v0.0.3

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
gofmt
2026-05-20 09:42:34 +02:00 · 2026-05-13 18:20:57 +02:00 · 2026-05-13 18:20:33 +02:00 · 2026-05-13 18:19:28 +02:00 · 2026-05-13 18:17:05 +02:00 · 2026-05-13 18:15:42 +02:00
59 changed files with 1296 additions and 826 deletions
@@ -1,28 +0,0 @@
---
-name: "🐞 Bug Report"
-about: Report a reproducible error
-title: "[BUG] "
-labels: bug
---
-
-**Describe the bug**
-A clear and concise description of the issue.
-
-**To Reproduce**
-
-1. Go to '...'
-2. Click on '....'
-3. See error
-
-**Expected Behavior**
-
-What should have happened.
-
-**Environment**
-
- OS:
- Version (`spilltea -v`):
-
-**Additional Context**
-
-Add any logs or screenshots here.
@@ -0,0 +1,57 @@
+name: "🐞 Bug Report"
+description: Report a reproducible error
+title: "[BUG] "
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the bug
+      description: A clear and concise description of the issue.
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: Step-by-step instructions to trigger the bug.
+      placeholder: |
+        1. ...
+        2. ...
+        3. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What should have happened instead.
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      placeholder: "e.g. Ubuntu 24.04, macOS 15"
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: spilltea version
+      description: Output of `spilltea -v`
+      placeholder: "e.g. v0.3.1"
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Logs, screenshots, or anything else relevant.
+    validations:
+      required: false
@@ -1,22 +0,0 @@
---
-name: "🚀 Feature Request"
-about: Suggest an idea for this project
-title: "[FEATURE] "
-labels: enhancement
---
-
-**Is your feature request related to a problem?**
-
-A description of what the problem is (e.g. I'm always frustrated when...).
-
-**Describe the solution**
-
-A clear description of what you want to happen.
-
-**Describe alternatives**
-
-Any alternative solutions or features you've considered.
-
-**Additional context**
-
-Add any other context or mockups here.
@@ -0,0 +1,37 @@
+name: "🚀 Feature Request"
+description: Suggest an idea for this project
+title: "[FEATURE] "
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: Is your feature request related to a problem? Describe it.
+      placeholder: "I'm always frustrated when..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: A clear description of what you want to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any alternative solutions or features you've thought about.
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Mockups, related issues, or anything else relevant.
+    validations:
+      required: false
@@ -0,0 +1,52 @@
+name: "🧩 Plugin Request"
+description: Suggest a plugin idea or propose an existing plugin
+title: "[PLUGIN] "
+labels: ["plugin"]
+body:
+  - type: dropdown
+    id: request_type
+    attributes:
+      label: Request type
+      description: Are you proposing an idea or an already-built plugin?
+      options:
+        - "Plugin idea — I have an idea but haven't built it"
+        - "Plugin proposal — I have already built a plugin"
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: >
+        **If this is an idea:** describe what the plugin would do and the problem it solves.
+        **If this is a proposal:** describe what your plugin does and link to its repository.
+      placeholder: "This plugin would..."
+    validations:
+      required: true
+
+  - type: input
+    id: repo
+    attributes:
+      label: Repository (proposals only)
+      description: Link to the plugin repository, if it exists.
+      placeholder: "https://github.com/..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: use_case
+    attributes:
+      label: Use case
+      description: Who would benefit from this plugin and in what scenario?
+      placeholder: "Useful when testing APIs that..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Screenshots, mockups, related issues, or anything else relevant.
+    validations:
+      required: false
@@ -1,6 +1,7 @@
 # Plugins

 Spilltea supports Lua plugins that can intercept, modify, and analyze HTTP traffic.
+You can found some pre-built plugins [here](../../plugins/).

 ## Where to place plugins

@@ -15,25 +16,28 @@ Every plugin must declare a `Plugin` table and implement the hooks it wants to u
 ```lua
 Plugin = {
  name        = "My Plugin",
+  description = "What this plugin does.",
+  priority    = 0,  -- higher = runs before other plugins (default: 0)

-  -- Declare which hooks you use and whether they are synchronous.
+  -- Declare which hooks you use and whether they are synchronous (default: false).
+  -- on_config and on_quit are always sync and do not need to be declared here.
  on_start          = { sync = true  },
  on_request        = { sync = true  },
  on_response       = { sync = false },
-  on_history_entry = {},
-  on_quit          = {},
+  on_history_entry  = { sync = true  },
 }
 ```

 ### Hook reference

-| Hook                      | When called                 | Sync/async   | Return value        |
-| ------------------------- | --------------------------- | ------------ | ------------------- |
-| `on_start(config_text)`   | Once at startup             | always sync  | ignored             |
+| Hook                      | When called                          | Sync/async    | Return value (sync only)                              |
+| ------------------------- | ------------------------------------ | ------------- | ----------------------------------------------------- |
+| `on_config(config_text)`  | At startup and on config save        | always sync   | ignored                                               |
+| `on_start()`              | Once at startup, after `on_config`   | configurable  | ignored                                               |
 | `on_quit()`               | When the app exits                   | always sync   | ignored                                               |
-| `on_request(req)`         | Every request               | declared     | `"drop"`, `"forward"`, or `nil` (sync only) |
-| `on_response(req, res)`   | Every response              | declared     | `"drop"`, `"forward"`, or `nil` (sync only) |
-| `on_history_entry(entry)` | After a flow is saved to DB | always async | ignored             |
+| `on_request(req)`         | Every request, before auto-forward   | configurable  | `"drop"`, `"forward"`, or `nil`                       |
+| `on_response(req, res)`   | Every response                       | configurable  | `"drop"`, `"forward"`, or `nil`                       |
+| `on_history_entry(entry)` | Sync: before DB insert / Async: after | configurable | `"skip"` (don't save), `"keep"` or `nil` (save)      |

 ## Request and response objects

@@ -80,7 +84,8 @@ Plugin = {
 log("message")

 -- Send a notification bubble in the TUI
-notif("Title", "Body text")
+-- kind is optional: "info" (default), "success", "warning", "error"
+notif("Title", "Body text", "warning")

 -- Create a finding (shown on the Findings page, persisted in DB)
 create_finding({
@@ -90,8 +95,17 @@ create_finding({
  severity    = "high",              -- info | low | medium | high | critical
 })

-- Check if a URL matches the current scope (whitelist/blacklist)
-local ok = is_in_scope("https://example.com/api/v1")
+-- Run a raw SQL query against the project DB (entries, findings, replay_entries, …)
+-- Returns a table of rows; each row is a table indexed by column name.
+-- Returns nil + error string on failure.
+local rows, err = db_query("SELECT id, host FROM entries WHERE host = ?", "example.com")
+if err then
+  log("query failed: " .. err)
+else
+  for i = 1, #rows do
+    log(rows[i].host)
+  end
+end

 -- Quit the app (useful for startup checks that fail)
 quit("reason message")
@@ -103,25 +117,46 @@ A finding is identified by `(plugin_name, key)`. If a finding with that pair alr

 ## Configuration

-Each plugin gets a **config textarea** on the Plugins page. The raw text is passed as-is to `on_start(config_text)`. Parse it however you like (line by line, key=value, JSON, etc.).
+Each plugin gets a **config textarea** on the Plugins page. The raw text is passed as-is to `on_config(config_text)`. Parse it however you like (line by line, key=value, JSON, etc.).
+
+`on_config` is called once at startup (before `on_start`) and again every time the user saves the config in the UI.

 ## Sync vs async

- **`sync = true`**: spilltea waits for the hook to return before continuing. For `on_request`/`on_response` this blocks the proxy goroutine; the hook can return one of the values below.
- **`sync = false`** (or omitted for supported hooks): the hook runs in a background goroutine. Return values are ignored. Use this for analysis and findings.
+- **`sync = true`**: spilltea waits for the hook to return before continuing. The hook can return a decision value (see below).
+- **`sync = false`** (default for all configurable hooks): the hook runs in a background goroutine. Return values are ignored.

-### Return values for `on_request` and `on_response` (sync only)
+`on_config` and `on_quit` are always synchronous regardless of the Plugin table declaration.
+
+### Return values for sync hooks
+
+**`on_request` and `on_response`:**

 | Return value | Effect                                                                            |
-| ------------ | ------ |
+| ------------ | --------------------------------------------------------------------------------- |
 | `"drop"`     | The flow is dropped immediately and never shown in the intercept panel.           |
 | `"forward"`  | The flow is forwarded immediately without going through the intercept panel.      |
 | `nil`        | Normal behaviour: the flow appears in the intercept panel for the user to decide. |

-The `sync` declaration is only meaningful for `on_request` and `on_response`. The other hooks have fixed behaviour:
+**`on_history_entry` (sync only):**

- `on_start` is **always synchronous**: plugins are initialised one by one before the first request is accepted.
- `on_quit` is **always synchronous**: the app waits for all `on_quit` hooks before exiting.
- `on_history_entry` is **always asynchronous**.
+| Return value        | Effect                                 |
+| ------------------- | -------------------------------------- |
+| `"skip"`            | The entry is not saved to the DB.      |
+| `"keep"` or `nil`   | The entry is saved normally.           |

-> A sync `on_request` or `on_response` hook that hangs will block traffic for that flow. There is no automatic timeout.
+Sync `on_history_entry` runs **before** the DB insert, so it can prevent an entry from ever appearing in history. Async `on_history_entry` runs **after** the insert and cannot affect it.
+
+## Priority
+
+Plugins with a higher `priority` value run before plugins with a lower value (default `0`). This matters for sync hooks that return a decision: the first plugin to return a non-nil value short-circuits the remaining plugins.
+
+```lua
+Plugin = {
+  name     = "Scopes",
+  priority = 100,  -- runs before all default-priority plugins
+  ...
+}
+```
+
+> A sync hook that hangs will block traffic for that flow. There is no automatic timeout.
@@ -1,19 +0,0 @@
-## Scopes
-
-Scopes let you control which requests Spilltea intercepts. Patterns are Go regular expressions matched against `host/path` (e.g. `api.example.com/v1/users`).
-
- **Whitelist**: if non-empty, only matching requests are intercepted.
- **Blacklist**: matching requests are always ignored, even if whitelisted.
-
-When both lists are set, a request must pass the whitelist _and_ not be in the blacklist.
-
-### Examples
-
-| Pattern                    | Matches                             |
-| -------------------------- | ----------------------------------- |
-| `example\.com`             | any request to `example.com`        |
-| `^api\.example\.com`       | only the `api` subdomain            |
-| `example\.com/api/v2`      | a specific path prefix              |
-| `\.(js\|css\|png\|woff2?)` | static assets (useful in blacklist) |
-| `googleapis\.com`          | all Google API traffic              |
-| `/graphql$`                | any host with a `/graphql` endpoint |
@@ -1,48 +0,0 @@
-- Check that the proxy's outbound IP is in the whitelist before starting.
-- Config: one allowed IP per line. Leave empty to disable the check.
-
-Plugin = {
-  name     = "IP Whitelist",
-  on_start = {},
-}
-
-function on_start(config_text)
-  local allowed = {}
-  for line in config_text:gmatch("[^\n]+") do
-    local ip = line:match("^%s*(.-)%s*$")
-    if ip ~= "" then
-      table.insert(allowed, ip)
-    end
-  end
-
-  if #allowed == 0 then
-    log("no IPs configured, skipping check")
-    return
-  end
-
-  -- Fetch the current outbound IP via a public API.
-  local ok, result = pcall(function()
-    local handle = io.popen("curl -sf https://api.ipify.org 2>/dev/null")
-    if not handle then return nil end
-    local ip = handle:read("*a")
-    handle:close()
-    return ip and ip:match("^%s*(.-)%s*$") or nil
-  end)
-
-  if not ok or not result or result == "" then
-    log("could not determine outbound IP, skipping check")
-    return
-  end
-
-  log("outbound IP: " .. result)
-
-  for _, ip in ipairs(allowed) do
-    if result == ip then
-      log("IP " .. result .. " is whitelisted")
-      return
-    end
-  end
-
-  notif("IP Whitelist", "Outbound IP " .. result .. " is NOT in the whitelist!")
-  quit("outbound IP " .. result .. " not whitelisted")
-end
@@ -1,35 +0,0 @@
-- Scan response bodies for common API key / secret patterns.
-- Runs asynchronously so it never delays traffic.
-
-Plugin = {
-  name        = "Secret Finder",
-  on_response = { sync = false },
-}
-
-local PATTERNS = {
-  { pattern = "AIza[0-9A-Za-z%-_]{35}",                label = "Google API Key" },
-  { pattern = "AKIA[0-9A-Z]{16}",                      label = "AWS Access Key" },
-  { pattern = "sk%-[a-zA-Z0-9]{20,}",                  label = "OpenAI API Key" },
-  { pattern = "ghp_[a-zA-Z0-9]{36}",                   label = "GitHub Personal Token" },
-  { pattern = "Bearer%s+[a-zA-Z0-9%-_%.]+%.[a-zA-Z0-9%-_%.]+%.[a-zA-Z0-9%-_%.]+",
-                                                         label = "JWT Bearer Token" },
-}
-
-function on_response(req, res)
-  local body = res:get_body()
-  if body == "" then return end
-
-  for _, p in ipairs(PATTERNS) do
-    if body:find(p.pattern) then
-      local key = p.label .. ":" .. req.host
-      create_finding({
-        title       = p.label .. " in response",
-        description = "**Host:** `" .. req.host .. "`\n\n" ..
-                      "**Path:** `" .. req.path .. "`\n\n" ..
-                      "Pattern `" .. p.pattern .. "` matched in the response body.",
-        key         = key,
-        severity    = "high",
-      })
-    end
-  end
-end
@@ -25,7 +25,6 @@ It is intentionally minimal. No Electron, no browser, no bloat. Just a fast, key
 - **Intercept**: Pause requests and responses in-flight. Inspect and modify them (even with your favorite editor) before forwarding.
 - **HTTP History**: Every request that passes through the proxy is stored. Browse, search and filter your full session history.
 - **Replay**: Pick any request from the history, modify it if needed, and send it again. Useful for manual testing and quick iteration
- **Scopes**: Keep your history clean by white/blacklisting domains or specific paths.
 - **HTTPS Support** (using go-mitmproxy under the hood)
 - Built-in Integrations:
  - **FFuf Export**: Generate a ffuf command or configuration directly from a request to start fuzzing instantly.
@@ -45,13 +44,26 @@ On startup, you choose:
 ## Plugin System

 Spilltea supports plugins written in **Lua**. Plugins are loaded from `~/.config/spilltea/plugins/` by default and do not require recompilation or access to the source code.
-For a full reference and examples, see the [plugin documentation](./.github/docs/plugins.md).
+For a full reference and examples, see the [plugin documentation](./.github/docs/plugins.md) or [plugin examples](./plugins/).

