smartcontext-proxy 0.1.0 → 0.2.0

package/src/proxy/classifier.ts

@@ -0,0 +1,71 @@
+/** Known LLM provider hostnames and their API patterns */
+
+export interface ProviderMatch {
+  provider: string;
+  hostname: string;
+  isLLM: true;
+}
+
+const LLM_HOSTS: Record<string, string> = {
+  'api.anthropic.com': 'anthropic',
+  'api.openai.com': 'openai',
+  'generativelanguage.googleapis.com': 'google',
+  'openrouter.ai': 'openrouter',
+  'api.together.xyz': 'together',
+  'api.fireworks.ai': 'fireworks',
+  'api.mistral.ai': 'mistral',
+  'api.cohere.com': 'cohere',
+  'api.groq.com': 'groq',
+  'api.deepseek.com': 'deepseek',
+};
+
+/** Ollama ports to intercept (HTTP, no TLS) */
+const OLLAMA_PORTS = new Set([11434]);
+
+/** Custom hosts added via config */
+let customHosts: Record<string, string> = {};
+
+export function addCustomHost(hostname: string, provider: string): void {
+  customHosts[hostname] = provider;
+}
+
+export function removeCustomHost(hostname: string): void {
+  delete customHosts[hostname];
+}
+
+/** Check if a hostname:port is an LLM provider that should be intercepted */
+export function classifyHost(hostname: string, port: number): ProviderMatch | null {
+  // Check known LLM hosts
+  const provider = LLM_HOSTS[hostname] || customHosts[hostname];
+  if (provider) {
+    return { provider, hostname, isLLM: true };
+  }
+
+  // Check Ollama local
+  if ((hostname === 'localhost' || hostname === '127.0.0.1') && OLLAMA_PORTS.has(port)) {
+    return { provider: 'ollama', hostname, isLLM: true };
+  }
+
+  return null;
+}
+
+/** Get all known LLM hostnames (for PAC file generation) */
+export function getLLMHostnames(): string[] {
+  return [
+    ...Object.keys(LLM_HOSTS),
+    ...Object.keys(customHosts),
+  ];
+}
+
+/** Check if a request path looks like an LLM API call */
+export function isLLMPath(path: string): boolean {
+  const llmPaths = [
+    '/v1/messages',           // Anthropic
+    '/v1/chat/completions',   // OpenAI
+    '/v1/completions',        // OpenAI legacy
+    '/api/chat',              // Ollama
+    '/api/generate',          // Ollama
+    '/v1beta/models',         // Google
+  ];
+  return llmPaths.some((p) => path.startsWith(p));
+}

package/src/proxy/connect-proxy.ts

@@ -0,0 +1,187 @@
+import http from 'node:http';
+import type { Socket } from 'node:net';
+import { classifyHost } from './classifier.js';
+import { createTunnel } from './tunnel.js';
+import { interceptTLS, type InterceptorOptions } from './tls-interceptor.js';
+import type { SmartContextConfig } from '../config/schema.js';
+import type { ProviderAdapter } from '../providers/types.js';
+import { ContextOptimizer } from '../context/optimizer.js';
+import { MetricsCollector } from '../metrics/collector.js';
+import { renderDashboard } from '../ui/dashboard.js';
+
+/**
+ * HTTP CONNECT proxy that transparently intercepts LLM traffic.
