smartcontext-proxy 0.2.0 → 0.2.1

package/src/proxy/transparent-listener.ts

@@ -0,0 +1,328 @@
+import tls from 'node:tls';
+import net from 'node:net';
+import http from 'node:http';
+import https from 'node:https';
+import { getCertForHost } from '../tls/ca-manager.js';
+import { classifyHost } from './classifier.js';
+import { getRealIP } from '../system/dns-redirect.js';
+import type { ProviderAdapter } from '../providers/types.js';
+import type { SmartContextConfig } from '../config/schema.js';
+import { ContextOptimizer } from '../context/optimizer.js';
+import { MetricsCollector } from '../metrics/collector.js';
+import { estimateTokens } from '../context/chunker.js';
+import { getTextContent } from '../context/canonical.js';
+
+export interface TransparentOptions {
+  config: SmartContextConfig;
+  optimizer: ContextOptimizer | null;
+  metrics: MetricsCollector;
+  adapters: Map<string, ProviderAdapter>;
+  paused: boolean;
+  requestCounter: { value: number };
+  log: (level: string, message: string) => void;
+}
+
+/**
+ * Transparent TLS listener on port 443.
+ * When DNS redirects LLM traffic to 127.0.0.1, clients connect directly
+ * via TLS (no CONNECT). This server terminates TLS using SNI to pick
+ * the right cert, then handles the request.
+ */
+export class TransparentListener {
+  private server: net.Server;
+  private options: TransparentOptions;
+
+  constructor(options: TransparentOptions) {
+    this.options = options;
+
+    // Raw TCP server — we need SNI from ClientHello before creating TLS context
+    this.server = net.createServer((socket) => this.handleConnection(socket));
+  }
+
+  async start(port: number = 443, host: string = '127.0.0.1'): Promise<void> {
+    return new Promise((resolve, reject) => {
+      this.server.on('error', (err: NodeJS.ErrnoException) => {
+        if (err.code === 'EACCES') {
+          this.options.log('error', `Port ${port} requires root. Transparent listener disabled.`);
+          resolve(); // Non-fatal
+        } else {
+          reject(err);
+        }
+      });
+      this.server.listen(port, host, () => {
+        this.options.log('info', `Transparent TLS listener on ${host}:${port}`);
+        resolve();
+      });
+    });
+  }
+
+  async stop(): Promise<void> {
+    return new Promise((resolve) => {
+      this.server.close(() => resolve());
+    });
+  }
+
+  private handleConnection(socket: net.Socket): void {
+    // Peek at first bytes to extract SNI from TLS ClientHello
+    socket.once('data', (data) => {
+      const hostname = extractSNI(data);
+      if (!hostname) {
+        socket.destroy();
+        return;
+      }
+
+      const match = classifyHost(hostname, 443);
+      if (!match) {
+        // Not an LLM host — shouldn't happen with DNS redirect, but just in case
+        socket.destroy();
+        return;
+      }
+
+      this.options.log('info', `TRANSPARENT ${hostname} (${match.provider})`);
+
+      const { cert, key } = getCertForHost(hostname);
+
+      const tlsSocket = new tls.TLSSocket(socket, {
+        isServer: true,
+        cert,
+        key,
+      });
+
+      // Unshift the peeked data back
+      tlsSocket.unshift(data);
+      // Actually we already consumed data from socket, TLSSocket wraps socket
+      // Need to handle this differently — push data through
+
+      this.handleTLSConnection(tlsSocket, hostname, match);
+    });
+  }
+
+  private handleTLSConnection(
+    tlsSocket: tls.TLSSocket,
+    hostname: string,
+    match: ReturnType<typeof classifyHost> & {},
+  ): void {
+    let requestData = Buffer.alloc(0);
+    let headersParsed = false;
+    let contentLength = 0;
+    let headerEnd = -1;
+
+    tlsSocket.on('data', (chunk: Buffer) => {
+      requestData = Buffer.concat([requestData, chunk]);
+
+      if (!headersParsed) {
+        headerEnd = requestData.indexOf('\r\n\r\n');
+        if (headerEnd === -1) return;
+        headersParsed = true;
+        const headersStr = requestData.subarray(0, headerEnd).toString();
+        const clMatch = headersStr.match(/content-length:\s*(\d+)/i);
+        contentLength = clMatch ? parseInt(clMatch[1], 10) : 0;
+      }
+
+      const bodyStart = headerEnd + 4;
+      const bodyReceived = requestData.length - bodyStart;
+
+      if (bodyReceived >= contentLength) {
+        tlsSocket.pause();
+        this.handleRequest(requestData, hostname, match, tlsSocket).catch((err) => {
+          this.options.log('error', `Transparent handler error: ${err}`);
+          try { tlsSocket.end(); } catch {}
+        });
+      }
+    });
+
+    tlsSocket.on('error', (err) => {
+      this.options.log('error', `TLS error for ${hostname}: ${err.message}`);
+    });
+  }
+
+  private async handleRequest(
+    rawRequest: Buffer,
+    hostname: string,
