proxyagent 0.2.1__tar.gz → 0.3.1__tar.gz

{proxyagent-0.2.1 → proxyagent-0.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxyagent
-Version: 0.2.1
+Version: 0.3.1
 Summary: Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools.
 Project-URL: Homepage, https://github.com/teddyoweh/proxyagent
 Author-email: Spawn Labs <teddy@spawnlabs.ai>
@@ -64,7 +64,7 @@ machine never sees a real credential.
 ## Try it with zero keys (local)
 ```bash
 pip install proxyagent && proxyagent serve        # prints an admin token
-proxyagent token new local --admin pa_admin_…     # mint a token
+proxyagent token new local        # works locally, no admin token needed     # mint a token
 # call the built-in `mock` model — full pipeline (auth, scope, usage, cost, log), no real key:
 curl -s localhost:8080/anthropic/v1/messages -H "x-api-key: pa_…" \
   -d '{"model":"mock","max_tokens":50,"messages":[{"role":"user","content":"hi"}]}'
@@ -81,7 +81,7 @@ proxyagent serve                        # prints an admin token + a dashboard at
 
 **2. Mint a machine token** (scoped + revocable):
 ```bash
-proxyagent token new macbook-01 --scope "anthropic:claude-*" --admin pa_admin_…
+proxyagent token new macbook-01 --scope "anthropic:claude-*"   # local: no admin token needed
 ```
 
 **3. Run any agent on any machine — no real key there:**
@@ -162,6 +162,26 @@ proxyagent.run("claude-code", goal="build the app",
                proxy="https://proxy.you.com", token=token)
 ```
 
+## Supported providers
+`anthropic` · `openai` · `gemini` · `groq` · `openrouter` · `mistral` · `deepseek` ·
+`xai` · `together` — Anthropic uses its Messages API; the rest are OpenAI-compatible.
+Point a harness/agent at `https://proxy.you.com/<provider>/v1` and it routes there.
+Add or override any endpoint with `PROXYAGENT_<NAME>_ENDPOINT`.
+
+## Model remap — rename or reroute models
+Rewrite the requested model before forwarding — rename it, or reroute it to a totally
+different provider:
+
+```bash
+proxyagent alias set gpt-4o anthropic:claude-sonnet-4-5   # send "gpt-4o" calls to Claude
+proxyagent alias set '*' mock                             # force EVERYTHING offline (no keys)
+proxyagent alias ls
+```
+
+The `'*' → mock` trick is the **offline harness** unlock: point `claude-code` at the
+proxy, map everything to `mock`, and it runs end-to-end with zero keys and zero spend —
+perfect for local dev, demos, and CI.
+
 ## Supported harnesses
 `claude-code`, `codex`, and any **custom** command (`--command "my-agent {goal}"`). Adding one
 is a few lines — it just needs to respect `*_BASE_URL`.

{proxyagent-0.2.1 → proxyagent-0.3.1}/README.md

@@ -32,7 +32,7 @@ machine never sees a real credential.
 ## Try it with zero keys (local)
 ```bash
 pip install proxyagent && proxyagent serve        # prints an admin token
-proxyagent token new local --admin pa_admin_…     # mint a token
+proxyagent token new local        # works locally, no admin token needed     # mint a token
 # call the built-in `mock` model — full pipeline (auth, scope, usage, cost, log), no real key:
 curl -s localhost:8080/anthropic/v1/messages -H "x-api-key: pa_…" \
   -d '{"model":"mock","max_tokens":50,"messages":[{"role":"user","content":"hi"}]}'
@@ -49,7 +49,7 @@ proxyagent serve                        # prints an admin token + a dashboard at
 
 **2. Mint a machine token** (scoped + revocable):
 ```bash
-proxyagent token new macbook-01 --scope "anthropic:claude-*" --admin pa_admin_…
+proxyagent token new macbook-01 --scope "anthropic:claude-*"   # local: no admin token needed
 ```
 
 **3. Run any agent on any machine — no real key there:**
@@ -130,6 +130,26 @@ proxyagent.run("claude-code", goal="build the app",
                proxy="https://proxy.you.com", token=token)
 ```
 
+## Supported providers
+`anthropic` · `openai` · `gemini` · `groq` · `openrouter` · `mistral` · `deepseek` ·
+`xai` · `together` — Anthropic uses its Messages API; the rest are OpenAI-compatible.
+Point a harness/agent at `https://proxy.you.com/<provider>/v1` and it routes there.
+Add or override any endpoint with `PROXYAGENT_<NAME>_ENDPOINT`.
+
+## Model remap — rename or reroute models
+Rewrite the requested model before forwarding — rename it, or reroute it to a totally
+different provider:
+
+```bash
+proxyagent alias set gpt-4o anthropic:claude-sonnet-4-5   # send "gpt-4o" calls to Claude
+proxyagent alias set '*' mock                             # force EVERYTHING offline (no keys)
+proxyagent alias ls
+```
+
+The `'*' → mock` trick is the **offline harness** unlock: point `claude-code` at the
+proxy, map everything to `mock`, and it runs end-to-end with zero keys and zero spend —
+perfect for local dev, demos, and CI.
+
 ## Supported harnesses
 `claude-code`, `codex`, and any **custom** command (`--command "my-agent {goal}"`). Adding one
 is a few lines — it just needs to respect `*_BASE_URL`.

