feat(sidecars): add proxied sidecar tabs (#279)

## Summary
- add SideCar support across the server and UI, including proxied tabs,
picker/settings flows, and websocket-aware proxying
- unify top-level tab handling so workspace instances and SideCars share
the same tab model and navigation flows
- limit SideCars to port-based services only, removing server-managed
process control from the final API and UI

---------

Co-authored-by: Shantur <shantur@Mac.home>
Co-authored-by: Shantur <shantur@Shanturs-MacBook-Pro-M5.local>

packages/server/src/api-types.ts

@@ -170,6 +170,24 @@ export interface InstanceStreamEvent {
   [key: string]: unknown
 }
 
+export type SideCarKind = "port"
+
+export type SideCarPrefixMode = "strip" | "preserve"
+
+export type SideCarStatus = "running" | "stopped"
+
+export interface SideCar {
+  id: string
+  kind: SideCarKind
+  name: string
+  port: number
+  insecure: boolean
+  prefixMode: SideCarPrefixMode
+  status: SideCarStatus
+  createdAt: string
+  updatedAt: string
+}
+
 export interface BinaryRecord {
   id: string
   path: string
@@ -276,6 +294,8 @@ export type WorkspaceEventType =
   | "workspace.error"
   | "workspace.stopped"
   | "workspace.log"
+  | "sidecar.updated"
+  | "sidecar.removed"
   | "storage.configChanged"
   | "storage.stateChanged"
   | "instance.dataChanged"
@@ -288,6 +308,8 @@ export type WorkspaceEventPayload =
   | { type: "workspace.error"; workspace: WorkspaceDescriptor }
   | { type: "workspace.stopped"; workspaceId: string }
   | { type: "workspace.log"; entry: WorkspaceLogEntry }
+  | { type: "sidecar.updated"; sidecar: SideCar }
+  | { type: "sidecar.removed"; sidecarId: string }
   | { type: "storage.configChanged"; owner: SettingsOwner; value: SettingsBucket }
   | { type: "storage.stateChanged"; owner: SettingsOwner; value: SettingsBucket }
   | { type: "instance.dataChanged"; instanceId: string; data: InstanceData }

packages/server/src/auth/manager.ts

@@ -104,13 +104,18 @@ export class AuthManager {
   }
 
   getSessionFromRequest(request: FastifyRequest): { username: string; sessionId: string } | null {
+    return this.getSessionFromHeaders(request.headers)
+  }
+
+  getSessionFromHeaders(headers: { cookie?: string | string[] | undefined }): { username: string; sessionId: string } | null {
     if (!this.authEnabled) {
       // When auth is disabled, treat all requests as authenticated.
       // We still return a stable username so callers can display it.
       return { username: this.init.username, sessionId: "auth-disabled" }
     }
 
-    const cookies = parseCookies(request.headers.cookie)
+    const cookieHeader = Array.isArray(headers.cookie) ? headers.cookie.join("; ") : headers.cookie
+    const cookies = parseCookies(cookieHeader)
     const sessionId = cookies[this.cookieName]
     const session = this.sessionManager.getSession(sessionId)
     if (!session) return null

packages/server/src/events/bus.ts

@@ -24,6 +24,8 @@ export class EventBus extends EventEmitter {
     this.on("workspace.error", handler)
     this.on("workspace.stopped", handler)
     this.on("workspace.log", handler)
+    this.on("sidecar.updated", handler)
+    this.on("sidecar.removed", handler)
     this.on("storage.configChanged", handler)
     this.on("storage.stateChanged", handler)
     this.on("instance.dataChanged", handler)
@@ -35,6 +37,8 @@ export class EventBus extends EventEmitter {
       this.off("workspace.error", handler)
       this.off("workspace.stopped", handler)
       this.off("workspace.log", handler)
+      this.off("sidecar.updated", handler)
+      this.off("sidecar.removed", handler)
       this.off("storage.configChanged", handler)
       this.off("storage.stateChanged", handler)
       this.off("instance.dataChanged", handler)

packages/server/src/index.ts

@@ -24,6 +24,7 @@ import { resolveHttpsOptions } from "./server/tls"
 import { resolveNetworkAddresses, resolveRemoteAddresses } from "./server/network-addresses"
 import { startDevReleaseMonitor } from "./releases/dev-release-monitor"
 import { SpeechService } from "./speech/service"
+import { SideCarManager } from "./sidecars/manager"
 
 const require = createRequire(import.meta.url)
 
