
Module forward


Shared L7 upstream-forwarding pipeline.

Used by both the reverse-proxy path (crate::reverse) and the TLS-intercept CONNECT path (crate::tls_intercept). The two callers differ in how they parse the inbound request, look up the route, and transform/inject credentials, but converge on the same wire-level upstream operation:

  1. Establish an upstream byte stream — direct TCP (with optional TLS) or chained CONNECT through an enterprise proxy (then TLS).
  2. Write the pre-built HTTP/1.1 request bytes + body.
  3. Stream the response back into the inbound sink.
  4. Emit one L7 audit event with the response status.

Why pre-built request bytes

Each caller has its own rules for header filtering, credential injection, and path transformation. Asking this module to handle that would mean smuggling all of that policy through a parameter struct. Instead, the caller hands in finished bytes: a clean separation between “build the request” and “speak it on the wire”.

Structs

AuditCtx
Audit-emission context.
UpstreamSpec
Description of the upstream the caller wants to reach.

Enums

UpstreamScheme
Scheme of the upstream connection. Http is only legal for loopback targets; the caller is responsible for enforcing that invariant (reverse.rs does so via validate_http_upstream_target).
UpstreamStrategy
How the upstream byte stream is established.

Functions

forward_request
Connect to the upstream, write request_bytes + body, stream the response back into inbound, and emit the L7 audit event.
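
The UpstreamScheme note above leaves the "Http only for loopback" invariant to the caller. The following is an added example of such a caller-side check, not the crate's own validate_http_upstream_target (whose signature is not shown on this page); `Scheme`, `is_loopback_host` and `check_upstream` are hypothetical names, and it assumes the host string has already been split from the port.

```rust
use std::net::IpAddr;

/// Hypothetical stand-in for the page's UpstreamScheme.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Scheme { Http, Https }

/// True only for hosts that are loopback without any DNS lookup.
pub fn is_loopback_host(host: &str) -> bool {
    // Strip the brackets of an IPv6 literal as written in a URL authority.
    let h = host.strip_prefix('[').and_then(|s| s.strip_suffix(']')).unwrap_or(host);
    if let Ok(ip) = h.parse::<IpAddr>() {
        return match ip {
            IpAddr::V4(v4) => v4.is_loopback(), // all of 127.0.0.0/8
            // Judge an IPv4-mapped address (::ffff:a.b.c.d) by its embedded IPv4.
            IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
                Some(v4) => v4.is_loopback(),
                None => v6.is_loopback(), // ::1
            },
        };
    }
    // Anything that is not a strict IP literal is a name. Only the exact name
    // "localhost" (one optional trailing dot) passes. Assumption: the resolver
    // maps it to loopback (RFC 6761). Suffix or prefix matching would admit
    // names such as "localhost.example.com" or "127.0.0.1.example.com".
    h.strip_suffix('.').unwrap_or(h).eq_ignore_ascii_case("localhost")
}

/// Reject plaintext upstreams that would leave the machine.
pub fn check_upstream(scheme: Scheme, host: &str) -> Result<(), String> {
    match scheme {
        Scheme::Https => Ok(()),
        Scheme::Http if is_loopback_host(host) => Ok(()),
        Scheme::Http => Err(format!("plaintext http upstream must be loopback, got {}", host)),
    }
}

fn main() {
    // Constructed sample targets.
    let samples = ["127.0.0.1", "[::1]", "::ffff:127.0.0.1", "localhost",
                   "10.0.0.5", "2130706433", "localhost.example.com"];
    for host in samples {
        println!("{:<24} {:?}", host, check_upstream(Scheme::Http, host));
    }
}
```

The check runs on the string the caller will connect to; if the connector later resolves a name itself, the resolved address needs the same test before any credential-bearing bytes are written.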