Let the edge report the protections it was told to run #224
Draft
scotwells wants to merge 2 commits into
Adds a read-only endpoint that reports the set of firewall and connector protections the platform handed to the edge. Read-only and off the traffic path; it observes configuration and never touches live requests. This is the reference point for later confirming the edge runs exactly what it was given.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JbCy8vy66RdNYzGSgqH6P6
20f160b to c59cbb9
The endpoint that reports what the last build intended to change exists only so a test can confirm the proxy is running exactly that set. Serve it (and do the per-build recording that backs it) only when the --enable-programmed-set flag is passed, so production exposes nothing and does no extra work on the build path.

The flag joins the extension-server flag surface and is wired through the deployment the same way as the others: an arg that reads an env var (ENABLE_PROGRAMMED_SET), defaulting off, so an overlay can turn it on with a strategic-merge patch on env instead of rewriting the args list.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JbCy8vy66RdNYzGSgqH6P6
c59cbb9 to 44cc215
What this enables
The edge applies firewall and connector protections on behalf of the platform — but until now there was no way to ask the edge what protections it believes it should be running.
This adds a small, read-only endpoint that reports exactly that: the set of rules the platform handed to the edge. On its own it changes nothing a customer can see. Its value comes next — it's the reference point that lets us confirm the edge is actually running what it was told to, instead of assuming that a healthy-looking response means the configuration took effect.
Why it matters
A request can succeed while the protection behind it never applied. Without a way to ask the edge what it intends to enforce, that gap stays invisible. This is the first half of closing it.
Safety
Read-only and off to the side of the traffic path — it observes configuration, it never touches live requests.
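
An added example (not code from this PR or the project) of the gating the second commit message describes: the route and the per-build recording exist only when --enable-programmed-set is passed, and the route refuses anything but GET. Go, the Recorder type, the /programmed-set path, the loopback address and the function names are assumptions; the flag value is taken as already resolved in the process arguments.

```go
package main

import (
	"encoding/json"
	"flag"
	"net/http"
	"os"
	"sync/atomic"
)

type Recorder struct{ set atomic.Value } // last build's set as []string (hypothetical type)

// Record is called on the build path; a nil *Recorder (flag off) does no work.
func (r *Recorder) Record(names []string) {
	if r != nil {
		r.set.Store(append([]string{}, names...))
	}
}

// Enabled parses --enable-programmed-set from args; absent means off.
func Enabled(args []string) (bool, error) {
	fs := flag.NewFlagSet("extension-server", flag.ContinueOnError)
	on := fs.Bool("enable-programmed-set", false, "serve the programmed set")
	err := fs.Parse(args)
	return *on, err
}

// NewMux registers the route only when enabled; the path is an assumption.
func NewMux(enabled bool) (*http.ServeMux, *Recorder) {
	mux := http.NewServeMux()
	if !enabled {
		return mux, nil // nothing exposed, nothing recorded
	}
	rec := &Recorder{}
	rec.Record(nil) // report an empty set until the first build
	mux.HandleFunc("/programmed-set", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "read-only", http.StatusMethodNotAllowed)
			return
		}
		json.NewEncoder(w).Encode(rec.set.Load())
	})
	return mux, rec
}

func main() {
	on, _ := Enabled(os.Args[1:])
	mux, _ := NewMux(on)
	_ = http.ListenAndServe("127.0.0.1:8080", mux)
}
```

With the flag off the recorder is nil, so a deployment that never sets it can be checked by confirming the path returns 404.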