 ## Configuration

 Spilltea is fully configured via a YAML file at `~/.config/spilltea/config.yaml`.
 Check the default configuration with all the options [here](./internal/config/default_config.yaml)

+## CLI Flags
+
+| Flag                    | Short | Description                                                                    |
+| ----------------------- | ----- | ------------------------------------------------------------------------------ |
+| `--config`              | `-c`  | Path to config file (default: `~/.config/spilltea/config.yaml`)                |
+| `--plugin-dir`          |       | Path to plugins dir, overrides config (default: `~/.config/spilltea/plugins/`) |
+| `--host`                |       | Proxy host, overrides config                                                   |
+| `--port`                | `-p`  | Proxy port, overrides config                                                   |
+| `--project`             | `-P`  | Project name to open directly, or `tmp` for a temporary session                |
+| `--upstream-proxy`      |       | Upstream proxy URL, overrides config (e.g. `http://user:pass@host:8888`)       |
+| `--version`             | `-v`  | Print version and exit                                                         |
+| `--add-default-plugins` |       | Add the default plugins to your plugins dir and exit                           |
+
 ## Deployment

 spilltea runs **locally** on the machine used for pentesting or CTF. There is no separate server component.
@@ -7,6 +7,7 @@ import (
 	"path/filepath"

 	tea "charm.land/bubbletea/v2"
+	spilltea "github.com/anotherhadi/spilltea"
 	"github.com/anotherhadi/spilltea/internal/config"
 	"github.com/anotherhadi/spilltea/internal/icons"
 	"github.com/anotherhadi/spilltea/internal/intercept"
@@ -23,10 +24,13 @@ var version = "dev"
 func main() {
 	var (
 		flagConfig            = flag.StringP("config", "c", "", "path to config file")
+		flagPluginsDir        = flag.String("plugins-dir", "", "path to plugins dir (overrides config)")
 		flagHost              = flag.String("host", "", "proxy host (overrides config)")
 		flagPort              = flag.IntP("port", "p", 0, "proxy port (overrides config)")
+		flagUpstreamProxy     = flag.String("upstream-proxy", "", "upstream proxy URL, e.g. http://user:pass@host:8888 (overrides config)")
 		flagVersion           = flag.BoolP("version", "v", false, "print version")
 		flagProject           = flag.StringP("project", "P", "", `project name to open directly, or "tmp" for a temporary session`)
+		flagAddDefaultPlugins = flag.Bool("add-default-plugins", false, "copy built-in example plugins into the plugins dir and exit")
 	)
 	flag.Parse()

@@ -35,6 +39,28 @@ func main() {
 		os.Exit(0)
 	}

+	if *flagAddDefaultPlugins {
+		cfgPath := filepath.Join(os.Getenv("HOME"), ".config", "spilltea", "config.yaml")
+		if *flagConfig != "" {
+			cfgPath = *flagConfig
+		}
+		if err := config.Load(cfgPath); err != nil {
+			fmt.Fprintf(os.Stderr, "config: %v\n", err)
+			os.Exit(1)
+		}
+		dir := config.ExpandPath(config.Global.App.PluginsDir)
+		if *flagPluginsDir != "" {
+			dir = *flagPluginsDir
+		}
+		n, err := spilltea.InstallDefaultPlugins(dir)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "add-default-plugins: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Printf("added %d plugin(s) to %s\n", n, dir)
+		os.Exit(0)
+	}
+
 	if *flagProject != "" && !homeUI.IsValidProjectName(*flagProject) {
 		fmt.Fprintf(os.Stderr, "project: invalid name %q (only lowercase letters, digits, - and _ are allowed)\n", *flagProject)
 		os.Exit(1)
@@ -51,12 +77,18 @@ func main() {
 	}
 	config.Global.Version = version

+	if *flagPluginsDir != "" {
+		config.Global.App.PluginsDir = *flagPluginsDir
+	}
 	if *flagHost != "" {
 		config.Global.App.Host = *flagHost
 	}
 	if *flagPort != 0 {
 		config.Global.App.Port = *flagPort
 	}
+	if *flagUpstreamProxy != "" {
+		config.Global.App.UpstreamProxy = *flagUpstreamProxy
+	}

 	addr := fmt.Sprintf("%s:%d", config.Global.App.Host, config.Global.App.Port)
 	// Check if the proxy port is available before starting the UI.
@@ -14,7 +14,7 @@
      (system: f system (import nixpkgs {inherit system;}));

    pname = "spilltea";
-    version = "0.0.1";
+    version = "0.0.3";

    ldflags = ["-s" "-w" "-X main.version=${version}"];
  in {
@@ -25,7 +25,7 @@
        src = ./.;
        outputs = ["out"];

-        vendorHash = "sha256-u+u38Qr5Dugk5eFmxTK4vKUEv2SlXcfY6ZFlu1cPqVk=";
+        vendorHash = "sha256-v37RFS/T6KGZTO1tHmtUqBrRcCqNS3+ACBcsd7tl50c=";

        meta = with pkgs.lib; {
          description = "A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players.";
@@ -9,7 +9,7 @@ require (
 	charm.land/lipgloss/v2 v2.0.3
 	github.com/charmbracelet/x/ansi v0.11.7
 	github.com/lqqyt2423/go-mitmproxy v1.8.11
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.8.3
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/yuin/gopher-lua v1.1.2
@@ -42,6 +42,7 @@ github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSE
 github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
 github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
 github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.12.0 h1:0j4c5qQmnC6XOWNjP3PIXURXN2gWx76rd3KvgdPkCz8=
@@ -108,8 +109,8 @@ github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
 github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.3 h1:DBBfY8eMYazKEJHb3JKpSPfpgd2mBCoNFlQx6C5fftU=
+github.com/sirupsen/logrus v1.8.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
@@ -120,7 +121,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@@ -146,7 +148,7 @@ golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
 golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
 golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
@@ -157,6 +159,7 @@ golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
@@ -23,6 +23,7 @@ type Config struct {
 		CertDir       string `mapstructure:"cert_dir"`
 		ProjectDir    string `mapstructure:"project_dir"`
 		PluginsDir    string `mapstructure:"plugins_dir"`
+		UpstreamProxy string `mapstructure:"upstream_proxy"`
 	} `mapstructure:"app"`

 	TUI struct {
@@ -33,8 +34,9 @@ type Config struct {
 	} `mapstructure:"tui"`

 	Intercept struct {
-		DefaultAutoForward     bool `mapstructure:"default_auto_forward"`
+		DefaultInterceptEnabled bool     `mapstructure:"default_intercept_enabled"`
 		DefaultCaptureResponse  bool     `mapstructure:"default_capture_response"`
+		AutoForwardRegex        []string `mapstructure:"auto_forward_regex"`
 	} `mapstructure:"intercept"`

 	Replay struct {
@@ -4,19 +4,22 @@ app:
  cert_dir: ~/.local/share/spilltea
  project_dir: ~/.local/share/spilltea
  plugins_dir: ~/.config/spilltea/plugins
+  upstream_proxy: "" # e.g. http://corporate-proxy:8888 or http://user:pass@host:8888

 intercept:
-  default_auto_forward: false
+  default_intercept_enabled: true
  default_capture_response: false
+  auto_forward_regex:
+    - '\.(js|css|png|gif|ico|woff2?|ttf|svg)(\?.*)?$'

 replay:
-  switch_to_page_on_send: false
+  switch_to_page_on_send: true

 history:
-  skip_duplicates: false # if true, skip saving entries with the same method, host, path and body
+  skip_duplicates: true # if true, skip saving entries with the same method, host, path and body

 tui:
-  use_nerdfont_icons: true
+  use_nerdfont_icons: false
  default_sidebar_state: "expanded" # hidden, collapsed, expanded
  pretty_print_body: true # auto-indent JSON and HTML response bodies
  colors:
@@ -48,7 +51,8 @@ keybindings:
    left: "left,h"
    right: "right,l"
    cycle_focus: "tab"
-    copy_request: "ctrl+y"
+    copy_as: "ctrl+y"
+    copy: "y"
    send_to_replay: "ctrl+r"
    scroll_up: "pgup"
    scroll_down: "pgdown"
@@ -59,7 +63,7 @@ keybindings:
    forward_all: "F"
    drop: "d"
    drop_all: "D"
-    auto_forward: "a"
+    toggle_intercept: "i"
    capture_response: "r"
    undo_edits: "ctrl+z"
    edit: "e,enter"
@@ -10,7 +10,8 @@ type GlobalKeys struct {
 	Left          string `mapstructure:"left"`
 	Right         string `mapstructure:"right"`
 	CycleFocus    string `mapstructure:"cycle_focus"`
-	CopyRequest   string `mapstructure:"copy_request"`
+	CopyAs        string `mapstructure:"copy_as"`
+	Copy          string `mapstructure:"copy"`
 	SendToReplay  string `mapstructure:"send_to_replay"`
 	ScrollUp      string `mapstructure:"scroll_up"`
 	ScrollDown    string `mapstructure:"scroll_down"`
@@ -22,7 +23,7 @@ type InterceptKeys struct {
 	ForwardAll      string `mapstructure:"forward_all"`
 	Drop            string `mapstructure:"drop"`
 	DropAll         string `mapstructure:"drop_all"`
-	AutoForward     string `mapstructure:"auto_forward"`
+	ToggleIntercept string `mapstructure:"toggle_intercept"`
 	CaptureResponse string `mapstructure:"capture_response"`
 	UndoEdits       string `mapstructure:"undo_edits"`
 	Edit            string `mapstructure:"edit"`
@@ -35,12 +35,7 @@ func (d *DB) migrate() error {
 			request_raw  TEXT NOT NULL,
 			response_raw TEXT NOT NULL
 		);
-		CREATE TABLE IF NOT EXISTS scope (
-			id      INTEGER PRIMARY KEY AUTOINCREMENT,
-			kind    TEXT NOT NULL CHECK(kind IN ('whitelist','blacklist')),
-			pattern TEXT NOT NULL
-		);
-		CREATE TABLE IF NOT EXISTS replay_entries (
+CREATE TABLE IF NOT EXISTS replay_entries (
 			id           INTEGER PRIMARY KEY AUTOINCREMENT,
 			timestamp    DATETIME NOT NULL,
 			scheme       TEXT NOT NULL,
@@ -69,13 +64,16 @@ func (d *DB) migrate() error {
 			created_at  DATETIME NOT NULL,
 			UNIQUE(plugin_name, dedup_key)
 		);
-		INSERT INTO scope (kind, pattern)
-			SELECT 'blacklist', '\.(js|css|png|gif|ico|woff2?|ttf|svg)(\?.*)?$'
-			WHERE NOT EXISTS (SELECT 1 FROM scope);
 	`)
 	return err
 }

