aikido-zen 1.0.0.pre.beta.1-x86_64-mingw-64 → 1.0.1.beta.2-x86_64-mingw-64

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 612c8be80af943e42d497eef7621c500acce361d8a269f35042df322b97f44ca
-  data.tar.gz: 50ead136c69a3c8a90896bf430b7632b3771ea0a2c2891cdb57abda83fb3220f
+  metadata.gz: 6870d1d0a0a5f98ddaa519ea4d4629d5f188651767d14e7d73e7f8f5f768dce5
+  data.tar.gz: 8fe0c47688f64f8a735b192159339ff19499f4da99451045ad0e3fad95bccdde
 SHA512:
-  metadata.gz: 97315d03785d9dc8b4dda1d31ff7ccb299812d5da789b2a5473883c975b07fac9c0c1d5336030f27bb9e21f162c2726d51dd39ffb00071e9d550f111aa098092
-  data.tar.gz: a83eb6028d858b19dbb3514d9a7565b804fcfa9d812d8670dce2a0abf41c750b7b9328208b44f60192018652d0dc5c8dec144d2caea6d920ec45362e1fb09ea4
+  metadata.gz: 516d0a01b52bc249bb5ed730322442c6885e76beb561b49e2dfac7dae399952ba55d7a9485c2f14ff17cdeea2e71ffdd4df94d25d106039aa4114f4327287d45
+  data.tar.gz: 3eb82a1a977b37c4cfba905a22ab071fd1f3ca68529c282b7ddb70659f6b52acefeba80d25d95d72db48bff6ce0dc43dc45e03cb04d691ec09781d4c237da64b

data/.aikido

@@ -0,0 +1,6 @@
+exclude:
+  paths:
+    - benchmarks/
+    - docs/
+    - sample_apps/
+    - tasklib/wrk.rb

data/README.md

@@ -1,146 +1,137 @@
 ![Zen by Aikido for Ruby](./docs/banner.svg)
 
+# Zen, in-app firewall for Ruby | by Aikido
+
 [![Gem Version](https://badge.fury.io/rb/aikido-zen.svg?icon=si%3Arubygems&style=flat)](https://badge.fury.io/rb/aikido-zen)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
 [![Unit tests](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/main.yml)
 [![Release](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml/badge.svg)](https://github.com/AikidoSec/firewall-ruby/actions/workflows/release.yml)
 
-# Zen, in-app firewall for Ruby | by Aikido
+Zen, your in-app firewall for peace of mind - at runtime.
+
+Zen by Aikido is an embedded Web Application Firewall that autonomously protects Ruby apps against common and critical attacks.
 
-Zen, your in-app firewall for peace of mind—at runtime.
+It protects your Ruby apps by preventing user input containing dangerous strings, which allow injection, pollution, and path traversal attacks. It runs on the same server as your Ruby app for simple [installation](#installation) and zero maintenance.
 
-Zen by Aikido is an embedded Web Application Firewall that autonomously protects
-Ruby on Rails apps against common and critical attacks.
+## Features
 
-It protects your Rails apps by preventing user input containing dangerous
-strings, preventing SQL injection and SSRF attacks. It runs embedded on your
-Rails application, for simple installation and zero maintenance.
+Zen will autonomously protect your Ruby applications against:
 
 * 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
 * 🛡️ [Server-side request forgery (SSRF)](https://github.com/AikidoSec/firewall-node/blob/main/docs/ssrf.md)
-* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked) (coming soon)
-* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked) (coming soon)
+* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
+* 🛡️ [Path traversal attacks](https://www.aikido.dev/blog/path-traversal-in-2024-the-year-unpacked)
 * 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities) (coming soon)
 
-Zen operates autonomously on the same server as your Rails app to:
+Zen operates autonomously on the same server as your Ruby app to:
 
-* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
-* ✅ Rate limit specific API endpoints by IP or by user.
-* ✅ Allow you to block specific users manually.
+* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost
+* ✅ Rate limit specific API endpoints by IP or by user
+* ✅ Allow you to block specific users manually
 
 ## Supported libraries and frameworks
 
 Zen for Ruby 2.7+ is compatible with:
 
+### Web frameworks
+
+* ✅ [Ruby on Rails](docs/rails.md) 7.x, 8.x
+
 ### Database drivers
 
-* ✅ [sqlite3](https://github.com/sparklemotion/sqlite3-ruby) 1.x, 2.x
-* ✅ [pg](https://github.com/ged/ruby-pg) 1.x
-* ✅ [trilogy](https://github.com/trilogy-libraries/trilogy) 2.x
-* ✅ [mysql2](https://github.com/brianmario/mysql2) 0.x
+* ✅ [`sqlite3`](https://github.com/sparklemotion/sqlite3-ruby) 1.x, 2.x
+* ✅ [`pg`](https://github.com/ged/ruby-pg) 1.x
+* ✅ [`mysql2`](https://github.com/brianmario/mysql2) 0.x
+* ✅ [`trilogy`](https://github.com/trilogy-libraries/trilogy) 2.x
 
-### ORMs and Query Builders
+### ORMs and query builders
 
 See list above for supported database drivers.
 
 * ✅ [ActiveRecord](https://github.com/rails/rails)
 * ✅ [Sequel](https://github.com/jeremyevans/sequel)
 
-### HTTP Clients
+### HTTP clients
 
-* ✅ [net-http](https://github.com/ruby/net-http)
-* ✅ [http.rb](https://github.com/httprb/http) 1.x, 2.x, 3.x, 4.x, 5.x
-* ✅ [httpx](https://gitlab.com/os85/httpx) 1.x (1.1.3+)
-* ✅ [HttpClient](https://github.com/nahi/httpclient) 2.x, 3.x
-* ✅ [excon](https://github.com/excon/excon) 0.x (0.50.0+), 1.x
-* ✅ [patron](https://github.com/toland/patron) 0.x (0.6.4+)
-* ✅ [typhoeus](https://github.com/typhoeus/typhoeus) 0.x (0.5.0+), 1.x
-* ✅ [curb](https://github.com/taf2/curb) 0.x (0.2.3+), 1.x
-* ✅ [em-http-request](https://github.com/igrigorik/em-http-request) 1.x
-* ✅ [async-http](https://github.com/igrigorik/em-http-request) 0.x (0.70.0+)
+* ✅ [`net-http`](https://github.com/ruby/net-http)
+* ✅ [`http.rb`](https://github.com/httprb/http) 1.x, 2.x, 3.x, 4.x, 5.x
+* ✅ [`httpx`](https://gitlab.com/os85/httpx) 1.x (1.1.3+)
+* ✅ [`httpclient`](https://github.com/nahi/httpclient) 2.x, 3.x
+* ✅ [`excon`](https://github.com/excon/excon) 0.x (0.50.0+), 1.x
+* ✅ [`curb`](https://github.com/taf2/curb) 0.x (0.2.3+), 1.x
+* ✅ [`patron`](https://github.com/toland/patron) 0.x (0.6.4+)
+* ✅ [`typhoeus`](https://github.com/typhoeus/typhoeus) 0.x (0.5.0+), 1.x
+* ✅ [`async-http`](https://github.com/igrigorik/em-http-request) 0.x (0.70.0+)
+* ✅ [`em-http-request`](https://github.com/igrigorik/em-http-request) 1.x
 
 ## Installation
 
 We recommend testing Zen locally or on staging before deploying to production.
 
-```
+```sh
 bundle add aikido-zen
 ```
 
 or, if not using bundler:
 
-```
+```sh
 gem install aikido-zen
 ```
 
 For framework specific instructions, check out our docs:
 
-* [Ruby on Rails apps](docs/rails.md)
+* [Ruby on Rails](docs/rails.md)
 
-## Running in production (blocking) mode
+## Reporting to your Aikido Security dashboard
 
-By default, Zen will only detect and report attacks to Aikido.
+> Aikido is your no nonsense application security platform. One central system that scans your source code & cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.
 
-To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
+Zen is a new product by Aikido. Built for developers to level up their security. While Aikido scans, get Zen for always-on protection.
 
-See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn
-how to send events to Aikido.
+You can use some of Zen's features without Aikido, of course. Peace of mind is just a few lines of code away.
 
-## Additional configuration
+But you will get the most value by reporting your data to Aikido.
 
-[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
+You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can [sign up for free](https://app.aikido.dev/login).
 
-## Reporting to your Aikido Security dashboard
+Here's how:
 
-> Aikido is your no nonsense application security platform. One central system
-> that scans your source code & cloud, shows you what vulnerabilities matter,
-> and how to fix them - fast. So you can get back to building.
+* [Log in to your Aikido account](https://app.aikido.dev/login).
+* Go to [Zen](https://app.aikido.dev/runtime/services).
+* Go to apps.
+* Click on **Add app**.
+* Choose a name for your app.
+* Click **Generate token**.
+* Copy the token.
+* Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/bkeepers/dotenv) or another method of your choosing.
 
-Zen is a new product by Aikido. Built for developers to level up their security.
-While Aikido scans, get Zen for always-on protection.
+## Running in production (blocking) mode
 
-You can use some of Zen’s features without Aikido, of course. Peace of mind is
-just a few lines of code away.
+By default, Zen will only detect and report attacks to Aikido.
 
-But you will get the most value by reporting your data to Aikido.
+To block requests, set the `AIKIDO_BLOCK` environment variable to `true`.
 
-You will need an Aikido account and a token to report events to Aikido. If you
-don't have an account, you can sign up for free.
+See [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn how to send events to Aikido.
 
-Here's how:
+## Additional configuration
 
-* Log in to your Aikido account.
-* Go to "Zen" on the sidebar.
-* Click on "Add App".
-* Choose a name for your App.
-* Click "Continue to Install"
-* Click "Generate Token".
-* Copy the token.
-* Set the token as an environment variable, `AIKIDO_TOKEN`, using
-  [dotenv](https://github.com/bkeepers/dotenv) or another method
-  of your choosing.
+[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)
 
-## Performance
+## License
 
-We run a benchmark on every commit to ensure Zen has a minimal impact on your
-application's performance.
+This program is offered under a commercial and under the AGPL license. You can be released from the requirements of the AGPL license by purchasing a commercial license. Buying such a license is mandatory as soon as you develop commercial activities involving the Zen software without disclosing the source code of your own applications. 
 
-For example, here's a benchmark that runs a single GET request to a Rails
-endpoint that performs a single SQL SELECT query:
+For more information, please contact Aikido Security at this address: support@aikido.dev or create an account at https://app.aikido.dev.
 
-| Without Zen      | With Zen      | Difference    |
-|------------------|---------------|---------------|
-| 3.527ms          | 3.583ms       | +0.056ms      |
+## Benchmarks
 
-Using Ruby 3.3, Rails 7.1, SQLite 1.7, running on a MacBook Pro M1 Pro. Results
-will vary based on hardware.
+We run a benchmark on every commit to ensure Zen has a minimal impact on your application's performance.
 
-See [benchmarks](benchmarks) for more information.
+See [benchmarks](benchmarks)
 
 ## Bug bounty program
 
-Our bug bounty program is public and can be found by all registered Intigriti
-users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime
+Our bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidozenbeta
 
 ## Contributing
 
@@ -150,13 +141,6 @@ See [CONTRIBUTING.md](.github/CONTRIBUTING.md) for more information.
 
 See [CODE_OF_CONDUCT.md](.github/CODE_OF_CONDUCT.md) for more information.
 
-## License
-
-This program is offered under a commercial and under the AGPL license. You can
-be released from the requirements of the AGPL license by purchasing a commercial
-license. Buying such a license is mandatory as soon as you develop commercial
-activities involving the Zen software without disclosing the source code of your
-own applications.
+## Security
 
-For more information, please contact Aikido Security at this address:
-support@aikido.dev or create an account at https://app.aikido.dev.
+See [SECURITY.md](.github/SECURITY.md) for more information.

data/lib/aikido/zen/config.rb

@@ -8,6 +8,12 @@ require_relative "context"
 
 module Aikido::Zen
   class Config
+    # @api private
+    # @return [Boolean] whether Aikido should protect.
+    def protect?
+      !api_token.nil? || blocking_mode? || debugging?
+    end
+
     # @return [Boolean] whether Aikido should be turned completely off (no
     #   intercepting calls to protect the app, no agent process running, no
     #   middleware installed). Defaults to false (so, enabled). Can be set
@@ -57,7 +63,7 @@ module Aikido::Zen
 
     # @return [string] Path of the socket where the detached agent will listen.
     # By default, is stored under the root application path with file name
-    # `aikido-detached-agent.socket`
+    # `aikido-detached-agent.sock`
     attr_reader :detached_agent_socket_path
 
     # @return [Boolean] is the agent in debugging mode?
@@ -158,7 +164,7 @@ module Aikido::Zen
       self.debugging = read_boolean_from_env(ENV.fetch("AIKIDO_DEBUG", false))
       self.logger = Logger.new($stdout, progname: "aikido", level: debugging ? Logger::DEBUG : Logger::INFO)
       self.max_performance_samples = 5000
-      self.detached_agent_socket_path = "aikido-detached-agent.socket"
+      self.detached_agent_socket_path = ENV.fetch("AIKIDO_DETACHED_AGENT_SOCKET_PATH", DEFAULT_DETACHED_AGENT_SOCKET_PATH)
       self.max_compressed_stats = 100
       self.max_outbound_connections = 200
       self.max_users_tracked = 1000
@@ -246,6 +252,9 @@ module Aikido::Zen
     # @!visibility private
     DEFAULT_JSON_DECODER = JSON.method(:parse)
 
+    # @!visibility private
+    DEFAULT_DETACHED_AGENT_SOCKET_PATH = "aikido-detached-agent.sock"
+
     # @!visibility private
     DEFAULT_BLOCKED_RESPONDER = ->(request, blocking_type) do
       message = case blocking_type

data/lib/aikido/zen/context.rb

@@ -20,6 +20,9 @@ module Aikido::Zen
     # @return [Aikido::Zen::Request]
     attr_reader :request
 
+    # @return [Boolean]
+    attr_accessor :scanning
+
     # @param request [Rack::Request] a Request object that implements the
     #   Rack::Request API, to which we will delegate behavior.
     # @param settings [Aikido::Zen::RuntimeSettings]
@@ -32,6 +35,7 @@ module Aikido::Zen
       @settings = settings
       @payload_sources = sources
       @metadata = {}
+      @scanning = false
     end
 
     # Fetch some metadata stored in the Context.

data/lib/aikido/zen/internals.rb

@@ -13,14 +13,48 @@ module Aikido::Zen
       attr_accessor :libzen_name
     end
 
-    self.libzen_name = [
-      "libzen-v#{LIBZEN_VERSION}",
-      FFI::Platform::ARCH,
-      FFI::Platform::LIBSUFFIX
-    ].join(".")
+    def self.libzen_names
+      lib_name = "libzen-v#{LIBZEN_VERSION}"
+      lib_ext = FFI::Platform::LIBSUFFIX
+
+      # Gem::Platform#version should be understood as an arbitrary Ruby defined
+      # OS specific string. A platform with a version string is considered more
+      # specific than a platform without a version string.
+      # https://docs.ruby-lang.org/en/3.3/Gem/Platform.html
+
+      platform = Gem::Platform.local.dup
+
+      # Library names in preferred order.
+      #
+      # If two library names are added, the specific platform library names is
+      # first and the generic platform library name is second.
+      names = []
+
+      names << "#{lib_name}-#{platform}.#{lib_ext}"
+
+      unless platform.version.nil?
+        platform.version = nil
+        names << "#{lib_name}-#{platform}.#{lib_ext}"
+      end
+
+      names
+    end
+
+    # Load the most specific library
+    def self.load_libzen
+      libzen_names.each do |libzen_name|
+        libzen_path = File.expand_path(libzen_name, __dir__)
+        begin
+          return ffi_lib(libzen_path)
+        rescue LoadError
+          # empty
+        end
+      end
+      raise LoadError, "Could not load libzen"
+    end
 
     begin
-      ffi_lib File.expand_path(libzen_name, __dir__)
+      load_libzen
 
       # @!method self.detect_sql_injection_native(query, input, dialect)
       # @param (see .detect_sql_injection)
@@ -30,7 +64,7 @@ module Aikido::Zen
       #   calling libzen.
       attach_function :detect_sql_injection_native, :detect_sql_injection,
         [:string, :string, :int], :int
-    rescue LoadError, FFI::NotFoundError => err
+    rescue LoadError, FFI::NotFoundError => err # rubocop:disable Lint/ShadowedException
       # :nocov:
 
       # Emit an $stderr warning at startup.

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -13,14 +13,16 @@ module Aikido::Zen
         request = Aikido::Zen::Middleware.request_from(env)
         response = @app.call(env)
 
-        Aikido::Zen.track_request request
-
-        if Aikido::Zen.config.collect_api_schema? && request.route && track?(
+        if request.route && track?(
           status_code: response[0],
           route: request.route.path,
           http_method: request.request_method
         )
-          Aikido::Zen.track_discovered_route(request)
+          Aikido::Zen.track_request request
+
+          if Aikido::Zen.config.collect_api_schema?
+            Aikido::Zen.track_discovered_route(request)
+          end
         end
 
         response

data/lib/aikido/zen/rails_engine.rb

@@ -10,7 +10,7 @@ module Aikido::Zen
     end
 
     initializer "aikido.add_middleware" do |app|
-      next if config.zen.disabled?
+      next unless config.zen.protect?
 
       app.middleware.use Aikido::Zen::Middleware::SetContext
       app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
@@ -33,9 +33,9 @@ module Aikido::Zen
     initializer "aikido.configuration" do |app|
       # Allow the logger to be configured before checking if disabled? so we can
       # let the user know that the agent is disabled.
-      app.config.zen.logger = ::Rails.logger.tagged("aikido")
-
-      next if config.zen.disabled?
+      logger = ::Rails.logger
+      logger = ActiveSupport::TaggedLogging.new(logger) unless logger.respond_to?(:tagged)
+      app.config.zen.logger = logger.tagged("aikido")
 
       app.config.zen.request_builder = Aikido::Zen::Context::RAILS_REQUEST_BUILDER
 
@@ -51,10 +51,7 @@ module Aikido::Zen
     end
 
     config.after_initialize do
-      if config.zen.disabled?
-        config.zen.logger.warn("Zen has been disabled and will not run.")
-        next
-      end
+      next unless config.zen.protect?
 
       # Make sure this is run at the end of the initialization process, so
       # that any gems required after aikido-zen are detected and patched
@@ -63,7 +60,6 @@ module Aikido::Zen
 
       # It's important we start after loading sinks, so we can report the installed packages
       Aikido::Zen.start!
-      Aikido::Zen.start!
 
