feat: Added API and functionality for protocol sidecar processes (support beyond HTTP) #85

Open
jentfoo wants to merge 26 commits into go-appsec:main from jentfoo:feat/protocol-sidecar
Conversation

@jentfoo jentfoo commented Jul 2, 2026

Collaborator

This change expands the use cases which sectool can support outside of just HTTP and WebSockets to be able to be adapted with a second process for any request / response protocol. Now supported are purely binary protocols, as well as protocols which use an HTTP 101 protocol switch / upgrade.

These sidecar adapters run out-of-process, speaking a JSON-RPC 2.0 contract over a local socket (with a Go SDK provided, or any language via the raw wire protocol). Rather than acting as passive taps, a sidecar's traffic presents into sectool's unified flow timeline, so every existing tool operates on adapter flows with the same agent parity as native HTTP.

jentfoo added 23 commits July 2, 2026 08:55
Foundation for the protocol-adapter sidecar contract. The proxy/store capture model moves off the HTTP/HTTP2/WS-unioned HistoryEntry to a single Flow envelope with a common per-side Message type. Handlers keep their wire types on the hot path and convert to Flow/Message only at store time, so parsing/rules/serialization are untouched. WebSocket frames are now stored as child flows (parent_flow_id link, method=FRAME) rather than appended onto the handshake entry; children are retrievable by id but excluded from the default listing.
The change replaces the hardcoded peek-switch in handleConnection with a per-connection adapter claim/dispatch registry (first-claim-wins). Introduces the proxy/protocol package with EarlyAdapter (accept-time) and UpgradeAdapter (post-HTTP-upgrade) seams, plus thin shims wrapping the existing HTTP/1.1, HTTP/2, and WebSocket handlers.
This was not well suited in sidecar since it's not clearly a sidecar owned functionality (just needed by both sectool and sidecar).
This reduces a few features to only what's necessary, as well as cleaning up the verbosity of comments.
CI was updated to fail if `make lint` changes any files (preserving prior validation).
@jentfoo jentfoo self-assigned this Jul 2, 2026
@jentfoo jentfoo force-pushed the feat/protocol-sidecar branch from 6c11251 to 5e1bb8d Compare July 2, 2026 19:09
@jentfoo jentfoo changed the title feat: Added API for protocol sidecar processes (support beyond HTTP) feat: Added API and functionality for protocol sidecar processes (support beyond HTTP) Jul 2, 2026
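
The first-claim-wins dispatch described in the commit notes above, as an added sketch that is not code from this pull request: adapters peek at the first bytes of a connection and the first one to claim it handles it, so registration order decides ambiguous inputs. The `Adapter` type, `dispatch`, `sampleAdapters`, the 24-byte peek size and the `0xCA 0xFE` magic are all hypothetical names and constructed values, not sectool's API.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
)

// Adapter is a hypothetical accept-time adapter: Claim inspects peeked bytes.
type Adapter struct {
	Name  string
	Claim func(peek []byte) bool
}

// isMethodToken reports whether p starts with an uppercase token and a space.
func isMethodToken(p []byte) bool {
	i := bytes.IndexByte(p, ' ')
	return i > 0 && bytes.IndexFunc(p[:i], func(r rune) bool { return r < 'A' || r > 'Z' }) < 0
}

// sampleAdapters returns constructed adapters in priority order. The HTTP/2
// preface also looks like an HTTP/1 request line, so http2 must come first.
func sampleAdapters() []Adapter {
	return []Adapter{
		{"http2", func(p []byte) bool { return bytes.HasPrefix(p, []byte("PRI * HTTP/2.0\r\n")) }},
		{"http1", isMethodToken},
		{"binary-sidecar", func(p []byte) bool { return bytes.HasPrefix(p, []byte{0xCA, 0xFE}) }}, // constructed magic
	}
}

// dispatch peeks (never consumes) up to 24 bytes; the first claimant wins.
func dispatch(adapters []Adapter, first []byte) string {
	peek, _ := bufio.NewReader(bytes.NewReader(first)).Peek(24) // a short peek is fine
	for _, a := range adapters {
		if a.Claim(peek) {
			return a.Name
		}
	}
	return "" // unclaimed: close the connection rather than guess
}

func main() {
	fmt.Println(dispatch(sampleAdapters(), []byte("GET / HTTP/1.1\r\n")))
}
```

With the order swapped so the generic HTTP/1 matcher runs first, the HTTP/2 preface is misclassified, which is the kind of ordering bug a claim registry needs tests for.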