
kz_proxy/
lib.rs

1//! kz-proxy: run a subprocess with masked secrets and an HTTP proxy that rewrites tokens.
2//!
3//! The main type is [`Sandbox`]: build it from a [`SandboxConfig`] (with optional [`SecretMapping`]s,
4//! [`StringMapping`]s, and connection allow/deny rules), then call [`Sandbox::run`] to execute a shell
5//! command with masked env vars, routing its HTTP through a proxy that rewrites tokens to the real secrets.
6//!
7//! The proxy is implemented with the [hyper](https://github.com/hyperium/hyper) stack so that
8//! HTTP parsing, Content-Length, chunked encoding, and CONNECT tunneling follow RFC 7230/9110.
9
10mod enforce;
11pub use enforce::ESSENTIAL_VARS;
12#[cfg(target_os = "linux")]
13mod enforce_linux;
14mod mitm;
15pub(crate) mod proxy;
16pub(crate) mod rewrite;
17pub(crate) mod types;
18
19pub use types::{
20    ConnectionPolicy, HostPattern, Sandbox, SandboxConfig, SecretMapping, StringMapping,
21};