shunt-proxy 0.1.35

A local proxy that pools multiple Claude accounts behind a single endpoint, routing requests to maximise rate limits
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

//! Credential bundle encryption and relay upload/download for `shunt push` / `shunt login`.
//!
//! Security model:
//! - Transfer code = 9 random bytes encoded as 18 hex chars, prefixed with "SH-"
//! - Encryption key = SHA-256(code) — 32 bytes, never sent to the relay
//! - Cipher: AES-256-GCM with a random 12-byte nonce
//! - Wire payload = base64(nonce_12B ‖ ciphertext_with_tag)
//! - Relay stores only ciphertext; bundle is deleted after first download

use std::collections::HashMap;

use aes_gcm::{
    aead::{Aead, KeyInit},
    Aes256Gcm, Key, Nonce,
};
use anyhow::{bail, Context, Result};
use base64::{engine::general_purpose::STANDARD as B64, Engine as _};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};

use crate::oauth::OAuthCredential;

// ---------------------------------------------------------------------------
// Bundle
// ---------------------------------------------------------------------------

#[derive(Debug, Serialize, Deserialize)]
pub struct SyncBundle {
    pub config_toml: String,
    pub accounts: HashMap<String, OAuthCredential>,
}

// ---------------------------------------------------------------------------
// Code generation
// ---------------------------------------------------------------------------

/// Generate a random transfer code like `SH-a3f2b1c4d5e6f7a8b9`.
pub fn generate_code() -> String {
    let bytes = crate::oauth::rand_bytes::<9>();
    format!("SH-{}", hex::encode(bytes))
}

/// Validate that a code looks like what we generated.
pub fn validate_code(code: &str) -> Result<()> {
    if !code.starts_with("SH-") || code.len() != 21 {
        bail!("Invalid transfer code format. Expected SH-<18 hex chars> (e.g. SH-a3f2b1c4d5e6f7a8b9).");
    }
    if !code[3..].chars().all(|c| c.is_ascii_hexdigit()) {
        bail!("Invalid transfer code — must be hex characters after 'SH-'.");
    }
    Ok(())
}

// ---------------------------------------------------------------------------
// Encryption / decryption
// ---------------------------------------------------------------------------

fn derive_key(code: &str) -> [u8; 32] {
    let hash = Sha256::digest(code.as_bytes());
    hash.into()
}

/// Encrypt a `SyncBundle` and return a base64-encoded payload string.
pub fn encrypt_bundle(bundle: &SyncBundle, code: &str) -> Result<String> {
    let json = serde_json::to_vec(bundle).context("failed to serialize bundle")?;

    let key_bytes = derive_key(code);
    let key = Key::<Aes256Gcm>::from_slice(&key_bytes);
    let cipher = Aes256Gcm::new(key);

    let nonce_bytes = crate::oauth::rand_bytes::<12>();
    let nonce = Nonce::from_slice(&nonce_bytes);

    let ciphertext = cipher
        .encrypt(nonce, json.as_slice())
        .map_err(|e| anyhow::anyhow!("encryption failed: {e}"))?;

    // wire: nonce(12) ‖ ciphertext
    let mut wire = Vec::with_capacity(12 + ciphertext.len());
    wire.extend_from_slice(&nonce_bytes);
    wire.extend_from_slice(&ciphertext);

    Ok(B64.encode(wire))
}

/// Decrypt a base64-encoded payload into a `SyncBundle`.
pub fn decrypt_bundle(payload_b64: &str, code: &str) -> Result<SyncBundle> {
    let wire = B64
        .decode(payload_b64)
        .context("invalid base64 in payload")?;

    if wire.len() < 12 {
        bail!("payload too short");
    }

    let (nonce_bytes, ciphertext) = wire.split_at(12);

    let key_bytes = derive_key(code);
    let key = Key::<Aes256Gcm>::from_slice(&key_bytes);
    let cipher = Aes256Gcm::new(key);
    let nonce = Nonce::from_slice(nonce_bytes);

    let plaintext = cipher
        .decrypt(nonce, ciphertext)
        .map_err(|_| anyhow::anyhow!("decryption failed — wrong code or corrupted payload"))?;

    serde_json::from_slice::<SyncBundle>(&plaintext).context("failed to deserialize bundle")
}

// ---------------------------------------------------------------------------
// Relay HTTP
// ---------------------------------------------------------------------------

/// Upload an encrypted payload to the relay under the given code.
pub async fn push_to_relay(code: &str, payload: &str, relay_url: &str) -> Result<()> {
    let client = reqwest::Client::builder()
        .timeout(std::time::Duration::from_secs(15))
        .build()?;

    let body = serde_json::json!({ "code": code, "payload": payload });

    let resp = client
        .post(format!("{relay_url}/bundle"))
        .json(&body)
        .send()
        .await
        .context("failed to reach relay")?;

    if !resp.status().is_success() {
        let status = resp.status();
        let text = resp.text().await.unwrap_or_default();
        bail!("relay returned {status}: {text}");
    }

    Ok(())
}

/// Download and delete the encrypted payload for the given code from the relay.
/// Returns the base64 payload string.
pub async fn pull_from_relay(code: &str, relay_url: &str) -> Result<String> {
    let client = reqwest::Client::builder()
        .timeout(std::time::Duration::from_secs(15))
        .build()?;

    let resp = client
        .get(format!("{relay_url}/bundle/{code}"))
        .send()
        .await
        .context("failed to reach relay")?;

    if resp.status() == reqwest::StatusCode::NOT_FOUND {
        bail!("Code not found or already used. Codes are one-time use — run `shunt push` again to get a new one.");
    }

    if !resp.status().is_success() {
        let status = resp.status();
        let text = resp.text().await.unwrap_or_default();
        bail!("relay returned {status}: {text}");
    }

    let json: serde_json::Value = resp.json().await.context("invalid response from relay")?;
    json["payload"]
        .as_str()
        .map(|s| s.to_owned())
        .context("relay response missing 'payload' field")
}