Documentation
Constants
const DefaultTimeout = 30 * time.Second
DefaultTimeout for outbound HTTP requests.
Functions
func DefaultLogPath
DefaultLogPath returns the default audit database path: ~/.agentsecrets/audit.db
Types
type AuditEvent
type AuditEvent struct {
	ID             string    `json:"id"`
	Timestamp      time.Time `json:"timestamp"`
	Environment    string    `json:"environment,omitempty"` // "development", "staging", "production"
	SecretKeys     []string  `json:"secret_keys"`           // KEY NAMES e.g. ["STRIPE_SECRET_KEY"]
	AgentID        string    `json:"agent_id,omitempty"`    // from agent identification
	IdentityLevel  string    `json:"identity_level"`        // "anonymous", "declared", "issued"
	Method         string    `json:"method"`
	TargetURL      string    `json:"target_url"`
	Domain         string    `json:"domain,omitempty"`      // Target domain (e.g. "api.stripe.com")
	AuthStyles     []string  `json:"auth_styles"`           // e.g. ["bearer"]
	StatusCode     int       `json:"status_code"`
	DurationMs     int64     `json:"duration_ms"`
	Status         string    `json:"status"`                // "OK" or "BLOCKED"
	Reason         string    `json:"reason,omitempty"`      // "domain_not_in_allowlist" or "-"
	Redacted       bool      `json:"redacted"`
	ResolutionPath string    `json:"resolution_path"`       // e.g. "local proxy", "cloud"
	CallerRole     string    `json:"caller_role,omitempty"` // e.g. "member"
	WorkspaceID    string    `json:"workspace_id,omitempty"`
	ProjectID      string    `json:"project_id,omitempty"`
	TokenID        string    `json:"token_id,omitempty"`
}
AuditEvent records a single proxied API call. Secret KEY NAMES are logged. Secret VALUES are NEVER logged.
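The following is an added example for this page, not code from the package: it shows how the allow/block decision and the "names, not values" invariant fit together around an AuditEvent. It uses a subset of the documented fields and three hypothetical helpers (domainAllowed, BuildAuditEvent, LeakCheck). The exact-match allowlist rule, the https-only requirement and the SkipAllowlist parameter are this example's assumptions about how the Engine field of the same name and the "domain_not_in_allowlist" reason are applied; the page itself does not spell out the matching policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AuditEvent carries the subset of the documented fields this example needs. The type and
// the helpers below are illustrative code written for this page, not the package's own.
type AuditEvent struct {
	ID         string    `json:"id"`
	Timestamp  time.Time `json:"timestamp"`
	SecretKeys []string  `json:"secret_keys"` // key NAMES only, never values
	Method     string    `json:"method"`
	TargetURL  string    `json:"target_url"`
	Domain     string    `json:"domain,omitempty"`
	AuthStyles []string  `json:"auth_styles"`
	Status     string    `json:"status"`           // "OK" or "BLOCKED"
	Reason     string    `json:"reason,omitempty"` // "domain_not_in_allowlist" or "-"
	Redacted   bool      `json:"redacted"`
}

// domainAllowed is an exact, case-insensitive host comparison (assumed policy; the page
// does not state the matching rule). Deliberately no suffix or wildcard matching, so
// "api.stripe.com.attacker.example" does not satisfy an entry for "api.stripe.com".
func domainAllowed(host string, allow []string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	for _, a := range allow {
		if host == strings.TrimSuffix(strings.ToLower(a), ".") {
			return true
		}
	}
	return false
}

// BuildAuditEvent makes the allow/block decision from the caller's request alone, before
// any secret is resolved, so a blocked call never touches the keyring. target must be the
// URL as the caller supplied it (pre-injection), so a query-style credential cannot land
// in TargetURL. The https-only rule is this example's assumption.
func BuildAuditEvent(id, method, target string, keys, styles, allow []string, skipAllowlist bool, now time.Time) (AuditEvent, error) {
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return AuditEvent{}, fmt.Errorf("target %q must be an absolute https URL", target)
	}
	ev := AuditEvent{
		ID: id, Timestamp: now.UTC(), SecretKeys: keys, Method: method,
		TargetURL: u.String(), Domain: strings.ToLower(u.Hostname()), AuthStyles: styles,
		Status: "OK", Reason: "-", Redacted: true,
	}
	if !skipAllowlist && !domainAllowed(u.Hostname(), allow) {
		ev.Status = "BLOCKED"
		ev.Reason = "domain_not_in_allowlist"
	}
	return ev, nil
}

// LeakCheck enforces the doc comment's invariant: no resolved secret value may appear in
// the serialized event. Run it just before Log with the values that were injected (none
// for a blocked call); a failure means a field, usually TargetURL, was captured after
// injection instead of before.
func LeakCheck(ev AuditEvent, values []string) error {
	b, err := json.Marshal(ev)
	if err != nil {
		return err
	}
	for _, v := range values {
		if v != "" && strings.Contains(string(b), v) {
			return fmt.Errorf("audit event %s contains a secret value; refusing to log it", ev.ID)
		}
	}
	return nil
}

func main() {
	allow := []string{"api.stripe.com"} // constructed allowlist for the example
	for _, target := range []string{
		"https://api.stripe.com/v1/charges",
		"https://api.stripe.com.attacker.example/v1/charges", // lookalike host
	} {
		ev, err := BuildAuditEvent("evt_1", "POST", target, []string{"STRIPE_SECRET_KEY"}, []string{"bearer"}, allow, false, time.Now())
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		// "sk_test_constructed" stands in for the value that would have been injected.
		if err := LeakCheck(ev, []string{"sk_test_constructed"}); err != nil {
			fmt.Println("error:", err)
			continue
		}
		out, _ := json.Marshal(ev)
		fmt.Println(string(out))
	}
}
```

The order matters: the allowlist decision and the audit record are built from the caller's CallRequest before any SecretResolver call, so a blocked request produces a BLOCKED event without the secret ever leaving the keyring, and the leak check runs on the serialized record rather than on individual fields, which also catches values smuggled into Domain, Reason or a future field.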
type AuditLogger
AuditLogger writes AuditEvents to a local SQLite database and syncs them to the cloud.
func NewAuditLogger
func NewAuditLogger(dbPath string) (*AuditLogger, error)
NewAuditLogger creates an audit logger that connects to a local SQLite database.
func (*AuditLogger) Close
func (a *AuditLogger) Close() error
Close closes the underlying database connection.
func (*AuditLogger) DB (added in v1.1.2)
func (a *AuditLogger) DB() *sql.DB
DB returns the underlying database for querying.
func (*AuditLogger) Log
func (a *AuditLogger) Log(event AuditEvent) error
Log writes a single audit event to the SQLite database.
func (*AuditLogger) SyncUnpushedLogs (added in v1.1.3)
func (a *AuditLogger) SyncUnpushedLogs() error
SyncUnpushedLogs reads unsynced events from the database, pushes them to the cloud API, and marks them as synced if successful.
type CallRequest
type CallRequest struct {
	TargetURL     string            // full URL e.g. https://api.stripe.com/v1/charges
	Method        string            // GET, POST, PUT, PATCH, DELETE
	Headers       map[string]string // extra headers to forward (non-auth)
	Body          []byte            // raw request body (optional)
	Injections    []Injection       // what to inject and where
	AgentID       string            // optional, for audit logging
	IdentityLevel string            // "anonymous", "declared", "issued"
	TokenID       string            // optional token ID if issued
}
CallRequest is the input to the engine — used by both MCP and HTTP paths.
type CallResult
CallResult is the output from the engine.
type Engine
type Engine struct {
	ProjectID     string
	WorkspaceID   string
	Audit         *AuditLogger
	Client        *http.Client
	ResolveSecret SecretResolver
	SkipAllowlist bool
	// Live State
	LastSync   time.Time
	RevokedIDs []string
	// contains filtered or unexported fields
}
Engine coordinates keyring lookup, injection, forwarding, and auditing.
func (*Engine) Execute
func (e *Engine) Execute(req CallRequest) (*CallResult, error)
Execute runs the full proxy pipeline: resolve secrets → inject → forward → audit.
type ForwardResult
ForwardResult holds the raw response from the upstream API.
type Injection
type Injection struct {
	Style     string // "bearer", "basic", "header", "query", "body", "form"
	Target    string // header name, query param (depends on style)
	SecretKey string // keyring key name e.g. "STRIPE_SECRET_KEY"
}
Injection describes one credential to inject.
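The following is an added example for this page, not the package's own injector: it shows what each documented Style means in terms of the outgoing http.Request, with a mock keyring in place of the real resolver. The Injection struct mirrors the documented fields; the SecretResolver signature (func(key string) (string, error)), the "key:" convention for basic auth, the JSON-object assumption for the body style and the needsTarget validation table are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Injection mirrors the documented shape: one credential, one style, one target. This type
// and the functions below are illustrative code written for this page, not the package's.
type Injection struct {
	Style     string // "bearer", "basic", "header", "query", "body", "form"
	Target    string // header name or field name, depending on Style
	SecretKey string // keyring key name, e.g. "STRIPE_SECRET_KEY"
}

// SecretResolver is assumed to have this signature; the page says only that it looks up a
// value by key name.
type SecretResolver func(key string) (string, error)

// needsTarget lists the accepted styles and whether each requires a Target (assumed).
var needsTarget = map[string]bool{
	"bearer": false, "basic": false,
	"header": true, "query": true, "body": true, "form": true,
}

func readBody(req *http.Request) ([]byte, error) {
	if req.Body == nil {
		return nil, nil
	}
	defer req.Body.Close()
	return io.ReadAll(req.Body)
}

func setBody(req *http.Request, b []byte, contentType string) {
	req.Body = io.NopCloser(bytes.NewReader(b))
	req.ContentLength = int64(len(b))
	req.Header.Set("Content-Type", contentType)
}

// Inject validates each injection, then resolves its secret and writes it into req according
// to Style. Validation runs before resolution so a malformed request never pulls a secret,
// and the resolved value is written only into req, never returned, so callers cannot log it.
func Inject(req *http.Request, injs []Injection, resolve SecretResolver) error {
	for _, in := range injs {
		needs, ok := needsTarget[in.Style]
		if !ok {
			return fmt.Errorf("unknown injection style %q", in.Style)
		}
		if needs && in.Target == "" {
			return fmt.Errorf("%s injection of %s needs a Target", in.Style, in.SecretKey)
		}
		val, err := resolve(in.SecretKey)
		if err != nil {
			return fmt.Errorf("resolve %s: %w", in.SecretKey, err)
		}
		switch in.Style {
		case "bearer":
			req.Header.Set("Authorization", "Bearer "+val)
		case "basic":
			// Secret as user name with empty password ("key:"), the usual API-key convention.
			req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(val+":")))
		case "header":
			req.Header.Set(in.Target, val)
		case "query":
			q := req.URL.Query()
			q.Set(in.Target, val)
			req.URL.RawQuery = q.Encode()
		case "form":
			raw, err := readBody(req)
			if err != nil {
				return err
			}
			form, err := url.ParseQuery(string(raw))
			if err != nil {
				return fmt.Errorf("form body: %w", err)
			}
			form.Set(in.Target, val)
			setBody(req, []byte(form.Encode()), "application/x-www-form-urlencoded")
		case "body":
			raw, err := readBody(req)
			if err != nil {
				return err
			}
			obj := map[string]any{} // an empty body becomes a fresh JSON object
			if len(bytes.TrimSpace(raw)) > 0 {
				if err := json.Unmarshal(raw, &obj); err != nil {
					return fmt.Errorf("json body must be an object: %w", err)
				}
			}
			obj[in.Target] = val
			enc, err := json.Marshal(obj)
			if err != nil {
				return err
			}
			setBody(req, enc, "application/json")
		}
	}
	return nil
}

func main() {
	keyring := map[string]string{"STRIPE_SECRET_KEY": "sk_test_constructed"} // constructed stand-in
	resolve := func(k string) (string, error) {
		if v, ok := keyring[k]; ok {
			return v, nil
		}
		return "", fmt.Errorf("no secret named %s", k)
	}
	req, _ := http.NewRequest(http.MethodPost, "https://api.stripe.com/v1/charges", strings.NewReader("amount=100"))
	err := Inject(req, []Injection{{Style: "bearer", SecretKey: "STRIPE_SECRET_KEY"}}, resolve)
	fmt.Println("err:", err, "headers set:", len(req.Header)) // names and counts only, never values
}
```

Note that the body style rewrites req.Body and ContentLength; an engine that computed a Content-Length or a request signature from CallRequest.Body before injection would forward a stale value, so injection has to run before anything that depends on the final body.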
type SecretResolver
SecretResolver is a function that retrieves a secret value by key name. This allows the engine to be tested with a mock keyring.