npm - responses-proxy - Versions diffs - 0.1.2 → 0.2.0 - Mend

responses-proxy 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/cli.js +366 -92
package/dist/mitm/cert.js +111 -0
package/dist/mitm/dns.js +150 -0
package/dist/mitm/server.js +229 -0
package/dist/mitm/start-server.js +13 -0
package/dist/package.json +1 -1
package/dist/server.js +145 -22
package/package.json +1 -1

package/cli.js CHANGED Viewed

@@ -1,76 +1,307 @@
 #!/usr/bin/env node
 /**
- * responses-proxy CLI — starts the proxy server and opens the dashboard.
+ * responses-proxy CLI — full command interface for managing the proxy.
  *
  * Usage:
- *   npx responses-proxy
- *   responses-proxy --port 8318
- *   responses-proxy --no-browser
+ *   responses-proxy                     # Start foreground, open browser
+ *   responses-proxy --background        # Start as background daemon
+ *   responses-proxy stop                # Stop daemon
+ *   responses-proxy status              # Check running state
+ *   responses-proxy restart             # Restart daemon
+ *   responses-proxy logs                # Tail server logs
+ *   responses-proxy config              # Show current config
+ *   responses-proxy config set KEY VAL  # Set env config
+ *   responses-proxy setup               # Interactive first-time setup
+ *   responses-proxy password <pass>     # Set dashboard password
+ *   responses-proxy info                # Show connection details (endpoint + key)
  */
-const { spawn, exec } = require("child_process");
+const { spawn, exec, execSync } = require("child_process");
 const path = require("path");
 const fs = require("fs");
 const os = require("os");
+const readline = require("readline");
 const pkg = require("./package.json");
 const args = process.argv.slice(2);
-// Defaults
+// ─── Paths ───────────────────────────────────────────────────────────────────
+const dataDir = path.join(os.homedir(), ".responses-proxy");
+fs.mkdirSync(dataDir, { recursive: true });
+const PID_FILE = path.join(dataDir, "server.pid");
+const LOG_FILE = path.join(dataDir, "server.log");
+const ENV_FILE = path.join(dataDir, "config.env");
+const serverPath = path.join(__dirname, "dist", "server.js");
+const nodeModulesPath = path.join(__dirname, "dist", "node_modules");
+// ─── Config ──────────────────────────────────────────────────────────────────
+function loadEnvConfig() {
+  if (!fs.existsSync(ENV_FILE)) return {};
+  const lines = fs.readFileSync(ENV_FILE, "utf8").split("\n");
+  const env = {};
+  for (const line of lines) {
+    const match = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/);
+    if (match) env[match[1]] = match[2];
+  }
+  return env;
+}
+function saveEnvConfig(env) {
+  const lines = Object.entries(env).map(([k, v]) => `${k}=${v}`);
+  fs.writeFileSync(ENV_FILE, lines.join("\n") + "\n");
+}
+function getConfig(key) {
+  const env = loadEnvConfig();
+  return env[key] || process.env[key] || "";
+}
+function setConfig(key, value) {
+  const env = loadEnvConfig();
+  env[key] = value;
+  saveEnvConfig(env);
+}
+// ─── Parse args ──────────────────────────────────────────────────────────────
 const DEFAULT_PORT = 8318;
-let port = DEFAULT_PORT;
-let host = "0.0.0.0";
+let port = parseInt(getConfig("PORT")) || DEFAULT_PORT;
+let host = getConfig("HOST") || "0.0.0.0";
 let noBrowser = false;
+let background = false;
+let subcommand = null;
+let subArgs = [];
-// Parse args
 for (let i = 0; i < args.length; i++) {
-  if (args[i] === "--port" || args[i] === "-p") {
-    port = parseInt(args[i + 1], 10) || DEFAULT_PORT;
-    i++;
-  } else if (args[i] === "--host" || args[i] === "-H") {
-    host = args[i + 1] || "0.0.0.0";
-    i++;
-  } else if (args[i] === "--no-browser" || args[i] === "-n") {
-    noBrowser = true;
-  } else if (args[i] === "--help" || args[i] === "-h") {
-    console.log(`
-responses-proxy v${pkg.version}
-Usage: responses-proxy [options]
+  const arg = args[i];
+  if (arg === "--port" || arg === "-p") { port = parseInt(args[++i], 10) || DEFAULT_PORT; }
+  else if (arg === "--host" || arg === "-H") { host = args[++i] || "0.0.0.0"; }
+  else if (arg === "--no-browser" || arg === "-n") { noBrowser = true; }
+  else if (arg === "--background" || arg === "--bg" || arg === "-b" || arg === "--daemon") { background = true; }
+  else if (arg === "--help" || arg === "-h") { printHelp(); process.exit(0); }
+  else if (arg === "--version" || arg === "-v") { console.log(pkg.version); process.exit(0); }
+  else if (!arg.startsWith("-")) {
+    subcommand = arg;
+    subArgs = args.slice(i + 1);
+    break;
+  }
+}
+function printHelp() {
+  console.log(`
+responses-proxy v${pkg.version} — AI Routing Proxy
+Usage: responses-proxy [command] [options]
+Commands:
+  (none)                Start the server (foreground)
+  stop                  Stop the background daemon
+  status                Check if running
+  restart               Restart background daemon
+  logs                  Show recent server logs
+  info                  Show endpoint URL + API key
+  config                Show all config
+  config set KEY VALUE  Set a config value
+  config get KEY        Get a config value
+  setup                 Interactive first-time setup wizard
+  password <pass>       Set dashboard admin password
+  open                  Open dashboard in browser
 Options:
-  -p, --port <port>   Port to run the server (default: ${DEFAULT_PORT})
-  -H, --host <host>   Host to bind (default: 0.0.0.0)
-  -n, --no-browser    Don't open browser automatically
-  -h, --help          Show this help message
