v0.0.3

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,28 +0,0 @@
----
-name: "🐞 Bug Report"
-about: Report a reproducible error
-title: "[BUG] "
-labels: bug
----
-
-**Describe the bug**
-A clear and concise description of the issue.
-
-**To Reproduce**
-
-1. Go to '...'
-2. Click on '....'
-3. See error
-
-**Expected Behavior**
-
-What should have happened.
-
-**Environment**
-
-- OS:
-- Version (`spilltea -v`):
-
-**Additional Context**
-
-Add any logs or screenshots here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,57 @@
+name: "🐞 Bug Report"
+description: Report a reproducible error
+title: "[BUG] "
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the bug
+      description: A clear and concise description of the issue.
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: Step-by-step instructions to trigger the bug.
+      placeholder: |
+        1. ...
+        2. ...
+        3. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What should have happened instead.
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      placeholder: "e.g. Ubuntu 24.04, macOS 15"
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: spilltea version
+      description: Output of `spilltea -v`
+      placeholder: "e.g. v0.3.1"
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Logs, screenshots, or anything else relevant.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,22 +0,0 @@
----
-name: "🚀 Feature Request"
-about: Suggest an idea for this project
-title: "[FEATURE] "
-labels: enhancement
----
-
-**Is your feature request related to a problem?**
-
-A description of what the problem is (e.g. I'm always frustrated when...).
-
-**Describe the solution**
-
-A clear description of what you want to happen.
-
-**Describe alternatives**
-
-Any alternative solutions or features you've considered.
-
-**Additional context**
-
-Add any other context or mockups here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,37 @@
+name: "🚀 Feature Request"
+description: Suggest an idea for this project
+title: "[FEATURE] "
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: Is your feature request related to a problem? Describe it.
+      placeholder: "I'm always frustrated when..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: A clear description of what you want to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any alternative solutions or features you've thought about.
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Mockups, related issues, or anything else relevant.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/plugin_request.yml

@@ -0,0 +1,52 @@
+name: "🧩 Plugin Request"
+description: Suggest a plugin idea or propose an existing plugin
+title: "[PLUGIN] "
+labels: ["plugin"]
+body:
+  - type: dropdown
+    id: request_type
+    attributes:
+      label: Request type
+      description: Are you proposing an idea or an already-built plugin?
+      options:
+        - "Plugin idea — I have an idea but haven't built it"
+        - "Plugin proposal — I have already built a plugin"
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: >
+        **If this is an idea:** describe what the plugin would do and the problem it solves.
+        **If this is a proposal:** describe what your plugin does and link to its repository.
+      placeholder: "This plugin would..."
+    validations:
+      required: true
+
+  - type: input
+    id: repo
+    attributes:
+      label: Repository (proposals only)
+      description: Link to the plugin repository, if it exists.
+      placeholder: "https://github.com/..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: use_case
+    attributes:
+      label: Use case
+      description: Who would benefit from this plugin and in what scenario?
+      placeholder: "Useful when testing APIs that..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Screenshots, mockups, related issues, or anything else relevant.
+    validations:
+      required: false

.github/docs/plugins.md

@@ -1,6 +1,7 @@
 # Plugins
 
 Spilltea supports Lua plugins that can intercept, modify, and analyze HTTP traffic.
+You can found some pre-built plugins [here](../../plugins/).
 
 ## Where to place plugins
 
@@ -15,25 +16,28 @@ Every plugin must declare a `Plugin` table and implement the hooks it wants to u
 ```lua
 Plugin = {
   name        = "My Plugin",
+  description = "What this plugin does.",
+  priority    = 0,  -- higher = runs before other plugins (default: 0)
 
-  -- Declare which hooks you use and whether they are synchronous.
+  -- Declare which hooks you use and whether they are synchronous (default: false).
+  -- on_config and on_quit are always sync and do not need to be declared here.
   on_start          = { sync = true  },
   on_request        = { sync = true  },
   on_response       = { sync = false },
-  on_history_entry = {},
+  on_history_entry  = { sync = true  },
-  on_quit          = {},
 }
 ```
 
 ### Hook reference
 
-| Hook                      | When called                 | Sync/async   | Return value        |
+| Hook                      | When called                          | Sync/async    | Return value (sync only)                              |
-| ------------------------- | --------------------------- | ------------ | ------------------- |
+| ------------------------- | ------------------------------------ | ------------- | ----------------------------------------------------- |
-| `on_start(config_text)`   | Once at startup             | always sync  | ignored             |
+| `on_config(config_text)`  | At startup and on config save        | always sync   | ignored                                               |
+| `on_start()`              | Once at startup, after `on_config`   | configurable  | ignored                                               |
 | `on_quit()`               | When the app exits                   | always sync   | ignored                                               |
-| `on_request(req)`         | Every request               | declared     | `"drop"`, `"forward"`, or `nil` (sync only) |
+| `on_request(req)`         | Every request, before auto-forward   | configurable  | `"drop"`, `"forward"`, or `nil`                       |
-| `on_response(req, res)`   | Every response              | declared     | `"drop"`, `"forward"`, or `nil` (sync only) |
+| `on_response(req, res)`   | Every response                       | configurable  | `"drop"`, `"forward"`, or `nil`                       |
-| `on_history_entry(entry)` | After a flow is saved to DB | always async | ignored             |
+| `on_history_entry(entry)` | Sync: before DB insert / Async: after | configurable | `"skip"` (don't save), `"keep"` or `nil` (save)      |
 
 ## Request and response objects
 
@@ -80,7 +84,8 @@ Plugin = {
 log("message")
 
 -- Send a notification bubble in the TUI
-notif("Title", "Body text")
+-- kind is optional: "info" (default), "success", "warning", "error"
+notif("Title", "Body text", "warning")
 
 -- Create a finding (shown on the Findings page, persisted in DB)
 create_finding({
@@ -90,8 +95,17 @@ create_finding({
   severity    = "high",              -- info | low | medium | high | critical
 })
 
--- Check if a URL matches the current scope (whitelist/blacklist)
+-- Run a raw SQL query against the project DB (entries, findings, replay_entries, …)
-local ok = is_in_scope("https://example.com/api/v1")
+-- Returns a table of rows; each row is a table indexed by column name.
+-- Returns nil + error string on failure.
+local rows, err = db_query("SELECT id, host FROM entries WHERE host = ?", "example.com")
+if err then
+  log("query failed: " .. err)
+else
+  for i = 1, #rows do
+    log(rows[i].host)
+  end
+end
 
 -- Quit the app (useful for startup checks that fail)
 quit("reason message")
@@ -103,25 +117,46 @@ A finding is identified by `(plugin_name, key)`. If a finding with that pair alr
 
 ## Configuration
 
-Each plugin gets a **config textarea** on the Plugins page. The raw text is passed as-is to `on_start(config_text)`. Parse it however you like (line by line, key=value, JSON, etc.).
+Each plugin gets a **config textarea** on the Plugins page. The raw text is passed as-is to `on_config(config_text)`. Parse it however you like (line by line, key=value, JSON, etc.).
+
+`on_config` is called once at startup (before `on_start`) and again every time the user saves the config in the UI.
 
 ## Sync vs async
 
-- **`sync = true`**: spilltea waits for the hook to return before continuing. For `on_request`/`on_response` this blocks the proxy goroutine; the hook can return one of the values below.
+- **`sync = true`**: spilltea waits for the hook to return before continuing. The hook can return a decision value (see below).
-- **`sync = false`** (or omitted for supported hooks): the hook runs in a background goroutine. Return values are ignored. Use this for analysis and findings.
+- **`sync = false`** (default for all configurable hooks): the hook runs in a background goroutine. Return values are ignored.
 
-### Return values for `on_request` and `on_response` (sync only)
+`on_config` and `on_quit` are always synchronous regardless of the Plugin table declaration.
+
+### Return values for sync hooks
+
+**`on_request` and `on_response`:**
 
 | Return value | Effect                                                                            |
-| ------------ | ------ |
+| ------------ | --------------------------------------------------------------------------------- |
 | `"drop"`     | The flow is dropped immediately and never shown in the intercept panel.           |
 | `"forward"`  | The flow is forwarded immediately without going through the intercept panel.      |
 | `nil`        | Normal behaviour: the flow appears in the intercept panel for the user to decide. |
 
-The `sync` declaration is only meaningful for `on_request` and `on_response`. The other hooks have fixed behaviour:
+**`on_history_entry` (sync only):**
 
-- `on_start` is **always synchronous**: plugins are initialised one by one before the first request is accepted.
+| Return value        | Effect                                 |
-- `on_quit` is **always synchronous**: the app waits for all `on_quit` hooks before exiting.
+| ------------------- | -------------------------------------- |
-- `on_history_entry` is **always asynchronous**.
+| `"skip"`            | The entry is not saved to the DB.      |
+| `"keep"` or `nil`   | The entry is saved normally.           |
 
-> A sync `on_request` or `on_response` hook that hangs will block traffic for that flow. There is no automatic timeout.
+Sync `on_history_entry` runs **before** the DB insert, so it can prevent an entry from ever appearing in history. Async `on_history_entry` runs **after** the insert and cannot affect it.
+
+## Priority
+
+Plugins with a higher `priority` value run before plugins with a lower value (default `0`). This matters for sync hooks that return a decision: the first plugin to return a non-nil value short-circuits the remaining plugins.
+
+```lua
+Plugin = {
+  name     = "Scopes",
+  priority = 100,  -- runs before all default-priority plugins
+  ...
+}
+```
+
+> A sync hook that hangs will block traffic for that flow. There is no automatic timeout.