+ *
+ * - Non-LLM HTTPS: blind TCP tunnel (zero overhead)
+ * - LLM HTTPS: TLS intercept → optimize → forward
+ * - HTTP requests: direct handling (dashboard, API, Ollama)
+ */
+export class ConnectProxy {
+  private server: http.Server;
+  private metrics = new MetricsCollector();
+  private optimizer: ContextOptimizer | null = null;
+  private adapters = new Map<string, ProviderAdapter>();
+  private paused = false;
+  private requestCounter = { value: 0 };
+  private config: SmartContextConfig;
+
+  constructor(
+    config: SmartContextConfig,
+    optimizer?: ContextOptimizer | null,
+    adapters?: Map<string, ProviderAdapter>,
+  ) {
+    this.config = config;
+    this.optimizer = optimizer || null;
+    if (adapters) this.adapters = adapters;
+
+    this.server = http.createServer((req, res) => this.handleHTTP(req, res));
+    this.server.on('connect', (req, clientSocket: Socket, head) => this.handleConnect(req, clientSocket, head));
+  }
+
+  async start(): Promise<void> {
+    const { port, host } = this.config.proxy;
+    return new Promise((resolve) => {
+      this.server.listen(port, host, () => resolve());
+    });
+  }
+
+  async stop(): Promise<void> {
+    return new Promise((resolve) => {
+      this.server.close(() => resolve());
+    });
+  }
+
+  getMetrics(): MetricsCollector { return this.metrics; }
+  isPaused(): boolean { return this.paused; }
+  setPaused(v: boolean): void { this.paused = v; }
+
+  /** Handle HTTP CONNECT requests (HTTPS tunnel establishment) */
+  private handleConnect(req: http.IncomingMessage, clientSocket: Socket, head: Buffer): void {
+    const [hostname, portStr] = (req.url || '').split(':');
+    const port = parseInt(portStr || '443', 10);
+
+    const match = classifyHost(hostname, port);
+
+    if (match) {
+      // LLM provider → intercept TLS
+      this.log('info', `INTERCEPT ${hostname}:${port} (${match.provider})`);
+      interceptTLS(clientSocket, hostname, port, match, this.interceptorOptions());
+    } else {
+      // Non-LLM → blind tunnel
+      createTunnel(clientSocket, hostname, port);
+    }
+  }
+
+  /** Handle plain HTTP requests (dashboard, API, Ollama interception) */
+  private async handleHTTP(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {
+    const path = req.url || '/';
+    const method = req.method || 'GET';
+
+    // Dashboard
+    if (path === '/' && method === 'GET') {
+      res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+      res.end(renderDashboard(this.metrics, this.paused));
+      return;
+    }
+
+    // Health
+    if (path === '/health') {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        ok: true,
+        requests: this.requestCounter.value,
+        paused: this.paused,
+        mode: this.optimizer ? 'optimizing' : 'transparent',
+        type: 'connect-proxy',
+      }));
+      return;
+    }
+
+    // PAC file
+    if (path === '/proxy.pac') {
+      res.writeHead(200, { 'Content-Type': 'application/x-ns-proxy-autoconfig' });
+      res.end(this.generatePAC());
+      return;
+    }
+
+    // API endpoints
+    if (path.startsWith('/_sc/')) {
+      this.handleAPI(path, method, req, res);
+      return;
+    }
+
+    // Everything else: 404
+    res.writeHead(404, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Not found' }));
+  }
+
+  private handleAPI(path: string, method: string, req: http.IncomingMessage, res: http.ServerResponse): void {
+    res.setHeader('Content-Type', 'application/json');
+
+    switch (path) {
+      case '/_sc/status':
+        res.end(JSON.stringify({
+          state: this.paused ? 'paused' : 'running',
+          uptime: this.metrics.getUptime(),
+          requests: this.requestCounter.value,
+          mode: this.optimizer ? 'optimizing' : 'transparent',
+        }));
+        break;
+      case '/_sc/stats':
+        res.end(JSON.stringify(this.metrics.getStats()));
+        break;
+      case '/_sc/feed':
+        res.end(JSON.stringify(this.metrics.getRecent(50)));
+        break;
+      case '/_sc/pause':
+        this.paused = true;
+        res.end(JSON.stringify({ ok: true, state: 'paused' }));
+        break;
+      case '/_sc/resume':
+        this.paused = false;
+        res.end(JSON.stringify({ ok: true, state: 'running' }));
+        break;
+      default:
+        res.writeHead(404);
+        res.end(JSON.stringify({ error: `Unknown: ${path}` }));
+    }
+  }
+
+  private generatePAC(): string {
+    const { getLLMHostnames } = require('./classifier.js');
+    const hosts = getLLMHostnames();
+    const { port, host } = this.config.proxy;
+
+    const conditions = hosts
+      .map((h: string) => `    if (dnsDomainIs(host, "${h}")) return proxy;`)
+      .join('\n');
+
+    return `function FindProxyForURL(url, host) {
+    var proxy = "PROXY ${host}:${port}";
+${conditions}
+    // Ollama local
+    if (host === "localhost" && url.indexOf(":11434") !== -1) return proxy;
+    return "DIRECT";
+}`;
+  }
+
+  private interceptorOptions(): import('./tls-interceptor.js').InterceptorOptions {
+    return {
+      config: this.config,
+      optimizer: this.optimizer,
+      metrics: this.metrics,
+      adapters: this.adapters,
+      paused: this.paused,
+      requestCounter: this.requestCounter,
+      log: this.log.bind(this),
+    };
+  }
+
+  private log(level: string, message: string): void {
+    const timestamp = new Date().toISOString().slice(11, 23);
+    const prefix = level === 'error' ? '✗' : '→';
+    if (level === 'error' || this.config.logging.level !== 'error') {
+      console.log(`[${timestamp}] ${prefix} ${message}`);
+    }
+  }
+}

package/src/proxy/tls-interceptor.ts

@@ -0,0 +1,261 @@
+import tls from 'node:tls';
+import http from 'node:http';
+import https from 'node:https';
+import net from 'node:net';
+import { URL } from 'node:url';
+import type { Socket } from 'node:net';
+import { getCertForHost } from '../tls/ca-manager.js';
+import { classifyHost, type ProviderMatch } from './classifier.js';
+import { streamResponse } from './stream.js';
+import type { ProviderAdapter } from '../providers/types.js';
+import type { SmartContextConfig } from '../config/schema.js';
+import { ContextOptimizer } from '../context/optimizer.js';
+import { MetricsCollector, type RequestMetric } from '../metrics/collector.js';
+import { estimateTokens } from '../context/chunker.js';
+import { getTextContent } from '../context/canonical.js';
+
+export interface InterceptorOptions {
+  config: SmartContextConfig;
+  optimizer: ContextOptimizer | null;
+  metrics: MetricsCollector;
+  adapters: Map<string, ProviderAdapter>;
+  paused: boolean;
+  requestCounter: { value: number };
+  log: (level: string, message: string) => void;
+}
+
+/**
+ * Intercept TLS connection to an LLM provider.
+ * Terminates TLS with a generated cert, parses the HTTP request inside,
+ * optionally optimizes context, then forwards to the real provider.
+ */
+export function interceptTLS(
+  clientSocket: Socket,
+  hostname: string,
+  port: number,
+  match: ProviderMatch,
+  options: InterceptorOptions,
+): void {
+  const { cert, key } = getCertForHost(hostname);
+
+  const tlsSocket = new tls.TLSSocket(clientSocket, {
+    isServer: true,
+    cert,
+    key,
+  });
+
+  // Tell client the tunnel is established
+  clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+
+  // Read HTTP request from decrypted TLS stream
+  let requestData = Buffer.alloc(0);
+  let headersParsed = false;
+  let contentLength = 0;
+  let headerEnd = -1;
+
+  tlsSocket.on('data', (chunk: Buffer) => {
+    requestData = Buffer.concat([requestData, chunk]);
+
+    if (!headersParsed) {
+      headerEnd = requestData.indexOf('\r\n\r\n');
+      if (headerEnd === -1) return; // Wait for more data
+
+      headersParsed = true;
+      const headersStr = requestData.subarray(0, headerEnd).toString();
+      const clMatch = headersStr.match(/content-length:\s*(\d+)/i);
+      contentLength = clMatch ? parseInt(clMatch[1], 10) : 0;
+    }
+
+    const bodyStart = headerEnd + 4;
+    const bodyReceived = requestData.length - bodyStart;
+
+    if (bodyReceived >= contentLength) {
+      tlsSocket.pause();
+      handleInterceptedRequest(
+        requestData, hostname, port, match, options, tlsSocket,
+      ).catch((err) => {
+        options.log('error', `Intercept error: ${err}`);
+        try {
+          tlsSocket.write('HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n');
+          tlsSocket.end();
+        } catch {}
+      });
+    }
+  });
+
+  tlsSocket.on('error', (err) => {
+    options.log('error', `TLS socket error for ${hostname}: ${err.message}`);
+  });
+}
+
+/**
+ * Handle an intercepted HTTP request: parse, optimize, forward, stream back.
+ */
+async function handleInterceptedRequest(
+  rawRequest: Buffer,
+  hostname: string,
+  port: number,
+  match: ProviderMatch,
+  options: InterceptorOptions,
+  clientTLS: tls.TLSSocket,
+): Promise<void> {
+  const startTime = Date.now();
+  options.requestCounter.value++;
+  const reqId = options.requestCounter.value;
+
+  // Parse raw HTTP request
+  const headerEnd = rawRequest.indexOf('\r\n\r\n');
+  const headersStr = rawRequest.subarray(0, headerEnd).toString();
+  const body = rawRequest.subarray(headerEnd + 4);
+
+  const [requestLine, ...headerLines] = headersStr.split('\r\n');
+  const [method, path] = requestLine.split(' ');
+
+  const headers: Record<string, string> = {};
+  for (const line of headerLines) {
+    const colonIdx = line.indexOf(':');
+    if (colonIdx > 0) {
+      headers[line.substring(0, colonIdx).toLowerCase().trim()] = line.substring(colonIdx + 1).trim();
+    }
+  }
+
+  // Find adapter for this provider
+  const adapter = options.adapters.get(match.provider);
+  let forwardBody: Buffer;
+  let originalTokens = 0;
+  let optimizedTokens = 0;
+  let savingsPercent = 0;
+  let chunksRetrieved = 0;
+  let topScore = 0;
+  let passThrough = true;
+  let reason: string | undefined;
+  let model = 'unknown';
+
+  if (adapter && body.length > 0) {
+    try {
+      const parsed = JSON.parse(body.toString());
+      model = parsed.model || 'unknown';
+      const canonical = adapter.parseRequest(parsed, headers);
+
+      originalTokens = estimateTokens(canonical.systemPrompt || '') +
+        canonical.messages.reduce((sum, m) => sum + estimateTokens(getTextContent(m)), 0);
+
+      // Optimize if available and not paused
+      if (options.optimizer && !options.paused) {
+        try {
+          const result = await options.optimizer.optimize(canonical);
+          passThrough = result.passThrough;
+          reason = result.reason;
+
+          if (!result.passThrough) {
+            canonical.messages = result.optimizedMessages;
+            if (result.systemPrompt !== undefined) canonical.systemPrompt = result.systemPrompt;
+            optimizedTokens = result.packed.optimizedTokens;
+            savingsPercent = result.packed.savingsPercent;
+          }
+
+          if (result.retrieval) {
+            chunksRetrieved = result.retrieval.chunks.length;
+            topScore = result.retrieval.topScore;
+          }
+        } catch (err) {
+          passThrough = true;
+          reason = `optimization error: ${err}`;
+        }
+      }
+
+      if (!passThrough) {
+        forwardBody = Buffer.from(JSON.stringify(adapter.serializeRequest(canonical)));
+      } else {
+        forwardBody = body;
+        optimizedTokens = originalTokens;
+      }
+    } catch {
+      forwardBody = body;
+      optimizedTokens = originalTokens;
+    }
+  } else {
+    forwardBody = body;
+  }
+
+  const latencyOverhead = Date.now() - startTime;
+  const savingsStr = passThrough ? 'pass' : `-${savingsPercent}%`;
+  options.log('info',
+    `#${reqId} ${match.provider}/${model} ${originalTokens}→${optimizedTokens} ${savingsStr} ${latencyOverhead}ms [intercepted]`);
+
+  // Forward to real provider
+  const useHTTPS = port === 443 || hostname.includes('.');
+  const transport = useHTTPS ? https : http;
+  const forwardUrl = `${useHTTPS ? 'https' : 'http'}://${hostname}:${port}${path}`;
+
+  const forwardHeaders = { ...headers };
+  forwardHeaders['host'] = hostname;
+  forwardHeaders['content-length'] = String(forwardBody.length);
+
+  const providerRes = await new Promise<http.IncomingMessage>((resolve, reject) => {
+    const proxyReq = transport.request(forwardUrl, {
+      method,
+      headers: forwardHeaders,
+    }, resolve);
+    proxyReq.on('error', reject);
+    proxyReq.write(forwardBody);
+    proxyReq.end();
