smartcontext-proxy 0.1.0 → 0.2.1

package/dist/src/system/pf-redirect.js

@@ -0,0 +1,177 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.enablePFRedirect = enablePFRedirect;
+exports.disablePFRedirect = disablePFRedirect;
+exports.isPFRedirectActive = isPFRedirectActive;
+exports.refreshPFRules = refreshPFRules;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_dns_1 = __importDefault(require("node:dns"));
+const node_path_1 = __importDefault(require("node:path"));
+const PF_ANCHOR = 'com.smartcontext';
+const PF_CONF_PATH = node_path_1.default.join(process.env['HOME'] || '.', '.smartcontext', 'pf-smartcontext.conf');
+/** Known LLM provider hostnames to intercept */
+const LLM_HOSTS = [
+    'api.anthropic.com',
+    'api.openai.com',
+    'generativelanguage.googleapis.com',
+    'openrouter.ai',
+    'api.together.xyz',
+    'api.fireworks.ai',
+    'api.mistral.ai',
+    'api.cohere.com',
+    'api.groq.com',
+    'api.deepseek.com',
+];
+/**
+ * Resolve hostnames to IPs for pf rules.
+ * pf works at IP level, not DNS.
+ */
+async function resolveHosts() {
+    const results = new Map();
+    for (const host of LLM_HOSTS) {
+        try {
+            const addrs = await new Promise((resolve, reject) => {
+                node_dns_1.default.resolve4(host, (err, addresses) => {
+                    if (err)
+                        reject(err);
+                    else
+                        resolve(addresses);
+                });
+            });
+            results.set(host, addrs);
+        }
+        catch {
+            // Host might not resolve — skip
+        }
+    }
+    return results;
+}
+/**
+ * Generate pf redirect rules.
+ * Redirects outgoing HTTPS (port 443) traffic to LLM provider IPs
+ * to our local proxy port.
+ */
+function generatePFConf(hostIPs, proxyPort) {
+    const lines = [
+        `# SmartContext Proxy — auto-generated pf rules`,
+        `# Redirects LLM API traffic to local proxy`,
+        ``,
+    ];
+    // Collect all IPs into a pf table
+    const allIPs = [];
+    for (const [host, ips] of hostIPs) {
+        lines.push(`# ${host}: ${ips.join(', ')}`);
+        allIPs.push(...ips);
+    }
+    if (allIPs.length === 0) {
+        lines.push('# No IPs resolved — no rules');
+        return lines.join('\n');
+    }
+    lines.push('');
+    lines.push(`table <llm_providers> { ${allIPs.join(', ')} }`);
+    lines.push('');
+    // Redirect outgoing HTTPS to LLM providers → local proxy
+    // rdr-to changes destination to localhost:proxyPort
+    lines.push(`rdr pass on lo0 proto tcp from any to <llm_providers> port 443 -> 127.0.0.1 port ${proxyPort}`);
+    lines.push('');
+    // Route the traffic through loopback so rdr applies
+    lines.push(`pass out on en0 route-to (lo0 127.0.0.1) proto tcp from any to <llm_providers> port 443`);
+    lines.push(`pass out on en1 route-to (lo0 127.0.0.1) proto tcp from any to <llm_providers> port 443`);
+    lines.push('');
+    return lines.join('\n');
+}
+/**
+ * Install pf redirect rules.
+ * Requires sudo.
+ */
+async function enablePFRedirect(proxyPort) {
+    try {
+        const hostIPs = await resolveHosts();
+        let totalIPs = 0;
+        for (const ips of hostIPs.values())
+            totalIPs += ips.length;
+        if (totalIPs === 0) {
+            return { success: false, message: 'No LLM provider IPs resolved', ips: 0 };
+        }
+        const conf = generatePFConf(hostIPs, proxyPort);
+        node_fs_1.default.mkdirSync(node_path_1.default.dirname(PF_CONF_PATH), { recursive: true });
+        node_fs_1.default.writeFileSync(PF_CONF_PATH, conf);
+        // Load anchor into pf
+        try {
+            (0, node_child_process_1.execFileSync)('sudo', ['pfctl', '-a', PF_ANCHOR, '-f', PF_CONF_PATH], { stdio: 'pipe' });
+        }
+        catch (err) {
+            return { success: false, message: `pfctl load failed: ${err}`, ips: totalIPs };
+        }
+        // Enable pf if not already enabled
+        try {
+            (0, node_child_process_1.execFileSync)('sudo', ['pfctl', '-e'], { stdio: 'pipe' });
+        }
+        catch {
+            // Already enabled — ok
+        }
+        return { success: true, message: `pf redirect active: ${totalIPs} IPs from ${hostIPs.size} hosts → :${proxyPort}`, ips: totalIPs };
+    }
+    catch (err) {
+        return { success: false, message: `Failed: ${err}`, ips: 0 };
+    }
+}
+/**
+ * Remove pf redirect rules.
+ */
+function disablePFRedirect() {
+    try {
+        // Flush anchor rules
+        try {
+            (0, node_child_process_1.execFileSync)('sudo', ['pfctl', '-a', PF_ANCHOR, '-F', 'all'], { stdio: 'pipe' });
+        }
+        catch { }
+        // Remove conf file
+        try {
+            node_fs_1.default.unlinkSync(PF_CONF_PATH);
+        }
+        catch { }
+        return { success: true, message: 'pf redirect removed' };
+    }
+    catch (err) {
+        return { success: false, message: `Failed: ${err}` };
+    }
+}
+/**
+ * Check if pf redirect is active.
+ */
+function isPFRedirectActive() {
+    try {
+        const result = (0, node_child_process_1.execFileSync)('sudo', ['pfctl', '-a', PF_ANCHOR, '-sr'], {
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        return result.includes('rdr') || result.includes('route-to');
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Refresh IP addresses (IPs can change due to DNS).
+ * Call periodically to keep rules current.
+ */
+async function refreshPFRules(proxyPort) {
+    const hostIPs = await resolveHosts();
+    let totalIPs = 0;
+    for (const ips of hostIPs.values())
+        totalIPs += ips.length;
+    if (totalIPs === 0)
+        return;
+    const conf = generatePFConf(hostIPs, proxyPort);
+    node_fs_1.default.writeFileSync(PF_CONF_PATH, conf);
+    try {
+        (0, node_child_process_1.execFileSync)('sudo', ['pfctl', '-a', PF_ANCHOR, '-f', PF_CONF_PATH], { stdio: 'pipe' });
+    }
+    catch { }
+}
+//# sourceMappingURL=pf-redirect.js.map

