proxy

package
v1.1.0

Warning: This package is not in the latest version of its module.
Published: Mar 3, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Constants

const DefaultTimeout = 30 * time.Second

DefaultTimeout is the default timeout for outbound HTTP requests.

Variables

This section is empty.

Functions

func DefaultLogPath

func DefaultLogPath() (string, error)

DefaultLogPath returns the default audit log path: ~/.agentsecrets/proxy.log

func Inject

func Inject(req *http.Request, cred string, inj Injection) error

Inject applies a single credential injection to the outbound request. It dispatches to the appropriate injection function based on the injection's Style.

Types

type AuditEvent

type AuditEvent struct {
	Timestamp  time.Time `json:"timestamp"`
	SecretKeys []string  `json:"secret_keys"`        // KEY NAMES e.g. ["STRIPE_SECRET_KEY"]
	AgentID    string    `json:"agent_id,omitempty"` // from agent identification
	Method     string    `json:"method"`
	TargetURL  string    `json:"target_url"`
	Domain     string    `json:"domain,omitempty"` // Target domain (e.g. "api.stripe.com")
	AuthStyles []string  `json:"auth_styles"`      // e.g. ["bearer"]
	StatusCode int       `json:"status_code"`
	DurationMs int64     `json:"duration_ms"`
	Status     string    `json:"status"`           // "OK" or "BLOCKED"
	Reason     string    `json:"reason,omitempty"` // "domain_not_in_allowlist" or "-"
	Redacted   bool      `json:"redacted"`
}

AuditEvent records a single proxied API call. Secret KEY NAMES are logged. Secret VALUES are NEVER logged.

type AuditLogger

type AuditLogger struct {
	// contains filtered or unexported fields
}

AuditLogger writes AuditEvents as JSONL to an append-only log file.

func NewAuditLogger

func NewAuditLogger(logPath string) (*AuditLogger, error)

NewAuditLogger creates an audit logger that appends to the given file path. If logPath is empty, the default path (~/.agentsecrets/proxy.log) is used.

func (*AuditLogger) Close

func (a *AuditLogger) Close() error

Close closes the underlying log file.

func (*AuditLogger) Log

func (a *AuditLogger) Log(event AuditEvent) error

Log writes a single audit event as a JSON line.
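An added example, not part of the package or its documentation: a reviewer-side reader for the JSONL audit log that lists BLOCKED calls and counts damaged lines. The struct is a local subset of the documented AuditEvent with the same JSON tags; BlockedCalls, sampleLog, the agent IDs, the OPENAI_API_KEY key name and the .example domains are constructed, and RFC 3339 timestamps (encoding/json's default for time.Time) are assumed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is a local subset of the documented struct (same JSON tags);
// encoding/json ignores the fields of each log line that are not listed here.
type AuditEvent struct {
	Timestamp  time.Time `json:"timestamp"`
	SecretKeys []string  `json:"secret_keys"`
	AgentID    string    `json:"agent_id,omitempty"`
	TargetURL  string    `json:"target_url"`
	Domain     string    `json:"domain,omitempty"`
	Status     string    `json:"status"`
	Reason     string    `json:"reason,omitempty"`
}

// sampleLog is constructed for this example; line 3 is deliberately truncated.
const sampleLog = `{"timestamp":"2026-03-03T10:00:00Z","secret_keys":["STRIPE_SECRET_KEY"],"agent_id":"agent-a","target_url":"https://api.stripe.com/v1/charges","domain":"api.stripe.com","status":"OK","reason":"-"}
{"timestamp":"2026-03-03T10:00:05Z","secret_keys":["STRIPE_SECRET_KEY"],"agent_id":"agent-a","target_url":"https://collector.example/in","domain":"collector.example","status":"BLOCKED","reason":"domain_not_in_allowlist"}
{"timestamp":"2026-03-03T10:00:07Z","secret_keys":["STRIPE_SEC
{"timestamp":"2026-03-03T10:01:00Z","secret_keys":["OPENAI_API_KEY"],"agent_id":"agent-b","target_url":"https://paste.example/new","domain":"paste.example","status":"BLOCKED","reason":"domain_not_in_allowlist"}`

// BlockedCalls returns every event whose status is "BLOCKED" and the number
// of lines that failed to parse, so damaged entries are counted, not dropped.
func BlockedCalls(log string) (blocked []AuditEvent, malformed int) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var ev AuditEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			malformed++
			continue
		}
		if ev.Status == "BLOCKED" {
			blocked = append(blocked, ev)
		}
	}
	return blocked, malformed
}

func main() {
	blocked, bad := BlockedCalls(sampleLog)
	fmt.Printf("%d blocked, %d malformed: %+v\n", len(blocked), bad, blocked)
}
```

To review a real log, pass the contents of the file at the path returned by DefaultLogPath in place of sampleLog. A non-zero malformed count on a log documented as append-only is worth investigating in its own right.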

type CallRequest

type CallRequest struct {
	TargetURL  string            // full URL e.g. https://api.stripe.com/v1/charges
	Method     string            // GET, POST, PUT, PATCH, DELETE
	Headers    map[string]string // extra headers to forward (non-auth)
	Body       []byte            // raw request body (optional)
	Injections []Injection       // what to inject and where
	AgentID    string            // optional, for audit logging
}

CallRequest is the input to the engine — used by both MCP and HTTP paths.

type CallResult

type CallResult struct {
	StatusCode int
	Headers    map[string][]string
	Body       []byte
}

CallResult is the output from the engine.

type Engine

type Engine struct {
	ProjectID     string
	WorkspaceID   string
	Audit         *AuditLogger
	Client        *http.Client
	ResolveSecret SecretResolver
	SkipAllowlist bool
}

Engine coordinates keyring lookup, injection, forwarding, and auditing.

func NewEngine

func NewEngine(projectID string) (*Engine, error)

NewEngine creates an engine wired to the real keyring for the given project.

func (*Engine) Execute

func (e *Engine) Execute(req CallRequest) (*CallResult, error)

Execute runs the full proxy pipeline: resolve secrets → inject → forward → audit.

type ForwardResult

type ForwardResult struct {
	StatusCode int
	Headers    http.Header
	Body       []byte
	Duration   time.Duration
}

ForwardResult holds the raw response from the upstream API.

func Forward

func Forward(client *http.Client, req *http.Request) (*ForwardResult, error)

Forward sends the outbound request and returns the result. The caller is responsible for building the request (URL, method, headers, body). This function reads and closes the upstream response body.

type Injection

type Injection struct {
	Style     string // "bearer", "basic", "header", "query", "body", "form"
	Target    string // header name, query param (depends on style)
	SecretKey string // keyring key name e.g. "STRIPE_SECRET_KEY"
}

Injection describes one credential to inject.

type SecretResolver

type SecretResolver func(key string) (string, error)

SecretResolver is a function that retrieves a secret value by key name. This allows the engine to be tested with a mock keyring.

type Server

type Server struct {
	Port   int
	Engine *Engine
	// contains filtered or unexported fields
}

Server is the HTTP proxy server that wraps the Engine. It listens for incoming requests with X-AS-* headers, builds CallRequests, executes them through the engine, and returns responses.

func NewServer

func NewServer(port int, engine *Engine) *Server

NewServer creates a proxy server bound to the given port and engine.

func (*Server) Start

func (s *Server) Start() error

Start begins listening and serving. This blocks until the server is stopped.