@@ -315,6 +316,11 @@ async function main() {
   const fileSystemBrowser = new FileSystemBrowser({ rootDir: options.rootDir, unrestricted: options.unrestrictedRoot })
   const instanceStore = new InstanceStore(configLocation.instancesDir)
   const speechService = new SpeechService(settings, logger.child({ component: "speech" }))
+  const sidecarManager = new SideCarManager({
+    settings,
+    eventBus,
+    logger: logger.child({ component: "sidecars" }),
+  })
   const instanceEventBridge = new InstanceEventBridge({
     workspaceManager,
     eventBus,
@@ -400,6 +406,7 @@ async function main() {
         serverMeta,
         instanceStore,
         speechService,
+        sidecarManager,
         authManager,
         uiStaticDir: uiResolution.uiStaticDir ?? DEFAULT_UI_STATIC_DIR,
         uiDevServerUrl: uiResolution.uiDevServerUrl,
@@ -421,6 +428,7 @@ async function main() {
         serverMeta,
         instanceStore,
         speechService,
+        sidecarManager,
         authManager,
         uiStaticDir: uiResolution.uiStaticDir ?? DEFAULT_UI_STATIC_DIR,
         uiDevServerUrl: undefined,
@@ -520,6 +528,12 @@ async function main() {
         logger.warn({ err: error }, "Instance event bridge shutdown failed")
       }
 
+      try {
+        await sidecarManager.shutdown()
+      } catch (error) {
+        logger.error({ err: error }, "SideCar manager shutdown failed")
+      }
+
       try {
         await workspaceManager.shutdown()
         logger.info("Workspace manager shutdown complete")

packages/server/src/server/http-server.ts

@@ -3,7 +3,9 @@ import cors from "@fastify/cors"
 import fastifyStatic from "@fastify/static"
 import replyFrom from "@fastify/reply-from"
 import fs from "fs"
+import { connect as connectTcp, type Socket } from "net"
 import path from "path"
+import { connect as connectTls, type TLSSocket } from "tls"
 import { fetch } from "undici"
 import type { Logger } from "../logger"
 import { WorkspaceManager } from "../workspaces/manager"
@@ -23,6 +25,7 @@ import { registerBackgroundProcessRoutes } from "./routes/background-processes"
 import { registerWorktreeRoutes } from "./routes/worktrees"
 import { registerSpeechRoutes } from "./routes/speech"
 import { registerRemoteServerRoutes } from "./routes/remote-servers"
+import { registerSideCarRoutes } from "./routes/sidecars"
 import { ServerMeta } from "../api-types"
 import { InstanceStore } from "../storage/instance-store"
 import { BackgroundProcessManager } from "../background-processes/manager"
@@ -33,6 +36,7 @@ import type { SpeechService } from "../speech/service"
 import { ClientConnectionManager } from "../clients/connection-manager"
 import { PluginChannelManager } from "../plugins/channel"
 import { VoiceModeManager } from "../plugins/voice-mode"
+import type { SideCarManager } from "../sidecars/manager"
 
 interface HttpServerDeps {
   bindHost: string
@@ -48,6 +52,7 @@ interface HttpServerDeps {
   serverMeta: ServerMeta
   instanceStore: InstanceStore
   speechService: SpeechService
+  sidecarManager: SideCarManager
   authManager: AuthManager
   uiStaticDir: string
   uiDevServerUrl?: string
@@ -204,7 +209,7 @@ export function createHttpServer(deps: HttpServerDeps) {
 
     const session = deps.authManager.getSessionFromRequest(request)
 
