Optional VM egress MITM proxy with mock-secret header rewriting

[sjmiller609]

Summary

This PR adds an optional, default-off egress MITM proxy mode for Hypeman VMs so workloads can run with mock secrets in-VM while real secrets stay on the host.

When enabled per instance, Hypeman now:

• Starts/uses a host-side HTTP/HTTPS MITM proxy on the VM bridge gateway.
• Injects proxy env vars into the guest (HTTP_PROXY / HTTPS_PROXY, lower-case variants).
• Installs proxy CA material in guest init so TLS MITM can be trusted by system components.
• Rewrites outbound HTTP header values by replacing configured mock literals with real values from host env vars.
• Enforces egress path on Linux using per-instance iptables FORWARD rules for TCP ports 80/443 so direct internet egress bypass is rejected.

Why

This enables safer execution of untrusted or lower-trust workloads in VMs without placing real secrets inside guest env/config, while still allowing authenticated outbound API traffic.

API / Config changes

• CreateInstanceRequest now supports top-level egress_proxy:
  • enabled: bool
  • mock_to_real_env_var: map[string]string (mock literal -> host env var name)
• OpenAPI schema updated accordingly.
• Instance domain model now persists optional EgressProxyConfig.

Implementation details

• New module: lib/egressproxy/
  • Host CA generation/load and on-the-fly cert signing.
  • HTTP proxying and HTTPS CONNECT MITM handling.
  • Header replacement policy resolved per source VM IP.
  • Linux enforcement helpers for egress gating.
  • Behavior-focused README.
• Lifecycle wiring in instances manager:
  • Register proxy policy/enforcement on create/start/restore when enabled.
  • Remove policy/enforcement on stop/standby/delete and rollback paths.
• Guest init support:
  • New guest config section for egress proxy settings and CA PEM.
  • CA installation call added in both exec and systemd modes.

Tests

Added integration test:

• TestEgressProxyRewritesHTTPSHeaders
  • Boots a VM with egress proxy mode enabled.
  • Sends HTTPS request with mock secret in Authorization header.
  • Verifies upstream receives rewritten real secret value.

Validation run

Executed on deft-kernel-dev as root:

• sudo -n /usr/local/go/bin/go test ./cmd/api/api -run TestDoesNotExist -count=1
• sudo -n /usr/local/go/bin/go test ./lib/instances -run TestEgressProxyRewritesHTTPSHeaders -count=1 -v
• sudo -n /usr/local/go/bin/go test ./... -run TestDoesNotExist -count=1

All passed for this change set.

Notes

• Enforcement currently targets default HTTP/HTTPS ports (80/443) by design.
• Header replacement applies to HTTP headers only (not bodies).

---

Note

High Risk
Introduces a host-side MITM proxy and Linux iptables enforcement that alters VM outbound networking and handles real secret material, so misconfiguration or bugs could impact security and connectivity.

Overview
Adds an optional, default-off egress MITM proxy mode for instances, including new API fields network.egress (with enforcement mode) and credentials to keep real secrets host-side while the guest receives mock-* placeholders.

Wires the feature through instance lifecycle (create/start/restore and cleanup on stop/standby/delete): registers per-instance proxy + enforcement, regenerates config disks to inject proxy settings and mock env vars, and persists new metadata (NetworkEgress, Credentials).

Introduces lib/egressproxy (CA generation + per-host cert signing, CONNECT MITM, HTTPS-only header rewriting with domain allowlists, and Linux iptables egress blocking) plus guest-init support to install the proxy CA, expands test coverage (unit + VM integration), and updates prewarm/e2e scripts and tests to support registry mirroring and new OpenAPI fields.

^{Written by Cursor Bugbot for commit a25a59b. This will update automatically on new commits. Configure here.}

[github-actions]

✱ Stainless preview builds

This PR will update the hypeman SDKs with the following commit message.

feat: add optional VM egress MITM proxy with mock-secret header rewriting

⚠️ hypeman-typescript studio · code

Your SDK build had at least one "error" diagnostic.
generate ❗ → build ✅ → lint ✅ → test ✅

npm install https://pkg.stainless.com/s/hypeman-typescript/99c818225c466f8ca53ceb64f11a4c631082e2a9/dist.tar.gz

✅ hypeman-go studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅ → build ⏭️ → lint ✅ → test ✅

go get github.com/stainless-sdks/hypeman-go@e8b721cbc709af739827929839e443981d636233

✅ hypeman-openapi studio · code

Your SDK build had at least one "note" diagnostic.
generate ✅

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-03-19 17:56:25 UTC

[cursor]

Automated risk triage result: High risk.

Why this is high risk (from code diff evidence):

• Introduces a new host-side HTTP/HTTPS MITM subsystem (lib/egressproxy/*) including dynamic cert signing, CONNECT interception, and header rewriting logic.
• Adds Linux egress enforcement via host iptables FORWARD rules (lib/egressproxy/enforce_linux.go), which affects networking behavior and operational safety.
• Wires proxy/enforcement into core VM lifecycle flows (create, start, restore, stop, standby, delete) across lib/instances/*.
• Expands external API surface (openapi.yaml, lib/oapi/oapi.go, API request mapping) and guest init trust/bootstrap behavior (lib/system/init/*, lib/vmconfig/config.go).

Decision:

• Code review is required.
• No auto-approval (high-risk PRs are not approved by automation).

Reviewer assignment:

• PR already has 2 reviewers requested, so no additional reviewers were added.

---

  

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[rgarcia]

still seems like there's no hard api/control-plane error when mitm ca cert setup fails in the guest... seems not ideal to have to inspect guest logs to find that this failure. fine merging as is to keep things moving though

[sjmiller609]

still seems like there's no hard api/control-plane error when mitm ca cert setup fails in the guest... seems not ideal to have to inspect guest logs to find that this failure. fine merging as is to keep things moving though

I'll take a look. I still need to review the changes it decided to do since the previous review, and I'll see if I can handle that too. thanks for the careful reviews.