION_PROVIDER_VALUES.map(async (provider) => {
+                const active = await sessionManager.getActiveSession(provider);
+                return [
+                    provider,
+                    active && principalCanAccess(active.ownerPrincipal, caller) ? active : null,
+                ];
+            })));
             const sessionList = sessions.map(s => ({
                 id: s.id,
                 cli: s.cli,
@@ -5785,6 +5847,24 @@ export function createGatewayServer(deps = {}) {
         openWorldHint: false,
     }, async ({ cli, sessionId }) => {
         try {
+            if (sessionId) {
+                const caller = resolveOwnerPrincipal(getRequestContext());
+                const target = await sessionManager.getSession(sessionId);
+                if (!target || !principalCanAccess(target.ownerPrincipal, caller)) {
+                    return {
+                        content: [
+                            {
+                                type: "text",
+                                text: JSON.stringify({
+                                    success: false,
+                                    error: "Session not found or does not belong to the specified provider",
+                                }, null, 2),
+                            },
+                        ],
+                        isError: true,
+                    };
+                }
+            }
             const success = await sessionManager.setActiveSession(cli, sessionId || null);
             if (!success) {
                 return {
@@ -5829,7 +5909,8 @@ export function createGatewayServer(deps = {}) {
     }, async ({ sessionId }) => {
         try {
             const session = await sessionManager.getSession(sessionId);
-            if (!session) {
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            if (!session || !principalCanAccess(session.ownerPrincipal, caller)) {
                 return {
                     content: [
                         {
@@ -5876,7 +5957,8 @@ export function createGatewayServer(deps = {}) {
     }, async ({ sessionId }) => {
         try {
             const session = await sessionManager.getSession(sessionId);
-            if (!session) {
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            if (!session || !principalCanAccess(session.ownerPrincipal, caller)) {
                 return {
                     content: [
                         {
@@ -5944,7 +6026,13 @@ export function createGatewayServer(deps = {}) {
         openWorldHint: false,
     }, async ({ cli }) => {
         try {
-            const count = await sessionManager.clearAllSessions(cli);
+            const caller = resolveOwnerPrincipal(getRequestContext());
+            const owned = (await sessionManager.listSessions(cli)).filter(s => principalCanAccess(s.ownerPrincipal, caller));
+            let count = 0;
+            for (const s of owned) {
+                if (await sessionManager.deleteSession(s.id))
+                    count++;
+            }
             logger.info(`Cleared ${count} sessions${cli ? ` for ${cli}` : ""}`);
             return {
                 content: [

package/dist/job-store.d.ts

@@ -18,6 +18,7 @@ export interface JobRecord {
     finishedAt: string | null;
     pid: number | null;
     expiresAt: string;
+    ownerPrincipal: string | null;
 }
 export declare function resolveJobStoreDbPath(): string | null;
 export declare function resolveJobRetentionMs(): number;
@@ -33,6 +34,7 @@ export interface JobStore {
         outputFormat?: string;
         startedAt: string;
         pid: number | null;
+        ownerPrincipal?: string | null;
     }): void;
     recordOutput(id: string, stdout: string, stderr: string, outputTruncated: boolean): void;
     recordComplete(input: {
@@ -88,6 +90,7 @@ export declare class SqliteJobStore implements JobStore {
         outputFormat?: string;
         startedAt: string;
         pid: number | null;
+        ownerPrincipal?: string | null;
     }): void;
     recordOutput(id: string, stdout: string, stderr: string, outputTruncated: boolean): void;
     recordComplete(input: {
@@ -127,6 +130,7 @@ export declare class MemoryJobStore implements JobStore {
         outputFormat?: string;
         startedAt: string;
         pid: number | null;
+        ownerPrincipal?: string | null;
     }): void;
     recordOutput(id: string, stdout: string, stderr: string, outputTruncated: boolean): void;
     recordComplete(input: {