+  });
+
+  // Build response headers
+  const resHeaders: string[] = [
+    `HTTP/1.1 ${providerRes.statusCode} ${providerRes.statusMessage}`,
+  ];
+  for (const [key, val] of Object.entries(providerRes.headers)) {
+    if (val) {
+      const values = Array.isArray(val) ? val : [val];
+      for (const v of values) {
+        resHeaders.push(`${key}: ${v}`);
+      }
+    }
+  }
+  resHeaders.push('', '');
+
+  clientTLS.write(resHeaders.join('\r\n'));
+
+  // Stream response body
+  await new Promise<void>((resolve) => {
+    providerRes.on('data', (chunk) => {
+      clientTLS.write(chunk);
+    });
+    providerRes.on('end', () => {
+      clientTLS.end();
+      resolve();
+    });
+    providerRes.on('error', () => {
+      clientTLS.end();
+      resolve();
+    });
+  });
+
+  // Record metrics
+  options.metrics.record({
+    id: reqId,
+    timestamp: Date.now(),
+    provider: match.provider,
+    model,
+    streaming: headers['accept']?.includes('text/event-stream') || false,
+    originalTokens,
+    optimizedTokens,
+    savingsPercent,
+    latencyOverheadMs: latencyOverhead,
+    chunksRetrieved,
+    topScore,
+    passThrough,
+    reason,
+  });
+
+  // Async post-indexing
+  if (options.optimizer && !passThrough && adapter) {
+    try {
+      const parsed = JSON.parse(body.toString());
+      const canonical = adapter.parseRequest(parsed, headers);
+      options.optimizer.indexExchange(canonical.messages, `intercepted-${reqId}`).catch(() => {});
+    } catch {}
+  }
+}

package/src/proxy/tunnel.ts

@@ -0,0 +1,32 @@
+import net from 'node:net';
+import type { Socket } from 'node:net';
+
+/**
+ * Create a blind TCP tunnel between client and target.
+ * Zero overhead — no inspection, no buffering.
+ * Used for non-LLM HTTPS traffic.
+ */
+export function createTunnel(clientSocket: Socket, targetHost: string, targetPort: number): void {
+  const targetSocket = net.connect(targetPort, targetHost, () => {
+    clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+    targetSocket.pipe(clientSocket);
+    clientSocket.pipe(targetSocket);
+  });
+
+  targetSocket.on('error', (err) => {
+    clientSocket.write(`HTTP/1.1 502 Bad Gateway\r\n\r\n`);
+    clientSocket.end();
+  });
+
+  clientSocket.on('error', () => {
+    targetSocket.destroy();
+  });
+
+  clientSocket.on('close', () => {
+    targetSocket.destroy();
+  });
+
+  targetSocket.on('close', () => {
+    clientSocket.destroy();
+  });
+}

package/src/system/installer.ts

@@ -0,0 +1,148 @@
+import { ensureCA, getCACertPath } from '../tls/ca-manager.js';
+import { installCA, uninstallCA, isCAInstalled } from '../tls/trust-store.js';
+import { installService, uninstallService } from '../daemon/service.js';
+import * as macos from './macos.js';
+import * as linux from './linux.js';
+
+const platform = process.platform === 'darwin' ? macos : linux;
+
+export interface InstallResult {
+  success: boolean;
+  steps: Array<{ step: string; success: boolean; message: string }>;
+}
+
+/**
+ * Full installation:
+ * 1. Generate CA cert
+ * 2. Install CA in trust store
+ * 3. Configure system proxy
+ * 4. Install system service
+ */
+export function install(port: number): InstallResult {
+  const steps: InstallResult['steps'] = [];
+  let allOk = true;
+
+  // Step 1: Generate CA
+  try {
+    ensureCA();
+    steps.push({ step: 'Generate CA certificate', success: true, message: `CA cert at ${getCACertPath()}` });
+  } catch (err) {
+    steps.push({ step: 'Generate CA certificate', success: false, message: String(err) });
+    allOk = false;
+  }
+
+  // Step 2: Install CA in trust store
+  if (allOk) {
+    const result = installCA();
+    steps.push({ step: 'Install CA in trust store', success: result.success, message: result.message });
+    if (!result.success) allOk = false;
