smartcontext-proxy 0.2.0 → 0.2.1

package/dist/src/proxy/connect-proxy.d.ts

@@ -15,6 +15,8 @@ export declare class ConnectProxy {
     private optimizer;
     private adapters;
     private paused;
+    private debugHeaders;
+    private systemProxyActive;
     private requestCounter;
     private config;
     constructor(config: SmartContextConfig, optimizer?: ContextOptimizer | null, adapters?: Map<string, ProviderAdapter>);
@@ -28,6 +30,7 @@ export declare class ConnectProxy {
     /** Handle plain HTTP requests (dashboard, API, Ollama interception) */
     private handleHTTP;
     private handleAPI;
+    private getDashboardState;
     private generatePAC;
     private interceptorOptions;
     private log;

package/dist/src/proxy/connect-proxy.js

@@ -10,6 +10,9 @@ const tunnel_js_1 = require("./tunnel.js");
 const tls_interceptor_js_1 = require("./tls-interceptor.js");
 const collector_js_1 = require("../metrics/collector.js");
 const dashboard_js_1 = require("../ui/dashboard.js");
+const ab_test_js_1 = require("../context/ab-test.js");
+const trust_store_js_1 = require("../tls/trust-store.js");
+const dns_redirect_js_1 = require("../system/dns-redirect.js");
 /**
  * HTTP CONNECT proxy that transparently intercepts LLM traffic.
  *
@@ -23,6 +26,8 @@ class ConnectProxy {
     optimizer = null;
     adapters = new Map();
     paused = false;
+    debugHeaders = false;
+    systemProxyActive = false;
     requestCounter = { value: 0 };
     config;
     constructor(config, optimizer, adapters) {
@@ -69,7 +74,7 @@ class ConnectProxy {
         // Dashboard
         if (path === '/' && method === 'GET') {
             res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
-            res.end((0, dashboard_js_1.renderDashboard)(this.metrics, this.paused));
+            res.end((0, dashboard_js_1.renderDashboard)(this.metrics, this.getDashboardState()));
             return;
         }
         // Health
@@ -99,7 +104,7 @@ class ConnectProxy {
         res.writeHead(404, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify({ error: 'Not found' }));
     }
-    handleAPI(path, method, req, res) {
+    async handleAPI(path, method, req, res) {
         res.setHeader('Content-Type', 'application/json');
         switch (path) {
             case '/_sc/status':
@@ -124,11 +129,73 @@ class ConnectProxy {
                 this.paused = false;
                 res.end(JSON.stringify({ ok: true, state: 'running' }));
                 break;
+            case '/_sc/ab-test/enable':
+                (0, ab_test_js_1.enableABTest)();
+                res.end(JSON.stringify({ ok: true, abTest: true }));
+                break;
+            case '/_sc/ab-test/disable':
+                (0, ab_test_js_1.disableABTest)();
+                res.end(JSON.stringify({ ok: true, abTest: false }));
+                break;
+            case '/_sc/ab-test/results':
+                res.end(JSON.stringify((0, ab_test_js_1.getABResults)()));
+                break;
+            case '/_sc/ab-test/summary':
+                res.end(JSON.stringify((0, ab_test_js_1.getABSummary)()));
+                break;
+            case '/_sc/debug-headers/enable':
+                this.debugHeaders = true;
+                this.config.logging.debug_headers = true;
+                res.end(JSON.stringify({ ok: true, debugHeaders: true }));
+                break;
+            case '/_sc/debug-headers/disable':
+                this.debugHeaders = false;
+                this.config.logging.debug_headers = false;
+                res.end(JSON.stringify({ ok: true, debugHeaders: false }));
+                break;
+            case '/_sc/system-proxy/enable':
+                try {
+                    // Cache real IPs before overriding DNS
+                    await (0, dns_redirect_js_1.cacheRealIPs)();
+                    const dnsResult = (0, dns_redirect_js_1.enableDNSRedirect)();
+                    this.systemProxyActive = dnsResult.success;
+                    res.end(JSON.stringify({ ok: dnsResult.success, message: dnsResult.message, method: 'dns-redirect' }));
+                }
+                catch (err) {
+                    res.end(JSON.stringify({ ok: false, error: String(err) }));
+                }
+                break;
+            case '/_sc/system-proxy/disable':
+                try {
+                    const disableResult = (0, dns_redirect_js_1.disableDNSRedirect)();
+                    this.systemProxyActive = false;
+                    res.end(JSON.stringify({ ok: disableResult.success, message: disableResult.message }));
+                }
+                catch (err) {
+                    res.end(JSON.stringify({ ok: false, error: String(err) }));
+                }
+                break;
             default:
                 res.writeHead(404);
                 res.end(JSON.stringify({ error: `Unknown: ${path}` }));
         }
     }
+    getDashboardState() {
+        let caInstalled = false;
+        try {
+            caInstalled = (0, trust_store_js_1.isCAInstalled)();
+        }
+        catch { }
+        return {
+            paused: this.paused,
+            mode: this.optimizer ? 'optimizing' : 'transparent',
+            proxyType: 'connect',
+            abTestEnabled: (0, ab_test_js_1.isABEnabled)(),
+            debugHeaders: this.debugHeaders,
+            caInstalled,
+            systemProxyActive: this.systemProxyActive,
+        };
+    }
     generatePAC() {
         const { getLLMHostnames } = require('./classifier.js');
         const hosts = getLLMHostnames();

