Struct ProxyHandle 

pub struct ProxyHandle {
    pub port: u16,
    pub token: Zeroizing<String>,
    /* private fields */
}

Handle returned when the proxy server starts.

Contains the assigned port, session token, and a shutdown channel. Drop the handle or send to shutdown_tx to stop the proxy.

Fields

port: u16

The actual port the proxy is listening on

token: Zeroizing<String>

Session token for client authentication

Implementations

impl ProxyHandle

pub fn shutdown(&self)

Signal the proxy to shut down gracefully.

pub fn drain_audit_events(&self) -> Vec<NetworkAuditEvent>

Drain and return collected network audit events.

pub fn intercept_ca_path(&self) -> Option<&Path>

Path to the TLS-intercept trust bundle, when interception is active.

The CLI uses this to:

• point SSL_CERT_FILE / REQUESTS_CA_BUNDLE / NODE_EXTRA_CA_CERTS / CURL_CA_BUNDLE at the file in the child env;
• grant the sandboxed child a Landlock / Seatbelt read capability on the file before applying the sandbox.

None when interception is not configured (no intercept_ca_dir in ProxyConfig) or when no configured route requires L7 visibility.

pub fn route_diagnostics(&self, config: &ProxyConfig) -> Vec<(String, String)>

One-line-per-route diagnostic summary suitable for surfacing at session start. Returns (prefix, summary) pairs.

Each summary names: upstream URL, credential resolution status (✓ / ✗ + source label), TLS-intercept on/off, and endpoint_rules count. Designed to make silent credential-resolution failures noisy by default, addressing the common “I created the keychain entry but the warn at debug level got missed” footgun.

config is the same ProxyConfig that was passed to start(); the handle doesn’t keep a copy, so the CLI passes it back in.

pub fn env_vars(&self) -> Vec<(String, String)>

Environment variables to inject into the child process.

The proxy URL includes nono:<token>@ userinfo so that standard HTTP clients (curl, Python requests, etc.) automatically send Proxy-Authorization: Basic ... on every request. The raw token is also provided via NONO_PROXY_TOKEN for nono-aware clients that prefer Bearer auth.

When TLS interception is active (intercept_ca_path() is Some), the standard runtime CA-trust env vars are also set so the agent trusts the proxy’s ephemeral CA when minted leaf certs are presented during interception.

pub fn credential_env_vars(&self, config: &ProxyConfig) -> Vec<(String, String)>

Environment variables for reverse proxy credential routes.

Returns two types of env vars per route:

1. SDK base URL overrides (e.g., OPENAI_BASE_URL=http://127.0.0.1:PORT/openai)
2. SDK API key vars set to the session token (e.g., OPENAI_API_KEY=<token>)

The SDK sends the session token as its “API key” (phantom token pattern). The proxy validates this token and swaps it for the real credential.

Trait Implementations

impl Drop for ProxyHandle

fn drop(&mut self)

Best-effort cleanup of the TLS-intercept trust bundle on shutdown.

The CA private key was never persisted to disk (it lives only in a Zeroizing<Vec<u8>> inside the running proxy task and is zeroized when that task drops). Here we remove the public certificate file so the next session doesn’t inherit a stale bundle path.

Errors are intentionally swallowed — Drop has no good way to surface them, and the file may already be gone if the user invoked shutdown() from another path.

fn pin_drop(self: Pin<&mut Self>)

🔬This is a nightly-only experimental API. (pin_ergonomics)

Execute the destructor for this type, but different to Drop::drop, it requires self to be pinned.