
Conversation


@victorvhs017 victorvhs017 commented Nov 14, 2025

Description 📣

We are introducing the new proxy command to the CLI.

You can use it like this:

go run main.go proxy start \
  --domain=http://localhost:8080 \
  --listen-address=localhost:8081 \
  --eviction-strategy=optimistic \
  --access-token-check-interval=30s \
  --static-secrets-refresh-interval=30s \
  --tls-enabled=true \
  --tls-cert-file="./cert.pem" \
  --tls-key-file="key.pem" \
  --log-level debug

Here's a quick demonstration:

Screenshare.-.2025-11-14.11_16_51.AM.mp4

More in-depth documentation can be found here: https://www.notion.so/infisical/Infisical-Proxy-2a9564692229808db6bdd30b73ed041a

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

If you're running the CLI locally, you can use the debug command to get a snapshot of your in-memory cache:

go run main.go proxy debug --listen-address=localhost:8081

Also, run the proxy start command with the --log-level=debug flag for better observability in the tests.

Tests:

  • Try an invalid domain
    • Should allow the start but the proxy will fail
  • Test all secrets and endpoints V3 and v4
    • The get endpoints should cache and the others should be only proxied
    • Test with different values for expand secret reference, recursive and include_imports params
  • To try the resync you can set the access-token-check-interval to 1s and the static-secrets-refresh-interval to 1s
    • Do some List and Retrieve secret requests
      • Update the secret value
        • Update the secret value through the UI: After the next static secrets refresh, the value in the cache should have updated.
        • Update the secret value through the proxy: The cached entries matching the updated secret will be purged from the cache (list responses containing the mutated secret, or single secret cache entries).
      • Delete the secret
        • Delete the secret through the UI: After the next static secret refresh interval, the cache entry should be refreshed.
        • Delete the secret through the proxy: If cached, the entry is immediately purged from the cache
      • Remove the access token
        • After the next access token check interval, all entries related to that token should be evicted
      • Remove the identity from the project
        • After the next access token check interval, all entries related to that token and project should be evicted
      • Remove the identity permission to access the secret or path
        • After the next access token check interval, all entries related to that token and secret or path should be evicted
      • Stop the local infisical instance
        • After the next static secrets refresh interval or access token check interval the cache shouldn't change.
  • Stop the proxy server and start it again
    • The cache will be empty, as everything is in memory
  • Do some lists and gets
    • Do an update, batch update, delete or batch delete on the same path (through the proxy)
      • The requests with secrets on that path will be purged across all tokens
  • In your local environment, set the rate limit of the app to work in development and lower the limit to something like 5 requests
    • Start your proxy with access-token-check-interval=1s and the static-secrets-refresh-interval=1s
    • Cache 10 different requests
    • Check the logs and the debug statements to see the proxy handling the rate limit
      • Even when the rate limit is reached, all cachedAt values will rise steadily, meaning that the entries are being updated
    • Works for SSE requests too, like api/v1/events/subscribe/project-events

Testing rate-limiting:

Remove this if statement in the backend/src/server/app.ts file:

(screenshot of the if statement in backend/src/server/app.ts)
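As an added example (not code from this PR or the Infisical CLI), the two invalidation rules the test plan above asks testers to verify, eviction of everything a revoked token populated and purging of a secret path across all tokens after a proxied update or delete, written as a small Go cache with a per-token and a per-path index. The type and method names, the choice of a SHA-256 token hash as index key, and the sample tokens, paths and bodies are all assumptions made here:

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
	"sync"
)

// Illustrative cache (not the CLI's cache.go): GET bodies keyed by (token hash,
// secret path) plus two secondary indexes, so both invalidation rules from the
// test plan are cheap: a revoked token loses everything it populated, and a
// mutation on a path purges that path for ALL tokens. Names are chosen here.
type Cache struct {
	mu      sync.Mutex
	entries map[string][]byte              // key -> cached GET body
	byToken map[string]map[string]struct{} // token hash -> keys
	byPath  map[string]map[string]struct{} // secret path -> keys
}

func NewCache() *Cache {
	return &Cache{
		entries: map[string][]byte{},
		byToken: map[string]map[string]struct{}{},
		byPath:  map[string]map[string]struct{}{},
	}
}

// hashToken keeps raw bearer tokens out of index keys and debug dumps.
func hashToken(token string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(token))) }

// Keys are "<tokenHash>\x00<path>" so deletion can recover both index fields.
func cacheKey(tokenHash, path string) string { return tokenHash + "\x00" + path }

func addToIndex(idx map[string]map[string]struct{}, field, key string) {
	if idx[field] == nil {
		idx[field] = map[string]struct{}{}
	}
	idx[field][key] = struct{}{}
}

// Put stores a cacheable (GET) response; mutating requests are never stored.
func (c *Cache) Put(token, path string, body []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	th := hashToken(token)
	k := cacheKey(th, path)
	c.entries[k] = append([]byte(nil), body...)
	addToIndex(c.byToken, th, k)
	addToIndex(c.byPath, path, k)
}

// Get returns a copy of the cached body for this token and path, if any.
func (c *Cache) Get(token, path string) ([]byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	body, ok := c.entries[cacheKey(hashToken(token), path)]
	return append([]byte(nil), body...), ok
}

// deleteSetLocked drops every key in one index bucket plus its references in the other index; caller holds mu.
func (c *Cache) deleteSetLocked(set map[string]struct{}) int {
	n := 0
	for k := range set { // deleting map entries while ranging is safe in Go
		parts := strings.SplitN(k, "\x00", 2)
		delete(c.entries, k)
		delete(c.byToken[parts[0]], k)
		delete(c.byPath[parts[1]], k)
		n++
	}
	return n
}

// EvictAllEntriesForToken is what the access-token check does once a token
// turns out to be revoked; it returns the number of entries removed.
func (c *Cache) EvictAllEntriesForToken(token string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.deleteSetLocked(c.byToken[hashToken(token)])
}

// PurgeByPath is what a proxied update/delete on a secret path triggers: every
// cached list or single-secret entry on that path goes, for every token.
func (c *Cache) PurgeByPath(path string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.deleteSetLocked(c.byPath[path])
}

func main() {
	c := NewCache() // constructed sample tokens, paths and bodies
	c.Put("token-A", "/app", []byte(`{"secrets":["DB_URL"]}`))
	c.Put("token-B", "/app", []byte(`{"secrets":["DB_URL"]}`))
	c.Put("token-A", "/db", []byte(`{"secrets":["DB_PASS"]}`))
	fmt.Println("purged after a PATCH on /app:", c.PurgeByPath("/app"))
	fmt.Println("evicted for revoked token-A:", c.EvictAllEntriesForToken("token-A"))
	_, stillCached := c.Get("token-A", "/db")
	fmt.Println("token-A /db still cached:", stillCached)
}
```

Only GET responses go through Put; a proxied update, batch update, delete or batch delete is forwarded and then followed by PurgeByPath with the secret path taken from that request, which is what makes the "purged across all tokens" expectation in the test plan hold without scanning the whole cache. Hashing the token before it becomes an index key means a debug dump of the indexes never shows a raw bearer token.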

Victor Santos added 3 commits November 12, 2025 21:19
- Added `proxy.go` to handle proxy server commands, including starting the server and printing cache debug information.
- Introduced a caching mechanism in `cache.go` to store and manage HTTP responses, supporting token-based cache invalidation.
- Implemented resync logic to refresh cached entries based on expiration.
- Added command-line flags for configuring the proxy server's domain, listen address, resync interval, and cache TTL.
- Included a debug endpoint for development mode to retrieve cache information.
- Removed the `startResyncLoop` function from `proxy.go` and moved it to a new `resync.go` file for better organization.
- Enhanced the caching system in `cache.go` to include a compound path index for improved cache entry management and eviction after mutation calls.
- Introduced a new method to handle resync responses, including rate limit handling and entry eviction based on HTTP status codes.
- Updated the proxy server to utilize a streaming client for long-lived connections and improved logging for cache hits and misses.
- Added functionality to purge cache entries based on mutation paths across all tokens.
- Updated the `compoundPathIndex` comment in `cache.go` to clarify its purpose for purging after mutation calls.
- Changed the locking mechanism in `GetFirstRequestForToken` to use a write lock for thread safety.
- Enhanced the `EvictAllEntriesForToken` and `RemoveTokenFromIndex` methods to delete entries from the `compoundPathIndex` when a token is evicted.
- Improved response handling in `handleResyncResponse` by ensuring the response body is closed properly in all cases to prevent resource leaks.

greptile-apps bot commented Nov 14, 2025

Greptile Summary

Introduced a new infisical proxy command that acts as a caching reverse proxy for Infisical API requests. The proxy caches secret responses to improve performance and availability, with background processes for token validation and cache refresh.

Key Changes:

  • Added proxy server with TLS support (enabled by default per custom rule 689000c1-34b4-4513-9aa0-ca4f3ea8c923)
  • Implemented encrypted in-memory cache with BadgerDB backend
  • Background loops for access token validation and static secrets refresh
  • Mutation-based cache purging (PATCH/DELETE operations invalidate related cache entries across all tokens)
  • Rate limiting handling with exponential backoff
  • SSE/streaming endpoint support
  • Moved ParseTimeDurationString from agent.go to helper.go with improved validation

Implementation Quality:
The code is well-structured with proper separation of concerns, comprehensive error handling, and thoughtful cache invalidation strategies. Go's standard regexp package (which uses RE2) is used correctly, addressing the security concern from custom rule Rule 1. The proxy is designed for internal deployment, which addresses previously flagged SSRF concerns that were deemed acceptable by the senior developer.

Confidence Score: 5/5

  • Safe to merge - well-architected feature with proper error handling and security considerations
  • The implementation is production-ready with comprehensive error handling, proper use of concurrency primitives (mutex locks), graceful shutdown handling, and appropriate security measures (encrypted cache storage, token masking in logs). Previous security concerns from earlier review threads were addressed and deemed acceptable for internal deployment. The code follows Go best practices and includes thoughtful features like rate limit handling and optimistic caching strategy.
  • No files require special attention - all implementations are solid and production-ready

Important Files Changed

Filename | Overview
packages/cmd/proxy.go | Added new proxy server command with caching, TLS support, and background refresh loops; implementation looks solid with proper error handling
packages/proxy/cache.go | Implemented encrypted cache storage with token and path indexing for efficient lookups and mutation-based purging
packages/proxy/resync.go | Background loops for token validation and secret refresh with rate limit handling and optimistic eviction strategy
packages/util/helper.go | Moved ParseTimeDurationString from agent.go and added zero validation check
packages/util/cache/cache-storage.go | Added prefix-based operations (GetKeysByPrefix, DeleteByPrefix, Exists) for efficient cache management
packages/util/agent.go | File deleted; ParseTimeDurationString moved to helper.go
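The Greptile summary above mentions rate-limit handling with exponential backoff and token masking in logs, and the PR's test plan says what each upstream condition should do to the cache (a revoked token evicts everything for that token, lost permission evicts the affected entries, a stopped upstream leaves the cache untouched). As an added example, not code from this PR or the Infisical CLI, here is one way to express that in a resync loop: the status-to-action mapping, the names ResyncAction, ClassifyResync, BackoffDelay, RetryAfter and MaskToken, and the sample token and statuses are all assumptions made here:

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// Illustrative resync handling (not the CLI's resync.go): each background
// re-fetch of a cached entry yields an upstream status, which is mapped to a
// cache action. The mapping follows what the PR's test plan expects to
// observe; all identifiers below are names chosen for this example.
type ResyncAction int

const (
	KeepEntry   ResyncAction = iota // upstream down or unexpected status: the cache must not change
	UpdateEntry                     // 200: replace the cached body with the fresh one
	EvictEntry                      // 403: the identity lost access to this secret or path
	EvictToken                      // 401: the token itself is gone, drop everything it populated
	BackOff                         // 429: rate limited, keep the entry and retry later
)

func (a ResyncAction) String() string {
	return []string{"keep", "update", "evict-entry", "evict-token", "back-off"}[a]
}

func ClassifyResync(status int) ResyncAction {
	switch status {
	case http.StatusOK:
		return UpdateEntry
	case http.StatusUnauthorized:
		return EvictToken
	case http.StatusForbidden:
		return EvictEntry
	case http.StatusTooManyRequests:
		return BackOff
	default:
		return KeepEntry
	}
}

// BackoffDelay is base*2^attempt capped at maxDelay; attempt is clamped so the
// shift cannot overflow, and an overflowed (non-positive) result also collapses to maxDelay.
func BackoffDelay(base time.Duration, attempt int, maxDelay time.Duration) time.Duration {
	if attempt < 0 {
		attempt = 0
	}
	if attempt > 30 {
		attempt = 30
	}
	d := base << uint(attempt)
	if d <= 0 || d > maxDelay {
		return maxDelay
	}
	return d
}

// RetryAfter honours a Retry-After header given in seconds; otherwise the
// caller's fallback (normally the computed backoff) is used.
func RetryAfter(h http.Header, fallback time.Duration) time.Duration {
	if secs, err := strconv.Atoi(h.Get("Retry-After")); err == nil && secs > 0 {
		return time.Duration(secs) * time.Second
	}
	return fallback
}

// MaskToken renders a token for log lines: never the full value, only its
// length and last four characters so one line can still be correlated.
func MaskToken(token string) string {
	if len(token) <= 8 {
		return "****"
	}
	return fmt.Sprintf("****%s(len=%d)", token[len(token)-4:], len(token))
}

func main() {
	// Constructed sample: statuses one resync pass might see for four entries.
	token := "st.constructed-sample-token-0001"
	attempt := 0
	for _, status := range []int{200, 429, 401, 503} {
		action := ClassifyResync(status)
		fmt.Printf("token=%s status=%d action=%s\n", MaskToken(token), status, action)
		if action == BackOff {
			attempt++
			hdr := http.Header{}
			hdr.Set("Retry-After", "5")
			fmt.Println("  retry in", RetryAfter(hdr, BackoffDelay(time.Second, attempt, 30*time.Second)))
		}
	}
}
```

The default branch is the availability-first choice the test plan describes for a stopped Infisical instance: a 5xx or a transport error leaves the stale entry in place rather than dropping it, while only an explicit 401 or 403 from upstream removes data. Keeping the 429 case as a distinct action lets the loop slow down without evicting anything, which is why the cachedAt values keep rising in the rate-limit test.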


@greptile-apps greptile-apps bot left a comment


3 files reviewed, 6 comments


…y server

- Enhanced the `startProxyServer` function in `proxy.go` to log errors when parsing mutation request bodies fails, ensuring better visibility into potential cache issues.
@victorvhs017 victorvhs017 requested review from sheensantoscapadngan and varonix0 and removed request for sheensantoscapadngan November 14, 2025 14:28
@varonix0
Member

@greptile re-review this PR with the responses to your previous comments in mind. Also update the summary and score you posted earlier

@varonix0 varonix0 self-assigned this Jan 14, 2026

@greptile-apps greptile-apps bot left a comment


6 files reviewed, 5 comments


@varonix0
Member

@greptile re-review with the latest changes and comments in mind. update summary when done


@greptile-apps greptile-apps bot left a comment


6 files reviewed, 4 comments


@varonix0
Member

@greptile, once again, re-review the pr and update your summary with my previous comments in mind

@varonix0 varonix0 changed the title Feature: infisical proxy feat: infisical proxy Jan 14, 2026
@varonix0 varonix0 requested a review from fangpenlin January 14, 2026 04:01

@fangpenlin fangpenlin left a comment


Halfway through the testing. I think the code looks mostly fine. Had a few suggestions. Found a bug though, already DM'd you in Slack. Will continue testing tomorrow.


@fangpenlin fangpenlin left a comment


lgtm

@varonix0 varonix0 merged commit f46adeb into main Jan 15, 2026
3 checks passed