Skip to main content

ProxyState

vellaveto_http_proxy::proxy

Struct ProxyState 

Source 
pub struct ProxyState {
Show 47 fields
    pub engine: Arc<PolicyEngine>,
    pub policies: Arc<Vec<Policy>>,
    pub audit: Arc<AuditLogger>,
    pub sessions: Arc<SessionStore>,
    pub upstream_url: String,
    pub http_client: Client,
    pub oauth: Option<Arc<OAuthValidator>>,
    pub injection_scanner: Option<Arc<InjectionScanner>>,
    pub injection_disabled: bool,
    pub injection_blocking: bool,
    pub api_key: Option<Arc<String>>,
    pub approval_store: Option<Arc<ApprovalStore>>,
    pub manifest_config: Option<ManifestConfig>,
    pub allowed_origins: Vec<String>,
    pub bind_addr: SocketAddr,
    pub canonicalize: bool,
    pub output_schema_registry: Arc<OutputSchemaRegistry>,
    pub response_dlp_enabled: bool,
    pub response_dlp_blocking: bool,
    pub audit_strict_mode: bool,
    pub mediation_config: MediationConfig,
    pub trusted_request_signers: Arc<HashMap<String, TrustedRequestSigner>>,
    pub detached_signature_freshness: DetachedSignatureFreshnessConfig,
    pub known_tools: HashSet<String>,
    pub elicitation_config: ElicitationConfig,
    pub sampling_config: SamplingConfig,
    pub tool_registry: Option<Arc<ToolRegistry>>,
    pub call_chain_hmac_key: Option<[u8; 32]>,
    pub trace_enabled: bool,
    pub circuit_breaker: Option<Arc<CircuitBreakerManager>>,
    pub shadow_agent: Option<Arc<ShadowAgentDetector>>,
    pub deputy: Option<Arc<DeputyValidator>>,
    pub schema_lineage: Option<Arc<SchemaLineageTracker>>,
    pub auth_level: Option<Arc<AuthLevelTracker>>,
    pub sampling_detector: Option<Arc<SamplingDetector>>,
    pub limits: LimitsConfig,
    pub ws_config: Option<WebSocketConfig>,
    pub extension_registry: Option<Arc<ExtensionRegistry>>,
    pub transport_config: TransportConfig,
    pub grpc_port: Option<u16>,
    pub gateway: Option<Arc<GatewayRouter>>,
    pub abac_engine: Option<Arc<AbacEngine>>,
    pub least_agency: Option<Arc<LeastAgencyTracker>>,
    pub continuous_auth_config: Option<ContinuousAuthConfig>,
    pub transport_health: Option<Arc<TransportHealthTracker>>,
    pub streamable_http: StreamableHttpConfig,
    pub federation: Option<Arc<FederationResolver>>,

}
Expand description

Shared state for the HTTP proxy handlers.

Fields§

§engine: Arc<PolicyEngine>§policies: Arc<Vec<Policy>>§audit: Arc<AuditLogger>§sessions: Arc<SessionStore>§upstream_url: String§http_client: Client§oauth: Option<Arc<OAuthValidator>>

OAuth 2.1 JWT validator. When Some, all MCP requests require a valid Bearer token.

§injection_scanner: Option<Arc<InjectionScanner>>

Custom injection scanner. When Some, uses configured patterns instead of defaults.

§injection_disabled: bool

When true, injection scanning is completely disabled.

§injection_blocking: bool

When true, injection matches block the response instead of just logging (H4).

§api_key: Option<Arc<String>>

API key for authenticating requests. None disables auth (–allow-anonymous).

§approval_store: Option<Arc<ApprovalStore>>

Optional approval store for RequireApproval verdicts. When set, creates pending approvals with approval_id in error response data.

§manifest_config: Option<ManifestConfig>

Optional manifest verification config. When set, tools/list responses are verified against a pinned manifest per session.

§allowed_origins: Vec<String>

Allowed origins for CSRF / DNS rebinding protection. If non-empty, Origin must be in the allowlist. If empty and the proxy is bound to a loopback address, only localhost origins are accepted. If empty and bound to a non-loopback address, falls back to same-origin check (Origin host must match Host header). Requests without an Origin header are always allowed (non-browser clients).

§bind_addr: SocketAddr

The socket address the proxy is bound to. Used for automatic localhost origin validation when allowed_origins is empty.

§canonicalize: bool

When true, re-serialize parsed JSON-RPC messages before forwarding to upstream. This closes the TOCTOU gap where the proxy evaluates a parsed representation but forwards original bytes that could differ (e.g., due to duplicate keys or parser-specific handling). Duplicate keys are always rejected regardless of this setting.

§output_schema_registry: Arc<OutputSchemaRegistry>

Output schema registry for structuredContent validation (MCP 2025-06-18).

§response_dlp_enabled: bool

When true, scan tool responses for secrets (DLP response scanning).

§response_dlp_blocking: bool

When true, block responses that contain detected secrets instead of just logging. SECURITY (R18-DLP-BLOCK): Without this, DLP is log-only and secrets still reach the client.

