@c6o/czproxy 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +188 -0
  2. package/package.json +7 -6
package/README.md ADDED
@@ -0,0 +1,188 @@
1
+ # czproxy — Secure Credentials for AI Agents and Developer Tools
2
+
3
+ A local Rust proxy that transparently injects API credentials into outbound HTTP/HTTPS requests. Your applications and AI agents never hold real secrets — they just make normal HTTP calls through the proxy.
4
+
5
+ ## The Problem
6
+
7
+ AI agents and developer tools need real credentials to call APIs, databases, and cloud services. Today, most teams pass these as environment variables or `.env` files. Every secret is one log statement, one compromised dependency, or one careless commit away from exposure.
8
+
9
+ ## How czproxy Solves It
10
+
11
+ czproxy runs locally and intercepts outbound HTTPS traffic. When a request matches a configured route, the proxy injects the real credential — fetched from 1Password at startup. If the app sent an auth header, it gets stripped and replaced. If it didn't, one gets added. The application never sees the real secret.
12
+
13
+ ```
14
+ Your App ──HTTPS_PROXY──▶ czproxy ──real credentials──▶ api.stripe.com
15
+ (from 1Password)
16
+ ```
17
+
18
+ No code changes. No SDK wrappers. No secret-fetching boilerplate. Just set two environment variables and your existing HTTP client works. If an SDK requires an API key to initialize, pass any dummy value — czproxy replaces it at the network layer.
19
+
20
+ ## Quick Start
21
+
22
+ ### 1. Install
23
+
24
+ ```bash
25
+ npm install -g @c6o/czproxy
26
+ ```
27
+
28
+ Requires macOS (ARM64/x64) or Linux (x64/ARM64). The npm package wraps a compiled Rust binary — no runtime dependencies.
29
+
30
+ ### 2. Initialize
31
+
32
+ ```bash
33
+ czproxy init
34
+ ```
35
+
36
+ This generates a `proxy.yaml` scaffold and detects your project's runtime (Node.js, Python, Go, etc.) to print the right setup instructions.
37
+
38
+ ### 3. Configure Routes
39
+
40
+ Edit `proxy.yaml` to map hostnames to 1Password secret references. This file is safe to commit — it contains no secrets.
41
+
42
+ ```yaml
43
+ listen: "127.0.0.1:6790"
44
+
45
+ tls:
46
+ enabled: true
47
+ ca_cert_path: "./ca-cert.pem"
48
+ ca_key_path: "./ca-key.pem"
49
+
50
+ routes:
51
+ - name: stripe
52
+ match:
53
+ host: api.stripe.com
54
+ auth:
55
+ type: bearer
56
+ secret:
57
+ source: 1password
58
+ vault: Engineering
59
+ item: Stripe API Key
60
+ field: secret_key
61
+
62
+ - name: openai
63
+ match:
64
+ host: api.openai.com
65
+ auth:
66
+ type: bearer
67
+ secret:
68
+ source: 1password
69
+ vault: Engineering
70
+ item: OpenAI API
71
+ field: credential
72
+ ```
73
+
74
+ ### 4. Trust the Proxy CA
75
+
76
+ ```bash
77
+ czproxy trust
78
+ ```
79
+
80
+ This generates a local CA certificate and key (if they don't already exist) and adds the CA to your system trust store (macOS Keychain or Linux ca-certificates).
81
+
82
+ For Node.js (which doesn't use the system trust store):
83
+
84
+ ```bash
85
+ export NODE_EXTRA_CA_CERTS=./ca-cert.pem
86
+ ```
87
+
88
+ ### 5. Run
89
+
90
+ ```bash
91
+ # Start the proxy
92
+ czproxy start
93
+
94
+ # In another terminal (or use a Procfile):
95
+ HTTPS_PROXY=http://127.0.0.1:6790 npm run dev
96
+ ```
97
+
98
+ Or with a Procfile (foreman/overmind):
99
+
100
+ ```
101
+ proxy: czproxy start
102
+ web: czproxy wait && npm run dev
103
+ ```
104
+
105
+ That's it. Your app makes normal API calls. czproxy intercepts them and injects real credentials from 1Password. The app never sees, stores, or logs a single secret.
106
+
107
+ ## Using with AI Agents
108
+
109
+ ### OpenClaw
110
+
111
+ ```bash
112
+ # Start czproxy, then run your agent
113
+ czproxy start &
114
+ czproxy wait
115
+ HTTPS_PROXY=http://127.0.0.1:6790 openclaw agent start
116
+ ```
117
+
118
+ Your OpenClaw agent calls APIs normally. czproxy handles the real auth transparently — no credentials needed in the agent's environment.
119
+
120
+ ### Claude Code
121
+
122
+ When `HTTPS_PROXY` is set in your shell, Claude Code inherits it automatically. Run `czproxy trust` to add the CA system-wide, and set `NODE_EXTRA_CA_CERTS` for Node.js-based tools.
123
+
124
+ For MCP servers:
125
+
126
+ ```json
127
+ {
128
+ "mcpServers": {
129
+ "my-server": {
130
+ "command": "npx",
131
+ "args": ["-y", "@some/mcp-server"],
132
+ "env": {
133
+ "NODE_OPTIONS": "--import @c6o/czproxy/register"
134
+ }
135
+ }
136
+ }
137
+ }
138
+ ```
139
+
140
+ ## Community Edition
141
+
142
+ - Local proxy for individual developers
143
+ - 1Password integration
144
+ - Unlimited routes and services
145
+ - macOS and Linux support
146
+ - TLS interception with auto-generated CA
147
+
148
+ ## Enterprise Edition
149
+
150
+ Need more? Codezero Enterprise adds:
151
+
152
+ - **Vault integrations**: AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
153
+ - **Identity binding**: OIDC/SSO integration, per-identity credential scoping
154
+ - **Policy enforcement**: OPA-based access policies
155
+ - **Audit logging**: Full trail of who accessed what, when
156
+ - **Remote gateway**: Secrets never reach the developer's machine
157
+ - **Multi-team administration**: Centralized credential governance
158
+
159
+ ## CLI Reference
160
+
161
+ | Command | Description |
162
+ |---------|-------------|
163
+ | `czproxy start` | Start the proxy (foreground) |
164
+ | `czproxy init` | Generate proxy.yaml scaffold with runtime-specific instructions |
165
+ | `czproxy trust` | Add proxy CA to system trust store |
166
+ | `czproxy untrust` | Remove proxy CA from system trust store |
167
+ | `czproxy wait` | Poll health endpoint until ready (for Procfiles/scripts) |
168
+ | `czproxy launchd` | Generate/install macOS launchd plist |
169
+ | `czproxy systemd` | Generate/install Linux systemd unit |
170
+
171
+ ## Security
172
+
173
+ czproxy is designed for credential security from the ground up:
174
+
175
+ - **No telemetry** or phone-home code
176
+ - **Never logs** secret values (secrets are wrapped in a `Secret` type that prints `****` on Debug/Display)
177
+ - **Binds loopback only** (`127.0.0.1`) — refuses to start on `0.0.0.0`
178
+ - Secrets are **zeroed from memory** on drop (via `zeroize`)
179
+ - Runs **entirely locally** (Community edition makes no network calls except to configured upstreams and 1Password CLI)
180
+ - `proxy.yaml` contains **only vault references**, never secret values
181
+
182
+ Report security issues to security@codezero.io.
183
+
184
+ ## License
185
+
186
+ Codezero Commercial License. See [LICENSE](https://github.com/c6o/czproxy/blob/main/LICENSE) for details.
187
+
188
+ Community edition is free for individual developer use. Enterprise edition requires a commercial license.
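Review bot: The README never says that `ca-key.pem` must stay out of version control. Step 3's sample `proxy.yaml` sets `ca_key_path: "./ca-key.pem"` inside the project directory and describes the config as safe to commit, and step 4 has `czproxy trust` add the matching CA to the system trust store. Anyone who obtains that key file can issue certificates this machine will accept for any host, so step 4 and the Security list should tell users to add `ca-key.pem` to `.gitignore` and keep it readable only by its owner, or the sample should point `ca_key_path` outside the repository. The Security list could also say what the loopback bind does and does not cover: it limits the listener to local processes, but the README does not state whether every local process that sets `HTTPS_PROXY` gets credentials injected.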
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@c6o/czproxy",
3
- "version": "0.1.0",
3
+ "version": "0.1.1",
4
4
  "type": "module",
5
5
  "bin": {
6
6
  "czproxy": "bin.mjs"
@@ -10,15 +10,16 @@
10
10
  },
11
11
  "files": [
12
12
  "bin.mjs",
13
- "register.mjs"
13
+ "register.mjs",
14
+ "README.md"
14
15
  ],
15
16
  "dependencies": {
16
17
  "undici": "^7.22.0"
17
18
  },
18
19
  "optionalDependencies": {
19
- "@c6o/czproxy-darwin-arm64": "0.1.0",
20
- "@c6o/czproxy-darwin-x64": "0.1.0",
21
- "@c6o/czproxy-linux-x64": "0.1.0",
22
- "@c6o/czproxy-linux-arm64": "0.1.0"
20
+ "@c6o/czproxy-darwin-arm64": "0.1.1",
21
+ "@c6o/czproxy-darwin-x64": "0.1.1",
22
+ "@c6o/czproxy-linux-x64": "0.1.1",
23
+ "@c6o/czproxy-linux-arm64": "0.1.1"
23
24
  }
24
25
  }
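Review bot: Nothing in this release says what changed in the platform binaries. The four `optionalDependencies` entries at the end of this hunk go to `0.1.1`, while the only files changed in the wrapper are `README.md` and `package.json`. The README states that the npm package wraps a compiled Rust binary, so those platform packages carry the code that handles credentials; add a changelog entry or release note describing what differs between the 0.1.0 and 0.1.1 binaries. Keeping the exact version pins on them is right. As a minor point, the new `"README.md"` entry in `files` is redundant, because npm always includes the README in the published tarball regardless of that list.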