@vellumai/credential-executor 0.6.5 → 0.6.6
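--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -22,9 +22,6 @@ COPY packages/egress-proxy ./packages/egress-proxy
 COPY credential-executor/package.json credential-executor/bun.lock* ./credential-executor/
 RUN cd /app/credential-executor && bun install --frozen-lockfile
 
-# Copy credential-executor source
-COPY credential-executor ./credential-executor
-
 # Runtime stage
 FROM debian:trixie-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS runner
 
@@ -42,9 +39,12 @@ RUN ln -sf /usr/local/bin/bun /usr/local/bin/bunx
 RUN groupadd --system --gid 1001 ces && \
 useradd --system --uid 1001 --gid ces --create-home ces
 
-# Copy
+# Copy installed deps + shared packages from builder.
 COPY --from=builder --chown=ces:ces /app /app
 
+# Copy source separately to avoid invalidating builder layer.
+COPY --chown=ces:ces credential-executor ./
+
 # Pre-create /ces-data so the non-root ces user can write to it
 # when no PVC volume is mounted (e.g., direct docker run)
 RUN mkdir -p /ces-data && chown ces:ces /ces-data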
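Review bot: The added `COPY --chown=ces:ces credential-executor ./` makes the application source owned by the same `ces` account the service runs as, so a compromised process could rewrite its own code, while the only path these hunks show as needing to be writable is `/ces-data`. Unless the service writes into its source tree at runtime, `COPY credential-executor ./` (root-owned by default) is the tighter choice, and the same question applies to the existing `COPY --from=builder --chown=ces:ces /app /app`. The destination `./` also depends on a `WORKDIR` set outside this hunk, and the copy lands directly in the final image on top of the lockfile-installed dependencies. It is therefore worth confirming that a `.dockerignore` keeps a local `node_modules` and any env files in the `credential-executor` context out of the image.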
@@ -197,12 +197,19 @@ export type PolicyDecision =
|
|
|
197
197
|
/**
|
|
198
198
|
* Callback invoked by the proxy HTTP forwarder for each outbound request.
|
|
199
199
|
* Returns injected headers on allow, or `null` to block the request.
|
|
200
|
+
*
|
|
201
|
+
* `method` and `requestHeaders` are populated for plain-HTTP proxied
|
|
202
|
+
* requests (absolute-URL form). For HTTPS CONNECT tunnels the proxy has
|
|
203
|
+
* not yet terminated TLS and cannot see HTTP-level details, so these are
|
|
204
|
+
* left undefined.
|
|
200
205
|
*/
|
|
201
206
|
export type PolicyCallback = (
|
|
202
207
|
hostname: string,
|
|
203
208
|
port: number | null,
|
|
204
209
|
path: string,
|
|
205
210
|
scheme: "http" | "https",
|
|
211
|
+
method?: string,
|
|
212
|
+
requestHeaders?: Record<string, string | string[] | undefined>,
|
|
206
213
|
) => Promise<Record<string, string> | null>;
|
|
207
214
|
|
|
208
215
|
/**
|
|
@@ -216,6 +223,18 @@ export interface ProxyApprovalRequest {
|
|
|
216
223
|
| PolicyDecisionAskUnauthenticated;
|
|
217
224
|
/** The proxy session ID that originated the request. */
|
|
218
225
|
sessionId: ProxySessionId;
|
|
226
|
+
/**
|
|
227
|
+
* HTTP method of the incoming request, when available. Undefined for HTTPS
|
|
228
|
+
* CONNECT tunnels — at CONNECT time the proxy has not terminated TLS so
|
|
229
|
+
* no HTTP-level information is visible.
|
|
230
|
+
*/
|
|
231
|
+
method?: string;
|
|
232
|
+
/**
|
|
233
|
+
* Curated subset of request headers, when available. Only non-sensitive
|
|
234
|
+
* headers are surfaced (content-type, content-length, user-agent, accept).
|
|
235
|
+
* Undefined for HTTPS CONNECT tunnels.
|
|
236
|
+
*/
|
|
237
|
+
requestHeaders?: Record<string, string>;
|
|
219
238
|
}
|
|
220
239
|
|
|
221
240
|
/**
|
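Review bot: `PolicyCallback` now receives `requestHeaders` as the raw header map (`Record<string, string | string[] | undefined>`), which on a plain-HTTP request can carry `Authorization`, `Cookie` or `Proxy-Authorization`. `ProxyApprovalRequest.requestHeaders` promises only a curated non-sensitive subset, but its type `Record<string, string>` accepts any header name, so nothing visible here enforces the allowlist. The filtering code is not in these hunks; I would encode the allowlist in the type, e.g. `requestHeaders?: Partial<Record<"content-type" | "content-length" | "user-agent" | "accept", string>>;`. I would also add a sentence to the `PolicyCallback` doc comment stating that the raw headers must not be logged or passed to approval surfaces unfiltered. The surfaced values remain client-controlled, so whatever renders an approval request should treat them as untrusted text and bound their length.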