-    const requiresAuthForApi = pathname.startsWith("/api/") || pathname.startsWith("/workspaces/")
+    const requiresAuthForApi = pathname.startsWith("/api/") || pathname.startsWith("/workspaces/") || pathname.startsWith("/sidecars/")
     if (requiresAuthForApi && !session) {
       // Allow OpenCode plugin -> CodeNomad calls with per-instance basic auth.
       const pluginMatch = pathname.match(/^\/workspaces\/([^/]+)\/plugin(?:\/|$)/)
@@ -273,6 +278,13 @@ export function createHttpServer(deps: HttpServerDeps) {
   })
   registerRemoteServerRoutes(app, { logger: apiLogger })
   registerSpeechRoutes(app, { speechService: deps.speechService })
+  registerSideCarRoutes(app, { sidecarManager: deps.sidecarManager })
+  registerSideCarProxyRoutes(app, { sidecarManager: deps.sidecarManager, logger: proxyLogger })
+  setupSideCarWebSocketProxy(app, {
+    sidecarManager: deps.sidecarManager,
+    authManager: deps.authManager,
+    logger: proxyLogger,
+  })
   registerPluginRoutes(app, {
     workspaceManager: deps.workspaceManager,
     eventBus: deps.eventBus,
@@ -355,6 +367,68 @@ interface InstanceProxyDeps {
   logger: Logger
 }
 
