smartcontext-proxy 0.1.0 → 0.2.1

package/src/proxy/transparent-listener.ts

@@ -0,0 +1,328 @@
+import tls from 'node:tls';
+import net from 'node:net';
+import http from 'node:http';
+import https from 'node:https';
+import { getCertForHost } from '../tls/ca-manager.js';
+import { classifyHost } from './classifier.js';
+import { getRealIP } from '../system/dns-redirect.js';
+import type { ProviderAdapter } from '../providers/types.js';
+import type { SmartContextConfig } from '../config/schema.js';
+import { ContextOptimizer } from '../context/optimizer.js';
+import { MetricsCollector } from '../metrics/collector.js';
+import { estimateTokens } from '../context/chunker.js';
+import { getTextContent } from '../context/canonical.js';
+
+export interface TransparentOptions {
+  config: SmartContextConfig;
+  optimizer: ContextOptimizer | null;
+  metrics: MetricsCollector;
+  adapters: Map<string, ProviderAdapter>;
+  paused: boolean;
+  requestCounter: { value: number };
+  log: (level: string, message: string) => void;
+}
+
+/**
+ * Transparent TLS listener on port 443.
+ * When DNS redirects LLM traffic to 127.0.0.1, clients connect directly
+ * via TLS (no CONNECT). This server terminates TLS using SNI to pick
+ * the right cert, then handles the request.
+ */
+export class TransparentListener {
+  private server: net.Server;
+  private options: TransparentOptions;
+
+  constructor(options: TransparentOptions) {
+    this.options = options;
+
+    // Raw TCP server — we need SNI from ClientHello before creating TLS context
+    this.server = net.createServer((socket) => this.handleConnection(socket));
+  }
+
+  async start(port: number = 443, host: string = '127.0.0.1'): Promise<void> {
+    return new Promise((resolve, reject) => {
+      this.server.on('error', (err: NodeJS.ErrnoException) => {
+        if (err.code === 'EACCES') {
+          this.options.log('error', `Port ${port} requires root. Transparent listener disabled.`);
+          resolve(); // Non-fatal
+        } else {
+          reject(err);
+        }
+      });
+      this.server.listen(port, host, () => {
+        this.options.log('info', `Transparent TLS listener on ${host}:${port}`);
+        resolve();
+      });
+    });
+  }
+
+  async stop(): Promise<void> {
+    return new Promise((resolve) => {
+      this.server.close(() => resolve());
+    });
+  }
+
+  private handleConnection(socket: net.Socket): void {
+    // Peek at first bytes to extract SNI from TLS ClientHello
+    socket.once('data', (data) => {
+      const hostname = extractSNI(data);
+      if (!hostname) {
+        socket.destroy();
+        return;
+      }
+
+      const match = classifyHost(hostname, 443);
+      if (!match) {
+        // Not an LLM host — shouldn't happen with DNS redirect, but just in case
+        socket.destroy();
+        return;
+      }
+
+      this.options.log('info', `TRANSPARENT ${hostname} (${match.provider})`);
+
+      const { cert, key } = getCertForHost(hostname);
+
+      const tlsSocket = new tls.TLSSocket(socket, {
+        isServer: true,
+        cert,
+        key,
+      });
+
+      // Unshift the peeked data back
+      tlsSocket.unshift(data);
+      // Actually we already consumed data from socket, TLSSocket wraps socket
+      // Need to handle this differently — push data through
+
+      this.handleTLSConnection(tlsSocket, hostname, match);
+    });
+  }
+
+  private handleTLSConnection(
+    tlsSocket: tls.TLSSocket,
+    hostname: string,
+    match: ReturnType<typeof classifyHost> & {},
+  ): void {
+    let requestData = Buffer.alloc(0);
+    let headersParsed = false;
+    let contentLength = 0;
+    let headerEnd = -1;
+
+    tlsSocket.on('data', (chunk: Buffer) => {
+      requestData = Buffer.concat([requestData, chunk]);
+
+      if (!headersParsed) {
+        headerEnd = requestData.indexOf('\r\n\r\n');
+        if (headerEnd === -1) return;
+        headersParsed = true;
+        const headersStr = requestData.subarray(0, headerEnd).toString();
+        const clMatch = headersStr.match(/content-length:\s*(\d+)/i);
+        contentLength = clMatch ? parseInt(clMatch[1], 10) : 0;
+      }
+
+      const bodyStart = headerEnd + 4;
+      const bodyReceived = requestData.length - bodyStart;
+
+      if (bodyReceived >= contentLength) {
+        tlsSocket.pause();
+        this.handleRequest(requestData, hostname, match, tlsSocket).catch((err) => {
+          this.options.log('error', `Transparent handler error: ${err}`);
+          try { tlsSocket.end(); } catch {}
+        });
+      }
+    });
+
+    tlsSocket.on('error', (err) => {
+      this.options.log('error', `TLS error for ${hostname}: ${err.message}`);
+    });
+  }
+
+  private async handleRequest(
+    rawRequest: Buffer,
+    hostname: string,
+    match: { provider: string },
+    clientTLS: tls.TLSSocket,
+  ): Promise<void> {
+    this.options.requestCounter.value++;
+    const reqId = this.options.requestCounter.value;
+    const startTime = Date.now();
+
+    // Parse HTTP request
+    const headerEnd = rawRequest.indexOf('\r\n\r\n');
+    const headersStr = rawRequest.subarray(0, headerEnd).toString();
+    const body = rawRequest.subarray(headerEnd + 4);
+
+    const [requestLine, ...headerLines] = headersStr.split('\r\n');
+    const [method, reqPath] = requestLine.split(' ');
+
+    const headers: Record<string, string> = {};
+    for (const line of headerLines) {
+      const colonIdx = line.indexOf(':');
+      if (colonIdx > 0) {
+        headers[line.substring(0, colonIdx).toLowerCase().trim()] = line.substring(colonIdx + 1).trim();
+      }
+    }
+
+    // Get real IP for this hostname (cached before DNS override)
+    const realIP = getRealIP(hostname);
+    if (!realIP) {
+      this.options.log('error', `No real IP cached for ${hostname}`);
+      clientTLS.write('HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n');
+      clientTLS.end();
+      return;
+    }
+
+    // Optimization logic
+    const adapter = this.options.adapters.get(match.provider);
+    let forwardBody = body;
+    let model = 'unknown';
+    let originalTokens = 0;
+    let optimizedTokens = 0;
+    let savingsPercent = 0;
+    let passThrough = true;
+
+    if (adapter && body.length > 0) {
+      try {
+        const parsed = JSON.parse(body.toString());
+        model = parsed.model || 'unknown';
+        const canonical = adapter.parseRequest(parsed, headers);
+        originalTokens = estimateTokens(canonical.systemPrompt || '') +
+          canonical.messages.reduce((sum, m) => sum + estimateTokens(getTextContent(m)), 0);
+
+        if (this.options.optimizer && !this.options.paused) {
+          try {
+            const result = await this.options.optimizer.optimize(canonical);
+            passThrough = result.passThrough;
+            if (!result.passThrough) {
+              canonical.messages = result.optimizedMessages;
+              if (result.systemPrompt !== undefined) canonical.systemPrompt = result.systemPrompt;
+              optimizedTokens = result.packed.optimizedTokens;
+              savingsPercent = result.packed.savingsPercent;
+              forwardBody = Buffer.from(JSON.stringify(adapter.serializeRequest(canonical)));
+            } else {
+              optimizedTokens = originalTokens;
+            }
+          } catch {
+            optimizedTokens = originalTokens;
+          }
+        } else {
+          optimizedTokens = originalTokens;
+        }
+      } catch {
+        optimizedTokens = originalTokens;
+      }
+    }
+
+    const latency = Date.now() - startTime;
+    const savingsStr = passThrough ? 'pass' : `-${savingsPercent}%`;
+    this.options.log('info', `#${reqId} ${match.provider}/${model} ${originalTokens}→${optimizedTokens} ${savingsStr} ${latency}ms [transparent]`);
+
+    // Forward to real provider IP
+    const forwardHeaders = { ...headers };
+    forwardHeaders['host'] = hostname;
+    forwardHeaders['content-length'] = String(forwardBody.length);
+
+    const providerRes = await new Promise<http.IncomingMessage>((resolve, reject) => {
+      const req = https.request({
+        hostname: realIP,
+        port: 443,
+        path: reqPath,
+        method,
+        headers: forwardHeaders,
+        servername: hostname, // SNI for the real server
+      }, resolve);
+      req.on('error', reject);
+      req.write(forwardBody);
+      req.end();
+    });
+
+    // Stream response back
+    const resHeaders = [`HTTP/1.1 ${providerRes.statusCode} ${providerRes.statusMessage}`];
+    for (const [key, val] of Object.entries(providerRes.headers)) {
+      if (val) {
+        const values = Array.isArray(val) ? val : [val];
+        for (const v of values) resHeaders.push(`${key}: ${v}`);
+      }
+    }
+    resHeaders.push('', '');
+    clientTLS.write(resHeaders.join('\r\n'));
+
+    await new Promise<void>((resolve) => {
+      providerRes.on('data', (chunk) => clientTLS.write(chunk));
+      providerRes.on('end', () => { clientTLS.end(); resolve(); });
+      providerRes.on('error', () => { clientTLS.end(); resolve(); });
+    });
+
+    // Record metrics
+    this.options.metrics.record({
+      id: reqId,
+      timestamp: Date.now(),
+      provider: match.provider,
+      model,
+      streaming: headers['accept']?.includes('text/event-stream') || false,
+      originalTokens,
+      optimizedTokens,
+      savingsPercent,
+      latencyOverheadMs: latency,
+      chunksRetrieved: 0,
+      topScore: 0,
+      passThrough,
+    });
+  }
+}
+
+/**
+ * Extract SNI hostname from TLS ClientHello.
+ * Returns null if not found.
+ */
+function extractSNI(data: Buffer): string | null {
+  try {
+    // TLS record: type=22 (handshake), version, length
+    if (data.length < 5 || data[0] !== 0x16) return null;
+
+    // Handshake: type=1 (ClientHello)
+    let offset = 5;
+    if (data[offset] !== 0x01) return null;
+
+    // Skip handshake length (3 bytes) + client version (2) + random (32)
+    offset += 4 + 2 + 32;
+
+    // Session ID
+    const sessionIdLen = data[offset];
+    offset += 1 + sessionIdLen;
+
+    // Cipher suites
+    const cipherLen = data.readUInt16BE(offset);
+    offset += 2 + cipherLen;
+
+    // Compression methods
+    const compLen = data[offset];
+    offset += 1 + compLen;
+
+    // Extensions
+    if (offset + 2 > data.length) return null;
+    const extLen = data.readUInt16BE(offset);
+    offset += 2;
+
+    const extEnd = offset + extLen;
+    while (offset + 4 < extEnd && offset < data.length) {
+      const extType = data.readUInt16BE(offset);
+      const extDataLen = data.readUInt16BE(offset + 2);
+      offset += 4;
+
+      if (extType === 0x0000) { // SNI extension
+        // Skip SNI list length (2)
+        offset += 2;
+        const nameType = data[offset];
+        offset += 1;
+        if (nameType === 0x00) { // hostname
+          const nameLen = data.readUInt16BE(offset);
+          offset += 2;
+          return data.subarray(offset, offset + nameLen).toString('ascii');
+        }
+      }
+
+      offset += extDataLen;
+    }
+  } catch {}
+  return null;
+}

package/src/proxy/tunnel.ts

@@ -0,0 +1,32 @@
+import net from 'node:net';
+import type { Socket } from 'node:net';
+
+/**
+ * Create a blind TCP tunnel between client and target.
+ * Zero overhead — no inspection, no buffering.
+ * Used for non-LLM HTTPS traffic.
+ */
+export function createTunnel(clientSocket: Socket, targetHost: string, targetPort: number): void {
+  const targetSocket = net.connect(targetPort, targetHost, () => {
+    clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+    targetSocket.pipe(clientSocket);
+    clientSocket.pipe(targetSocket);
+  });
+
+  targetSocket.on('error', (err) => {
+    clientSocket.write(`HTTP/1.1 502 Bad Gateway\r\n\r\n`);
+    clientSocket.end();
+  });
+
+  clientSocket.on('error', () => {
+    targetSocket.destroy();
+  });
+
+  clientSocket.on('close', () => {
+    targetSocket.destroy();
+  });
+
+  targetSocket.on('close', () => {
+    clientSocket.destroy();
+  });
+}

package/src/system/dns-redirect.ts

@@ -0,0 +1,144 @@
+import fs from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import dns from 'node:dns';
+
+const HOSTS_FILE = '/etc/hosts';
+const MARKER_START = '# SmartContext Proxy — START (auto-generated, do not edit)';
+const MARKER_END = '# SmartContext Proxy — END';
+
+/** LLM provider hostnames to redirect */
+const LLM_HOSTS = [
+  'api.anthropic.com',
+  'api.openai.com',
+  'generativelanguage.googleapis.com',
+  'openrouter.ai',
+  'api.together.xyz',
+  'api.fireworks.ai',
+  'api.mistral.ai',
+  'api.cohere.com',
+  'api.groq.com',
+  'api.deepseek.com',
+];
+
+/** Original IP mappings — needed to forward traffic to real providers */
+const originalIPs = new Map<string, string[]>();
+
+/**
+ * Resolve and cache real IPs before overriding DNS.