{proxyagent-0.2.1 → proxyagent-0.3.1}/proxyagent/__init__.py

@@ -16,7 +16,7 @@ from typing import Optional
 
 from .harness import run  # noqa: F401  (the headline SDK call)
 
-__version__ = "0.2.1"
+__version__ = "0.3.1"
 __all__ = ["run", "serve", "create_app", "Config", "Admin", "__version__"]
 
 

proxyagent-0.3.1/proxyagent/aliases.py

@@ -0,0 +1,49 @@
+"""Model remapping — rewrite the requested model (and optionally re-route to another
+provider) before forwarding.
+
+A map entry's value is either a model name (rename) or "provider:model" (reroute):
+
+    PROXYAGENT_MODEL_MAP='{"*": "mock"}'                       # force everything offline
+    PROXYAGENT_MODEL_MAP='{"gpt-4o": "anthropic:claude-sonnet-4-5"}'   # reroute to Claude
+
+Lookup order: exact "provider:model" → exact "model" → wildcard "*".
+Runtime overrides (set via the admin API) win over the env map.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+
+_RUNTIME: dict[str, str] = {}
+
+
+def _env_map() -> dict[str, str]:
+    raw = os.environ.get("PROXYAGENT_MODEL_MAP")
+    if not raw:
+        return {}
+    try:
+        return {str(k): str(v) for k, v in json.loads(raw).items()}
+    except Exception:
+        return {}
+
+
+def get_map() -> dict[str, str]:
+    return {**_env_map(), **_RUNTIME}
+
+
+def set_map(m: dict) -> None:
+    _RUNTIME.clear()
+    _RUNTIME.update({str(k): str(v) for k, v in (m or {}).items()})
+
+
+def remap(provider: str, model: str) -> tuple[str, str]:
+    """Return the (provider, model) to actually use."""
+    m = get_map()
+    target = m.get(f"{provider}:{model}") or m.get(model) or m.get("*")
+    if not target:
+        return provider, model
+    if ":" in target:
+        p, mm = target.split(":", 1)
+        return p, mm
+    return provider, target

{proxyagent-0.2.1 → proxyagent-0.3.1}/proxyagent/cli.py

@@ -16,6 +16,9 @@ console = Console()
 err = Console(stderr=True)
 
 
+DEFAULT_PROXY = "http://127.0.0.1:8080"
+
+
 def _admin_client(proxy: str, admin: Optional[str]) -> httpx.Client:
     admin = admin or os.environ.get("PROXYAGENT_ADMIN_TOKEN")
     if not admin:
@@ -25,6 +28,22 @@ def _admin_client(proxy: str, admin: Optional[str]) -> httpx.Client:
     return httpx.Client(base_url=proxy.rstrip("/"), headers={"x-admin-token": admin}, timeout=30)
 
 
+def _is_remote(proxy: str, admin: Optional[str]) -> bool:
+    """Manage a REMOTE proxy (via admin API) only if an admin token is given or the
+    proxy isn't localhost. Otherwise operate on the LOCAL store directly — no admin
+    token needed, you already have filesystem access."""
+    from urllib.parse import urlparse
+    if admin or os.environ.get("PROXYAGENT_ADMIN_TOKEN"):
+        return True
+    return urlparse(proxy).hostname not in (None, "127.0.0.1", "localhost", "0.0.0.0")
+
+
+def _local_store():
+    from .config import Config
+    from .store import Store
+    return Store(Config.load().db_path)
+
+
 @app.command()
 def serve(host: str = "127.0.0.1", port: int = 8080):
     """Run the proxy server + dashboard."""
@@ -36,15 +55,27 @@ def serve(host: str = "127.0.0.1", port: int = 8080):
     config = Config.load()
     if config.admin_token_plain:
         console.print(Panel.fit(
-            f"[green]✓ proxyagent[/green]\n\n[bold]Admin token[/bold] (shown once)\n"
+            f"[green]✓ proxyagent[/green]\n\n[bold]Admin token[/bold] (for the dashboard)\n"
             f"  [yellow]{config.admin_token_plain}[/yellow]\n\n"
-            f"[dim]Save it — you need it for the dashboard + `proxyagent token`.[/dim]",
+            f"[dim]Reveal anytime: [bold]proxyagent admin-token[/bold][/dim]",
             border_style="green"))
     console.print(f"[dim]Dashboard:[/dim] http://{host}:{port}   "
-                  f"[dim]providers:[/dim] {', '.join(config.configured_providers()) or 'none — set ANTHROPIC_API_KEY / OPENAI_API_KEY'}")
+                  f"[dim]providers:[/dim] {', '.join(config.configured_providers()) or 'none — `proxyagent provider add anthropic --key …`'}")
+    console.print("[dim]Mint a machine token in another terminal:[/dim] [bold]proxyagent token new[/bold] [dim](works locally, no admin token needed)[/dim]")
     uvicorn.run(create_app(config), host=host, port=port, log_level="warning")
 
