Skip to content

feat: harden Rust auth and add encrypted web APIs#88

Draft
AnthonyRonning wants to merge 7 commits into
masterfrom
codex-maple-native-provider-web-tools-opensecret-sdk
Draft

feat: harden Rust auth and add encrypted web APIs#88
AnthonyRonning wants to merge 7 commits into
masterfrom
codex-maple-native-provider-web-tools-opensecret-sdk

Conversation

@AnthonyRonning

@AnthonyRonning AnthonyRonning commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • serialize automatic JWT refresh and protect credential replacement, logout, and concurrent authenticated requests from stale-token races
  • apply the hardened authenticated transport consistently to encrypted JSON and streaming inference calls
  • verify enclave deployment identity against OpenSecret's signed production and development PCR histories fetched from GitHub
  • reject PCR-history redirects and bound remote history retrieval and verification
  • add typed, authenticated, end-to-end encrypted web search and URL extraction APIs to the Rust and TypeScript SDKs
  • cover ordered extraction results, typed partial failures, validation errors, and a live OpenSecret-to-Kagi integration path

Web API surface

Rust:

  • OpenSecretClient::web_search
  • OpenSecretClient::web_extract
  • typed search workflow, lens, filter, result, extraction-page, and partial-error models

TypeScript:

  • webSearch
  • webExtract
  • matching request and response types exported from the package

Both clients call /v1/web/search and /v1/web/extract through the existing authenticated encrypted transport.

Authentication and attestation

Concurrent 401 responses now share one refresh operation. Token updates use credential snapshots so an in-flight refresh cannot overwrite credentials newly supplied by the application or restore credentials after logout.

Production Rust clients enforce an approved PCR0 identity after Nitro verification. The default policy uses signed official OpenSecret production/development histories fetched from GitHub and verified with the SDK's embedded P-384 public key. Loopback development endpoints retain mock-attestation support.

Validation

  • cargo fmt --manifest-path rust/Cargo.toml --all -- --check
  • cargo clippy --manifest-path rust/Cargo.toml --all-targets --all-features -- -D warnings
  • cargo test --manifest-path rust/Cargo.toml --all-features
  • bun run build
  • TypeScript test suite
  • live ignored Rust integration test against local OpenSecret and Kagi for search and extraction
  • git diff --check origin/master...HEAD

Rollout note

The SDK release has not been published yet. Maple temporarily pins this PR's exact commit (b5a144f87b7929d37464f6aff3bd56a432d02f8d) and will switch to the published SDK version in a follow-up.

Companion drafts:

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fb26537d-ea29-4941-96fc-6dbc05f5c373

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex-maple-native-provider-web-tools-opensecret-sdk

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 17, 2026

Copy link
Copy Markdown

Deploying opensecret-sdk with  Cloudflare Pages  Cloudflare Pages

Latest commit: b5a144f
Status: ✅  Deploy successful!
Preview URL: https://dd5c7ebd.opensecret-sdk.pages.dev
Branch Preview URL: https://codex-maple-native-provider.opensecret-sdk.pages.dev

View logs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant