smartcontext-proxy 0.1.0 → 0.2.1

package/src/system/linux.ts

@@ -0,0 +1,57 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+
+/** Configure Linux system proxy */
+export function setSystemProxy(host: string, port: number): { success: boolean; message: string } {
+  const proxyUrl = `http://${host}:${port}`;
+
+  try {
+    // Try GNOME settings
+    try {
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy', 'mode', "'manual'"], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.http', 'host', `'${host}'`], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.http', 'port', String(port)], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.https', 'host', `'${host}'`], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.https', 'port', String(port)], { stdio: 'pipe' });
+    } catch {}
+
+    // Write environment file for shell sessions
+    const envFile = '/etc/profile.d/smartcontext-proxy.sh';
+    const content = `# SmartContext Proxy - auto-generated
+export http_proxy="${proxyUrl}"
+export https_proxy="${proxyUrl}"
+export HTTP_PROXY="${proxyUrl}"
+export HTTPS_PROXY="${proxyUrl}"
+export no_proxy="localhost,127.0.0.1,::1"
+`;
+    try {
+      execFileSync('sudo', ['tee', envFile], { input: content, stdio: ['pipe', 'pipe', 'pipe'] });
+    } catch {}
+
+    return { success: true, message: `System proxy set to ${proxyUrl}` };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Clear Linux system proxy */
+export function clearSystemProxy(): { success: boolean; message: string } {
+  try {
+    try {
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy', 'mode', "'none'"], { stdio: 'pipe' });
+    } catch {}
+
+    try {
+      execFileSync('sudo', ['rm', '-f', '/etc/profile.d/smartcontext-proxy.sh'], { stdio: 'pipe' });
+    } catch {}
+
+    return { success: true, message: 'System proxy cleared' };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+export function isProxyConfigured(port: number): boolean {
+  const proxyEnv = process.env['https_proxy'] || process.env['HTTPS_PROXY'] || '';
+  return proxyEnv.includes(String(port));
+}

package/src/system/macos.ts

@@ -0,0 +1,89 @@
+import { execFileSync } from 'node:child_process';
+
+/** Get active network interface name (e.g., "Wi-Fi", "Ethernet") */
+export function getActiveInterface(): string {
+  try {
+    const route = execFileSync('route', ['-n', 'get', 'default'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const ifMatch = route.match(/interface:\s*(\S+)/);
+    if (!ifMatch) return 'Wi-Fi';
+
+    const ifName = ifMatch[1];
+    // Map interface ID to service name
+    const services = execFileSync('networksetup', ['-listallhardwareports'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const lines = services.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      if (lines[i].includes(`Device: ${ifName}`)) {
+        const nameLine = lines[i - 1];
+        const nameMatch = nameLine?.match(/Hardware Port:\s*(.+)/);
+        if (nameMatch) return nameMatch[1];
+      }
+    }
+    return 'Wi-Fi';
+  } catch {
+    return 'Wi-Fi';
+  }
+}
+
+/** Configure macOS system proxy to use SmartContext */
+export function setSystemProxy(host: string, port: number): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    // Set HTTPS proxy
+    execFileSync('networksetup', ['-setsecurewebproxy', iface, host, String(port)], { stdio: 'pipe' });
+    // Set HTTP proxy
+    execFileSync('networksetup', ['-setwebproxy', iface, host, String(port)], { stdio: 'pipe' });
+    // Enable them
+    execFileSync('networksetup', ['-setsecurewebproxystate', iface, 'on'], { stdio: 'pipe' });
+    execFileSync('networksetup', ['-setwebproxystate', iface, 'on'], { stdio: 'pipe' });
+
+    return { success: true, message: `System proxy set to ${host}:${port} on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed to set proxy on ${iface}: ${err}` };
+  }
+}
+
+/** Remove system proxy configuration */
+export function clearSystemProxy(): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    execFileSync('networksetup', ['-setsecurewebproxystate', iface, 'off'], { stdio: 'pipe' });
+    execFileSync('networksetup', ['-setwebproxystate', iface, 'off'], { stdio: 'pipe' });
+    return { success: true, message: `System proxy cleared on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed to clear proxy on ${iface}: ${err}` };
+  }
+}
+
+/** Set PAC URL as auto-proxy configuration */
+export function setAutoproxyURL(pacUrl: string): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    execFileSync('networksetup', ['-setautoproxyurl', iface, pacUrl], { stdio: 'pipe' });
+    execFileSync('networksetup', ['-setautoproxystate', iface, 'on'], { stdio: 'pipe' });
+    return { success: true, message: `Auto-proxy URL set to ${pacUrl} on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Clear auto-proxy configuration */
+export function clearAutoproxyURL(): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    execFileSync('networksetup', ['-setautoproxystate', iface, 'off'], { stdio: 'pipe' });
+    return { success: true, message: `Auto-proxy cleared on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Check if system proxy is currently set to SmartContext */
+export function isProxyConfigured(port: number): boolean {
+  const iface = getActiveInterface();
+  try {
+    const info = execFileSync('networksetup', ['-getsecurewebproxy', iface], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    return info.includes(`Port: ${port}`) && info.includes('Enabled: Yes');
+  } catch {
+    return false;
+  }
+}

