responses-proxy 0.1.4 → 0.2.1

package/dist/client/index.html

@@ -22,7 +22,7 @@
         margin: 0;
       }
     </style>
-    <script type="module" crossorigin src="/assets/index-DAy1ivku.js"></script>
+    <script type="module" crossorigin src="/assets/index-D4Ktr4qL.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-DpqgYK3L.css">
   </head>
   <body>

package/dist/mitm/cert.js

@@ -0,0 +1,111 @@
+/**
+ * MITM Certificate Management — generates root CA + per-domain leaf certs.
+ * Uses node-forge for certificate generation (no native deps).
+ */
+import { execSync } from "node:child_process";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { randomBytes } from "node:crypto";
+const MITM_DIR = path.join(process.env.HOME || "", ".responses-proxy", "mitm");
+const ROOT_CA_KEY = path.join(MITM_DIR, "rootCA.key");
+const ROOT_CA_CERT = path.join(MITM_DIR, "rootCA.crt");
+export function getMitmDir() {
+    mkdirSync(MITM_DIR, { recursive: true });
+    return MITM_DIR;
+}
+export function rootCaExists() {
+    return existsSync(ROOT_CA_KEY) && existsSync(ROOT_CA_CERT);
+}
+export function isRootCaTrusted() {
+    if (process.platform !== "darwin")
+        return false;
+    try {
+        const result = execSync(`security verify-cert -c "${ROOT_CA_CERT}" 2>&1`, { encoding: "utf8", timeout: 5000 });
+        return result.includes("successful") || !result.includes("CSSMERR");
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Generate a self-signed Root CA using openssl CLI (available on macOS/Linux).
+ * Outputs rootCA.key + rootCA.crt to MITM_DIR.
+ */
+export function generateRootCA() {
+    mkdirSync(MITM_DIR, { recursive: true });
+    if (rootCaExists()) {
+        return { keyPath: ROOT_CA_KEY, certPath: ROOT_CA_CERT };
+    }
+    // Generate RSA 2048 key
+    execSync(`openssl genrsa -out "${ROOT_CA_KEY}" 2048`, { stdio: "ignore", timeout: 10000 });
+    // Generate self-signed CA cert (valid 10 years)
+    execSync(`openssl req -x509 -new -nodes -key "${ROOT_CA_KEY}" -sha256 -days 3650 ` +
+        `-subj "/CN=responses-proxy MITM CA/O=responses-proxy/C=US" ` +
+        `-out "${ROOT_CA_CERT}"`, { stdio: "ignore", timeout: 10000 });
+    return { keyPath: ROOT_CA_KEY, certPath: ROOT_CA_CERT };
+}
+/**
+ * Trust the root CA in the macOS system keychain (requires sudo).
+ */
+export async function trustRootCA(sudoPassword) {
+    if (process.platform !== "darwin") {
+        throw new Error("Trust cert is only supported on macOS");
+    }
+    if (!rootCaExists()) {
+        throw new Error("Root CA does not exist. Generate it first.");
+    }
+    const cmd = `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${ROOT_CA_CERT}"`;
+    if (sudoPassword) {
+        const { execWithPassword } = await import("./dns.js");
+        await execWithPassword(cmd, sudoPassword);
+    }
+    else {
+        execSync(`sudo ${cmd}`, { stdio: "ignore", timeout: 15000 });
+    }
+}
+/**
+ * Generate a leaf certificate for a specific domain, signed by the root CA.
+ * Returns { key, cert } as PEM strings.
+ */
+export function generateLeafCert(domain) {
+    if (!rootCaExists())
+        return null;
+    const tmpDir = path.join(MITM_DIR, "tmp");
+    mkdirSync(tmpDir, { recursive: true });
+    const serial = randomBytes(8).toString("hex");
+    const leafKey = path.join(tmpDir, `${serial}.key`);
+    const leafCsr = path.join(tmpDir, `${serial}.csr`);
+    const leafCert = path.join(tmpDir, `${serial}.crt`);
+    const extFile = path.join(tmpDir, `${serial}.ext`);
+    try {
+        // Generate leaf key
+        execSync(`openssl genrsa -out "${leafKey}" 2048`, { stdio: "ignore", timeout: 5000 });
+        // Generate CSR
+        execSync(`openssl req -new -key "${leafKey}" -subj "/CN=${domain}" -out "${leafCsr}"`, { stdio: "ignore", timeout: 5000 });
+        // Write SAN extension file
+        writeFileSync(extFile, `authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\nsubjectAltName=DNS:${domain}\n`);
+        // Sign with root CA
+        execSync(`openssl x509 -req -in "${leafCsr}" -CA "${ROOT_CA_CERT}" -CAkey "${ROOT_CA_KEY}" ` +
+            `-CAcreateserial -out "${leafCert}" -days 825 -sha256 -extfile "${extFile}"`, { stdio: "ignore", timeout: 5000 });
+        const key = readFileSync(leafKey, "utf8");
+        const cert = readFileSync(leafCert, "utf8");
+        // Cleanup temp files
+        try {
+            for (const f of [leafKey, leafCsr, leafCert, extFile]) {
+                if (existsSync(f))
+                    require("node:fs").unlinkSync(f);
+            }
+        }
+        catch { /* best effort */ }
+        return { key, cert };
+    }
+    catch (error) {
+        return null;
+    }
+}
+export function loadRootCA() {
+    return {
+        key: readFileSync(ROOT_CA_KEY, "utf8"),
+        cert: readFileSync(ROOT_CA_CERT, "utf8"),
+    };
+}