-  -v, --version       Show version
+  -p, --port <port>     Port (default: ${DEFAULT_PORT})
+  -H, --host <host>     Host (default: 0.0.0.0)
+  -n, --no-browser      Don't auto-open browser
+  -b, --background      Run as background daemon
+  -h, --help            Show help
+  -v, --version         Show version
+Data directory: ${dataDir}
+Config file:    ${ENV_FILE}
 `);
-    process.exit(0);
-  } else if (args[i] === "--version" || args[i] === "-v") {
-    console.log(pkg.version);
-    process.exit(0);
+}
+// ─── Subcommand dispatch ─────────────────────────────────────────────────────
+if (subcommand === "stop") { stopDaemon(); process.exit(0); }
+if (subcommand === "status") { checkStatus(); process.exit(0); }
+if (subcommand === "restart") { stopDaemon(); background = true; }
+if (subcommand === "logs") { showLogs(); process.exit(0); }
+if (subcommand === "info") { showInfo(); process.exit(0); }
+if (subcommand === "open") { openDashboard(); process.exit(0); }
+if (subcommand === "config") { handleConfig(); process.exit(0); }
+if (subcommand === "password") { handlePassword(); process.exit(0); }
+if (subcommand === "setup") { runSetup().then(() => process.exit(0)); }
+else if (subcommand && !["restart"].includes(subcommand)) {
+  console.error(`Unknown command: ${subcommand}\nRun 'responses-proxy --help' for usage.`);
+  process.exit(1);
+}
+// ─── Subcommand implementations ──────────────────────────────────────────────
+function getDaemonPid() {
+  try {
+    if (!fs.existsSync(PID_FILE)) return null;
+    const pid = parseInt(fs.readFileSync(PID_FILE, "utf8").trim(), 10);
+    if (!pid) return null;
+    process.kill(pid, 0);
+    return pid;
+  } catch {
+    try { fs.unlinkSync(PID_FILE); } catch {}
+    return null;
   }
 }
-// Resolve paths
-const serverPath = path.join(__dirname, "dist", "server.js");
+function stopDaemon() {
+  const pid = getDaemonPid();
+  if (!pid) { console.log("⏹  Not running."); return; }
+  try {
+    process.kill(pid, "SIGTERM");
+    console.log(`⏹  Stopped (PID: ${pid})`);
+    try { fs.unlinkSync(PID_FILE); } catch {}
+  } catch (e) { console.error(`Failed: ${e.message}`); }
+}
+function checkStatus() {
+  const pid = getDaemonPid();
+  const displayHost = host === "0.0.0.0" ? "localhost" : host;
+  if (pid) {
+    console.log(`✅ Running (PID: ${pid})`);
+    console.log(`   Endpoint:  http://${displayHost}:${port}/v1`);
+    console.log(`   Dashboard: http://${displayHost}:${port}/`);
+    console.log(`   Data:      ${dataDir}`);
+  } else {
+    console.log("⏹  Not running.");
+  }
+}
+function showLogs() {
+  if (!fs.existsSync(LOG_FILE)) { console.log("No logs yet."); return; }
+  const lines = fs.readFileSync(LOG_FILE, "utf8").split("\n");
+  console.log(lines.slice(-80).join("\n"));
+}
+function showInfo() {
+  const displayHost = host === "0.0.0.0" ? "localhost" : host;
+  const password = getConfig("DASHBOARD_PASSWORD") || "admin";
+  console.log(`
+┌─────────────────────────────────────────┐
+│  responses-proxy v${pkg.version.padEnd(25)}│
+├─────────────────────────────────────────┤
+│  Endpoint:  http://${displayHost}:${port}/v1${" ".repeat(Math.max(0, 18 - String(port).length))}│
+│  Dashboard: http://${displayHost}:${port}/${" ".repeat(Math.max(0, 20 - String(port).length))}│
+│  Password:  ${password.padEnd(27)}│
+├─────────────────────────────────────────┤
+│  For Claude Code:                       │
+│  export ANTHROPIC_BASE_URL=http://${displayHost}:${port}/v1
+│  export ANTHROPIC_API_KEY=sk_anything   │
+├─────────────────────────────────────────┤
+│  For Codex / OpenAI SDK:                │
+│  base_url = http://${displayHost}:${port}/v1${" ".repeat(Math.max(0, 18 - String(port).length))}│
+│  api_key  = sk_anything                 │
+└─────────────────────────────────────────┘
+`);
+}
+function openDashboard() {
+  const displayHost = host === "0.0.0.0" ? "localhost" : host;
+  const url = `http://${displayHost}:${port}`;
+  const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`;
+  exec(cmd, { windowsHide: true }, () => {});
+  console.log(`Opening ${url}`);
+}
+function handleConfig() {
+  if (subArgs[0] === "set" && subArgs[1]) {
+    setConfig(subArgs[1], subArgs.slice(2).join(" "));
+    console.log(`✅ ${subArgs[1]} = ${subArgs.slice(2).join(" ")}`);
+  } else if (subArgs[0] === "get" && subArgs[1]) {
+    console.log(getConfig(subArgs[1]) || "(not set)");
+  } else {
+    const env = loadEnvConfig();
+    console.log(`Config file: ${ENV_FILE}\n`);
+    if (Object.keys(env).length === 0) {
+      console.log("  (empty — using defaults)");
+      console.log(`\n  Default port: ${DEFAULT_PORT}`);
+      console.log(`  Default password: admin`);
+      console.log(`\n  Set values with: responses-proxy config set KEY VALUE`);
+    } else {
+      for (const [k, v] of Object.entries(env)) {
+        console.log(`  ${k} = ${v}`);
+      }
+    }
+    console.log(`\nAvailable keys:`);
+    console.log(`  PORT                    Server port (default: 8318)`);
+    console.log(`  HOST                    Bind host (default: 0.0.0.0)`);
+    console.log(`  DASHBOARD_PASSWORD      Admin password (default: admin)`);
+    console.log(`  UPSTREAM_BASE_URL       Default upstream provider URL`);
+    console.log(`  UPSTREAM_API_KEY        Default upstream API key`);
+    console.log(`  KIRO_ENABLED            Enable Kiro provider (true/false)`);
+    console.log(`  KIRO_DB_PATH            Path to 9router kiro.sqlite`);
+  }
+}
+function handlePassword() {