package/src/system/pf-redirect.ts

@@ -0,0 +1,175 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import dns from 'node:dns';
+import path from 'node:path';
+
+const PF_ANCHOR = 'com.smartcontext';
+const PF_CONF_PATH = path.join(process.env['HOME'] || '.', '.smartcontext', 'pf-smartcontext.conf');
+
+/** Known LLM provider hostnames to intercept */
+const LLM_HOSTS = [
+  'api.anthropic.com',
+  'api.openai.com',
+  'generativelanguage.googleapis.com',
+  'openrouter.ai',
+  'api.together.xyz',
+  'api.fireworks.ai',
+  'api.mistral.ai',
+  'api.cohere.com',
+  'api.groq.com',
+  'api.deepseek.com',
+];
+
+/**
+ * Resolve hostnames to IPs for pf rules.
+ * pf works at IP level, not DNS.
+ */
+async function resolveHosts(): Promise<Map<string, string[]>> {
+  const results = new Map<string, string[]>();
+
+  for (const host of LLM_HOSTS) {
+    try {
+      const addrs = await new Promise<string[]>((resolve, reject) => {
+        dns.resolve4(host, (err, addresses) => {
+          if (err) reject(err);
+          else resolve(addresses);
+        });
+      });
+      results.set(host, addrs);
+    } catch {
+      // Host might not resolve — skip
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Generate pf redirect rules.
+ * Redirects outgoing HTTPS (port 443) traffic to LLM provider IPs
+ * to our local proxy port.
+ */
+function generatePFConf(hostIPs: Map<string, string[]>, proxyPort: number): string {
+  const lines: string[] = [
+    `# SmartContext Proxy — auto-generated pf rules`,
+    `# Redirects LLM API traffic to local proxy`,
+    ``,
+  ];
+
+  // Collect all IPs into a pf table
+  const allIPs: string[] = [];
+  for (const [host, ips] of hostIPs) {
+    lines.push(`# ${host}: ${ips.join(', ')}`);
+    allIPs.push(...ips);
+  }
+
+  if (allIPs.length === 0) {
+    lines.push('# No IPs resolved — no rules');
+    return lines.join('\n');
+  }
+
+  lines.push('');
+  lines.push(`table <llm_providers> { ${allIPs.join(', ')} }`);
+  lines.push('');
+  // Redirect outgoing HTTPS to LLM providers → local proxy
+  // rdr-to changes destination to localhost:proxyPort
+  lines.push(`rdr pass on lo0 proto tcp from any to <llm_providers> port 443 -> 127.0.0.1 port ${proxyPort}`);
+  lines.push('');
+  // Route the traffic through loopback so rdr applies
+  lines.push(`pass out on en0 route-to (lo0 127.0.0.1) proto tcp from any to <llm_providers> port 443`);
+  lines.push(`pass out on en1 route-to (lo0 127.0.0.1) proto tcp from any to <llm_providers> port 443`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+/**
+ * Install pf redirect rules.
+ * Requires sudo.
+ */
+export async function enablePFRedirect(proxyPort: number): Promise<{ success: boolean; message: string; ips: number }> {
+  try {
+    const hostIPs = await resolveHosts();
+
+    let totalIPs = 0;
+    for (const ips of hostIPs.values()) totalIPs += ips.length;
+
+    if (totalIPs === 0) {
+      return { success: false, message: 'No LLM provider IPs resolved', ips: 0 };
+    }
+
+    const conf = generatePFConf(hostIPs, proxyPort);
+    fs.mkdirSync(path.dirname(PF_CONF_PATH), { recursive: true });
+    fs.writeFileSync(PF_CONF_PATH, conf);
+
+    // Load anchor into pf
+    try {
+      execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-f', PF_CONF_PATH], { stdio: 'pipe' });
+    } catch (err) {
+      return { success: false, message: `pfctl load failed: ${err}`, ips: totalIPs };
+    }
+
+    // Enable pf if not already enabled
+    try {
+      execFileSync('sudo', ['pfctl', '-e'], { stdio: 'pipe' });
+    } catch {
+      // Already enabled — ok
+    }
+
+    return { success: true, message: `pf redirect active: ${totalIPs} IPs from ${hostIPs.size} hosts → :${proxyPort}`, ips: totalIPs };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}`, ips: 0 };
+  }
+}
+
+/**
+ * Remove pf redirect rules.
+ */
+export function disablePFRedirect(): { success: boolean; message: string } {
+  try {
+    // Flush anchor rules
+    try {
+      execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-F', 'all'], { stdio: 'pipe' });
+    } catch {}
+
+    // Remove conf file
+    try { fs.unlinkSync(PF_CONF_PATH); } catch {}
+
+    return { success: true, message: 'pf redirect removed' };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/**
+ * Check if pf redirect is active.
+ */
+export function isPFRedirectActive(): boolean {
+  try {
+    const result = execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-sr'], {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return result.includes('rdr') || result.includes('route-to');
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Refresh IP addresses (IPs can change due to DNS).
+ * Call periodically to keep rules current.
+ */
+export async function refreshPFRules(proxyPort: number): Promise<void> {
+  const hostIPs = await resolveHosts();
+  let totalIPs = 0;
+  for (const ips of hostIPs.values()) totalIPs += ips.length;
+  if (totalIPs === 0) return;
+
+  const conf = generatePFConf(hostIPs, proxyPort);
+  fs.writeFileSync(PF_CONF_PATH, conf);
+
+  try {
+    execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-f', PF_CONF_PATH], { stdio: 'pipe' });
+  } catch {}
+}