package/dist/mitm/dns.js

@@ -0,0 +1,150 @@
+/**
+ * MITM DNS Management — manages /etc/hosts entries to redirect tool domains to localhost.
+ */
+import { execSync, spawn } from "node:child_process";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+const IS_WIN = process.platform === "win32";
+const IS_MAC = process.platform === "darwin";
+const HOSTS_FILE = IS_WIN
+    ? `${process.env.SystemRoot || "C:\\Windows"}\\System32\\drivers\\etc\\hosts`
+    : "/etc/hosts";
+// Tool domains to intercept
+export const TOOL_HOSTS = {
+    antigravity: ["daily-cloudcode-pa.googleapis.com", "cloudcode-pa.googleapis.com"],
+    copilot: ["api.individual.githubcopilot.com"],
+    kiro: ["q.us-east-1.amazonaws.com"],
+};
+export function isSudoAvailable() {
+    if (IS_WIN)
+        return false;
+    try {
+        execSync("command -v sudo", { stdio: "ignore", timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function canRunSudoWithoutPassword() {
+    if (IS_WIN || !isSudoAvailable())
+        return true;
+    try {
+        execSync("sudo -n true", { stdio: "ignore", timeout: 3000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function isSudoPasswordRequired() {
+    return !IS_WIN && isSudoAvailable() && !canRunSudoWithoutPassword();
+}
+export function execWithPassword(command, password) {
+    return new Promise((resolve, reject) => {
+        const useSudo = isSudoAvailable();
+        const child = useSudo
+            ? spawn("sudo", ["-S", "sh", "-c", command], { stdio: ["pipe", "pipe", "pipe"] })
+            : spawn("sh", ["-c", command], { stdio: ["ignore", "pipe", "pipe"] });
+        let stdout = "";
+        let stderr = "";
+        child.stdout?.on("data", (d) => { stdout += d; });
+        child.stderr?.on("data", (d) => { stderr += d; });
+        child.on("close", (code) => {
+            if (code === 0)
+                resolve(stdout);
+            else
+                reject(new Error(stderr || `Exit code ${code}`));
+        });
+        if (useSudo && child.stdin) {
+            child.stdin.write(`${password}\n`);
+            child.stdin.end();
+        }
+    });
+}
+function checkDNSEntry(host) {
+    try {
+        const content = readFileSync(HOSTS_FILE, "utf8");
+        return content.includes(host);
+    }
+    catch {
+        return false;
+    }
+}
+export function checkAllDNSStatus() {
+    try {
+        const content = readFileSync(HOSTS_FILE, "utf8");
+        const result = {};
+        for (const [tool, hosts] of Object.entries(TOOL_HOSTS)) {
+            result[tool] = hosts.every((h) => content.includes(h));
+        }
+        return result;
+    }
+    catch {
+        return Object.fromEntries(Object.keys(TOOL_HOSTS).map((t) => [t, false]));
+    }
+}
+async function flushDNS(sudoPassword) {
+    if (IS_WIN)
+        return;
+    if (IS_MAC) {
+        await execWithPassword("dscacheutil -flushcache && killall -HUP mDNSResponder", sudoPassword);
+    }
+    else {
+        await execWithPassword("resolvectl flush-caches 2>/dev/null || true", sudoPassword);
+    }
+}
+export async function addDNSEntry(tool, sudoPassword) {
+    const hosts = TOOL_HOSTS[tool];
+    if (!hosts)
+        throw new Error(`Unknown tool: ${tool}`);
+    const entriesToAdd = hosts.filter((h) => !checkDNSEntry(h));
+    if (entriesToAdd.length === 0)
+        return;
+    const current = readFileSync(HOSTS_FILE, "utf8");
+    const trimmed = current.replace(/[\r\n\s]+$/g, "");
+    const toAppend = entriesToAdd.map((h) => `127.0.0.1 ${h}`).join("\n");
+    const next = `${trimmed}\n${toAppend}\n`;
+    const escaped = next.replace(/'/g, "'\\''");
+    await execWithPassword(`printf '%s' '${escaped}' | tee ${HOSTS_FILE} > /dev/null`, sudoPassword);
+    await flushDNS(sudoPassword);
+}
+export async function removeDNSEntry(tool, sudoPassword) {
+    const hosts = TOOL_HOSTS[tool];
+    if (!hosts)
+        throw new Error(`Unknown tool: ${tool}`);
+    const entriesToRemove = hosts.filter((h) => checkDNSEntry(h));
+    if (entriesToRemove.length === 0)
+        return;
+    const current = readFileSync(HOSTS_FILE, "utf8");
+    const filtered = current
+        .split(/\r?\n/)
+        .filter((l) => !entriesToRemove.some((h) => l.includes(h)))
+        .join("\n");
+    const next = filtered.replace(/[\r\n\s]+$/g, "") + "\n";
+    const escaped = next.replace(/'/g, "'\\''");
+    await execWithPassword(`printf '%s' '${escaped}' | tee ${HOSTS_FILE} > /dev/null`, sudoPassword);
+    await flushDNS(sudoPassword);
+}
+export function removeAllDNSEntriesSync() {
+    try {
+        if (!existsSync(HOSTS_FILE))
+            return;
+        const allHosts = Object.values(TOOL_HOSTS).flat();
+        const content = readFileSync(HOSTS_FILE, "utf8");
+        const filtered = content
+            .split(/\r?\n/)
+            .filter((l) => !allHosts.some((h) => l.includes(h)))
+            .join("\n");
+        const next = filtered.replace(/[\r\n\s]+$/g, "") + "\n";
+        if (next === content)
+            return;
+        writeFileSync(HOSTS_FILE, next, "utf8");
+        if (IS_MAC) {
+            try {
+                execSync("dscacheutil -flushcache && killall -HUP mDNSResponder", { stdio: "ignore" });
+            }
+            catch { /* ignore */ }
+        }
+    }
+    catch { /* best effort during shutdown */ }
+}