package/dist/src/system/watchdog.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Start watchdog that monitors proxy health.
+ * If proxy becomes unreachable, auto-removes system proxy config
+ * to prevent breaking the user's internet.
+ */
+export declare function startWatchdog(proxyPort: number): void;
+export declare function stopWatchdog(): void;

package/dist/src/system/watchdog.js

@@ -0,0 +1,115 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startWatchdog = startWatchdog;
+exports.stopWatchdog = stopWatchdog;
+const node_http_1 = __importDefault(require("node:http"));
+const macos = __importStar(require("./macos.js"));
+const linux = __importStar(require("./linux.js"));
+const CHECK_INTERVAL = 10_000; // 10 seconds
+let watchdogTimer = null;
+let port = 4800;
+/**
+ * Start watchdog that monitors proxy health.
+ * If proxy becomes unreachable, auto-removes system proxy config
+ * to prevent breaking the user's internet.
+ */
+function startWatchdog(proxyPort) {
+    port = proxyPort;
+    watchdogTimer = setInterval(() => {
+        checkHealth().catch(() => {
+            console.log('[watchdog] Proxy unreachable — clearing system proxy');
+            emergencyClearProxy();
+            stopWatchdog();
+        });
+    }, CHECK_INTERVAL);
+    // Also clear proxy on process exit
+    process.on('exit', emergencyClearProxy);
+    process.on('uncaughtException', (err) => {
+        console.error('[watchdog] Uncaught exception:', err);
+        emergencyClearProxy();
+        process.exit(1);
+    });
+    process.on('unhandledRejection', (err) => {
+        console.error('[watchdog] Unhandled rejection:', err);
+    });
+}
+function stopWatchdog() {
+    if (watchdogTimer) {
+        clearInterval(watchdogTimer);
+        watchdogTimer = null;
+    }
+}
+function checkHealth() {
+    return new Promise((resolve, reject) => {
+        const req = node_http_1.default.get(`http://127.0.0.1:${port}/health`, { timeout: 5000 }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => (data += chunk));
+            res.on('end', () => {
+                try {
+                    const parsed = JSON.parse(data);
+                    if (parsed.ok)
+                        resolve();
+                    else
+                        reject(new Error('Health check failed'));
+                }
+                catch {
+                    reject(new Error('Invalid health response'));
+                }
+            });
+        });
+        req.on('error', reject);
+        req.on('timeout', () => {
+            req.destroy();
+            reject(new Error('Health check timeout'));
+        });
+    });
+}
+function emergencyClearProxy() {
+    try {
+        if (process.platform === 'darwin') {
+            macos.clearAutoproxyURL();
+            macos.clearSystemProxy();
+        }
+        else {
+            linux.clearSystemProxy();
+        }
+    }
+    catch { }
+}
+//# sourceMappingURL=watchdog.js.map

package/dist/src/test/connect-proxy.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/test/connect-proxy.test.js