 
+@app.command("admin-token")
+def admin_token():
+    """Print this machine's admin token (for the dashboard)."""
+    from .config import Config
+    cfg = Config.load()
+    if cfg.admin_token_plain:
+        console.print(cfg.admin_token_plain)
+    else:
+        err.print("[yellow]Admin token is set via PROXYAGENT_ADMIN_TOKEN (not stored here).[/yellow]")
+
+
 @app.command("run")
 def run_harness(
     harness: str = typer.Argument(..., help="claude-code | codex | <custom>"),
@@ -70,6 +101,46 @@ token_app = typer.Typer(help="Mint / list / revoke machine tokens.")
 app.add_typer(token_app, name="token")
 provider_app = typer.Typer(help="Add / list / remove provider credentials (stored, encrypted).")
 app.add_typer(provider_app, name="provider")
+alias_app = typer.Typer(help="Model remap — rename or reroute models (e.g. force everything to mock).")
+app.add_typer(alias_app, name="alias")
+
+
+@alias_app.command("ls")
+def alias_ls(proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
+             admin: str = typer.Option(None, "--admin")):
+    """Show the current model map."""
+    with _admin_client(proxy, admin) as c:
+        m = c.get("/admin/aliases").json()["map"]
+    if not m:
+        console.print("[dim]No aliases. e.g. `proxyagent alias set '*' mock`[/dim]"); return
+    t = Table(title="Model aliases")
+    t.add_column("Match"); t.add_column("→ Target")
+    for k, v in m.items():
+        t.add_row(k, v)
+    console.print(t)
+
+
+@alias_app.command("set")
+def alias_set(match: str, target: str,
+              proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
+              admin: str = typer.Option(None, "--admin")):
+    """Map a model → a model (rename) or 'provider:model' (reroute). Use '*' to catch all."""
+    with _admin_client(proxy, admin) as c:
+        m = c.get("/admin/aliases").json()["map"]
+        m[match] = target
+        c.put("/admin/aliases", json={"map": m})
+    console.print(f"[green]✓[/green] [cyan]{match}[/cyan] → {target}")
+
+
+@alias_app.command("rm")
+def alias_rm(match: str, proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
+             admin: str = typer.Option(None, "--admin")):
+    """Remove an alias."""
+    with _admin_client(proxy, admin) as c:
+        m = c.get("/admin/aliases").json()["map"]
+        m.pop(match, None)
+        c.put("/admin/aliases", json={"map": m})
+    console.print(f"[green]✓[/green] removed {match}")
 
 
 @provider_app.command("add")
@@ -82,13 +153,21 @@ def provider_add(
     admin: str = typer.Option(None, "--admin"),
 ):
     """Store a provider credential (encrypted if PROXYAGENT_SECRET_KEY is set)."""
-    with _admin_client(proxy, admin) as c:
-        r = c.post("/admin/providers", json={"provider": provider, "secret": key,
-                                             "kind": kind, "label": label})
-    if r.status_code >= 400:
-        err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
-    d = r.json()
-    note = "[green]encrypted[/green]" if d["stored"] == "encrypted" else "[yellow]plaintext — set PROXYAGENT_SECRET_KEY[/yellow]"
+    from .config import PROVIDERS
+    if provider not in PROVIDERS:
+        err.print(f"[red]✗[/red] unknown provider; known: {', '.join(PROVIDERS)}"); raise typer.Exit(1)
+    if not _is_remote(proxy, admin):
+        from . import crypto
+        _local_store().add_credential(provider, key, kind=kind, label=label)
+        stored = "encrypted" if crypto.encryption_available() else "plaintext"
+    else:
+        with _admin_client(proxy, admin) as c:
+            r = c.post("/admin/providers", json={"provider": provider, "secret": key,
+                                                 "kind": kind, "label": label})
+        if r.status_code >= 400:
+            err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
+        stored = r.json()["stored"]
+    note = "[green]encrypted[/green]" if stored == "encrypted" else "[yellow]plaintext — set PROXYAGENT_SECRET_KEY[/yellow]"
     console.print(f"[green]✓[/green] stored [cyan]{provider}[/cyan] ({kind}) · {note}")
 