+  const pass = subArgs[0];
+  if (!pass) {
+    console.log(`Current password: ${getConfig("DASHBOARD_PASSWORD") || "admin"}`);
+    console.log(`\nUsage: responses-proxy password <new-password>`);
+    return;
+  }
+  setConfig("DASHBOARD_PASSWORD", pass);
+  console.log(`✅ Dashboard password set to: ${pass}`);
+  console.log(`   Restart the server for changes to take effect.`);
+}
+async function runSetup() {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const ask = (q) => new Promise((resolve) => rl.question(q, resolve));
+  console.log(`\n🚀 responses-proxy Setup Wizard\n`);
+  const portAnswer = await ask(`Port [${port}]: `);
+  if (portAnswer.trim()) setConfig("PORT", portAnswer.trim());
+  const passAnswer = await ask(`Dashboard password [admin]: `);
+  if (passAnswer.trim()) setConfig("DASHBOARD_PASSWORD", passAnswer.trim());
+  const kiroAnswer = await ask(`Enable Kiro provider? (y/n) [y]: `);
+  if (kiroAnswer.trim().toLowerCase() === "n") setConfig("KIRO_ENABLED", "false");
+  else setConfig("KIRO_ENABLED", "true");
+  const upstreamAnswer = await ask(`Default upstream URL (leave empty to skip): `);
+  if (upstreamAnswer.trim()) setConfig("UPSTREAM_BASE_URL", upstreamAnswer.trim());
+  const keyAnswer = await ask(`Default upstream API key (leave empty to skip): `);
+  if (keyAnswer.trim()) setConfig("UPSTREAM_API_KEY", keyAnswer.trim());
+  rl.close();
+  console.log(`\n✅ Config saved to ${ENV_FILE}`);
+  console.log(`\nStart the server with:`);
+  console.log(`   responses-proxy`);
+  console.log(`   responses-proxy --background`);
+  console.log(`\nView connection info:`);
+  console.log(`   responses-proxy info\n`);
+}
+// ─── If subcommand was handled above (setup is async), bail ──────────────────
+if (subcommand === "setup") { /* runSetup handles exit */ return; }
+if (subcommand && subcommand !== "restart") process.exit(0);
+// ─── Ensure deps ─────────────────────────────────────────────────────────────
 if (!fs.existsSync(serverPath)) {
-  console.error("Error: Built server not found at", serverPath);
-  console.error("Run 'npm run build' first, or reinstall the package.");
+  console.error("Error: Built server not found. Reinstall the package.");
   process.exit(1);
 }
-// Check if deps are installed
-const nodeModulesPath = path.join(__dirname, "dist", "node_modules");
 if (!fs.existsSync(path.join(nodeModulesPath, "fastify"))) {
-  console.log("📦 Runtime deps missing. Installing...");
-  const { execSync } = require("child_process");
+  console.log("📦 Installing runtime dependencies...");
   try {
     execSync("npm install --omit=dev --no-audit --no-fund --loglevel=error", {
-      cwd: path.join(__dirname, "dist"),
-      stdio: "inherit",
-      timeout: 120000,
+      cwd: path.join(__dirname, "dist"), stdio: "inherit", timeout: 120000,
     });
   } catch {
     console.error("Failed to install deps. Run: cd " + path.join(__dirname, "dist") + " && npm install --omit=dev");
@@ -78,69 +309,112 @@ if (!fs.existsSync(path.join(nodeModulesPath, "fastify"))) {
   }
 }
-// Data directory
-const dataDir = path.join(os.homedir(), ".responses-proxy");
+// ─── Kill existing ───────────────────────────────────────────────────────────
+const existingPid = getDaemonPid();
+if (existingPid) {
+  try { process.kill(existingPid, "SIGTERM"); } catch {}
+  try { fs.unlinkSync(PID_FILE); } catch {}
+  try { execSync("sleep 1", { stdio: "ignore" }); } catch {}
+}
+// ─── Build env ───────────────────────────────────────────────────────────────
 fs.mkdirSync(path.join(dataDir, "sessions"), { recursive: true });
+const userConfig = loadEnvConfig();
+const serverEnv = {
+  ...process.env,
+  ...userConfig,
+  NODE_PATH: nodeModulesPath,
+  PORT: String(port),
+  HOST: host,
+  UPSTREAM_BASE_URL: userConfig.UPSTREAM_BASE_URL || process.env.UPSTREAM_BASE_URL || "https://placeholder.invalid",
+  UPSTREAM_API_KEY: userConfig.UPSTREAM_API_KEY || process.env.UPSTREAM_API_KEY || "",
+  APP_DB_PATH: path.join(dataDir, "app.sqlite"),
+  SESSION_LOG_DIR: path.join(dataDir, "sessions"),
+  CUSTOMER_KEY_DB_PATH: path.join(dataDir, "telegram-bot.sqlite"),
+  KIRO_DB_PATH: userConfig.KIRO_DB_PATH || path.join(dataDir, "kiro.sqlite"),
+  KIRO_ENABLED: userConfig.KIRO_ENABLED || process.env.KIRO_ENABLED || "true",
+  QUICK_APPLY_HERMES_CONFIG_PATH: path.join(os.homedir(), ".hermes", "config.yaml"),
+  QUICK_APPLY_CODEX_CONFIG_PATH: path.join(os.homedir(), ".codex", "config.toml"),
+  QUICK_APPLY_CODEX_AUTH_PATH: path.join(os.homedir(), ".codex", "auth.json"),
+  TELEGRAM_BOT_TOKEN: userConfig.TELEGRAM_BOT_TOKEN || "",
+  TELEGRAM_OWNER_USER_IDS: userConfig.TELEGRAM_OWNER_USER_IDS || "",
+  TELEGRAM_ADMIN_USER_IDS: userConfig.TELEGRAM_ADMIN_USER_IDS || "",
+  DASHBOARD_PASSWORD: userConfig.DASHBOARD_PASSWORD || process.env.DASHBOARD_PASSWORD || "admin",
+};
 const displayHost = host === "0.0.0.0" ? "localhost" : host;
 const url = `http://${displayHost}:${port}`;
-console.log(`
+// ─── Background mode ─────────────────────────────────────────────────────────
+if (background) {
+  const logFd = fs.openSync(LOG_FILE, "a");
+  const child = spawn(process.execPath, [serverPath], {
+    cwd: __dirname, env: serverEnv,
+    stdio: ["ignore", logFd, logFd],
+    detached: true,
+  });
+  child.unref();
+  fs.writeFileSync(PID_FILE, String(child.pid));
+  fs.closeSync(logFd);
+  console.log(`
 ┌─────────────────────────────────────────┐
 │  responses-proxy v${pkg.version.padEnd(25)}│
+│  Running in background (PID: ${String(child.pid).padEnd(10)}│
 │  ${url.padEnd(39)}│