+// Query executes a SQL query and returns the rows. The caller must close the
+// returned rows. Args are passed as positional parameters.
+func (d *DB) Query(query string, args ...any) (*sql.Rows, error) {
+	return d.conn.Query(query, args...)
+}
+
 func (d *DB) Close() error {
 	if d == nil {
 		return nil
@@ -48,7 +48,7 @@ func (d *DB) LoadFindings() ([]Finding, error) {
 		}
 		for _, layout := range findingTimeFormats {
 			if t, err := time.Parse(layout, ts); err == nil {
-				f.CreatedAt = t
+				f.CreatedAt = t.Local()
 				break
 			}
 		}
@@ -1,45 +0,0 @@
-package db
-
-func (d *DB) SaveScope(whitelist, blacklist []string) error {
-	tx, err := d.conn.Begin()
-	if err != nil {
-		return err
-	}
-	if _, err := tx.Exec(`DELETE FROM scope`); err != nil {
-		tx.Rollback()
-		return err
-	}
-	for _, p := range whitelist {
-		if _, err := tx.Exec(`INSERT INTO scope (kind, pattern) VALUES ('whitelist', ?)`, p); err != nil {
-			tx.Rollback()
-			return err
-		}
-	}
-	for _, p := range blacklist {
-		if _, err := tx.Exec(`INSERT INTO scope (kind, pattern) VALUES ('blacklist', ?)`, p); err != nil {
-			tx.Rollback()
-			return err
-		}
-	}
-	return tx.Commit()
-}
-
-func (d *DB) LoadScope() (whitelist, blacklist []string, err error) {
-	rows, err := d.conn.Query(`SELECT kind, pattern FROM scope`)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer rows.Close()
-	for rows.Next() {
-		var kind, pattern string
-		if err := rows.Scan(&kind, &pattern); err != nil {
-			return nil, nil, err
-		}
-		if kind == "whitelist" {
-			whitelist = append(whitelist, pattern)
-		} else {
-			blacklist = append(blacklist, pattern)
-		}
-	}
-	return whitelist, blacklist, rows.Err()
-}
@@ -41,87 +41,59 @@ type Broker struct {
 	droppedFlows sync.Map // *proxy.Flow → struct{}
 	outOfScope   sync.Map // *proxy.Flow → struct{}

-	scopeMu   sync.RWMutex
-	whitelist []*regexp.Regexp
-	blacklist []*regexp.Regexp
+	autoFwdMu      sync.RWMutex
+	autoFwdRegexes []*regexp.Regexp

+	onBeforeNewEntry func(db.Entry) bool
 	onNewEntry       func(db.Entry)
 }

+func (b *Broker) SetOnBeforeNewEntry(cb func(db.Entry) bool) {
+	b.onBeforeNewEntry = cb
+}
+
 func (b *Broker) SetOnNewEntry(cb func(db.Entry)) {
 	b.onNewEntry = cb
 }

-// IsInScope reports whether the given target string (host+path) matches the
-// current scope rules. Used by the plugin API.
-func (b *Broker) IsInScope(target string) bool {
-	b.scopeMu.RLock()
-	wl := b.whitelist
-	bl := b.blacklist
-	b.scopeMu.RUnlock()
-	return scopeMatches(wl, bl, target)
-}
-
 func NewBroker() *Broker {
-	return &Broker{
+	b := &Broker{
 		Incoming:         make(chan *PendingRequest, 64),
 		IncomingResponse: make(chan *PendingResponse, 64),
 	}
+	b.SetAutoForwardRegex(config.Global.Intercept.AutoForwardRegex)
+	return b
 }

 func (b *Broker) SetCaptureResponse(v bool) {
 	b.captureResponse.Store(v)
 }

-// SetScope compiles and stores whitelist/blacklist regex patterns.
+// SetAutoForwardRegex compiles and stores patterns for requests that should
+// be forwarded automatically without interception or history logging.
 // Invalid patterns are silently skipped.
-func (b *Broker) SetScope(whitelist, blacklist []string) {
-	wl := compilePatterns(whitelist)
-	bl := compilePatterns(blacklist)
-	b.scopeMu.Lock()
-	b.whitelist = wl
-	b.blacklist = bl
-	b.scopeMu.Unlock()
-}
-
-func compilePatterns(patterns []string) []*regexp.Regexp {
-	out := make([]*regexp.Regexp, 0, len(patterns))
+func (b *Broker) SetAutoForwardRegex(patterns []string) {
+	compiled := make([]*regexp.Regexp, 0, len(patterns))
 	for _, p := range patterns {
 		if r, err := regexp.Compile(p); err == nil {
-			out = append(out, r)
+			compiled = append(compiled, r)
 		}
 	}
-	return out
+	b.autoFwdMu.Lock()
+	b.autoFwdRegexes = compiled
+	b.autoFwdMu.Unlock()
 }

-func (b *Broker) matchesScope(f *proxy.Flow) bool {
-	target := f.Request.URL.Host + f.Request.URL.Path
-	b.scopeMu.RLock()
-	wl := b.whitelist
-	bl := b.blacklist
-	b.scopeMu.RUnlock()
-	return scopeMatches(wl, bl, target)
-}
-
-func scopeMatches(wl, bl []*regexp.Regexp, target string) bool {
-	if len(wl) > 0 {
-		matched := false
-		for _, r := range wl {
+func (b *Broker) isAutoForwarded(target string) bool {
+	b.autoFwdMu.RLock()
+	regexes := b.autoFwdRegexes
+	b.autoFwdMu.RUnlock()
+	for _, r := range regexes {
 		if r.MatchString(target) {
-				matched = true
-				break
-			}
-		}
-		if !matched {
-			return false
-		}
-	}
-	for _, r := range bl {
-		if r.MatchString(target) {
-			return false
-		}
-	}
 			return true
+		}
+	}
+	return false
 }

 func (b *Broker) SetDB(d *db.DB) {
@@ -132,7 +104,8 @@ func (b *Broker) SetDB(d *db.DB) {

 // Hold is called from the proxy addon: it blocks until a decision is made in the TUI.
 func (b *Broker) Hold(f *proxy.Flow) Decision {
-	if !b.matchesScope(f) {
+	target := f.Request.URL.Host + f.Request.URL.Path
+	if b.isAutoForwarded(target) {
 		b.outOfScope.Store(f, struct{}{})
 		return Forward
 	}
@@ -168,7 +141,7 @@ func (b *Broker) HoldResponse(f *proxy.Flow) Decision {

 // SaveEntry persists the completed flow to the history DB.
 // It must be called after HoldResponse and before modifying f.Response.
-// Flows that were dropped at the request phase are silently skipped.
+// Flows that were dropped or auto-forwarded are silently skipped.
 func (b *Broker) SaveEntry(f *proxy.Flow) {
 	b.dbMu.RLock()
 	d := b.database
@@ -197,7 +170,7 @@ func (b *Broker) SaveEntry(f *proxy.Flow) {
 			return
 		}
 	}
-	entry, err := d.InsertEntry(db.Entry{
+	pending := db.Entry{
 		Timestamp:   time.Now(),
 		Method:      r.Method,
 		Host:        r.URL.Host,
@@ -205,7 +178,13 @@ func (b *Broker) SaveEntry(f *proxy.Flow) {
 		StatusCode:  status,
 		RequestRaw:  FormatRawRequest(f),
 		ResponseRaw: FormatRawResponse(f),
-	})
+	}
+	if cb := b.onBeforeNewEntry; cb != nil {
+		if !cb(pending) {
+			return
+		}
+	}
+	entry, err := d.InsertEntry(pending)
 	if err == nil {
 		if cb := b.onNewEntry; cb != nil {
 			go cb(entry)
@@ -15,7 +15,8 @@ type GlobalKeyMap struct {
 	Left          key.Binding
 	Right         key.Binding
 	CycleFocus    key.Binding
-	CopyRequest   key.Binding
+	CopyAs        key.Binding
+	Copy          key.Binding
 	Escape        key.Binding
 	SendToReplay  key.Binding
 	ScrollUp      key.Binding
@@ -34,7 +35,8 @@ func newGlobalKeyMap(cfg config.GlobalKeys) GlobalKeyMap {
 		Left:          binding(cfg.Left, "scroll left"),
 		Right:         binding(cfg.Right, "scroll right"),
 		CycleFocus:    binding(cfg.CycleFocus, "cycle focus"),
-		CopyRequest:   binding(cfg.CopyRequest, "copy as..."),
+		CopyAs:        binding(cfg.CopyAs, "copy as..."),
+		Copy:          binding(cfg.Copy, "copy..."),
 		Escape:        key.NewBinding(key.WithKeys("esc"), key.WithHelp("esc", "cancel")),
 		SendToReplay:  binding(cfg.SendToReplay, "send to replay"),
 		ScrollUp:      binding(cfg.ScrollUp, "scroll up"),
@@ -47,7 +49,7 @@ func (g GlobalKeyMap) Bindings() []key.Binding {
 	return []key.Binding{
 		g.Up, g.Down, g.Left, g.Right, g.CycleFocus,
 		g.Quit, g.Escape, g.Help,
-		g.OpenLogs, g.ToggleSidebar, g.CopyRequest,
+		g.OpenLogs, g.ToggleSidebar, g.CopyAs, g.Copy,
 		g.SendToReplay, g.SendToDiff,
 		g.ScrollUp, g.ScrollDown,
 	}
@@ -10,7 +10,7 @@ type InterceptKeyMap struct {
 	ForwardAll      key.Binding
 	Drop            key.Binding
 	DropAll         key.Binding
-	AutoForward     key.Binding
+	ToggleIntercept key.Binding
 	CaptureResponse key.Binding
 	UndoEdits       key.Binding
 	Edit            key.Binding
@@ -23,7 +23,7 @@ func newInterceptKeyMap(cfg config.InterceptKeys) InterceptKeyMap {
 		ForwardAll:      binding(cfg.ForwardAll, "forward all"),
 		Drop:            binding(cfg.Drop, "drop"),
 		DropAll:         binding(cfg.DropAll, "drop all"),
-		AutoForward:     binding(cfg.AutoForward, "auto forward"),
+		ToggleIntercept: binding(cfg.ToggleIntercept, "toggle intercept"),
 		CaptureResponse: binding(cfg.CaptureResponse, "capture response"),
 		UndoEdits:       binding(cfg.UndoEdits, "undo edits"),
 		Edit:            binding(cfg.Edit, "edit"),
@@ -36,6 +36,6 @@ func (ic InterceptKeyMap) Bindings() []key.Binding {
 		ic.Forward, ic.ForwardAll,
 		ic.Drop, ic.DropAll,
 		ic.Edit, ic.EditExternal, ic.UndoEdits,
-		ic.AutoForward, ic.CaptureResponse,
+		ic.ToggleIntercept, ic.CaptureResponse,
 	}
 }
@@ -2,7 +2,6 @@ package plugins

 import (
 	"log"
-	"net/url"
 	"strings"
 	"time"

@@ -27,8 +26,9 @@ func registerUtilities(L *lua.LState, mgr *Manager, p *Plugin) {
 	L.SetGlobal("notif", L.NewFunction(func(L *lua.LState) int {
 		title := L.CheckString(1)
 		body := L.CheckString(2)
+		kind := L.OptString(3, "info")
 		select {
-		case mgr.Notifs <- PluginNotifMsg{Title: title, Body: body}:
+		case mgr.Notifs <- PluginNotifMsg{Title: title, Body: body, Kind: kind}:
 		default:
 		}
 		return 0
@@ -65,23 +65,84 @@ func registerUtilities(L *lua.LState, mgr *Manager, p *Plugin) {
 		return 0
 	}))

-	L.SetGlobal("is_in_scope", L.NewFunction(func(L *lua.LState) int {
-		raw := L.CheckString(1)
-		if mgr.broker == nil {
-			L.Push(lua.LTrue)
-			return 1
+	L.SetGlobal("db_query", L.NewFunction(func(L *lua.LState) int {
+		if mgr.db == nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString("db not available"))
+			return 2
 		}
-		u, err := url.Parse(raw)
+		query := L.CheckString(1)
+		var args []any
+		for i := 2; i <= L.GetTop(); i++ {
+			switch v := L.Get(i).(type) {
+			case lua.LString:
+				args = append(args, string(v))
+			case lua.LNumber:
+				args = append(args, float64(v))
+			case lua.LBool:
+				args = append(args, bool(v))
+			default:
+				args = append(args, nil)
+			}
+		}
+		rows, err := mgr.db.Query(query, args...)
 		if err != nil {
-			L.Push(lua.LFalse)
-			return 1
+			L.Push(lua.LNil)
+			L.Push(lua.LString(err.Error()))
+			return 2
 		}
-		path := u.Path
-		if path == "" {
-			path = "/"
+		defer rows.Close()
+		cols, err := rows.Columns()
+		if err != nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString(err.Error()))
+			return 2
 		}
-		L.Push(lua.LBool(mgr.broker.IsInScope(u.Host + path)))
-		return 1
+		result := L.NewTable()
+		rowIdx := 1
+		for rows.Next() {
+			vals := make([]any, len(cols))
+			ptrs := make([]any, len(cols))
+			for i := range vals {
+				ptrs[i] = &vals[i]
+			}
+			if err := rows.Scan(ptrs...); err != nil {
+				L.Push(lua.LNil)
+				L.Push(lua.LString(err.Error()))
+				return 2
+			}
+			row := L.NewTable()
+			for i, col := range cols {
+				switch v := vals[i].(type) {
+				case int64:
+					L.SetField(row, col, lua.LNumber(v))
+				case float64:
+					L.SetField(row, col, lua.LNumber(v))
+				case string:
+					L.SetField(row, col, lua.LString(v))
+				case []byte:
+					L.SetField(row, col, lua.LString(string(v)))
+				case bool:
+					if v {
+						L.SetField(row, col, lua.LTrue)
+					} else {
+						L.SetField(row, col, lua.LFalse)
+					}
+				case nil:
+					L.SetField(row, col, lua.LNil)
+				}
+			}
+			L.RawSetInt(result, rowIdx, row)
+			rowIdx++
+		}
+		if err := rows.Err(); err != nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString(err.Error()))
+			return 2
+		}
+		L.Push(result)
+		L.Push(lua.LNil)
+		return 2
 	}))

 	L.SetGlobal("quit", L.NewFunction(func(L *lua.LState) int {
@@ -5,6 +5,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"sync"

