{"id":51590570,"url":"https://github.com/bentimor/heimdall","last_synced_at":"2026-07-11T14:02:44.644Z","repository":{"id":343553601,"uuid":"1164733807","full_name":"BenTimor/Heimdall","owner":"BenTimor","description":"The silent guardian of the Bifrost - a transparent proxy that watches over your HTTP traffic and injects secrets so your services never have to know them.","archived":false,"fork":false,"pushed_at":"2026-05-06T12:09:47.000Z","size":837,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-06T14:15:12.566Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BenTimor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-23T12:26:02.000Z","updated_at":"2026-05-06T12:09:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/BenTimor/Heimdall","commit_stats":null,"previous_names":["bentimor/heimdall"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/BenTimor/Heimdall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenTimor%2FHeimdall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenTimor%2FHeimdall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenTimor%2FHeimdall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenTimor%2FHeimdall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BenTimor","download_url":"https://codeload.github.com/BenTimor/Heimdall/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BenTimor%2FHeimdall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35364269,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-11T02:00:05.354Z","response_time":104,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-07-11T14:02:43.909Z","updated_at":"2026-07-11T14:02:44.626Z","avatar_url":"https://github.com/BenTimor.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Heimdall\n\nHeimdall keeps live API secrets off developer machines.\n\nApplications send placeholders such as `__OPENAI_API_KEY__`; Heimdall intercepts approved HTTPS traffic, resolves the real secret on a controlled server, injects it only for allowed domains, and forwards the request upstream.\n\nProject site: [heimdall.co.il](https://heimdall.co.il)\n\n## Why Heimdall\n\n- centralize secret ownership instead of distributing live keys to laptops and CI runners\n- support both explicit `HTTPS_PROXY` routing and transparent HTTPS interception\n- enforce per-secret domain allow-lists to reduce exfiltration risk\n- support environment variables, AWS Secrets Manager, and stored panel-managed secrets\n- provide an optional admin panel, audit logging, and remote developer access through a TLS tunnel\n\n## Components\n\n| Component | Language | Responsibility |\n| --- | --- | --- |\n| [proxy-server/](proxy-server/) | Node.js / TypeScript | Authenticates clients and agents, performs MITM, resolves secrets, injects placeholders, serves the tunnel, and hosts the optional admin panel |\n| [local-agent/](local-agent/) | Rust | Runs on developer machines, exposes a local proxy, optionally intercepts HTTPS transparently, and tunnels matching traffic to the server |\n\n## Quick Start\n\nThe recommended first run is the transparent local-agent flow on a developer workstation:\n\n1. Set up the proxy server and tunnel listener.\n2. Copy the Heimdall CA certificate to the developer machine.\n3. Configure the local agent with `transparent.enabled: true`.\n4. Run `heimdall-local-agent install --ca-cert /path/to/heimdall-ca.crt`.\n5. Start the agent and verify that apps work without setting `HTTPS_PROXY`.\n\nFollow [docs/quickstart.md](docs/quickstart.md) for the full transparent walkthrough.\nIf you are validating on a VPS, CI runner, or a root-owned workload, start with [docs/explicit-proxy.md](docs/explicit-proxy.md) instead.\nFor GitHub-hosted workflows specifically, use [docs/github-actions.md](docs/github-actions.md).\n\n## Local-Agent Downloads\n\nThe Rust local agent is designed to be distributed as downloadable executables so developers do not need Rust installed.\n\n- prefer the repository's [GitHub Releases page](https://github.com/BenTimor/Heimdall/releases) when prebuilt archives are published\n- fall back to building from source only when you need a custom build\n- see [local-agent/README.md](local-agent/README.md) and [docs/local-agent.md](docs/local-agent.md) for install and packaging guidance\n\n## Documentation\n\n- [Documentation Index](docs/README.md)\n- [Quick Start](docs/quickstart.md)\n- [GitHub Actions](docs/github-actions.md)\n- [Explicit Proxy Guide](docs/explicit-proxy.md)\n- [Deployment Guide](docs/deployment.md)\n- [Local Agent Guide](docs/local-agent.md)\n- [Architecture](docs/architecture.md)\n\n## How It Works\n\nHeimdall supports three practical usage modes:\n\n- local-only mode\n  - point `HTTPS_PROXY` straight at the proxy server\n  - useful for smoke tests and single-machine setups\n- explicit proxy mode\n  - point apps at the local agent on `127.0.0.1:19080`\n  - the agent forwards approved traffic through the authenticated tunnel\n- transparent mode\n  - install the local agent with elevated privileges\n  - the agent intercepts outbound HTTPS traffic without per-app proxy configuration\n\nIn all cases, secrets are resolved and injected on the server side, not on the client machine.\n\n## Production Notes\n\n- set `proxy.publicHost` when the proxy is reachable from other machines so minted certificates contain a usable OCSP responder URL\n- generate a dedicated tunnel certificate with `pnpm run generate-tunnel-cert \u003chostname-or-ip\u003e` for remote agents\n- keep `certs/`, `config/`, and `data/` out of version control and back them up appropriately\n- keep the admin panel on localhost unless you have a deliberate access layer in front of it\n- review [BACKLOG.md](BACKLOG.md) for remaining hardening work before a broad production rollout\n\n## Repository Layout\n\n- [proxy-server/](proxy-server/) contains the central HTTPS proxy and admin panel\n- [local-agent/](local-agent/) contains the Rust workstation agent\n- [docs/](docs/) contains deeper setup and operations documentation\n- [AGENTS.md](AGENTS.md) contains the canonical machine-oriented contributor guide\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbentimor%2Fheimdall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbentimor%2Fheimdall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbentimor%2Fheimdall/lists"}