 
@@ -96,11 +175,19 @@ def provider_add(
 def provider_ls(proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
                 admin: str = typer.Option(None, "--admin")):
     """List stored provider credentials (secrets never shown)."""
-    with _admin_client(proxy, admin) as c:
-        r = c.get("/admin/providers")
-    if r.status_code >= 400:
-        err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
-    d = r.json()
+    if not _is_remote(proxy, admin):
+        from . import crypto
+        from .config import PROVIDERS
+        creds = _local_store().list_credentials()
+        configured = sorted({n for n, p in PROVIDERS.items() if p.key}
+                            | {c["provider"] for c in creds if c["active"]})
+        d = {"credentials": creds, "configured": configured, "encryption": crypto.encryption_available()}
+    else:
+        with _admin_client(proxy, admin) as c:
+            r = c.get("/admin/providers")
+        if r.status_code >= 400:
+            err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
+        d = r.json()
     t = Table(title=f"Provider credentials  ·  encryption {'on' if d['encryption'] else 'OFF'}")
     for col in ("ID", "Provider", "Kind", "Label", "Active"):
         t.add_column(col)
@@ -115,10 +202,14 @@ def provider_ls(proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
 def provider_rm(cred_id: str, proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
                 admin: str = typer.Option(None, "--admin")):
     """Remove a stored credential."""
-    with _admin_client(proxy, admin) as c:
-        r = c.delete(f"/admin/providers/{cred_id}")
-    if r.status_code >= 400:
-        err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
+    if not _is_remote(proxy, admin):
+        if not _local_store().remove_credential(cred_id):
+            err.print(f"[red]✗[/red] no such credential"); raise typer.Exit(1)
+    else:
+        with _admin_client(proxy, admin) as c:
+            r = c.delete(f"/admin/providers/{cred_id}")
+        if r.status_code >= 400:
+            err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
     console.print(f"[green]✓[/green] removed {cred_id}")
 
 
@@ -132,14 +223,17 @@ def token_new(
     admin: Optional[str] = typer.Option(None, "--admin"),
 ):
     """Mint a machine token — give it to a remote machine; it holds no real key."""
-    with _admin_client(proxy, admin) as c:
-        r = c.post("/admin/tokens", json={"label": label, "scope": list(scope),
-                                          "ttl_seconds": ttl, "rate_limit": rate})
-    if r.status_code >= 400:
-        err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
-    d = r.json()
+    if not _is_remote(proxy, admin):
+        plain, _ = _local_store().create_token(label, list(scope), ttl_seconds=ttl, rate_limit=rate)
+    else:
+        with _admin_client(proxy, admin) as c:
+            r = c.post("/admin/tokens", json={"label": label, "scope": list(scope),
+                                              "ttl_seconds": ttl, "rate_limit": rate})
+        if r.status_code >= 400:
+            err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
+        plain = r.json()["token"]
     console.print(Panel.fit(
-        f"[green]✓ machine token[/green] [dim]({label})[/dim]\n\n  [yellow]{d['token']}[/yellow]\n\n"
+        f"[green]✓ machine token[/green] [dim]({label})[/dim]\n\n  [yellow]{plain}[/yellow]\n\n"
         f"[dim]scope: {', '.join(scope)} · shown once[/dim]", border_style="green"))
 
 
@@ -147,11 +241,17 @@ def token_new(
 def token_ls(proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
              admin: Optional[str] = typer.Option(None, "--admin")):
     """List machine tokens."""
-    with _admin_client(proxy, admin) as c:
-        r = c.get("/admin/tokens")
-    if r.status_code >= 400:
-        err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
-    rows = r.json()["tokens"]
+    if not _is_remote(proxy, admin):
+        import json as _json
+        rows = [{"id": t["id"], "label": t["label"], "masked": t["masked"],
+                 "scope": _json.loads(t["scope_json"]), "revoked": t["revoked"]}
+                for t in _local_store().list_tokens()]
+    else:
+        with _admin_client(proxy, admin) as c:
+            r = c.get("/admin/tokens")
+        if r.status_code >= 400:
+            err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
+        rows = r.json()["tokens"]
     if not rows:
         console.print("[dim]No tokens.[/dim]"); return
     t = Table(title="Machine tokens")
@@ -167,10 +267,14 @@ def token_ls(proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
 def token_revoke(token_id: str, proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
                  admin: Optional[str] = typer.Option(None, "--admin")):
     """Revoke a token by id."""
-    with _admin_client(proxy, admin) as c:
-        r = c.delete(f"/admin/tokens/{token_id}")
-    if r.status_code >= 400:
-        err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
+    if not _is_remote(proxy, admin):
+        if not _local_store().revoke_token(token_id):
+            err.print(f"[red]✗[/red] no such token"); raise typer.Exit(1)
+    else:
+        with _admin_client(proxy, admin) as c:
+            r = c.delete(f"/admin/tokens/{token_id}")
+        if r.status_code >= 400:
+            err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
     console.print(f"[green]✓[/green] revoked {token_id}")
 