@@ -32,7 +33,8 @@ func NewManager(broker *intercept.Broker) *Manager {
 		Quit:   make(chan string, 4),
 	}
 	if broker != nil {
-		broker.SetOnNewEntry(mgr.RunOnHistoryEntry)
+		broker.SetOnBeforeNewEntry(mgr.RunSyncOnHistoryEntry)
+		broker.SetOnNewEntry(mgr.RunAsyncOnHistoryEntry)
 	}
 	return mgr
 }
@@ -107,27 +109,41 @@ func (m *Manager) loadPlugin(path string) (*Plugin, error) {
 		p.Name = strings.TrimSuffix(filepath.Base(path), ".lua")
 	}

-	// Defaults when not overridden by the Plugin table.
-	hookDefaults := map[string]bool{
-		"on_start":         true,  // always sync
-		"on_request":       false, // async
-		"on_response":      false, // async
-		"on_quit":          true,  // always sync
-		"on_history_entry": false, // always async
+	if s, ok := pluginTable.RawGetString("description").(lua.LString); ok {
+		p.Description = string(s)
 	}
-	for hookName, defaultSync := range hookDefaults {
-		// Plugin table entry overrides the default (except on_start/on_quit/on_history_entry which are fixed).
-		if hookName != "on_start" && hookName != "on_quit" && hookName != "on_history_entry" {
+
+	if n, ok := pluginTable.RawGetString("priority").(lua.LNumber); ok {
+		p.Priority = int(n)
+	}
+
+	// Hooks configurable via the Plugin table (sync field).
+	configurableHooks := map[string]bool{
+		"on_start":         false, // async by default
+		"on_request":       false,
+		"on_response":      false,
+		"on_history_entry": false,
+	}
+	// Fixed-sync hooks: always sync, not configurable.
+	fixedSyncHooks := map[string]struct{}{
+		"on_config": {},
+		"on_quit":   {},
+	}
+
+	for hookName, defaultSync := range configurableHooks {
 		if tbl, ok := pluginTable.RawGetString(hookName).(*lua.LTable); ok {
 			p.hooks[hookName] = HookConfig{Sync: tbl.RawGetString("sync") == lua.LTrue}
 			continue
 		}
-		}
-		// Auto-detect: register the hook if the function exists as a global.
 		if p.L.GetGlobal(hookName) != lua.LNil {
 			p.hooks[hookName] = HookConfig{Sync: defaultSync}
 		}
 	}
+	for hookName := range fixedSyncHooks {
+		if p.L.GetGlobal(hookName) != lua.LNil {
+			p.hooks[hookName] = HookConfig{Sync: true}
+		}
+	}

 	return p, nil
 }
@@ -137,6 +153,7 @@ func (m *Manager) GetPlugins() []*Plugin {
 	defer m.mu.RUnlock()
 	out := make([]*Plugin, len(m.plugins))
 	copy(out, m.plugins)
+	sort.Slice(out, func(i, j int) bool { return out[i].Priority > out[j].Priority })
 	return out
 }

@@ -179,45 +196,61 @@ func (m *Manager) SaveConfig(name, configText string) {
 	found.mu.Lock()
 	found.ConfigText = configText
 	enabled := found.Enabled
-	hc, hasOnStart := found.hooks["on_start"]
+	_, hasOnConfig := found.hooks["on_config"]
 	found.mu.Unlock()
 	if m.db != nil {
 		_ = m.db.SavePluginState(name, enabled, configText)
 	}
-	if !hasOnStart {
+	if !hasOnConfig {
 		return
 	}
-	// Re-run on_start so the plugin can re-parse the new config.
-	if hc.Sync {
+	// on_config is always sync.
 	found.mu.Lock()
-		if _, err := callHook(found, "on_start", lua.LString(configText)); err != nil {
-			log.Printf("plugin %s on_start (config reload): %v", name, err)
+	if _, err := callHook(found, "on_config", lua.LString(configText)); err != nil {
+		log.Printf("plugin %s on_config (config reload): %v", name, err)
 	}
 	found.mu.Unlock()
-	} else {
-		go func() {
-			found.mu.Lock()
-			if _, err := callHook(found, "on_start", lua.LString(configText)); err != nil {
-				log.Printf("plugin %s on_start (config reload): %v", name, err)
-			}
-			found.mu.Unlock()
-		}()
-	}
 }

 func (m *Manager) RunOnStart() {
+	// on_config runs first, always sync, for every enabled plugin that has it.
 	for _, p := range m.GetPlugins() {
 		if !p.Enabled {
 			continue
 		}
-		if _, ok := p.hooks["on_start"]; !ok {
+		if _, ok := p.hooks["on_config"]; !ok {
 			continue
 		}
 		p.mu.Lock()
-		if _, err := callHook(p, "on_start", lua.LString(p.ConfigText)); err != nil {
+		if _, err := callHook(p, "on_config", lua.LString(p.ConfigText)); err != nil {
+			log.Printf("plugin %s on_config: %v", p.Name, err)
+		}
+		p.mu.Unlock()
+	}
+	// on_start runs after, sync or async depending on plugin config.
+	for _, p := range m.GetPlugins() {
+		if !p.Enabled {
+			continue
+		}
+		hc, ok := p.hooks["on_start"]
+		if !ok {
+			continue
+		}
+		if hc.Sync {
+			p.mu.Lock()
+			if _, err := callHook(p, "on_start"); err != nil {
 				log.Printf("plugin %s on_start: %v", p.Name, err)
 			}
 			p.mu.Unlock()
+		} else {
+			go func(p *Plugin) {
+				p.mu.Lock()
+				if _, err := callHook(p, "on_start"); err != nil {
+					log.Printf("plugin %s on_start: %v", p.Name, err)
+				}
+				p.mu.Unlock()
+			}(p)
+		}
 	}
 }

@@ -327,12 +360,37 @@ func (m *Manager) RunAsyncOnResponse(f *goproxy.Flow) {
 	}
 }

-func (m *Manager) RunOnHistoryEntry(e db.Entry) {
+// RunSyncOnHistoryEntry is called before DB insert; returns false to skip saving.
+func (m *Manager) RunSyncOnHistoryEntry(e db.Entry) bool {
 	for _, p := range m.GetPlugins() {
 		if !p.Enabled {
 			continue
 		}
-		if _, ok := p.hooks["on_history_entry"]; !ok {
+		hc, ok := p.hooks["on_history_entry"]
+		if !ok || !hc.Sync {
+			continue
+		}
+		p.mu.Lock()
+		result, err := callHook(p, "on_history_entry", pushEntry(p.L, e))
+		p.mu.Unlock()
+		if err != nil {
+			log.Printf("plugin %s on_history_entry: %v", p.Name, err)
+			continue
+		}
+		if result == "skip" {
+			return false
+		}
+	}
+	return true
+}
+
+func (m *Manager) RunAsyncOnHistoryEntry(e db.Entry) {
+	for _, p := range m.GetPlugins() {
+		if !p.Enabled {
+			continue
+		}
+		hc, ok := p.hooks["on_history_entry"]
+		if !ok || hc.Sync {
 			continue
 		}
 		go func(p *Plugin) {
@@ -12,9 +12,11 @@ type HookConfig struct {

 type Plugin struct {
 	Name        string
+	Description string
 	FilePath    string
 	Enabled     bool
 	ConfigText  string
+	Priority    int

 	L     *lua.LState
 	mu    sync.Mutex
@@ -36,22 +38,31 @@ func (p *Plugin) HookConfig(name string) (HookConfig, bool) {

 type Info struct {
 	Name        string
+	Description string
 	FilePath    string
 	Enabled     bool
 	ConfigText  string
+	Priority    int
 	Hooks       map[string]HookConfig
 }

 func (p *Plugin) Info() Info {
+	p.mu.Lock()
+	enabled := p.Enabled
+	configText := p.ConfigText
+	p.mu.Unlock()
+
 	hooks := make(map[string]HookConfig, len(p.hooks))
 	for k, v := range p.hooks {
 		hooks[k] = v
 	}
 	return Info{
 		Name:        p.Name,
+		Description: p.Description,
 		FilePath:    p.FilePath,
-		Enabled:    p.Enabled,
-		ConfigText: p.ConfigText,
+		Enabled:     enabled,
+		ConfigText:  configText,
+		Priority:    p.Priority,
 		Hooks:       hooks,
 	}
 }
@@ -59,6 +70,7 @@ func (p *Plugin) Info() Info {
 type PluginNotifMsg struct {
 	Title string
 	Body  string
+	Kind  string // "info", "success", "warning", "error"
 }

 type PluginQuitMsg struct {
@@ -108,6 +108,7 @@ func Start(broker *intercept.Broker, mgr *plugins.Manager) error {
 		Addr:              addr,
 		StreamLargeBodies: 1024 * 1024 * 5,
 		CaRootPath:        caPath,
+		Upstream:          cfg.UpstreamProxy,
 	}

 	p, err := goproxy.NewProxy(opts)
@@ -36,8 +36,8 @@ func RenderWithTitle(border lipgloss.Style, title, content string, width, height
 	if fillW < 0 {
 		fillW = 0
 	}
-	topLine := "╭" + label + strings.Repeat("─", fillW) + "╮"
-	topLine = lipgloss.NewStyle().Foreground(border.GetBorderTopForeground()).Render(topLine)
+	bc := lipgloss.NewStyle().Foreground(border.GetBorderTopForeground())
+	topLine := bc.Render("╭ ") + bc.Render(title) + bc.Render(" "+strings.Repeat("─", fillW)+"╮")

 	return lipgloss.JoinVertical(lipgloss.Left, topLine, box)
 }
@@ -28,15 +28,20 @@ func NewTextarea(showLineNumbers bool) textarea.Model {
 	ta.Prompt = ""
 	ta.ShowLineNumbers = showLineNumbers
 	ta.CharLimit = 0
+	ta.EndOfBufferCharacter = '~'
 	ts := ta.Styles()
 	ts.Focused.Base = lipgloss.NewStyle()
 	ts.Blurred.Base = lipgloss.NewStyle()
+	ts.Focused.Text = lipgloss.NewStyle().Foreground(S.Text)
 	ts.Focused.CursorLine = lipgloss.NewStyle().Background(S.Selection).Foreground(S.Text)
+	ts.Focused.CursorLineNumber = lipgloss.NewStyle().Background(S.Selection).Foreground(S.Primary).Bold(true)
+	ts.Focused.LineNumber = lipgloss.NewStyle().Foreground(S.Subtle)
 	ts.Focused.Placeholder = lipgloss.NewStyle().Foreground(S.Subtle)
-	ts.Blurred.Placeholder = lipgloss.NewStyle().Foreground(S.Subtle)
 	ts.Focused.EndOfBuffer = lipgloss.NewStyle().Foreground(S.SubtleBg)
-	ts.Blurred.EndOfBuffer = lipgloss.NewStyle().Foreground(S.SubtleBg)
 	ts.Blurred.Text = lipgloss.NewStyle().Foreground(S.MutedFg)
+	ts.Blurred.LineNumber = lipgloss.NewStyle().Foreground(S.SubtleBg)
+	ts.Blurred.Placeholder = lipgloss.NewStyle().Foreground(S.Subtle)
+	ts.Blurred.EndOfBuffer = lipgloss.NewStyle().Foreground(S.SubtleBg)
 	ta.SetStyles(ts)
 	return ta
 }
@@ -24,6 +24,7 @@ type Styles struct {

 	Panel        lipgloss.Style
 	PanelFocused lipgloss.Style
+	PanelEditing lipgloss.Style

 	PagerDotActive   string
 	PagerDotInactive string
@@ -43,6 +44,7 @@ func Init(cfg *config.Config) {
 	warning := lipgloss.Color("#" + c.Base09)   // Orange: warnings
 	success := lipgloss.Color("#" + c.Base0B)   // Green: success
 	primary := lipgloss.Color("#" + c.Base0D)   // Accent: primary
+	purple := lipgloss.Color("#" + c.Base0E)    // Purple: editing

 	S = &Styles{
 		Primary:   primary,
@@ -66,6 +68,10 @@ func Init(cfg *config.Config) {
 			Border(lipgloss.RoundedBorder()).
 			BorderForeground(primary),

+		PanelEditing: lipgloss.NewStyle().
+			Border(lipgloss.RoundedBorder()).
+			BorderForeground(purple),
+
 		PagerDotActive:   lipgloss.NewStyle().Foreground(primary).SetString("•").String(),
 		PagerDotInactive: lipgloss.NewStyle().Foreground(subtle).SetString("•").String(),
 	}
@@ -13,6 +13,7 @@ import (
 	"github.com/anotherhadi/spilltea/internal/intercept"
 	"github.com/anotherhadi/spilltea/internal/plugins"
 	proxyPkg "github.com/anotherhadi/spilltea/internal/proxy"
+	copyUI "github.com/anotherhadi/spilltea/internal/ui/components/copy"
 	copyasUI "github.com/anotherhadi/spilltea/internal/ui/components/copyas"
 	notificationsUI "github.com/anotherhadi/spilltea/internal/ui/components/notifications"
 	diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
@@ -22,7 +23,6 @@ import (
 	interceptUI "github.com/anotherhadi/spilltea/internal/ui/intercept"
 	pluginsUI "github.com/anotherhadi/spilltea/internal/ui/plugins"
 	replayUI "github.com/anotherhadi/spilltea/internal/ui/replay"
-	scopeUI "github.com/anotherhadi/spilltea/internal/ui/scope"
 	"github.com/sirupsen/logrus"
 )