+    match: { provider: string },
+    clientTLS: tls.TLSSocket,
+  ): Promise<void> {
+    this.options.requestCounter.value++;
+    const reqId = this.options.requestCounter.value;
+    const startTime = Date.now();
+
+    // Parse HTTP request
+    const headerEnd = rawRequest.indexOf('\r\n\r\n');
+    const headersStr = rawRequest.subarray(0, headerEnd).toString();
+    const body = rawRequest.subarray(headerEnd + 4);
+
+    const [requestLine, ...headerLines] = headersStr.split('\r\n');
+    const [method, reqPath] = requestLine.split(' ');
+
+    const headers: Record<string, string> = {};
+    for (const line of headerLines) {
+      const colonIdx = line.indexOf(':');
+      if (colonIdx > 0) {
+        headers[line.substring(0, colonIdx).toLowerCase().trim()] = line.substring(colonIdx + 1).trim();
+      }
+    }
+
+    // Get real IP for this hostname (cached before DNS override)
+    const realIP = getRealIP(hostname);
+    if (!realIP) {
+      this.options.log('error', `No real IP cached for ${hostname}`);
+      clientTLS.write('HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n');
+      clientTLS.end();
+      return;
+    }
+
+    // Optimization logic
+    const adapter = this.options.adapters.get(match.provider);
+    let forwardBody = body;
+    let model = 'unknown';
+    let originalTokens = 0;
+    let optimizedTokens = 0;
+    let savingsPercent = 0;
+    let passThrough = true;
+
+    if (adapter && body.length > 0) {
+      try {
+        const parsed = JSON.parse(body.toString());
+        model = parsed.model || 'unknown';
+        const canonical = adapter.parseRequest(parsed, headers);
+        originalTokens = estimateTokens(canonical.systemPrompt || '') +
+          canonical.messages.reduce((sum, m) => sum + estimateTokens(getTextContent(m)), 0);
+
+        if (this.options.optimizer && !this.options.paused) {
+          try {
+            const result = await this.options.optimizer.optimize(canonical);
+            passThrough = result.passThrough;
+            if (!result.passThrough) {
+              canonical.messages = result.optimizedMessages;
+              if (result.systemPrompt !== undefined) canonical.systemPrompt = result.systemPrompt;
+              optimizedTokens = result.packed.optimizedTokens;
+              savingsPercent = result.packed.savingsPercent;
+              forwardBody = Buffer.from(JSON.stringify(adapter.serializeRequest(canonical)));
+            } else {
+              optimizedTokens = originalTokens;
+            }
+          } catch {
+            optimizedTokens = originalTokens;
+          }
+        } else {
+          optimizedTokens = originalTokens;
+        }
+      } catch {
+        optimizedTokens = originalTokens;
+      }
+    }
+
+    const latency = Date.now() - startTime;
+    const savingsStr = passThrough ? 'pass' : `-${savingsPercent}%`;
+    this.options.log('info', `#${reqId} ${match.provider}/${model} ${originalTokens}→${optimizedTokens} ${savingsStr} ${latency}ms [transparent]`);
+
+    // Forward to real provider IP
+    const forwardHeaders = { ...headers };
+    forwardHeaders['host'] = hostname;
+    forwardHeaders['content-length'] = String(forwardBody.length);
+
+    const providerRes = await new Promise<http.IncomingMessage>((resolve, reject) => {
+      const req = https.request({
+        hostname: realIP,
+        port: 443,
+        path: reqPath,
+        method,
+        headers: forwardHeaders,
+        servername: hostname, // SNI for the real server
+      }, resolve);
+      req.on('error', reject);
+      req.write(forwardBody);
+      req.end();
+    });
+
+    // Stream response back
+    const resHeaders = [`HTTP/1.1 ${providerRes.statusCode} ${providerRes.statusMessage}`];
+    for (const [key, val] of Object.entries(providerRes.headers)) {
+      if (val) {
+        const values = Array.isArray(val) ? val : [val];
+        for (const v of values) resHeaders.push(`${key}: ${v}`);
+      }
+    }
+    resHeaders.push('', '');
+    clientTLS.write(resHeaders.join('\r\n'));
+
+    await new Promise<void>((resolve) => {
+      providerRes.on('data', (chunk) => clientTLS.write(chunk));
+      providerRes.on('end', () => { clientTLS.end(); resolve(); });
+      providerRes.on('error', () => { clientTLS.end(); resolve(); });
+    });
+
+    // Record metrics
+    this.options.metrics.record({
+      id: reqId,
+      timestamp: Date.now(),
+      provider: match.provider,
+      model,
+      streaming: headers['accept']?.includes('text/event-stream') || false,
+      originalTokens,
+      optimizedTokens,
+      savingsPercent,
+      latencyOverheadMs: latency,
+      chunksRetrieved: 0,
+      topScore: 0,
+      passThrough,
+    });
+  }
+}
+
+/**
+ * Extract SNI hostname from TLS ClientHello.
