PRD: Egress traffic logging #207

Merged

didericis merged 7 commits from feat/egress-log-option into main 2026-06-07 20:32:47 -04:00

Conversation 0 Commits 7 Files Changed 10

+668 -94

7 Commits

Author	SHA1	Message	Date
didericis	55cb3429d4	fix(lint): add parse_config tests to satisfy pyright unused-import ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-07 20:25:59 -04:00
didericis	545ff3582f	fix(lint): resolve pylint and pyright issues on egress-log-option ... - egress.py: extract _render_match_entry helper to reduce nesting depth - egress_addon_core.py: make request_method/request_headers keyword-only to satisfy too-many-positional-arguments; wrap long lazy import lines - egress_addon.py: remove unused Route import; add pylint disable for import-error on sidecar-only mitmproxy/egress_addon_core imports - dlp_detectors.py: remove dead _min_distance function (superseded by _closest_pair) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-07 20:10:32 -04:00
didericis	8743299226	ci(prd): rename PRD to prd-new placeholder per new convention	2026-06-07 14:41:27 -04:00
didericis	205e94f960	docs(prd): renumber PRD 0053 → 0056 (0053 slot claimed by user-provider-plugins)	2026-06-07 14:41:27 -04:00
didericis	86b0a4d285	feat(egress): add location, context snippets, and token redaction to DLP logging ... Each DLP block/warn now reports where the match was found (body, authorization header, response body) and includes a context snippet: SNIPPET_CONTEXT chars before and after the match, with the matched value replaced by REDACT ("********"). scan_token_patterns/scan_known_secrets/scan_naive_injection all gain `location` and `context` fields on their ScanResult returns. The outbound scanner takes `auth_header` as a separate kwarg so the two locations are scanned and reported independently. redact_tokens() is added to dlp_detectors and used in egress_addon.py to scrub token patterns and provisioned secrets from host/path fields before they appear in any log output (level 1 and 2). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-07 14:41:27 -04:00
didericis	79212481c9	feat(egress): replace log bool with integer log levels (0/1/2) ... Level 0 (off, default): no stderr output beyond boot line. Level 1 (blocks): each block/warn emitted as JSON with reason and request context (host, method, path, response_status for inbound). Level 2 (full): level-1 events + egress_request and egress_response JSON lines for every forwarded connection. Block logging at level 1+ replaces the previous plain-text stderr write. DLP warn logging is also gated on level 1+. All block call sites now pass _req_ctx(flow) so the blocked request is visible in the log entry. Boot message shows log level label (off/blocks/full). Adds PRD 0053 documenting wire format, manifest format, and all log event shapes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-07 14:41:27 -04:00
didericis	76dd153760	feat(egress): add global log option for full request/response logging ... Adds a top-level `log: true` option to the egress config that logs the full request (method, path, headers, body) and response (status, headers, body) for every forwarded connection as JSON lines on stderr. Wire format: `log: true` at the root of routes.yaml, parsed into the new `Config` dataclass alongside `routes`. The sidecar addon switches from `self.routes` to `self.config` and writes `_log_request` / `_log_response` JSON lines when `self.config.log` is set. Manifest: `egress.log: true` in bottle YAML flows through `EgressConfig.Log` → `Egress.prepare()` → `egress_render_routes(..., log=)` → routes.yaml. `EgressPlan` also carries the flag for introspection. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-07 14:41:27 -04:00