+interface SideCarProxyDeps {
+  sidecarManager: SideCarManager
+  logger: Logger
+}
+
+interface SideCarWebSocketProxyDeps extends SideCarProxyDeps {
+  authManager: AuthManager
+}
+
+function registerSideCarProxyRoutes(app: FastifyInstance, deps: SideCarProxyDeps) {
+  const proxyBaseHandler = async (
+    request: FastifyRequest<{ Params: { id: string } }>,
+    reply: FastifyReply,
+  ) => {
+    await proxySideCarRequest({
+      request,
+      reply,
+      sidecarManager: deps.sidecarManager,
+      logger: deps.logger,
+      pathSuffix: "",
+    })
+  }
+
+  const proxyWildcardHandler = async (
+    request: FastifyRequest<{ Params: { id: string; "*": string } }>,
+    reply: FastifyReply,
+  ) => {
+    await proxySideCarRequest({
+      request,
+      reply,
+      sidecarManager: deps.sidecarManager,
+      logger: deps.logger,
+      pathSuffix: request.params["*"] ?? "",
+    })
+  }
+
+  app.all("/sidecars/:id", proxyBaseHandler)
+  app.all("/sidecars/:id/*", proxyWildcardHandler)
+}
+
+function setupSideCarWebSocketProxy(app: FastifyInstance, deps: SideCarWebSocketProxyDeps) {
+  app.server.on("upgrade", (request, socket, head) => {
+    const rawUrl = request.url ?? "/"
+    const parsed = parseSideCarUpgradePath(rawUrl)
+    if (!parsed) {
+      return
+    }
+
+    void proxySideCarWebSocketUpgrade({
+      request,
+      socket: socket as Socket,
+      head,
+      sidecarId: parsed.sidecarId,
+      incomingPath: parsed.pathname,
+      search: parsed.search,
+      sidecarManager: deps.sidecarManager,
+      authManager: deps.authManager,
+      logger: deps.logger,
+    })
+  })
+}
+
 function registerInstanceProxyRoutes(app: FastifyInstance, deps: InstanceProxyDeps) {
   app.register(async (instance) => {
     instance.removeAllContentTypeParsers()
@@ -839,3 +913,281 @@ function buildProxyHeaders(headers: FastifyRequest["headers"]): Record<string, s
   }
   return result
 }
+
+async function proxySideCarRequest(args: {
+  request: FastifyRequest
+  reply: FastifyReply
+  sidecarManager: SideCarManager
+  logger: Logger
+  pathSuffix?: string
+}) {
+  const sidecarId = (args.request.params as { id?: string }).id ?? ""
+  const sidecar = await args.sidecarManager.get(sidecarId)
+  if (!sidecar) {
+    args.reply.code(404).send({ error: "SideCar not found" })
+    return
+  }
+
+  const pathname = (args.request.raw.url ?? args.request.url ?? "").split("?")[0] ?? ""
+  const queryIndex = (args.request.raw.url ?? args.request.url ?? "").indexOf("?")
+  const search = queryIndex >= 0 ? (args.request.raw.url ?? args.request.url ?? "").slice(queryIndex) : ""
+  const pathSuffix = args.pathSuffix ?? ""
+  const requestPath = pathSuffix ? `${args.sidecarManager.buildProxyBasePath(sidecarId)}/${pathSuffix.replace(/^\/+/, "")}` : args.sidecarManager.buildProxyBasePath(sidecarId)
+  const targetPath = args.sidecarManager.buildTargetPath(sidecarId, requestPath, search)
+  const targetOrigin = args.sidecarManager.buildTargetOrigin(sidecar)
+  const targetUrl = `${targetOrigin}${targetPath}`
+  args.logger.debug({ sidecarId: sidecar.id, targetUrl, pathname, prefixMode: sidecar.prefixMode }, "Proxying request to SideCar")
+
+  await args.reply.from(targetUrl, {
+    rewriteRequestHeaders: (_originalRequest, headers) =>
+      sanitizeSideCarProxyRequestHeaders(headers as Record<string, string | string[] | undefined>, targetOrigin),
+    rewriteHeaders: (headers) => rewriteSideCarResponseHeaders(headers, sidecarId, targetOrigin, sidecar.prefixMode),
+    onError: (reply, { error }) => {
+      args.logger.error({ sidecarId: sidecar.id, err: error, targetUrl }, "Failed to proxy SideCar request")
+      if (!reply.sent) {
+        reply.code(502).send({ error: "SideCar proxy failed" })
+      }
+    },
+  })
+}
+
+function parseSideCarUpgradePath(rawUrl: string): { sidecarId: string; pathname: string; search: string } | null {
+  let parsed: URL
+  try {
+    parsed = new URL(rawUrl, "http://localhost")
+  } catch {
+    return null
+  }
+
+  const match = parsed.pathname.match(/^\/sidecars\/([^/]+)(?:\/.*)?$/)
+  if (!match) {
+    return null
+  }
+
+  try {
+    return {
+      sidecarId: decodeURIComponent(match[1] ?? ""),
+      pathname: parsed.pathname,
+      search: parsed.search,
+    }
+  } catch {
+    return null
+  }
+}
+
+async function proxySideCarWebSocketUpgrade(args: {
+  request: import("http").IncomingMessage
+  socket: Socket
+  head: Buffer
+  sidecarId: string
+  incomingPath: string
+  search: string
+  sidecarManager: SideCarManager
+  authManager: AuthManager
+  logger: Logger
+}) {
+  const { request, socket, head, sidecarId, incomingPath, search, sidecarManager, authManager, logger } = args
+
+  if (!isWebSocketUpgradeRequest(request)) {
+    rejectUpgrade(socket, 400, "Bad Request")
+    return
+  }
+
+  const session = authManager.getSessionFromHeaders(request.headers)
+  if (!session) {
+    rejectUpgrade(socket, 401, "Unauthorized")
+    return
+  }
+
+  const sidecar = await sidecarManager.get(sidecarId)
+  if (!sidecar) {
+    rejectUpgrade(socket, 404, "Not Found")
+    return
+  }
+
+  const targetOrigin = sidecarManager.buildTargetOrigin(sidecar)
+  const targetPath = sidecarManager.buildTargetPath(sidecarId, incomingPath, search)
+  const targetUrl = new URL(`${targetOrigin}${targetPath}`)
+  logger.debug({ sidecarId, targetUrl: targetUrl.toString(), prefixMode: sidecar.prefixMode }, "Proxying websocket to SideCar")