+ * Returns null if not found.
+ */
+function extractSNI(data: Buffer): string | null {
+  try {
+    // TLS record: type=22 (handshake), version, length
+    if (data.length < 5 || data[0] !== 0x16) return null;
+
+    // Handshake: type=1 (ClientHello)
+    let offset = 5;
+    if (data[offset] !== 0x01) return null;
+
+    // Skip handshake length (3 bytes) + client version (2) + random (32)
+    offset += 4 + 2 + 32;
+
+    // Session ID
+    const sessionIdLen = data[offset];
+    offset += 1 + sessionIdLen;
+
+    // Cipher suites
+    const cipherLen = data.readUInt16BE(offset);
+    offset += 2 + cipherLen;
+
+    // Compression methods
+    const compLen = data[offset];
+    offset += 1 + compLen;
+
+    // Extensions
+    if (offset + 2 > data.length) return null;
+    const extLen = data.readUInt16BE(offset);
+    offset += 2;
+
+    const extEnd = offset + extLen;
+    while (offset + 4 < extEnd && offset < data.length) {
+      const extType = data.readUInt16BE(offset);
+      const extDataLen = data.readUInt16BE(offset + 2);
+      offset += 4;
+
+      if (extType === 0x0000) { // SNI extension
+        // Skip SNI list length (2)
+        offset += 2;
+        const nameType = data[offset];
+        offset += 1;
+        if (nameType === 0x00) { // hostname
+          const nameLen = data.readUInt16BE(offset);
+          offset += 2;
+          return data.subarray(offset, offset + nameLen).toString('ascii');
+        }
+      }
+
+      offset += extDataLen;
+    }
+  } catch {}
+  return null;
+}

package/src/system/dns-redirect.ts

@@ -0,0 +1,144 @@
+import fs from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import dns from 'node:dns';
+
+const HOSTS_FILE = '/etc/hosts';
+const MARKER_START = '# SmartContext Proxy — START (auto-generated, do not edit)';
+const MARKER_END = '# SmartContext Proxy — END';
+
+/** LLM provider hostnames to redirect */
+const LLM_HOSTS = [
+  'api.anthropic.com',
+  'api.openai.com',
+  'generativelanguage.googleapis.com',
+  'openrouter.ai',
+  'api.together.xyz',
+  'api.fireworks.ai',
+  'api.mistral.ai',
+  'api.cohere.com',
+  'api.groq.com',
+  'api.deepseek.com',
+];
+
+/** Original IP mappings — needed to forward traffic to real providers */
+const originalIPs = new Map<string, string[]>();
+
+/**
+ * Resolve and cache real IPs before overriding DNS.
+ * MUST be called before enableDNSRedirect.
+ */
+export async function cacheRealIPs(): Promise<Map<string, string[]>> {
+  for (const host of LLM_HOSTS) {
+    try {
+      const addrs = await new Promise<string[]>((resolve, reject) => {
+        dns.resolve4(host, (err, addresses) => {
+          if (err) reject(err);
+          else resolve(addresses);
+        });
+      });
+      originalIPs.set(host, addrs);
+    } catch {}
+  }
+  return originalIPs;
+}
+
+/** Get cached real IP for a hostname */
+export function getRealIP(hostname: string): string | null {
+  const ips = originalIPs.get(hostname);
+  return ips?.[0] || null;
+}
+
+/** Get all original IP mappings */
+export function getAllRealIPs(): Map<string, string[]> {
+  return originalIPs;
+}
+
+/**
+ * Add /etc/hosts entries pointing LLM hostnames to 127.0.0.1.