@@ -64,10 +64,10 @@ type Model struct {
 	replay        replayUI.Model
 	diff          diffUI.Model
 	docs          docsUI.Model
-	scope         scopeUI.Model
 	pluginsPage   pluginsUI.Model
 	findingsPage  findingsUI.Model
 	copyAs        copyasUI.Model
+	copy          copyUI.Model
 	notifications notificationsUI.Model
 }

@@ -86,10 +86,10 @@ func New(broker *intercept.Broker, name, path string) Model {
 		replay:        replayUI.New(),
 		diff:          diffUI.New(),
 		docs:          docsUI.New(),
-		scope:         scopeUI.New(name, path),
 		pluginsPage:   pluginsUI.New(mgr),
 		findingsPage:  findingsUI.New(),
 		copyAs:        copyasUI.New(),
+		copy:          copyUI.New(),
 		notifications: notificationsUI.New(),
 		sidebarState:  sidebarState(cfg.TUI.DefaultSidebarState),
 	}
@@ -101,10 +101,6 @@ func New(broker *intercept.Broker, name, path string) Model {
 		m.replay.SetDB(d)
 		m.findingsPage.SetDB(d)
 		mgr.SetDB(d)
-		if wl, bl, err := d.LoadScope(); err == nil {
-			broker.SetScope(wl, bl)
-			m.scope.SetScope(wl, bl)
-		}
 	}

 	pluginsDir := config.ExpandPath(cfg.App.PluginsDir)
@@ -10,7 +10,6 @@ import (
 	interceptUI "github.com/anotherhadi/spilltea/internal/ui/intercept"
 	pluginsUI "github.com/anotherhadi/spilltea/internal/ui/plugins"
 	replayUI "github.com/anotherhadi/spilltea/internal/ui/replay"
-	scopeUI "github.com/anotherhadi/spilltea/internal/ui/scope"
 )

 type page string
@@ -20,7 +19,6 @@ const (
 	pageHistory   page = "History"
 	pageReplay    page = "Replay"
 	pageDiff      page = "Diff"
-	pageScopes    page = "Scopes"
 	pagePlugins   page = "Plugins"
 	pageFindings  page = "Findings"
 	pageDocs      page = "Docs"
@@ -93,19 +91,6 @@ var pageRegistry = []pageEntry{
 		},
 		resize: func(m *Model, w, h int) { m.diff.SetSize(w, h) },
 	},
-	{
-		id:   pageScopes,
-		icon: func() string { return icons.I.Scope },
-
-		render: func(m *Model) string { return m.scope.View().Content },
-		update: func(m *Model, msg tea.Msg) tea.Cmd {
-			updated, cmd := m.scope.Update(msg)
-			m.scope = updated.(scopeUI.Model)
-			return cmd
-		},
-		isEditing: func(m *Model) bool { return m.scope.IsEditing() },
-		resize:    func(m *Model, w, h int) { m.scope.SetSize(w, h) },
-	},
 	{
 		id:   pagePlugins,
 		icon: func() string { return icons.I.Plugin },
@@ -13,6 +13,7 @@ import (
 	"github.com/anotherhadi/spilltea/internal/keys"
 	"github.com/anotherhadi/spilltea/internal/plugins"
 	proxyPkg "github.com/anotherhadi/spilltea/internal/proxy"
+	copyUI "github.com/anotherhadi/spilltea/internal/ui/components/copy"
 	copyasUI "github.com/anotherhadi/spilltea/internal/ui/components/copyas"
 	notificationsUI "github.com/anotherhadi/spilltea/internal/ui/components/notifications"
 	diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
@@ -20,7 +21,6 @@ import (
 	historyUI "github.com/anotherhadi/spilltea/internal/ui/history"
 	interceptUI "github.com/anotherhadi/spilltea/internal/ui/intercept"
 	replayUI "github.com/anotherhadi/spilltea/internal/ui/replay"
-	scopeUI "github.com/anotherhadi/spilltea/internal/ui/scope"
 )

 func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
@@ -45,11 +45,20 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {

 	case plugins.PluginNotifMsg:
 		cmd := plugins.WaitForNotif(m.pluginManager)
+		kind := notificationsUI.KindInfo
+		switch msg.Kind {
+		case "success":
+			kind = notificationsUI.KindSuccess
+		case "warning":
+			kind = notificationsUI.KindWarning
+		case "error":
+			kind = notificationsUI.KindError
+		}
 		notifCmd := func() tea.Msg {
 			return notificationsUI.NotificationMsg{
 				Title: msg.Title,
 				Body:  msg.Body,
-				Kind:  notificationsUI.KindInfo,
+				Kind:  kind,
 			}
 		}
 		return m, tea.Batch(cmd, notifCmd)
@@ -73,21 +82,25 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m, cmd
 	}

+	if m.copy.IsOpen() {
+		if ws, ok := msg.(tea.WindowSizeMsg); ok {
+			m.width = ws.Width
+			m.height = ws.Height
+			m.copy.SetSize(ws.Width, ws.Height)
+			m.resizeChildren()
+			return m, nil
+		}
+		var cmd tea.Cmd
+		m.copy, cmd = m.copy.Update(msg)
+		return m, cmd
+	}
+
 	switch msg := msg.(type) {
 	case tea.WindowSizeMsg:
 		m.width = msg.Width
 		m.height = msg.Height
 		m.resizeChildren()

-	case scopeUI.ScopeChangedMsg:
-		m.broker.SetScope(msg.Whitelist, msg.Blacklist)
-		if m.database != nil {
-			if err := m.database.SaveScope(msg.Whitelist, msg.Blacklist); err != nil {
-				log.Printf("failed to persist scope: %v", err)
-			}
-		}
-		return m, nil
-
 	case proxyPkg.ErrMsg:
 		if msg.Err != nil {
 			log.Printf("proxy error: %v", msg.Err)
@@ -162,7 +175,7 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {

 		if !m.activeIsEditing() {
 			switch {
-			case key.Matches(msg, keys.Keys.Global.CopyRequest):
+			case key.Matches(msg, keys.Keys.Global.CopyAs):
 				if m.page == pageDiff {
 					if raw := m.diff.CurrentRaw(); raw != "" {
 						m.copyAs.SetSize(m.width, m.height)
@@ -182,6 +195,28 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 				}
 				return m, nil

+			case key.Matches(msg, keys.Keys.Global.Copy):
+				var raw, scheme string
+				switch m.page {
+				case pageIntercept:
+					raw = m.intercept.CurrentRaw()
+					scheme = m.intercept.CurrentScheme()
+				case pageDiff:
+					raw = m.diff.CurrentRaw()
+					scheme = "https"
+				case pageHistory:
+					raw = m.history.CurrentRaw()
+					scheme = m.history.CurrentScheme()
+				case pageReplay:
+					raw = m.replay.CurrentRaw()
+					scheme = m.replay.CurrentScheme()
+				}
+				if raw != "" {
+					m.copy.SetSize(m.width, m.height)
+					m.copy.Open(copyUI.OpenMsg{RawRequest: raw, Scheme: scheme})
+				}
+				return m, nil
+
 			case key.Matches(msg, keys.Keys.Global.ToggleSidebar):
 				m.cycleSidebarState()
 				m.resizeChildren()
@@ -22,6 +22,13 @@ func (m Model) View() tea.View {
 		return v
 	}

+	if m.copy.IsOpen() {
+		v := tea.NewView(m.copy.View(normal))
+		v.AltScreen = true
+		v.MouseMode = tea.MouseModeCellMotion
+		return v
+	}
+
 	rendered := normal
 	if m.notifications.HasNotifications() {
 		rendered = m.notifications.View(normal)
@@ -0,0 +1,165 @@
+package copy
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strings"
+
+	"charm.land/bubbles/v2/list"
+	tea "charm.land/bubbletea/v2"
+	"charm.land/lipgloss/v2"
+	"github.com/anotherhadi/spilltea/internal/style"
+)
+
+const popupInnerW = 40
+
+func writeClipboard(text string) {
+	encoded := base64.StdEncoding.EncodeToString([]byte(text))
+	fmt.Fprintf(os.Stderr, "\033]52;c;%s\a", encoded)
+}
+
+type OpenMsg struct {
+	RawRequest string
+	Scheme     string
+}
+
+type copyItem struct {
+	id    string
+	title string
+	desc  string
+}
+
+func (c copyItem) Title() string       { return c.title }
+func (c copyItem) Description() string { return c.desc }
+func (c copyItem) FilterValue() string { return c.title }
+
+var allItems = []list.Item{
+	copyItem{"raw", "Raw", "full HTTP request"},
+	copyItem{"headers", "Headers", "request headers only"},
+	copyItem{"body", "Body", "request body only"},
+	copyItem{"url", "URL", "request URL"},
+}
+
+type Model struct {
+	open       bool
+	list       list.Model
+	rawRequest string
+	scheme     string
+	width      int
+	height     int
+}
+
+func New() Model {
+	s := style.S
+
+	delegate := list.NewDefaultDelegate()
+	delegate.SetSpacing(0)
+	delegate.Styles.NormalTitle = lipgloss.NewStyle().Foreground(s.Text).PaddingLeft(2)
+	delegate.Styles.NormalDesc = lipgloss.NewStyle().Foreground(s.Subtle).PaddingLeft(2)
+	delegate.Styles.SelectedTitle = lipgloss.NewStyle().
+		Border(lipgloss.NormalBorder(), false, false, false, true).
+		BorderForeground(s.Primary).
+		Foreground(s.Primary).Bold(true).PaddingLeft(1)
+	delegate.Styles.SelectedDesc = lipgloss.NewStyle().
+		Border(lipgloss.NormalBorder(), false, false, false, true).
+		BorderForeground(s.Primary).
+		Foreground(s.MutedFg).PaddingLeft(1)
+
+	l := list.New(allItems, delegate, popupInnerW, 8)
+	l.SetShowTitle(false)
+	l.SetShowStatusBar(false)
+	l.SetShowHelp(false)
+	l.SetFilteringEnabled(true)
+	l.KeyMap.Quit.SetEnabled(false)
+	l.KeyMap.ForceQuit.SetEnabled(false)
+	l.KeyMap.ShowFullHelp.SetEnabled(false)
+	l.KeyMap.CloseFullHelp.SetEnabled(false)
+
+	return Model{list: l}
+}
+
+func (m Model) Init() tea.Cmd { return nil }
+
+func (m Model) IsOpen() bool { return m.open }
+
+func (m *Model) Open(msg OpenMsg) {
+	m.rawRequest = msg.RawRequest
+	m.scheme = msg.Scheme
+	m.open = true
+	m.list.ResetFilter()
+	m.list.Select(0)
+	m.list.SetSize(popupInnerW, m.listHeight())
+}
+
+func (m *Model) SetSize(w, h int) {
+	m.width = w
+	m.height = h
+	m.list.SetSize(popupInnerW, m.listHeight())
+}
+
+func (m Model) popupHeight() int {
+	h := 12
+	if m.height > 0 && m.height-4 < h {
+		h = m.height - 4
+	}
+	if h < 6 {
+		h = 6
+	}
+	return h
+}
+
+func (m Model) listHeight() int {
+	return style.PanelContentH(m.popupHeight()) - 1
+}
+
+func (m Model) extract(id string) string {
+	raw := m.rawRequest
+	lines := strings.Split(strings.ReplaceAll(raw, "\r\n", "\n"), "\n")
+
+	switch id {
+	case "raw":
+		return raw
+
+	case "headers":
+		var sb strings.Builder
+		for _, l := range lines[1:] {
+			if l == "" {
+				break
+			}
+			sb.WriteString(l + "\n")
+		}
+		return strings.TrimRight(sb.String(), "\n")
+
+	case "body":
+		for i, l := range lines {
+			if l == "" && i > 0 {
+				return strings.TrimRight(strings.Join(lines[i+1:], "\n"), "\n")
+			}
+		}
+		return ""
+
+	case "url":
+		scheme := m.scheme
+		if scheme == "" {
+			scheme = "https"
+		}
+		var host, path string
+		if len(lines) > 0 {
+			parts := strings.SplitN(lines[0], " ", 3)
+			if len(parts) >= 2 {
+				path = parts[1]
+			}
+		}
+		for _, l := range lines[1:] {
+			if l == "" {
+				break
+			}
+			if kv := strings.SplitN(l, ": ", 2); len(kv) == 2 && strings.EqualFold(kv[0], "host") {
+				host = strings.TrimSpace(kv[1])
+			}
+		}
+		return scheme + "://" + host + path
+	}
+	return raw
+}
@@ -0,0 +1,30 @@
+package copy
+
+import (
+	"charm.land/bubbles/v2/key"
+	tea "charm.land/bubbletea/v2"
+	"github.com/anotherhadi/spilltea/internal/keys"
+)
+
+func (m Model) Update(msg tea.Msg) (Model, tea.Cmd) {
+	if kp, ok := msg.(tea.KeyPressMsg); ok {
+		switch {
+		case kp.String() == "enter":
+			if item, ok := m.list.SelectedItem().(copyItem); ok {
+				writeClipboard(m.extract(item.id))
+			}
+			m.open = false
+			return m, nil
+		case key.Matches(kp, keys.Keys.Global.Escape):
+			if m.list.SettingFilter() {
+				break
+			}
+			m.open = false
+			return m, nil
+		}
+	}
+
+	var cmd tea.Cmd
+	m.list, cmd = m.list.Update(msg)
+	return m, cmd
+}
@@ -0,0 +1,28 @@
+package copy
+
+import (
+	"charm.land/lipgloss/v2"
+	"github.com/anotherhadi/spilltea/internal/style"
+	copyasUI "github.com/anotherhadi/spilltea/internal/ui/components/copyas"
+)
+
+func (m *Model) View(background string) string {
+	s := style.S
+
+	hint := lipgloss.NewStyle().Foreground(s.Subtle).
+		Render("  enter: copy  •  /: filter  •  esc: cancel")
+
+	inner := lipgloss.JoinVertical(lipgloss.Left,
+		m.list.View(),
+		hint,
+	)
+
+	border := lipgloss.NewStyle().
+		Border(lipgloss.RoundedBorder()).
+		BorderForeground(s.Primary)
+
+	popupH := m.popupHeight()
+	popup := style.RenderWithTitle(border, "Copy", inner, popupInnerW+2, popupH)
+
+	return copyasUI.OverlayCenter(background, popup, m.width, m.height)
+}
@@ -66,6 +66,8 @@ func (pr parsedRequest) fullURL() string {
 func formatAs(id, raw, scheme string) string {
 	pr := parseRaw(raw, scheme)
 	switch id {
+	case "raw":
+		return raw
 	case "curl":
 		return toCurl(pr)
 	case "python":
@@ -36,6 +36,7 @@ func (f formatItem) Description() string { return f.desc }
 func (f formatItem) FilterValue() string { return f.title }