 │  Dashboard: ${(url + "/").padEnd(27)}│
 │  API: ${(url + "/v1").padEnd(33)}│
+├─────────────────────────────────────────┤
+│  Stop:    responses-proxy stop          │
+│  Status:  responses-proxy status        │
+│  Logs:    responses-proxy logs          │
+│  Config:  responses-proxy config        │
+│  Info:    responses-proxy info          │
 └─────────────────────────────────────────┘
 `);
-// Spawn server
-const server = spawn(process.execPath, [serverPath], {
-  cwd: __dirname,
-  stdio: "inherit",
-  env: {
-    ...process.env,
-    NODE_PATH: nodeModulesPath,
-    PORT: String(port),
-    HOST: host,
-    UPSTREAM_BASE_URL: process.env.UPSTREAM_BASE_URL || "https://placeholder.invalid",
-    UPSTREAM_API_KEY: process.env.UPSTREAM_API_KEY || "",
-    APP_DB_PATH: path.join(dataDir, "app.sqlite"),
-    SESSION_LOG_DIR: path.join(dataDir, "sessions"),
-    CUSTOMER_KEY_DB_PATH: path.join(dataDir, "telegram-bot.sqlite"),
-    KIRO_DB_PATH: path.join(dataDir, "kiro.sqlite"),
-    KIRO_ENABLED: process.env.KIRO_ENABLED || "false",
-    QUICK_APPLY_HERMES_CONFIG_PATH: path.join(os.homedir(), ".hermes", "config.yaml"),
-    QUICK_APPLY_CODEX_CONFIG_PATH: path.join(os.homedir(), ".codex", "config.toml"),
-    QUICK_APPLY_CODEX_AUTH_PATH: path.join(os.homedir(), ".codex", "auth.json"),
-    TELEGRAM_BOT_TOKEN: "",
-    TELEGRAM_OWNER_USER_IDS: "",
-    TELEGRAM_ADMIN_USER_IDS: "",
-    DASHBOARD_PASSWORD: process.env.DASHBOARD_PASSWORD || "admin",
-  },
-});
-// Open browser after short delay
-if (!noBrowser) {
-  setTimeout(() => {
-    const openCmd =
-      process.platform === "darwin" ? `open "${url}"` :
-      process.platform === "win32" ? `start "" "${url}"` :
-      `xdg-open "${url}"`;
-    exec(openCmd, { windowsHide: true }, () => {});
-  }, 2000);
-}
-// Handle exit
-function cleanup() {
-  if (server.pid) {
-    try { process.kill(server.pid, "SIGTERM"); } catch {}
+  if (!noBrowser) {
+    setTimeout(() => {
+      const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`;
+      exec(cmd, { windowsHide: true }, () => {});
+    }, 2000);
   }
-}
+  setTimeout(() => process.exit(0), 2500);
+} else {
+  // ─── Foreground mode ───────────────────────────────────────────────────────
+  console.log(`
+┌─────────────────────────────────────────┐
+│  responses-proxy v${pkg.version.padEnd(25)}│
+│  ${url.padEnd(39)}│
+│  Dashboard: ${(url + "/").padEnd(27)}│
+│  API: ${(url + "/v1").padEnd(33)}│
+│  Press Ctrl+C to stop                  │
+└─────────────────────────────────────────┘
+`);
+  const server = spawn(process.execPath, [serverPath], {
+    cwd: __dirname, stdio: "inherit", env: serverEnv,
+  });
+  fs.writeFileSync(PID_FILE, String(server.pid));
-process.on("SIGINT", () => { cleanup(); process.exit(0); });
-process.on("SIGTERM", () => { cleanup(); process.exit(0); });
+  if (!noBrowser) {
+    setTimeout(() => {
+      const cmd = process.platform === "darwin" ? `open "${url}"` : process.platform === "win32" ? `start "" "${url}"` : `xdg-open "${url}"`;
+      exec(cmd, { windowsHide: true }, () => {});
+    }, 2000);
+  }
-server.on("close", (code) => {
-  process.exit(code || 0);
-});
+  function cleanup() {
+    try { fs.unlinkSync(PID_FILE); } catch {}
+    if (server.pid) { try { process.kill(server.pid, "SIGTERM"); } catch {} }
+  }
+  process.on("SIGINT", () => { cleanup(); process.exit(0); });
+  process.on("SIGTERM", () => { cleanup(); process.exit(0); });
+  server.on("close", (code) => { try { fs.unlinkSync(PID_FILE); } catch {} process.exit(code || 0); });
+}

package/dist/mitm/cert.js ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * MITM Certificate Management — generates root CA + per-domain leaf certs.
+ * Uses node-forge for certificate generation (no native deps).
+ */
+import { execSync } from "node:child_process";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { randomBytes } from "node:crypto";
+const MITM_DIR = path.join(process.env.HOME || "", ".responses-proxy", "mitm");
+const ROOT_CA_KEY = path.join(MITM_DIR, "rootCA.key");
+const ROOT_CA_CERT = path.join(MITM_DIR, "rootCA.crt");
+export function getMitmDir() {
+    mkdirSync(MITM_DIR, { recursive: true });
+    return MITM_DIR;
+}
+export function rootCaExists() {
+    return existsSync(ROOT_CA_KEY) && existsSync(ROOT_CA_CERT);
+}
+export function isRootCaTrusted() {
+    if (process.platform !== "darwin")
+        return false;
+    try {
+        const result = execSync(`security verify-cert -c "${ROOT_CA_CERT}" 2>&1`, { encoding: "utf8", timeout: 5000 });
+        return result.includes("successful") || !result.includes("CSSMERR");
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Generate a self-signed Root CA using openssl CLI (available on macOS/Linux).
+ * Outputs rootCA.key + rootCA.crt to MITM_DIR.
+ */
+export function generateRootCA() {
+    mkdirSync(MITM_DIR, { recursive: true });
+    if (rootCaExists()) {
+        return { keyPath: ROOT_CA_KEY, certPath: ROOT_CA_CERT };
+    }
+    // Generate RSA 2048 key
+    execSync(`openssl genrsa -out "${ROOT_CA_KEY}" 2048`, { stdio: "ignore", timeout: 10000 });
+    // Generate self-signed CA cert (valid 10 years)
+    execSync(`openssl req -x509 -new -nodes -key "${ROOT_CA_KEY}" -sha256 -days 3650 ` +
+        `-subj "/CN=responses-proxy MITM CA/O=responses-proxy/C=US" ` +
+        `-out "${ROOT_CA_CERT}"`, { stdio: "ignore", timeout: 10000 });
+    return { keyPath: ROOT_CA_KEY, certPath: ROOT_CA_CERT };
+}
+/**
+ * Trust the root CA in the macOS system keychain (requires sudo).