+ * MUST be called before enableDNSRedirect.
+ */
+export async function cacheRealIPs(): Promise<Map<string, string[]>> {
+  for (const host of LLM_HOSTS) {
+    try {
+      const addrs = await new Promise<string[]>((resolve, reject) => {
+        dns.resolve4(host, (err, addresses) => {
+          if (err) reject(err);
+          else resolve(addresses);
+        });
+      });
+      originalIPs.set(host, addrs);
+    } catch {}
+  }
+  return originalIPs;
+}
+
+/** Get cached real IP for a hostname */
+export function getRealIP(hostname: string): string | null {
+  const ips = originalIPs.get(hostname);
+  return ips?.[0] || null;
+}
+
+/** Get all original IP mappings */
+export function getAllRealIPs(): Map<string, string[]> {
+  return originalIPs;
+}
+
+/**
+ * Add /etc/hosts entries pointing LLM hostnames to 127.0.0.1.
+ * Requires sudo.
+ * After this, all apps resolve LLM hosts to localhost → our proxy.
+ */
+export function enableDNSRedirect(): { success: boolean; message: string; hosts: number } {
+  try {
+    const current = fs.readFileSync(HOSTS_FILE, 'utf-8');
+
+    // Don't add if already present
+    if (current.includes(MARKER_START)) {
+      return { success: true, message: 'DNS redirect already active', hosts: LLM_HOSTS.length };
+    }
+
+    const block = [
+      '',
+      MARKER_START,
+      ...LLM_HOSTS.map((h) => `127.0.0.1  ${h}`),
+      MARKER_END,
+      '',
+    ].join('\n');
+
+    const newContent = current + block;
+
+    // Write via sudo tee
+    execFileSync('sudo', ['tee', HOSTS_FILE], {
+      input: newContent,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    // Flush DNS cache
+    flushDNS();
+
+    return { success: true, message: `DNS redirect active: ${LLM_HOSTS.length} hosts → 127.0.0.1`, hosts: LLM_HOSTS.length };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}`, hosts: 0 };
+  }
+}
+
+/**
+ * Remove /etc/hosts entries.
+ */
+export function disableDNSRedirect(): { success: boolean; message: string } {
+  try {
+    const current = fs.readFileSync(HOSTS_FILE, 'utf-8');
+
+    if (!current.includes(MARKER_START)) {
+      return { success: true, message: 'DNS redirect not active' };
+    }
+
+    // Remove our block
+    const regex = new RegExp(`\\n?${escapeRegex(MARKER_START)}[\\s\\S]*?${escapeRegex(MARKER_END)}\\n?`, 'g');
+    const cleaned = current.replace(regex, '\n');
+
+    execFileSync('sudo', ['tee', HOSTS_FILE], {
+      input: cleaned,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    flushDNS();
+
+    return { success: true, message: 'DNS redirect removed' };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Check if DNS redirect is active */
+export function isDNSRedirectActive(): boolean {
+  try {
+    const content = fs.readFileSync(HOSTS_FILE, 'utf-8');
+    return content.includes(MARKER_START);
+  } catch {
+    return false;
+  }
+}
+
+function flushDNS(): void {
+  try {
+    if (process.platform === 'darwin') {
+      execFileSync('dscacheutil', ['-flushcache'], { stdio: 'pipe' });
+      execFileSync('sudo', ['killall', '-HUP', 'mDNSResponder'], { stdio: 'pipe' });
+    }
+  } catch {}
+}
+
+function escapeRegex(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/src/system/installer.ts

@@ -0,0 +1,148 @@
+import { ensureCA, getCACertPath } from '../tls/ca-manager.js';
+import { installCA, uninstallCA, isCAInstalled } from '../tls/trust-store.js';
+import { installService, uninstallService } from '../daemon/service.js';
+import * as macos from './macos.js';
+import * as linux from './linux.js';
+
+const platform = process.platform === 'darwin' ? macos : linux;
+
+export interface InstallResult {
+  success: boolean;
+  steps: Array<{ step: string; success: boolean; message: string }>;
+}
+
+/**
+ * Full installation:
+ * 1. Generate CA cert
+ * 2. Install CA in trust store
+ * 3. Configure system proxy
+ * 4. Install system service
+ */
+export function install(port: number): InstallResult {
+  const steps: InstallResult['steps'] = [];
+  let allOk = true;
+
+  // Step 1: Generate CA
+  try {
+    ensureCA();
+    steps.push({ step: 'Generate CA certificate', success: true, message: `CA cert at ${getCACertPath()}` });
