soth-mitm 0.1.0

Rust intercepting proxy crate with deterministic handler/event contracts for SOTH.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

# soth-mitm

Public Rust crate for the SOTH intercepting proxy contract.

## What You Get

- Stable handler decisions: `Allow` / `Block { status, body }`
- Deterministic request/response/stream contracts:
  - `RawRequest`
  - `RawResponse`
  - `StreamChunk`
  - `ConnectionMeta`
- Proxy lifecycle APIs:
  - `MitmProxyBuilder`
  - `MitmProxy`
  - `MitmProxyHandle` (`reload`, `current_config`, `metrics`, `shutdown`)
- TLS CA helpers:
  - `generate_ca`, `load_ca`, `load_ca_from_files`
  - trust install/uninstall/check helpers
- Runtime metrics snapshot API (`ProxyMetrics`)

## Scope Boundary

`soth-mitm` is transport/proxy core. Product-specific bundle logic or provider semantics are intentionally outside this crate.

## Minimal Integration Example

```rust
use bytes::Bytes;
use soth_mitm::{HandlerDecision, InterceptHandler, MitmConfig, MitmProxyBuilder, RawRequest};

struct ForwardOnly;

impl InterceptHandler for ForwardOnly {
    async fn on_request(&self, request: &RawRequest) -> HandlerDecision {
        if request.path.contains("/blocked") {
            return HandlerDecision::Block {
                status: 403,
                body: Bytes::from_static(b"blocked"),
            };
        }
        HandlerDecision::Allow
    }
}

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut config = MitmConfig::default();
    config
        .interception
        .destinations
        .push("api.example.com:443".to_string());

    let _proxy = MitmProxyBuilder::new(config, ForwardOnly).build()?;
    Ok(())
}
```

Compilable example:

- `crates/soth-mitm/examples/soth_proxy_integration.rs`

## Key Types

- Config:
  - `MitmConfig`, `InterceptionScope`, `ProcessAttributionConfig`, `TlsConfig`
  - `UpstreamConfig`, `ConnectionPoolConfig`, `BodyConfig`, `HandlerConfig`
- Runtime metadata:
  - `ConnectionMeta`, `SocketFamily`, `ProcessInfo`, `TlsInfo`, `TlsVersion`
- Runtime streams:
  - `FrameKind::{SseData, NdjsonLine, GrpcMessage, WebSocketText, WebSocketBinary, WebSocketClose}`

> **Note:** All public config structs are marked `#[non_exhaustive]` — construct them
> via `Default::default()` and field assignment rather than struct literal syntax to
> remain forward-compatible.

## Feature Flags

| Flag | Default | Description |
|------|---------|-------------|
| `openssl-backend` | off | Enables OpenSSL-based CA material cross-validation when loading certificates from disk. On non-Windows platforms the OpenSSL crate is always present for downstream TLS fingerprinting, but this feature activates the CA validation code path. |
| `__internal` | off | Exposes internal sub-crate modules (`test_engine`, `test_policy`, etc.) for integration tests and benchmarks. **Not part of the stable API.** |

## Minimum Supported Rust Version

This crate requires **Rust 1.88** or later (`rust-version = "1.88"` in Cargo.toml).

## License

Licensed under the [Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
See [LICENSE](LICENSE) for the full text.

## Repository

- Main repo README: <https://github.com/soth-ai/soth-mitm/blob/main/README.md>
- Changelog: <https://github.com/soth-ai/soth-mitm/blob/main/crates/soth-mitm/CHANGELOG.md>
- Integration migration guide: <https://github.com/soth-ai/soth-mitm/blob/main/docs/migration/soth-proxy-integration.md>