package/dist/mitm/server.js

@@ -0,0 +1,229 @@
+/**
+ * MITM Proxy Server — intercepts HTTPS on port 443 with dynamic SSL certs.
+ *
+ * Cloned from 9Router's src/mitm/server.js approach:
+ * - HTTPS server on :443 with SNI callback for per-domain certs
+ * - Intercepts requests to tool domains (Antigravity, Copilot, Kiro)
+ * - Rewrites model in request body to mapped model from proxy
+ * - Forwards to real upstream via HTTPS with custom DNS (bypass /etc/hosts loop)
+ */
+import * as https from "node:https";
+import * as tls from "node:tls";
+import * as dns from "node:dns";
+import { promisify } from "node:util";
+import { readFileSync, existsSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { execSync } from "node:child_process";
+import { generateLeafCert, loadRootCA, rootCaExists, getMitmDir } from "./cert.js";
+import { TOOL_HOSTS, removeAllDNSEntriesSync } from "./dns.js";
+const LOCAL_PORT = 443;
+const MITM_DIR = getMitmDir();
+const PID_FILE = path.join(MITM_DIR, ".mitm.pid");
+// Tool detection from host header
+const HOST_TO_TOOL = {};
+for (const [tool, hosts] of Object.entries(TOOL_HOSTS)) {
+    for (const h of hosts)
+        HOST_TO_TOOL[h] = tool;
+}
+// Proxy base URL — requests are forwarded to responses-proxy for model routing
+const ROUTER_BASE_URL = process.env.MITM_ROUTER_BASE_URL || "http://localhost:8318";
+// Internal header to prevent loop
+const INTERNAL_HEADER = "x-request-source";
+const INTERNAL_VALUE = "mitm-local";
+// ─── SSL / SNI ───────────────────────────────────────────────────────────────
+const certCache = new Map();
+let rootCAPem;
+function sniCallback(servername, cb) {
+    try {
+        if (certCache.has(servername))
+            return cb(null, certCache.get(servername));
+        const certData = generateLeafCert(servername);
+        if (!certData)
+            return cb(new Error(`Failed to generate cert for ${servername}`));
+        const ctx = tls.createSecureContext({
+            key: certData.key,
+            cert: `${certData.cert}\n${rootCAPem}`,
+        });
+        certCache.set(servername, ctx);
+        cb(null, ctx);
+    }
+    catch (e) {
+        cb(e);
+    }
+}
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+const resolve4 = promisify((() => {
+    const resolver = new dns.Resolver();
+    resolver.setServers(["8.8.8.8", "1.1.1.1"]);
+    return resolver.resolve4.bind(resolver);
+})());
+const ipCache = {};
+async function resolveTargetIP(hostname) {
+    const cached = ipCache[hostname];
+    if (cached && Date.now() - cached.ts < 5 * 60 * 1000)
+        return cached.ip;
+    const addresses = await resolve4(hostname);
+    ipCache[hostname] = { ip: addresses[0], ts: Date.now() };
+    return addresses[0];
+}
+function collectBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        req.on("data", (chunk) => chunks.push(chunk));
+        req.on("end", () => resolve(Buffer.concat(chunks)));
+        req.on("error", reject);
+    });
+}
+// ─── Request handler ─────────────────────────────────────────────────────────
+async function handleRequest(req, res) {
+    try {
+        // Health check
+        if (req.url === "/_mitm_health") {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true, pid: process.pid }));
+            return;
+        }
+        const bodyBuffer = await collectBody(req);
+        // Anti-loop: skip our own requests
+        if (req.headers[INTERNAL_HEADER] === INTERNAL_VALUE) {
+            return passthrough(req, res, bodyBuffer);
+        }
+        const host = (req.headers.host || "").split(":")[0];
+        const tool = HOST_TO_TOOL[host];
+        // Not a tool domain — passthrough
+        if (!tool) {
+            return passthrough(req, res, bodyBuffer);
+        }
+        // Forward to our proxy router instead of upstream
+        // This lets the proxy handle model routing, RTK, combos, etc.
+        return forwardToRouter(req, res, bodyBuffer, tool);
+    }
+    catch (e) {
+        if (!res.headersSent)
+            res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: { message: e.message, type: "mitm_error" } }));
+    }
+}
+/**
