Local credential proxy for AI agents (proxy MVP)

.bumpy/proxy-approval-granularity.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Proxy approvals: per-rule granularity and a max-duration cap.
+
+`@proxy(approval=true)` rules accept an options object for finer control: `@proxy(approval={each="request", maxDuration="15m"})`. `each` is how finely to ask — `host`, `endpoint` (method+path), or `request` (method+path+body) — and `maxDuration` is the ceiling on how long a "yes" is remembered (e.g. `"15m"`, or `0` for always-ask). The object form implies approval is required; `enabled=false` turns the rule back into a plain allow. A standing grant is keyed by the matched rule plus its granularity, so one broad rule can yield per-endpoint or per-exact-request approvals without writing many rules. The cap is enforced proxy-side: the approver's chosen lifetime is clamped to `maxDuration`, so no approver can exceed what the schema allows (always-ask is provably one-tap-per-request).

.bumpy/proxy-approval-scopes.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Proxy approvals: approve once, for the session, or for a time window.
+
+The `require-approval` terminal prompt (`varlock proxy start`) now offers scopes — `[y] once`, `[s] this session`, `[m] 15 min` — instead of a plain yes/no. A session- or duration-scoped approval is remembered as a standing grant (stored per session, no secret values) so later requests matching the same `@proxy(approve=true)` rule are auto-approved without re-prompting. Grants are decoupled from the approver behind a store, so the future phone / native-app approver reuses the same mechanism.

.bumpy/proxy-array-literals.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+`@proxy` uses array literals for lists.
+
+`domain` and `method` now accept an array literal for matching multiple values (`domain=[api.a.com, api.b.com]`, `method=[GET, POST]`), and a detached rule attaches extra items with `keys=[ITEM_A, ITEM_B]` instead of positional `$REF`s. A single value still works (`domain="api.x.com"`).

.bumpy/proxy-audit-log.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Add an append-only audit log for proxy sessions (Invariant #7).
+
+Every proxied request now records one JSON line — timestamp, host, method, path, a request fingerprint hash, the matched rule, the decision (allow / deny / blocked-egress / blocked-cleartext), and which managed items were injected (by key name). No secret values, query strings, or request bodies are ever written. Logs are stored per session under `~/.config/varlock/proxy/audit/<uuid>.jsonl` and persist after the session ends. View them with `varlock proxy audit [--session <id>] [--format text|json]`.

.bumpy/proxy-default-omit-sensitive.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Proxy: show the agent a placeholder for every sensitive item by default.
+
+Inside `varlock proxy run|start`, any `@sensitive` item the agent sees is replaced with a placeholder — the `@proxy(domain=...)`-routed ones (whose real value is injected at the wire) plus every other sensitive item (which simply isn't injected anywhere). The real value never reaches the child. Use `@proxy=passthrough` to inject the real value (escape hatch) or `@proxy=omit` to withhold an item entirely. Varlock's own `_VARLOCK_*` reserved keys are internal infrastructure and are excluded from this policy.

.bumpy/proxy-dual-form-decorator.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Proxy: unify `@proxyPassthrough` into a dual-form `@proxy` decorator.
+
+`@proxy` can now be used as a function — `@proxy(domain=...)` to route a value through the proxy (the agent sees a placeholder) — or as a value: `@proxy=passthrough` injects the real value into the proxied child, and `@proxy=omit` explicitly withholds it (no "no policy set" warning). The two forms are mutually exclusive on a single item. This replaces the separate `@proxyPassthrough` decorator.