+ * Requires sudo.
+ * After this, all apps resolve LLM hosts to localhost → our proxy.
+ */
+export function enableDNSRedirect(): { success: boolean; message: string; hosts: number } {
+  try {
+    const current = fs.readFileSync(HOSTS_FILE, 'utf-8');
+
+    // Don't add if already present
+    if (current.includes(MARKER_START)) {
+      return { success: true, message: 'DNS redirect already active', hosts: LLM_HOSTS.length };
+    }
+
+    const block = [
+      '',
+      MARKER_START,
+      ...LLM_HOSTS.map((h) => `127.0.0.1  ${h}`),
+      MARKER_END,
+      '',
+    ].join('\n');
+
+    const newContent = current + block;
+
+    // Write via sudo tee
+    execFileSync('sudo', ['tee', HOSTS_FILE], {
+      input: newContent,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    // Flush DNS cache
+    flushDNS();
+
+    return { success: true, message: `DNS redirect active: ${LLM_HOSTS.length} hosts → 127.0.0.1`, hosts: LLM_HOSTS.length };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}`, hosts: 0 };
+  }
+}
+
+/**
+ * Remove /etc/hosts entries.
+ */
+export function disableDNSRedirect(): { success: boolean; message: string } {
+  try {
+    const current = fs.readFileSync(HOSTS_FILE, 'utf-8');
+
+    if (!current.includes(MARKER_START)) {
+      return { success: true, message: 'DNS redirect not active' };
+    }
+
+    // Remove our block
+    const regex = new RegExp(`\\n?${escapeRegex(MARKER_START)}[\\s\\S]*?${escapeRegex(MARKER_END)}\\n?`, 'g');
+    const cleaned = current.replace(regex, '\n');
+
+    execFileSync('sudo', ['tee', HOSTS_FILE], {
+      input: cleaned,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    flushDNS();
+
+    return { success: true, message: 'DNS redirect removed' };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Check if DNS redirect is active */
+export function isDNSRedirectActive(): boolean {
+  try {
+    const content = fs.readFileSync(HOSTS_FILE, 'utf-8');
+    return content.includes(MARKER_START);
+  } catch {
+    return false;
+  }
+}
+
+function flushDNS(): void {
+  try {
+    if (process.platform === 'darwin') {
+      execFileSync('dscacheutil', ['-flushcache'], { stdio: 'pipe' });
+      execFileSync('sudo', ['killall', '-HUP', 'mDNSResponder'], { stdio: 'pipe' });
+    }
+  } catch {}
+}
+
+function escapeRegex(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/src/system/pf-redirect.ts

@@ -0,0 +1,175 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import dns from 'node:dns';
+import path from 'node:path';
+
+const PF_ANCHOR = 'com.smartcontext';
+const PF_CONF_PATH = path.join(process.env['HOME'] || '.', '.smartcontext', 'pf-smartcontext.conf');
+
+/** Known LLM provider hostnames to intercept */
+const LLM_HOSTS = [
+  'api.anthropic.com',
+  'api.openai.com',
+  'generativelanguage.googleapis.com',
+  'openrouter.ai',
+  'api.together.xyz',
+  'api.fireworks.ai',
+  'api.mistral.ai',
+  'api.cohere.com',
+  'api.groq.com',
+  'api.deepseek.com',
+];
+
+/**
+ * Resolve hostnames to IPs for pf rules.
+ * pf works at IP level, not DNS.
+ */
+async function resolveHosts(): Promise<Map<string, string[]>> {
+  const results = new Map<string, string[]>();
+
+  for (const host of LLM_HOSTS) {
+    try {
+      const addrs = await new Promise<string[]>((resolve, reject) => {
+        dns.resolve4(host, (err, addresses) => {
+          if (err) reject(err);
+          else resolve(addresses);
+        });
+      });
+      results.set(host, addrs);
+    } catch {
+      // Host might not resolve — skip
+    }
+  }
+
+  return results;
+}
+
+/**
+ * Generate pf redirect rules.
+ * Redirects outgoing HTTPS (port 443) traffic to LLM provider IPs
+ * to our local proxy port.
