-
Notifications
You must be signed in to change notification settings - Fork 43
docs: complete source-of-truth overhaul for core proxy #779
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,7 +15,8 @@ | |
| headers, status codes) | ||
| - **Branch chains** - conditional branching in filter | ||
| pipelines based on filter results, with skip-forward, | ||
| terminal short-circuit, and re-entrance loops | ||
| terminal short-circuit, and re-entrance loops. | ||
| See [Branch Chains](filters/branch-chains.md). | ||
|
|
||
|
rikatz marked this conversation as resolved.
|
||
| ## Traffic Management | ||
|
|
||
|
|
@@ -91,6 +92,10 @@ | |
| request and response payload size. | ||
|
|
||
| [payload-processing]:./architecture/payload-processing.md | ||
| [pipeline-concepts]:./architecture/pipeline-concepts.md | ||
|
|
||
|
rikatz marked this conversation as resolved.
|
||
| Filter results and branch conditions are covered in | ||
| [Pipeline Concepts][pipeline-concepts]. | ||
|
|
||
| ## Security | ||
|
|
||
|
|
@@ -136,7 +141,10 @@ deployment guidance. | |
| injection with trusted proxy CIDR support | ||
| - **Credential injection**: per-cluster API key injection | ||
| into upstream request headers with environment variable | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [Large] Phantom feature: the |
||
| or inline values | ||
| or inline values; client credential stripping | ||
| - **Policy engine** (`policy`, experimental, feature | ||
| `cpex-policy-engine`): JWT identity, route policy, PII | ||
| scanning, audit | ||
|
|
||
| ## Observability | ||
|
|
||
|
|
@@ -229,3 +237,21 @@ deployment guidance. | |
| - **External processing** (`ext_proc`): Envoy-compatible | ||
| gRPC external processing filter (opt-in, separate | ||
| crate) | ||
| - **Endpoint selector**: pin upstream endpoints from | ||
| trusted mutation sources (e.g. `ext_proc`). | ||
| - **Failure mode**: per-filter `failure_mode: open` for | ||
| non-security filters when runtime errors should not | ||
| block traffic. | ||
|
|
||
| ## AI gateway | ||
|
|
||
| An **AI Gateway** (AI API Gateway) routes, manages, enriches, | ||
| and parses inference and agentic traffic between workloads and | ||
| model or agent backends. Full definitions: | ||
| [praxis-ai overview](https://github.com/praxis-proxy/ai/blob/main/docs/overview.md). | ||
|
|
||
| LLM provider filters, MCP/A2A, response storage, and token | ||
| metadata ship in [praxis-ai](https://github.com/praxis-proxy/ai), | ||
| not the core `praxis` binary. Core filters such as | ||
| `json_rpc`, `credential_injection`, and `router` compose | ||
| with AI filters in `praxis-ai` pipelines. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -560,3 +560,12 @@ filter with `FilterFactory::Http(Arc::new(factory))`, | |
| build a minimal YAML config, and assert on status codes | ||
| and response bodies. See `tests/integration/` for | ||
| examples. | ||
|
|
||
| Built-in filter reference pages are generated from source. | ||
| After changing a filter config struct, run: | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [Medium] Phantom xtask commands: |
||
|
|
||
| ```console | ||
| cargo xtask generate-filter-docs | ||
|
rikatz marked this conversation as resolved.
|
||
| ``` | ||
|
|
||
| CI runs `cargo xtask lint-filter-docs` as part of `make lint`. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -607,14 +607,35 @@ by category: | |
|
|
||
| | Directory | Contents | | ||
| | ----------- | ---------- | | ||
| | `traffic-management` | Router, load balancer, timeouts, static responses, redirects, rate limiting, health checks | | ||
| | `payload-processing` | Body processing: compression, field extraction, stream buffering, size limits | | ||
| | `security` | Forwarded headers, IP ACL, guardrails, CORS, downstream read timeout | | ||
| | `observability` | Access logs, request IDs | | ||
| | `transformation` | Header manipulation, path rewriting, URL rewriting | | ||
| | `branching` | Branch chains: conditional skip, terminal, reentrance, cross-chain | | ||
|
rikatz marked this conversation as resolved.
|
||
| | `traffic-management` | Router, load balancing, timeouts, redirects, rate limiting, static responses, P2C, canary, circuit breaker, health checks, gRPC detection | | ||
| | `payload-processing` | Compression, JSON field extraction, stream buffering, size limits | | ||
| | `security` | CORS, CSRF, IP ACL, guardrails, policy (feature-gated), forwarded headers, downstream read timeout | | ||
| | `observability` | Access logs, request IDs, TCP access logs | | ||
| | `transformation` | Headers, path rewrite, URL rewrite | | ||
| | `protocols` | TCP, TLS, mixed protocol configs | | ||
| | `pipeline` | Filter chain composition and conditions | | ||
| | `operations` | Production gateway, multi-listener, admin | | ||
| | `pipeline` | Chain composition, conditions, failure mode, branch chains | | ||
| | `operations` | Hot reload, admin, multi-listener, max connections, production gateway | | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [Medium] The |
||
|
|
||
| ## Branch Chains | ||
|
|
||
|
rikatz marked this conversation as resolved.
|
||
| Conditional sub-pipelines based on filter results: | ||
| short-circuit responses, skip filters, retry loops, and | ||
| cross-chain routing. See [Branch Chains](../filters/branch-chains.md) | ||
| and [Pipeline Concepts](../architecture/pipeline-concepts.md). | ||
|
|
||
| ## Health Checks | ||
|
|
||
| Per-cluster active HTTP/TCP probes and passive inline | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [Medium] Both links in this section are broken: |
||
| failure tracking remove unhealthy endpoints from rotation. | ||
| See [health-checks.yaml](../../examples/configs/traffic-management/health-checks.yaml). | ||
|
|
||
| ## Failure Mode | ||
|
|
||
| Filters declare `failure_mode: open` (continue on error) | ||
| or `closed` (reject the request). Security-critical | ||
| filters reject open mode by default. See | ||
| [failure-mode.yaml](../../examples/configs/pipeline/failure-mode.yaml). | ||
|
|
||
| ## Validation and Security | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Large] Broken link:
filters/branch-chains.mddoes not exist. Neither doesarchitecture/pipeline-concepts.mdreferenced on line 92. Both links will 404. Either create these files as part of this PR, or remove the links and track the missing docs as a follow-up issue.