package/dist/job-store.js

@@ -57,8 +57,16 @@ function rowToRecord(row) {
         finishedAt: row.finished_at,
         pid: row.pid,
         expiresAt: row.expires_at,
+        ownerPrincipal: row.owner_principal ?? null,
     };
 }
+function ensureJobsOwnerColumn(db) {
+    const cols = db.prepare("PRAGMA table_info(jobs)").all();
+    const hasOwner = cols.some(col => col?.name === "owner_principal");
+    if (!hasOwner) {
+        db.exec("ALTER TABLE jobs ADD COLUMN owner_principal TEXT");
+    }
+}
 export class SqliteJobStore {
     logger;
     db;
@@ -94,13 +102,15 @@ export class SqliteJobStore {
         started_at TEXT NOT NULL,
         finished_at TEXT,
         pid INTEGER,
-        expires_at TEXT NOT NULL
+        expires_at TEXT NOT NULL,
+        owner_principal TEXT
       );
       CREATE INDEX IF NOT EXISTS idx_jobs_request_key ON jobs(request_key);
       CREATE INDEX IF NOT EXISTS idx_jobs_status ON jobs(status);
       CREATE INDEX IF NOT EXISTS idx_jobs_expires_at ON jobs(expires_at);
       CREATE INDEX IF NOT EXISTS idx_jobs_request_key_finished ON jobs(request_key, finished_at);
     `);
+        ensureJobsOwnerColumn(this.db);
         if (process.platform !== "win32") {
             try {
                 chmodSync(dbPath, 0o600);
@@ -113,10 +123,10 @@ export class SqliteJobStore {
         this.insertStmt = this.db.prepare(`
       INSERT INTO jobs (id, correlation_id, request_key, cli, args_json, output_format,
                         status, exit_code, stdout, stderr, output_truncated, error,
-                        started_at, finished_at, pid, expires_at)
+                        started_at, finished_at, pid, expires_at, owner_principal)
       VALUES (@id, @correlation_id, @request_key, @cli, @args_json, @output_format,
               @status, @exit_code, @stdout, @stderr, @output_truncated, @error,
-              @started_at, @finished_at, @pid, @expires_at)
+              @started_at, @finished_at, @pid, @expires_at, @owner_principal)
     `);
         this.updateOutputStmt = this.db.prepare(`
       UPDATE jobs SET stdout = @stdout, stderr = @stderr, output_truncated = @output_truncated
@@ -163,12 +173,13 @@ export class SqliteJobStore {
             exit_code: null,
             stdout: "",
             stderr: "",
-            output_truncated: 0,
             error: null,
+            output_truncated: 0,
             started_at: input.startedAt,
             finished_at: null,
             pid: input.pid,
             expires_at: FAR_FUTURE_ISO,
+            owner_principal: input.ownerPrincipal ?? null,
         });
     }
     recordOutput(id, stdout, stderr, outputTruncated) {
@@ -258,6 +269,7 @@ export class MemoryJobStore {
             finishedAt: null,
             pid: input.pid,
             expiresAt: FAR_FUTURE_ISO,
+            ownerPrincipal: input.ownerPrincipal ?? null,
         });
     }
     recordOutput(id, stdout, stderr, outputTruncated) {

package/dist/oauth.d.ts

@@ -33,6 +33,8 @@ export declare class OAuthServer {
     private registrationAllowedByPolicy;
     private handleRegister;
     private handleAuthorize;
+    private verifyConsent;
+    private renderConsentPage;
     private handleToken;
     private pruneExpiredCodes;
 }