§audit_strict_mode: bool

Strict audit mode (FIND-CREATIVE-003): When true, audit logging failures cause requests to be denied instead of proceeding without an audit trail. This enforces non-repudiation guarantees — no unaudited security decisions can occur. Default: false (backward compatible).

§mediation_config: MediationConfig

Shared mediation-stage controls for provenance and semantic containment. HTTP handlers keep their existing request scanners and use this config for ACIS binding, provenance, and sink/lineage enforcement.

§trusted_request_signers: Arc<HashMap<String, TrustedRequestSigner>>

Trusted detached request-signature signers keyed by RequestSignature.key_id. Used to promote detached per-request signatures from metadata to verified provenance.

§detached_signature_freshness: DetachedSignatureFreshnessConfig

Freshness limits for verified detached request signatures.

§known_tools: HashSet<String>

Known legitimate tool names for squatting detection. Built from DEFAULT_KNOWN_TOOLS + any config overrides.

§elicitation_config: ElicitationConfig

Elicitation interception configuration (MCP 2025-06-18). Controls whether elicitation/create requests are allowed or blocked.

§sampling_config: SamplingConfig

Sampling request policy configuration. Controls whether sampling/createMessage requests are allowed or blocked.

§tool_registry: Option<Arc<ToolRegistry>>

Tool registry for tracking tool trust scores (P2.1). None when tool registry is disabled.

§call_chain_hmac_key: Option<[u8; 32]>

HMAC-SHA256 key for signing and verifying X-Upstream-Agents call chain entries (FIND-015). When Some, Vellaveto signs its own chain entries and verifies incoming ones. When None, chain signing/verification is disabled (backward compatible).

§trace_enabled: bool

When true, the ?trace=true query parameter is honored and evaluation traces are included in responses. When false (the default), trace output is silently suppressed regardless of the client query parameter.

SECURITY: Traces expose internal policy names, patterns, and constraint configurations. Leaving this disabled prevents information leakage to authenticated clients.

§circuit_breaker: Option<Arc<CircuitBreakerManager>>

Circuit breaker for cascading failure prevention (OWASP ASI08). When a tool fails repeatedly, the circuit opens and subsequent calls are rejected.

§shadow_agent: Option<Arc<ShadowAgentDetector>>

Shadow agent detector for agent impersonation detection. Tracks known agent fingerprints and alerts on impersonation attempts.

§deputy: Option<Arc<DeputyValidator>>

Deputy validator for confused deputy attack prevention (OWASP ASI02). Tracks delegation chains and validates action permissions.

§schema_lineage: Option<Arc<SchemaLineageTracker>>

Schema lineage tracker for schema poisoning detection (OWASP ASI05). Tracks tool schema changes and alerts on suspicious mutations.

§auth_level: Option<Arc<AuthLevelTracker>>

Auth level tracker for step-up authentication. Tracks session auth levels and enforces step-up requirements.

§sampling_detector: Option<Arc<SamplingDetector>>

Sampling detector for sampling attack prevention. Tracks sampling request patterns and enforces rate limits.

§limits: LimitsConfig

Configurable runtime limits for memory bounds, timeouts, and chain lengths. Provides operator control over previously hardcoded security constants.

§ws_config: Option<WebSocketConfig>

WebSocket transport configuration. When Some, the /mcp/ws endpoint is active with the specified message size, idle timeout, and rate limit. When None, WebSocket requests use default configuration.

§extension_registry: Option<Arc<ExtensionRegistry>>

Extension registry for x- prefixed protocol extensions. When Some, extension method calls are routed to registered handlers before falling back to upstream forwarding.

§transport_config: TransportConfig

Transport discovery and negotiation configuration.

§grpc_port: Option<u16>

gRPC listen port, when gRPC transport is enabled. Used by the discovery endpoint to advertise the gRPC endpoint.

§gateway: Option<Arc<GatewayRouter>>

Multi-backend gateway router. When Some, tool calls are routed to different upstream MCP servers based on tool name prefix matching. When None, all requests use upstream_url (single-server mode).

§abac_engine: Option<Arc<AbacEngine>>

ABAC policy engine for Cedar-style permit/forbid evaluation. When Some, refines Allow verdicts from the PolicyEngine. When None, behavior is identical to pre-Phase 21.

§least_agency: Option<Arc<LeastAgencyTracker>>

Least-agency tracker for permission usage monitoring. When Some, records which permissions each agent actually uses.

§continuous_auth_config: Option<ContinuousAuthConfig>

Continuous authorization config for risk-based deny.

§transport_health: Option<Arc<TransportHealthTracker>>

Per-transport circuit breaker tracker. When Some and transport_config.cross_transport_fallback is true, failed transports trigger automatic fallback to the next transport in priority order.

§streamable_http: StreamableHttpConfig

Streamable HTTP configuration for SSE resumability, strict tool name validation, and retry directives.

§federation: Option<Arc<FederationResolver>>

Federation resolver for cross-organization agent identity validation. When Some, incoming JWTs are checked against federation trust anchors before falling back to the local OAuth validator.

Trait Implementations§

Source§

impl Clone for ProxyState

Source§

fn clone(&self) -> ProxyState

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FromRef<T> for T
where T: Clone,

Source§

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<A, B, T> HttpServerConnExec<A, B> for T
where B: Body,