fix: two end-to-end bugs blocking filterRequest + ephemeral CA (#260)

* fix(network): updateConfig() throws DataCloneError when filterRequest is set

structuredClone cannot clone functions. When the consumer passes a
network.filterRequest callback (introduced in #258), the deep-clone in
updateConfig() throws DataCloneError. Callers that catch the throw end up
with config never set, so initialize() runs with no config and the proxy
falls through to opaque tunnelling instead of TLS termination.

Pull filterRequest out before cloning and restore the reference after —
a function reference is immutable in the sense the clone is protecting
against.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(terminating-tls): leaf AKI mismatched ephemeral CA's SKI → chain verify failed

node-forge's getExtension('subjectKeyIdentifier').subjectKeyIdentifier
returns a hex string for in-memory forge-created certs (e.g. the
ephemeral CA from #259) but raw bytes for certs parsed from PEM (e.g. a
user-supplied CA). Passing the hex string as authorityKeyIdentifier's
keyIdentifier caused the leaf's AKI to be the ASCII bytes of the hex
string, which doesn't match the CA's SKI — chain verification fails with
'unable to get local issuer certificate'.

AKI is optional; issuer/subject DN match is sufficient for chain
building. Drop the extension. Regression test: `openssl verify` against
both the fixture CA and an ephemeral CA.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* test(terminating-tls): end-to-end curl through proxy with ephemeral CA

Regression for the AKI fix: same curl-through-proxy round-trip as the
fixture-CA describe, but with createMitmCA({}). curl --cacert points at
the ephemeral CA's certPath; would fail 'unable to get local issuer'
without the AKI fix.

Also: agent:false on the proxy's outbound https.request. A proxy's
outbound leg shouldn't share the process-global connection pool; this
also documents (without fixing — it's process-wide) a Bun quirk where
the first request's `ca:` value sticks. The test sidesteps that by
using the fixture CA for the upstream leg in both describes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: shawnm-anthropic

src/sandbox/mitm-leaf.ts

@@ -48,15 +48,12 @@ export function mintLeafCert(ca: MitmCA, hostname: string): LeafCert {
     },
     { name: 'extKeyUsage', serverAuth: true },
     { name: 'subjectAltName', altNames: [sanFor(hostname)] },
-    {
-      name: 'authorityKeyIdentifier',
-      keyIdentifier:
-        (
-          ca.cert.getExtension('subjectKeyIdentifier') as {
-            subjectKeyIdentifier?: string
-          } | null
-        )?.subjectKeyIdentifier ?? true,
-    },
+    // No authorityKeyIdentifier: node-forge stores SKI as a hex string for
+    // in-memory certs (e.g. the ephemeral CA) but as raw bytes for certs
+    // parsed from PEM (e.g. a user-supplied CA). Passing the hex string as
+    // keyIdentifier produces an AKI that doesn't match the CA's SKI and
+    // chain verification fails. AKI is optional — issuer/subject DN match
+    // is sufficient — so omit it.
   ])
   cert.sign(ca.key, md.sha256.create())
 

src/sandbox/sandbox-manager.ts

@@ -765,8 +765,12 @@ function getConfig(): SandboxRuntimeConfig | undefined {
  * @param newConfig - The new configuration to use
  */
 function updateConfig(newConfig: SandboxRuntimeConfig): void {
-  // Deep clone the config to avoid mutations
-  config = structuredClone(newConfig)
+  // Deep clone the config to avoid mutations. structuredClone cannot clone
+  // functions, so pull filterRequest out, clone the rest, and put it back —
+  // a function reference is immutable in the sense that matters here.
+  const { filterRequest, ...rest } = newConfig.network
+  config = structuredClone({ ...newConfig, network: rest })
+  config.network.filterRequest = filterRequest
   // Re-resolve parent proxy so hot-reload picks up changes. Note: the proxy
   // servers capture `parentProxy` by value at creation, so changes here take
   // effect only on re-initialize. This keeps the state consistent for the