 var allFormats = []list.Item{
+	formatItem{"raw", "Raw", "raw HTTP request"},
 	formatItem{"curl", "cURL", "command line HTTP request"},
 	formatItem{"python", "Python", "requests library"},
 	formatItem{"go", "Go", "net/http package"},
@@ -26,10 +26,10 @@ func (m *Model) View(background string) string {
 	popupH := m.popupHeight()
 	popup := style.RenderWithTitle(border, "Copy as", inner, popupInnerW+2, popupH)

-	return overlayCenter(background, popup, m.width, m.height)
+	return OverlayCenter(background, popup, m.width, m.height)
 }

-func overlayCenter(bg, popup string, w, h int) string {
+func OverlayCenter(bg, popup string, w, h int) string {
 	s := style.S

 	stripped := ansi.Strip(bg)
@@ -221,16 +221,16 @@ func lcsAlignedDiff(a, b, aHL, bHL []string) (left, right []diffLine) {
 	for i > 0 || j > 0 {
 		switch {
 		case i > 0 && j > 0 && a[i-1] == b[j-1]:
-			left = append(left, diffLine{text: hlA(i-1), kind: lineUnchanged})
-			right = append(right, diffLine{text: hlB(j-1), kind: lineUnchanged})
+			left = append(left, diffLine{text: hlA(i - 1), kind: lineUnchanged})
+			right = append(right, diffLine{text: hlB(j - 1), kind: lineUnchanged})
 			i--
 			j--
 		case j > 0 && (i == 0 || dp[i][j-1] >= dp[i-1][j]):
 			left = append(left, diffLine{kind: lineAdded})
-			right = append(right, diffLine{text: hlB(j-1), kind: lineAdded})
+			right = append(right, diffLine{text: hlB(j - 1), kind: lineAdded})
 			j--
 		default:
-			left = append(left, diffLine{text: hlA(i-1), kind: lineRemoved})
+			left = append(left, diffLine{text: hlA(i - 1), kind: lineRemoved})
 			right = append(right, diffLine{kind: lineRemoved})
 			i--
 		}
@@ -19,7 +19,6 @@ var contentMarkdown = strings.Join([]string{
 	readDoc("proxy.md"),
 	readDoc("certificate.md"),
 	readDoc("history.md"),
-	readDoc("scopes.md"),
 }, "\n")

 type Model struct {
@@ -55,6 +55,15 @@ func (m Model) IsEditing() bool {
 	return m.searchKind != searchKindOff && !m.searchAccepted
 }

+func (m Model) CurrentRaw() string {
+	if len(m.entries) == 0 || m.cursor >= len(m.entries) {
+		return ""
+	}
+	return m.entries[m.cursor].RequestRaw
+}
+
+func (m Model) CurrentScheme() string { return "https" }
+
 // RefreshCmd returns the appropriate load command given the current search state.
 // The app model should call this instead of LoadEntriesCmd directly so that
 // background refreshes re-run the active search rather than resetting it.
@@ -29,7 +29,7 @@ type Model struct {
 	responseCursor  int

 	editing              bool
-	autoForward         bool
+	interceptEnabled     bool
 	pendingEdits         map[*intercept.PendingRequest]string
 	pendingResponseEdits map[*intercept.PendingResponse]string

@@ -60,7 +60,7 @@ func New(broker *intercept.Broker) Model {

 	return Model{
 		broker:               broker,
-		autoForward:     cfg.Intercept.DefaultAutoForward,
+		interceptEnabled:     cfg.Intercept.DefaultInterceptEnabled,
 		captureResponse:      cfg.Intercept.DefaultCaptureResponse,
 		listViewport:         lv,
 		responseViewport:     rv,
@@ -115,4 +115,3 @@ func (m *Model) SetSize(w, h int) {
 	m.height = h
 	m.recalcSizes()
 }
-
@@ -5,17 +5,27 @@ import (
 	tea "charm.land/bubbletea/v2"
 	"github.com/anotherhadi/spilltea/internal/intercept"
 	"github.com/anotherhadi/spilltea/internal/keys"
-	"github.com/anotherhadi/spilltea/internal/util"
 	diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
 	replayUI "github.com/anotherhadi/spilltea/internal/ui/replay"
+	"github.com/anotherhadi/spilltea/internal/util"
 )

 func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	var cmds []tea.Cmd

+	// Route non-key messages to textarea when editing so internal
+	// textarea messages (e.g. clipboard paste) are handled correctly.
+	if m.editing {
+		if _, ok := msg.(tea.KeyPressMsg); !ok {
+			var taCmd tea.Cmd
+			m.textarea, taCmd = m.textarea.Update(msg)
+			cmds = append(cmds, taCmd)
+		}
+	}
+
 	switch msg := msg.(type) {
 	case intercept.RequestArrivedMsg:
-		if m.autoForward {
+		if !m.interceptEnabled {
 			m.broker.Decide(msg.Req, intercept.Forward)
 			break
 		}
@@ -152,9 +162,9 @@ func (m Model) updateNormalMode(msg tea.KeyPressMsg, cmds *[]tea.Cmd) (tea.Model
 			}
 		}

-	case key.Matches(msg, keys.Keys.Intercept.AutoForward):
-		m.autoForward = !m.autoForward
-		if m.autoForward {
+	case key.Matches(msg, keys.Keys.Intercept.ToggleIntercept):
+		m.interceptEnabled = !m.interceptEnabled
+		if !m.interceptEnabled {
 			for len(m.queue) > 0 {
 				m.applyAndDecide(intercept.Forward)
 			}
@@ -52,8 +52,8 @@ func (m *Model) renderListPanel(w, h int) string {
 	)

 	title := icons.I.Request + "Requests"
-	if m.autoForward {
-		title += " [auto forward]"
+	if !m.interceptEnabled {
+		title += " " + lipgloss.NewStyle().Foreground(style.S.Error).Render("[intercept off]")
 	}
 	return style.RenderWithTitle(border, title, inner, w, h)
 }
@@ -1,7 +1,6 @@
 package plugins

 import (
-	"os"
 	"strings"

 	"charm.land/bubbles/v2/help"
@@ -25,6 +24,7 @@ type Model struct {
 	filtered []plugins.Info

 	listViewport   viewport.Model
+	detailViewport viewport.Model
 	textarea       textarea.Model
 	filterInput    textinput.Model
 	filtering      bool
@@ -36,7 +36,7 @@ type Model struct {
 }

 func New(mgr *plugins.Manager) Model {
-	ta := style.NewTextarea(false)
+	ta := style.NewTextarea(true)
 	ta.Placeholder = "plugin configuration..."
 	ta.Blur()

@@ -46,6 +46,7 @@ func New(mgr *plugins.Manager) Model {
 	return Model{
 		manager:        mgr,
 		listViewport:   style.NewViewport(),
+		detailViewport: style.NewViewport(),
 		textarea:       ta,
 		filterInput:    fi,
 		pager:          style.NewPaginator(),
@@ -88,10 +89,27 @@ func (m *Model) recalcSizes() {
 	}

 	m.filterInput.SetWidth(inner - 2)
+
+	detailContentH := style.PanelContentH(detailH)
+	const headerH = 2
+	const configFixedH = 2 // blank line + label line
+	textareaH := max(3, detailContentH/3)
+	if textareaH > 12 {
+		textareaH = 12
+	}
+	configTotalH := 0
+	if m.hasConfig() {
+		configTotalH = configFixedH + textareaH
+	}
+	descVH := max(1, detailContentH-headerH-configTotalH)
+
+	m.detailViewport.SetWidth(inner)
+	m.detailViewport.SetHeight(descVH)
 	m.textarea.SetWidth(max(1, inner-2))
-	m.textarea.SetHeight(max(3, detailH-6))
+	m.textarea.SetHeight(max(3, textareaH))

 	m.refreshListViewport()
+	m.syncDetailViewport()
 }

 // Refresh reloads the plugin list from the manager.
@@ -126,6 +144,7 @@ func (m *Model) applyFilter() {
 	}
 	m.refreshListViewport()
 	m.syncTextarea()
+	m.syncDetailViewport()
 }

 func (m *Model) selected() (plugins.Info, bool) {
@@ -135,6 +154,15 @@ func (m *Model) selected() (plugins.Info, bool) {
 	return m.filtered[m.cursor], true
 }

+func (m *Model) hasConfig() bool {
+	info, ok := m.selected()
+	if !ok {
+		return false
+	}
+	_, has := info.Hooks["on_config"]
+	return has
+}
+
 func (m *Model) syncTextarea() {
 	if m.editing {
 		return
@@ -147,6 +175,16 @@ func (m *Model) syncTextarea() {
 	m.textarea.SetValue(info.ConfigText)
 }

+func (m *Model) syncDetailViewport() {
+	info, ok := m.selected()
+	if !ok || info.Description == "" {
+		m.detailViewport.SetContent("")
+		return
+	}
+	desc := renderPluginDescription(info.Description, m.width-6)
+	m.detailViewport.SetContent(desc)
+}
+
 func (m *Model) refreshListViewport() {
 	if m.pager.PerPage > 0 {
 		m.pager.Page = m.cursor / m.pager.PerPage
@@ -155,16 +193,11 @@ func (m *Model) refreshListViewport() {
 	m.listViewport.SetContent(m.renderList())
 }

-func shortenPath(p string) string {
-	home := os.Getenv("HOME")
-	if home != "" && strings.HasPrefix(p, home) {
-		return "~" + p[len(home):]
-	}
-	return p
+type pluginsKeyMap struct {
+	editing   bool
+	hasConfig bool
 }

-type pluginsKeyMap struct{ editing bool }
-
 func (k pluginsKeyMap) ShortHelp() []key.Binding {
 	pk := keys.Keys.Plugins
 	g := keys.Keys.Global
@@ -172,7 +205,14 @@ func (k pluginsKeyMap) ShortHelp() []key.Binding {
 		esc := key.NewBinding(key.WithKeys(g.Escape.Keys()...), key.WithHelp(g.Escape.Help().Key, "save & exit"))
 		return []key.Binding{esc}
 	}
-	return []key.Binding{pk.Toggle, pk.EditConfig, pk.Filter}
+	scrollHint := key.NewBinding(
+		key.WithKeys(g.ScrollUp.Keys()...),
+		key.WithHelp(g.ScrollUp.Help().Key+"/"+g.ScrollDown.Help().Key, "scroll detail"),
+	)
+	if k.hasConfig {
+		return []key.Binding{pk.Toggle, pk.EditConfig, pk.Filter, scrollHint}
+	}
+	return []key.Binding{pk.Toggle, pk.Filter, scrollHint}
 }

 func (k pluginsKeyMap) FullHelp() [][]key.Binding {
@@ -21,7 +21,27 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m, nil
 	}