package/src/system/watchdog.ts

@@ -0,0 +1,76 @@
+import http from 'node:http';
+import * as macos from './macos.js';
+import * as linux from './linux.js';
+
+const CHECK_INTERVAL = 10_000; // 10 seconds
+let watchdogTimer: NodeJS.Timeout | null = null;
+let port = 4800;
+
+/**
+ * Start watchdog that monitors proxy health.
+ * If proxy becomes unreachable, auto-removes system proxy config
+ * to prevent breaking the user's internet.
+ */
+export function startWatchdog(proxyPort: number): void {
+  port = proxyPort;
+
+  watchdogTimer = setInterval(() => {
+    checkHealth().catch(() => {
+      console.log('[watchdog] Proxy unreachable — clearing system proxy');
+      emergencyClearProxy();
+      stopWatchdog();
+    });
+  }, CHECK_INTERVAL);
+
+  // Also clear proxy on process exit
+  process.on('exit', emergencyClearProxy);
+  process.on('uncaughtException', (err) => {
+    console.error('[watchdog] Uncaught exception:', err);
+    emergencyClearProxy();
+    process.exit(1);
+  });
+  process.on('unhandledRejection', (err) => {
+    console.error('[watchdog] Unhandled rejection:', err);
+  });
+}
+
+export function stopWatchdog(): void {
+  if (watchdogTimer) {
+    clearInterval(watchdogTimer);
+    watchdogTimer = null;
+  }
+}
+
+function checkHealth(): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const req = http.get(`http://127.0.0.1:${port}/health`, { timeout: 5000 }, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => {
+        try {
+          const parsed = JSON.parse(data);
+          if (parsed.ok) resolve();
+          else reject(new Error('Health check failed'));
+        } catch {
+          reject(new Error('Invalid health response'));
+        }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error('Health check timeout'));
+    });
+  });
+}
+
+function emergencyClearProxy(): void {
+  try {
+    if (process.platform === 'darwin') {
+      macos.clearAutoproxyURL();
+      macos.clearSystemProxy();
+    } else {
+      linux.clearSystemProxy();
+    }
+  } catch {}
+}