.github/plugins_example/ip_whitelist.lua

@@ -1,48 +0,0 @@
--- Check that the proxy's outbound IP is in the whitelist before starting.
--- Config: one allowed IP per line. Leave empty to disable the check.
-
-Plugin = {
-  name     = "IP Whitelist",
-  on_start = {},
-}
-
-function on_start(config_text)
-  local allowed = {}
-  for line in config_text:gmatch("[^\n]+") do
-    local ip = line:match("^%s*(.-)%s*$")
-    if ip ~= "" then
-      table.insert(allowed, ip)
-    end
-  end
-
-  if #allowed == 0 then
-    log("no IPs configured, skipping check")
-    return
-  end
-
-  -- Fetch the current outbound IP via a public API.
-  local ok, result = pcall(function()
-    local handle = io.popen("curl -sf https://api.ipify.org 2>/dev/null")
-    if not handle then return nil end
-    local ip = handle:read("*a")
-    handle:close()
-    return ip and ip:match("^%s*(.-)%s*$") or nil
-  end)
-
-  if not ok or not result or result == "" then
-    log("could not determine outbound IP, skipping check")
-    return
-  end
-
-  log("outbound IP: " .. result)
-
-  for _, ip in ipairs(allowed) do
-    if result == ip then
-      log("IP " .. result .. " is whitelisted")
-      return
-    end
-  end
-
-  notif("IP Whitelist", "Outbound IP " .. result .. " is NOT in the whitelist!")
-  quit("outbound IP " .. result .. " not whitelisted")
-end

.github/plugins_example/secret_finder.lua

@@ -1,35 +0,0 @@
--- Scan response bodies for common API key / secret patterns.
--- Runs asynchronously so it never delays traffic.
-
-Plugin = {
-  name        = "Secret Finder",
-  on_response = { sync = false },
-}
-
-local PATTERNS = {
-  { pattern = "AIza[0-9A-Za-z%-_]{35}",                label = "Google API Key" },
-  { pattern = "AKIA[0-9A-Z]{16}",                      label = "AWS Access Key" },
-  { pattern = "sk%-[a-zA-Z0-9]{20,}",                  label = "OpenAI API Key" },
-  { pattern = "ghp_[a-zA-Z0-9]{36}",                   label = "GitHub Personal Token" },
-  { pattern = "Bearer%s+[a-zA-Z0-9%-_%.]+%.[a-zA-Z0-9%-_%.]+%.[a-zA-Z0-9%-_%.]+",
-                                                         label = "JWT Bearer Token" },
-}
-
-function on_response(req, res)
-  local body = res:get_body()
-  if body == "" then return end
-
-  for _, p in ipairs(PATTERNS) do
-    if body:find(p.pattern) then
-      local key = p.label .. ":" .. req.host
-      create_finding({
-        title       = p.label .. " in response",
-        description = "**Host:** `" .. req.host .. "`\n\n" ..
-                      "**Path:** `" .. req.path .. "`\n\n" ..
-                      "Pattern `" .. p.pattern .. "` matched in the response body.",
-        key         = key,
-        severity    = "high",
-      })
-    end
-  end
-end

README.md

@@ -44,7 +44,7 @@ On startup, you choose:
 ## Plugin System
 
 Spilltea supports plugins written in **Lua**. Plugins are loaded from `~/.config/spilltea/plugins/` by default and do not require recompilation or access to the source code.
-For a full reference and examples, see the [plugin documentation](./.github/docs/plugins.md).
+For a full reference and examples, see the [plugin documentation](./.github/docs/plugins.md) or [plugin examples](./plugins/).
 
 ## Configuration
 
@@ -54,12 +54,15 @@ Check the default configuration with all the options [here](./internal/config/de
 ## CLI Flags
 
 | Flag                    | Short | Description                                                                    |
-| ---- | ----- | ----------- |
+| ----------------------- | ----- | ------------------------------------------------------------------------------ |
 | `--config`              | `-c`  | Path to config file (default: `~/.config/spilltea/config.yaml`)                |
+| `--plugin-dir`          |       | Path to plugins dir, overrides config (default: `~/.config/spilltea/plugins/`) |
 | `--host`                |       | Proxy host, overrides config                                                   |
 | `--port`                | `-p`  | Proxy port, overrides config                                                   |
 | `--project`             | `-P`  | Project name to open directly, or `tmp` for a temporary session                |
+| `--upstream-proxy`      |       | Upstream proxy URL, overrides config (e.g. `http://user:pass@host:8888`)       |
 | `--version`             | `-v`  | Print version and exit                                                         |
+| `--add-default-plugins` |       | Add the default plugins to your plugins dir and exit                           |
 
 ## Deployment
 

cmd/spilltea/main.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	tea "charm.land/bubbletea/v2"
+	spilltea "github.com/anotherhadi/spilltea"
 	"github.com/anotherhadi/spilltea/internal/config"
 	"github.com/anotherhadi/spilltea/internal/icons"
 	"github.com/anotherhadi/spilltea/internal/intercept"
@@ -23,10 +24,13 @@ var version = "dev"
 func main() {
 	var (
 		flagConfig            = flag.StringP("config", "c", "", "path to config file")
+		flagPluginsDir        = flag.String("plugins-dir", "", "path to plugins dir (overrides config)")
 		flagHost              = flag.String("host", "", "proxy host (overrides config)")
 		flagPort              = flag.IntP("port", "p", 0, "proxy port (overrides config)")
+		flagUpstreamProxy     = flag.String("upstream-proxy", "", "upstream proxy URL, e.g. http://user:pass@host:8888 (overrides config)")
 		flagVersion           = flag.BoolP("version", "v", false, "print version")
 		flagProject           = flag.StringP("project", "P", "", `project name to open directly, or "tmp" for a temporary session`)
+		flagAddDefaultPlugins = flag.Bool("add-default-plugins", false, "copy built-in example plugins into the plugins dir and exit")
 	)
 	flag.Parse()
 
@@ -35,6 +39,28 @@ func main() {
 		os.Exit(0)
 	}
 
+	if *flagAddDefaultPlugins {
+		cfgPath := filepath.Join(os.Getenv("HOME"), ".config", "spilltea", "config.yaml")
+		if *flagConfig != "" {
+			cfgPath = *flagConfig
+		}
+		if err := config.Load(cfgPath); err != nil {
+			fmt.Fprintf(os.Stderr, "config: %v\n", err)
+			os.Exit(1)
+		}
+		dir := config.ExpandPath(config.Global.App.PluginsDir)
+		if *flagPluginsDir != "" {
+			dir = *flagPluginsDir
+		}
+		n, err := spilltea.InstallDefaultPlugins(dir)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "add-default-plugins: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Printf("added %d plugin(s) to %s\n", n, dir)
+		os.Exit(0)
+	}
+
 	if *flagProject != "" && !homeUI.IsValidProjectName(*flagProject) {
 		fmt.Fprintf(os.Stderr, "project: invalid name %q (only lowercase letters, digits, - and _ are allowed)\n", *flagProject)
 		os.Exit(1)
@@ -51,12 +77,18 @@ func main() {
 	}
 	config.Global.Version = version
 
+	if *flagPluginsDir != "" {
+		config.Global.App.PluginsDir = *flagPluginsDir
+	}
 	if *flagHost != "" {
 		config.Global.App.Host = *flagHost
 	}
 	if *flagPort != 0 {
 		config.Global.App.Port = *flagPort
 	}
+	if *flagUpstreamProxy != "" {
+		config.Global.App.UpstreamProxy = *flagUpstreamProxy
+	}
 
 	addr := fmt.Sprintf("%s:%d", config.Global.App.Host, config.Global.App.Port)
 	// Check if the proxy port is available before starting the UI.

flake.nix

@@ -14,7 +14,7 @@
       (system: f system (import nixpkgs {inherit system;}));
 
     pname = "spilltea";
-    version = "0.0.1";
+    version = "0.0.3";
 
     ldflags = ["-s" "-w" "-X main.version=${version}"];
   in {
@@ -25,7 +25,7 @@
         src = ./.;
         outputs = ["out"];
 
-        vendorHash = "sha256-u+u38Qr5Dugk5eFmxTK4vKUEv2SlXcfY6ZFlu1cPqVk=";
+        vendorHash = "sha256-v37RFS/T6KGZTO1tHmtUqBrRcCqNS3+ACBcsd7tl50c=";
 
         meta = with pkgs.lib; {
           description = "A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players.";

go.mod

@@ -9,7 +9,7 @@ require (
 	charm.land/lipgloss/v2 v2.0.3
 	github.com/charmbracelet/x/ansi v0.11.7
 	github.com/lqqyt2423/go-mitmproxy v1.8.11
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.8.3
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/yuin/gopher-lua v1.1.2

go.sum

@@ -42,6 +42,7 @@ github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSE
 github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
 github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
 github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.12.0 h1:0j4c5qQmnC6XOWNjP3PIXURXN2gWx76rd3KvgdPkCz8=
@@ -108,8 +109,8 @@ github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
 github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.3 h1:DBBfY8eMYazKEJHb3JKpSPfpgd2mBCoNFlQx6C5fftU=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
@@ -120,7 +121,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@@ -146,7 +148,7 @@ golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
 golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
 golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
@@ -157,6 +159,7 @@ golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=

internal/config/config.go

@@ -23,6 +23,7 @@ type Config struct {
 		CertDir       string `mapstructure:"cert_dir"`
 		ProjectDir    string `mapstructure:"project_dir"`
 		PluginsDir    string `mapstructure:"plugins_dir"`
+		UpstreamProxy string `mapstructure:"upstream_proxy"`
 	} `mapstructure:"app"`
 
