
proxy.proto

Defines the proxy’s interception layer: message capture, policy decision output, and the gRPC service for audit queries.

InterceptedMessage

Normalized JSON-RPC intercept from the proxy layer.
// One JSON-RPC message captured by the proxy, carried both as the original
// bytes (raw_json) and as fields extracted from it.
//
// NOTE(review): raw_json and the extracted fields (method, tool_name,
// arguments_json) describe the same message twice. If policy is evaluated on
// the extracted fields while raw_json is what gets forwarded, both views must
// come from a single parse so they cannot disagree (duplicate keys, encoding
// differences) — confirm against the proxy implementation.
message InterceptedMessage {
  bytes raw_json = 1;            // Original JSON-RPC message
  string method = 2;             // JSON-RPC method
  // NOTE(review): JSON-RPC ids may be strings, numbers or null; how they are
  // rendered into this string is not shown here.
  string message_id = 3;         // Request ID
  string tool_name = 4;          // Extracted tool name
  // NOTE(review): tool arguments can carry credentials or other sensitive
  // values; anything that stores or returns this field needs the same access
  // control as the original traffic — confirm how the audit log handles it.
  bytes arguments_json = 5;      // Tool arguments (JSON)
  // Direction is not defined on this page.
  Direction direction = 6;       // REQUEST or RESPONSE
  // Kind of JSON-RPC message; when never set it decodes as MSG_REQUEST, the
  // zero value of MessageType.
  MessageType type = 7;
}

// Kind of JSON-RPC message that was intercepted.
//
// MSG_REQUEST is the zero value, so a field of this type that was never set
// decodes as MSG_REQUEST. Assuming proto3 implicit presence (the syntax line
// is not shown), consumers cannot tell "unset" from "request".
enum MessageType {
  MSG_REQUEST = 0;
  MSG_RESPONSE = 1;
  MSG_NOTIFICATION = 2;
}

PolicyDecision

Result of policy evaluation against an intercepted message.
// Outcome of evaluating policy against one intercepted message.
message PolicyDecision {
  // The message the decision applies to.
  InterceptedMessage message = 1;
  // Verdict is not defined on this page.
  // NOTE(review): a decision whose verdict was never set decodes as Verdict's
  // zero value; confirm that value is not ALLOW so a missing verdict fails
  // closed.
  Verdict verdict = 2;           // ALLOW, DENY, or PASSTHROUGH
  string matched_server = 3;     // Which server policy matched
  string matched_rule = 4;       // Which tool rule matched
  // NOTE(review): hash algorithm and text encoding are not stated here; they
  // need to be fixed and documented for the value to be comparable across
  // entries.
  string policy_hash = 5;        // Hash of policy config at eval time
}

gRPC Service: QuintProxyService

// Audit-query and status API of the proxy.
//
// NOTE(review): nothing in this schema expresses caller authentication or
// authorization. Access control therefore has to come from the transport or
// from interceptors (for example mutual TLS or a local-only socket) —
// confirm before the service is reachable by other processes.
service QuintProxyService {
  // Returns audit entries that match the request filters.
  rpc QueryAuditLog(QueryAuditLogRequest) returns (QueryAuditLogResponse);
  // Checks signature-chain integrity over the entries sent in the request.
  rpc VerifyAuditLog(VerifyAuditLogRequest) returns (VerifyAuditLogResponse);
  // Reports proxy health and configuration status.
  rpc GetStatus(GetStatusRequest) returns (GetStatusResponse);
}

QueryAuditLog

Query audit entries by server, tool, verdict, and time range.
// Filters for QueryAuditLog. Only a lower time bound (`since`) is defined;
// this message has no upper-bound field.
//
// NOTE(review): presumably an empty string or zero value means "no filter"
// for that field — confirm against the server implementation.
message QueryAuditLogRequest {
  string server_name = 1;       // Filter by server
  string tool_name = 2;         // Filter by tool
  // NOTE(review): assuming proto3 implicit presence, the zero value of
  // Verdict cannot be distinguished from "no verdict filter".
  Verdict verdict = 3;          // Filter by verdict
  // Free-form string: the server has to parse it and reject malformed
  // timestamps itself; the type gives no validation.
  string since = 4;             // ISO-8601 start time
  // Signed, so negative values are representable, and 0 is also the default
  // when the field is not set.
  // NOTE(review): the server should enforce its own upper bound rather than
  // trust this value — confirm a cap exists.
  int32 limit = 5;              // Max entries to return
}

// Result of QueryAuditLog.
//
// There is no page token or truncation flag here, so a caller cannot tell
// from the response alone whether the result set was cut short.
message QueryAuditLogResponse {
  // Matching audit entries. AuditEntry is not defined on this page.
  repeated AuditEntry entries = 1;
}

VerifyAuditLog

Verify signature chain integrity for audit entries.
// Input to VerifyAuditLog: the caller supplies the entries to be checked.
//
// NOTE(review): a successful result can only cover the entries that were
// sent. Whether entries omitted from the start or end of the log are
// detectable depends on how the chain is anchored — confirm, and document
// what "valid" does and does not guarantee.
message VerifyAuditLogRequest {
  // Entries to verify. Presumably order matters for chain checking — confirm.
  repeated AuditEntry entries = 1;
}

// Result of VerifyAuditLog.
message VerifyAuditLogResponse {
  // Overall outcome. The bool default is false, so a response in which this
  // field was never set reads as "not valid".
  bool valid = 1;
  // Problems found during verification.
  // NOTE(review): the relationship between `valid` and an empty `errors` list
  // is not stated here; callers should decide on `valid`, not on the list
  // being empty.
  repeated ChainError errors = 2;
}

// One problem found while verifying a signature chain.
message ChainError {
  // NOTE(review): presumably the position of the failing entry in the
  // request's `entries` list; the index base is not stated — confirm.
  int32 entry_index = 1;
  // Plain string rather than an enum, so nothing in the schema limits the
  // values; consumers should treat any unrecognised value as a failure.
  string error_type = 2;        // "invalid_signature" | "broken_chain"
  // Presumably a human-readable description of the failure.
  string message = 3;
}

GetStatus

Proxy health and configuration status.
// Proxy health and configuration status returned by GetStatus.
//
// NOTE(review): this response exposes a local path, key material metadata and
// the policy configuration; access to GetStatus should be limited to callers
// allowed to see them.
message GetStatusResponse {
  // Presumably the directory holding the proxy's data — confirm.
  string data_dir = 1;
  // NOTE(review): presumably the key used to verify audit-entry signatures;
  // key type and encoding are not stated here.
  bytes public_key = 2;
  // NOTE(review): how the fingerprint is derived is not stated. It arrives in
  // the same response as the key, so it does not authenticate the key by
  // itself; a verifier that pins the key needs a value obtained out of band.
  string fingerprint = 3;
  // Presumably the number of audit entries recorded.
  int64 entry_count = 4;
  // PolicyConfig is not defined on this page.
  PolicyConfig policy = 5;
  // Presumably whether the signing keys were loaded; defaults to false when
  // not set.
  bool keys_loaded = 6;
}
The gRPC service is designed for future daemon mode. Currently the proxy operates via stdio-based interception.