smartcontext-proxy 0.1.0 → 0.2.1

package/dist/src/proxy/tls-interceptor.js

@@ -0,0 +1,211 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.interceptTLS = interceptTLS;
+const node_tls_1 = __importDefault(require("node:tls"));
+const node_http_1 = __importDefault(require("node:http"));
+const node_https_1 = __importDefault(require("node:https"));
+const ca_manager_js_1 = require("../tls/ca-manager.js");
+const chunker_js_1 = require("../context/chunker.js");
+const canonical_js_1 = require("../context/canonical.js");
+/**
+ * Intercept TLS connection to an LLM provider.
+ * Terminates TLS with a generated cert, parses the HTTP request inside,
+ * optionally optimizes context, then forwards to the real provider.
+ */
+function interceptTLS(clientSocket, hostname, port, match, options) {
+    const { cert, key } = (0, ca_manager_js_1.getCertForHost)(hostname);
+    const tlsSocket = new node_tls_1.default.TLSSocket(clientSocket, {
+        isServer: true,
+        cert,
+        key,
+    });
+    // Tell client the tunnel is established
+    clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+    // Read HTTP request from decrypted TLS stream
+    let requestData = Buffer.alloc(0);
+    let headersParsed = false;
+    let contentLength = 0;
+    let headerEnd = -1;
+    tlsSocket.on('data', (chunk) => {
+        requestData = Buffer.concat([requestData, chunk]);
+        if (!headersParsed) {
+            headerEnd = requestData.indexOf('\r\n\r\n');
+            if (headerEnd === -1)
+                return; // Wait for more data
+            headersParsed = true;
+            const headersStr = requestData.subarray(0, headerEnd).toString();
+            const clMatch = headersStr.match(/content-length:\s*(\d+)/i);
+            contentLength = clMatch ? parseInt(clMatch[1], 10) : 0;
+        }
+        const bodyStart = headerEnd + 4;
+        const bodyReceived = requestData.length - bodyStart;
+        if (bodyReceived >= contentLength) {
+            tlsSocket.pause();
+            handleInterceptedRequest(requestData, hostname, port, match, options, tlsSocket).catch((err) => {
+                options.log('error', `Intercept error: ${err}`);
+                try {
+                    tlsSocket.write('HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n');
+                    tlsSocket.end();
+                }
+                catch { }
+            });
+        }
+    });
+    tlsSocket.on('error', (err) => {
+        options.log('error', `TLS socket error for ${hostname}: ${err.message}`);
+    });
+}
+/**
+ * Handle an intercepted HTTP request: parse, optimize, forward, stream back.
+ */
+async function handleInterceptedRequest(rawRequest, hostname, port, match, options, clientTLS) {
+    const startTime = Date.now();
+    options.requestCounter.value++;
+    const reqId = options.requestCounter.value;
+    // Parse raw HTTP request
+    const headerEnd = rawRequest.indexOf('\r\n\r\n');
+    const headersStr = rawRequest.subarray(0, headerEnd).toString();
+    const body = rawRequest.subarray(headerEnd + 4);
+    const [requestLine, ...headerLines] = headersStr.split('\r\n');
+    const [method, path] = requestLine.split(' ');
+    const headers = {};
+    for (const line of headerLines) {
+        const colonIdx = line.indexOf(':');
+        if (colonIdx > 0) {
+            headers[line.substring(0, colonIdx).toLowerCase().trim()] = line.substring(colonIdx + 1).trim();
+        }
+    }
+    // Find adapter for this provider
+    const adapter = options.adapters.get(match.provider);
+    let forwardBody;
+    let originalTokens = 0;
+    let optimizedTokens = 0;
+    let savingsPercent = 0;
+    let chunksRetrieved = 0;
+    let topScore = 0;
+    let passThrough = true;
+    let reason;
+    let model = 'unknown';
+    if (adapter && body.length > 0) {
+        try {
+            const parsed = JSON.parse(body.toString());
+            model = parsed.model || 'unknown';
+            const canonical = adapter.parseRequest(parsed, headers);
+            originalTokens = (0, chunker_js_1.estimateTokens)(canonical.systemPrompt || '') +
+                canonical.messages.reduce((sum, m) => sum + (0, chunker_js_1.estimateTokens)((0, canonical_js_1.getTextContent)(m)), 0);
+            // Optimize if available and not paused
+            if (options.optimizer && !options.paused) {
+                try {
+                    const result = await options.optimizer.optimize(canonical);
+                    passThrough = result.passThrough;
+                    reason = result.reason;
+                    if (!result.passThrough) {
+                        canonical.messages = result.optimizedMessages;
+                        if (result.systemPrompt !== undefined)
+                            canonical.systemPrompt = result.systemPrompt;
+                        optimizedTokens = result.packed.optimizedTokens;
+                        savingsPercent = result.packed.savingsPercent;
+                    }
+                    if (result.retrieval) {
+                        chunksRetrieved = result.retrieval.chunks.length;
+                        topScore = result.retrieval.topScore;
+                    }
+                }
+                catch (err) {
+                    passThrough = true;
+                    reason = `optimization error: ${err}`;
+                }
+            }
+            if (!passThrough) {
+                forwardBody = Buffer.from(JSON.stringify(adapter.serializeRequest(canonical)));
+            }
+            else {
+                forwardBody = body;
+                optimizedTokens = originalTokens;
+            }
+        }
+        catch {
+            forwardBody = body;
+            optimizedTokens = originalTokens;
+        }
+    }
+    else {
+        forwardBody = body;
+    }
+    const latencyOverhead = Date.now() - startTime;
+    const savingsStr = passThrough ? 'pass' : `-${savingsPercent}%`;
+    options.log('info', `#${reqId} ${match.provider}/${model} ${originalTokens}→${optimizedTokens} ${savingsStr} ${latencyOverhead}ms [intercepted]`);
+    // Forward to real provider
+    const useHTTPS = port === 443 || hostname.includes('.');
+    const transport = useHTTPS ? node_https_1.default : node_http_1.default;
+    const forwardUrl = `${useHTTPS ? 'https' : 'http'}://${hostname}:${port}${path}`;
+    const forwardHeaders = { ...headers };
+    forwardHeaders['host'] = hostname;
+    forwardHeaders['content-length'] = String(forwardBody.length);
+    const providerRes = await new Promise((resolve, reject) => {
+        const proxyReq = transport.request(forwardUrl, {
+            method,
+            headers: forwardHeaders,
+        }, resolve);
+        proxyReq.on('error', reject);
+        proxyReq.write(forwardBody);
+        proxyReq.end();
+    });
+    // Build response headers
+    const resHeaders = [
+        `HTTP/1.1 ${providerRes.statusCode} ${providerRes.statusMessage}`,
+    ];
+    for (const [key, val] of Object.entries(providerRes.headers)) {
+        if (val) {
+            const values = Array.isArray(val) ? val : [val];
+            for (const v of values) {
+                resHeaders.push(`${key}: ${v}`);
+            }
+        }
+    }
+    resHeaders.push('', '');
+    clientTLS.write(resHeaders.join('\r\n'));
+    // Stream response body
+    await new Promise((resolve) => {
+        providerRes.on('data', (chunk) => {
+            clientTLS.write(chunk);
+        });
+        providerRes.on('end', () => {
+            clientTLS.end();
+            resolve();
+        });
+        providerRes.on('error', () => {
+            clientTLS.end();
+            resolve();
+        });
+    });
+    // Record metrics
+    options.metrics.record({
+        id: reqId,
+        timestamp: Date.now(),
+        provider: match.provider,
+        model,
+        streaming: headers['accept']?.includes('text/event-stream') || false,
+        originalTokens,
+        optimizedTokens,
+        savingsPercent,
+        latencyOverheadMs: latencyOverhead,
+        chunksRetrieved,
+        topScore,
+        passThrough,
+        reason,
+    });
+    // Async post-indexing
+    if (options.optimizer && !passThrough && adapter) {
+        try {
+            const parsed = JSON.parse(body.toString());
+            const canonical = adapter.parseRequest(parsed, headers);
+            options.optimizer.indexExchange(canonical.messages, `intercepted-${reqId}`).catch(() => { });
+        }
+        catch { }
+    }
+}
+//# sourceMappingURL=tls-interceptor.js.map