+
+  const { socket: upstream, readyEvent } = createSideCarUpstreamSocket(targetUrl)
+
+  const closeBoth = () => {
+    if (!socket.destroyed) {
+      socket.destroy()
+    }
+    if (!upstream.destroyed) {
+      upstream.destroy()
+    }
+  }
+
+  upstream.once("error", (error) => {
+    logger.error({ sidecarId, err: error, targetUrl: targetUrl.toString() }, "Failed to proxy SideCar websocket")
+    rejectUpgrade(socket, 502, "Bad Gateway")
+    if (!upstream.destroyed) {
+      upstream.destroy()
+    }
+  })
+
+  socket.once("error", (error) => {
+    logger.debug({ sidecarId, err: error }, "SideCar websocket client socket errored")
+    if (!upstream.destroyed) {
+      upstream.destroy()
+    }
+  })
+
+  upstream.once(readyEvent, () => {
+    try {
+      upstream.write(buildSideCarWebSocketRequest(request, targetUrl))
+      if (head.length > 0) {
+        upstream.write(head)
+      }
+      upstream.pipe(socket)
+      socket.pipe(upstream)
+    } catch (error) {
+      logger.error({ sidecarId, err: error, targetUrl: targetUrl.toString() }, "Failed to forward SideCar websocket upgrade")
+      closeBoth()
+    }
+  })
+
+  upstream.once("close", () => {
+    if (!socket.destroyed) {
+      socket.end()
+    }
+  })
+
+  socket.once("close", () => {
+    if (!upstream.destroyed) {
+      upstream.end()
+    }
+  })
+}
+
+function createSideCarUpstreamSocket(targetUrl: URL): { socket: Socket | TLSSocket; readyEvent: "connect" | "secureConnect" } {
+  const port = Number(targetUrl.port || (targetUrl.protocol === "https:" ? 443 : 80))
+  if (targetUrl.protocol === "https:") {
+    return {
+      socket: connectTls({
+        host: targetUrl.hostname,
+        port,
+        servername: targetUrl.hostname,
+      }),
+      readyEvent: "secureConnect",
+    }
+  }
+  return {
+    socket: connectTcp(port, targetUrl.hostname),
+    readyEvent: "connect",
+  }
+}
+
+function buildSideCarWebSocketRequest(request: import("http").IncomingMessage, targetUrl: URL): string {
+  const pathWithQuery = `${targetUrl.pathname}${targetUrl.search}`
+  const requestLine = `${request.method ?? "GET"} ${pathWithQuery} HTTP/${request.httpVersion}\r\n`
+  const headerLines: string[] = []
+  const rawHeaders = request.rawHeaders ?? []
+  const blockedHeaders = getBlockedSideCarRequestHeaders()
+
+  for (let index = 0; index < rawHeaders.length; index += 2) {
+    const key = rawHeaders[index]
+    const value = rawHeaders[index + 1]
+    if (!key || value === undefined) continue
+    const lower = key.toLowerCase()
+    if (blockedHeaders.has(lower)) continue
+    if (lower === "origin") {
+      headerLines.push(`Origin: ${targetUrl.origin}\r\n`)
+      continue
+    }
+    headerLines.push(`${key}: ${value}\r\n`)
+  }
+
+  const hostValue = targetUrl.port ? `${targetUrl.hostname}:${targetUrl.port}` : targetUrl.hostname
+  headerLines.push(`Host: ${hostValue}\r\n`)
+  headerLines.push("\r\n")
+
+  return requestLine + headerLines.join("")
+}
+
+function isWebSocketUpgradeRequest(request: import("http").IncomingMessage): boolean {
+  const upgrade = request.headers.upgrade
+  if (typeof upgrade !== "string" || upgrade.toLowerCase() !== "websocket") {
+    return false
+  }
+  const connection = request.headers.connection
+  const connectionValue = Array.isArray(connection) ? connection.join(",") : connection ?? ""
+  return connectionValue.toLowerCase().split(",").map((part) => part.trim()).includes("upgrade")
+}
+
+function rejectUpgrade(socket: Socket, statusCode: number, statusText: string) {
+  if (socket.destroyed) {
+    return
+  }
+  socket.write(`HTTP/1.1 ${statusCode} ${statusText}\r\nConnection: close\r\nContent-Length: 0\r\n\r\n`)
+  socket.destroy()
+}
+
+function rewriteSideCarResponseHeaders(
+  headers: Record<string, string | string[] | undefined>,
+  sidecarId: string,
+  targetOrigin: string,
+  prefixMode: "strip" | "preserve",
+) {
+  if (prefixMode === "preserve") {
+    return headers
+  }
+
+  const next = { ...headers }
+  const locationHeader = next.location
+  const location = Array.isArray(locationHeader) ? locationHeader[0] : locationHeader
+  if (!location) {
+    return next
+  }
+
+  const publicBase = `/sidecars/${encodeURIComponent(sidecarId)}`
+
+  if (location.startsWith("/")) {
+    next.location = `${publicBase}${location}`
+    return next
+  }
+
+  try {
+    const parsed = new URL(location)
+    if (parsed.origin === targetOrigin) {
+      next.location = `${publicBase}${parsed.pathname}${parsed.search}${parsed.hash}`
+    }
+  } catch {
+    // Relative redirects should continue to resolve against the public sidecar path.
+  }
+
+  return next
+}
+
+function sanitizeSideCarProxyRequestHeaders(
+  headers: Record<string, string | string[] | undefined>,
+  targetOrigin: string,
+): Record<string, string | string[] | undefined> {
+  const blockedHeaders = getBlockedSideCarRequestHeaders()
+  const next: Record<string, string | string[] | undefined> = {}
+
+  for (const [key, value] of Object.entries(headers)) {
+    if (!value) continue
+    if (blockedHeaders.has(key.toLowerCase())) continue
+    next[key] = value
+  }
+
+  next.origin = targetOrigin
+  return next
+}
+
+function getBlockedSideCarRequestHeaders(): Set<string> {
+  return new Set([
+    "host",
+    "authorization",
+    "proxy-authorization",
+    "forwarded",
+    "x-forwarded-for",
+    "x-forwarded-host",
+    "x-forwarded-port",
+    "x-forwarded-proto",
+  ])
+}

