didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Egress DLP addon: token detection, secret detection, and prompt injection scanning #195

New Issue
Closed
opened 2026-06-04 20:33:35 -04:00 by didericis-claude · 0 comments
didericis-claude commented 2026-06-04 20:33:35 -04:00
Collaborator
Copy Link
Copy Source

After removing pipelock (PR #193), the egress proxy has no DLP scanning. The research in PR #192 recommends building a mitmproxy addon that adds per-route DLP configuration.

This issue tracks the implementation of the three remaining phases from the plan:

  1. Phase 1a: Token patterns detector — regex-based API key / credential detection on outbound requests
  2. Phase 1b: Known secrets detector — check if provisioned credentials (from cred-proxy / agent env) appear in outbound traffic, including encoded variants
  3. Phase 2: Naive prompt injection detector — pattern-based detection of prompt disclosure and jailbreak attempts in inbound responses

Per-route configuration is added to the manifest egress.routes[*].dlp block; detectors are implemented as pure functions in egress_addon_core.py and wired into the mitmproxy addon.

After removing pipelock ([PR #193](https://gitea.dideric.is/didericis/bot-bottle/pulls/193)), the egress proxy has no DLP scanning. The [research in PR #192](https://gitea.dideric.is/didericis/bot-bottle/pulls/192) recommends building a mitmproxy addon that adds per-route DLP configuration. This issue tracks the implementation of the three remaining phases from the plan: 1. **Phase 1a: Token patterns detector** — regex-based API key / credential detection on outbound requests 2. **Phase 1b: Known secrets detector** — check if provisioned credentials (from cred-proxy / agent env) appear in outbound traffic, including encoded variants 3. **Phase 2: Naive prompt injection detector** — pattern-based detection of prompt disclosure and jailbreak attempts in inbound responses Per-route configuration is added to the manifest `egress.routes[*].dlp` block; detectors are implemented as pure functions in `egress_addon_core.py` and wired into the mitmproxy addon.
didericis added the Kind/FeatureKind/Security labels 2026-06-04 21:01:20 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Feature Kind/Security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#195
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?