
Conversation


@ssncferreira ssncferreira commented Dec 16, 2025

Description

Adds the core AI Bridge MITM proxy daemon. This proxy intercepts HTTPS traffic, decrypts it using a configured CA certificate, and forwards requests to AIBridge for processing.

Changes

  • Added aibridgeproxyd package with the core proxy server implementation
  • Added configuration options: CODER_AIBRIDGE_PROXY_ENABLED, CODER_AIBRIDGE_PROXY_LISTEN_ADDR, CODER_AIBRIDGE_PROXY_CERT_FILE, CODER_AIBRIDGE_PROXY_KEY_FILE
  • Added tests for server initialization and MITM functionality

Closes coder/internal#1180

@ssncferreira force-pushed the ssncferreira/feat-add-aiproxy-core branch 2 times, most recently from f095630 to a6abd82 (December 16, 2025 20:50)

ssncferreira (Contributor, author) commented Dec 16, 2025 on these lines:
Value: &c.AI.ProxyConfig.KeyFile,
Default: "",
Group: &deploymentGroupAIProxy,
YAML: "key_file",

Just to confirm, do we need to set this as a secret? Something like: Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
This is the file path, so the content is the actual secret 🤔

Contributor replied:

Yeah I think since it's a file path it's not sensitive itself.

@dannykopping (Contributor) left a comment:

Looking good 👍

Needs some basic test coverage please, and the renaming that we discussed offline.

return certFile, keyFile
}

func TestNew(t *testing.T) {
Contributor commented on this test:

This test is good but it's not validating the actual behaviour.

Can you add a test which exercises the proxy? i.e. that it actually tunnels to some mock handler?

It can be simple since we'll be doing a lot more upstack.

ssncferreira (author) replied:

I was planning to add more detailed tests on the following upstack PRs, but that is a good callout.
Addressed in feca199

@dannykopping (Contributor) left a comment:

LGTM


@ssncferreira force-pushed the ssncferreira/feat-add-aiproxy-core branch 3 times, most recently from 5a6ab75 to fdd4a44 (December 19, 2025 17:50)
@ssncferreira force-pushed the ssncferreira/feat-add-aiproxy-core branch from fdd4a44 to e4d1ca1 (December 19, 2025 19:03)
@ssncferreira force-pushed the ssncferreira/feat-add-aiproxy-core branch from e4d1ca1 to ca7e3a6 (December 19, 2025 19:09)
@ssncferreira (author) commented:

Currently, tests are flaky because of multiple test calls to aibridgeproxyd.New() in parallel, and each loads a different CA certificate into goproxy.GoproxyCa, which is a global variable. When one test overwrites the CA while another test is making a request, TLS verification fails because the client trusts a different CA than the one goproxy is using to sign certificates:

Get "https://127.0.0.1:45849/": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Test CA")

A possible fix would be to use a shared global CA for all tests so they don't overwrite each other.
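The race described in this comment, and the shared-CA fix it proposes, as an added example (not code from this PR, from coder, or from goproxy): a test helper that mints one CA per process with sync.Once, plus the trust check a client with a single custom root performs, which fails in exactly the page's way when a leaf minted under one "Test CA" is checked against a different "Test CA". The names MintCert, SharedTestCA and TrustedBy are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sync"
	"time"
)

// One CA per test binary, created on first use (hypothetical helper, not PR code).
var sharedCA struct{ once sync.Once; cert *x509.Certificate; key *ecdsa.PrivateKey }

// MintCert issues a cert for name signed by parent; parent == nil mints a self-signed CA.
func MintCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // a leaf needs a SAN for hostname verification
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root: this is what each test minted before
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SharedTestCA hands every caller the same CA, so no parallel test can replace the CA another test's client trusts.
func SharedTestCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	sharedCA.once.Do(func() { sharedCA.cert, sharedCA.key = MintCert("Test CA", true, nil, nil) })
	return sharedCA.cert, sharedCA.key
}

// TrustedBy is the check a client with one custom root makes on the proxy's per-host cert.
func TrustedBy(leaf, trustedCA *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Because both CAs carry the subject "Test CA", the mismatched verification finds the wrong root by name and fails on the signature, which is the "possibly because of ... candidate authority certificate "Test CA"" hint in the error above.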


Successfully merging this pull request may close these issues.

aibridge: implement core MITM proxy