package/dist/oauth.js

@@ -1,5 +1,6 @@
 import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
 import { URLSearchParams } from "node:url";
+import { readCappedRawBody, maxOAuthBodyBytes } from "./request-limits.js";
 import { issueOAuthAccessToken, timingSafeStringEqual, } from "./auth.js";
 export const OAUTH_CODE_TTL_MS = 5 * 60 * 1000;
 const GENERATED_SECRET_BYTES = 32;
@@ -52,6 +53,30 @@ export function redactSecret(value) {
 function firstHeader(value) {
     return Array.isArray(value) ? value[0] : value;
 }
+const HTML_ESCAPES = {
+    "&": "&",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#39;",
+};
+function escapeHtml(value) {
+    return value.replace(/[&<>"']/g, char => HTML_ESCAPES[char] ?? char);
+}
+function readCookie(req, name) {
+    const header = firstHeader(req.headers.cookie);
+    if (!header)
+        return null;
+    for (const part of header.split(";")) {
+        const idx = part.indexOf("=");
+        if (idx < 0)
+            continue;
+        if (part.slice(0, idx).trim() === name) {
+            return decodeURIComponent(part.slice(idx + 1).trim());
+        }
+    }
+    return null;
+}
 function methodNotAllowed(res) {
     res.writeHead(405, { allow: "GET, POST", "content-type": "application/json" });
     res.end(JSON.stringify({ error: "Method not allowed" }));
@@ -105,12 +130,7 @@ function extractStringArray(value, params, key) {
     return values.filter((item) => typeof item === "string" && item.length > 0);
 }
 async function readRawBody(req) {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        req.on("data", chunk => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
-        req.on("error", reject);
-        req.on("end", () => resolve(chunks.length ? Buffer.concat(chunks).toString("utf8") : ""));
-    });
+    return readCappedRawBody(req, maxOAuthBodyBytes());
 }
 async function readOAuthBody(req) {
     const raw = await readRawBody(req);
@@ -272,8 +292,7 @@ export class OAuthServer {
     registrationAllowedByPolicy(req, params) {
         const policy = this.opts.config.registrationPolicy;
         if (policy === "open_dev") {
-            const host = firstHeader(req.headers.host) ?? "";
-            return isLocalHost(host) || process.env.LLM_GATEWAY_OAUTH_OPEN_DEV === "1";
+            return process.env.LLM_GATEWAY_OAUTH_OPEN_DEV === "1";
         }
         if (policy === "static_clients")
             return false;
@@ -372,6 +391,17 @@ export class OAuthServer {
             res.end();
             return;
         }
+        if (this.opts.config.requireConsent) {
+            const isSubmission = req.method === "POST" && params.get("gw_consent") === "1";
+            if (!isSubmission) {
+                this.renderConsentPage(res, params, clientId, requestedScopes);
+                return;
+            }
+            if (!this.verifyConsent(req, params)) {
+                this.renderConsentPage(res, params, clientId, requestedScopes, "Incorrect access code.");
+                return;
+            }
+        }
         this.pruneExpiredCodes();
         const code = randomUUID();
         this.codes.set(code, {
@@ -389,6 +419,58 @@ export class OAuthServer {
         res.writeHead(302, { location: target.toString() });
         res.end();
     }
+    verifyConsent(req, params) {
+        const cookie = readCookie(req, "gw_oauth_csrf");
+        const formCsrf = params.get("gw_csrf");
+        if (!cookie || !formCsrf || !timingSafeStringEqual(cookie, formCsrf))
+            return false;
+        const secret = params.get("consent_secret") ?? "";
+        const hash = this.opts.config.consentSecretHash;
+        return Boolean(hash && secret && verifySecret(secret, hash));
+    }
+    renderConsentPage(res, params, clientId, requestedScopes, error) {
+        const csrf = randomUUID();
+        const carried = [
+            ["response_type", params.get("response_type")],
+            ["client_id", clientId],
+            ["redirect_uri", params.get("redirect_uri")],
+            ["scope", params.get("scope")],
+            ["state", params.get("state")],
+            ["code_challenge", params.get("code_challenge")],
+            ["code_challenge_method", params.get("code_challenge_method")],
+            ["gw_consent", "1"],
+            ["gw_csrf", csrf],
+        ];
+        const hidden = carried
+            .filter(([, value]) => value != null && value !== "")
+            .map(([key, value]) => `<input type="hidden" name="${escapeHtml(key)}" value="${escapeHtml(String(value))}">`)
+            .join("\n      ");
+        const scopeList = requestedScopes.map(escapeHtml).join(", ");
+        const errorBlock = error ? `<p class="err">${escapeHtml(error)}</p>` : "";
+        const html = `<!doctype html>
+<html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorize access</title>
+<style>body{font-family:system-ui,sans-serif;max-width:32rem;margin:3rem auto;padding:0 1rem}
+.box{border:1px solid #ddd;border-radius:8px;padding:1.5rem}label{display:block;margin:.75rem 0 .25rem}
+input[type=password]{width:100%;padding:.5rem;box-sizing:border-box}button{margin-top:1rem;padding:.6rem 1.2rem}
+.err{color:#b00020}.muted{color:#555;font-size:.9rem}</style></head>
+<body><div class="box"><h2>Authorize access</h2>
+<p>Application <strong>${escapeHtml(clientId)}</strong> is requesting access to: <strong>${scopeList}</strong>.</p>
+${errorBlock}
+<form method="post" autocomplete="off">
+      ${hidden}
+      <label for="consent_secret">Gateway access code</label>
+      <input id="consent_secret" type="password" name="consent_secret" required autofocus>
+      <button type="submit">Approve</button>
+</form>
+<p class="muted">Only approve if you initiated this connection.</p></div></body></html>`;
+        res.writeHead(200, {
+            "content-type": "text/html; charset=utf-8",
+            "set-cookie": `gw_oauth_csrf=${csrf}; HttpOnly; SameSite=Lax; Path=/oauth`,
+            "cache-control": "no-store",
+        });
+        res.end(html);
+    }
     async handleToken(req, res) {
         if (req.method !== "POST") {
             methodNotAllowed(res);