 	TUI struct {

internal/config/default_config.yaml

@@ -4,6 +4,7 @@ app:
   cert_dir: ~/.local/share/spilltea
   project_dir: ~/.local/share/spilltea
   plugins_dir: ~/.config/spilltea/plugins
+  upstream_proxy: "" # e.g. http://corporate-proxy:8888 or http://user:pass@host:8888
 
 intercept:
   default_intercept_enabled: true
@@ -12,13 +13,13 @@ intercept:
     - '\.(js|css|png|gif|ico|woff2?|ttf|svg)(\?.*)?$'
 
 replay:
-  switch_to_page_on_send: false
+  switch_to_page_on_send: true
 
 history:
-  skip_duplicates: false # if true, skip saving entries with the same method, host, path and body
+  skip_duplicates: true # if true, skip saving entries with the same method, host, path and body
 
 tui:
-  use_nerdfont_icons: true
+  use_nerdfont_icons: false
   default_sidebar_state: "expanded" # hidden, collapsed, expanded
   pretty_print_body: true # auto-indent JSON and HTML response bodies
   colors:
@@ -50,7 +51,8 @@ keybindings:
     left: "left,h"
     right: "right,l"
     cycle_focus: "tab"
-    copy_request: "ctrl+y"
+    copy_as: "ctrl+y"
+    copy: "y"
     send_to_replay: "ctrl+r"
     scroll_up: "pgup"
     scroll_down: "pgdown"
@@ -61,7 +63,7 @@ keybindings:
     forward_all: "F"
     drop: "d"
     drop_all: "D"
-    toggle_intercept: "a"
+    toggle_intercept: "i"
     capture_response: "r"
     undo_edits: "ctrl+z"
     edit: "e,enter"

internal/config/keybindings.go

@@ -10,7 +10,8 @@ type GlobalKeys struct {
 	Left          string `mapstructure:"left"`
 	Right         string `mapstructure:"right"`
 	CycleFocus    string `mapstructure:"cycle_focus"`
-	CopyRequest   string `mapstructure:"copy_request"`
+	CopyAs        string `mapstructure:"copy_as"`
+	Copy          string `mapstructure:"copy"`
 	SendToReplay  string `mapstructure:"send_to_replay"`
 	ScrollUp      string `mapstructure:"scroll_up"`
 	ScrollDown    string `mapstructure:"scroll_down"`

internal/db/db.go

@@ -68,6 +68,12 @@ CREATE TABLE IF NOT EXISTS replay_entries (
 	return err
 }
 
+// Query executes a SQL query and returns the rows. The caller must close the
+// returned rows. Args are passed as positional parameters.
+func (d *DB) Query(query string, args ...any) (*sql.Rows, error) {
+	return d.conn.Query(query, args...)
+}
+
 func (d *DB) Close() error {
 	if d == nil {
 		return nil

internal/db/findings.go

@@ -48,7 +48,7 @@ func (d *DB) LoadFindings() ([]Finding, error) {
 		}
 		for _, layout := range findingTimeFormats {
 			if t, err := time.Parse(layout, ts); err == nil {
-				f.CreatedAt = t
+				f.CreatedAt = t.Local()
 				break
 			}
 		}

internal/intercept/broker.go

@@ -44,9 +44,14 @@ type Broker struct {
 	autoFwdMu      sync.RWMutex
 	autoFwdRegexes []*regexp.Regexp
 
+	onBeforeNewEntry func(db.Entry) bool
 	onNewEntry       func(db.Entry)
 }
 
+func (b *Broker) SetOnBeforeNewEntry(cb func(db.Entry) bool) {
+	b.onBeforeNewEntry = cb
+}
+
 func (b *Broker) SetOnNewEntry(cb func(db.Entry)) {
 	b.onNewEntry = cb
 }
@@ -165,7 +170,7 @@ func (b *Broker) SaveEntry(f *proxy.Flow) {
 			return
 		}
 	}
-	entry, err := d.InsertEntry(db.Entry{
+	pending := db.Entry{
 		Timestamp:   time.Now(),
 		Method:      r.Method,
 		Host:        r.URL.Host,
@@ -173,7 +178,13 @@ func (b *Broker) SaveEntry(f *proxy.Flow) {
 		StatusCode:  status,
 		RequestRaw:  FormatRawRequest(f),
 		ResponseRaw: FormatRawResponse(f),
-	})
+	}
+	if cb := b.onBeforeNewEntry; cb != nil {
+		if !cb(pending) {
+			return
+		}
+	}
+	entry, err := d.InsertEntry(pending)
 	if err == nil {
 		if cb := b.onNewEntry; cb != nil {
 			go cb(entry)

internal/keys/global.go

@@ -15,7 +15,8 @@ type GlobalKeyMap struct {
 	Left          key.Binding
 	Right         key.Binding
 	CycleFocus    key.Binding
-	CopyRequest   key.Binding
+	CopyAs        key.Binding
+	Copy          key.Binding
 	Escape        key.Binding
 	SendToReplay  key.Binding
 	ScrollUp      key.Binding
@@ -34,7 +35,8 @@ func newGlobalKeyMap(cfg config.GlobalKeys) GlobalKeyMap {
 		Left:          binding(cfg.Left, "scroll left"),
 		Right:         binding(cfg.Right, "scroll right"),
 		CycleFocus:    binding(cfg.CycleFocus, "cycle focus"),
-		CopyRequest:   binding(cfg.CopyRequest, "copy as..."),
+		CopyAs:        binding(cfg.CopyAs, "copy as..."),
+		Copy:          binding(cfg.Copy, "copy..."),
 		Escape:        key.NewBinding(key.WithKeys("esc"), key.WithHelp("esc", "cancel")),
 		SendToReplay:  binding(cfg.SendToReplay, "send to replay"),
 		ScrollUp:      binding(cfg.ScrollUp, "scroll up"),
@@ -47,7 +49,7 @@ func (g GlobalKeyMap) Bindings() []key.Binding {
 	return []key.Binding{
 		g.Up, g.Down, g.Left, g.Right, g.CycleFocus,
 		g.Quit, g.Escape, g.Help,
-		g.OpenLogs, g.ToggleSidebar, g.CopyRequest,
+		g.OpenLogs, g.ToggleSidebar, g.CopyAs, g.Copy,
 		g.SendToReplay, g.SendToDiff,
 		g.ScrollUp, g.ScrollDown,
 	}

internal/plugins/lua.go

@@ -26,8 +26,9 @@ func registerUtilities(L *lua.LState, mgr *Manager, p *Plugin) {
 	L.SetGlobal("notif", L.NewFunction(func(L *lua.LState) int {
 		title := L.CheckString(1)
 		body := L.CheckString(2)
+		kind := L.OptString(3, "info")
 		select {
-		case mgr.Notifs <- PluginNotifMsg{Title: title, Body: body}:
+		case mgr.Notifs <- PluginNotifMsg{Title: title, Body: body, Kind: kind}:
 		default:
 		}
 		return 0
@@ -64,6 +65,86 @@ func registerUtilities(L *lua.LState, mgr *Manager, p *Plugin) {
 		return 0
 	}))
 
+	L.SetGlobal("db_query", L.NewFunction(func(L *lua.LState) int {
+		if mgr.db == nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString("db not available"))
+			return 2
+		}
+		query := L.CheckString(1)
+		var args []any
+		for i := 2; i <= L.GetTop(); i++ {
+			switch v := L.Get(i).(type) {
+			case lua.LString:
+				args = append(args, string(v))
+			case lua.LNumber:
+				args = append(args, float64(v))
+			case lua.LBool:
+				args = append(args, bool(v))
+			default:
+				args = append(args, nil)
+			}
+		}
+		rows, err := mgr.db.Query(query, args...)
+		if err != nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString(err.Error()))
+			return 2
+		}
+		defer rows.Close()
+		cols, err := rows.Columns()
+		if err != nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString(err.Error()))
+			return 2
+		}
+		result := L.NewTable()
+		rowIdx := 1
+		for rows.Next() {
+			vals := make([]any, len(cols))
+			ptrs := make([]any, len(cols))
+			for i := range vals {
+				ptrs[i] = &vals[i]
+			}
+			if err := rows.Scan(ptrs...); err != nil {
+				L.Push(lua.LNil)
+				L.Push(lua.LString(err.Error()))
+				return 2
+			}
+			row := L.NewTable()
+			for i, col := range cols {
+				switch v := vals[i].(type) {
+				case int64:
+					L.SetField(row, col, lua.LNumber(v))
+				case float64:
+					L.SetField(row, col, lua.LNumber(v))
+				case string:
+					L.SetField(row, col, lua.LString(v))
+				case []byte:
+					L.SetField(row, col, lua.LString(string(v)))
+				case bool:
+					if v {
+						L.SetField(row, col, lua.LTrue)
+					} else {
+						L.SetField(row, col, lua.LFalse)
+					}
+				case nil:
+					L.SetField(row, col, lua.LNil)
+				}
+			}
+			L.RawSetInt(result, rowIdx, row)
+			rowIdx++
+		}
+		if err := rows.Err(); err != nil {
+			L.Push(lua.LNil)
+			L.Push(lua.LString(err.Error()))
+			return 2
+		}
+		L.Push(result)
+		L.Push(lua.LNil)
+		return 2
+	}))
+
 	L.SetGlobal("quit", L.NewFunction(func(L *lua.LState) int {
 		reason := L.OptString(1, "plugin requested quit")
 		select {

internal/plugins/manager.go

@@ -5,6 +5,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"sync"
 
@@ -32,7 +33,8 @@ func NewManager(broker *intercept.Broker) *Manager {
 		Quit:   make(chan string, 4),
 	}
 	if broker != nil {
-		broker.SetOnNewEntry(mgr.RunOnHistoryEntry)
+		broker.SetOnBeforeNewEntry(mgr.RunSyncOnHistoryEntry)
+		broker.SetOnNewEntry(mgr.RunAsyncOnHistoryEntry)
 	}
 	return mgr
 }
@@ -107,27 +109,41 @@ func (m *Manager) loadPlugin(path string) (*Plugin, error) {
 		p.Name = strings.TrimSuffix(filepath.Base(path), ".lua")
 	}
 
-	// Defaults when not overridden by the Plugin table.
+	if s, ok := pluginTable.RawGetString("description").(lua.LString); ok {
-	hookDefaults := map[string]bool{
+		p.Description = string(s)
-		"on_start":         true,  // always sync
-		"on_request":       false, // async
-		"on_response":      false, // async
-		"on_quit":          true,  // always sync
-		"on_history_entry": false, // always async
 	}
-	for hookName, defaultSync := range hookDefaults {
+
-		// Plugin table entry overrides the default (except on_start/on_quit/on_history_entry which are fixed).
+	if n, ok := pluginTable.RawGetString("priority").(lua.LNumber); ok {
-		if hookName != "on_start" && hookName != "on_quit" && hookName != "on_history_entry" {
+		p.Priority = int(n)
+	}
+
+	// Hooks configurable via the Plugin table (sync field).
+	configurableHooks := map[string]bool{
+		"on_start":         false, // async by default
+		"on_request":       false,
+		"on_response":      false,
+		"on_history_entry": false,
+	}
+	// Fixed-sync hooks: always sync, not configurable.
+	fixedSyncHooks := map[string]struct{}{
+		"on_config": {},
+		"on_quit":   {},
+	}
+
+	for hookName, defaultSync := range configurableHooks {
 		if tbl, ok := pluginTable.RawGetString(hookName).(*lua.LTable); ok {
 			p.hooks[hookName] = HookConfig{Sync: tbl.RawGetString("sync") == lua.LTrue}
 			continue
 		}
-		}
-		// Auto-detect: register the hook if the function exists as a global.
 		if p.L.GetGlobal(hookName) != lua.LNil {
 			p.hooks[hookName] = HookConfig{Sync: defaultSync}
 		}
 	}
+	for hookName := range fixedSyncHooks {
+		if p.L.GetGlobal(hookName) != lua.LNil {
+			p.hooks[hookName] = HookConfig{Sync: true}
+		}
+	}
 
 	return p, nil
 }
@@ -137,6 +153,7 @@ func (m *Manager) GetPlugins() []*Plugin {
 	defer m.mu.RUnlock()
 	out := make([]*Plugin, len(m.plugins))
 	copy(out, m.plugins)
+	sort.Slice(out, func(i, j int) bool { return out[i].Priority > out[j].Priority })
 	return out
 }
 
@@ -179,45 +196,61 @@ func (m *Manager) SaveConfig(name, configText string) {
 	found.mu.Lock()
 	found.ConfigText = configText
 	enabled := found.Enabled
-	hc, hasOnStart := found.hooks["on_start"]
+	_, hasOnConfig := found.hooks["on_config"]
 	found.mu.Unlock()
 	if m.db != nil {
 		_ = m.db.SavePluginState(name, enabled, configText)
 	}
-	if !hasOnStart {
+	if !hasOnConfig {
 		return
 	}
-	// Re-run on_start so the plugin can re-parse the new config.
+	// on_config is always sync.
-	if hc.Sync {
 	found.mu.Lock()
-		if _, err := callHook(found, "on_start", lua.LString(configText)); err != nil {
+	if _, err := callHook(found, "on_config", lua.LString(configText)); err != nil {
-			log.Printf("plugin %s on_start (config reload): %v", name, err)
+		log.Printf("plugin %s on_config (config reload): %v", name, err)
 	}
 	found.mu.Unlock()
-	} else {
-		go func() {
-			found.mu.Lock()
-			if _, err := callHook(found, "on_start", lua.LString(configText)); err != nil {
-				log.Printf("plugin %s on_start (config reload): %v", name, err)
-			}
-			found.mu.Unlock()
-		}()
-	}
 }
 
 func (m *Manager) RunOnStart() {
+	// on_config runs first, always sync, for every enabled plugin that has it.
 	for _, p := range m.GetPlugins() {
 		if !p.Enabled {
 			continue
 		}
-		if _, ok := p.hooks["on_start"]; !ok {
+		if _, ok := p.hooks["on_config"]; !ok {
 			continue
 		}
 		p.mu.Lock()
-		if _, err := callHook(p, "on_start", lua.LString(p.ConfigText)); err != nil {
+		if _, err := callHook(p, "on_config", lua.LString(p.ConfigText)); err != nil {
+			log.Printf("plugin %s on_config: %v", p.Name, err)
+		}
+		p.mu.Unlock()
+	}
+	// on_start runs after, sync or async depending on plugin config.
+	for _, p := range m.GetPlugins() {
+		if !p.Enabled {
+			continue
+		}
+		hc, ok := p.hooks["on_start"]
+		if !ok {
+			continue
+		}
+		if hc.Sync {
+			p.mu.Lock()
+			if _, err := callHook(p, "on_start"); err != nil {
 				log.Printf("plugin %s on_start: %v", p.Name, err)
 			}
 			p.mu.Unlock()
+		} else {
+			go func(p *Plugin) {
+				p.mu.Lock()
+				if _, err := callHook(p, "on_start"); err != nil {
+					log.Printf("plugin %s on_start: %v", p.Name, err)
+				}
+				p.mu.Unlock()
+			}(p)
+		}
 	}
 }
 
@@ -327,12 +360,37 @@ func (m *Manager) RunAsyncOnResponse(f *goproxy.Flow) {
 	}
 }
 
-func (m *Manager) RunOnHistoryEntry(e db.Entry) {
+// RunSyncOnHistoryEntry is called before DB insert; returns false to skip saving.
+func (m *Manager) RunSyncOnHistoryEntry(e db.Entry) bool {
 	for _, p := range m.GetPlugins() {
 		if !p.Enabled {
 			continue
 		}
-		if _, ok := p.hooks["on_history_entry"]; !ok {
+		hc, ok := p.hooks["on_history_entry"]
+		if !ok || !hc.Sync {
+			continue
+		}
+		p.mu.Lock()
+		result, err := callHook(p, "on_history_entry", pushEntry(p.L, e))
+		p.mu.Unlock()
+		if err != nil {
+			log.Printf("plugin %s on_history_entry: %v", p.Name, err)
+			continue
+		}
+		if result == "skip" {
+			return false
+		}
+	}
+	return true
+}
+
+func (m *Manager) RunAsyncOnHistoryEntry(e db.Entry) {
+	for _, p := range m.GetPlugins() {
+		if !p.Enabled {
+			continue
+		}
+		hc, ok := p.hooks["on_history_entry"]
+		if !ok || hc.Sync {
 			continue
 		}
 		go func(p *Plugin) {

internal/plugins/types.go

@@ -12,9 +12,11 @@ type HookConfig struct {
 
 type Plugin struct {
 	Name        string
+	Description string
 	FilePath    string
 	Enabled     bool
 	ConfigText  string
+	Priority    int
 
 	L     *lua.LState
 	mu    sync.Mutex
@@ -36,22 +38,31 @@ func (p *Plugin) HookConfig(name string) (HookConfig, bool) {
 
 type Info struct {
 	Name        string
+	Description string
 	FilePath    string
 	Enabled     bool
 	ConfigText  string
+	Priority    int
 	Hooks       map[string]HookConfig
 }
 
 func (p *Plugin) Info() Info {
+	p.mu.Lock()
+	enabled := p.Enabled
+	configText := p.ConfigText
+	p.mu.Unlock()
+
 	hooks := make(map[string]HookConfig, len(p.hooks))
 	for k, v := range p.hooks {
 		hooks[k] = v
 	}
 	return Info{
 		Name:        p.Name,
+		Description: p.Description,
 		FilePath:    p.FilePath,
-		Enabled:    p.Enabled,
+		Enabled:     enabled,
-		ConfigText: p.ConfigText,
+		ConfigText:  configText,
+		Priority:    p.Priority,
 		Hooks:       hooks,
 	}
 }
@@ -59,6 +70,7 @@ func (p *Plugin) Info() Info {
 type PluginNotifMsg struct {
 	Title string
 	Body  string
+	Kind  string // "info", "success", "warning", "error"
 }
 
 type PluginQuitMsg struct {

internal/proxy/proxy.go

@@ -108,6 +108,7 @@ func Start(broker *intercept.Broker, mgr *plugins.Manager) error {
 		Addr:              addr,
 		StreamLargeBodies: 1024 * 1024 * 5,
 		CaRootPath:        caPath,
+		Upstream:          cfg.UpstreamProxy,
 	}
 
 	p, err := goproxy.NewProxy(opts)

internal/style/components.go

@@ -28,15 +28,20 @@ func NewTextarea(showLineNumbers bool) textarea.Model {
 	ta.Prompt = ""
 	ta.ShowLineNumbers = showLineNumbers
 	ta.CharLimit = 0
+	ta.EndOfBufferCharacter = '~'
 	ts := ta.Styles()
 	ts.Focused.Base = lipgloss.NewStyle()
 	ts.Blurred.Base = lipgloss.NewStyle()
+	ts.Focused.Text = lipgloss.NewStyle().Foreground(S.Text)
 	ts.Focused.CursorLine = lipgloss.NewStyle().Background(S.Selection).Foreground(S.Text)
+	ts.Focused.CursorLineNumber = lipgloss.NewStyle().Background(S.Selection).Foreground(S.Primary).Bold(true)
+	ts.Focused.LineNumber = lipgloss.NewStyle().Foreground(S.Subtle)
 	ts.Focused.Placeholder = lipgloss.NewStyle().Foreground(S.Subtle)
-	ts.Blurred.Placeholder = lipgloss.NewStyle().Foreground(S.Subtle)
 	ts.Focused.EndOfBuffer = lipgloss.NewStyle().Foreground(S.SubtleBg)
-	ts.Blurred.EndOfBuffer = lipgloss.NewStyle().Foreground(S.SubtleBg)
 	ts.Blurred.Text = lipgloss.NewStyle().Foreground(S.MutedFg)
+	ts.Blurred.LineNumber = lipgloss.NewStyle().Foreground(S.SubtleBg)
+	ts.Blurred.Placeholder = lipgloss.NewStyle().Foreground(S.Subtle)
+	ts.Blurred.EndOfBuffer = lipgloss.NewStyle().Foreground(S.SubtleBg)
 	ta.SetStyles(ts)
 	return ta
 }

internal/style/style.go

@@ -24,6 +24,7 @@ type Styles struct {
 
 	Panel        lipgloss.Style
 	PanelFocused lipgloss.Style
+	PanelEditing lipgloss.Style
 
 	PagerDotActive   string
 	PagerDotInactive string
@@ -43,6 +44,7 @@ func Init(cfg *config.Config) {
 	warning := lipgloss.Color("#" + c.Base09)   // Orange: warnings
 	success := lipgloss.Color("#" + c.Base0B)   // Green: success
 	primary := lipgloss.Color("#" + c.Base0D)   // Accent: primary
+	purple := lipgloss.Color("#" + c.Base0E)    // Purple: editing
 
 	S = &Styles{
 		Primary:   primary,
@@ -66,6 +68,10 @@ func Init(cfg *config.Config) {
 			Border(lipgloss.RoundedBorder()).
 			BorderForeground(primary),
 
+		PanelEditing: lipgloss.NewStyle().
+			Border(lipgloss.RoundedBorder()).
+			BorderForeground(purple),
+
 		PagerDotActive:   lipgloss.NewStyle().Foreground(primary).SetString("•").String(),
 		PagerDotInactive: lipgloss.NewStyle().Foreground(subtle).SetString("•").String(),
 	}

internal/ui/app/model.go

@@ -13,6 +13,7 @@ import (
 	"github.com/anotherhadi/spilltea/internal/intercept"
 	"github.com/anotherhadi/spilltea/internal/plugins"
 	proxyPkg "github.com/anotherhadi/spilltea/internal/proxy"
+	copyUI "github.com/anotherhadi/spilltea/internal/ui/components/copy"
 	copyasUI "github.com/anotherhadi/spilltea/internal/ui/components/copyas"
 	notificationsUI "github.com/anotherhadi/spilltea/internal/ui/components/notifications"
 	diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
@@ -66,6 +67,7 @@ type Model struct {
 	pluginsPage   pluginsUI.Model
 	findingsPage  findingsUI.Model
 	copyAs        copyasUI.Model
+	copy          copyUI.Model
 	notifications notificationsUI.Model
 }
 
@@ -87,6 +89,7 @@ func New(broker *intercept.Broker, name, path string) Model {
 		pluginsPage:   pluginsUI.New(mgr),
 		findingsPage:  findingsUI.New(),
 		copyAs:        copyasUI.New(),
+		copy:          copyUI.New(),
 		notifications: notificationsUI.New(),
 		sidebarState:  sidebarState(cfg.TUI.DefaultSidebarState),
 	}

internal/ui/app/update.go

@@ -13,6 +13,7 @@ import (
 	"github.com/anotherhadi/spilltea/internal/keys"
 	"github.com/anotherhadi/spilltea/internal/plugins"
 	proxyPkg "github.com/anotherhadi/spilltea/internal/proxy"
+	copyUI "github.com/anotherhadi/spilltea/internal/ui/components/copy"
 	copyasUI "github.com/anotherhadi/spilltea/internal/ui/components/copyas"
 	notificationsUI "github.com/anotherhadi/spilltea/internal/ui/components/notifications"
 	diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
@@ -44,11 +45,20 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 
 	case plugins.PluginNotifMsg:
 		cmd := plugins.WaitForNotif(m.pluginManager)
+		kind := notificationsUI.KindInfo
+		switch msg.Kind {
+		case "success":
+			kind = notificationsUI.KindSuccess
+		case "warning":
+			kind = notificationsUI.KindWarning
+		case "error":
+			kind = notificationsUI.KindError
+		}
 		notifCmd := func() tea.Msg {
 			return notificationsUI.NotificationMsg{
 				Title: msg.Title,
 				Body:  msg.Body,
-				Kind:  notificationsUI.KindInfo,
+				Kind:  kind,
 			}
 		}
 		return m, tea.Batch(cmd, notifCmd)
@@ -72,6 +82,19 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m, cmd
 	}
 
+	if m.copy.IsOpen() {
+		if ws, ok := msg.(tea.WindowSizeMsg); ok {
+			m.width = ws.Width
+			m.height = ws.Height
+			m.copy.SetSize(ws.Width, ws.Height)
+			m.resizeChildren()
+			return m, nil
+		}
+		var cmd tea.Cmd
+		m.copy, cmd = m.copy.Update(msg)
+		return m, cmd
+	}
+
 	switch msg := msg.(type) {
 	case tea.WindowSizeMsg:
 		m.width = msg.Width
@@ -152,7 +175,7 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 
 		if !m.activeIsEditing() {
 			switch {
-			case key.Matches(msg, keys.Keys.Global.CopyRequest):
+			case key.Matches(msg, keys.Keys.Global.CopyAs):
 				if m.page == pageDiff {
 					if raw := m.diff.CurrentRaw(); raw != "" {
 						m.copyAs.SetSize(m.width, m.height)
@@ -172,6 +195,28 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 				}
 				return m, nil
 
+			case key.Matches(msg, keys.Keys.Global.Copy):
+				var raw, scheme string
+				switch m.page {
+				case pageIntercept:
+					raw = m.intercept.CurrentRaw()
+					scheme = m.intercept.CurrentScheme()
+				case pageDiff:
+					raw = m.diff.CurrentRaw()
+					scheme = "https"
+				case pageHistory:
+					raw = m.history.CurrentRaw()
+					scheme = m.history.CurrentScheme()
+				case pageReplay:
+					raw = m.replay.CurrentRaw()
+					scheme = m.replay.CurrentScheme()
+				}
+				if raw != "" {
+					m.copy.SetSize(m.width, m.height)
+					m.copy.Open(copyUI.OpenMsg{RawRequest: raw, Scheme: scheme})
+				}
+				return m, nil
+
 			case key.Matches(msg, keys.Keys.Global.ToggleSidebar):
 				m.cycleSidebarState()
 				m.resizeChildren()

internal/ui/app/view.go

@@ -22,6 +22,13 @@ func (m Model) View() tea.View {
 		return v
 	}
 
+	if m.copy.IsOpen() {
+		v := tea.NewView(m.copy.View(normal))
+		v.AltScreen = true
+		v.MouseMode = tea.MouseModeCellMotion
+		return v
+	}
+
 	rendered := normal
 	if m.notifications.HasNotifications() {
 		rendered = m.notifications.View(normal)

internal/ui/components/copy/model.go

@@ -0,0 +1,165 @@
+package copy
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strings"
+
+	"charm.land/bubbles/v2/list"
+	tea "charm.land/bubbletea/v2"
+	"charm.land/lipgloss/v2"
+	"github.com/anotherhadi/spilltea/internal/style"
+)
+
+const popupInnerW = 40
+
+func writeClipboard(text string) {
+	encoded := base64.StdEncoding.EncodeToString([]byte(text))
+	fmt.Fprintf(os.Stderr, "\033]52;c;%s\a", encoded)
+}
+
+type OpenMsg struct {
+	RawRequest string
+	Scheme     string
+}
+
+type copyItem struct {
+	id    string
+	title string
+	desc  string
+}
+
+func (c copyItem) Title() string       { return c.title }
+func (c copyItem) Description() string { return c.desc }
+func (c copyItem) FilterValue() string { return c.title }
+
+var allItems = []list.Item{
+	copyItem{"raw", "Raw", "full HTTP request"},
+	copyItem{"headers", "Headers", "request headers only"},
+	copyItem{"body", "Body", "request body only"},
+	copyItem{"url", "URL", "request URL"},
+}
+
+type Model struct {
+	open       bool
+	list       list.Model
+	rawRequest string
+	scheme     string
+	width      int
+	height     int
+}
+
+func New() Model {
+	s := style.S
+
+	delegate := list.NewDefaultDelegate()
+	delegate.SetSpacing(0)
+	delegate.Styles.NormalTitle = lipgloss.NewStyle().Foreground(s.Text).PaddingLeft(2)
+	delegate.Styles.NormalDesc = lipgloss.NewStyle().Foreground(s.Subtle).PaddingLeft(2)
+	delegate.Styles.SelectedTitle = lipgloss.NewStyle().
+		Border(lipgloss.NormalBorder(), false, false, false, true).
+		BorderForeground(s.Primary).
+		Foreground(s.Primary).Bold(true).PaddingLeft(1)
+	delegate.Styles.SelectedDesc = lipgloss.NewStyle().
+		Border(lipgloss.NormalBorder(), false, false, false, true).
+		BorderForeground(s.Primary).
+		Foreground(s.MutedFg).PaddingLeft(1)
+
+	l := list.New(allItems, delegate, popupInnerW, 8)
+	l.SetShowTitle(false)
+	l.SetShowStatusBar(false)
+	l.SetShowHelp(false)
+	l.SetFilteringEnabled(true)
+	l.KeyMap.Quit.SetEnabled(false)
+	l.KeyMap.ForceQuit.SetEnabled(false)
+	l.KeyMap.ShowFullHelp.SetEnabled(false)
+	l.KeyMap.CloseFullHelp.SetEnabled(false)
+
+	return Model{list: l}
+}
+
+func (m Model) Init() tea.Cmd { return nil }
+
+func (m Model) IsOpen() bool { return m.open }
+
+func (m *Model) Open(msg OpenMsg) {
+	m.rawRequest = msg.RawRequest
+	m.scheme = msg.Scheme
+	m.open = true
+	m.list.ResetFilter()
+	m.list.Select(0)
+	m.list.SetSize(popupInnerW, m.listHeight())
+}
+
+func (m *Model) SetSize(w, h int) {
+	m.width = w
+	m.height = h
+	m.list.SetSize(popupInnerW, m.listHeight())
+}
+
+func (m Model) popupHeight() int {
+	h := 12
+	if m.height > 0 && m.height-4 < h {
+		h = m.height - 4
+	}
+	if h < 6 {
+		h = 6
+	}
+	return h
+}
+
+func (m Model) listHeight() int {
+	return style.PanelContentH(m.popupHeight()) - 1
+}
+
+func (m Model) extract(id string) string {
+	raw := m.rawRequest
+	lines := strings.Split(strings.ReplaceAll(raw, "\r\n", "\n"), "\n")
+
+	switch id {
+	case "raw":
+		return raw
+
+	case "headers":
+		var sb strings.Builder
+		for _, l := range lines[1:] {
+			if l == "" {
+				break
+			}
+			sb.WriteString(l + "\n")
+		}
+		return strings.TrimRight(sb.String(), "\n")
+
+	case "body":
+		for i, l := range lines {
+			if l == "" && i > 0 {
+				return strings.TrimRight(strings.Join(lines[i+1:], "\n"), "\n")
+			}
+		}
+		return ""
+
+	case "url":
+		scheme := m.scheme
+		if scheme == "" {
+			scheme = "https"
+		}
+		var host, path string
+		if len(lines) > 0 {
+			parts := strings.SplitN(lines[0], " ", 3)
+			if len(parts) >= 2 {
+				path = parts[1]
+			}
+		}
+		for _, l := range lines[1:] {
+			if l == "" {
+				break
+			}
+			if kv := strings.SplitN(l, ": ", 2); len(kv) == 2 && strings.EqualFold(kv[0], "host") {
+				host = strings.TrimSpace(kv[1])
+			}
+		}
+		return scheme + "://" + host + path
+	}
+	return raw
+}

internal/ui/components/copy/update.go

@@ -0,0 +1,30 @@
+package copy
+
+import (
+	"charm.land/bubbles/v2/key"
+	tea "charm.land/bubbletea/v2"
+	"github.com/anotherhadi/spilltea/internal/keys"
+)
+
+func (m Model) Update(msg tea.Msg) (Model, tea.Cmd) {
+	if kp, ok := msg.(tea.KeyPressMsg); ok {
+		switch {
+		case kp.String() == "enter":
+			if item, ok := m.list.SelectedItem().(copyItem); ok {
+				writeClipboard(m.extract(item.id))
+			}
+			m.open = false
+			return m, nil
+		case key.Matches(kp, keys.Keys.Global.Escape):
+			if m.list.SettingFilter() {
+				break
+			}
+			m.open = false
+			return m, nil
+		}
+	}
+
+	var cmd tea.Cmd
+	m.list, cmd = m.list.Update(msg)
+	return m, cmd
+}

internal/ui/components/copy/view.go

@@ -0,0 +1,28 @@
+package copy
+
+import (
+	"charm.land/lipgloss/v2"
+	"github.com/anotherhadi/spilltea/internal/style"
+	copyasUI "github.com/anotherhadi/spilltea/internal/ui/components/copyas"
+)
+
+func (m *Model) View(background string) string {
+	s := style.S
+
+	hint := lipgloss.NewStyle().Foreground(s.Subtle).
+		Render("  enter: copy  •  /: filter  •  esc: cancel")
+
+	inner := lipgloss.JoinVertical(lipgloss.Left,
+		m.list.View(),
+		hint,
+	)
+
+	border := lipgloss.NewStyle().
+		Border(lipgloss.RoundedBorder()).
+		BorderForeground(s.Primary)
+
+	popupH := m.popupHeight()
+	popup := style.RenderWithTitle(border, "Copy", inner, popupInnerW+2, popupH)
+
+	return copyasUI.OverlayCenter(background, popup, m.width, m.height)
+}

internal/ui/components/copyas/formats.go

@@ -66,6 +66,8 @@ func (pr parsedRequest) fullURL() string {
 func formatAs(id, raw, scheme string) string {
 	pr := parseRaw(raw, scheme)
 	switch id {
+	case "raw":
+		return raw
 	case "curl":
 		return toCurl(pr)
 	case "python":

internal/ui/components/copyas/model.go

@@ -36,6 +36,7 @@ func (f formatItem) Description() string { return f.desc }
 func (f formatItem) FilterValue() string { return f.title }
 
 var allFormats = []list.Item{
+	formatItem{"raw", "Raw", "raw HTTP request"},
 	formatItem{"curl", "cURL", "command line HTTP request"},
 	formatItem{"python", "Python", "requests library"},
 	formatItem{"go", "Go", "net/http package"},

internal/ui/components/copyas/view.go

@@ -26,10 +26,10 @@ func (m *Model) View(background string) string {
 	popupH := m.popupHeight()
 	popup := style.RenderWithTitle(border, "Copy as", inner, popupInnerW+2, popupH)
 
-	return overlayCenter(background, popup, m.width, m.height)
+	return OverlayCenter(background, popup, m.width, m.height)
 }
 
-func overlayCenter(bg, popup string, w, h int) string {
+func OverlayCenter(bg, popup string, w, h int) string {
 	s := style.S
 
 	stripped := ansi.Strip(bg)

internal/ui/history/model.go

@@ -55,6 +55,15 @@ func (m Model) IsEditing() bool {
 	return m.searchKind != searchKindOff && !m.searchAccepted
 }
 
+func (m Model) CurrentRaw() string {
+	if len(m.entries) == 0 || m.cursor >= len(m.entries) {
+		return ""
+	}
+	return m.entries[m.cursor].RequestRaw
+}
+
+func (m Model) CurrentScheme() string { return "https" }
+
 // RefreshCmd returns the appropriate load command given the current search state.
 // The app model should call this instead of LoadEntriesCmd directly so that
 // background refreshes re-run the active search rather than resetting it.

internal/ui/intercept/model.go

@@ -115,4 +115,3 @@ func (m *Model) SetSize(w, h int) {
 	m.height = h
 	m.recalcSizes()
 }
-

internal/ui/intercept/update.go

@@ -5,14 +5,24 @@ import (
 	tea "charm.land/bubbletea/v2"
 	"github.com/anotherhadi/spilltea/internal/intercept"
 	"github.com/anotherhadi/spilltea/internal/keys"
-	"github.com/anotherhadi/spilltea/internal/util"
 	diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
 	replayUI "github.com/anotherhadi/spilltea/internal/ui/replay"
+	"github.com/anotherhadi/spilltea/internal/util"
 )
 
 func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 	var cmds []tea.Cmd
 
+	// Route non-key messages to textarea when editing so internal
+	// textarea messages (e.g. clipboard paste) are handled correctly.
+	if m.editing {
+		if _, ok := msg.(tea.KeyPressMsg); !ok {
+			var taCmd tea.Cmd
+			m.textarea, taCmd = m.textarea.Update(msg)
+			cmds = append(cmds, taCmd)
+		}
+	}
+
 	switch msg := msg.(type) {
 	case intercept.RequestArrivedMsg:
 		if !m.interceptEnabled {

internal/ui/plugins/model.go

@@ -1,7 +1,6 @@
 package plugins
 
 import (
-	"os"
 	"strings"
 
 	"charm.land/bubbles/v2/help"
@@ -25,6 +24,7 @@ type Model struct {
 	filtered []plugins.Info
 
 	listViewport   viewport.Model
+	detailViewport viewport.Model
 	textarea       textarea.Model
 	filterInput    textinput.Model
 	filtering      bool
@@ -36,7 +36,7 @@ type Model struct {
 }
 
 func New(mgr *plugins.Manager) Model {
-	ta := style.NewTextarea(false)
+	ta := style.NewTextarea(true)
 	ta.Placeholder = "plugin configuration..."
 	ta.Blur()
 
@@ -46,6 +46,7 @@ func New(mgr *plugins.Manager) Model {
 	return Model{
 		manager:        mgr,
 		listViewport:   style.NewViewport(),
+		detailViewport: style.NewViewport(),
 		textarea:       ta,
 		filterInput:    fi,
 		pager:          style.NewPaginator(),
@@ -88,10 +89,27 @@ func (m *Model) recalcSizes() {
 	}
 
 	m.filterInput.SetWidth(inner - 2)
+
+	detailContentH := style.PanelContentH(detailH)
+	const headerH = 2
+	const configFixedH = 2 // blank line + label line
+	textareaH := max(3, detailContentH/3)
+	if textareaH > 12 {
+		textareaH = 12
+	}
+	configTotalH := 0
+	if m.hasConfig() {
+		configTotalH = configFixedH + textareaH
+	}
+	descVH := max(1, detailContentH-headerH-configTotalH)
+
+	m.detailViewport.SetWidth(inner)
+	m.detailViewport.SetHeight(descVH)
 	m.textarea.SetWidth(max(1, inner-2))
-	m.textarea.SetHeight(max(3, detailH-6))
+	m.textarea.SetHeight(max(3, textareaH))
 
 	m.refreshListViewport()
+	m.syncDetailViewport()
 }
 
 // Refresh reloads the plugin list from the manager.
@@ -126,6 +144,7 @@ func (m *Model) applyFilter() {
 	}
 	m.refreshListViewport()
 	m.syncTextarea()
+	m.syncDetailViewport()
 }
 
 func (m *Model) selected() (plugins.Info, bool) {
@@ -135,6 +154,15 @@ func (m *Model) selected() (plugins.Info, bool) {
 	return m.filtered[m.cursor], true
 }
 
+func (m *Model) hasConfig() bool {
+	info, ok := m.selected()
+	if !ok {
+		return false
+	}
+	_, has := info.Hooks["on_config"]
+	return has
+}
+
 func (m *Model) syncTextarea() {
 	if m.editing {
 		return
@@ -147,6 +175,16 @@ func (m *Model) syncTextarea() {
 	m.textarea.SetValue(info.ConfigText)
 }
 
+func (m *Model) syncDetailViewport() {
+	info, ok := m.selected()
+	if !ok || info.Description == "" {
+		m.detailViewport.SetContent("")
+		return
+	}
+	desc := renderPluginDescription(info.Description, m.width-6)
+	m.detailViewport.SetContent(desc)
+}
+
 func (m *Model) refreshListViewport() {
 	if m.pager.PerPage > 0 {
 		m.pager.Page = m.cursor / m.pager.PerPage
@@ -155,15 +193,10 @@ func (m *Model) refreshListViewport() {
 	m.listViewport.SetContent(m.renderList())
 }
 
-func shortenPath(p string) string {
+type pluginsKeyMap struct {
-	home := os.Getenv("HOME")
+	editing   bool
-	if home != "" && strings.HasPrefix(p, home) {
+	hasConfig bool
-		return "~" + p[len(home):]
 }
-	return p
-}
-
-type pluginsKeyMap struct{ editing bool }
 
 func (k pluginsKeyMap) ShortHelp() []key.Binding {
 	pk := keys.Keys.Plugins
@@ -172,7 +205,14 @@ func (k pluginsKeyMap) ShortHelp() []key.Binding {
 		esc := key.NewBinding(key.WithKeys(g.Escape.Keys()...), key.WithHelp(g.Escape.Help().Key, "save & exit"))
 		return []key.Binding{esc}
 	}
-	return []key.Binding{pk.Toggle, pk.EditConfig, pk.Filter}
+	scrollHint := key.NewBinding(
+		key.WithKeys(g.ScrollUp.Keys()...),
+		key.WithHelp(g.ScrollUp.Help().Key+"/"+g.ScrollDown.Help().Key, "scroll detail"),
+	)
+	if k.hasConfig {
+		return []key.Binding{pk.Toggle, pk.EditConfig, pk.Filter, scrollHint}
+	}
+	return []key.Binding{pk.Toggle, pk.Filter, scrollHint}
 }
 
 func (k pluginsKeyMap) FullHelp() [][]key.Binding {

internal/ui/plugins/update.go

@@ -21,7 +21,27 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m, nil
 	}
 
+	// Route non-key messages to textarea when editing so internal
+	// textarea messages (e.g. clipboard paste) are handled correctly.
+	if m.editing {
+		if _, ok := msg.(tea.KeyPressMsg); !ok {
+			var cmd tea.Cmd
+			m.textarea, cmd = m.textarea.Update(msg)
+			return m, cmd
+		}
+	}
+
 	switch msg := msg.(type) {
+	case tea.MouseWheelMsg:
+		if !m.editing {
+			switch msg.Button {
+			case tea.MouseWheelUp:
+				m.detailViewport.SetYOffset(m.detailViewport.YOffset() - 1)
+			case tea.MouseWheelDown:
+				m.detailViewport.SetYOffset(m.detailViewport.YOffset() + 1)
+			}
+		}
+
 	case tea.KeyPressMsg:
 		pk := keys.Keys.Plugins
 		g := keys.Keys.Global
@@ -90,15 +110,17 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		case key.Matches(msg, g.Up):
 			if m.cursor > 0 {
 				m.cursor--
-				m.refreshListViewport()
+				m.recalcSizes()
 				m.syncTextarea()
+				m.detailViewport.GotoTop()
 			}
 
 		case key.Matches(msg, g.Down):
 			if m.cursor < len(m.filtered)-1 {
 				m.cursor++
-				m.refreshListViewport()
+				m.recalcSizes()
 				m.syncTextarea()
+				m.detailViewport.GotoTop()
 			}
 
 		case key.Matches(msg, pk.Toggle):
@@ -115,11 +137,25 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 			}
 
 		case key.Matches(msg, pk.EditConfig):
-			if _, ok := m.selected(); ok {
+			if _, ok := m.selected(); ok && m.hasConfig() {
 				m.editing = true
 				m.textarea.Focus()
 			}
 
+		case key.Matches(msg, g.ScrollUp):
+			step := m.detailViewport.Height() / 2
+			if step < 1 {
+				step = 1
+			}
+			m.detailViewport.SetYOffset(m.detailViewport.YOffset() - step)
+
+		case key.Matches(msg, g.ScrollDown):
+			step := m.detailViewport.Height() / 2
+			if step < 1 {
+				step = 1
+			}
+			m.detailViewport.SetYOffset(m.detailViewport.YOffset() + step)
+
 		case key.Matches(msg, g.Help):
 			m.help.ShowAll = !m.help.ShowAll
 			m.recalcSizes()

internal/ui/plugins/view.go

@@ -1,10 +1,13 @@
 package plugins
 
 import (
+	"path/filepath"
 	"strings"
 
 	tea "charm.land/bubbletea/v2"
+	"charm.land/glamour/v2"
 	"charm.land/lipgloss/v2"
+	"github.com/anotherhadi/spilltea/internal/config"
 	"github.com/anotherhadi/spilltea/internal/icons"
 	"github.com/anotherhadi/spilltea/internal/keys"
 	"github.com/anotherhadi/spilltea/internal/style"
@@ -27,23 +30,29 @@ func (m Model) View() tea.View {
 
 func (m *Model) renderListPanel(w, h int) string {
 	s := style.S
+	panelStyle := s.PanelFocused
+	if m.editing {
+		panelStyle = s.Panel
+	}
 	dots := s.Faint.Render(m.pager.View())
 	inner := lipgloss.JoinVertical(lipgloss.Left,
 		m.listViewport.View(),
 		lipgloss.PlaceHorizontal(m.listViewport.Width(), lipgloss.Center, dots),
 	)
-	return style.RenderWithTitle(s.PanelFocused, icons.I.Plugin+"Plugins", inner, w, h)
+	return style.RenderWithTitle(panelStyle, icons.I.Plugin+"Plugins", inner, w, h)
 }
 
 func (m *Model) renderDetailPanel(h int) string {
 	s := style.S
+	panelStyle := s.Panel
+	if m.editing {
+		panelStyle = s.PanelFocused
+	}
 	info, ok := m.selected()
 	if !ok {
-		return style.RenderWithTitle(s.Panel, "Config", "", m.width, h)
+		return style.RenderWithTitle(panelStyle, icons.I.Detail+"Detail", "", m.width, h)
 	}
 
-	var sb strings.Builder
-
 	statusSt := lipgloss.NewStyle().Foreground(s.Error)
 	if info.Enabled {
 		statusSt = lipgloss.NewStyle().Foreground(s.Success)
@@ -52,22 +61,52 @@ func (m *Model) renderDetailPanel(h int) string {
 	if info.Enabled {
 		status = "enabled"
 	}
-	sb.WriteString(s.Bold.Render(info.Name) + "  " + statusSt.Render(status) + "\n")
-	sb.WriteString(s.Faint.Render(shortenPath(info.FilePath)) + "\n\n")
 
+	pad := lipgloss.NewStyle().Padding(0, 1)
+
+	header := pad.Render(
+		s.Bold.Render(info.Name) + "  " + statusSt.Render(status) + "\n" +
+			s.Faint.Render(filepath.Base(info.FilePath)),
+	)
+
+	parts := []string{header, m.detailViewport.View()}
+
+	if m.hasConfig() {
+		var configLabel string
 		if m.editing {
 			escKey := keys.Keys.Global.Escape.Help().Key
-		sb.WriteString(s.Faint.Render("editing config (" + escKey + " to save):"))
+			configLabel = pad.Render(s.Faint.Render("editing config (" + escKey + " to save):"))
 		} else {
 			editKey := keys.Keys.Plugins.EditConfig.Help().Key
-		sb.WriteString(s.Faint.Render("config (" + editKey + " to edit):"))
+			configLabel = pad.Render(s.Faint.Render("config (" + editKey + " to edit):"))
+		}
+		parts = append(parts, "", configLabel, pad.Render(m.textarea.View()))
 	}
 
-	inner := lipgloss.JoinVertical(lipgloss.Left,
+	inner := lipgloss.JoinVertical(lipgloss.Left, parts...)
-		lipgloss.NewStyle().Padding(0, 1).Render(sb.String()),
+	return style.RenderWithTitle(panelStyle, icons.I.Detail+"Detail", inner, m.width, h)
-		lipgloss.NewStyle().Padding(0, 1).Render(m.textarea.View()),
+}
+
+func renderPluginDescription(desc string, width int) string {
+	desc = strings.TrimSpace(desc)
+	lines := strings.Split(desc, "\n")
+	for i, l := range lines {
+		lines[i] = strings.TrimLeft(l, " \t")
+	}
+	desc = strings.Join(lines, "\n")
+
+	r, err := glamour.NewTermRenderer(
+		glamour.WithStyles(style.GlamourStyleConfig(config.Global)),
+		glamour.WithWordWrap(width),
 	)
-	return style.RenderWithTitle(s.Panel, "Detail", inner, m.width, h)
+	if err != nil {
+		return desc
+	}
+	out, err := r.Render(desc)
+	if err != nil {
+		return desc
+	}
+	return strings.Trim(out, "\n")
 }
 
 func (m *Model) renderStatusBar() string {
@@ -81,9 +120,9 @@ func (m *Model) renderStatusBar() string {
 		escKey := keys.Keys.Global.Escape.Help().Key
 		accent := lipgloss.NewStyle().Foreground(s.Primary)
 		filterLine := pad.Render(accent.Render(filterKey) + " " + s.Bold.Render(m.filter) + s.Faint.Render("  "+escKey+" to clear"))
-		return lipgloss.JoinVertical(lipgloss.Left, filterLine, pad.Render(m.help.View(pluginsKeyMap{editing: m.editing})))
+		return lipgloss.JoinVertical(lipgloss.Left, filterLine, pad.Render(m.help.View(pluginsKeyMap{editing: m.editing, hasConfig: m.hasConfig()})))
 	}
-	return pad.Render(m.help.View(pluginsKeyMap{editing: m.editing}))
+	return pad.Render(m.help.View(pluginsKeyMap{editing: m.editing, hasConfig: m.hasConfig()}))
 }
 
 func (m *Model) renderList() string {

internal/ui/replay/model.go

@@ -68,6 +68,23 @@ func (m Model) Init() tea.Cmd { return nil }
 
 func (m Model) IsEditing() bool { return m.editing }
 
+func (m Model) CurrentRaw() string {
+	if len(m.entries) == 0 || m.cursor >= len(m.entries) {
+		return ""
+	}
+	return m.entries[m.cursor].RequestRaw
+}
+
+func (m Model) CurrentScheme() string {
+	if len(m.entries) == 0 || m.cursor >= len(m.entries) {
+		return "https"
+	}
+	if s := m.entries[m.cursor].Scheme; s != "" {
+		return s
+	}
+	return "https"
+}
+
 func (m *Model) SetDB(d *db.DB) {
 	m.database = d
 	if d == nil {

internal/ui/replay/update.go

@@ -33,6 +33,18 @@ func sendCmd(entry Entry, index int) tea.Cmd {
 }
 
 func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
+	var cmds []tea.Cmd
+
+	// Route non-key messages to textarea when editing so internal
+	// textarea messages (e.g. clipboard paste) are handled correctly.
+	if m.editing {
+		if _, ok := msg.(tea.KeyPressMsg); !ok {
+			var taCmd tea.Cmd
+			m.textarea, taCmd = m.textarea.Update(msg)
+			cmds = append(cmds, taCmd)
+		}
+	}
+
 	switch msg := msg.(type) {
 	case SendToReplayMsg:
 		entry := entryFromMsg(msg)
@@ -104,7 +116,7 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		return m.updateNormalMode(msg)
 	}
 
-	return m, nil
+	return m, tea.Batch(cmds...)
 }
 
 func (m Model) updateNormalMode(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {

internal/ui/replay/view.go

@@ -33,12 +33,16 @@ func (m Model) View() tea.View {
 
 func (m *Model) renderListPanel(w, h int) string {
 	s := style.S
+	panelStyle := s.PanelFocused
+	if m.editing {
+		panelStyle = s.Panel
+	}
 	dots := s.Faint.Render(m.pager.View())
 	inner := lipgloss.JoinVertical(lipgloss.Left,
 		m.listViewport.View(),
 		lipgloss.PlaceHorizontal(m.listViewport.Width(), lipgloss.Center, dots),
 	)
-	return style.RenderWithTitle(s.PanelFocused, icons.I.Replay+"Replay", inner, w, h)
+	return style.RenderWithTitle(panelStyle, icons.I.Replay+"Replay", inner, w, h)
 }
 
 func (m *Model) renderRequestPanel(w, h int) string {

plugins.go

@@ -0,0 +1,45 @@
+package spilltea
+
+import (
+	"embed"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+)
+
+//go:embed plugins/*.lua
+var PluginsFS embed.FS
+
+// InstallDefaultPlugins copies embedded default plugins into dir, skipping
+// files that already exist. Returns the number of files written.
+func InstallDefaultPlugins(dir string) (int, error) {
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return 0, fmt.Errorf("create plugins dir: %w", err)
+	}
+
+	entries, err := fs.ReadDir(PluginsFS, "plugins")
+	if err != nil {
+		return 0, err
+	}
+
+	written := 0
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		dst := filepath.Join(dir, e.Name())
+		if _, err := os.Stat(dst); err == nil {
+			continue
+		}
+		data, err := PluginsFS.ReadFile("plugins/" + e.Name())
+		if err != nil {
+			return written, fmt.Errorf("read embedded %s: %w", e.Name(), err)
+		}
+		if err := os.WriteFile(dst, data, 0o644); err != nil {
+			return written, fmt.Errorf("write %s: %w", dst, err)
+		}
+		written++
+	}
+	return written, nil
+}

plugins/inject_header.lua

@@ -1,26 +1,28 @@
--- Inject a custom header into every request.
--- Config format (one per line): Header-Name: value
-
 Plugin = {
   name        = "Inject Header",
+  description = [[
+Inject custom headers into every intercepted request.
+
+**Config**:
+- one 'Header-Name: value' per line.
+  ]],
   on_request  = { sync = true },
 }
 
 local headers = {}
 
-function on_start(config_text)
+function on_config(config_text)
+  headers = {}
   for line in config_text:gmatch("[^\n]+") do
     local name, value = line:match("^([^:]+):%s*(.+)$")
     if name and value then
       table.insert(headers, { name = name, value = value })
     end
   end
-  log("loaded " .. #headers .. " header(s)")
 end
 
 function on_request(req)
   for _, h in ipairs(headers) do
     req:set_header(h.name, h.value)
   end
-  return "forward"
 end

plugins/ip_filter.lua

@@ -0,0 +1,75 @@
+Plugin = {
+  name        = "IP Filter (Whitelist/Blacklist)",
+  description = [[
+Checks that the proxy's outbound IP is in an allowed list on startup.
+
+**Config**:
+- one IP per line
+- prefix with `!` for a blacklist entry (blocked)
+- prefix with `#` to comment it out (ignored)
+- if no IPs are configured, the check is skipped
+  ]],
+  on_start = { sync = false },
+}
+
+local whitelist = {}
+local blacklist = {}
+
+function on_config(config_text)
+  whitelist = {}
+  blacklist = {}
+
+  for line in config_text:gmatch("[^\n]+") do
+    local trimmed = line:match("^%s*(.-)%s*$")
+    if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then
+      if trimmed:sub(1, 1) == "!" then
+        local ip = trimmed:sub(2):match("^%s*(.-)%s*$")
+        if ip ~= "" then
+          table.insert(blacklist, ip)
+        end
+      else
+        table.insert(whitelist, trimmed)
+      end
+    end
+  end
+end
+
+function on_start()
+  if #whitelist == 0 and #blacklist == 0 then
+    return
+  end
+
+  -- Fetch the current outbound IP via a public API.
+  local ok, result = pcall(function()
+    local handle = io.popen("curl -sf https://api.ipify.org 2>/dev/null")
+    if not handle then return nil end
+    local ip = handle:read("*a")
+    handle:close()
+    return ip and ip:match("^%s*(.-)%s*$") or nil
+  end)
+
+  if not ok or not result or result == "" then
+    log("could not determine outbound IP, skipping check")
+    notif("IP Filter", "Could not determine outbound IP, skipping check", "warning")
+    return
+  end
+
+  for _, ip in ipairs(blacklist) do
+    if result == ip then
+      notif("IP Filter", "Outbound IP " .. result .. " is blacklisted!", "error")
+      return
+    end
+  end
+
+  if #whitelist == 0 then
+    return
+  end
+
+  for _, ip in ipairs(whitelist) do
+    if result == ip then
+      return
+    end
+  end
+
+  notif("IP Filter", "Outbound IP " .. result .. " is not in the whitelist!", "error")
+end

plugins/scopes.lua

@@ -0,0 +1,78 @@
+Plugin = {
+  name        = "Scopes",
+  description = [[
+Auto-forward requests and exclude them from history based on patterns.
+
+**Config**:
+- `pattern`  - whitelist: only intercept matching requests
+- `!pattern` - blacklist: don't intercept matching requests and exclude from history
+- lines starting with `#` are comments
+
+Example (ignore static assets):
+```
+!%.css$
+!%.js$
+!%.png$
+```
+
+Example (focus on mytarget.com, skip everything else):
+```
+mytarget%.com/
+```
+
+Example (intercept mytarget.com except its static assets):
+```
+mytarget%.com/
+!%.css$
+!%.js$
+!%.png$
+```
+  ]],
+  priority         = 100,
+  on_request       = { sync = true },
+  on_response       = { sync = true },
+  on_history_entry = { sync = true },
+}
+
+local whitelist = {}
+local blacklist = {}
+
+function on_config(config_text)
+  whitelist = {}
+  blacklist = {}
+  for line in config_text:gmatch("[^\n]+") do
+    local trimmed = line:match("^%s*(.-)%s*$")
+    if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then
+      if trimmed:sub(1, 1) == "!" then
+        table.insert(blacklist, trimmed:sub(2))
+      else
+        table.insert(whitelist, trimmed)
+      end
+    end
+  end
+end
+
+local function should_skip(url)
+  for _, pattern in ipairs(blacklist) do
+    if url:match(pattern) then return true end
+  end
+  if #whitelist > 0 then
+    for _, pattern in ipairs(whitelist) do
+      if url:match(pattern) then return false end
+    end
+    return true
+  end
+  return false
+end
+
+function on_request(req)
+  if should_skip(req.url) then return "forward" end
+end
+
+function on_response(req)
+  if should_skip(req.url) then return "forward" end
+end
+
+function on_history_entry(entry)
+  if should_skip(entry.host .. entry.path) then return "skip" end
+end