+ * Forward intercepted request to the local responses-proxy router.
+ * The proxy will handle model selection, provider routing, RTK, etc.
+ */
+function forwardToRouter(req, res, bodyBuffer, tool) {
+    const url = new URL(ROUTER_BASE_URL);
+    const http = require("node:http");
+    const proxyReq = http.request({
+        hostname: url.hostname,
+        port: url.port || 8318,
+        path: "/v1/chat/completions",
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            "content-length": String(bodyBuffer.length),
+            [INTERNAL_HEADER]: INTERNAL_VALUE,
+            "x-mitm-tool": tool,
+            "x-mitm-original-host": req.headers.host || "",
+            "x-mitm-original-path": req.url || "",
+        },
+    }, (proxyRes) => {
+        res.writeHead(proxyRes.statusCode, proxyRes.headers);
+        proxyRes.pipe(res);
+    });
+    proxyReq.on("error", (e) => {
+        // If proxy is unreachable, passthrough to real upstream
+        passthrough(req, res, bodyBuffer);
+    });
+    proxyReq.write(bodyBuffer);
+    proxyReq.end();
+}
+/**
+ * Forward request to the real upstream (bypass /etc/hosts via custom DNS).
+ */
+async function passthrough(req, res, bodyBuffer) {
+    const originalHost = (req.headers.host || "").split(":")[0];
+    const targetIP = await resolveTargetIP(originalHost);
+    const forwardReq = https.request({
+        hostname: targetIP,
+        port: 443,
+        path: req.url,
+        method: req.method,
+        headers: { ...req.headers, host: originalHost },
+        servername: originalHost,
+        rejectUnauthorized: false,
+    }, (forwardRes) => {
+        res.writeHead(forwardRes.statusCode || 502, forwardRes.headers);
+        forwardRes.pipe(res);
+    });
+    forwardReq.on("error", (e) => {
+        if (!res.headersSent)
+            res.writeHead(502);
+        res.end("Bad Gateway");
+    });
+    if (bodyBuffer.length > 0)
+        forwardReq.write(bodyBuffer);
+    forwardReq.end();
+}
+// ─── Server startup ──────────────────────────────────────────────────────────
+export function startMitmServer() {
+    if (!rootCaExists()) {
+        throw new Error("Root CA not found. Generate it first via the dashboard.");
+    }
+    const rootCA = loadRootCA();
+    rootCAPem = rootCA.cert;
+    const sslOptions = {
+        key: rootCA.key,
+        cert: rootCA.cert,
+        SNICallback: sniCallback,
+    };
+    // Kill existing process on port 443
+    try {
+        const pids = execSync(`lsof -nP -iTCP:${LOCAL_PORT} -sTCP:LISTEN -t`, { encoding: "utf8", timeout: 3000 }).trim();
+        if (pids) {
+            pids.split("\n").forEach((pid) => {
+                try {
+                    process.kill(Number(pid), "SIGKILL");
+                }
+                catch { /* ignore */ }
+            });
+        }
+    }
+    catch { /* port is free */ }
+    const server = https.createServer(sslOptions, handleRequest);
+    server.listen(LOCAL_PORT, () => {
+        console.log(`[mitm] 🚀 MITM server running on :${LOCAL_PORT}`);
+        writeFileSync(PID_FILE, String(process.pid));
+    });
+    server.on("error", (e) => {
+        if (e.code === "EADDRINUSE") {
+            throw new Error(`Port ${LOCAL_PORT} already in use`);
+        }
+        if (e.code === "EACCES") {
+            throw new Error(`Permission denied for port ${LOCAL_PORT}. Run with sudo.`);
+        }
+        throw e;
+    });
+    // Graceful shutdown
+    const shutdown = () => {
+        removeAllDNSEntriesSync();
+        server.close(() => process.exit(0));
+        setTimeout(() => process.exit(0), 1500);
+    };
+    process.on("SIGTERM", shutdown);
+    process.on("SIGINT", shutdown);
+    return { pid: process.pid };
+}
+export function getMitmPid() {
+    try {
+        if (!existsSync(PID_FILE))
+            return null;
+        const pid = Number(readFileSync(PID_FILE, "utf8").trim());
+        // Check if process is alive
+        process.kill(pid, 0);
+        return pid;
+    }
+    catch {
+        return null;
+    }
+}
+export function isMitmRunning() {
+    return getMitmPid() !== null;
+}