+ */
+function generatePFConf(hostIPs: Map<string, string[]>, proxyPort: number): string {
+  const lines: string[] = [
+    `# SmartContext Proxy — auto-generated pf rules`,
+    `# Redirects LLM API traffic to local proxy`,
+    ``,
+  ];
+
+  // Collect all IPs into a pf table
+  const allIPs: string[] = [];
+  for (const [host, ips] of hostIPs) {
+    lines.push(`# ${host}: ${ips.join(', ')}`);
+    allIPs.push(...ips);
+  }
+
+  if (allIPs.length === 0) {
+    lines.push('# No IPs resolved — no rules');
+    return lines.join('\n');
+  }
+
+  lines.push('');
+  lines.push(`table <llm_providers> { ${allIPs.join(', ')} }`);
+  lines.push('');
+  // Redirect outgoing HTTPS to LLM providers → local proxy
+  // rdr-to changes destination to localhost:proxyPort
+  lines.push(`rdr pass on lo0 proto tcp from any to <llm_providers> port 443 -> 127.0.0.1 port ${proxyPort}`);
+  lines.push('');
+  // Route the traffic through loopback so rdr applies
+  lines.push(`pass out on en0 route-to (lo0 127.0.0.1) proto tcp from any to <llm_providers> port 443`);
+  lines.push(`pass out on en1 route-to (lo0 127.0.0.1) proto tcp from any to <llm_providers> port 443`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+/**
+ * Install pf redirect rules.
+ * Requires sudo.
+ */
+export async function enablePFRedirect(proxyPort: number): Promise<{ success: boolean; message: string; ips: number }> {
+  try {
+    const hostIPs = await resolveHosts();
+
+    let totalIPs = 0;
+    for (const ips of hostIPs.values()) totalIPs += ips.length;
+
+    if (totalIPs === 0) {
+      return { success: false, message: 'No LLM provider IPs resolved', ips: 0 };
+    }
+
+    const conf = generatePFConf(hostIPs, proxyPort);
+    fs.mkdirSync(path.dirname(PF_CONF_PATH), { recursive: true });
+    fs.writeFileSync(PF_CONF_PATH, conf);
+
+    // Load anchor into pf
+    try {
+      execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-f', PF_CONF_PATH], { stdio: 'pipe' });
+    } catch (err) {
+      return { success: false, message: `pfctl load failed: ${err}`, ips: totalIPs };
+    }
+
+    // Enable pf if not already enabled
+    try {
+      execFileSync('sudo', ['pfctl', '-e'], { stdio: 'pipe' });
+    } catch {
+      // Already enabled — ok
+    }
+
+    return { success: true, message: `pf redirect active: ${totalIPs} IPs from ${hostIPs.size} hosts → :${proxyPort}`, ips: totalIPs };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}`, ips: 0 };
+  }
+}
+
+/**
+ * Remove pf redirect rules.
+ */
+export function disablePFRedirect(): { success: boolean; message: string } {
+  try {
+    // Flush anchor rules
+    try {
+      execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-F', 'all'], { stdio: 'pipe' });
+    } catch {}
+
+    // Remove conf file
+    try { fs.unlinkSync(PF_CONF_PATH); } catch {}
+
+    return { success: true, message: 'pf redirect removed' };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/**
+ * Check if pf redirect is active.
+ */
+export function isPFRedirectActive(): boolean {
+  try {
+    const result = execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-sr'], {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return result.includes('rdr') || result.includes('route-to');
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Refresh IP addresses (IPs can change due to DNS).
+ * Call periodically to keep rules current.
+ */
+export async function refreshPFRules(proxyPort: number): Promise<void> {
+  const hostIPs = await resolveHosts();
+  let totalIPs = 0;
+  for (const ips of hostIPs.values()) totalIPs += ips.length;
+  if (totalIPs === 0) return;
+
+  const conf = generatePFConf(hostIPs, proxyPort);
+  fs.writeFileSync(PF_CONF_PATH, conf);
+
+  try {
+    execFileSync('sudo', ['pfctl', '-a', PF_ANCHOR, '-f', PF_CONF_PATH], { stdio: 'pipe' });
+  } catch {}
+}

package/src/test/dashboard.test.ts

@@ -43,6 +43,7 @@ describe('Dashboard & API', () => {
     assert.ok(res.headers['content-type']?.includes('text/html'));
     assert.ok(res.body.includes('SmartContext Proxy'));
     assert.ok(res.body.includes('Total Requests'));
+    assert.ok(res.body.includes('Settings'));
   });
 
   it('returns status via /_sc/status', async () => {