Can databases and raw TCP connections work?

HEAD fdf011e docs: show --share-agent-dir in container sandbox example
This post might have stale content, as HEAD is 4 commits ahead.

can databases / raw TCP connections work with this?

Claude Opus 4.6
commented

Now I have a comprehensive understanding. Here's the answer:


No — Agent Vault does not support databases or raw TCP connections. It is exclusively an HTTP/HTTPS credential proxy.

Here's why, grounded in the source code:

### 1. The proxy only speaks HTTP

The core proxy (internal/mitm/proxy.go) is explicitly scoped to HTTP:

```go
// Package mitm implements a transparent TLS-intercepting HTTP proxy.
// ...
// v1 scope: HTTP/1.1 only (ALPN pinned).
```

The dispatch method only accepts CONNECT (the standard HTTP method for establishing a tunnel through a proxy) and rejects everything else:

```go
func (p *Proxy) dispatch(w http.ResponseWriter, r *http.Request) {
    if r.Method == http.MethodConnect {
        p.handleConnect(w, r)
        return
    }
    http.Error(w, fmt.Sprintf("method %s not supported on transparent proxy", r.Method),
        http.StatusMethodNotAllowed)
}
```

### 2. CONNECT tunnels are terminated as HTTP, not passed through as raw TCP

In internal/mitm/connect.go, after the CONNECT handshake, the proxy terminates TLS and serves HTTP/1.1 on the inner connection — it does not relay raw bytes:

```go
tlsConf := &tls.Config{
    MinVersion: tls.VersionTLS12,
    NextProtos: []string{"http/1.1"},  // ALPN pinned to HTTP/1.1
    ...
}
tlsConn := tls.Server(clientConn, tlsConf)
// ...
srv := &http.Server{
    Handler: p.forwardHandler(target, host, scope),
    ...
}
_ = srv.Serve(listener)
```

The tunnel is an http.Server that parses each inner request, injects credentials at the HTTP header level, and forwards via http.Transport.RoundTrip. There is no raw byte relay.

### 3. Credential injection is HTTP-header based

The broker config (internal/broker/broker.go) supports these auth types:

```go
// "bearer", "basic", "api-key", "custom", "passthrough"
```

All of these inject into HTTP headers (e.g., Authorization: Bearer ..., Authorization: Basic ..., custom header templates). There's no mechanism to inject credentials into a TCP stream, connection string, or wire protocol.

### 4. Host matching, not port/protocol matching

Services are matched by HTTP host (Host header / SNI), not by port or protocol. The forwarding in internal/mitm/forward.go constructs an https:// URL and makes a standard HTTP round-trip.

### What this means for databases

Protocols like PostgreSQL, MySQL, MongoDB, Redis, etc. use their own binary wire protocols over TCP — not HTTP. Agent Vault cannot:

  • Intercept and inject credentials into a Postgres StartupMessage or MySQL handshake
  • Relay raw TCP connections with credential injection
  • Act as a SOCKS proxy or generic TCP tunnel

### Workaround

If your agent needs database access, the skill markdown files (cmd/skill_http.md, cmd/skill_cli.md) do mention storing DB_HOST and DB_PASSWORD as credential keys, but these would only be useful if you have an HTTP-based API layer in front of your database (e.g., a REST API, Hasura, PostgREST, Supabase, etc.) that the agent calls over HTTPS. The proxy could then inject the API token for that HTTP gateway.
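To make the two mechanisms in the answer above concrete, here is a small Go program written for this page (it is not agent-vault's code). `dispatchConnectOnly` mirrors the quoted CONNECT-only dispatch and is driven through `httptest`; `ParsesAsHTTP` runs the same request parser an inner `http.Server` uses over a byte stream, and `PostgresStartupMessage` builds a constructed PostgreSQL v3 StartupMessage as the sample non-HTTP stream. The function names, the target hosts and the user/database values are assumptions made up for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// dispatchConnectOnly mirrors the CONNECT-only dispatch quoted in the thread:
// anything that is not a tunnel request is refused with 405.
// Example code written for this page, not agent-vault's own.
func dispatchConnectOnly(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodConnect {
		// A real proxy would hijack the connection here and start the inner
		// TLS + http.Server; this example only acknowledges the tunnel.
		w.WriteHeader(http.StatusOK)
		return
	}
	http.Error(w, fmt.Sprintf("method %s not supported on transparent proxy", r.Method),
		http.StatusMethodNotAllowed)
}

// StatusForMethod drives dispatchConnectOnly with a recorded request and
// returns the status code the proxy would answer with. CONNECT uses the
// authority form ("host:port"), other methods a full URL.
func StatusForMethod(method, target string) int {
	req := httptest.NewRequest(method, target, nil)
	rec := httptest.NewRecorder()
	dispatchConnectOnly(rec, req)
	return rec.Code
}

// PostgresStartupMessage builds a constructed PostgreSQL v3 StartupMessage:
// int32 length (including itself), int32 protocol version 3.0, then
// NUL-terminated key/value pairs and a terminating NUL. Sample values only.
func PostgresStartupMessage(user, database string) []byte {
	body := binary.BigEndian.AppendUint32(nil, 3<<16) // protocol 3.0
	for _, kv := range [][2]string{{"user", user}, {"database", database}} {
		body = append(body, kv[0]...)
		body = append(body, 0)
		body = append(body, kv[1]...)
		body = append(body, 0)
	}
	body = append(body, 0)
	msg := binary.BigEndian.AppendUint32(nil, uint32(4+len(body)))
	return append(msg, body...)
}

// ParsesAsHTTP feeds a byte stream to the same parser the inner http.Server
// uses and reports whether it yields a request. A database wire protocol has
// no HTTP request line, so the tunnel would reject it rather than relay it;
// there is nowhere for a header-based credential injector to act.
func ParsesAsHTTP(stream []byte) (bool, error) {
	_, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(stream)))
	return err == nil, err
}

func main() {
	fmt.Println("GET     ->", StatusForMethod("GET", "http://api.example/v1"))
	fmt.Println("CONNECT ->", StatusForMethod("CONNECT", "api.example:443"))

	ok, err := ParsesAsHTTP(PostgresStartupMessage("alice", "app"))
	fmt.Println("postgres startup parses as HTTP:", ok, "error:", err)

	ok, _ = ParsesAsHTTP([]byte("GET /v1/items HTTP/1.1\r\nHost: api.example\r\n\r\n"))
	fmt.Println("plain request parses as HTTP:", ok)
}
```

Running it shows the two failure points a database client would hit: a non-CONNECT request is answered 405 before any tunnel exists, and even inside a tunnel the first bytes of a Postgres handshake fail HTTP parsing (a malformed-request error) instead of being forwarded. The ALPN pin to `http/1.1` in the quoted `tls.Config` adds a third barrier one layer lower, before any bytes reach the parser.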

Can databases and raw TCP connections work? — Infisical/agent-vault