
feat(sandbox): L7 credential injection for non-inference providers#541

Draft
htekdev wants to merge 1 commit into NVIDIA:main from htekdev:add-credential-injection

Conversation

@htekdev
Contributor

@htekdev htekdev commented Mar 22, 2026

Summary

Extends the L7 proxy to inject API credentials at the network layer for arbitrary REST endpoints -- generalizing the inference.local credential injection pattern to any service in network_policies.

Closes #538

Problem

Provider credentials (Exa AI, Perplexity, YouTube, GitHub, etc.) are injected as environment variables into sandboxes. Even with the SecretResolver placeholder mechanism, the agent process can infer credential existence and a prompt injection attack, malicious skill, or compromised dependency can read and exfiltrate placeholder values. The inference.local proxy already proves credential injection at the network layer works -- this feature generalizes it.

Changes

Proto and Policy Schema

  • Added CredentialInjection message to proto/sandbox.proto with fields: header, value_prefix, query_param, provider, credential
  • Added CredentialInjectionDef serde struct to openshell-policy with bidirectional YAML-proto conversion
  • Added validation rules: requires protocol: rest + tls: terminate, exactly one of header/query_param, credential and provider required

Credential Injector Module (credential_injector.rs)

  • New 755-line module in openshell-sandbox
  • CredentialInjector::extract_from_policy() scans policy endpoints for credential_injection configs, cross-references with provider env, removes matched credentials from child env
  • lookup(host, port) with case-insensitive exact match and glob pattern support
  • inject_credential() applies header injection (strip existing + append) or query parameter injection (URL append with percent-encoding)
  • Multiple endpoints can share the same credential

Sandbox and Proxy Integration

  • Modified run_sandbox() to extract credential injections before SecretResolver, filtering injected credentials out of the child environment
  • Threaded CredentialInjector through proxy pipeline to L7 relay
  • Applied injection in relay_http_request_with_resolver() after SecretResolver rewriting

Build System

  • Made protobuf-src optional (bundled-protoc feature) to support system protoc via PROTOC env var

Documentation

  • Updated docs/reference/policy-schema.md with full credential_injection field reference and examples
  • Added Credential Injection section to architecture/sandbox.md

Injection Types

| Style | YAML fields | Example |
| --- | --- | --- |
| Plain header | header: x-api-key | x-api-key: <value> |
| Header + prefix | header: Authorization, value_prefix: "Bearer " | Authorization: Bearer <value> |
| Query parameter | query_param: key | URL appended with ?key=<value> |

Testing

  • 4 policy YAML round-trip tests (header, bearer prefix, query param, none)
  • 20+ unit tests in credential_injector.rs covering extraction, lookup, glob matching, header injection, query param injection, body preservation
  • L7 validation tests for credential_injection constraint checking

Backward Compatibility

  • No changes when credential_injection is not set on endpoints
  • Existing providers and policies work without modification
  • Proto field 10 is new and optional -- wire-compatible

Checklist

  • Code follows project conventions
  • Proto schema changes are backward-compatible
  • YAML round-trip tests pass
  • Unit tests cover all injection types
  • Policy validation rejects invalid configurations
  • Documentation updated
  • Security: injected credentials never in child env, existing auth headers stripped
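As an added example (not code from this PR or the openshell project), a small Rust model of the behaviour the description lists: case-insensitive host lookup with a "*.suffix" glob, header injection that strips any agent-supplied header of the same name before appending, and query-parameter injection with percent-encoding. All type and function names, the glob syntax, and the sample hosts and keys are assumptions.

```rust
// Added illustration, not the PR's credential_injector.rs: models the lookup and
// the two injection styles described above. Names and glob syntax are assumptions.
#[derive(Clone, Debug)]
pub enum Injection {
    Header { name: String, value_prefix: String },
    QueryParam { name: String },
}

/// Rules keyed by endpoint host (exact or "*.suffix" glob) plus the credential the
/// proxy holds on the sandbox's behalf; it is never placed in the child environment.
pub struct CredentialInjector {
    rules: Vec<(String, Injection, String)>,
}

impl CredentialInjector {
    pub fn new(rules: Vec<(&str, Injection, &str)>) -> Self {
        let rules = rules.into_iter().map(|(h, i, c)| (h.to_ascii_lowercase(), i, c.to_string())).collect();
        Self { rules }
    }
    /// Case-insensitive exact match, or "*.example.test" matching any subdomain of it.
    pub fn lookup(&self, host: &str) -> Option<(&Injection, &str)> {
        let host = host.to_ascii_lowercase();
        self.rules.iter().find(|(pat, _, _)| {
            pat == &host || pat.strip_prefix("*.").map_or(false, |s| host.ends_with(&format!(".{s}")))
        }).map(|(_, i, c)| (i, c.as_str()))
    }
}

/// Percent-encode every byte outside the RFC 3986 unreserved set.
pub fn percent_encode(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{b:02X}"),
    }).collect()
}

/// Apply one injection to a request target and header list, returning the rewritten pair.
/// Header style drops any same-named header the sandboxed process sent, so it cannot
/// pre-set the value; query style appends the encoded credential to the target.
pub fn inject(inj: &Injection, cred: &str, target: &str, headers: &[(String, String)]) -> (String, Vec<(String, String)>) {
    match inj {
        Injection::Header { name, value_prefix } => {
            let mut kept: Vec<_> = headers.iter().filter(|(k, _)| !k.eq_ignore_ascii_case(name)).cloned().collect();
            kept.push((name.clone(), format!("{value_prefix}{cred}")));
            (target.to_string(), kept)
        }
        Injection::QueryParam { name } => {
            let sep = if target.contains('?') { '&' } else { '?' };
            (format!("{target}{sep}{name}={}", percent_encode(cred)), headers.to_vec())
        }
    }
}
```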

Extend the L7 proxy to inject API credentials at the network layer for
arbitrary REST endpoints, generalizing the inference.local pattern to
any service in network_policies.

When an endpoint has a credential_injection configuration, the
referenced provider credential is withheld from the sandbox environment
and injected by the proxy before forwarding upstream. The agent process
never sees the raw API key.

Supports three injection styles:
- Header (e.g., x-api-key: <value>)
- Header with prefix (e.g., Authorization: Bearer <value>)
- Query parameter (e.g., ?key=<value>)

Changes:
- Add CredentialInjection proto message to sandbox.proto
- Add CredentialInjectionDef YAML schema with round-trip conversion
- Add validation rules (requires rest + tls terminate)
- Create credential_injector.rs module with extraction, lookup, and
  HTTP modification logic
- Integrate into sandbox startup to filter provider env vars
- Thread CredentialInjector through proxy to L7 relay
- Apply injection in relay_http_request_with_resolver()
- Make protobuf-src optional to support system protoc
- Update policy-schema.md and architecture/sandbox.md

Closes NVIDIA#538
@htekdev htekdev requested a review from a team as a code owner March 22, 2026 14:33
@htekdev htekdev marked this pull request as draft March 22, 2026 22:56