@@ -0,0 +1,147 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = require("node:test");
+const node_assert_1 = __importDefault(require("node:assert"));
+const node_http_1 = __importDefault(require("node:http"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const connect_proxy_js_1 = require("../proxy/connect-proxy.js");
+const auto_detect_js_1 = require("../config/auto-detect.js");
+const ca_manager_js_1 = require("../tls/ca-manager.js");
+const classifier_js_1 = require("../proxy/classifier.js");
+function httpRequest(url, options) {
+    return new Promise((resolve, reject) => {
+        const req = node_http_1.default.request(url, options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => (data += chunk));
+            res.on('end', () => resolve({ status: res.statusCode || 0, body: data }));
+        });
+        req.on('error', reject);
+        req.end();
+    });
+}
+(0, node_test_1.describe)('Traffic Classifier', () => {
+    (0, node_test_1.it)('identifies Anthropic as LLM', () => {
+        const match = (0, classifier_js_1.classifyHost)('api.anthropic.com', 443);
+        node_assert_1.default.ok(match);
+        node_assert_1.default.strictEqual(match.provider, 'anthropic');
+    });
+    (0, node_test_1.it)('identifies OpenAI as LLM', () => {
+        const match = (0, classifier_js_1.classifyHost)('api.openai.com', 443);
+        node_assert_1.default.ok(match);
+        node_assert_1.default.strictEqual(match.provider, 'openai');
+    });
+    (0, node_test_1.it)('identifies Ollama local as LLM', () => {
+        const match = (0, classifier_js_1.classifyHost)('localhost', 11434);
+        node_assert_1.default.ok(match);
+        node_assert_1.default.strictEqual(match.provider, 'ollama');
+    });
+    (0, node_test_1.it)('returns null for non-LLM hosts', () => {
+        node_assert_1.default.strictEqual((0, classifier_js_1.classifyHost)('google.com', 443), null);
+        node_assert_1.default.strictEqual((0, classifier_js_1.classifyHost)('github.com', 443), null);
+        node_assert_1.default.strictEqual((0, classifier_js_1.classifyHost)('localhost', 3000), null);
+    });
+    (0, node_test_1.it)('identifies all known providers', () => {
+        const providers = [
+            ['api.anthropic.com', 'anthropic'],
+            ['api.openai.com', 'openai'],
+            ['generativelanguage.googleapis.com', 'google'],
+            ['openrouter.ai', 'openrouter'],
+            ['api.groq.com', 'groq'],
+            ['api.deepseek.com', 'deepseek'],
+        ];
+        for (const [host, expected] of providers) {
+            const match = (0, classifier_js_1.classifyHost)(host, 443);
+            node_assert_1.default.ok(match, `Should match ${host}`);
+            node_assert_1.default.strictEqual(match.provider, expected);
+        }
+    });
+});
+(0, node_test_1.describe)('CA Manager', () => {
+    (0, node_test_1.it)('generates CA cert on first call', () => {
+        const result = (0, ca_manager_js_1.ensureCA)();
+        node_assert_1.default.ok(result.cert.includes('BEGIN CERTIFICATE'));
+        node_assert_1.default.ok(result.key.includes('BEGIN RSA PRIVATE KEY'));
+    });
+    (0, node_test_1.it)('returns same cert on subsequent calls', () => {
+        const a = (0, ca_manager_js_1.ensureCA)();
+        const b = (0, ca_manager_js_1.ensureCA)();
+        node_assert_1.default.strictEqual(a.cert, b.cert);
+    });
+    (0, node_test_1.it)('CA cert file exists on disk', () => {
+        node_assert_1.default.ok(node_fs_1.default.existsSync((0, ca_manager_js_1.getCACertPath)()));
+    });
+});
+(0, node_test_1.describe)('CONNECT Proxy', () => {
+    let proxy;
+    const PROXY_PORT = 14820;
+    (0, node_test_1.before)(async () => {
+        (0, ca_manager_js_1.ensureCA)();
+        const config = (0, auto_detect_js_1.buildConfig)({ proxy: { port: PROXY_PORT, host: '127.0.0.1' } });
+        config.logging.level = 'error';
+        proxy = new connect_proxy_js_1.ConnectProxy(config);
+        await proxy.start();
+    });
+    (0, node_test_1.after)(async () => {
+        await proxy.stop();
+    });
+    (0, node_test_1.it)('serves dashboard at root', async () => {
+        const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/`, { method: 'GET' });
+        node_assert_1.default.strictEqual(res.status, 200);
+        node_assert_1.default.ok(res.body.includes('SmartContext'));
+    });
+    (0, node_test_1.it)('serves health endpoint', async () => {
+        const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/health`, { method: 'GET' });
+        node_assert_1.default.strictEqual(res.status, 200);
+        const data = JSON.parse(res.body);
+        node_assert_1.default.strictEqual(data.ok, true);
+        node_assert_1.default.strictEqual(data.type, 'connect-proxy');
+    });
+    (0, node_test_1.it)('serves PAC file', async () => {
+        const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/proxy.pac`, { method: 'GET' });
+        node_assert_1.default.strictEqual(res.status, 200);
+        node_assert_1.default.ok(res.body.includes('FindProxyForURL'));
+        node_assert_1.default.ok(res.body.includes('api.anthropic.com'));
+        node_assert_1.default.ok(res.body.includes('api.openai.com'));
+    });
+    (0, node_test_1.it)('API endpoints work', async () => {
+        const status = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/_sc/status`, { method: 'GET' });
+        node_assert_1.default.strictEqual(JSON.parse(status.body).state, 'running');
+        const stats = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/_sc/stats`, { method: 'GET' });
+        node_assert_1.default.strictEqual(JSON.parse(stats.body).totalRequests, 0);
+    });
+    (0, node_test_1.it)('handles CONNECT to non-LLM host (tunnel)', async () => {
+        // Create a simple target server
+        const targetServer = node_http_1.default.createServer((req, res) => {
+            res.writeHead(200);
+            res.end('target-ok');
+        });
+        await new Promise((r) => targetServer.listen(14821, '127.0.0.1', r));
+        // Send CONNECT through proxy
+        const tunnelOk = await new Promise((resolve) => {
+            const req = node_http_1.default.request({
+                host: '127.0.0.1',
+                port: PROXY_PORT,
+                method: 'CONNECT',
+                path: '127.0.0.1:14821',
+            });
+            req.on('connect', (res, socket) => {
+                // Send HTTP request through tunnel
+                socket.write('GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n');
+                let data = '';
+                socket.on('data', (chunk) => { data += chunk; });
+                socket.on('end', () => {
+                    socket.destroy();
+                    resolve(data.includes('target-ok'));
+                });
+            });
+            req.on('error', () => resolve(false));
+            req.end();
+        });
+        targetServer.close();
+        node_assert_1.default.ok(tunnelOk, 'Should tunnel non-LLM traffic');
+    });
+});
+//# sourceMappingURL=connect-proxy.test.js.map

package/dist/src/test/dashboard.test.js

@@ -40,6 +40,7 @@ function httpRequest(url, options, body) {
         node_assert_1.default.ok(res.headers['content-type']?.includes('text/html'));
         node_assert_1.default.ok(res.body.includes('SmartContext Proxy'));
         node_assert_1.default.ok(res.body.includes('Total Requests'));
+        node_assert_1.default.ok(res.body.includes('Settings'));
     });
     (0, node_test_1.it)('returns status via /_sc/status', async () => {
         const res = await httpRequest(`http://127.0.0.1:${PORT}/_sc/status`, { method: 'GET' });

package/dist/src/tls/ca-manager.d.ts

@@ -0,0 +1,9 @@
+export interface CertPair {
+    cert: string;
+    key: string;
+}
+/** Ensure root CA exists, generate if not */
+export declare function ensureCA(): CertPair;
+/** Generate a TLS certificate for a specific hostname, signed by our CA */
+export declare function getCertForHost(hostname: string): CertPair;
+export declare function getCACertPath(): string;

package/dist/src/tls/ca-manager.js

@@ -0,0 +1,117 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureCA = ensureCA;
+exports.getCertForHost = getCertForHost;
+exports.getCACertPath = getCACertPath;
+const node_forge_1 = __importDefault(require("node-forge"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const CA_DIR = node_path_1.default.join(process.env['HOME'] || '.', '.smartcontext', 'ca');
+const HOSTS_DIR = node_path_1.default.join(CA_DIR, 'hosts');
+const CA_CERT_PATH = node_path_1.default.join(CA_DIR, 'smartcontext-ca.crt');
+const CA_KEY_PATH = node_path_1.default.join(CA_DIR, 'smartcontext-ca.key');
+let cachedCA = null;
+const hostCertCache = new Map();
+/** Ensure root CA exists, generate if not */
+function ensureCA() {
+    node_fs_1.default.mkdirSync(CA_DIR, { recursive: true });
+    node_fs_1.default.mkdirSync(HOSTS_DIR, { recursive: true });
+    if (node_fs_1.default.existsSync(CA_CERT_PATH) && node_fs_1.default.existsSync(CA_KEY_PATH)) {
+        const cert = node_fs_1.default.readFileSync(CA_CERT_PATH, 'utf-8');
+        const key = node_fs_1.default.readFileSync(CA_KEY_PATH, 'utf-8');
+        cachedCA = {
+            cert: node_forge_1.default.pki.certificateFromPem(cert),
+            key: node_forge_1.default.pki.privateKeyFromPem(key),
+        };
+        return { cert, key };
+    }
+    // Generate new root CA
+    const keys = node_forge_1.default.pki.rsa.generateKeyPair(2048);
+    const cert = node_forge_1.default.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = generateSerial();
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date();
+    cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 10);
+    const attrs = [
+        { name: 'commonName', value: 'SmartContext Proxy CA' },
+        { name: 'organizationName', value: 'SmartContext' },
+    ];
+    cert.setSubject(attrs);
+    cert.setIssuer(attrs);
+    cert.setExtensions([
+        { name: 'basicConstraints', cA: true, critical: true },
+        { name: 'keyUsage', keyCertSign: true, cRLSign: true, critical: true },
+        { name: 'subjectKeyIdentifier' },
+    ]);
+    cert.sign(keys.privateKey, node_forge_1.default.md.sha256.create());
+    const certPem = node_forge_1.default.pki.certificateToPem(cert);
+    const keyPem = node_forge_1.default.pki.privateKeyToPem(keys.privateKey);
+    node_fs_1.default.writeFileSync(CA_CERT_PATH, certPem);
+    node_fs_1.default.writeFileSync(CA_KEY_PATH, keyPem, { mode: 0o600 });
+    cachedCA = { cert, key: keys.privateKey };
+    return { cert: certPem, key: keyPem };
+}
+/** Generate a TLS certificate for a specific hostname, signed by our CA */
+function getCertForHost(hostname) {
+    // Check memory cache
+    const cached = hostCertCache.get(hostname);
+    if (cached)
+        return cached;
+    // Check disk cache
+    const certPath = node_path_1.default.join(HOSTS_DIR, `${hostname}.crt`);
+    const keyPath = node_path_1.default.join(HOSTS_DIR, `${hostname}.key`);
+    if (node_fs_1.default.existsSync(certPath) && node_fs_1.default.existsSync(keyPath)) {
+        const pair = {
+            cert: node_fs_1.default.readFileSync(certPath, 'utf-8'),
+            key: node_fs_1.default.readFileSync(keyPath, 'utf-8'),
+        };
+        hostCertCache.set(hostname, pair);
+        return pair;
+    }
+    // Generate new cert
+    if (!cachedCA)
+        ensureCA();
+    const keys = node_forge_1.default.pki.rsa.generateKeyPair(2048);
+    const cert = node_forge_1.default.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = generateSerial();
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date();
+    cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 1);
+    cert.setSubject([{ name: 'commonName', value: hostname }]);
+    cert.setIssuer(cachedCA.cert.subject.attributes);
+    cert.setExtensions([
+        { name: 'basicConstraints', cA: false },
+        { name: 'keyUsage', digitalSignature: true, keyEncipherment: true },
+        { name: 'extKeyUsage', serverAuth: true },
+        {
+            name: 'subjectAltName',
+            altNames: [
+                { type: 2, value: hostname }, // DNS
+                ...(isIP(hostname) ? [{ type: 7, ip: hostname }] : []),
+            ],
+        },
+    ]);
+    cert.sign(cachedCA.key, node_forge_1.default.md.sha256.create());
+    const certPem = node_forge_1.default.pki.certificateToPem(cert);
+    const keyPem = node_forge_1.default.pki.privateKeyToPem(keys.privateKey);
+    node_fs_1.default.writeFileSync(certPath, certPem);
+    node_fs_1.default.writeFileSync(keyPath, keyPem, { mode: 0o600 });
+    const pair = { cert: certPem, key: keyPem };
+    hostCertCache.set(hostname, pair);
+    return pair;
+}
+function getCACertPath() {
+    return CA_CERT_PATH;
+}
+function generateSerial() {
+    return Date.now().toString(16) + Math.random().toString(16).slice(2, 10);
+}
+function isIP(str) {
+    return /^\d{1,3}(\.\d{1,3}){3}$/.test(str) || str.includes(':');
+}
+//# sourceMappingURL=ca-manager.js.map

package/dist/src/tls/trust-store.d.ts

@@ -0,0 +1,11 @@
+export interface TrustStoreResult {
+    success: boolean;
+    message: string;
+    requiresSudo: boolean;
+}
+/** Install CA cert into system trust store */
+export declare function installCA(): TrustStoreResult;
+/** Remove CA cert from system trust store */
+export declare function uninstallCA(): TrustStoreResult;
+/** Check if CA is installed in trust store */
+export declare function isCAInstalled(): boolean;