+	// Route non-key messages to textarea when editing so internal
+	// textarea messages (e.g. clipboard paste) are handled correctly.
+	if m.editing {
+		if _, ok := msg.(tea.KeyPressMsg); !ok {
+			var cmd tea.Cmd
+			m.textarea, cmd = m.textarea.Update(msg)
+			return m, cmd
+		}
+	}
+
 	switch msg := msg.(type) {
+	case tea.MouseWheelMsg:
+		if !m.editing {
+			switch msg.Button {
+			case tea.MouseWheelUp:
+				m.detailViewport.SetYOffset(m.detailViewport.YOffset() - 1)
+			case tea.MouseWheelDown:
+				m.detailViewport.SetYOffset(m.detailViewport.YOffset() + 1)
+			}
+		}
+
 	case tea.KeyPressMsg:
 		pk := keys.Keys.Plugins
 		g := keys.Keys.Global
@@ -90,15 +110,17 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		case key.Matches(msg, g.Up):
 			if m.cursor > 0 {
 				m.cursor--
-				m.refreshListViewport()
+				m.recalcSizes()
 				m.syncTextarea()
+				m.detailViewport.GotoTop()
 			}

 		case key.Matches(msg, g.Down):
 			if m.cursor < len(m.filtered)-1 {
 				m.cursor++
-				m.refreshListViewport()
+				m.recalcSizes()
 				m.syncTextarea()
+				m.detailViewport.GotoTop()
 			}

 		case key.Matches(msg, pk.Toggle):
@@ -115,11 +137,25 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 			}

 		case key.Matches(msg, pk.EditConfig):
-			if _, ok := m.selected(); ok {
+			if _, ok := m.selected(); ok && m.hasConfig() {
 				m.editing = true
 				m.textarea.Focus()
 			}

+		case key.Matches(msg, g.ScrollUp):
+			step := m.detailViewport.Height() / 2
+			if step < 1 {
+				step = 1
+			}
+			m.detailViewport.SetYOffset(m.detailViewport.YOffset() - step)
+
+		case key.Matches(msg, g.ScrollDown):
+			step := m.detailViewport.Height() / 2
+			if step < 1 {
+				step = 1
+			}
+			m.detailViewport.SetYOffset(m.detailViewport.YOffset() + step)
+
 		case key.Matches(msg, g.Help):
 			m.help.ShowAll = !m.help.ShowAll
 			m.recalcSizes()
@@ -1,10 +1,13 @@
 package plugins

 import (
+	"path/filepath"
 	"strings"

 	tea "charm.land/bubbletea/v2"
+	"charm.land/glamour/v2"
 	"charm.land/lipgloss/v2"
+	"github.com/anotherhadi/spilltea/internal/config"
 	"github.com/anotherhadi/spilltea/internal/icons"
 	"github.com/anotherhadi/spilltea/internal/keys"
 	"github.com/anotherhadi/spilltea/internal/style"
@@ -27,23 +30,29 @@ func (m Model) View() tea.View {

 func (m *Model) renderListPanel(w, h int) string {
 	s := style.S
+	panelStyle := s.PanelFocused
+	if m.editing {
+		panelStyle = s.Panel
+	}
 	dots := s.Faint.Render(m.pager.View())
 	inner := lipgloss.JoinVertical(lipgloss.Left,
 		m.listViewport.View(),
 		lipgloss.PlaceHorizontal(m.listViewport.Width(), lipgloss.Center, dots),
 	)
-	return style.RenderWithTitle(s.PanelFocused, icons.I.Plugin+"Plugins", inner, w, h)
+	return style.RenderWithTitle(panelStyle, icons.I.Plugin+"Plugins", inner, w, h)
 }

 func (m *Model) renderDetailPanel(h int) string {
 	s := style.S
+	panelStyle := s.Panel
+	if m.editing {
+		panelStyle = s.PanelFocused
+	}
 	info, ok := m.selected()
 	if !ok {
-		return style.RenderWithTitle(s.Panel, "Config", "", m.width, h)
+		return style.RenderWithTitle(panelStyle, icons.I.Detail+"Detail", "", m.width, h)
 	}

-	var sb strings.Builder
-
 	statusSt := lipgloss.NewStyle().Foreground(s.Error)
 	if info.Enabled {
 		statusSt = lipgloss.NewStyle().Foreground(s.Success)
@@ -52,22 +61,52 @@ func (m *Model) renderDetailPanel(h int) string {
 	if info.Enabled {
 		status = "enabled"
 	}
-	sb.WriteString(s.Bold.Render(info.Name) + "  " + statusSt.Render(status) + "\n")
-	sb.WriteString(s.Faint.Render(shortenPath(info.FilePath)) + "\n\n")

+	pad := lipgloss.NewStyle().Padding(0, 1)
+
+	header := pad.Render(
+		s.Bold.Render(info.Name) + "  " + statusSt.Render(status) + "\n" +
+			s.Faint.Render(filepath.Base(info.FilePath)),
+	)
+
+	parts := []string{header, m.detailViewport.View()}
+
+	if m.hasConfig() {
+		var configLabel string
 		if m.editing {
 			escKey := keys.Keys.Global.Escape.Help().Key
-		sb.WriteString(s.Faint.Render("editing config (" + escKey + " to save):"))
+			configLabel = pad.Render(s.Faint.Render("editing config (" + escKey + " to save):"))
 		} else {
 			editKey := keys.Keys.Plugins.EditConfig.Help().Key
-		sb.WriteString(s.Faint.Render("config (" + editKey + " to edit):"))
+			configLabel = pad.Render(s.Faint.Render("config (" + editKey + " to edit):"))
+		}
+		parts = append(parts, "", configLabel, pad.Render(m.textarea.View()))
 	}

-	inner := lipgloss.JoinVertical(lipgloss.Left,
-		lipgloss.NewStyle().Padding(0, 1).Render(sb.String()),
-		lipgloss.NewStyle().Padding(0, 1).Render(m.textarea.View()),
+	inner := lipgloss.JoinVertical(lipgloss.Left, parts...)
+	return style.RenderWithTitle(panelStyle, icons.I.Detail+"Detail", inner, m.width, h)
+}
+
+func renderPluginDescription(desc string, width int) string {
+	desc = strings.TrimSpace(desc)
+	lines := strings.Split(desc, "\n")
+	for i, l := range lines {
+		lines[i] = strings.TrimLeft(l, " \t")
+	}
+	desc = strings.Join(lines, "\n")
+
+	r, err := glamour.NewTermRenderer(
+		glamour.WithStyles(style.GlamourStyleConfig(config.Global)),
+		glamour.WithWordWrap(width),
 	)
-	return style.RenderWithTitle(s.Panel, "Detail", inner, m.width, h)
+	if err != nil {
+		return desc
+	}
+	out, err := r.Render(desc)
+	if err != nil {
+		return desc
+	}
+	return strings.Trim(out, "\n")
 }

 func (m *Model) renderStatusBar() string {
@@ -81,9 +120,9 @@ func (m *Model) renderStatusBar() string {
 		escKey := keys.Keys.Global.Escape.Help().Key
 		accent := lipgloss.NewStyle().Foreground(s.Primary)
 		filterLine := pad.Render(accent.Render(filterKey) + " " + s.Bold.Render(m.filter) + s.Faint.Render("  "+escKey+" to clear"))
-		return lipgloss.JoinVertical(lipgloss.Left, filterLine, pad.Render(m.help.View(pluginsKeyMap{editing: m.editing})))
+		return lipgloss.JoinVertical(lipgloss.Left, filterLine, pad.Render(m.help.View(pluginsKeyMap{editing: m.editing, hasConfig: m.hasConfig()})))
 	}
-	return pad.Render(m.help.View(pluginsKeyMap{editing: m.editing}))
+	return pad.Render(m.help.View(pluginsKeyMap{editing: m.editing, hasConfig: m.hasConfig()}))
 }

 func (m *Model) renderList() string {
@@ -68,6 +68,23 @@ func (m Model) Init() tea.Cmd { return nil }

 func (m Model) IsEditing() bool { return m.editing }

+func (m Model) CurrentRaw() string {
+	if len(m.entries) == 0 || m.cursor >= len(m.entries) {
+		return ""
+	}
+	return m.entries[m.cursor].RequestRaw
+}
+
+func (m Model) CurrentScheme() string {
+	if len(m.entries) == 0 || m.cursor >= len(m.entries) {
+		return "https"
+	}
+	if s := m.entries[m.cursor].Scheme; s != "" {
+		return s
+	}
+	return "https"
+}
+
 func (m *Model) SetDB(d *db.DB) {
 	m.database = d
 	if d == nil {
@@ -33,6 +33,18 @@ func sendCmd(entry Entry, index int) tea.Cmd {
 }

 func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
+	var cmds []tea.Cmd
+
+	// Route non-key messages to textarea when editing so internal
+	// textarea messages (e.g. clipboard paste) are handled correctly.
+	if m.editing {
+		if _, ok := msg.(tea.KeyPressMsg); !ok {
+			var taCmd tea.Cmd
+			m.textarea, taCmd = m.textarea.Update(msg)
+			cmds = append(cmds, taCmd)
+		}
+	}
+
 	switch msg := msg.(type) {
 	case SendToReplayMsg:
 		entry := entryFromMsg(msg)
@@ -104,7 +116,7 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m.updateNormalMode(msg)
 	}

-	return m, nil
+	return m, tea.Batch(cmds...)
 }

 func (m Model) updateNormalMode(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
@@ -33,12 +33,16 @@ func (m Model) View() tea.View {

 func (m *Model) renderListPanel(w, h int) string {
 	s := style.S
+	panelStyle := s.PanelFocused
+	if m.editing {
+		panelStyle = s.Panel
+	}
 	dots := s.Faint.Render(m.pager.View())
 	inner := lipgloss.JoinVertical(lipgloss.Left,
 		m.listViewport.View(),
 		lipgloss.PlaceHorizontal(m.listViewport.Width(), lipgloss.Center, dots),
 	)
-	return style.RenderWithTitle(s.PanelFocused, icons.I.Replay+"Replay", inner, w, h)
+	return style.RenderWithTitle(panelStyle, icons.I.Replay+"Replay", inner, w, h)
 }

