Struct EgressProxy 

pub struct EgressProxy { /* private fields */ }

Local forward proxy that authorizes every outbound agent connection.

Reads the SNI / requested host off the wire without MITM (PRODUCT.md B.5 step 2), asks the PolicyDecisionPoint per connection, and on Decision::Deny/Decision::Escalate issues a hard RST so zero bytes leave the box (PRODUCT.md B.5 step 4, Part D row 1). Every decision is appended to the signed audit log.

Fail-closed by construction: see FailMode / EgressProxy::on_error (PRODUCT.md W0).

Implementations

impl EgressProxy

pub fn new() -> Self

Construct an egress proxy that is fail-closed (PRODUCT.md W0) and tagged with the current platform’s EnforcementTier.

pub async fn start( &self, addr: SocketAddr, pdp: Arc<dyn PolicyDecisionPoint>, ) -> Result<()>

Bind the proxy listener on addr and serve forever, authorizing each connection against pdp (PRODUCT.md B.5 — the headline path).

Per accepted connection the real implementation will, in order:

1. Peek the first record to extract SNI / CONNECT host without MITM into a PeekedHost (PRODUCT.md B.5 step 2).
2. Resolve the originating ConnectionRequest::pid (SO_PEERCRED / LOCAL_PEERPID) so the PDP can fuse syscall context (PRODUCT.md B.6).
3. Call pdp.authorize(&req) (PRODUCT.md B.5 step 2-3).
4. Decision::Allow => splice to the upstream; otherwise Self::hard_rst (PRODUCT.md B.5 step 4).
5. Append exactly one entry to the signed audit log with pid/host/decision.

Any error along the way routes through Self::on_error => fail-closed.

Heavy deps (commented in Cargo.toml)

The wire-level work needs hyper (CONNECT proxy) and rustls/tokio-rustls (SNI peek without interception); both land in Phase 4.

Trait Implementations

impl Default for EgressProxy

fn default() -> Self

Returns the “default value” for a type.