src/sandbox/tls-terminate-proxy.ts

@@ -186,6 +186,11 @@ async function forwardUpstream(
       // omitting the key, so spread conditionally.
       ...(isIP(target.hostname) ? {} : { servername: target.hostname }),
       ...(target.upstreamCA ? { ca: target.upstreamCA } : {}),
+      // No global agent: a proxy's outbound leg shouldn't share a connection
+      // pool keyed on the proxy process. Also works around a Bun quirk where
+      // the first request's `ca:` value is cached on the global agent and
+      // subsequent calls with a different `ca:` are silently ignored.
+      agent: false,
     },
     upRes => {
       res.writeHead(upRes.statusCode ?? 502, stripHopByHop(upRes.headers))

test/sandbox/mitm-leaf.test.ts

@@ -5,7 +5,7 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { X509Certificate } from 'node:crypto'
 import { createSecureContext } from 'node:tls'
-import { createMitmCA } from '../../src/sandbox/mitm-ca.js'
+import { createMitmCA, disposeMitmCA } from '../../src/sandbox/mitm-ca.js'
 import { mintLeafCert, secureContextFor } from '../../src/sandbox/mitm-leaf.js'
 import { whichSync } from '../../src/utils/which.js'
 
@@ -72,22 +72,32 @@ describe('mitm-leaf: mintLeafCert', () => {
   // Chain verification via openssl — the strongest correctness signal.
   // Skipped only if openssl is unavailable.
   const verifyTest = whichSync('openssl') !== null ? test : test.skip
-  verifyTest('leaf verifies against the CA via `openssl verify`', () => {
-    const leaf = mintLeafCert(ca, 'verify.example')
-    const dir = mkdtempSync(join(tmpdir(), 'srt-mitm-leaf-'))
-    try {
-      const leafPath = join(dir, 'leaf.crt')
-      writeFileSync(leafPath, firstPemBlock(leaf.certPem))
-      const out = execFileSync(
-        'openssl',
-        ['verify', '-CAfile', CA_CERT, leafPath],
-        { encoding: 'utf8' },
-      )
-      expect(out.trim()).toMatch(/: OK$/)
-    } finally {
-      rmSync(dir, { recursive: true, force: true })
-    }
-  })
+  verifyTest(
+    'leaf verifies against the CA via `openssl verify` (fixture and ephemeral)',
+    async () => {
+      // Regression: with an ephemeral (forge-generated) CA, node-forge stores
+      // the SKI as a hex string, which the leaf's authorityKeyIdentifier was
+      // copying verbatim → AKI ≠ SKI → chain verification failed.
+      const ephemeral = createMitmCA({})
+      const dir = mkdtempSync(join(tmpdir(), 'srt-mitm-leaf-'))
+      try {
+        for (const c of [ca, ephemeral]) {
+          const leaf = mintLeafCert(c, 'verify.example')
+          const leafPath = join(dir, 'leaf.crt')
+          writeFileSync(leafPath, firstPemBlock(leaf.certPem))
+          const out = execFileSync(
+            'openssl',
+            ['verify', '-CAfile', c.certPath, leafPath],
+            { encoding: 'utf8' },
+          )
+          expect(out.trim()).toMatch(/: OK$/)
+        }
+      } finally {
+        rmSync(dir, { recursive: true, force: true })
+        await disposeMitmCA(ephemeral)
+      }
+    },
+  )
 })
 
 function firstPemBlock(pem: string): string {

test/sandbox/tls-terminate-proxy.test.ts

@@ -5,7 +5,7 @@ import { spawn } from 'node:child_process'
 import { readFileSync } from 'node:fs'
 import { join } from 'node:path'
 import { createHttpProxyServer } from '../../src/sandbox/http-proxy.js'
-import { createMitmCA } from '../../src/sandbox/mitm-ca.js'
+import { createMitmCA, disposeMitmCA } from '../../src/sandbox/mitm-ca.js'
 import { mintLeafCert } from '../../src/sandbox/mitm-leaf.js'
 
 // Committed test-only CA — see test/fixtures/tls-terminate/README.md.
@@ -145,6 +145,67 @@ describe('tls-terminate-proxy: end-to-end through createHttpProxyServer', () =>
   })
 })
 
+// Regression: same end-to-end path with an SRT-generated ephemeral CA
+// (createMitmCA({})). #259 introduced ephemeral CAs; the leaf-minting AKI
+// extension turned out to encode the SKI as a hex string (rather than raw
+// bytes) for forge-created CAs, breaking chain verification — caught only
+// when testing against a non-fixture CA.
+describe('tls-terminate-proxy: end-to-end with ephemeral CA', () => {
+  test('curl trusts the ephemeral-CA-signed leaf and round-trips', async () => {
+    const ca = createMitmCA({})
+    // Upstream uses the FIXTURE CA (same as the other describe) so the
+    // proxy's outbound `ca:` value is identical across the file — Bun's
+    // https.request caches the first `ca:` process-wide. The regression
+    // under test is the client-facing leaf (ephemeral CA → curl), which is
+    // covered by mitmCA below + curl --cacert pointing at the ephemeral CA.
+    const fixtureCA = createMitmCA({ caCertPath: CA_CERT, caKeyPath: CA_KEY })
+    const upCert = mintLeafCert(fixtureCA, '127.0.0.1')
+    const upLeafOnly = upCert.certPem.match(
+      /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----\r?\n?/,
+    )![0]
+    const upstream = createHttpsServer(
+      { cert: upLeafOnly, key: upCert.keyPem },
+      (req, res) => {
+        let body = ''
+        req.on('data', c => (body += c))
+        req.on('end', () => {
+          res.writeHead(200, { 'x-upstream': 'ok' })
+          res.end(JSON.stringify({ echoed: body, path: req.url }))
+        })
+      },
+    )
+    await new Promise<void>(r => upstream.listen(0, '127.0.0.1', r))
+    const upstreamPort = (upstream.address() as AddressInfo).port
+
+    const proxy = createHttpProxyServer({
+      filter: () => true,
+      mitmCA: ca,
+      tlsTerminateUpstreamCA: CA_PEM,
+    })
+    await new Promise<void>(r => proxy.listen(0, '127.0.0.1', () => r()))
+    const proxyPort = (proxy.address() as AddressInfo).port
+
+    try {
+      const r = await curlViaProxy(
+        proxyPort,
+        `https://127.0.0.1:${upstreamPort}/hello?a=1`,
+        { method: 'POST', body: 'from-ephemeral', cacert: ca.certPath },
+      )
+      expect(r.exit).toBe(0)
+      expect(r.status).toBe(200)
+      expect(r.headers['x-upstream']).toBe('ok')
+      const parsed = JSON.parse(r.body)
+      expect(parsed.echoed).toBe('from-ephemeral')
+      expect(parsed.path).toBe('/hello?a=1')
+      expect(r.stderr).toMatch(/issuer:.*sandbox-runtime ephemeral CA/)
+    } finally {
+      await new Promise<void>(r => proxy.close(() => r()))
+      await new Promise<void>(r => upstream.close(() => r()))
+      await disposeMitmCA(ca)
+    }
+  })
+})
+
 type CurlResult = {
   exit: number
   status: number
@@ -156,15 +217,15 @@ type CurlResult = {
 async function curlViaProxy(
   proxyPort: number,
   url: string,
-  opts: { method?: string; body?: string } = {},
+  opts: { method?: string; body?: string; cacert?: string } = {},
 ): Promise<CurlResult> {
   const args = [
     '-sS',
     '-v', // TLS issuer line goes to stderr
     '--proxy',
     `http://127.0.0.1:${proxyPort}`,
     '--cacert',
-    CA_CERT,
+    opts.cacert ?? CA_CERT,
     '--max-time',
     '10',
     '-D',

test/sandbox/update-config.test.ts

@@ -162,6 +162,20 @@ describe('SandboxManager.updateConfig', () => {
     expect(fullConfig).toBeDefined()
     expect(fullConfig?.network.allowedDomains).toEqual([])
   })
+
+  it('preserves filterRequest across updateConfig (structuredClone cannot clone functions)', () => {
+    const filterRequest = async () => ({ action: 'allow' as const })
+    // Must not throw: structuredClone(fn) throws DataCloneError; the
+    // function is pulled out, the rest is cloned, then the reference is
+    // restored.
+    SandboxManager.updateConfig({
+      network: { allowedDomains: [], deniedDomains: [], filterRequest },
+      filesystem: { denyRead: [], allowWrite: [], denyWrite: [] },
+    })
+    expect(SandboxManager.getConfig()?.network.filterRequest).toBe(
+      filterRequest,
+    )
+  })
 })
 
 describe('SandboxManager.updateConfig proxy filtering', () => {