 

proxyagent-0.3.1/proxyagent/config.py

@@ -0,0 +1,95 @@
+"""Configuration — provider upstreams, real credentials (env only), paths, admin auth.
+
+Real keys are read from the environment and never persisted. The proxy is the ONLY
+place they live.
+"""
+
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from .security import hash_token, new_token, ADMIN_PREFIX
+
+HOME = Path(os.environ.get("PROXYAGENT_HOME", Path.home() / ".proxyagent"))
+
+
+@dataclass
+class Provider:
+    name: str
+    endpoint: str          # full upstream URL (e.g. …/v1/chat/completions)
+    key_env: str           # env var holding the REAL key
+    auth_style: str        # "bearer" | "x-api-key"
+    shape: str             # "openai" | "anthropic" (request + usage format)
+    extra_headers: dict = field(default_factory=dict)
+
+    @property
+    def key(self) -> str | None:
+        return os.environ.get(self.key_env)
+
+    def auth_headers(self) -> dict:
+        key = self.key
+        if not key:
+            return {}
+        if self.auth_style == "x-api-key":
+            return {"x-api-key": key, **self.extra_headers}
+        return {"Authorization": f"Bearer {key}", **self.extra_headers}
+
+
+def _p(name, endpoint, key_env, *, shape="openai", style="bearer", extra=None) -> Provider:
+    endpoint = os.environ.get(f"PROXYAGENT_{name.upper()}_ENDPOINT", endpoint)
+    return Provider(name, endpoint, key_env, style, shape, extra or {})
+
+
+# Built-in upstreams. Anthropic uses its Messages API; the rest are OpenAI-compatible.
+# Add your own / override endpoints via PROXYAGENT_<NAME>_ENDPOINT.
+PROVIDERS: dict[str, Provider] = {
+    "anthropic":  _p("anthropic", "https://api.anthropic.com/v1/messages", "ANTHROPIC_API_KEY",
+                     shape="anthropic", style="x-api-key",
+                     extra={"anthropic-version": os.environ.get("ANTHROPIC_VERSION", "2023-06-01")}),
+    "openai":     _p("openai", "https://api.openai.com/v1/chat/completions", "OPENAI_API_KEY"),
+    "gemini":     _p("gemini", "https://generativelanguage.googleapis.com/v1beta/openai/chat/completions", "GEMINI_API_KEY"),
+    "groq":       _p("groq", "https://api.groq.com/openai/v1/chat/completions", "GROQ_API_KEY"),
+    "openrouter": _p("openrouter", "https://openrouter.ai/api/v1/chat/completions", "OPENROUTER_API_KEY"),
+    "mistral":    _p("mistral", "https://api.mistral.ai/v1/chat/completions", "MISTRAL_API_KEY"),
+    "deepseek":   _p("deepseek", "https://api.deepseek.com/v1/chat/completions", "DEEPSEEK_API_KEY"),
+    "xai":        _p("xai", "https://api.x.ai/v1/chat/completions", "XAI_API_KEY"),
+    "together":   _p("together", "https://api.together.xyz/v1/chat/completions", "TOGETHER_API_KEY"),
+}
+
+
+@dataclass
+class Config:
+    home: Path = HOME
+    db_path: str = ""
+    admin_token_hash: str = ""
+    admin_token_plain: str | None = None   # only set when freshly generated
+    request_timeout: float = 600.0
+
+    @classmethod
+    def load(cls) -> "Config":
+        HOME.mkdir(parents=True, exist_ok=True)
+        cfg = cls(db_path=str(HOME / "proxyagent.db"))
+        # Admin token: from env, or a persisted one, or freshly generated (shown once).
+        env_admin = os.environ.get("PROXYAGENT_ADMIN_TOKEN")
+        admin_file = HOME / "admin_token"
+        existing = admin_file.read_text().strip() if admin_file.exists() else ""
+        if env_admin:
+            # Production: trust the env token, persist nothing.
+            cfg.admin_token_hash = hash_token(env_admin)
+        elif existing.startswith(ADMIN_PREFIX):
+            # Local: the plaintext is stored (0600) so the dashboard stays reachable.
+            cfg.admin_token_plain = existing
+            cfg.admin_token_hash = hash_token(existing)
+        else:
+            # Fresh (or migrating an old hash-only file we can't recover): regenerate.
+            plain = new_token(ADMIN_PREFIX)
+            admin_file.write_text(plain)
+            admin_file.chmod(0o600)
+            cfg.admin_token_plain = plain
+            cfg.admin_token_hash = hash_token(plain)
+        return cfg
+
+    def configured_providers(self) -> list[str]:
+        return [n for n, p in PROVIDERS.items() if p.key]

{proxyagent-0.2.1 → proxyagent-0.3.1}/proxyagent/providers.py

@@ -16,13 +16,6 @@ from . import pricing
 from .config import Config, PROVIDERS
 from .store import Store, now_ms
 