package/dist/src/proxy/server.js

@@ -59,7 +59,16 @@ class ProxyServer {
         // Dashboard (root path)
         if (path === '/' && method === 'GET') {
             res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
-            res.end((0, dashboard_js_1.renderDashboard)(this.metrics, this.paused));
+            const state = {
+                paused: this.paused,
+                mode: this.optimizer ? 'optimizing' : 'transparent',
+                proxyType: 'legacy',
+                abTestEnabled: false,
+                debugHeaders: this.config.logging.debug_headers,
+                caInstalled: false,
+                systemProxyActive: false,
+            };
+            res.end((0, dashboard_js_1.renderDashboard)(this.metrics, state));
             return;
         }
         // Health check

package/dist/src/proxy/transparent-listener.d.ts

@@ -0,0 +1,31 @@
+import type { ProviderAdapter } from '../providers/types.js';
+import type { SmartContextConfig } from '../config/schema.js';
+import { ContextOptimizer } from '../context/optimizer.js';
+import { MetricsCollector } from '../metrics/collector.js';
+export interface TransparentOptions {
+    config: SmartContextConfig;
+    optimizer: ContextOptimizer | null;
+    metrics: MetricsCollector;
+    adapters: Map<string, ProviderAdapter>;
+    paused: boolean;
+    requestCounter: {
+        value: number;
+    };
+    log: (level: string, message: string) => void;
+}
+/**
+ * Transparent TLS listener on port 443.
+ * When DNS redirects LLM traffic to 127.0.0.1, clients connect directly
+ * via TLS (no CONNECT). This server terminates TLS using SNI to pick
+ * the right cert, then handles the request.
+ */
+export declare class TransparentListener {
+    private server;
+    private options;
+    constructor(options: TransparentOptions);
+    start(port?: number, host?: string): Promise<void>;
+    stop(): Promise<void>;
+    private handleConnection;
+    private handleTLSConnection;
+    private handleRequest;
+}

