Skip to content

feat(proxy): WebSocket support via ReverseProxy refactor #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
andybons merged 8 commits into from
Apr 22, 2026
+970 −281
Merged

feat(proxy): WebSocket support via ReverseProxy refactor #22

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b6ab1af
test(proxy): add interception path coverage for ReverseProxy refactor
andybons Apr 22, 2026
ca5d29e
test(proxy): add WebSocket upgrade test (expected to fail)
andybons Apr 22, 2026
940057f
feat(proxy): replace interception loop with ReverseProxy for WebSocke…
andybons Apr 22, 2026
ca0b3e8
docs: add v0.9.0 changelog entry, remove design docs
andybons Apr 22, 2026
d722d4b
fix(proxy): address code review feedback on ReverseProxy refactor
andybons Apr 22, 2026
c990bc6
fix(proxy): address third round of review feedback
andybons Apr 22, 2026
12737cf
fix(proxy): add credential leak regression test, fix cred error log f…
andybons Apr 22, 2026
9e3db0b
fix(proxy): propagate request ID, add missing log fields in ErrorHandler
andybons Apr 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,17 @@ Gatekeeper is a standalone credential-injecting TLS-intercepting proxy. It trans

Gatekeeper is pre-1.0. The configuration schema and credential source interface may change between minor versions.

## v0.9.0 — 2026-04-22

### Added

- **WebSocket support through TLS interception** — WebSocket upgrades (101 Switching Protocols) now work through CONNECT+TLS intercepted connections; credentials are injected on the upgrade request, then the proxy switches to bidirectional byte tunneling for WebSocket frames ([#22](https://github.com/majorcontext/gatekeeper/pull/22))

### Changed

- **Refactored `handleConnectWithInterception`** — replaced the manual `http.ReadRequest` → `transport.RoundTrip` → `resp.Write` loop with `httputil.ReverseProxy` served via a single-connection `http.Server`; all existing behaviors (credential injection, network/Keep policy, LLM gateway policy, response transformers, canonical logging) are preserved through `Rewrite`, `ModifyResponse`, and `ErrorHandler` hooks ([#22](https://github.com/majorcontext/gatekeeper/pull/22))
- **Extracted `evaluateAndReplaceLLMResponse`** — LLM gateway policy evaluation logic moved from inline in the request loop to a standalone method for readability ([#22](https://github.com/majorcontext/gatekeeper/pull/22))

## v0.8.0 — 2026-04-22

### Added
Expand Down
Loading
Loading