package/src/test/connect-proxy.test.ts

@@ -0,0 +1,170 @@
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import http from 'node:http';
+import https from 'node:https';
+import net from 'node:net';
+import tls from 'node:tls';
+import fs from 'node:fs';
+import { ConnectProxy } from '../proxy/connect-proxy.js';
+import { buildConfig } from '../config/auto-detect.js';
+import { ensureCA, getCACertPath } from '../tls/ca-manager.js';
+import { classifyHost } from '../proxy/classifier.js';
+
+function httpRequest(
+  url: string,
+  options: http.RequestOptions,
+): Promise<{ status: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    const req = http.request(url, options, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => resolve({ status: res.statusCode || 0, body: data }));
+    });
+    req.on('error', reject);
+    req.end();
+  });
+}
+
+describe('Traffic Classifier', () => {
+  it('identifies Anthropic as LLM', () => {
+    const match = classifyHost('api.anthropic.com', 443);
+    assert.ok(match);
+    assert.strictEqual(match.provider, 'anthropic');
+  });
+
+  it('identifies OpenAI as LLM', () => {
+    const match = classifyHost('api.openai.com', 443);
+    assert.ok(match);
+    assert.strictEqual(match.provider, 'openai');
+  });
+
+  it('identifies Ollama local as LLM', () => {
+    const match = classifyHost('localhost', 11434);
+    assert.ok(match);
+    assert.strictEqual(match.provider, 'ollama');
+  });
+
+  it('returns null for non-LLM hosts', () => {
+    assert.strictEqual(classifyHost('google.com', 443), null);
+    assert.strictEqual(classifyHost('github.com', 443), null);
+    assert.strictEqual(classifyHost('localhost', 3000), null);
+  });
+
+  it('identifies all known providers', () => {
+    const providers = [
+      ['api.anthropic.com', 'anthropic'],
+      ['api.openai.com', 'openai'],
+      ['generativelanguage.googleapis.com', 'google'],
+      ['openrouter.ai', 'openrouter'],
+      ['api.groq.com', 'groq'],
+      ['api.deepseek.com', 'deepseek'],
+    ] as const;
+
+    for (const [host, expected] of providers) {
+      const match = classifyHost(host, 443);
+      assert.ok(match, `Should match ${host}`);
+      assert.strictEqual(match.provider, expected);
+    }
+  });
+});
+
+describe('CA Manager', () => {
+  it('generates CA cert on first call', () => {
+    const result = ensureCA();
+    assert.ok(result.cert.includes('BEGIN CERTIFICATE'));
+    assert.ok(result.key.includes('BEGIN RSA PRIVATE KEY'));
+  });
+
+  it('returns same cert on subsequent calls', () => {
+    const a = ensureCA();
+    const b = ensureCA();
+    assert.strictEqual(a.cert, b.cert);
+  });
+
+  it('CA cert file exists on disk', () => {
+    assert.ok(fs.existsSync(getCACertPath()));
+  });
+});
+
+describe('CONNECT Proxy', () => {
+  let proxy: ConnectProxy;
+  const PROXY_PORT = 14820;
+
+  before(async () => {
+    ensureCA();
+    const config = buildConfig({ proxy: { port: PROXY_PORT, host: '127.0.0.1' } });
+    config.logging.level = 'error';
+    proxy = new ConnectProxy(config);
+    await proxy.start();
+  });
+
+  after(async () => {
+    await proxy.stop();
+  });
+
+  it('serves dashboard at root', async () => {
+    const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/`, { method: 'GET' });
+    assert.strictEqual(res.status, 200);
+    assert.ok(res.body.includes('SmartContext'));
+  });
+
+  it('serves health endpoint', async () => {
+    const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/health`, { method: 'GET' });
+    assert.strictEqual(res.status, 200);
+    const data = JSON.parse(res.body);
+    assert.strictEqual(data.ok, true);
+    assert.strictEqual(data.type, 'connect-proxy');
+  });
+
+  it('serves PAC file', async () => {
+    const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/proxy.pac`, { method: 'GET' });
+    assert.strictEqual(res.status, 200);
+    assert.ok(res.body.includes('FindProxyForURL'));
+    assert.ok(res.body.includes('api.anthropic.com'));
+    assert.ok(res.body.includes('api.openai.com'));
+  });
+
+  it('API endpoints work', async () => {
+    const status = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/_sc/status`, { method: 'GET' });
+    assert.strictEqual(JSON.parse(status.body).state, 'running');
+
+    const stats = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/_sc/stats`, { method: 'GET' });
+    assert.strictEqual(JSON.parse(stats.body).totalRequests, 0);
+  });
+
+  it('handles CONNECT to non-LLM host (tunnel)', async () => {
+    // Create a simple target server
+    const targetServer = http.createServer((req, res) => {
+      res.writeHead(200);
+      res.end('target-ok');
+    });
+    await new Promise<void>((r) => targetServer.listen(14821, '127.0.0.1', r));
+
+    // Send CONNECT through proxy
+    const tunnelOk = await new Promise<boolean>((resolve) => {
+      const req = http.request({
+        host: '127.0.0.1',
+        port: PROXY_PORT,
+        method: 'CONNECT',
+        path: '127.0.0.1:14821',
+      });
+
+      req.on('connect', (res, socket) => {
+        // Send HTTP request through tunnel
+        socket.write('GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n');
+        let data = '';
+        socket.on('data', (chunk) => { data += chunk; });
+        socket.on('end', () => {
+          socket.destroy();
+          resolve(data.includes('target-ok'));
+        });
+      });
+
+      req.on('error', () => resolve(false));
+      req.end();
+    });
+
+    targetServer.close();
+    assert.ok(tunnelOk, 'Should tunnel non-LLM traffic');
+  });
+});

package/src/test/dashboard.test.ts

@@ -43,6 +43,7 @@ describe('Dashboard & API', () => {
     assert.ok(res.headers['content-type']?.includes('text/html'));
     assert.ok(res.body.includes('SmartContext Proxy'));
     assert.ok(res.body.includes('Total Requests'));
+    assert.ok(res.body.includes('Settings'));
   });
 
   it('returns status via /_sc/status', async () => {