CLI tool to manage proxy shadow keys
Project description
Proxy Shadow Keys
A CLI tool and local proxy service designed to intercept network requests and transparently replace "shadow keys" (e.g., shadow_my_api_key) with your real, secret keys stored securely in the macOS Keychain.
This tool allows developers to use placeholder keys in their application code or environment files, preventing accidental exposure or commits of sensitive API keys to version control.
Intentions
- Security Details: Never hardcode real API keys in your
.envfiles, scripts, or repositories. - Convenience: Use consistent placeholder keys (like
shadow_stripe_secret) across your projects and let the proxy handle inserting the real sensitive values behind the scenes. - Fallbacks: If a shadow key isn't found in your secure vault, the proxy sends the original placeholder unchanged, preventing unexpected crashes and making debugging easy.
Project Structure
proxy-shadow-keys/
├── src/
│ └── proxy_shadow_keys/
│ ├── cli.py # Click-based CLI commands (set, rm, start, stop, install-cert)
│ ├── interceptor.py # mitmproxy addon that intercepts and replaces shadow keys
│ └── system_proxy.py # Cross-platform utility to toggle system proxy settings (Windows, macOS, Linux)
├── tests/
│ ├── features/ # Behavior-Driven Development (BDD) feature specifications
│ └── step_defs/ # pytest-bdd step definitions
└── pyproject.toml # Project configuration and dependencies
How It Works
- Store Keys: Use the CLI to store a real key mapping in your system's keyring (macOS Keychain, Windows Credential Locker, or Linux Secret Service).
- Start Proxy: The CLI starts a local
mitmproxyinstance in the background and configures your OS system proxy (macOSnetworksetup, Windows Registry, or Linuxgsettings) to route traffic through it. - Intercept & Replace: As your system makes HTTP/HTTPS requests, the mitmproxy addon parses request headers, JSON bodies, and URL query parameters. When it detects a string starting with
shadow_, it queries the local keyring to swap the placeholder with the real API key before forwarding the request to its destination.
Requirements
- macOS, Windows, or Linux (GNOME)
- Python 3.9+
mitmproxyinstalled and available
Installation
The recommended way to install and run the CLI globally in an isolated environment is using pipx or uv:
# Using uv (fastest)
uv tool install proxy-shadow-keys
# Or using pipx
pipx install proxy-shadow-keys
Standard Installation
You can install proxy-shadow-keys via pip:
pip install proxy-shadow-keys
Recommended: Using pipx
For CLI tools, it's recommended to use pipx to keep dependencies isolated:
pipx install proxy-shadow-keys
One-liner (curl)
If you have pip installed, you can use this one-liner to download and install the latest version directly:
curl -sSL https://raw.githubusercontent.com/Tavernari/proxy-shadow-keys/main/scripts/install.sh | bash
Development or Source Installation
If you want to contribute or use the latest unreleased changes:
# Clone the repository
git clone git@github.com:Tavernari/proxy-shadow-keys.git
cd proxy-shadow-keys
# Install in editable mode
pip install -e .
GitHub Package Registry
You can also install the package directly from the GitHub Container/Package Registry:
pip install git+https://github.com/Tavernari/proxy-shadow-keys.git
Usage
1. Certificate Installation
For the proxy to inspect encrypted HTTPS traffic, you must first install and trust the mitmproxy CA certificate. Run this command once (requires sudo privileges):
proxy-shadow-keys install-cert
2. Managing Shadow Keys
Map a placeholder shadow_ key to your real API key (stored securely via keyring):
proxy-shadow-keys set shadow_openai_key sk-proj-123456789...
To remove a mapped key:
proxy-shadow-keys rm shadow_openai_key
3. Proxy Lifecycle
Start the proxy. This will launch mitmproxy in the background and configure your local network settings to use the local proxy:
proxy-shadow-keys start
(Default port is 8080. You can optionally pass --port 8081)
When you're done, stop the proxy to restore your standard network settings:
proxy-shadow-keys stop
Testing
The project uses a BDD approach with pytest and pytest-bdd. All functionality is strictly defined in feature files before implementation.
# Install development dependencies
pip install -e ".[dev]"
# Run all tests
pytest
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file proxy_shadow_keys-0.1.4.tar.gz.
File metadata
- Download URL: proxy_shadow_keys-0.1.4.tar.gz
- Upload date:
- Size: 12.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ac7f81959c3dceb051b31cebde99643f47b0adf46c5c36e8dc2cef57dc24f101
|
|
| MD5 |
7680a3499ed136ab597bd2bc131878ea
|
|
| BLAKE2b-256 |
8799b5afb9b413b35611e57f65c2d71a303f4d29cdb34cdd921b0968e69d67bc
|
Provenance
The following attestation bundles were made for proxy_shadow_keys-0.1.4.tar.gz:
Publisher:
release.yml on Tavernari/proxy-shadow-keys
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
proxy_shadow_keys-0.1.4.tar.gz -
Subject digest:
ac7f81959c3dceb051b31cebde99643f47b0adf46c5c36e8dc2cef57dc24f101 - Sigstore transparency entry: 975149404
- Sigstore integration time:
-
Permalink:
Tavernari/proxy-shadow-keys@2905c8e6ecee6358e84277b1630ed13fca49c7b1 -
Branch / Tag:
refs/tags/v0.1.4 - Owner: https://github.com/Tavernari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@2905c8e6ecee6358e84277b1630ed13fca49c7b1 -
Trigger Event:
push
-
Statement type:
File details
Details for the file proxy_shadow_keys-0.1.4-py3-none-any.whl.
File metadata
- Download URL: proxy_shadow_keys-0.1.4-py3-none-any.whl
- Upload date:
- Size: 9.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
58eef5018e5b38b0f926dbbdc7d245af54aec2db21ffb764304059185292ac20
|
|
| MD5 |
eb11f4103de4441a85ef21bd914c3f63
|
|
| BLAKE2b-256 |
7825b855c2ee8376ce9feabee004597cdc9195a6ac1d5b6696c4a5480dad0dd8
|
Provenance
The following attestation bundles were made for proxy_shadow_keys-0.1.4-py3-none-any.whl:
Publisher:
release.yml on Tavernari/proxy-shadow-keys
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
proxy_shadow_keys-0.1.4-py3-none-any.whl -
Subject digest:
58eef5018e5b38b0f926dbbdc7d245af54aec2db21ffb764304059185292ac20 - Sigstore transparency entry: 975149405
- Sigstore integration time:
-
Permalink:
Tavernari/proxy-shadow-keys@2905c8e6ecee6358e84277b1630ed13fca49c7b1 -
Branch / Tag:
refs/tags/v0.1.4 - Owner: https://github.com/Tavernari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@2905c8e6ecee6358e84277b1630ed13fca49c7b1 -
Trigger Event:
push
-
Statement type:
