Expand description
Network-layer secret injection proxy (Gondolin pattern).
Runs an HTTP forward proxy on the host that intercepts sandbox traffic. Secrets are injected as HTTP headers for allowed hosts — they never enter the VM.
The proxy supports:
- Domain allowlist enforcement (blocks unauthorized destinations)
- Secret header injection (Authorization, x-api-key, etc.)
- HTTPS MITM via per-host TLS certificates signed by a generated CA
- Audit logging of all proxied requests
Structs§
- CaSigner
- Holds the CA cert and key pair for signing per-host certs.
- Proxy
Config - Configuration for a proxy instance.
- Proxy
Handle - Handle to a running proxy instance.
- Secret
Binding - A secret binding: maps a secret key to a target host and HTTP header.
Functions§
- generate_
proxy_ ca - Generate a CA certificate and key pair for the proxy.
- is_
host_ allowed - Check if a host is allowed by the proxy’s domain policy.
- start_
proxy - Start the proxy server.