feat(secrets): session proxy wiring — fake creds, hooks, leak guard, bootstrap (Plan 5)#206
Merged
feat(secrets): session proxy wiring — fake creds, hooks, leak guard, bootstrap (Plan 5)#206
Conversation
Covers fake generator, hook wiring in proxy, CredsSubHook/LeakGuardHook, session startup credential bootstrap, and cleanup semantics. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds GenerateFake and ParseFormat for producing length-preserving
fake credentials from format templates like ghp_{rand:36}. Uses
crypto/rand with base62 alphabet, enforces 24-char minimum entropy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
PreHook can return *HookAbortError to abort with a specific status code (e.g. 403 for leak detection). Other errors still produce 502. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ContainsFake scans a byte buffer for any registered fake as a substring. Used by LeakGuardHook to detect credential exfiltration in request bodies, URLs, and headers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds hookRegistry field to Proxy, calls ApplyPreHooks after DLP and ApplyPostHooks after response body read. HookAbortError produces the specified status code; other errors produce 502. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Validates HookAbortError.StatusCode is in 100-599 range, falls back to 502 for invalid values. Changes ContainsFake to return only the service name string instead of a full Entry, preventing Real credential bytes from leaking to callers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
PreHook replaces fakes with reals in request bodies. PostHook replaces reals with fakes in response bodies. Both are infallible and use the credsub.Table's single-pass longest-match algorithm. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Scans request body, URL query, and select headers for known fake credentials. Returns 403 via HookAbortError and logs audit event secret_leak_blocked when a fake is detected. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BootstrapCredentials fetches secrets, generates length-preserving fakes, and populates a credsub.Table. StartLLMProxy registers LeakGuardHook and CredsSubHook when service configs are provided. Session cleanup zeros the table on close. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Uses Header.Values instead of Header.Get to scan all values for a given header name. Prevents bypass via duplicate Authorization or X-Api-Key headers hiding a fake in a non-first value. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Moves SetLLMProxy/SetProxyInstance to after BootstrapCredentials succeeds, preventing stale session fields on bootstrap failure. Reorders CloseLLMProxy to stop the proxy (draining in-flight requests) before zeroing the credential table, preventing hooks from seeing an empty table during teardown. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1xx-3xx status codes are not valid abort responses. Tightens validation to only allow client/server error codes (400-599), falling back to 502 for anything outside that range. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
internal/proxy/secrets/fakegen.go): format-string-driven generation with{rand:N}syntax, crypto/rand, base62 alphabet, 24-char minimum entropy enforcementinternal/proxy/hooks.go,proxy.go):HookAbortErrorfor typed hook aborts (400-599 only),hookRegistrywired intoServeHTTP(pre-hook after DLP) andModifyResponse(post-hook after body read)internal/proxy/credsub/table.go): substring scan returning(serviceName, bool)— never exposes real credential bytesinternal/proxy/credshook.go): fake→real on request, real→fake on response, infallibleinternal/proxy/credshook.go): scans body, URL query, and all header values (Header.Values, notHeader.Get) for fakes; returns 403 viaHookAbortErrorinternal/session/secrets.go):BootstrapCredentialsfetches secrets, generates fakes, populates table, returns cleanup fn; zeros table on failureinternal/session/manager.go,llmproxy.go):SetLLMProxy/SetProxyInstancedeferred until after bootstrap succeeds;CloseLLMProxystops proxy before zeroing tableOut of scope (future plans)
Test plan
go test ./internal/proxy/secrets/... -v -race— 17 tests for format parsing, generation, entropygo test ./internal/proxy/... -v -race— hook abort, plain error, status code validation (table-driven), CredsSubHook, LeakGuardHook (body/query/headers/duplicates)go test ./internal/proxy/credsub/... -v -race— ContainsFake substring scanninggo test ./internal/session/... -v -race— bootstrap happy path, fetch error cleanup, invalid format, length mismatch, multiple services, integration test (end-to-end substitution + leak detection)GOOS=windows go build ./...— cross-compilation clean🤖 Generated with Claude Code