packages/server/src/server/routes/sidecars.ts

@@ -0,0 +1,56 @@
+import { FastifyInstance } from "fastify"
+import { z } from "zod"
+import type { SideCarManager } from "../../sidecars/manager"
+
+interface RouteDeps {
+  sidecarManager: SideCarManager
+}
+
+const SideCarCreateSchema = z.object({
+  kind: z.literal("port").default("port"),
+  name: z.string().trim().min(1),
+  port: z.number().int().min(1).max(65535),
+  insecure: z.boolean().default(false),
+  prefixMode: z.enum(["strip", "preserve"]).default("strip"),
+})
+
+const SideCarUpdateSchema = SideCarCreateSchema.omit({ kind: true }).partial().refine((value) => Object.keys(value).length > 0, {
+  message: "At least one field is required",
+})
+
+export function registerSideCarRoutes(app: FastifyInstance, deps: RouteDeps) {
+  app.get("/api/sidecars", async () => {
+    return { sidecars: await deps.sidecarManager.list() }
+  })
+
+  app.post("/api/sidecars", async (request, reply) => {
+    try {
+      const body = SideCarCreateSchema.parse(request.body ?? {})
+      const sidecar = await deps.sidecarManager.create(body)
+      reply.code(201)
+      return sidecar
+    } catch (error) {
+      reply.code(400)
+      return { error: error instanceof Error ? error.message : "Failed to create SideCar" }
+    }
+  })
+
+  app.put<{ Params: { id: string } }>("/api/sidecars/:id", async (request, reply) => {
+    try {
+      const body = SideCarUpdateSchema.parse(request.body ?? {})
+      return await deps.sidecarManager.update(request.params.id, body)
+    } catch (error) {
+      reply.code(400)
+      return { error: error instanceof Error ? error.message : "Failed to update SideCar" }
+    }
+  })
+
+  app.delete<{ Params: { id: string } }>("/api/sidecars/:id", async (request, reply) => {
+    const removed = await deps.sidecarManager.delete(request.params.id)
+    if (!removed) {
+      reply.code(404)
+      return { error: "SideCar not found" }
+    }
+    reply.code(204)
+  })
+}

