Crate starpod_proxy

Expand description

Opaque secret proxy for Starpod.

A local HTTP proxy that intercepts outbound traffic from tool subprocesses, finds starpod:v1: opaque tokens, decrypts them, verifies host binding, and replaces them with real secret values before forwarding.

§Features

mitm — HTTPS MITM with ephemeral certificates (scans HTTPS traffic)
netns — Linux network namespace isolation (Phase 4)

§Usage

let handle = starpod_proxy::start_proxy(starpod_proxy::ProxyConfig {
    master_key: [0u8; 32],
    data_dir: std::path::PathBuf::from(".starpod/db"),
}).await?;

// Inject into tool subprocesses:
// HTTP_PROXY=http://127.0.0.1:{handle.port()}
// HTTPS_PROXY=http://127.0.0.1:{handle.port()}

// Shutdown when done
handle.shutdown().await;

Modules§

host_match: Host allow-list matching for opaque token host binding.
scan: Token scanning and replacement in byte buffers.
tier: Isolation tier detection.

Structs§

ProxyConfig: Configuration for starting the proxy.
ProxyHandle: Handle to a running proxy. Drop to shut down.

Functions§

start_proxy: Start the opaque secret proxy as a background tokio task.

Crate starpod_proxy

Crate starpod_proxy Copy item path

§Features

§Usage

Modules§

Structs§

Functions§

Crate starpod_proxy