-# Map our public path → (provider, upstream path).
-ROUTES = {
-    "anthropic": ("anthropic", "/v1/messages"),
-    "openai": ("openai", "/v1/chat/completions"),
-}
-
-
 def resolve_auth(provider, store: Store | None) -> tuple[dict, bool]:
     """Auth headers for an upstream call. A stored credential (proxy_agent_keys) wins
     over the env key; returns ({}, False) when nothing is configured."""
@@ -55,7 +48,7 @@ def _extract_usage(provider: str, payload: dict) -> tuple[int | None, int | None
 
 
 async def forward(
-    config: Config, provider_name: str, upstream_path: str, body: dict,
+    config: Config, provider_name: str, body: dict,
     *, streaming: bool, token: dict, store: Store, tools_used: list[str] | None = None,
 ):
     """Forward a request upstream. Returns (status, headers, body_iter_or_dict, log_after)."""
@@ -66,7 +59,7 @@ async def forward(
     # Offline mock — exercise the full pipeline (auth, scope, log, cost) with NO real
     # key. Use model "mock" (or "mock-…") anywhere a real model would go.
     if model.startswith("mock"):
-        payload, (ptok, ctok) = _mock_payload(provider_name, body)
+        payload, (ptok, ctok) = _mock_payload(provider.shape, body)
         store.log_request(
             token_id=token["id"], token_label=token.get("label"), provider=provider_name,
             model=model, status=200, prompt_tokens=ptok, completion_tokens=ctok,
@@ -74,7 +67,7 @@ async def forward(
             tools_used=json.dumps(tools_used or []), cost_usd=pricing.cost_usd(model, ptok, ctok),
             error=None)
         if streaming:
-            return 200, {"content-type": "text/event-stream"}, _mock_stream(provider_name, payload), None
+            return 200, {"content-type": "text/event-stream"}, _mock_stream(provider.shape, payload), None
         return 200, {"content-type": "application/json"}, payload, None
 
     auth, ok = resolve_auth(provider, store)
@@ -82,7 +75,7 @@ async def forward(
         return 502, {}, {"error": f"provider '{provider_name}' not configured on the proxy "
                                   f"(set {provider.key_env} or `proxyagent provider add {provider_name}`)"}, None
 
-    url = provider.base_url + upstream_path
+    url = provider.endpoint
     headers = {"content-type": "application/json", **auth}
 
     def _log(status, ptok, ctok, err=None):
@@ -127,7 +120,7 @@ async def forward(
         payload = resp.json()
     except Exception:
         payload = {"error": resp.text}
-    ptok, ctok = _extract_usage(provider_name, payload if isinstance(payload, dict) else {})
+    ptok, ctok = _extract_usage(provider.shape, payload if isinstance(payload, dict) else {})
     _log(resp.status_code, ptok, ctok, None if resp.is_success else str(payload)[:300])
     return resp.status_code, {"content-type": "application/json"}, payload, None
 

{proxyagent-0.2.1 → proxyagent-0.3.1}/proxyagent/server.py

@@ -14,9 +14,9 @@ from fastapi import FastAPI, Header, HTTPException, Request
 from fastapi.responses import HTMLResponse, JSONResponse, StreamingResponse
 from pydantic import BaseModel
 
-from . import crypto
+from . import aliases, crypto
 from .config import Config, PROVIDERS
-from .providers import ROUTES, forward, scope_allows
+from .providers import forward, scope_allows
 from .security import token_matches
 from .store import Store, now_ms
 from .tools import ToolRegistry
@@ -83,38 +83,44 @@ def create_app(config: Config | None = None) -> FastAPI:
     # ------------------------------------------------------------------ #
     # Provider proxy endpoints
     # ------------------------------------------------------------------ #
-    async def _proxy(provider_key: str, request: Request, authorization, x_api_key):
+    async def _proxy(provider: str, request: Request, authorization, x_api_key):
         token = auth_machine(authorization, x_api_key)
-        provider_name, upstream_path = ROUTES[provider_key]
+        if provider not in PROVIDERS:
+            raise HTTPException(404, f"unknown provider '{provider}' (known: {list(PROVIDERS)})")
         body = await request.json()
-        model = body.get("model", "")
+        # model remap — may rename the model and/or reroute to another provider
+        provider, model = aliases.remap(provider, body.get("model", ""))
+        if provider not in PROVIDERS:
+            raise HTTPException(400, f"alias target provider '{provider}' is unknown")
+        body["model"] = model
         scope = _json.loads(token["scope_json"])
-        if not scope_allows(scope, provider_name, model):
-            raise HTTPException(403, f"token scope does not allow {provider_name}:{model}")
+        if not scope_allows(scope, provider, model):
+            raise HTTPException(403, f"token scope does not allow {provider}:{model}")
 
         used_tools: list[str] = []
         if request.headers.get("x-proxyagent-tools", "").lower() in ("1", "on", "true"):
-            body = tools.inject(body, provider_name)
+            body = tools.inject(body, PROVIDERS[provider].shape)
             used_tools = tools.names()
 
         streaming = bool(body.get("stream"))
         status, headers, payload, _ = await forward(
-            config, provider_name, upstream_path, body,
-            streaming=streaming, token=token, store=store, tools_used=used_tools,
-        )
+            config, provider, body, streaming=streaming, token=token, store=store,
+            tools_used=used_tools)
         if streaming:
             return StreamingResponse(payload, media_type="text/event-stream")
         return JSONResponse(payload, status_code=status)
 
