Zero-config HTTPS MITM: --http-inject-ca and --http-ca-out

[congwang-mk]

Summary

Makes sandlock's HTTP-level ACL work over HTTPS, end to end. Two parts:

1. Zero-config CA + trust injection

• --http-inject-ca <path> (repeatable): splices the active MITM CA's public cert into each named trust bundle at openat time via a built-in seccomp handler (reuses the existing /etc/hosts memfd-injection mechanism). Without --http-ca, it also generates an ephemeral CA (private key in memory only, never on disk).
• --http-ca-out <path>: writes the active CA's public cert (never the key) for runtimes with a compiled-in CA store (Node via NODE_EXTRA_CA_CERTS).
• Full surface parity: CLI, TOML profile [config], FFI (header regenerated), Python SDK.

2. Transparent HTTPS MITM proxy (replaces hudsucker)

hudsucker only performs TLS MITM after an explicit CONNECT, but sandlock intercepts connections transparently (seccomp connect-redirect), so HTTPS never actually worked. This replaces hudsucker with a transparent proxy sandlock owns:

• One listener; each redirected connection is classified by a non-destructive first-byte peek (0x16 = TLS).
• TLS connections are MITM-terminated with a per-SNI leaf cert minted from the active CA (rcgen), then the decrypted request runs through the existing ACL.
• Plaintext and TLS-decrypted requests share one request path (host verification, http_acl_check, 403 on deny); allowed requests are forwarded upstream (rustls client validating the host's real system roots for HTTPS, plaintext for HTTP).
• hudsucker dependency removed.

Verification

• Rust: 328 lib + 222 integration tests pass; clean build, 0 warnings.
• Hermetic integration test: a client trusting the generated CA completes a TLS handshake against the proxy's minted leaf, and a disallowed request returns 403 (no network needed).
• Live end-to-end (manual): curl https://api.openai.com/v1/models through the sandbox with --http-allow "GET api.openai.com/v1/models" --http-inject-ca /etc/ssl/certs/ca-certificates.crt returns HTTP 401 (reached the real API through MITM, trusting the injected CA); a disallowed POST .../chat/completions returns Blocked by sandlock HTTP ACL policy / HTTP 403.

Notes for reviewers

• Single tier: HTTPS is always MITM (443 is only intercepted when a CA is configured); no SNI-passthrough tier.
• The CA and minted leaf carry distinct subject CNs so the leaf is not mistaken for self-signed by clients.
• Upstream is validated against the host's real roots, never the injected CA.

🤖 Generated with Claude Code