mtrx-cli 0.1.11 → 0.1.14

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mtrx-cli",
-  "version": "0.1.11",
-  "description": "MATRX CLI for routing Codex and Claude through Matrx",
+  "version": "0.1.14",
+  "description": "MATRX CLI for routing Codex, Claude, and Cursor through Matrx",
   "homepage": "https://mtrx.so",
   "repository": {
     "type": "git",
@@ -15,6 +15,7 @@
     "cli",
     "codex",
     "claude",
+    "cursor",
     "ai"
   ],
   "bin": {
@@ -24,8 +25,12 @@
     "bin/mtrx.js",
     "src/matrx/__init__.py",
     "src/matrx/cli/__init__.py",
+    "src/matrx/cli/cursor_ca.py",
     "src/matrx/cli/cursor_config.py",
+    "src/matrx/cli/cursor_daemon.py",
+    "src/matrx/cli/cursor_launcher.py",
     "src/matrx/cli/cursor_proxy.py",
+    "src/matrx/cli/cursor_service.py",
     "src/matrx/cli/launcher.py",
     "src/matrx/cli/main.py",
     "src/matrx/cli/state.py"

package/src/matrx/__init__.py

@@ -1 +1 @@
-__version__ = "0.1.11"
+__version__ = "0.1.14"