+ */
+export async function trustRootCA(sudoPassword) {
+    if (process.platform !== "darwin") {
+        throw new Error("Trust cert is only supported on macOS");
+    }
+    if (!rootCaExists()) {
+        throw new Error("Root CA does not exist. Generate it first.");
+    }
+    const cmd = `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${ROOT_CA_CERT}"`;
+    if (sudoPassword) {
+        const { execWithPassword } = await import("./dns.js");
+        await execWithPassword(cmd, sudoPassword);
+    }
+    else {
+        execSync(`sudo ${cmd}`, { stdio: "ignore", timeout: 15000 });
+    }
+}
+/**
+ * Generate a leaf certificate for a specific domain, signed by the root CA.
+ * Returns { key, cert } as PEM strings.
+ */
+export function generateLeafCert(domain) {
+    if (!rootCaExists())
+        return null;
+    const tmpDir = path.join(MITM_DIR, "tmp");
+    mkdirSync(tmpDir, { recursive: true });
+    const serial = randomBytes(8).toString("hex");
+    const leafKey = path.join(tmpDir, `${serial}.key`);
+    const leafCsr = path.join(tmpDir, `${serial}.csr`);
+    const leafCert = path.join(tmpDir, `${serial}.crt`);
+    const extFile = path.join(tmpDir, `${serial}.ext`);
+    try {
+        // Generate leaf key
+        execSync(`openssl genrsa -out "${leafKey}" 2048`, { stdio: "ignore", timeout: 5000 });
+        // Generate CSR
+        execSync(`openssl req -new -key "${leafKey}" -subj "/CN=${domain}" -out "${leafCsr}"`, { stdio: "ignore", timeout: 5000 });
+        // Write SAN extension file
+        writeFileSync(extFile, `authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\nsubjectAltName=DNS:${domain}\n`);
+        // Sign with root CA
+        execSync(`openssl x509 -req -in "${leafCsr}" -CA "${ROOT_CA_CERT}" -CAkey "${ROOT_CA_KEY}" ` +
+            `-CAcreateserial -out "${leafCert}" -days 825 -sha256 -extfile "${extFile}"`, { stdio: "ignore", timeout: 5000 });
+        const key = readFileSync(leafKey, "utf8");
+        const cert = readFileSync(leafCert, "utf8");
+        // Cleanup temp files
+        try {
+            for (const f of [leafKey, leafCsr, leafCert, extFile]) {
+                if (existsSync(f))
+                    require("node:fs").unlinkSync(f);
+            }
+        }
+        catch { /* best effort */ }
+        return { key, cert };
+    }
+    catch (error) {
+        return null;
+    }
+}
+export function loadRootCA() {
+    return {
+        key: readFileSync(ROOT_CA_KEY, "utf8"),
+        cert: readFileSync(ROOT_CA_CERT, "utf8"),
+    };
+}

package/dist/mitm/dns.js ADDED Viewed

@@ -0,0 +1,150 @@
+/**
+ * MITM DNS Management — manages /etc/hosts entries to redirect tool domains to localhost.
+ */
+import { execSync, spawn } from "node:child_process";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+const IS_WIN = process.platform === "win32";
+const IS_MAC = process.platform === "darwin";
+const HOSTS_FILE = IS_WIN
+    ? `${process.env.SystemRoot || "C:\\Windows"}\\System32\\drivers\\etc\\hosts`
+    : "/etc/hosts";
+// Tool domains to intercept
+export const TOOL_HOSTS = {
+    antigravity: ["daily-cloudcode-pa.googleapis.com", "cloudcode-pa.googleapis.com"],
+    copilot: ["api.individual.githubcopilot.com"],
+    kiro: ["q.us-east-1.amazonaws.com"],
+};
+export function isSudoAvailable() {
+    if (IS_WIN)
+        return false;
+    try {
+        execSync("command -v sudo", { stdio: "ignore", timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function canRunSudoWithoutPassword() {
+    if (IS_WIN || !isSudoAvailable())
+        return true;
+    try {
+        execSync("sudo -n true", { stdio: "ignore", timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function isSudoPasswordRequired() {
+    return !IS_WIN && isSudoAvailable() && !canRunSudoWithoutPassword();
+}
+export function execWithPassword(command, password) {
+    return new Promise((resolve, reject) => {
+        const useSudo = isSudoAvailable();
+        const child = useSudo
+            ? spawn("sudo", ["-S", "sh", "-c", command], { stdio: ["pipe", "pipe", "pipe"] })
+            : spawn("sh", ["-c", command], { stdio: ["ignore", "pipe", "pipe"] });
+        let stdout = "";
+        let stderr = "";
+        child.stdout?.on("data", (d) => { stdout += d; });
+        child.stderr?.on("data", (d) => { stderr += d; });
+        child.on("close", (code) => {
+            if (code === 0)
+                resolve(stdout);
+            else
+                reject(new Error(stderr || `Exit code ${code}`));
+        });
+        if (useSudo && child.stdin) {
+            child.stdin.write(`${password}\n`);
+            child.stdin.end();
+        }
+    });
+}
+function checkDNSEntry(host) {
+    try {
+        const content = readFileSync(HOSTS_FILE, "utf8");
+        return content.includes(host);
+    }
+    catch {
+        return false;
+    }
+}
+export function checkAllDNSStatus() {
+    try {
+        const content = readFileSync(HOSTS_FILE, "utf8");
+        const result = {};
+        for (const [tool, hosts] of Object.entries(TOOL_HOSTS)) {
+            result[tool] = hosts.every((h) => content.includes(h));
+        }
+        return result;
+    }
+    catch {
+        return Object.fromEntries(Object.keys(TOOL_HOSTS).map((t) => [t, false]));
+    }
+}
+async function flushDNS(sudoPassword) {
+    if (IS_WIN)
+        return;
+    if (IS_MAC) {
+        await execWithPassword("dscacheutil -flushcache && killall -HUP mDNSResponder", sudoPassword);
+    }
+    else {
+        await execWithPassword("resolvectl flush-caches 2>/dev/null || true", sudoPassword);
+    }
+}
+export async function addDNSEntry(tool, sudoPassword) {
+    const hosts = TOOL_HOSTS[tool];
+    if (!hosts)
+        throw new Error(`Unknown tool: ${tool}`);
+    const entriesToAdd = hosts.filter((h) => !checkDNSEntry(h));
+    if (entriesToAdd.length === 0)
+        return;