package/dist/src/proxy/transparent-listener.js

@@ -0,0 +1,285 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransparentListener = void 0;
+const node_tls_1 = __importDefault(require("node:tls"));
+const node_net_1 = __importDefault(require("node:net"));
+const node_https_1 = __importDefault(require("node:https"));
+const ca_manager_js_1 = require("../tls/ca-manager.js");
+const classifier_js_1 = require("./classifier.js");
+const dns_redirect_js_1 = require("../system/dns-redirect.js");
+const chunker_js_1 = require("../context/chunker.js");
+const canonical_js_1 = require("../context/canonical.js");
+/**
+ * Transparent TLS listener on port 443.
+ * When DNS redirects LLM traffic to 127.0.0.1, clients connect directly
+ * via TLS (no CONNECT). This server terminates TLS using SNI to pick
+ * the right cert, then handles the request.
+ */
+class TransparentListener {
+    server;
+    options;
+    constructor(options) {
+        this.options = options;
+        // Raw TCP server — we need SNI from ClientHello before creating TLS context
+        this.server = node_net_1.default.createServer((socket) => this.handleConnection(socket));
+    }
+    async start(port = 443, host = '127.0.0.1') {
+        return new Promise((resolve, reject) => {
+            this.server.on('error', (err) => {
+                if (err.code === 'EACCES') {
+                    this.options.log('error', `Port ${port} requires root. Transparent listener disabled.`);
+                    resolve(); // Non-fatal
+                }
+                else {
+                    reject(err);
+                }
+            });
+            this.server.listen(port, host, () => {
+                this.options.log('info', `Transparent TLS listener on ${host}:${port}`);
+                resolve();
+            });
+        });
+    }
+    async stop() {
+        return new Promise((resolve) => {
+            this.server.close(() => resolve());
+        });
+    }
+    handleConnection(socket) {
+        // Peek at first bytes to extract SNI from TLS ClientHello
+        socket.once('data', (data) => {
+            const hostname = extractSNI(data);
+            if (!hostname) {
+                socket.destroy();
+                return;
+            }
+            const match = (0, classifier_js_1.classifyHost)(hostname, 443);
+            if (!match) {
+                // Not an LLM host — shouldn't happen with DNS redirect, but just in case
+                socket.destroy();
+                return;
+            }
+            this.options.log('info', `TRANSPARENT ${hostname} (${match.provider})`);
+            const { cert, key } = (0, ca_manager_js_1.getCertForHost)(hostname);
+            const tlsSocket = new node_tls_1.default.TLSSocket(socket, {
+                isServer: true,
+                cert,
+                key,
+            });
+            // Unshift the peeked data back
+            tlsSocket.unshift(data);
+            // Actually we already consumed data from socket, TLSSocket wraps socket
+            // Need to handle this differently — push data through
+            this.handleTLSConnection(tlsSocket, hostname, match);
+        });
+    }
+    handleTLSConnection(tlsSocket, hostname, match) {
+        let requestData = Buffer.alloc(0);
+        let headersParsed = false;
+        let contentLength = 0;
+        let headerEnd = -1;
+        tlsSocket.on('data', (chunk) => {
+            requestData = Buffer.concat([requestData, chunk]);
+            if (!headersParsed) {
+                headerEnd = requestData.indexOf('\r\n\r\n');
+                if (headerEnd === -1)
+                    return;
+                headersParsed = true;
+                const headersStr = requestData.subarray(0, headerEnd).toString();
+                const clMatch = headersStr.match(/content-length:\s*(\d+)/i);
+                contentLength = clMatch ? parseInt(clMatch[1], 10) : 0;
+            }
+            const bodyStart = headerEnd + 4;
+            const bodyReceived = requestData.length - bodyStart;
+            if (bodyReceived >= contentLength) {
+                tlsSocket.pause();
+                this.handleRequest(requestData, hostname, match, tlsSocket).catch((err) => {
+                    this.options.log('error', `Transparent handler error: ${err}`);
+                    try {
+                        tlsSocket.end();
+                    }
+                    catch { }
+                });
+            }
+        });
+        tlsSocket.on('error', (err) => {
+            this.options.log('error', `TLS error for ${hostname}: ${err.message}`);
+        });
+    }
+    async handleRequest(rawRequest, hostname, match, clientTLS) {
+        this.options.requestCounter.value++;
+        const reqId = this.options.requestCounter.value;
+        const startTime = Date.now();
+        // Parse HTTP request
+        const headerEnd = rawRequest.indexOf('\r\n\r\n');
+        const headersStr = rawRequest.subarray(0, headerEnd).toString();
+        const body = rawRequest.subarray(headerEnd + 4);
+        const [requestLine, ...headerLines] = headersStr.split('\r\n');
+        const [method, reqPath] = requestLine.split(' ');
+        const headers = {};
+        for (const line of headerLines) {
+            const colonIdx = line.indexOf(':');
+            if (colonIdx > 0) {
+                headers[line.substring(0, colonIdx).toLowerCase().trim()] = line.substring(colonIdx + 1).trim();
+            }
+        }
+        // Get real IP for this hostname (cached before DNS override)
+        const realIP = (0, dns_redirect_js_1.getRealIP)(hostname);
+        if (!realIP) {
+            this.options.log('error', `No real IP cached for ${hostname}`);
+            clientTLS.write('HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n');
+            clientTLS.end();
+            return;
+        }
+        // Optimization logic
+        const adapter = this.options.adapters.get(match.provider);
+        let forwardBody = body;
+        let model = 'unknown';
+        let originalTokens = 0;
+        let optimizedTokens = 0;
+        let savingsPercent = 0;
+        let passThrough = true;
+        if (adapter && body.length > 0) {
+            try {
+                const parsed = JSON.parse(body.toString());
+                model = parsed.model || 'unknown';
+                const canonical = adapter.parseRequest(parsed, headers);
+                originalTokens = (0, chunker_js_1.estimateTokens)(canonical.systemPrompt || '') +
+                    canonical.messages.reduce((sum, m) => sum + (0, chunker_js_1.estimateTokens)((0, canonical_js_1.getTextContent)(m)), 0);
+                if (this.options.optimizer && !this.options.paused) {
+                    try {
+                        const result = await this.options.optimizer.optimize(canonical);
+                        passThrough = result.passThrough;
+                        if (!result.passThrough) {
+                            canonical.messages = result.optimizedMessages;
+                            if (result.systemPrompt !== undefined)
+                                canonical.systemPrompt = result.systemPrompt;
+                            optimizedTokens = result.packed.optimizedTokens;
+                            savingsPercent = result.packed.savingsPercent;
+                            forwardBody = Buffer.from(JSON.stringify(adapter.serializeRequest(canonical)));
+                        }
+                        else {
+                            optimizedTokens = originalTokens;
+                        }
+                    }
+                    catch {
+                        optimizedTokens = originalTokens;
+                    }
+                }
+                else {
+                    optimizedTokens = originalTokens;
+                }
+            }
+            catch {
+                optimizedTokens = originalTokens;
+            }
+        }
+        const latency = Date.now() - startTime;
+        const savingsStr = passThrough ? 'pass' : `-${savingsPercent}%`;
