Changelog

New: AWS SSM Parameter Store Secret Source

Secrets can now be resolved directly from AWS Systems Manager Parameter Store. Use source.type: aws_ssm with a parameter name or ARN, and iron-proxy will fetch the value before applying the existing replace or inject secret transform behavior.

SSM sources support optional region, with_decryption, json_key, and ttl fields. with_decryption defaults to true, which is the expected setting for SecureString parameters. json_key extracts a field from JSON parameter values, and ttl enables periodic refresh without restarting the proxy.

transforms:
  - name: secrets
    config:
      secrets:
        - source:
            type: aws_ssm
            name: "/myapp/api-key"
            region: "us-east-1"
            with_decryption: true
            json_key: "api_key"
            ttl: "15m"
          replace:
            proxy_value: "proxy-token-789"
            match_headers: ["Authorization"]
          rules:
            - host: "api.example.com"

New: Inject Mode for Secrets Transform

Secrets can now be injected directly onto matching requests without requiring the client to send a proxy token. In inject mode, the proxy unconditionally sets a header or query parameter on every request that matches the secret's rules. This is useful when sandboxed workloads should never see credentials at all.

A Go template formatter field controls the header value. The template receives .Value (the resolved secret) and a variadic base64 helper that concatenates and base64-encodes its arguments.

transforms:
  - name: secrets
    config:
      secrets:
        - source:
            type: env
            var: OPENAI_API_KEY
          inject:
            header: "Authorization"
            formatter: "Bearer {{ .Value }}"
          rules:
            - host: "api.openai.com"
              methods: ["POST"]
              paths: ["/v1/*"]

Inject mode also supports query parameters (omit formatter):

- source:
    type: env
    var: MAPS_API_KEY
  inject:
    query_param: "key"
  rules:
    - host: "maps.googleapis.com"

The existing replace behavior now lives under an explicit replace: block. Legacy top-level fields (proxy_value, match_headers, etc.) remain supported for backwards compatibility.

New: AWS Secrets Manager Support

Secrets can now be sourced from AWS Secrets Manager in addition to environment variables. Each secret declares its own source, so you can mix env and aws_sm entries in a single pipeline. AWS Secrets Manager entries support configurable TTL with lazy inline refresh.

Breaking change: the secrets transform config format has changed. The global source field has been removed, and each secret now declares its own source and config. Existing configs will need to be updated.

transforms:
  - name: secrets
    config:
      secrets:
        - source: env
          config:
            var: OPENAI_API_KEY
          proxy_value: "pk-proxy-xxx"
          match_headers: ["Authorization"]
          require: true
          rules:
            - host: "api.openai.com"
        - source: aws_sm
          config:
            secret_id: "arn:aws:secretsmanager:us-west-1:673698305641:secret:example-raw-secret-dgDlkC"
            region: "us-east-1"
            ttl: 5m
          proxy_value: "pk-proxy-yyy"
          match_headers: ["x-api-key"]
          rules:
            - host: "api.anthropic.com"

Fix: Wildcard Method Matching in Rules

When a rule's methods are specified as ["*"], it now matches all HTTP methods instead of literally matching the string "*".

rules:
  - host: "api.example.com"
    methods: ["*"]

New: CONNECT/SOCKS5 Tunnel Listener

An optional tunnel_listen address accepts HTTP CONNECT and SOCKS5 tunnel requests. The listener peeks at the first byte to distinguish the two protocols, runs the target through the transform pipeline (so allowlists, secrets, etc. apply), then serves traffic through the normal HTTP handler. TLS connections are MITM'd using the configured CA; plain HTTP is served directly; non-HTTP/TLS protocols are rejected.

proxy:
  tunnel_listen: ":1080"

New: require Flag on Secrets Transform

A new require boolean on each secret entry rejects requests that match the configured host but do not contain the proxy token. This prevents sandboxed workloads from bypassing the secret-swap mechanism with alternative credentials. When the proxy token is not found in any scanned location (headers, query, body), the transform returns a 403 instead of passing the request through. Default is false, preserving existing behavior.

transforms:
  - name: secrets
    config:
      source: env
      secrets:
        - var: OPENAI_API_KEY
          proxy_value: "pk-proxy-xxx"
          match_headers: ["Authorization"]
          require: true
          hosts:
            - name: "api.openai.com"

New: Annotate Transform

A new annotate transform captures HTTP request header values into audit log annotations based on host, method, and path rules. This is useful for enriching audit logs with request-specific context like request IDs.

Each annotation group specifies rules to match and headers to capture. When a request matches, the specified header values are written as header:<Name> entries in the transform trace. Requests that don't match pass through unchanged. This transform never rejects requests.

transforms:
  - name: annotate
    config:
      annotations:
        - rules:
            - host: "api.openai.com"
              methods: ["POST"]
              paths: ["/v1/*"]
          headers: ["x-request-id", "authorization"]
        - rules:
            - host: "*.anthropic.com"
          headers: ["x-api-key"]

Example audit log annotation output:

{
  "header:X-Request-Id": "req-abc123",
  "header:Authorization": "Bearer sk-ant-..."
}