feat(proxy): block CONNECT tunnels to credential upstreams and smart NO_PROXY

[RobertWi]

Addresses discussion in #424

Summary

Two related security improvements for the credential proxy:

CONNECT tunnel blocking

When allowed_paths or endpoint rules restrict what an agent can do on a credential upstream, the agent can bypass those restrictions by opening a CONNECT tunnel — the proxy just relays encrypted bytes without inspecting the HTTP method or path. This blocks CONNECT to any host that has credential injection configured, forcing traffic through the reverse proxy where L7 filtering applies.

Smart NO_PROXY

With HTTP_PROXY set, all traffic goes through the proxy — including internal services that don't need credential injection. These requests hit the reverse proxy handler, fail with UnknownService, and drop the connection.

Now NO_PROXY is computed dynamically: allowed_hosts minus credential upstreams. Credential traffic goes through the proxy for injection, everything else goes direct. Landlock still enforces the network boundary.

Edge cases discovered in production:

• Port suffixes in allow_domain entries need stripping for NO_PROXY matching
• allow_domain ports need adding to Landlock ConnectTcp rules
• If a credential file isn't available at startup (Vault sidecar race), the host incorrectly lands in NO_PROXY permanently — documented as a known startup ordering constraint

Production context

Running for a week in a Kubernetes cluster with 9 agents. CONNECT bypass and NO_PROXY misconfiguration were both discovered and fixed during production testing.

Test plan

• CONNECT to credential upstream returns 403
• CONNECT to non-credential host passes through
• credential_upstream_hosts() correctly extracts host:port
• NO_PROXY includes allowed hosts but excludes credential upstreams
• allow_domain ports added to Landlock ConnectTcp rules
• All existing tests pass

[gemini-code-assist]

Code Review

This pull request implements "Smart NO_PROXY" logic and refines credential management within the sandbox. Key changes include allowing non-HTTP protocols to bypass the proxy via direct Landlock TCP rules while ensuring credential-dependent traffic is routed through the proxy for L7 filtering and token injection. The profile configuration for credentials was also updated to support inheritance and explicit overrides during merging. Review feedback focuses on correcting a comment regarding credential merging logic, improving the robustness and performance of port stripping for NO_PROXY strings, and using a more reliable method for parsing network authorities to correctly handle IPv6 addresses.

[gemini-code-assist]

The comment here states that Some([...]) replaces parent credentials, but the implementation actually merges them with the parent's credentials. The test test_merge_profiles_credentials_some_merges_with_base also confirms the merge behavior. To avoid confusion, please update the comment to reflect the implementation.

Suggested change

	// Child `None` inherits parent credentials. Child `Some([...])` replaces parent.
	// Child None inherits parent credentials. Child Some([...]) merges with parent.

[gemini-code-assist]

This loop for building the NO_PROXY string can be made more robust and efficient.

1. Port Stripping: The current logic host.rsplit_once(':').map(|(h, _)| h).unwrap_or(host) is a bit too simplistic and could fail on inputs like IPv6 addresses. A safer approach, consistent with other parts of the codebase (e.g., network_policy.rs), is to verify that the part after the colon is a valid port before stripping it.
2. Performance: The no_proxy_parts.contains() check inside the loop results in O(n^2) complexity. Using a HashSet to collect unique hostnames would be more efficient, especially if no_proxy_hosts could become large.

Here's a suggested refactoring that addresses both points:

Suggested change

	let mut no_proxy_parts = vec!["localhost".to_string(), "127.0.0.1".to_string()];
	for host in &self.no_proxy_hosts {
	// Strip port for NO_PROXY (most HTTP clients match on hostname)
	let hostname = host.rsplit_once(':').map(|(h, _)| h).unwrap_or(host);
	if !no_proxy_parts.contains(&hostname.to_string()) {
	no_proxy_parts.push(hostname.to_string());
	}
	}
	let no_proxy = no_proxy_parts.join(",");
	let mut no_proxy_parts: std::collections::HashSet<String> =
	["localhost".to_string(), "127.0.0.1".to_string()].into();
	for host in &self.no_proxy_hosts {
	// Strip port for NO_PROXY (most HTTP clients match on hostname)
	let hostname = host
	.rsplit_once(':')
	.and_then(|(h, p)| p.parse::<u16>().ok().map(|_| h))
	.unwrap_or(host);
	no_proxy_parts.insert(hostname.to_string());
	}
	let no_proxy = no_proxy_parts.into_iter().collect::<Vec<_>>().join(",");

[gemini-code-assist]

The current logic for normalizing the authority to a host:port string is a bit simplistic and might not correctly handle all cases, especially with IPv6 addresses. For example, an IPv6 literal like [::1] contains colons but no port, and the current logic would not append the default port 443.

A more robust approach would be to use url::Url::parse to correctly handle various authority formats. This would ensure consistent and correct parsing of host and port.

                let host_port = match url::Url::parse(&format!("http://{}", authority)) {
                    Ok(parsed) => {
                        let host = parsed.host_str().unwrap_or(authority);
                        let port = parsed.port().unwrap_or(443);
                        format!("{}:{}", host, port).to_lowercase()
                    }
                    Err(_) => authority.to_lowercase(),
                };

[RobertWi]

Sorry for the wait — DCO sign-off added, rebased onto v0.26.1.

Addressed Gemini review feedback:

• Fixed misleading comment: credentials Some([...]) merges with parent, not replaces
• IPv6 handling in NO_PROXY port stripping ([::1]:443 → [::1])
• IPv6 handling in CONNECT authority normalization

fmt clean, clippy clean, all tests pass.