packages/server/src/sidecars/manager.ts

@@ -0,0 +1,256 @@
+import { connect } from "net"
+import type { EventBus } from "../events/bus"
+import type { Logger } from "../logger"
+import type { SettingsService } from "../settings/service"
+import type { SideCar, SideCarKind, SideCarPrefixMode, SideCarStatus } from "../api-types"
+
+interface SideCarManagerOptions {
+  settings: SettingsService
+  eventBus: EventBus
+  logger: Logger
+}
+
+interface SideCarConfigRecord {
+  id: string
+  kind: SideCarKind
+  name: string
+  port: number
+  insecure: boolean
+  prefixMode: SideCarPrefixMode
+  createdAt: string
+  updatedAt: string
+}
+
+interface SideCarRuntimeRecord {
+  status: SideCarStatus
+}
+
+export class SideCarManager {
+  private readonly configs = new Map<string, SideCarConfigRecord>()
+  private readonly runtime = new Map<string, SideCarRuntimeRecord>()
+
+  constructor(private readonly options: SideCarManagerOptions) {
+    for (const record of this.loadConfiguredSideCars()) {
+      this.configs.set(record.id, record)
+      this.runtime.set(record.id, { status: "stopped" })
+    }
+
+    queueMicrotask(() => {
+      for (const record of this.configs.values()) {
+        void this.refreshPortSideCar(record.id).catch((error) => {
+          this.options.logger.warn({ sidecarId: record.id, err: error }, "Failed to probe sidecar port")
+        })
+      }
+    })
+  }
+
+  async list(): Promise<SideCar[]> {
+    await this.refreshPortStatuses()
+    return Array.from(this.configs.values()).map((record) => this.toSideCar(record))
+  }
+
+  async get(id: string): Promise<SideCar | undefined> {
+    if (!this.configs.has(id)) return undefined
+    await this.refreshPortSideCar(id)
+    return this.toSideCar(this.requireConfig(id))
+  }
+
+  async create(input: {
+    kind: SideCarKind
+    name: string
+    port: number
+    insecure: boolean
+    prefixMode: SideCarPrefixMode
+  }): Promise<SideCar> {
+    const normalizedName = input.name.trim()
+    const id = this.buildSideCarId(normalizedName)
+    if (this.configs.has(id)) {
+      throw new Error(`SideCar '${id}' already exists`)
+    }
+
+    const now = new Date().toISOString()
+    const record: SideCarConfigRecord = {
+      id,
+      kind: input.kind,
+      name: normalizedName,
+      port: input.port,
+      insecure: input.insecure,
+      prefixMode: input.prefixMode,
+      createdAt: now,
+      updatedAt: now,
+    }
+
+    this.configs.set(record.id, record)
+    this.runtime.set(record.id, { status: "stopped" })
+    this.persistConfigs()
+    await this.refreshPortSideCar(record.id)
+    return this.toSideCar(record)
+  }
+
+  async update(
+    id: string,
+    input: Partial<{
+      name: string
+      port: number
+      insecure: boolean
+      prefixMode: SideCarPrefixMode
+    }>,
+  ): Promise<SideCar> {
+    const record = this.requireConfig(id)
+
+    record.name = typeof input.name === "string" ? input.name.trim() : record.name
+    record.port = typeof input.port === "number" ? input.port : record.port
+    record.insecure = typeof input.insecure === "boolean" ? input.insecure : record.insecure
+    record.prefixMode = typeof input.prefixMode === "string" ? input.prefixMode : record.prefixMode
+    record.updatedAt = new Date().toISOString()
+
+    this.persistConfigs()
+    await this.refreshPortSideCar(id)
+    return this.toSideCar(record)
+  }
+
+  async delete(id: string): Promise<boolean> {
+    const record = this.configs.get(id)
+    if (!record) return false
+
+    this.configs.delete(id)
+    this.runtime.delete(id)
+    this.persistConfigs()
+    this.options.eventBus.publish({ type: "sidecar.removed", sidecarId: id })
+    return true
+  }
+
+  async shutdown() {
+    return
+  }
+
+  buildTargetOrigin(sidecar: Pick<SideCar, "port" | "insecure">): string {
+    const protocol = sidecar.insecure ? "http" : "https"
+    return `${protocol}://127.0.0.1:${sidecar.port}`
+  }
+
+  buildProxyBasePath(id: string): string {
+    return `/sidecars/${encodeURIComponent(id)}`
+  }
+
+  buildTargetPath(id: string, incomingPath: string, search = ""): string {
+    const record = this.requireConfig(id)
+    const publicBase = this.buildProxyBasePath(id)