package/dist/request-context.d.ts

@@ -3,6 +3,9 @@ export interface GatewayRequestContext {
     authKind?: "disabled" | "gateway_bearer" | "oauth";
     authScopes: string[];
     authClientId?: string;
+    authPrincipal?: string;
 }
+export declare function resolveOwnerPrincipal(ctx: GatewayRequestContext | undefined): string;
+export declare function principalCanAccess(rowOwner: string | null | undefined, caller: string): boolean;
 export declare function runWithRequestContext<T>(context: GatewayRequestContext, callback: () => T | Promise<T>): T | Promise<T>;
 export declare function getRequestContext(): GatewayRequestContext | undefined;

package/dist/request-context.js

@@ -1,5 +1,21 @@
 import { AsyncLocalStorage } from "node:async_hooks";
 const requestContext = new AsyncLocalStorage();
+export function resolveOwnerPrincipal(ctx) {
+    if (!ctx)
+        return "local";
+    if (ctx.authPrincipal)
+        return ctx.authPrincipal;
+    if (ctx.authKind === "gateway_bearer")
+        return "gateway-bearer";
+    return "local";
+}
+export function principalCanAccess(rowOwner, caller) {
+    if (rowOwner === caller)
+        return true;
+    if ((rowOwner === null || rowOwner === undefined) && caller === "local")
+        return true;
+    return false;
+}
 export function runWithRequestContext(context, callback) {
     return requestContext.run(context, callback);
 }

package/dist/request-limits.d.ts

@@ -0,0 +1,8 @@
+import type { IncomingMessage } from "node:http";
+export declare class PayloadTooLargeError extends Error {
+    readonly statusCode = 413;
+    constructor(maxBytes: number);
+}
+export declare function maxHttpBodyBytes(env?: NodeJS.ProcessEnv): number;
+export declare function maxOAuthBodyBytes(env?: NodeJS.ProcessEnv): number;
+export declare function readCappedRawBody(req: IncomingMessage, maxBytes: number): Promise<string>;

package/dist/request-limits.js

@@ -0,0 +1,49 @@
+export class PayloadTooLargeError extends Error {
+    statusCode = 413;
+    constructor(maxBytes) {
+        super(`Request body exceeds maximum size (${maxBytes} bytes)`);
+        this.name = "PayloadTooLargeError";
+    }
+}
+const DEFAULT_MAX_HTTP_BODY_BYTES = 8 * 1024 * 1024;
+const DEFAULT_MAX_OAUTH_BODY_BYTES = 64 * 1024;
+function positiveIntFromEnv(value, fallback) {
+    const parsed = Number(value);
+    return Number.isFinite(parsed) && parsed > 0 ? Math.floor(parsed) : fallback;
+}
+export function maxHttpBodyBytes(env = process.env) {
+    return positiveIntFromEnv(env.LLM_GATEWAY_MAX_HTTP_BODY_BYTES, DEFAULT_MAX_HTTP_BODY_BYTES);
+}
+export function maxOAuthBodyBytes(env = process.env) {
+    return positiveIntFromEnv(env.LLM_GATEWAY_MAX_OAUTH_BODY_BYTES, DEFAULT_MAX_OAUTH_BODY_BYTES);
+}
+export function readCappedRawBody(req, maxBytes) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let total = 0;
+        let aborted = false;
+        req.on("data", (chunk) => {
+            if (aborted)
+                return;
+            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            total += buf.length;
+            if (total > maxBytes) {
+                aborted = true;
+                chunks.length = 0;
+                reject(new PayloadTooLargeError(maxBytes));
+                req.resume();
+                return;
+            }
+            chunks.push(buf);
+        });
+        req.on("error", err => {
+            if (!aborted)
+                reject(err);
+        });
+        req.on("end", () => {
+            if (aborted)
+                return;
+            resolve(chunks.length === 0 ? "" : Buffer.concat(chunks).toString("utf8"));
+        });
+    });
+}