+  } catch (err) {
+    steps.push({ step: 'Generate CA certificate', success: false, message: String(err) });
+    allOk = false;
+  }
+
+  // Step 2: Install CA in trust store
+  if (allOk) {
+    const result = installCA();
+    steps.push({ step: 'Install CA in trust store', success: result.success, message: result.message });
+    if (!result.success) allOk = false;
+  }
+
+  // Step 3: Configure system proxy (PAC URL for selective proxying)
+  if (allOk) {
+    if (process.platform === 'darwin') {
+      const result = macos.setAutoproxyURL(`http://127.0.0.1:${port}/proxy.pac`);
+      steps.push({ step: 'Configure system proxy (PAC)', success: result.success, message: result.message });
+      if (!result.success) allOk = false;
+    } else {
+      const result = platform.setSystemProxy('127.0.0.1', port);
+      steps.push({ step: 'Configure system proxy', success: result.success, message: result.message });
+      if (!result.success) allOk = false;
+    }
+  }
+
+  // Step 4: Install system service
+  if (allOk) {
+    try {
+      const servicePath = installService(port);
+      steps.push({ step: 'Install system service', success: true, message: `Service at ${servicePath}` });
+    } catch (err) {
+      steps.push({ step: 'Install system service', success: false, message: String(err) });
+      // Non-fatal: proxy can still run manually
+    }
+  }
+
+  // Rollback on failure
+  if (!allOk) {
+    rollback(steps);
+  }
+
+  return { success: allOk, steps };
+}
+
+/**
+ * Full uninstallation:
+ * 1. Remove system service
+ * 2. Clear system proxy
+ * 3. Remove CA from trust store
+ */
+export function uninstall(purge: boolean = false): InstallResult {
+  const steps: InstallResult['steps'] = [];
+
+  // Step 1: Remove service
+  try {
+    const msg = uninstallService();
+    steps.push({ step: 'Remove system service', success: true, message: msg });
+  } catch (err) {
+    steps.push({ step: 'Remove system service', success: false, message: String(err) });
+  }
+
+  // Step 2: Clear proxy
+  if (process.platform === 'darwin') {
+    const r1 = macos.clearAutoproxyURL();
+    steps.push({ step: 'Clear auto-proxy', success: r1.success, message: r1.message });
+    const r2 = macos.clearSystemProxy();
+    steps.push({ step: 'Clear system proxy', success: r2.success, message: r2.message });
+  } else {
+    const r = linux.clearSystemProxy();
+    steps.push({ step: 'Clear system proxy', success: r.success, message: r.message });
+  }
+
+  // Step 3: Remove CA
+  const caResult = uninstallCA();
+  steps.push({ step: 'Remove CA from trust store', success: caResult.success, message: caResult.message });
+
+  // Step 4: Purge data (optional)
+  if (purge) {
+    try {
+      const fs = require('node:fs');
+      const path = require('node:path');
+      const dataDir = path.join(process.env['HOME'] || '.', '.smartcontext');
+      fs.rmSync(dataDir, { recursive: true, force: true });
+      steps.push({ step: 'Purge data directory', success: true, message: `Removed ${dataDir}` });
+    } catch (err) {
+      steps.push({ step: 'Purge data directory', success: false, message: String(err) });
+    }
+  }
+
+  const allOk = steps.every((s) => s.success);
+  return { success: allOk, steps };
+}
+
+/** Check installation status */
+export function status(port: number): Record<string, boolean | string> {
+  return {
+    caExists: require('node:fs').existsSync(getCACertPath()),
+    caInstalled: isCAInstalled(),
+    proxyConfigured: platform.isProxyConfigured(port),
+  };
+}
+
+/** Rollback completed steps on failure */
+function rollback(completedSteps: InstallResult['steps']): void {
+  for (const step of completedSteps.reverse()) {
+    if (!step.success) continue;
+    try {
+      if (step.step.includes('CA in trust store')) uninstallCA();
+      if (step.step.includes('system proxy') || step.step.includes('PAC')) {
+        if (process.platform === 'darwin') {
+          macos.clearAutoproxyURL();
+          macos.clearSystemProxy();
+        } else {
+          linux.clearSystemProxy();
+        }
+      }
+      if (step.step.includes('system service')) uninstallService();
+    } catch {}
+  }
+}