       # Agent's bootstrap process has finished —Controllers are patched to block
       # unwanted requests, sinks are loaded, scanners are running—, so we mark

data/lib/aikido/zen/request/heuristic_router.rb

@@ -30,6 +30,10 @@ module Aikido::Zen
 
     private def parameterize_segment(segment)
       case segment
+      when ULID
+        ":ulid"
+      when OBJECT_ID
+        ":objectId"
       when NUMBER
         ":number"
       when UUID
@@ -57,6 +61,8 @@ module Aikido::Zen
             | 00000000-0000-0000-0000-000000000000
             | ffffffff-ffff-ffff-ffff-ffffffffffff
             )\z/ix
+    ULID = /\A[0-9A-HJKMNP-TV-Z]{26}\z/i
+    OBJECT_ID = /\A[0-9a-f]{24}\z/i
     EMAIL = /\A
               [a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+
               @

data/lib/aikido/zen/sink.rb

@@ -80,6 +80,9 @@ module Aikido::Zen
     # @raise [Aikido::UnderAttackError] if an attack is detected and
     #   blocking_mode is enabled.
     def scan(context: Aikido::Zen.current_context, **scan_params)
+      return if context&.scanning
+      context&.scanning = true
+
       return if context&.protection_disabled?
 
       scan = Scan.new(sink: self, context: context)
@@ -108,6 +111,8 @@ module Aikido::Zen
       @reporter.call(scan) if scans_performed > 0
 
       scan
+    ensure
+      context&.scanning = false
     end
   end
 end

data/lib/aikido/zen/sinks/async_http.rb

@@ -1,26 +1,46 @@
 # frozen_string_literal: true
 
-require_relative "../sink"
+require_relative "../scanners/ssrf_scanner"
 require_relative "../outbound_connection_monitor"
 
 module Aikido::Zen
   module Sinks
     module Async
       module HTTP
+        def self.load_sinks!
+          if Gem.loaded_specs["async-http"]
+            require "async/http"
+
+            ::Async::HTTP::Client.prepend(Async::HTTP::ClientExtensions)
+          end
+        end
+
         SINK = Sinks.add("async-http", scanners: [
-          Aikido::Zen::Scanners::SSRFScanner,
-          Aikido::Zen::OutboundConnectionMonitor
+          Scanners::SSRFScanner,
+          OutboundConnectionMonitor
         ])
 
-        module Extensions
-          def call(request)
+        module Helpers
+          def self.scan(request, connection, operation)
+            SINK.scan(
+              request: request,
+              connection: connection,
+              operation: operation
+            )
+          end
+        end
+
+        module ClientExtensions
+          extend Sinks::DSL
+
+          sink_around :call do |super_call, request|
             uri = URI(format("%<scheme>s://%<authority>s%<path>s", {
               scheme: request.scheme || scheme,
               authority: request.authority || authority,
               path: request.path
             }))
 
-            wrapped_request = Aikido::Zen::Scanners::SSRFScanner::Request.new(
+            wrapped_request = Scanners::SSRFScanner::Request.new(
               verb: request.method,
               uri: uri,
               headers: request.headers.to_h,
@@ -28,22 +48,21 @@ module Aikido::Zen
             )
 
             # Store the request information so the DNS sinks can pick it up.
-            if (context = Aikido::Zen.current_context)
+            context = Aikido::Zen.current_context
+            if context
               prev_request = context["ssrf.request"]
               context["ssrf.request"] = wrapped_request
             end
 
-            SINK.scan(
-              connection: Aikido::Zen::OutboundConnection.from_uri(uri),
-              request: wrapped_request,
-              operation: "request"
-            )
+            connection = OutboundConnection.from_uri(uri)
+
+            Helpers.scan(wrapped_request, connection, "request")
 
-            response = super
+            response = super_call.call
 
-            Aikido::Zen::Scanners::SSRFScanner.track_redirects(
+            Scanners::SSRFScanner.track_redirects(
               request: wrapped_request,
-              response: Aikido::Zen::Scanners::SSRFScanner::Response.new(
+              response: Scanners::SSRFScanner::Response.new(
                 status: response.status,
                 headers: response.headers.to_h,
                 header_normalizer: ->(value) { Array(value).join(", ") }
@@ -60,4 +79,4 @@ module Aikido::Zen
   end
 end
 
-::Async::HTTP::Client.prepend(Aikido::Zen::Sinks::Async::HTTP::Extensions)
+Aikido::Zen::Sinks::Async::HTTP.load_sinks!