package/dist/mitm/start-server.js

@@ -0,0 +1,13 @@
+/**
+ * MITM Server entry point — spawned with sudo by the main proxy.
+ * Runs the HTTPS interception server on port 443.
+ */
+import { startMitmServer } from "./server.js";
+try {
+    const { pid } = startMitmServer();
+    console.log(`[mitm] Server started (PID: ${pid})`);
+}
+catch (error) {
+    console.error(`[mitm] Failed to start:`, error instanceof Error ? error.message : error);
+    process.exit(1);
+}

package/dist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "responses-proxy-runtime",
-  "version": "0.1.4",
+  "version": "0.2.1",
   "private": true,
   "type": "module",
   "dependencies": {

package/dist/server.js

@@ -1972,33 +1972,122 @@ app.delete("/api/cli-tools/codex-settings", async (_request, reply) => {
         return reply.code(500).send({ error: error instanceof Error ? error.message : "Failed to reset settings" });
     }
 });
-// ─── MITM Server Status (stub — requires host-mode deployment) ──────────────
+// ─── MITM Server Status ─────────────────────────────────────────────────────
 app.get("/api/cli-tools/mitm-status", async (_request, reply) => {
-    // MITM requires running directly on host (not Docker) with root privileges.
-    // Return stub status indicating MITM is not available in this deployment mode.
-    return reply.send({
-        running: false,
-        certExists: false,
-        certTrusted: false,
-        dnsStatus: {},
-        available: false,
-        reason: "MITM requires host-mode deployment with root privileges (port 443 + DNS + cert trust). Not available in Docker mode.",
-    });
+    try {
+        const { rootCaExists, isRootCaTrusted } = await import("./mitm/cert.js");
+        const { isMitmRunning } = await import("./mitm/server.js");
+        const { checkAllDNSStatus, isSudoPasswordRequired } = await import("./mitm/dns.js");
+        return reply.send({
+            running: isMitmRunning(),
+            certExists: rootCaExists(),
+            certTrusted: isRootCaTrusted(),
+            dnsStatus: checkAllDNSStatus(),
+            needsSudoPassword: isSudoPasswordRequired(),
+            available: true,
+            isWin: process.platform === "win32",
+        });
+    }
+    catch (error) {
+        return reply.send({
+            running: false,
+            certExists: false,
+            certTrusted: false,
+            dnsStatus: {},
+            available: false,
+            reason: error instanceof Error ? error.message : "MITM module not available",
+        });
+    }
 });
-app.post("/api/cli-tools/mitm-start", async (_request, reply) => {
-    return reply.code(501).send({
-        error: "MITM server is not available in Docker deployment mode. Run the proxy directly on the host with root privileges.",
-    });
+app.post("/api/cli-tools/mitm-start", async (request, reply) => {
+    const body = request.body;
+    try {
+        const { generateRootCA, trustRootCA, rootCaExists: caExists } = await import("./mitm/cert.js");
+        const { spawn } = await import("node:child_process");
+        // Ensure CA exists
+        if (!caExists()) {
+            generateRootCA();
+        }