+        this.options.log('info', `#${reqId} ${match.provider}/${model} ${originalTokens}→${optimizedTokens} ${savingsStr} ${latency}ms [transparent]`);
+        // Forward to real provider IP
+        const forwardHeaders = { ...headers };
+        forwardHeaders['host'] = hostname;
+        forwardHeaders['content-length'] = String(forwardBody.length);
+        const providerRes = await new Promise((resolve, reject) => {
+            const req = node_https_1.default.request({
+                hostname: realIP,
+                port: 443,
+                path: reqPath,
+                method,
+                headers: forwardHeaders,
+                servername: hostname, // SNI for the real server
+            }, resolve);
+            req.on('error', reject);
+            req.write(forwardBody);
+            req.end();
+        });
+        // Stream response back
+        const resHeaders = [`HTTP/1.1 ${providerRes.statusCode} ${providerRes.statusMessage}`];
+        for (const [key, val] of Object.entries(providerRes.headers)) {
+            if (val) {
+                const values = Array.isArray(val) ? val : [val];
+                for (const v of values)
+                    resHeaders.push(`${key}: ${v}`);
+            }
+        }
+        resHeaders.push('', '');
+        clientTLS.write(resHeaders.join('\r\n'));
+        await new Promise((resolve) => {
+            providerRes.on('data', (chunk) => clientTLS.write(chunk));
+            providerRes.on('end', () => { clientTLS.end(); resolve(); });
+            providerRes.on('error', () => { clientTLS.end(); resolve(); });
+        });
+        // Record metrics
+        this.options.metrics.record({
+            id: reqId,
+            timestamp: Date.now(),
+            provider: match.provider,
+            model,
+            streaming: headers['accept']?.includes('text/event-stream') || false,
+            originalTokens,
+            optimizedTokens,
+            savingsPercent,
+            latencyOverheadMs: latency,
+            chunksRetrieved: 0,
+            topScore: 0,
+            passThrough,
+        });
+    }
+}
+exports.TransparentListener = TransparentListener;
+/**
+ * Extract SNI hostname from TLS ClientHello.
+ * Returns null if not found.
+ */
+function extractSNI(data) {
+    try {
+        // TLS record: type=22 (handshake), version, length
+        if (data.length < 5 || data[0] !== 0x16)
+            return null;
+        // Handshake: type=1 (ClientHello)
+        let offset = 5;
+        if (data[offset] !== 0x01)
+            return null;
+        // Skip handshake length (3 bytes) + client version (2) + random (32)
+        offset += 4 + 2 + 32;
+        // Session ID
+        const sessionIdLen = data[offset];
+        offset += 1 + sessionIdLen;
+        // Cipher suites
+        const cipherLen = data.readUInt16BE(offset);
+        offset += 2 + cipherLen;
+        // Compression methods
+        const compLen = data[offset];
+        offset += 1 + compLen;
+        // Extensions
+        if (offset + 2 > data.length)
+            return null;
+        const extLen = data.readUInt16BE(offset);
+        offset += 2;
+        const extEnd = offset + extLen;
+        while (offset + 4 < extEnd && offset < data.length) {
+            const extType = data.readUInt16BE(offset);
+            const extDataLen = data.readUInt16BE(offset + 2);
+            offset += 4;
+            if (extType === 0x0000) { // SNI extension
+                // Skip SNI list length (2)
+                offset += 2;
+                const nameType = data[offset];
+                offset += 1;
+                if (nameType === 0x00) { // hostname
+                    const nameLen = data.readUInt16BE(offset);
+                    offset += 2;
+                    return data.subarray(offset, offset + nameLen).toString('ascii');
+                }
+            }
+            offset += extDataLen;
+        }
+    }
+    catch { }
+    return null;
+}
+//# sourceMappingURL=transparent-listener.js.map