 func (m *Model) renderRequestPanel(w, h int) string {
@@ -1,150 +0,0 @@
-package scope
-
-import (
-	"strings"
-
-	"charm.land/bubbles/v2/help"
-	"charm.land/bubbles/v2/key"
-	"charm.land/bubbles/v2/textarea"
-	tea "charm.land/bubbletea/v2"
-	"charm.land/lipgloss/v2"
-	"github.com/anotherhadi/spilltea/internal/keys"
-	"github.com/anotherhadi/spilltea/internal/style"
-)
-
-const (
-	fieldNone      = -1
-	fieldWhitelist = 0
-	fieldBlacklist = 1
-)
-
-const (
-	minTaH = 3
-	maxTaH = 12
-	fixedH = 8 // (blank + label + desc + blank) x2
-)
-
-type ScopeChangedMsg struct {
-	Whitelist []string
-	Blacklist []string
-}
-
-type Model struct {
-	focusIdx int
-
-	wlTextarea textarea.Model
-	blTextarea textarea.Model
-
-	innerH int
-	width  int
-	height int
-
-	help help.Model
-}
-
-func New(name, path string) Model {
-	wl := style.NewTextarea(true)
-	wl.Placeholder = "one pattern per line..."
-
-	bl := style.NewTextarea(true)
-	bl.Placeholder = "one pattern per line..."
-	bl.Blur()
-
-	return Model{
-		focusIdx:   fieldNone,
-		wlTextarea: wl,
-		blTextarea: bl,
-		help:       style.NewHelp(),
-	}
-}
-
-func (m Model) Init() tea.Cmd { return nil }
-
-func (m *Model) SetScope(whitelist, blacklist []string) {
-	m.wlTextarea.SetValue(strings.Join(whitelist, "\n"))
-	m.blTextarea.SetValue(strings.Join(blacklist, "\n"))
-}
-
-func (m *Model) SetSize(w, h int) {
-	m.width = w
-	m.height = h
-	m.syncLayout()
-}
-
-func (m *Model) syncLayout() {
-	if m.width == 0 {
-		return
-	}
-	m.help.SetWidth(m.width - 2)
-
-	statusH := strings.Count(m.renderStatusBar(), "\n") + 1
-	panelH := m.height - statusH
-	m.innerH = max(1, style.PanelContentH(panelH))
-
-	taH := (m.innerH - fixedH) / 2
-	if taH < minTaH {
-		taH = minTaH
-	}
-	if taH > maxTaH {
-		taH = maxTaH
-	}
-	// width - 2 (panel border) - 1 (leading space in view) - 3 (right margin + cursor)
-	taW := max(1, m.width-6)
-	m.wlTextarea.SetWidth(taW)
-	m.wlTextarea.SetHeight(taH)
-	m.blTextarea.SetWidth(taW)
-	m.blTextarea.SetHeight(taH)
-}
-
-func (m Model) IsEditing() bool {
-	return m.focusIdx == fieldWhitelist || m.focusIdx == fieldBlacklist
-}
-
-func (m *Model) scopeChangedCmd() tea.Cmd {
-	wl := parseLines(m.wlTextarea.Value())
-	bl := parseLines(m.blTextarea.Value())
-	return func() tea.Msg {
-		return ScopeChangedMsg{Whitelist: wl, Blacklist: bl}
-	}
-}
-
-func parseLines(s string) []string {
-	var out []string
-	for _, line := range strings.Split(s, "\n") {
-		if t := strings.TrimSpace(line); t != "" {
-			out = append(out, t)
-		}
-	}
-	return out
-}
-
-func (m Model) renderStatusBar() string {
-	return lipgloss.NewStyle().Padding(0, 1).Render(
-		m.help.View(formKeyMap{focusIdx: m.focusIdx}),
-	)
-}
-
-type formKeyMap struct {
-	focusIdx int
-}
-
-func (k formKeyMap) ShortHelp() []key.Binding {
-	cycle := keys.Keys.Global.CycleFocus
-	hlp := keys.Keys.Global.Help
-
-	switch k.focusIdx {
-	case fieldWhitelist, fieldBlacklist:
-		esc := keys.Keys.Global.Escape
-		escBinding := key.NewBinding(key.WithKeys(esc.Keys()...), key.WithHelp(esc.Help().Key, "unfocus"))
-		return []key.Binding{
-			key.NewBinding(key.WithKeys("enter"), key.WithHelp("enter", "new line")),
-			escBinding,
-			cycle,
-		}
-	}
-	return []key.Binding{cycle, hlp}
-}
-
-func (k formKeyMap) FullHelp() [][]key.Binding {
-	return [][]key.Binding{k.ShortHelp()}
-}
@@ -1,70 +0,0 @@
-package scope
-
-import (
-	"charm.land/bubbles/v2/key"
-	tea "charm.land/bubbletea/v2"
-	"github.com/anotherhadi/spilltea/internal/keys"
-)
-
-func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
-	kp, isKey := msg.(tea.KeyPressMsg)
-	if !isKey {
-		return m, nil
-	}
-
-	if key.Matches(kp, keys.Keys.Global.CycleFocus) {
-		return m.cycleFocus()
-	}
-
-	if key.Matches(kp, keys.Keys.Global.Help) && !m.IsEditing() {
-		m.help.ShowAll = !m.help.ShowAll
-		return m, nil
-	}
-
-	switch m.focusIdx {
-	case fieldWhitelist:
-		if key.Matches(kp, keys.Keys.Global.Escape) {
-			return m.blurAll()
-		}
-		var cmd tea.Cmd
-		m.wlTextarea, cmd = m.wlTextarea.Update(kp)
-		return m, cmd
-
-	case fieldBlacklist:
-		if key.Matches(kp, keys.Keys.Global.Escape) {
-			return m.blurAll()
-		}
-		var cmd tea.Cmd
-		m.blTextarea, cmd = m.blTextarea.Update(kp)
-		return m, cmd
-	}
-
-	return m, nil
-}
-
-func (m Model) blurAll() (tea.Model, tea.Cmd) {
-	m.wlTextarea.Blur()
-	m.blTextarea.Blur()
-	m.focusIdx = fieldNone
-	m.syncLayout()
-	return m, m.scopeChangedCmd()
-}
-
-func (m Model) cycleFocus() (tea.Model, tea.Cmd) {
-	scopeCmd := m.scopeChangedCmd()
-
-	var focusCmd tea.Cmd
-	switch m.focusIdx {
-	case fieldNone, fieldBlacklist:
-		m.blTextarea.Blur()
-		m.focusIdx = fieldWhitelist
-		focusCmd = m.wlTextarea.Focus()
-	case fieldWhitelist:
-		m.wlTextarea.Blur()
-		m.focusIdx = fieldBlacklist
-		focusCmd = m.blTextarea.Focus()
-	}
-
-	m.syncLayout()
-	return m, tea.Batch(focusCmd, scopeCmd)
-}
@@ -1,84 +0,0 @@
-package scope
-
-import (
-	"strings"
-
-	tea "charm.land/bubbletea/v2"
-	"charm.land/lipgloss/v2"
-	"github.com/anotherhadi/spilltea/internal/icons"
-	"github.com/anotherhadi/spilltea/internal/style"
-)
-
-func (m Model) View() tea.View {
-	if m.width == 0 {
-		return tea.NewView("")
-	}
-
-	s := style.S
-
-	statusBar := m.renderStatusBar()
-	statusH := strings.Count(statusBar, "\n") + 1
-	panelH := m.height - statusH
-	innerH := max(1, style.PanelContentH(panelH))
-
-	taH := (innerH - fixedH) / 2
-	if taH < minTaH {
-		taH = minTaH
-	}
-	if taH > maxTaH {
-		taH = maxTaH
-	}
-
-	var lines []string
-	add := func(l string) { lines = append(lines, l) }
-
-	add("")
-	add(fieldLabel("Whitelist", m.focusIdx == fieldWhitelist))
-	add(" " + s.Faint.Render("If non-empty, only matching requests are intercepted."))
-	add("")
-	wlContentLines := strings.Count(m.wlTextarea.Value(), "\n") + 1
-	for _, l := range taLines(m.wlTextarea.View(), taH, wlContentLines) {
-		add(" " + l)
-	}
-
-	add("")
-	add(fieldLabel("Blacklist", m.focusIdx == fieldBlacklist))
-	add(" " + s.Faint.Render("Matching requests are always excluded from history."))
-	add("")
-	blContentLines := strings.Count(m.blTextarea.Value(), "\n") + 1
-	for _, l := range taLines(m.blTextarea.View(), taH, blContentLines) {
-		add(" " + l)
-	}
-
-	for len(lines) < innerH {
-		lines = append(lines, "")
-	}
-	content := strings.Join(lines[:innerH], "\n")
-
-	panel := style.RenderWithTitle(s.PanelFocused, icons.I.Scope+"Scopes", content, m.width, panelH)
-	return tea.NewView(lipgloss.JoinVertical(lipgloss.Left, panel, statusBar))
-}
-
-func fieldLabel(name string, focused bool) string {
-	s := style.S
-	c := s.MutedFg
-	if focused {
-		c = s.Primary
-	}
-	return "  " + lipgloss.NewStyle().Foreground(c).Bold(focused).Render(name)
-}
-
-func taLines(view string, h int, contentLines int) []string {
-	raw := strings.Split(strings.TrimRight(view, "\n"), "\n")
-	tilde := style.S.Faint.Render("~")
-	for len(raw) < h {
-		raw = append(raw, tilde)
-	}
-	if len(raw) > h {
-		raw = raw[:h]
-	}
-	for i := contentLines; i < len(raw); i++ {
-		raw[i] = tilde
-	}
-	return raw
-}
@@ -0,0 +1,45 @@
+package spilltea
+
+import (
+	"embed"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+)
+
+//go:embed plugins/*.lua
+var PluginsFS embed.FS
+
+// InstallDefaultPlugins copies embedded default plugins into dir, skipping
+// files that already exist. Returns the number of files written.
+func InstallDefaultPlugins(dir string) (int, error) {
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return 0, fmt.Errorf("create plugins dir: %w", err)
+	}
+
+	entries, err := fs.ReadDir(PluginsFS, "plugins")
+	if err != nil {
+		return 0, err
+	}
+
+	written := 0
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		dst := filepath.Join(dir, e.Name())
+		if _, err := os.Stat(dst); err == nil {
+			continue
+		}
+		data, err := PluginsFS.ReadFile("plugins/" + e.Name())
+		if err != nil {
+			return written, fmt.Errorf("read embedded %s: %w", e.Name(), err)
+		}
+		if err := os.WriteFile(dst, data, 0o644); err != nil {
+			return written, fmt.Errorf("write %s: %w", dst, err)
+		}
+		written++
+	}
+	return written, nil
+}
@@ -1,26 +1,28 @@
-- Inject a custom header into every request.
-- Config format (one per line): Header-Name: value
-
 Plugin = {
  name        = "Inject Header",
+  description = [[
+Inject custom headers into every intercepted request.
+
+**Config**:
+- one 'Header-Name: value' per line.
+  ]],
  on_request  = { sync = true },
 }

 local headers = {}

-function on_start(config_text)
+function on_config(config_text)
+  headers = {}
  for line in config_text:gmatch("[^\n]+") do
    local name, value = line:match("^([^:]+):%s*(.+)$")
    if name and value then
      table.insert(headers, { name = name, value = value })
    end
  end
-  log("loaded " .. #headers .. " header(s)")
 end

 function on_request(req)
  for _, h in ipairs(headers) do
    req:set_header(h.name, h.value)
  end
-  return "forward"
 end
@@ -0,0 +1,75 @@
+Plugin = {
+  name        = "IP Filter (Whitelist/Blacklist)",
+  description = [[
+Checks that the proxy's outbound IP is in an allowed list on startup.
+
+**Config**:
+- one IP per line
+- prefix with `!` for a blacklist entry (blocked)
+- prefix with `#` to comment it out (ignored)
+- if no IPs are configured, the check is skipped
+  ]],
+  on_start = { sync = false },
+}
+
+local whitelist = {}
+local blacklist = {}
+
+function on_config(config_text)
+  whitelist = {}
+  blacklist = {}
+
+  for line in config_text:gmatch("[^\n]+") do
+    local trimmed = line:match("^%s*(.-)%s*$")
+    if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then
+      if trimmed:sub(1, 1) == "!" then
+        local ip = trimmed:sub(2):match("^%s*(.-)%s*$")
+        if ip ~= "" then
+          table.insert(blacklist, ip)
+        end
+      else
+        table.insert(whitelist, trimmed)
+      end
+    end
+  end
+end
+
+function on_start()
+  if #whitelist == 0 and #blacklist == 0 then
+    return
+  end
+
+  -- Fetch the current outbound IP via a public API.
+  local ok, result = pcall(function()
+    local handle = io.popen("curl -sf https://api.ipify.org 2>/dev/null")
+    if not handle then return nil end
+    local ip = handle:read("*a")
+    handle:close()
+    return ip and ip:match("^%s*(.-)%s*$") or nil
+  end)
+
+  if not ok or not result or result == "" then
+    log("could not determine outbound IP, skipping check")
+    notif("IP Filter", "Could not determine outbound IP, skipping check", "warning")
+    return
+  end
+
+  for _, ip in ipairs(blacklist) do
+    if result == ip then
+      notif("IP Filter", "Outbound IP " .. result .. " is blacklisted!", "error")
+      return
+    end
+  end
+
+  if #whitelist == 0 then
+    return
+  end
+
+  for _, ip in ipairs(whitelist) do
+    if result == ip then
+      return
+    end
+  end
+
+  notif("IP Filter", "Outbound IP " .. result .. " is not in the whitelist!", "error")
+end
@@ -0,0 +1,78 @@
+Plugin = {
+  name        = "Scopes",
+  description = [[
+Auto-forward requests and exclude them from history based on patterns.
+
+**Config**:
+- `pattern`  - whitelist: only intercept matching requests
+- `!pattern` - blacklist: don't intercept matching requests and exclude from history
+- lines starting with `#` are comments
+
+Example (ignore static assets):
+```
+!%.css$
+!%.js$
+!%.png$
+```
+
+Example (focus on mytarget.com, skip everything else):
+```
+mytarget%.com/
+```
+
+Example (intercept mytarget.com except its static assets):
+```
+mytarget%.com/
+!%.css$
+!%.js$
+!%.png$
+```
+  ]],
+  priority         = 100,
+  on_request       = { sync = true },
+  on_response       = { sync = true },
+  on_history_entry = { sync = true },
+}
+
+local whitelist = {}
+local blacklist = {}
+
+function on_config(config_text)
+  whitelist = {}
+  blacklist = {}
+  for line in config_text:gmatch("[^\n]+") do
+    local trimmed = line:match("^%s*(.-)%s*$")
+    if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then
+      if trimmed:sub(1, 1) == "!" then
+        table.insert(blacklist, trimmed:sub(2))
+      else
+        table.insert(whitelist, trimmed)
+      end
+    end
+  end
+end
+
+local function should_skip(url)
+  for _, pattern in ipairs(blacklist) do
+    if url:match(pattern) then return true end
+  end
+  if #whitelist > 0 then
+    for _, pattern in ipairs(whitelist) do
+      if url:match(pattern) then return false end
+    end
+    return true
+  end
+  return false
+end
+
+function on_request(req)
+  if should_skip(req.url) then return "forward" end
+end
+
+function on_response(req)
+  if should_skip(req.url) then return "forward" end
+end
+
+function on_history_entry(entry)
+  if should_skip(entry.host .. entry.path) then return "skip" end
+end
Author	SHA1	Message	Date
Hadi	407ca13a33	v0.0.3 Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 18:20:57 +02:00
Hadi	9ab7f12bf4	gofmt Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 18:20:33 +02:00
Hadi	7d4f32549e	update vendor hash Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 18:19:28 +02:00
Hadi	bed122fc99	Merge pull request #1 from anotherhadi/dependabot/go_modules/github.com/sirupsen/logrus-1.8.3 Bump github.com/sirupsen/logrus from 1.8.1 to 1.8.3	2026-05-13 18:17:05 +02:00
Hadi	967aab8363	Edit issue templates: md -> yaml, init plugin_request Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 18:15:42 +02:00
Hadi	a414a51168	Update docs Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 18:11:47 +02:00
Hadi	c7392474b7	CopyRequest -> Copy & CopyAs Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 18:07:23 +02:00
Hadi	de254b4e52	Use local timezone for findings Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 17:36:46 +02:00
Hadi	47d2cf6845	change default config Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 17:04:06 +02:00
Hadi	26994a3a37	upstream proxy Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 17:03:00 +02:00
Hadi	4eb9dd53f5	Change plugins behavior Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-13 16:52:12 +02:00
Hadi	dbea0ab0f2	Add cli flags Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-12 22:54:36 +02:00
dependabot[bot]	4caecaeec4	Bump github.com/sirupsen/logrus from 1.8.1 to 1.8.3 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.8.1 to 1.8.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.8.1...v1.8.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-version: 1.8.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-12 20:50:45 +00:00
Hadi	a6bd5c1071	Rename auto-forward -> toggle-intercept Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-12 22:25:10 +02:00
Hadi	7879720d07	Remove scope page Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>	2026-05-12 22:01:29 +02:00