Skip to content

feat: Add SSE stream filtering and dynamic upstream support#2

Merged
emretinaztepe merged 1 commit intomainfrom
feature/streaming-and-dynamic-upstreams
Feb 27, 2026
Merged

feat: Add SSE stream filtering and dynamic upstream support#2
emretinaztepe merged 1 commit intomainfrom
feature/streaming-and-dynamic-upstreams

Conversation

@emretinaztepe
Copy link
Copy Markdown

@emretinaztepe emretinaztepe commented Feb 27, 2026

Add real-time filtering of Server-Sent Event streams and agent-specified dynamic upstreams, enabling Wardgate to proxy streaming LLM APIs (OpenAI, Anthropic, etc.) while maintaining credential isolation and sensitive data filtering.

SSE filtering:

  • Per-chunk scanning of SSE data fields as they stream through
  • Supports redact (inline replacement) and block (stream termination)
  • SSE metadata lines (id, event, retry) and [DONE] sentinels pass through
  • Configurable via sse_mode: filter (default) or passthrough
  • 1MB per-line limit to protect against oversized payloads

Dynamic upstreams:

  • Endpoints can declare allowed_upstreams glob patterns instead of a fixed upstream URL
  • Agents specify the target per-request via X-Wardgate-Upstream header
  • Glob matching with scheme enforcement, case-insensitive hostnames, and path segment boundary checks
  • Header is stripped before forwarding to upstream

Documentation:

  • Added walkthrough for configuring SSE endpoints (OpenAI example)
  • Updated architecture and configuration reference docs

What

Why

Checklist

  • Tests added/updated
  • All tests pass (go test ./...)
  • Code formatted (go fmt ./...)
  • Docs updated (if applicable)
  • I have the right to submit this contribution under the project license.
  • I did not copy code/assets from incompatible or unknown-license sources.
  • I have signed off all commits (git commit -s) per the DCO

DCO Sign-Off

All commits must include a Signed-off-by line (use git commit -s). This certifies that you wrote or have the right to submit the code under the project's AGPL-3.0 license. See the Developer Certificate of Origin for details.

@emretinaztepe
feat: Add SSE stream filtering and dynamic upstream support
7ddf0e7 
Add real-time filtering of Server-Sent Event streams and agent-specified
dynamic upstreams, enabling Wardgate to proxy streaming LLM APIs (OpenAI,
Anthropic, etc.) while maintaining credential isolation and sensitive data
filtering.

SSE filtering:
- Per-chunk scanning of SSE data fields as they stream through
- Supports redact (inline replacement) and block (stream termination)
- SSE metadata lines (id, event, retry) and [DONE] sentinels pass through
- Configurable via sse_mode: filter (default) or passthrough
- 1MB per-line limit to protect against oversized payloads

Dynamic upstreams:
- Endpoints can declare allowed_upstreams glob patterns instead of a
  fixed upstream URL
- Agents specify the target per-request via X-Wardgate-Upstream header
- Glob matching with scheme enforcement, case-insensitive hostnames,
  and path segment boundary checks
- Header is stripped before forwarding to upstream

Documentation:
- Added walkthrough for configuring SSE endpoints (OpenAI example)
- Updated architecture and configuration reference docs

Signed-off-by: Emre Tinaztepe <emre@binalyze.com>
@emretinaztepe emretinaztepe merged commit bf662a0 into main Feb 27, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@emretinaztepe