package/dist/src/system/dns-redirect.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Resolve and cache real IPs before overriding DNS.
+ * MUST be called before enableDNSRedirect.
+ */
+export declare function cacheRealIPs(): Promise<Map<string, string[]>>;
+/** Get cached real IP for a hostname */
+export declare function getRealIP(hostname: string): string | null;
+/** Get all original IP mappings */
+export declare function getAllRealIPs(): Map<string, string[]>;
+/**
+ * Add /etc/hosts entries pointing LLM hostnames to 127.0.0.1.
+ * Requires sudo.
+ * After this, all apps resolve LLM hosts to localhost → our proxy.
+ */
+export declare function enableDNSRedirect(): {
+    success: boolean;
+    message: string;
+    hosts: number;
+};
+/**
+ * Remove /etc/hosts entries.
+ */
+export declare function disableDNSRedirect(): {
+    success: boolean;
+    message: string;
+};
+/** Check if DNS redirect is active */
+export declare function isDNSRedirectActive(): boolean;

package/dist/src/system/dns-redirect.js

@@ -0,0 +1,141 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cacheRealIPs = cacheRealIPs;
+exports.getRealIP = getRealIP;
+exports.getAllRealIPs = getAllRealIPs;
+exports.enableDNSRedirect = enableDNSRedirect;
+exports.disableDNSRedirect = disableDNSRedirect;
+exports.isDNSRedirectActive = isDNSRedirectActive;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_child_process_1 = require("node:child_process");
+const node_dns_1 = __importDefault(require("node:dns"));
+const HOSTS_FILE = '/etc/hosts';
+const MARKER_START = '# SmartContext Proxy — START (auto-generated, do not edit)';
+const MARKER_END = '# SmartContext Proxy — END';
+/** LLM provider hostnames to redirect */
+const LLM_HOSTS = [
+    'api.anthropic.com',
+    'api.openai.com',
+    'generativelanguage.googleapis.com',
+    'openrouter.ai',
+    'api.together.xyz',
+    'api.fireworks.ai',
+    'api.mistral.ai',
+    'api.cohere.com',
+    'api.groq.com',
+    'api.deepseek.com',
+];
+/** Original IP mappings — needed to forward traffic to real providers */
+const originalIPs = new Map();
+/**
+ * Resolve and cache real IPs before overriding DNS.
+ * MUST be called before enableDNSRedirect.
+ */
+async function cacheRealIPs() {
+    for (const host of LLM_HOSTS) {
+        try {
+            const addrs = await new Promise((resolve, reject) => {
+                node_dns_1.default.resolve4(host, (err, addresses) => {
+                    if (err)
+                        reject(err);
+                    else
+                        resolve(addresses);
+                });
+            });
+            originalIPs.set(host, addrs);
+        }
+        catch { }
+    }
+    return originalIPs;
+}
+/** Get cached real IP for a hostname */
+function getRealIP(hostname) {
+    const ips = originalIPs.get(hostname);
+    return ips?.[0] || null;
+}
+/** Get all original IP mappings */
+function getAllRealIPs() {
+    return originalIPs;
+}
+/**
+ * Add /etc/hosts entries pointing LLM hostnames to 127.0.0.1.
+ * Requires sudo.
+ * After this, all apps resolve LLM hosts to localhost → our proxy.
+ */
+function enableDNSRedirect() {
+    try {
+        const current = node_fs_1.default.readFileSync(HOSTS_FILE, 'utf-8');
+        // Don't add if already present
+        if (current.includes(MARKER_START)) {
+            return { success: true, message: 'DNS redirect already active', hosts: LLM_HOSTS.length };
+        }
+        const block = [
+            '',
+            MARKER_START,
+            ...LLM_HOSTS.map((h) => `127.0.0.1  ${h}`),
+            MARKER_END,
+            '',
+        ].join('\n');
+        const newContent = current + block;
+        // Write via sudo tee
+        (0, node_child_process_1.execFileSync)('sudo', ['tee', HOSTS_FILE], {
+            input: newContent,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        // Flush DNS cache
+        flushDNS();
+        return { success: true, message: `DNS redirect active: ${LLM_HOSTS.length} hosts → 127.0.0.1`, hosts: LLM_HOSTS.length };
+    }
+    catch (err) {
+        return { success: false, message: `Failed: ${err}`, hosts: 0 };
+    }
+}
+/**
+ * Remove /etc/hosts entries.
+ */
+function disableDNSRedirect() {
+    try {
+        const current = node_fs_1.default.readFileSync(HOSTS_FILE, 'utf-8');
+        if (!current.includes(MARKER_START)) {
+            return { success: true, message: 'DNS redirect not active' };
+        }
+        // Remove our block
+        const regex = new RegExp(`\\n?${escapeRegex(MARKER_START)}[\\s\\S]*?${escapeRegex(MARKER_END)}\\n?`, 'g');
+        const cleaned = current.replace(regex, '\n');
+        (0, node_child_process_1.execFileSync)('sudo', ['tee', HOSTS_FILE], {
+            input: cleaned,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        flushDNS();
+        return { success: true, message: 'DNS redirect removed' };
+    }
+    catch (err) {
+        return { success: false, message: `Failed: ${err}` };
+    }
+}
+/** Check if DNS redirect is active */
+function isDNSRedirectActive() {
+    try {
+        const content = node_fs_1.default.readFileSync(HOSTS_FILE, 'utf-8');
+        return content.includes(MARKER_START);
+    }
+    catch {
+        return false;
+    }
+}
+function flushDNS() {
+    try {
+        if (process.platform === 'darwin') {
+            (0, node_child_process_1.execFileSync)('dscacheutil', ['-flushcache'], { stdio: 'pipe' });
+            (0, node_child_process_1.execFileSync)('sudo', ['killall', '-HUP', 'mDNSResponder'], { stdio: 'pipe' });
+        }
+    }
+    catch { }
+}
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+//# sourceMappingURL=dns-redirect.js.map

package/dist/src/system/pf-redirect.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Install pf redirect rules.
+ * Requires sudo.
+ */
+export declare function enablePFRedirect(proxyPort: number): Promise<{
+    success: boolean;
+    message: string;
+    ips: number;
+}>;
+/**
+ * Remove pf redirect rules.
+ */
+export declare function disablePFRedirect(): {
+    success: boolean;
+    message: string;
+};
+/**
+ * Check if pf redirect is active.
+ */
+export declare function isPFRedirectActive(): boolean;
+/**
+ * Refresh IP addresses (IPs can change due to DNS).
+ * Call periodically to keep rules current.
+ */
+export declare function refreshPFRules(proxyPort: number): Promise<void>;