feat: update egress proxy secrets on running instances#154
Draft
sjmiller609 wants to merge 2 commits intomainfrom
Draft
feat: update egress proxy secrets on running instances#154sjmiller609 wants to merge 2 commits intomainfrom
sjmiller609 wants to merge 2 commits intomainfrom
Conversation
Adds PATCH /instances/{id}/env endpoint that merges new env vars into a
running instance and re-registers egress proxy header-injection rules.
This enables credential rotation without instance restart.
Design:
- New env vars are merged into existing env (not replaced)
- validateCredentialEnvBindings() ensures all credential bindings are
still satisfied after the update
- maybeRegisterEgressProxy() atomically swaps proxy rules via the
existing RegisterInstance() idempotent re-registration path
- Updated metadata is persisted to disk
- No guest-side changes needed since secrets never enter the guest
Files changed:
- openapi.yaml: PATCH /instances/{id}/env endpoint definition
- lib/oapi/oapi.go: regenerated from OpenAPI spec
- lib/instances/types.go: UpdateInstanceEnvRequest type
- lib/instances/manager.go: UpdateInstanceEnv interface method
- lib/instances/update_env.go: implementation
- cmd/api/api/instances.go: HTTP handler
- lib/scopes/scopes.go: route scope mapping
- lib/instances/egress_proxy_integration_test.go: secret rotation test
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✱ Stainless preview buildsThis PR will update the Edit this comment to update it. It will appear in the SDK's changelogs. ✅ hypeman-typescript studio · code · diff
✅ hypeman-openapi studio · code · diff
✅ hypeman-go studio · code · diff
This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push. |
The mockInstanceManager in builds tests needs to implement all Manager interface methods to compile. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PATCH /instances/{id}/envendpoint to update environment variables on running instancesImplementation
PATCH /instances/{id}/envendpoint with request body{ env: { key: value } }UpdateInstanceEnv()loads metadata, merges env, validates credential bindings, gets network allocation, re-registers proxy, persists metadatainstance:writepermissionTest plan
egress_proxy_integration_test.goto cover secret rotation:real-openai-key-123UpdateInstanceEnvwithrotated-openai-key-456go build ./...andgo vetpass locally