-    @app.post("/anthropic/v1/messages")
-    async def anthropic(request: Request, authorization: str | None = Header(None),
-                        x_api_key: str | None = Header(None)):
-        return await _proxy("anthropic", request, authorization, x_api_key)
+    # OpenAI-compatible providers hit /<provider>/v1/chat/completions; Anthropic-style
+    # hit /<provider>/v1/messages. The provider segment selects the upstream.
+    @app.post("/{provider}/v1/chat/completions")
+    async def chat(provider: str, request: Request, authorization: str | None = Header(None),
+                   x_api_key: str | None = Header(None)):
+        return await _proxy(provider, request, authorization, x_api_key)
 
-    @app.post("/openai/v1/chat/completions")
-    async def openai(request: Request, authorization: str | None = Header(None),
-                     x_api_key: str | None = Header(None)):
-        return await _proxy("openai", request, authorization, x_api_key)
+    @app.post("/{provider}/v1/messages")
+    async def messages(provider: str, request: Request, authorization: str | None = Header(None),
+                       x_api_key: str | None = Header(None)):
+        return await _proxy(provider, request, authorization, x_api_key)
 
     # ------------------------------------------------------------------ #
     # Tools — execute a proxied tool (creds stay here)
@@ -212,10 +218,26 @@ def create_app(config: Config | None = None) -> FastAPI:
             raise HTTPException(404, "no such credential")
         return {"ok": True}
 
+    # -- model aliases / remap -------------------------------------------- #
+    @app.get("/admin/aliases")
+    async def get_aliases(authorization: str | None = Header(None),
+                          x_admin_token: str | None = Header(None)):
+        require_admin(authorization, x_admin_token)
+        return {"map": aliases.get_map()}
+
+    @app.put("/admin/aliases")
+    async def set_aliases(request: Request, authorization: str | None = Header(None),
+                          x_admin_token: str | None = Header(None)):
+        require_admin(authorization, x_admin_token)
+        body = await request.json()
+        aliases.set_map(body.get("map", body))
+        return {"map": aliases.get_map()}
+
     @app.get("/healthz")
     async def healthz():
-        return {"ok": True, "providers": _configured(), "tools": tools.names(),
-                "backend": store.backend}
+        return {"ok": True, "providers": _configured(), "available": sorted(PROVIDERS),
+                "tools": tools.names(), "backend": store.backend,
+                "aliases": len(aliases.get_map())}
 
     # ------------------------------------------------------------------ #
     # Dashboard

{proxyagent-0.2.1 → proxyagent-0.3.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "proxyagent"
-version = "0.2.1"
+version = "0.3.1"
 description = "Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools."
 readme = "README.md"
 requires-python = ">=3.10"

{proxyagent-0.2.1 → proxyagent-0.3.1}/tests/test_proxy.py

@@ -5,9 +5,18 @@ import os
 os.environ.setdefault("PROXYAGENT_HOME", "/tmp/proxyagent_test_home")
 os.environ["PROXYAGENT_ADMIN_TOKEN"] = "pa_admin_test"
 
+import pytest  # noqa: E402
 from fastapi.testclient import TestClient  # noqa: E402
 