.bumpy/proxy-phase1-guardrails.md

@@ -0,0 +1,21 @@
+---
+varlock: patch
+---
+
+Add proxy guardrails and strict egress enforcement for run --proxy.
+
+Verified-upstream-identity binding (Invariant #1): secrets are injected only onto upstream TLS connections that validate against the public PKI AND whose cert identity matches the rule-targeted host. A DNS-poisoned / rebound host can't present a valid cert for the target, so it causes a failed connection, never a leaked secret. Cleartext guard (Invariant #2): refuse to inject a secret into a non-TLS (http://) connection; fail closed. Upstream-error path now fails closed (tears down the client connection) rather than half-delivering.
+
+Response scrubbing (Invariant #6): real values reflected in responses are replaced back to placeholders — now including streamed (SSE/chunked) text responses, scrubbed chunk-by-chunk without buffering (so a secret echoed in a stream never reaches the child while streaming still works). Bounded responses gain a post-scrub fail-safe: if a real value somehow survives redaction, the response is withheld rather than leaked. Compressed/binary bodies still pass through unscanned (documented residual).
+
+Per-call policy / static authorization: requests are evaluated as facts (host + method + path) against the `@proxy` rules. A matching `block=true` rule denies the request (fail closed — never reaches upstream), and credential injection is now scoped by path/method too (`getRequestScopedManagedItems`), so a secret can be limited to specific endpoints/methods, not just a host. Modeled as `facts → verdict` (allow|deny|require-approval) with a generic fact bag so domain plugins / non-HTTP protocols slot onto the same seam later. Glob path matching (`*` within a segment, `**` across).
+
+Local-MVP hardening: per-item domain scoping (an item's secret is injected only on hosts its own rule matches), response redaction of headers + uncompressed bodies (compressed bodies pass through — most APIs don't reflect credentials, and forcing identity on every request wasn't worth the cost), schema-fingerprint enforcement on nested commands (closes the @sensitive-downgrade re-load), and correctness fixes (byte-accurate content-length, strict-mode 403 length).
+
+In-memory ephemeral CA: cert generation moved from the `openssl` subprocess to `@peculiar/x509` over WebCrypto (EC P-256). CA and per-host leaf private keys are now generated and held in memory — only the public CA cert is written to disk for child trust. Removes the openssl dependency (portability for the compiled binary) and closes the on-disk private-key exposure. Leaf certs for IP-literal ruled domains now use an IP SAN (clients verify IPs against iPAddress, not dNSName), so IP-based `@proxy` domains work. Validated end-to-end through the compiled binary (real HTTPS MITM) and via an in-process TLS integration test.
+
+Process-ancestry context detection: nested-command guards and placeholder overrides now detect the proxy session by matching a running session's owner/child PID against the current process's parent chain, not just the inherited `__VARLOCK_PROXY_CHILD` marker. Closes the `env -u __VARLOCK_PROXY_CHILD varlock load` bypass that previously recovered real values; a child would now have to daemonize/reparent to escape the process tree. Marker-absent-but-ancestry-positive is logged as a likely bypass probe.
+
+Streaming responses: the proxy no longer buffers `text/event-stream` (and other unknown-length) responses for body redaction — they stream through incrementally, so LLM/agent token-by-token responses work. Body redaction now applies only to bounded, small (<2MB content-length) text responses; header redaction still applies to all responses.
+
+Placeholder generation: the placeholder is functionally load-bearing (a bad one fails an SDK's key-format check at client construction), so generation now favors known-format sources. `@example` derivation was removed (a docs field shouldn't double as a validation-critical placeholder); priority is explicit `@placeholder` → data-type `generatePlaceholder()` → `@type` constraints → generic fallback. Items that land on the generic fallback are flagged and a warning is printed at proxy startup.

.bumpy/proxy-refresh-hot-reload.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+`varlock proxy refresh` hot-reloads a running proxy.
+
+Editing your schema and running `varlock proxy refresh` re-resolves it in the proxy's trusted context and swaps the live policy — rules, injected secrets, and egress mode — without restarting the proxy or dropping your agent's connection. `refresh` now blocks until the reload completes and then prints how to pick up the new variables (`varlock load` / `varlock run`). Works for both `proxy start` daemons and self-owned `proxy run` sessions.

.bumpy/proxy-require-approval.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Add a `require-approval` verdict to the proxy (Invariant #8).
+
+Mark a rule `@proxy(domain="...", approve=true)` and matching requests are held for an out-of-band, request-bound approval before being forwarded. The approval commits to the exact request — method + verified host + path + body hash + nonce + expiry — so a future signed phone-approval relay drops in unchanged. Precedence is block > require-approval > allow (most restrictive wins). The MVP approver is a terminal prompt under `varlock proxy start` (where the proxy owns the terminal; under `varlock proxy run` the child owns stdio, so approval-required requests fail closed). Everything fails closed — denied, timed-out, or unanswerable approvals never reach upstream — and each outcome is recorded in the audit log as `approval-granted` / `approval-denied`.

.bumpy/proxy-resolution-hardening.md

@@ -0,0 +1,9 @@
+---
+varlock: patch
+---
+
+Proxy: harden secret isolation and fail-closed config validation.
+
+- A proxied agent can no longer recover a secret by re-resolving the schema (`varlock load`/`printenv`/`run`): inside a proxy session every sensitive item resolves to its placeholder, and `@proxy=omit` items resolve to unset — never the real value. Detection now uses the env marker, the session token, and process ancestry together, so clearing `__VARLOCK_PROXY_CHILD` doesn't bypass the schema-fingerprint guard.
+- `@proxy(...)` now rejects unknown options (e.g. a typo like `aproval=true`) and wrong-typed `block`/`approval`/`path` at load time instead of silently producing a permissive rule.
+- Type-aware placeholders: `@type=url`/`email`/`uuid`/`md5` get a valid, unique placeholder so SDK format checks pass; all placeholders are unique per item.

.bumpy/proxy-root-decorator-fix.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Fix: allow `@proxy(...)` in the `.env.schema` header for "detached" proxy rules.
+
+`@proxy` is both an item decorator (attached rules) and a root decorator (detached rules), but the header placement check rejected it as a misplaced item decorator, so detached rules — including header-level `block`/`approve` rules — couldn't be authored. A decorator registered as both is now accepted in the header.

.bumpy/proxy-rules-command.md

@@ -0,0 +1,10 @@
+---
+varlock: patch
+---
+
+Add `varlock proxy rules` to summarize the effective `@proxy` configuration.
+
+Prints the routing rules (host / path / method, block / approval) and each
+secret's mode — proxied (placeholder, injected), placeholder (sensitive, no
+rule), passthrough (real value), or omit — without starting a proxy. Handy for
+verifying a schema and seeing what an agent could and couldn't reach.

.bumpy/proxy-run-attach.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+`varlock proxy run` attaches to a running proxy when possible.
+
+Instead of always starting a fresh (auto-deny) proxy, `proxy run` now attaches to a `proxy start` daemon for the current directory — so the daemon's terminal handles approval prompts while you run the agent in another. It picks the single running session whose directory contains yours (or use `--session <id>`), validates the schema fingerprint (and tells you to restart the proxy on drift, rather than silently routing through a stale one), and injects the session's proxy env + placeholders. Pass `--new` to force a separate fresh proxy. This is the missing piece that makes interactive approval usable from a `run`-style agent command.

.bumpy/proxy-schema-fingerprint-full.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Proxy: the schema fingerprint now covers the full schema definition.
+
+The fingerprint that guards an active proxy session against schema drift (and that `varlock proxy refresh` re-approves) now hashes each config item's value definitions (pre-resolution — no secrets, no I/O) plus every decorator, and all root decorators — instead of only key/sensitivity/required/type. Cosmetic decorators (`@example`, `@docs`, `@docsUrl`, `@icon`, `@deprecated`) are marked `inert` and excluded, and decorator order, named-arg order, comments, and whitespace don't affect it. This closes gaps where a behavioral change left the fingerprint unchanged — e.g. flipping a secret from `@proxy(domain=…)` to `@proxy=passthrough`, changing a `@proxy` domain, or the egress mode.

.bumpy/proxy-session-record.md

@@ -0,0 +1,7 @@
+---
+varlock: patch
+---
+
+Proxy sessions are kept as a durable record instead of deleted on stop.
+
+Each session now lives in its own directory (`proxy/sessions/<id>/`) holding its `session.json`, `audit.jsonl`, and `grants.jsonl` together. Stopping a session marks it ended rather than deleting it, so its audit log and approval grants survive for later inspection. `proxy status` shows active sessions by default; pass `--all` to include ended ones.

.bumpy/proxy-start-request-log.md

@@ -0,0 +1,16 @@
+---
+varlock: patch
+---
+
+`varlock proxy start` now prints a live request log to its terminal.
+
+Each proxied request shows a color-coded one-line decision with the keys injected
+on the way out, and each forwarded response shows its status and any keys scrubbed
+back to placeholders on the way in (`→` green / `✗` red request, `←` cyan response,
+status colored by class, injected/scrubbed key names highlighted):
+
+```
+→ GET httpbin.org/get  inject: API_TOKEN
+← GET httpbin.org/get  200  scrubbed: API_TOKEN
+✗ GET example.com/  blocked-egress
+```