+    const normalizedPath = incomingPath || publicBase
+
+    if (record.prefixMode === "preserve") {
+      return `${normalizedPath}${search}`
+    }
+
+    let stripped = normalizedPath.startsWith(publicBase) ? normalizedPath.slice(publicBase.length) : normalizedPath
+    if (!stripped || stripped === "/") {
+      stripped = "/"
+    } else if (!stripped.startsWith("/")) {
+      stripped = `/${stripped}`
+    }
+    return `${stripped}${search}`
+  }
+
+  private async refreshPortStatuses() {
+    await Promise.all(Array.from(this.configs.values()).map((record) => this.refreshPortSideCar(record.id)))
+  }
+
+  private async refreshPortSideCar(id: string) {
+    const record = this.configs.get(id)
+    if (!record) return
+    const isAvailable = await this.isPortAvailable(record.port)
+    const current = this.runtime.get(id)
+    const nextStatus: SideCarStatus = isAvailable ? "running" : "stopped"
+    if (current?.status === nextStatus) {
+      return
+    }
+
+    this.runtime.set(id, { status: nextStatus })
+    record.updatedAt = new Date().toISOString()
+    this.publish(id)
+  }
+
+  private publish(id: string) {
+    const record = this.configs.get(id)
+    if (!record) return
+    this.options.eventBus.publish({ type: "sidecar.updated", sidecar: this.toSideCar(record) })
+  }
+
+  private toSideCar(record: SideCarConfigRecord): SideCar {
+    const runtime = this.runtime.get(record.id)
+    return {
+      id: record.id,
+      kind: record.kind,
+      name: record.name,
+      port: record.port,
+      insecure: record.insecure,
+      prefixMode: record.prefixMode,
+      status: runtime?.status ?? "stopped",
+      createdAt: record.createdAt,
+      updatedAt: record.updatedAt,
+    }
+  }
+
+  private requireConfig(id: string): SideCarConfigRecord {
+    const record = this.configs.get(id)
+    if (!record) {
+      throw new Error("SideCar not found")
+    }
+    return record
+  }
+
+  private persistConfigs() {
+    const sidecars = Array.from(this.configs.values()).map((record) => ({ ...record }))
+    this.options.settings.mergePatchOwner("config", "server", { sidecars })
+  }
+
+  private loadConfiguredSideCars(): SideCarConfigRecord[] {
+    const serverConfig = this.options.settings.getOwner("config", "server") as { sidecars?: unknown }
+    const list = Array.isArray(serverConfig?.sidecars) ? serverConfig.sidecars : []
+    const records: SideCarConfigRecord[] = []
+    for (const item of list) {
+      if (!item || typeof item !== "object") continue
+      const record = item as Record<string, unknown>
+      const kind = record.kind === "port" ? "port" : null
+      const id = typeof record.id === "string" && record.id.trim() ? record.id.trim() : null
+      const name = typeof record.name === "string" && record.name.trim() ? record.name.trim() : null
+      const port = typeof record.port === "number" && Number.isInteger(record.port) ? record.port : null
+      if (!kind || !id || !name || !port) continue
+
+      const insecure = record.insecure === true
+      const prefixMode = record.prefixMode === "preserve" ? "preserve" : "strip"
+      const createdAt = typeof record.createdAt === "string" && record.createdAt ? record.createdAt : new Date().toISOString()
+      const updatedAt = typeof record.updatedAt === "string" && record.updatedAt ? record.updatedAt : createdAt
+      records.push({ id, kind, name, port, insecure, prefixMode, createdAt, updatedAt })
+    }
+    return records
+  }
+
+  private isPortAvailable(port: number): Promise<boolean> {
+    return new Promise((resolve) => {
+      const socket = connect({ port, host: "127.0.0.1" }, () => {
+        socket.end()
+        resolve(true)
+      })
+      socket.once("error", () => {
+        socket.destroy()
+        resolve(false)
+      })
+    })
+  }
+
+  private buildSideCarId(name: string): string {
+    const normalized = name
+      .trim()
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, "-")
+      .replace(/-{2,}/g, "-")
+      .replace(/^-|-$/g, "")
+
+    if (!normalized) {
+      throw new Error("SideCar name must include letters or numbers")
+    }
+
+    return normalized
+  }
+}