-from proxyagent.config import Config  # noqa: E402
+from proxyagent import aliases as _aliases  # noqa: E402
+from proxyagent.config import Config, PROVIDERS  # noqa: E402
+
+
+@pytest.fixture(autouse=True)
+def _reset_aliases():
+    _aliases.set_map({})
+    yield
+    _aliases.set_map({})
 from proxyagent.providers import scope_allows  # noqa: E402
 from proxyagent.security import hash_token, token_matches, new_token  # noqa: E402
 from proxyagent.server import create_app  # noqa: E402
@@ -126,3 +135,33 @@ def test_provider_admin_endpoints():
     # unknown provider rejected
     assert c.post("/admin/providers", headers=ADMIN,
                   json={"provider": "nope", "secret": "x"}).status_code == 400
+
+
+def test_more_providers_route():
+    # new providers are routable; mock works on any of them with no key
+    assert "groq" in PROVIDERS and "gemini" in PROVIDERS and "openrouter" in PROVIDERS
+    c = _client()
+    tok = c.post("/admin/tokens", headers=ADMIN, json={"scope": ["*"]}).json()["token"]
+    r = c.post("/groq/v1/chat/completions", headers={"authorization": f"Bearer {tok}"},
+               json={"model": "mock", "messages": [{"role": "user", "content": "hi"}]})
+    assert r.status_code == 200 and r.json()["choices"][0]["message"]["content"].startswith("[proxyagent mock]")
+    # unknown provider → 404
+    assert c.post("/nope/v1/chat/completions", headers={"authorization": f"Bearer {tok}"},
+                  json={"model": "mock", "messages": []}).status_code == 404
+
+
+def test_model_remap_forces_mock_offline():
+    c = _client()
+    tok = c.post("/admin/tokens", headers=ADMIN, json={"scope": ["*"]}).json()["token"]
+    # map everything to mock → a "real" model call runs offline, no key
+    c.put("/admin/aliases", headers=ADMIN, json={"map": {"*": "mock"}})
+    r = c.post("/openai/v1/chat/completions", headers={"authorization": f"Bearer {tok}"},
+               json={"model": "gpt-4o", "messages": [{"role": "user", "content": "hi"}]})
+    assert r.status_code == 200 and "[proxyagent mock]" in r.json()["choices"][0]["message"]["content"]
+
+
+def test_model_remap_reroutes_provider():
+    from proxyagent.aliases import remap
+    _aliases.set_map({"gpt-4o": "anthropic:mock"})
+    assert remap("openai", "gpt-4o") == ("anthropic", "mock")
+    assert remap("openai", "gpt-4o-mini") == ("openai", "gpt-4o-mini")  # no match

proxyagent-0.2.1/proxyagent/config.py

@@ -1,82 +0,0 @@
-"""Configuration — provider upstreams, real credentials (env only), paths, admin auth.
-
-Real keys are read from the environment and never persisted. The proxy is the ONLY
-place they live.
-"""
-
-from __future__ import annotations
-
-import os
-from dataclasses import dataclass, field
-from pathlib import Path
-
-from .security import hash_token, new_token, ADMIN_PREFIX
-
-HOME = Path(os.environ.get("PROXYAGENT_HOME", Path.home() / ".proxyagent"))
-
-
-@dataclass
-class Provider:
-    name: str
-    base_url: str          # upstream API root
-    key_env: str           # env var holding the REAL key
-    auth_style: str        # "bearer" (OpenAI) | "x-api-key" (Anthropic)
-    extra_headers: dict = field(default_factory=dict)
-
-    @property
-    def key(self) -> str | None:
-        return os.environ.get(self.key_env)
-
-    def auth_headers(self) -> dict:
-        key = self.key
-        if not key:
-            return {}
-        if self.auth_style == "x-api-key":
-            return {"x-api-key": key, **self.extra_headers}
-        return {"Authorization": f"Bearer {key}", **self.extra_headers}
-
-
-# Built-in upstreams. base_url overridable via env (e.g. Azure, self-hosted, gateways).
-def _provider(name, default_base, key_env, style, extra=None) -> Provider:
-    base = os.environ.get(f"PROXYAGENT_{name.upper()}_BASE_URL", default_base)
-    return Provider(name, base.rstrip("/"), key_env, style, extra or {})
-
-
-PROVIDERS: dict[str, Provider] = {
-    "anthropic": _provider(
-        "anthropic", "https://api.anthropic.com", "ANTHROPIC_API_KEY", "x-api-key",
-        {"anthropic-version": os.environ.get("ANTHROPIC_VERSION", "2023-06-01")},
-    ),
-    "openai": _provider("openai", "https://api.openai.com", "OPENAI_API_KEY", "bearer"),
-}
-
-
-@dataclass
-class Config:
-    home: Path = HOME
-    db_path: str = ""
-    admin_token_hash: str = ""
-    admin_token_plain: str | None = None   # only set when freshly generated
-    request_timeout: float = 600.0
-
-    @classmethod
-    def load(cls) -> "Config":
-        HOME.mkdir(parents=True, exist_ok=True)
-        cfg = cls(db_path=str(HOME / "proxyagent.db"))
-        # Admin token: from env, or a persisted one, or freshly generated (shown once).
-        env_admin = os.environ.get("PROXYAGENT_ADMIN_TOKEN")
-        admin_file = HOME / "admin_token"
-        if env_admin:
-            cfg.admin_token_hash = hash_token(env_admin)
-        elif admin_file.exists():
-            cfg.admin_token_hash = admin_file.read_text().strip()
-        else:
-            plain = new_token(ADMIN_PREFIX)
-            cfg.admin_token_hash = hash_token(plain)
-            admin_file.write_text(cfg.admin_token_hash)
-            admin_file.chmod(0o600)
-            cfg.admin_token_plain = plain
-        return cfg
-
-    def configured_providers(self) -> list[str]:
-        return [n for n, p in PROVIDERS.items() if p.key]