+        // Start MITM server as a child process (needs root for port 443)
+        const mitmScript = path.resolve(import.meta.dirname || __dirname, "mitm", "start-server.js");
+        const sudoPassword = body?.sudoPassword || "";
+        // Use sudo to start the server process
+        const env = {
+            ...process.env,
+            MITM_ROUTER_BASE_URL: `http://127.0.0.1:${config.PORT}`,
+        };
+        const child = spawn("sudo", ["-S", process.execPath, mitmScript], {
+            env,
+            stdio: ["pipe", "ignore", "pipe"],
+            detached: true,
+        });
+        if (sudoPassword && child.stdin) {
+            child.stdin.write(`${sudoPassword}\n`);
+            child.stdin.end();
+        }
+        child.unref();
+        // Wait a moment to check if it started
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to start MITM server",
+        });
+    }
 });
 app.post("/api/cli-tools/mitm-stop", async (_request, reply) => {
-    return reply.code(501).send({
-        error: "MITM server is not available in Docker deployment mode.",
-    });
+    try {
+        const { getMitmPid } = await import("./mitm/server.js");
+        const pid = getMitmPid();
+        if (pid) {
+            try {
+                process.kill(pid, "SIGTERM");
+            }
+            catch { /* already dead */ }
+        }
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to stop MITM server",
+        });
+    }
 });
-app.post("/api/cli-tools/mitm-dns", async (_request, reply) => {
-    return reply.code(501).send({
-        error: "DNS interception is not available in Docker deployment mode.",
-    });
+app.post("/api/cli-tools/mitm-dns", async (request, reply) => {
+    const body = request.body;
+    const toolId = typeof body?.toolId === "string" ? body.toolId : "";
+    const enable = body?.enable !== false;
+    const sudoPassword = typeof body?.sudoPassword === "string" ? body.sudoPassword : "";
+    try {
+        const { addDNSEntry, removeDNSEntry } = await import("./mitm/dns.js");
+        if (enable) {
+            await addDNSEntry(toolId, sudoPassword);
+        }
+        else {
+            await removeDNSEntry(toolId, sudoPassword);
+        }
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to update DNS",
+        });
+    }
+});
+app.post("/api/cli-tools/mitm-trust-cert", async (request, reply) => {
+    const body = request.body;
+    try {
+        const { generateRootCA, trustRootCA } = await import("./mitm/cert.js");
+        generateRootCA();
+        await trustRootCA(body?.sudoPassword);
+        return reply.send({ ok: true });
+    }
+    catch (error) {
+        return reply.code(500).send({
+            error: error instanceof Error ? error.message : "Failed to trust certificate",
+        });
+    }
 });
 app.get("/api/customer/codex/setup.sh", async (request, reply) => {
     const routingApiKey = readBearerToken(request.headers.authorization);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "responses-proxy",
-  "version": "0.1.4",
+  "version": "0.2.1",
   "description": "AI routing proxy with multi-provider fallback, RTK token saver, and web dashboard",
   "bin": {
     "responses-proxy": "./cli.js"