+  }
+
+  // Step 3: Configure system proxy (PAC URL for selective proxying)
+  if (allOk) {
+    if (process.platform === 'darwin') {
+      const result = macos.setAutoproxyURL(`http://127.0.0.1:${port}/proxy.pac`);
+      steps.push({ step: 'Configure system proxy (PAC)', success: result.success, message: result.message });
+      if (!result.success) allOk = false;
+    } else {
+      const result = platform.setSystemProxy('127.0.0.1', port);
+      steps.push({ step: 'Configure system proxy', success: result.success, message: result.message });
+      if (!result.success) allOk = false;
+    }
+  }
+
+  // Step 4: Install system service
+  if (allOk) {
+    try {
+      const servicePath = installService(port);
+      steps.push({ step: 'Install system service', success: true, message: `Service at ${servicePath}` });
+    } catch (err) {
+      steps.push({ step: 'Install system service', success: false, message: String(err) });
+      // Non-fatal: proxy can still run manually
+    }
+  }
+
+  // Rollback on failure
+  if (!allOk) {
+    rollback(steps);
+  }
+
+  return { success: allOk, steps };
+}
+
+/**
+ * Full uninstallation:
+ * 1. Remove system service
+ * 2. Clear system proxy
+ * 3. Remove CA from trust store
+ */
+export function uninstall(purge: boolean = false): InstallResult {
+  const steps: InstallResult['steps'] = [];
+
+  // Step 1: Remove service
+  try {
+    const msg = uninstallService();
+    steps.push({ step: 'Remove system service', success: true, message: msg });
+  } catch (err) {
+    steps.push({ step: 'Remove system service', success: false, message: String(err) });
+  }
+
+  // Step 2: Clear proxy
+  if (process.platform === 'darwin') {
+    const r1 = macos.clearAutoproxyURL();
+    steps.push({ step: 'Clear auto-proxy', success: r1.success, message: r1.message });
+    const r2 = macos.clearSystemProxy();
+    steps.push({ step: 'Clear system proxy', success: r2.success, message: r2.message });
+  } else {
+    const r = linux.clearSystemProxy();
+    steps.push({ step: 'Clear system proxy', success: r.success, message: r.message });
+  }
+
+  // Step 3: Remove CA
+  const caResult = uninstallCA();
+  steps.push({ step: 'Remove CA from trust store', success: caResult.success, message: caResult.message });
+
+  // Step 4: Purge data (optional)
+  if (purge) {
+    try {
+      const fs = require('node:fs');
+      const path = require('node:path');
+      const dataDir = path.join(process.env['HOME'] || '.', '.smartcontext');
+      fs.rmSync(dataDir, { recursive: true, force: true });
+      steps.push({ step: 'Purge data directory', success: true, message: `Removed ${dataDir}` });
+    } catch (err) {
+      steps.push({ step: 'Purge data directory', success: false, message: String(err) });
+    }
+  }
+
+  const allOk = steps.every((s) => s.success);
+  return { success: allOk, steps };
+}
+
+/** Check installation status */
+export function status(port: number): Record<string, boolean | string> {
+  return {
+    caExists: require('node:fs').existsSync(getCACertPath()),
+    caInstalled: isCAInstalled(),
+    proxyConfigured: platform.isProxyConfigured(port),
+  };
+}
+
+/** Rollback completed steps on failure */
+function rollback(completedSteps: InstallResult['steps']): void {
+  for (const step of completedSteps.reverse()) {
+    if (!step.success) continue;
+    try {
+      if (step.step.includes('CA in trust store')) uninstallCA();
+      if (step.step.includes('system proxy') || step.step.includes('PAC')) {
+        if (process.platform === 'darwin') {
+          macos.clearAutoproxyURL();
+          macos.clearSystemProxy();
+        } else {
+          linux.clearSystemProxy();
+        }
+      }
+      if (step.step.includes('system service')) uninstallService();
+    } catch {}
+  }
+}