pub struct ProxyState {
    pub engine: Arc<PolicyEngine>,
    pub policies: Arc<Vec<Policy>>,
    pub audit: Arc<AuditLogger>,
    pub sessions: Arc<SessionStore>,
    pub upstream_url: String,
    pub http_client: Client,
    pub oauth: Option<Arc<OAuthValidator>>,
    pub injection_scanner: Option<Arc<InjectionScanner>>,
    pub injection_disabled: bool,
    pub injection_blocking: bool,
    pub api_key: Option<Arc<String>>,
    pub approval_store: Option<Arc<ApprovalStore>>,
    pub manifest_config: Option<ManifestConfig>,
    pub allowed_origins: Vec<String>,
    pub bind_addr: SocketAddr,
    pub canonicalize: bool,
    pub output_schema_registry: Arc<OutputSchemaRegistry>,
    pub response_dlp_enabled: bool,
    pub response_dlp_blocking: bool,
    pub audit_strict_mode: bool,
    pub known_tools: HashSet<String>,
    pub elicitation_config: ElicitationConfig,
    pub sampling_config: SamplingConfig,
    pub tool_registry: Option<Arc<ToolRegistry>>,
    pub call_chain_hmac_key: Option<[u8; 32]>,
    pub trace_enabled: bool,
    pub circuit_breaker: Option<Arc<CircuitBreakerManager>>,
    pub shadow_agent: Option<Arc<ShadowAgentDetector>>,
    pub deputy: Option<Arc<DeputyValidator>>,
    pub schema_lineage: Option<Arc<SchemaLineageTracker>>,
    pub auth_level: Option<Arc<AuthLevelTracker>>,
    pub sampling_detector: Option<Arc<SamplingDetector>>,
    pub limits: LimitsConfig,
    pub ws_config: Option<WebSocketConfig>,
    pub extension_registry: Option<Arc<ExtensionRegistry>>,
    pub transport_config: TransportConfig,
    pub grpc_port: Option<u16>,
    pub gateway: Option<Arc<GatewayRouter>>,
    pub abac_engine: Option<Arc<AbacEngine>>,
    pub least_agency: Option<Arc<LeastAgencyTracker>>,
    pub continuous_auth_config: Option<ContinuousAuthConfig>,
    pub transport_health: Option<Arc<TransportHealthTracker>>,
    pub streamable_http: StreamableHttpConfig,
    pub federation: Option<Arc<FederationResolver>>,
}
Shared state for the HTTP proxy handlers.
Fields
engine: Arc<PolicyEngine>
policies: Arc<Vec<Policy>>
audit: Arc<AuditLogger>
sessions: Arc<SessionStore>
upstream_url: String
http_client: Client
oauth: Option<Arc<OAuthValidator>>
    OAuth 2.1 JWT validator. When Some, all MCP requests require a valid Bearer token.
injection_scanner: Option<Arc<InjectionScanner>>
    Custom injection scanner. When Some, uses configured patterns instead of defaults.
injection_disabled: bool
    When true, injection scanning is completely disabled.
injection_blocking: bool
    When true, injection matches block the response instead of just logging (H4).
api_key: Option<Arc<String>>
    API key for authenticating requests. None disables auth (--allow-anonymous).
approval_store: Option<Arc<ApprovalStore>>
    Optional approval store for RequireApproval verdicts. When set, creates pending approvals with approval_id in error response data.
manifest_config: Option<ManifestConfig>
    Optional manifest verification config. When set, tools/list responses are verified against a pinned manifest per session.
allowed_origins: Vec<String>
    Allowed origins for CSRF / DNS rebinding protection. If non-empty, Origin must be in the allowlist. If empty and the proxy is bound to a loopback address, only localhost origins are accepted. If empty and bound to a non-loopback address, falls back to same-origin check (Origin host must match Host header). Requests without an Origin header are always allowed (non-browser clients).
bind_addr: SocketAddr
    The socket address the proxy is bound to. Used for automatic localhost origin validation when allowed_origins is empty.
canonicalize: bool
    When true, re-serialize parsed JSON-RPC messages before forwarding to upstream. This closes the TOCTOU gap where the proxy evaluates a parsed representation but forwards original bytes that could differ (e.g., due to duplicate keys or parser-specific handling). Duplicate keys are always rejected regardless of this setting.
output_schema_registry: Arc<OutputSchemaRegistry>
    Output schema registry for structuredContent validation (MCP 2025-06-18).
response_dlp_enabled: bool
    When true, scan tool responses for secrets (DLP response scanning).
response_dlp_blocking: bool
    When true, block responses that contain detected secrets instead of just logging. SECURITY (R18-DLP-BLOCK): Without this, DLP is log-only and secrets still reach the client.
audit_strict_mode: bool
    Strict audit mode (FIND-CREATIVE-003): When true, audit logging failures cause requests to be denied instead of proceeding without an audit trail. This enforces non-repudiation guarantees — no unaudited security decisions can occur. Default: false (backward compatible).
known_tools: HashSet<String>
    Known legitimate tool names for squatting detection. Built from DEFAULT_KNOWN_TOOLS + any config overrides.
elicitation_config: ElicitationConfig
    Elicitation interception configuration (MCP 2025-06-18). Controls whether elicitation/create requests are allowed or blocked.
sampling_config: SamplingConfig
    Sampling request policy configuration. Controls whether sampling/createMessage requests are allowed or blocked.
tool_registry: Option<Arc<ToolRegistry>>
    Tool registry for tracking tool trust scores (P2.1). None when tool registry is disabled.
call_chain_hmac_key: Option<[u8; 32]>
    HMAC-SHA256 key for signing and verifying X-Upstream-Agents call chain entries (FIND-015). When Some, Vellaveto signs its own chain entries and verifies incoming ones. When None, chain signing/verification is disabled (backward compatible).
trace_enabled: bool
    When true, the ?trace=true query parameter is honored and evaluation traces are included in responses. When false (the default), trace output is silently suppressed regardless of the client query parameter.
    SECURITY: Traces expose internal policy names, patterns, and constraint configurations. Leaving this disabled prevents information leakage to authenticated clients.
circuit_breaker: Option<Arc<CircuitBreakerManager>>
    Circuit breaker for cascading failure prevention (OWASP ASI08). When a tool fails repeatedly, the circuit opens and subsequent calls are rejected.
shadow_agent: Option<Arc<ShadowAgentDetector>>
    Shadow agent detector for agent impersonation detection. Tracks known agent fingerprints and alerts on impersonation attempts.
deputy: Option<Arc<DeputyValidator>>
    Deputy validator for confused deputy attack prevention (OWASP ASI02). Tracks delegation chains and validates action permissions.
schema_lineage: Option<Arc<SchemaLineageTracker>>
    Schema lineage tracker for schema poisoning detection (OWASP ASI05). Tracks tool schema changes and alerts on suspicious mutations.
auth_level: Option<Arc<AuthLevelTracker>>
    Auth level tracker for step-up authentication. Tracks session auth levels and enforces step-up requirements.
sampling_detector: Option<Arc<SamplingDetector>>
    Sampling detector for sampling attack prevention. Tracks sampling request patterns and enforces rate limits.
limits: LimitsConfig
    Configurable runtime limits for memory bounds, timeouts, and chain lengths. Provides operator control over previously hardcoded security constants.
ws_config: Option<WebSocketConfig>
    WebSocket transport configuration. When Some, the /mcp/ws endpoint is active with the specified message size, idle timeout, and rate limit. When None, WebSocket requests use default configuration.
extension_registry: Option<Arc<ExtensionRegistry>>
    Extension registry for x- prefixed protocol extensions. When Some, extension method calls are routed to registered handlers before falling back to upstream forwarding.
transport_config: TransportConfig
    Transport discovery and negotiation configuration.
grpc_port: Option<u16>
    gRPC listen port, when gRPC transport is enabled. Used by the discovery endpoint to advertise the gRPC endpoint.
gateway: Option<Arc<GatewayRouter>>
    Multi-backend gateway router. When Some, tool calls are routed to different upstream MCP servers based on tool name prefix matching. When None, all requests use upstream_url (single-server mode).
abac_engine: Option<Arc<AbacEngine>>
    ABAC policy engine for Cedar-style permit/forbid evaluation. When Some, refines Allow verdicts from the PolicyEngine. When None, behavior is identical to pre-Phase 21.
least_agency: Option<Arc<LeastAgencyTracker>>
    Least-agency tracker for permission usage monitoring. When Some, records which permissions each agent actually uses.
continuous_auth_config: Option<ContinuousAuthConfig>
    Continuous authorization config for risk-based deny.
transport_health: Option<Arc<TransportHealthTracker>>
    Per-transport circuit breaker tracker. When Some and transport_config.cross_transport_fallback is true, failed transports trigger automatic fallback to the next transport in priority order.
streamable_http: StreamableHttpConfig
    Streamable HTTP configuration for SSE resumability, strict tool name validation, and retry directives.
federation: Option<Arc<FederationResolver>>
    Federation resolver for cross-organization agent identity validation. When Some, incoming JWTs are checked against federation trust anchors before falling back to the local OAuth validator.
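The Origin rules documented for allowed_origins and bind_addr, written out as a decision function. This is an added example, not Vellaveto's own code: origin_permitted and its helpers are hypothetical names, and comparing hosts with the port stripped is an assumption about how the same-origin fallback matches Origin against Host.

```rust
use std::net::{IpAddr, SocketAddr};

/// Host of an Origin value such as "http://localhost:3000"; None if malformed.
fn origin_host(origin: &str) -> Option<&str> {
    let (_, rest) = origin.split_once("://")?;
    if rest.is_empty() || rest.contains('/') || rest.contains('@') {
        return None; // an Origin carries no path and no userinfo
    }
    Some(strip_port(rest))
}

/// Drop a trailing :port, keeping bracketed IPv6 literals intact.
fn strip_port(authority: &str) -> &str {
    if authority.starts_with('[') {
        return authority.find(']').map_or(authority, |i| &authority[..=i]);
    }
    authority.rsplit_once(':').map_or(authority, |(host, _)| host)
}

fn is_localhost(host: &str) -> bool {
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    host.eq_ignore_ascii_case("localhost")
        || bare.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

/// Hypothetical decision function for the four documented rules.
pub fn origin_permitted(
    origin: Option<&str>,
    host_header: &str,
    allowed_origins: &[String],
    bind_addr: SocketAddr,
) -> bool {
    let Some(origin) = origin else { return true }; // no Origin: non-browser client
    if !allowed_origins.is_empty() {
        return allowed_origins.iter().any(|a| a.eq_ignore_ascii_case(origin));
    }
    let Some(host) = origin_host(origin) else { return false }; // e.g. "null"
    if bind_addr.ip().is_loopback() {
        is_localhost(host) // loopback bind: only localhost origins
    } else {
        host.eq_ignore_ascii_case(strip_port(host_header)) // same-origin fallback
    }
}

fn main() {
    // Constructed request: a foreign page's Origin against a loopback-bound proxy.
    let bind: SocketAddr = "127.0.0.1:3000".parse().unwrap();
    println!("{}", origin_permitted(Some("http://evil.example"), "127.0.0.1:3000", &[], bind));
}
```

With a non-empty allowlist the loopback shortcut no longer applies, so a localhost origin must be listed explicitly to be accepted.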
Trait Implementations
impl Clone for ProxyState
    fn clone(&self) -> ProxyState
    fn clone_from(&mut self, source: &Self)