+    const current = readFileSync(HOSTS_FILE, "utf8");
+    const trimmed = current.replace(/[\r\n\s]+$/g, "");
+    const toAppend = entriesToAdd.map((h) => `127.0.0.1 ${h}`).join("\n");
+    const next = `${trimmed}\n${toAppend}\n`;
+    const escaped = next.replace(/'/g, "'\\''");
+    await execWithPassword(`printf '%s' '${escaped}' | tee ${HOSTS_FILE} > /dev/null`, sudoPassword);
+    await flushDNS(sudoPassword);
+}
+export async function removeDNSEntry(tool, sudoPassword) {
+    const hosts = TOOL_HOSTS[tool];
+    if (!hosts)
+        throw new Error(`Unknown tool: ${tool}`);
+    const entriesToRemove = hosts.filter((h) => checkDNSEntry(h));
+    if (entriesToRemove.length === 0)
+        return;
+    const current = readFileSync(HOSTS_FILE, "utf8");
+    const filtered = current
+        .split(/\r?\n/)
+        .filter((l) => !entriesToRemove.some((h) => l.includes(h)))
+        .join("\n");
+    const next = filtered.replace(/[\r\n\s]+$/g, "") + "\n";
+    const escaped = next.replace(/'/g, "'\\''");
+    await execWithPassword(`printf '%s' '${escaped}' | tee ${HOSTS_FILE} > /dev/null`, sudoPassword);
+    await flushDNS(sudoPassword);
+}
+export function removeAllDNSEntriesSync() {
+    try {
+        if (!existsSync(HOSTS_FILE))
+            return;
+        const allHosts = Object.values(TOOL_HOSTS).flat();
+        const content = readFileSync(HOSTS_FILE, "utf8");
+        const filtered = content
+            .split(/\r?\n/)
+            .filter((l) => !allHosts.some((h) => l.includes(h)))
+            .join("\n");
+        const next = filtered.replace(/[\r\n\s]+$/g, "") + "\n";
+        if (next === content)
+            return;
+        writeFileSync(HOSTS_FILE, next, "utf8");
+        if (IS_MAC) {
+            try {
+                execSync("dscacheutil -flushcache && killall -HUP mDNSResponder", { stdio: "ignore" });
+            }
+            catch { /* ignore */ }
+        }
+    }
+    catch { /* best effort during shutdown */ }
+}

package/dist/mitm/server.js ADDED Viewed

@@ -0,0 +1,229 @@
+/**
+ * MITM Proxy Server — intercepts HTTPS on port 443 with dynamic SSL certs.
+ *
+ * Cloned from 9Router's src/mitm/server.js approach:
+ * - HTTPS server on :443 with SNI callback for per-domain certs
+ * - Intercepts requests to tool domains (Antigravity, Copilot, Kiro)
+ * - Rewrites model in request body to mapped model from proxy
+ * - Forwards to real upstream via HTTPS with custom DNS (bypass /etc/hosts loop)
+ */
+import * as https from "node:https";
+import * as tls from "node:tls";
+import * as dns from "node:dns";
+import { promisify } from "node:util";
+import { readFileSync, existsSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { execSync } from "node:child_process";
+import { generateLeafCert, loadRootCA, rootCaExists, getMitmDir } from "./cert.js";
+import { TOOL_HOSTS, removeAllDNSEntriesSync } from "./dns.js";
+const LOCAL_PORT = 443;
+const MITM_DIR = getMitmDir();
+const PID_FILE = path.join(MITM_DIR, ".mitm.pid");
+// Tool detection from host header
+const HOST_TO_TOOL = {};
+for (const [tool, hosts] of Object.entries(TOOL_HOSTS)) {
+    for (const h of hosts)
+        HOST_TO_TOOL[h] = tool;
+}
+// Proxy base URL — requests are forwarded to responses-proxy for model routing
+const ROUTER_BASE_URL = process.env.MITM_ROUTER_BASE_URL || "http://localhost:8318";
+// Internal header to prevent loop
+const INTERNAL_HEADER = "x-request-source";
+const INTERNAL_VALUE = "mitm-local";
+// ─── SSL / SNI ───────────────────────────────────────────────────────────────
+const certCache = new Map();
+let rootCAPem;
+function sniCallback(servername, cb) {
+    try {
+        if (certCache.has(servername))
+            return cb(null, certCache.get(servername));
+        const certData = generateLeafCert(servername);
+        if (!certData)
+            return cb(new Error(`Failed to generate cert for ${servername}`));
+        const ctx = tls.createSecureContext({
+            key: certData.key,
+            cert: `${certData.cert}\n${rootCAPem}`,
+        });
+        certCache.set(servername, ctx);
+        cb(null, ctx);
+    }
+    catch (e) {
+        cb(e);
+    }
+}
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+const resolve4 = promisify((() => {
+    const resolver = new dns.Resolver();
+    resolver.setServers(["8.8.8.8", "1.1.1.1"]);
+    return resolver.resolve4.bind(resolver);
+})());
+const ipCache = {};
+async function resolveTargetIP(hostname) {
+    const cached = ipCache[hostname];
+    if (cached && Date.now() - cached.ts < 5 * 60 * 1000)
+        return cached.ip;
+    const addresses = await resolve4(hostname);
+    ipCache[hostname] = { ip: addresses[0], ts: Date.now() };
+    return addresses[0];
+}
+function collectBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        req.on("data", (chunk) => chunks.push(chunk));
+        req.on("end", () => resolve(Buffer.concat(chunks)));
+        req.on("error", reject);
+    });
+}
+// ─── Request handler ─────────────────────────────────────────────────────────
+async function handleRequest(req, res) {
+    try {
+        // Health check
+        if (req.url === "/_mitm_health") {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true, pid: process.pid }));
+            return;
+        }
+        const bodyBuffer = await collectBody(req);
+        // Anti-loop: skip our own requests
+        if (req.headers[INTERNAL_HEADER] === INTERNAL_VALUE) {
+            return passthrough(req, res, bodyBuffer);
+        }
+        const host = (req.headers.host || "").split(":")[0];
+        const tool = HOST_TO_TOOL[host];
+        // Not a tool domain — passthrough
+        if (!tool) {
+            return passthrough(req, res, bodyBuffer);
+        }
+        // Forward to our proxy router instead of upstream
+        // This lets the proxy handle model routing, RTK, combos, etc.
+        return forwardToRouter(req, res, bodyBuffer, tool);
+    }
+    catch (e) {
+        if (!res.headersSent)
+            res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: { message: e.message, type: "mitm_error" } }));
+    }
+}
+/**
+ * Forward intercepted request to the local responses-proxy router.
+ * The proxy will handle model selection, provider routing, RTK, etc.
+ */
+function forwardToRouter(req, res, bodyBuffer, tool) {
+    const url = new URL(ROUTER_BASE_URL);
+    const http = require("node:http");
+    const proxyReq = http.request({
+        hostname: url.hostname,
+        port: url.port || 8318,
+        path: "/v1/chat/completions",
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            "content-length": String(bodyBuffer.length),
+            [INTERNAL_HEADER]: INTERNAL_VALUE,
+            "x-mitm-tool": tool,
+            "x-mitm-original-host": req.headers.host || "",
+            "x-mitm-original-path": req.url || "",
+        },
+    }, (proxyRes) => {
+        res.writeHead(proxyRes.statusCode, proxyRes.headers);
+        proxyRes.pipe(res);
+    });
+    proxyReq.on("error", (e) => {
+        // If proxy is unreachable, passthrough to real upstream
+        passthrough(req, res, bodyBuffer);
+    });
+    proxyReq.write(bodyBuffer);
+    proxyReq.end();
+}
+/**
+ * Forward request to the real upstream (bypass /etc/hosts via custom DNS).
+ */
+async function passthrough(req, res, bodyBuffer) {
+    const originalHost = (req.headers.host || "").split(":")[0];
+    const targetIP = await resolveTargetIP(originalHost);
+    const forwardReq = https.request({
+        hostname: targetIP,
+        port: 443,
+        path: req.url,
+        method: req.method,
+        headers: { ...req.headers, host: originalHost },
+        servername: originalHost,
+        rejectUnauthorized: false,
+    }, (forwardRes) => {
+        res.writeHead(forwardRes.statusCode || 502, forwardRes.headers);
+        forwardRes.pipe(res);
+    });
+    forwardReq.on("error", (e) => {
+        if (!res.headersSent)
+            res.writeHead(502);
+        res.end("Bad Gateway");
+    });
+    if (bodyBuffer.length > 0)
+        forwardReq.write(bodyBuffer);
+    forwardReq.end();
+}
+// ─── Server startup ──────────────────────────────────────────────────────────
+export function startMitmServer() {
+    if (!rootCaExists()) {
+        throw new Error("Root CA not found. Generate it first via the dashboard.");
+    }
+    const rootCA = loadRootCA();
+    rootCAPem = rootCA.cert;
+    const sslOptions = {
+        key: rootCA.key,
+        cert: rootCA.cert,
+        SNICallback: sniCallback,
+    };
+    // Kill existing process on port 443
+    try {
+        const pids = execSync(`lsof -nP -iTCP:${LOCAL_PORT} -sTCP:LISTEN -t`, { encoding: "utf8", timeout: 3000 }).trim();
+        if (pids) {
+            pids.split("\n").forEach((pid) => {
+                try {
+                    process.kill(Number(pid), "SIGKILL");
+                }
+                catch { /* ignore */ }
+            });
+        }
+    }
+    catch { /* port is free */ }
+    const server = https.createServer(sslOptions, handleRequest);
+    server.listen(LOCAL_PORT, () => {
+        console.log(`[mitm] 🚀 MITM server running on :${LOCAL_PORT}`);
+        writeFileSync(PID_FILE, String(process.pid));
+    });
+    server.on("error", (e) => {
+        if (e.code === "EADDRINUSE") {
+            throw new Error(`Port ${LOCAL_PORT} already in use`);
+        }
+        if (e.code === "EACCES") {
+            throw new Error(`Permission denied for port ${LOCAL_PORT}. Run with sudo.`);
+        }
+        throw e;
+    });
+    // Graceful shutdown
+    const shutdown = () => {
+        removeAllDNSEntriesSync();
+        server.close(() => process.exit(0));
+        setTimeout(() => process.exit(0), 1500);
+    };
+    process.on("SIGTERM", shutdown);
+    process.on("SIGINT", shutdown);
+    return { pid: process.pid };
+}
+export function getMitmPid() {
+    try {
+        if (!existsSync(PID_FILE))
+            return null;
+        const pid = Number(readFileSync(PID_FILE, "utf8").trim());
+        // Check if process is alive
+        process.kill(pid, 0);
+        return pid;
+    }
+    catch {
+        return null;
+    }
+}
+export function isMitmRunning() {
+    return getMitmPid() !== null;
+}

package/dist/mitm/start-server.js ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * MITM Server entry point — spawned with sudo by the main proxy.
+ * Runs the HTTPS interception server on port 443.