package/src/matrx/cli/cursor_ca.py

@@ -0,0 +1,275 @@
+"""
+CA certificate management for the MTRX Cursor MITM proxy.
+
+Generates a root CA key + certificate, dynamically signs per-host leaf
+certificates, and provides platform-specific helpers for trusting the CA
+in the system/Cursor environment.
+"""
+
+from __future__ import annotations
+
+import datetime
+import logging
+import os
+import platform
+import subprocess
+import threading
+from pathlib import Path
+
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+
+from matrx.cli.state import config_dir
+
+logger = logging.getLogger(__name__)
+
+_CA_DIR_NAME = "ca"
+_CA_KEY_FILE = "mtrx-ca.key"
+_CA_CERT_FILE = "mtrx-ca.pem"
+_CERT_VALIDITY_YEARS = 5
+_LEAF_VALIDITY_DAYS = 365
+
+
+def ca_dir() -> Path:
+    return config_dir() / _CA_DIR_NAME
+
+
+def ca_key_path() -> Path:
+    return ca_dir() / _CA_KEY_FILE
+
+
+def ca_cert_path() -> Path:
+    return ca_dir() / _CA_CERT_FILE
+
+
+def ca_exists() -> bool:
+    return ca_key_path().exists() and ca_cert_path().exists()
+
+
+def generate_ca(*, force: bool = False) -> tuple[Path, Path]:
+    """Generate a root CA key and self-signed certificate.
+
+    Returns (key_path, cert_path).  Skips generation if files already exist
+    unless *force* is True.
+    """
+    key_path = ca_key_path()
+    cert_path = ca_cert_path()
+    if not force and key_path.exists() and cert_path.exists():
+        return key_path, cert_path
+
+    ca_dir().mkdir(parents=True, exist_ok=True)
+
+    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    subject = issuer = x509.Name([
+        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "MTRX"),
+        x509.NameAttribute(NameOID.COMMON_NAME, "MTRX Cursor Proxy CA"),
+    ])
+    now = datetime.datetime.now(datetime.timezone.utc)
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(subject)
+        .issuer_name(issuer)
+        .public_key(key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(now)
+        .not_valid_after(now + datetime.timedelta(days=_CERT_VALIDITY_YEARS * 365))
+        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
+        .add_extension(
+            x509.KeyUsage(
+                digital_signature=True,
+                key_cert_sign=True,
+                crl_sign=True,
+                content_commitment=False,
+                key_encipherment=False,
+                data_encipherment=False,
+                key_agreement=False,
+                encipher_only=False,
+                decipher_only=False,
+            ),
+            critical=True,
+        )
+        .sign(key, hashes.SHA256())
+    )
+
+    key_path.write_bytes(
+        key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+    )
+    os.chmod(key_path, 0o600)
+    cert_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
+
+    return key_path, cert_path
+
+
+def load_ca() -> tuple[rsa.RSAPrivateKey, x509.Certificate]:
+    """Load the CA key and certificate from disk."""
+    key_pem = ca_key_path().read_bytes()
+    cert_pem = ca_cert_path().read_bytes()
+    key = serialization.load_pem_private_key(key_pem, password=None)
+    cert = x509.load_pem_x509_certificate(cert_pem)
+    return key, cert  # type: ignore[return-value]
+
+
+class CertCache:
+    """Thread-safe cache for dynamically-signed leaf certificates.
+
+    Caches both the raw PEM bytes and ready-to-use ``ssl.SSLContext``
+    objects so that repeated connections to the same host avoid temp-file
+    I/O and key-generation overhead.
+    """
+
+    def __init__(self, ca_key: rsa.RSAPrivateKey, ca_cert: x509.Certificate):
+        self._ca_key = ca_key
+        self._ca_cert = ca_cert
+        self._lock = threading.Lock()
+        self._cache: dict[str, tuple[bytes, bytes]] = {}
+        self._ctx_cache: dict[str, "ssl.SSLContext"] = {}
+        self._certs_dir = ca_dir() / "certs"
+        self._certs_dir.mkdir(parents=True, exist_ok=True)
+
+    def get_cert_pair(self, hostname: str) -> tuple[bytes, bytes]:
+        """Return (cert_pem, key_pem) for *hostname*, creating if needed."""
+        with self._lock:
+            if hostname in self._cache:
+                return self._cache[hostname]
+
+        cert_pem, key_pem = self._sign_leaf(hostname)
+
+        with self._lock:
+            self._cache[hostname] = (cert_pem, key_pem)
+        return cert_pem, key_pem
+
+    def get_ssl_context(self, hostname: str) -> "ssl.SSLContext":
+        """Return a server-side ``ssl.SSLContext`` for *hostname*."""
+        import ssl as _ssl
+
+        with self._lock:
+            if hostname in self._ctx_cache:
+                return self._ctx_cache[hostname]
+
+        cert_pem, key_pem = self.get_cert_pair(hostname)
+
+        cert_file = self._certs_dir / f"{hostname}.crt"
+        key_file = self._certs_dir / f"{hostname}.key"
+        cert_file.write_bytes(cert_pem)
+        key_file.write_bytes(key_pem)
+        os.chmod(key_file, 0o600)
+
+        ctx = _ssl.SSLContext(_ssl.PROTOCOL_TLS_SERVER)
+        ctx.load_cert_chain(str(cert_file), str(key_file))
+        ctx.set_alpn_protocols(["http/1.1"])
+
+        with self._lock:
+            self._ctx_cache[hostname] = ctx
+        return ctx
+
+    def _sign_leaf(self, hostname: str) -> tuple[bytes, bytes]:
+        leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+        now = datetime.datetime.now(datetime.timezone.utc)
+        subject = x509.Name([
+            x509.NameAttribute(NameOID.COMMON_NAME, hostname),
+        ])
+
+        builder = (
+            x509.CertificateBuilder()
+            .subject_name(subject)
+            .issuer_name(self._ca_cert.subject)
+            .public_key(leaf_key.public_key())
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(now - datetime.timedelta(days=1))
+            .not_valid_after(now + datetime.timedelta(days=_LEAF_VALIDITY_DAYS))
+            .add_extension(
+                x509.SubjectAlternativeName([x509.DNSName(hostname)]),
+                critical=False,
+            )
+            .add_extension(
+                x509.BasicConstraints(ca=False, path_length=None),
+                critical=True,
+            )
+        )
+        leaf_cert = builder.sign(self._ca_key, hashes.SHA256())
+
+        cert_pem = leaf_cert.public_bytes(serialization.Encoding.PEM)
+        key_pem = leaf_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+        return cert_pem, key_pem
+
+
+# ---------------------------------------------------------------------------
+# Platform-specific CA trust helpers
+# ---------------------------------------------------------------------------
+
+def trust_ca_system(cert_path: Path | None = None) -> bool:
+    """Attempt to trust the CA certificate in the OS certificate store.
+
+    Returns True on success.  May require elevated privileges.
+    """
+    cert_path = cert_path or ca_cert_path()
+    system = platform.system()
+    try:
+        if system == "Darwin":
+            return _trust_ca_macos(cert_path)
+        if system == "Linux":
+            return _trust_ca_linux(cert_path)
+        if system == "Windows":
+            return _trust_ca_windows(cert_path)
+    except Exception as exc:
+        logger.warning("CA trust failed: %s", exc)
+    return False
+
+
+def _trust_ca_macos(cert_path: Path) -> bool:
+    result = subprocess.run(
+        [
+            "security", "add-trusted-cert",
+            "-d",  # user trust domain
+            "-r", "trustRoot",
+            "-k", str(Path.home() / "Library" / "Keychains" / "login.keychain-db"),
+            str(cert_path),
+        ],
+        capture_output=True,
+        timeout=30,
+    )
+    return result.returncode == 0
+
+
+def _trust_ca_linux(cert_path: Path) -> bool:
+    dest = Path("/usr/local/share/ca-certificates/mtrx-cursor-proxy.crt")
+    subprocess.run(["sudo", "cp", str(cert_path), str(dest)], check=True, timeout=30)
+    result = subprocess.run(["sudo", "update-ca-certificates"], capture_output=True, timeout=30)
+    return result.returncode == 0
+
+
+def _trust_ca_windows(cert_path: Path) -> bool:
+    result = subprocess.run(
+        ["certutil", "-addstore", "Root", str(cert_path)],
+        capture_output=True,
+        timeout=30,
+    )
+    return result.returncode == 0
+
+
+def is_ca_trusted() -> bool:
+    """Best-effort check whether the MTRX CA is trusted by the OS."""
+    if not ca_exists():
+        return False
+    system = platform.system()
+    try:
+        if system == "Darwin":
+            result = subprocess.run(
+                ["security", "find-certificate", "-c", "MTRX Cursor Proxy CA"],
+                capture_output=True,
+                timeout=10,
+            )
+            return result.returncode == 0
+    except Exception:
+        pass
+    return False