package/dist/src/proxy/transparent-listener.d.ts

@@ -0,0 +1,31 @@
+import type { ProviderAdapter } from '../providers/types.js';
+import type { SmartContextConfig } from '../config/schema.js';
+import { ContextOptimizer } from '../context/optimizer.js';
+import { MetricsCollector } from '../metrics/collector.js';
+export interface TransparentOptions {
+    config: SmartContextConfig;
+    optimizer: ContextOptimizer | null;
+    metrics: MetricsCollector;
+    adapters: Map<string, ProviderAdapter>;
+    paused: boolean;
+    requestCounter: {
+        value: number;
+    };
+    log: (level: string, message: string) => void;
+}
+/**
+ * Transparent TLS listener on port 443.
+ * When DNS redirects LLM traffic to 127.0.0.1, clients connect directly
+ * via TLS (no CONNECT). This server terminates TLS using SNI to pick
+ * the right cert, then handles the request.
+ */
+export declare class TransparentListener {
+    private server;
+    private options;
+    constructor(options: TransparentOptions);
+    start(port?: number, host?: string): Promise<void>;
+    stop(): Promise<void>;
+    private handleConnection;
+    private handleTLSConnection;
+    private handleRequest;
+}

package/dist/src/proxy/transparent-listener.js

@@ -0,0 +1,285 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransparentListener = void 0;
+const node_tls_1 = __importDefault(require("node:tls"));
+const node_net_1 = __importDefault(require("node:net"));
+const node_https_1 = __importDefault(require("node:https"));
+const ca_manager_js_1 = require("../tls/ca-manager.js");
+const classifier_js_1 = require("./classifier.js");
+const dns_redirect_js_1 = require("../system/dns-redirect.js");
+const chunker_js_1 = require("../context/chunker.js");
+const canonical_js_1 = require("../context/canonical.js");
+/**
+ * Transparent TLS listener on port 443.
+ * When DNS redirects LLM traffic to 127.0.0.1, clients connect directly
+ * via TLS (no CONNECT). This server terminates TLS using SNI to pick
+ * the right cert, then handles the request.
+ */
+class TransparentListener {
+    server;
+    options;
+    constructor(options) {
+        this.options = options;
+        // Raw TCP server — we need SNI from ClientHello before creating TLS context
+        this.server = node_net_1.default.createServer((socket) => this.handleConnection(socket));
+    }
+    async start(port = 443, host = '127.0.0.1') {
+        return new Promise((resolve, reject) => {
+            this.server.on('error', (err) => {
+                if (err.code === 'EACCES') {
+                    this.options.log('error', `Port ${port} requires root. Transparent listener disabled.`);
+                    resolve(); // Non-fatal
+                }
+                else {
+                    reject(err);
+                }
+            });
+            this.server.listen(port, host, () => {
+                this.options.log('info', `Transparent TLS listener on ${host}:${port}`);
+                resolve();
+            });
+        });
+    }
+    async stop() {
+        return new Promise((resolve) => {
+            this.server.close(() => resolve());
+        });
+    }
+    handleConnection(socket) {
+        // Peek at first bytes to extract SNI from TLS ClientHello
+        socket.once('data', (data) => {
+            const hostname = extractSNI(data);
+            if (!hostname) {
+                socket.destroy();
+                return;
+            }
+            const match = (0, classifier_js_1.classifyHost)(hostname, 443);
+            if (!match) {
+                // Not an LLM host — shouldn't happen with DNS redirect, but just in case
+                socket.destroy();
+                return;
+            }
+            this.options.log('info', `TRANSPARENT ${hostname} (${match.provider})`);
+            const { cert, key } = (0, ca_manager_js_1.getCertForHost)(hostname);
+            const tlsSocket = new node_tls_1.default.TLSSocket(socket, {
+                isServer: true,
+                cert,
+                key,
+            });
+            // Unshift the peeked data back
+            tlsSocket.unshift(data);
+            // Actually we already consumed data from socket, TLSSocket wraps socket
+            // Need to handle this differently — push data through
+            this.handleTLSConnection(tlsSocket, hostname, match);
+        });
+    }
+    handleTLSConnection(tlsSocket, hostname, match) {
+        let requestData = Buffer.alloc(0);
+        let headersParsed = false;
+        let contentLength = 0;
+        let headerEnd = -1;
+        tlsSocket.on('data', (chunk) => {
+            requestData = Buffer.concat([requestData, chunk]);
+            if (!headersParsed) {
+                headerEnd = requestData.indexOf('\r\n\r\n');
+                if (headerEnd === -1)
+                    return;
+                headersParsed = true;
+                const headersStr = requestData.subarray(0, headerEnd).toString();
+                const clMatch = headersStr.match(/content-length:\s*(\d+)/i);
+                contentLength = clMatch ? parseInt(clMatch[1], 10) : 0;
+            }
+            const bodyStart = headerEnd + 4;
+            const bodyReceived = requestData.length - bodyStart;
+            if (bodyReceived >= contentLength) {
+                tlsSocket.pause();
+                this.handleRequest(requestData, hostname, match, tlsSocket).catch((err) => {
+                    this.options.log('error', `Transparent handler error: ${err}`);
+                    try {
+                        tlsSocket.end();
+                    }
+                    catch { }
+                });
+            }
+        });
+        tlsSocket.on('error', (err) => {
+            this.options.log('error', `TLS error for ${hostname}: ${err.message}`);
+        });
+    }
+    async handleRequest(rawRequest, hostname, match, clientTLS) {
+        this.options.requestCounter.value++;
+        const reqId = this.options.requestCounter.value;
+        const startTime = Date.now();
+        // Parse HTTP request
+        const headerEnd = rawRequest.indexOf('\r\n\r\n');
+        const headersStr = rawRequest.subarray(0, headerEnd).toString();
+        const body = rawRequest.subarray(headerEnd + 4);
+        const [requestLine, ...headerLines] = headersStr.split('\r\n');
+        const [method, reqPath] = requestLine.split(' ');
+        const headers = {};
+        for (const line of headerLines) {
+            const colonIdx = line.indexOf(':');
+            if (colonIdx > 0) {
+                headers[line.substring(0, colonIdx).toLowerCase().trim()] = line.substring(colonIdx + 1).trim();
+            }
+        }
+        // Get real IP for this hostname (cached before DNS override)
+        const realIP = (0, dns_redirect_js_1.getRealIP)(hostname);
+        if (!realIP) {
+            this.options.log('error', `No real IP cached for ${hostname}`);
+            clientTLS.write('HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n');
+            clientTLS.end();
+            return;
+        }
+        // Optimization logic
+        const adapter = this.options.adapters.get(match.provider);
+        let forwardBody = body;
+        let model = 'unknown';
+        let originalTokens = 0;
+        let optimizedTokens = 0;
+        let savingsPercent = 0;
+        let passThrough = true;
+        if (adapter && body.length > 0) {
+            try {
+                const parsed = JSON.parse(body.toString());
+                model = parsed.model || 'unknown';
+                const canonical = adapter.parseRequest(parsed, headers);
+                originalTokens = (0, chunker_js_1.estimateTokens)(canonical.systemPrompt || '') +
+                    canonical.messages.reduce((sum, m) => sum + (0, chunker_js_1.estimateTokens)((0, canonical_js_1.getTextContent)(m)), 0);
+                if (this.options.optimizer && !this.options.paused) {
+                    try {
+                        const result = await this.options.optimizer.optimize(canonical);
+                        passThrough = result.passThrough;
+                        if (!result.passThrough) {
+                            canonical.messages = result.optimizedMessages;
+                            if (result.systemPrompt !== undefined)
+                                canonical.systemPrompt = result.systemPrompt;
+                            optimizedTokens = result.packed.optimizedTokens;
+                            savingsPercent = result.packed.savingsPercent;
+                            forwardBody = Buffer.from(JSON.stringify(adapter.serializeRequest(canonical)));
+                        }
+                        else {
+                            optimizedTokens = originalTokens;
+                        }
+                    }
+                    catch {
+                        optimizedTokens = originalTokens;
+                    }
+                }
+                else {
+                    optimizedTokens = originalTokens;
+                }
+            }
+            catch {
+                optimizedTokens = originalTokens;
+            }
+        }
+        const latency = Date.now() - startTime;
+        const savingsStr = passThrough ? 'pass' : `-${savingsPercent}%`;
+        this.options.log('info', `#${reqId} ${match.provider}/${model} ${originalTokens}→${optimizedTokens} ${savingsStr} ${latency}ms [transparent]`);
+        // Forward to real provider IP
+        const forwardHeaders = { ...headers };
+        forwardHeaders['host'] = hostname;
+        forwardHeaders['content-length'] = String(forwardBody.length);
+        const providerRes = await new Promise((resolve, reject) => {
+            const req = node_https_1.default.request({
+                hostname: realIP,
+                port: 443,
+                path: reqPath,
+                method,
+                headers: forwardHeaders,
+                servername: hostname, // SNI for the real server
+            }, resolve);
+            req.on('error', reject);
+            req.write(forwardBody);
+            req.end();
+        });
+        // Stream response back
+        const resHeaders = [`HTTP/1.1 ${providerRes.statusCode} ${providerRes.statusMessage}`];
+        for (const [key, val] of Object.entries(providerRes.headers)) {
+            if (val) {
+                const values = Array.isArray(val) ? val : [val];
+                for (const v of values)
+                    resHeaders.push(`${key}: ${v}`);
+            }
+        }
+        resHeaders.push('', '');
+        clientTLS.write(resHeaders.join('\r\n'));
+        await new Promise((resolve) => {
+            providerRes.on('data', (chunk) => clientTLS.write(chunk));
+            providerRes.on('end', () => { clientTLS.end(); resolve(); });
+            providerRes.on('error', () => { clientTLS.end(); resolve(); });
+        });
+        // Record metrics
+        this.options.metrics.record({
+            id: reqId,
+            timestamp: Date.now(),
+            provider: match.provider,
+            model,
+            streaming: headers['accept']?.includes('text/event-stream') || false,
+            originalTokens,
+            optimizedTokens,
+            savingsPercent,
+            latencyOverheadMs: latency,
+            chunksRetrieved: 0,
+            topScore: 0,
+            passThrough,
+        });
+    }
+}
+exports.TransparentListener = TransparentListener;
+/**
+ * Extract SNI hostname from TLS ClientHello.
+ * Returns null if not found.
+ */
+function extractSNI(data) {
+    try {
+        // TLS record: type=22 (handshake), version, length
+        if (data.length < 5 || data[0] !== 0x16)
+            return null;
+        // Handshake: type=1 (ClientHello)
+        let offset = 5;
+        if (data[offset] !== 0x01)
+            return null;
+        // Skip handshake length (3 bytes) + client version (2) + random (32)
+        offset += 4 + 2 + 32;
+        // Session ID
+        const sessionIdLen = data[offset];
+        offset += 1 + sessionIdLen;
+        // Cipher suites
+        const cipherLen = data.readUInt16BE(offset);
+        offset += 2 + cipherLen;
+        // Compression methods
+        const compLen = data[offset];
+        offset += 1 + compLen;
+        // Extensions
+        if (offset + 2 > data.length)
+            return null;
+        const extLen = data.readUInt16BE(offset);
+        offset += 2;
+        const extEnd = offset + extLen;
+        while (offset + 4 < extEnd && offset < data.length) {
+            const extType = data.readUInt16BE(offset);
+            const extDataLen = data.readUInt16BE(offset + 2);
+            offset += 4;
+            if (extType === 0x0000) { // SNI extension
+                // Skip SNI list length (2)
+                offset += 2;
+                const nameType = data[offset];
+                offset += 1;
+                if (nameType === 0x00) { // hostname
+                    const nameLen = data.readUInt16BE(offset);
+                    offset += 2;
+                    return data.subarray(offset, offset + nameLen).toString('ascii');
+                }
+            }
+            offset += extDataLen;
+        }
+    }
+    catch { }
+    return null;
+}
+//# sourceMappingURL=transparent-listener.js.map

package/dist/src/proxy/tunnel.d.ts

@@ -0,0 +1,7 @@
+import type { Socket } from 'node:net';
+/**
+ * Create a blind TCP tunnel between client and target.
+ * Zero overhead — no inspection, no buffering.
+ * Used for non-LLM HTTPS traffic.
+ */
+export declare function createTunnel(clientSocket: Socket, targetHost: string, targetPort: number): void;

package/dist/src/proxy/tunnel.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTunnel = createTunnel;
+const node_net_1 = __importDefault(require("node:net"));
+/**
+ * Create a blind TCP tunnel between client and target.
+ * Zero overhead — no inspection, no buffering.
+ * Used for non-LLM HTTPS traffic.
+ */
+function createTunnel(clientSocket, targetHost, targetPort) {
+    const targetSocket = node_net_1.default.connect(targetPort, targetHost, () => {
+        clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+        targetSocket.pipe(clientSocket);
+        clientSocket.pipe(targetSocket);
+    });
+    targetSocket.on('error', (err) => {
+        clientSocket.write(`HTTP/1.1 502 Bad Gateway\r\n\r\n`);
+        clientSocket.end();
+    });
+    clientSocket.on('error', () => {
+        targetSocket.destroy();
+    });
+    clientSocket.on('close', () => {
+        targetSocket.destroy();
+    });
+    targetSocket.on('close', () => {
+        clientSocket.destroy();
+    });
+}
+//# sourceMappingURL=tunnel.js.map

package/dist/src/system/dns-redirect.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Resolve and cache real IPs before overriding DNS.
+ * MUST be called before enableDNSRedirect.
+ */
+export declare function cacheRealIPs(): Promise<Map<string, string[]>>;
+/** Get cached real IP for a hostname */
+export declare function getRealIP(hostname: string): string | null;
+/** Get all original IP mappings */
+export declare function getAllRealIPs(): Map<string, string[]>;
+/**
+ * Add /etc/hosts entries pointing LLM hostnames to 127.0.0.1.
+ * Requires sudo.
+ * After this, all apps resolve LLM hosts to localhost → our proxy.
+ */
+export declare function enableDNSRedirect(): {
+    success: boolean;
+    message: string;
+    hosts: number;
+};
+/**
+ * Remove /etc/hosts entries.
+ */
+export declare function disableDNSRedirect(): {
+    success: boolean;
+    message: string;
+};
+/** Check if DNS redirect is active */
+export declare function isDNSRedirectActive(): boolean;