+ */
+import { startMitmServer } from "./server.js";
+try {
+    const { pid } = startMitmServer();
+    console.log(`[mitm] Server started (PID: ${pid})`);
+}
+catch (error) {
+    console.error(`[mitm] Failed to start:`, error instanceof Error ? error.message : error);
+    process.exit(1);
+}

package/dist/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "responses-proxy-runtime",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "private": true,
   "type": "module",
   "dependencies": {

package/dist/server.js CHANGED Viewed

@@ -95,6 +95,20 @@ const deviceLoginService = new DeviceLoginService({
     kiroDbPath: config.KIRO_DB_PATH,
 });
 setInterval(() => deviceLoginService.pruneExpiredSessions(), 60_000).unref();
+// Auto-disable Kiro provider if it has no accounts
+if (kiroTokenStore) {
+    const kiroAccounts = kiroTokenStore.listAccounts();
+    if (kiroAccounts.length === 0) {
+        try {
+            const kiroProvider = providerRepository.getProvider("account-kiro");
+            if (kiroProvider && kiroProvider.enabled !== false) {
+                providerRepository.updateProvider("account-kiro", { ...kiroProvider, enabled: false });
+                console.log("[kiro] No accounts found — provider auto-disabled. Add accounts via dashboard to enable.");
+            }
+        }
+        catch { /* provider might not exist yet */ }
+    }
+}
 // Initialize routing services after all stores are available
 const routingComboRepository = new RoutingComboRepository(providerRepository.getDatabase());
 const modelComboRepository = new ModelComboRepository(providerRepository.getDatabase());
@@ -1551,6 +1565,16 @@ app.post("/api/kiro/import", async (request, reply) => {
             destDbPath: destPath,
             provider: 'kiro',
         });
+        // Auto-enable the Kiro provider after importing accounts
+        if (result.imported > 0) {
+            try {
+                const kiroProvider = providerRepository.getProvider("account-kiro");
+                if (kiroProvider && !kiroProvider.enabled) {
+                    providerRepository.updateProvider("account-kiro", { ...kiroProvider, enabled: true });
+                }
+            }
+            catch { /* ignore */ }
+        }
         return reply.send({
             ok: true,
             imported: result.imported,
@@ -1636,6 +1660,16 @@ app.post("/api/kiro/device/poll", async (request, reply) => {
     }
     try {
         const result = await deviceLoginService.pollDeviceLogin(sessionId);
+        // Auto-enable Kiro provider when a new account is added
+        if (result.status === "completed") {
+            try {
+                const kiroProvider = providerRepository.getProvider("account-kiro");
+                if (kiroProvider && !kiroProvider.enabled) {
+                    providerRepository.updateProvider("account-kiro", { ...kiroProvider, enabled: true });
+                }
+            }
+            catch { /* ignore */ }
+        }
         return reply.send({ ok: true, ...result });
     }
     catch (error) {
@@ -1938,33 +1972,122 @@ app.delete("/api/cli-tools/codex-settings", async (_request, reply) => {
         return reply.code(500).send({ error: error instanceof Error ? error.message : "Failed to reset settings" });
     }
 });
-// ─── MITM Server Status (stub — requires host-mode deployment) ──────────────
+// ─── MITM Server Status ─────────────────────────────────────────────────────
 app.get("/api/cli-tools/mitm-status", async (_request, reply) => {
-    // MITM requires running directly on host (not Docker) with root privileges.
-    // Return stub status indicating MITM is not available in this deployment mode.
-    return reply.send({
-        running: false,
-        certExists: false,
-        certTrusted: false,
-        dnsStatus: {},
-        available: false,
-        reason: "MITM requires host-mode deployment with root privileges (port 443 + DNS + cert trust). Not available in Docker mode.",
-    });
+    try {
+        const { rootCaExists, isRootCaTrusted } = await import("./mitm/cert.js");
+        const { isMitmRunning } = await import("./mitm/server.js");
+        const { checkAllDNSStatus, isSudoPasswordRequired } = await import("./mitm/dns.js");
+        return reply.send({
+            running: isMitmRunning(),
+            certExists: rootCaExists(),
+            certTrusted: isRootCaTrusted(),
+            dnsStatus: checkAllDNSStatus(),
+            needsSudoPassword: isSudoPasswordRequired(),
+            available: true,
+            isWin: process.platform === "win32",
+        });
+    }
+    catch (error) {
+        return reply.send({
+            running: false,
+            certExists: false,
+            certTrusted: false,
+            dnsStatus: {},
+            available: false,
+            reason: error instanceof Error ? error.message : "MITM module not available",
+        });
+    }
 });
-app.post("/api/cli-tools/mitm-start", async (_request, reply) => {
-    return reply.code(501).send({
-        error: "MITM server is not available in Docker deployment mode. Run the proxy directly on the host with root privileges.",
-    });
+app.post("/api/cli-tools/mitm-start", async (request, reply) => {
+    const body = request.body;
+    try {
+        const { generateRootCA, trustRootCA, rootCaExists: caExists } = await import("./mitm/cert.js");
+        const { spawn } = await import("node:child_process");
+        // Ensure CA exists
+        if (!caExists()) {
+            generateRootCA();
+        }
+        // Start MITM server as a child process (needs root for port 443)
+        const mitmScript = path.resolve(import.meta.dirname || __dirname, "mitm", "start-server.js");
+        const sudoPassword = body?.sudoPassword || "";
+        // Use sudo to start the server process
+        const env = {
+            ...process.env,
+            MITM_ROUTER_BASE_URL: `http://127.0.0.1:${config.PORT}`,
+        };
+        const child = spawn("sudo", ["-S", process.execPath, mitmScript], {
+            env,
+            stdio: ["pipe", "ignore", "pipe"],
+            detached: true,
+        });
+        if (sudoPassword && child.stdin) {
+            child.stdin.write(`${sudoPassword}\n`);
+            child.stdin.end();
+        }
+        child.unref();
+        // Wait a moment to check if it started
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to start MITM server",
+        });
+    }
 });
 app.post("/api/cli-tools/mitm-stop", async (_request, reply) => {
-    return reply.code(501).send({
-        error: "MITM server is not available in Docker deployment mode.",
-    });
+    try {
+        const { getMitmPid } = await import("./mitm/server.js");
+        const pid = getMitmPid();
+        if (pid) {
+            try {
+                process.kill(pid, "SIGTERM");
+            }
+            catch { /* already dead */ }
+        }
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to stop MITM server",
+        });
+    }
 });
-app.post("/api/cli-tools/mitm-dns", async (_request, reply) => {
-    return reply.code(501).send({
-        error: "DNS interception is not available in Docker deployment mode.",
-    });
+app.post("/api/cli-tools/mitm-dns", async (request, reply) => {
+    const body = request.body;
+    const toolId = typeof body?.toolId === "string" ? body.toolId : "";
+    const enable = body?.enable !== false;
+    const sudoPassword = typeof body?.sudoPassword === "string" ? body.sudoPassword : "";
+    try {
+        const { addDNSEntry, removeDNSEntry } = await import("./mitm/dns.js");
+        if (enable) {
+            await addDNSEntry(toolId, sudoPassword);
+        }
+        else {
+            await removeDNSEntry(toolId, sudoPassword);
+        }
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to update DNS",
+        });
+    }
+});
+app.post("/api/cli-tools/mitm-trust-cert", async (request, reply) => {
+    const body = request.body;
+    try {
+        const { generateRootCA, trustRootCA } = await import("./mitm/cert.js");
+        generateRootCA();
+        await trustRootCA(body?.sudoPassword);
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to trust certificate",
+        });
+    }
 });
 app.get("/api/customer/codex/setup.sh", async (request, reply) => {
     const routingApiKey = readBearerToken(request.headers.authorization);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "responses-proxy",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "AI routing proxy with multi-provider fallback, RTK token saver, and web dashboard",
   "bin": {
     "responses-proxy": "./cli.js"