James
dcdca016db
feat: add MITM proxy mode with LLM policy evaluation (C-017)
- New package clavis/clavis-vault/proxy/
- HTTPS MITM proxy via HTTP CONNECT tunnel
- Dynamic per-host TLS cert generation (signed by local CA)
- CA cert auto-generated at DataDir/proxy/ca.crt (1-year validity)
- Per-cert cache with 24h TTL
- Credential injection hook (stub — DB wiring next)
- LLM policy evaluation hook (stub — OpenAI-compatible API)
- L2 (identity/card) fields are never injectable by design
- cmd/clavitor/main.go: new flags
    --proxy            Enable proxy mode (default: off)
    --proxy-addr       Listen addr (default: 127.0.0.1:19840)
    --proxy-llm        Enable LLM policy evaluation
    --proxy-llm-url    LLM base URL (OpenAI-compat)
    --proxy-llm-key    LLM API key
    --proxy-llm-model  LLM model name

Usage:
    clavitor --proxy
    export HTTP_PROXY=http://127.0.0.1:19840 HTTPS_PROXY=http://127.0.0.1:19840
    # Install DataDir/proxy/ca.crt in OS trust store for HTTPS MITM
2026-03-29 08:54:51 -04:00