fix(proxy): allocation-free encode fast paths + typed path/query selector

encodePhantomForPair: a pre-scan via phantomNeedsQueryEscape returns nil
without any allocation when every byte in the phantom is already in the
unreserved-for-query-component set. Skips the byte->string copy that
url.QueryEscape would otherwise produce for the no-op case.

encodePhantomLowerForPair: a pre-scan returns nil without allocating
when no percent-escape in the encoded phantom contains an uppercase A-F
hex digit, so the "nothing to lowercase" case (notably OAuth JWT
phantoms with no upper-hex escapes) is allocation-free.

swapPhantomBytes: the path-vs-query escape choice is now driven by an
explicit pathContext bool parameter instead of comparing the
human-readable location label. Callers in Request and the two test
helpers pass pathContext directly, so the type system enforces the
escape choice and a typo in the location string can no longer silently
flip path encoding to query encoding (or vice versa).

Author: nnemirovsky

internal/proxy/addon.go

@@ -637,20 +637,21 @@ func (a *SluiceAddon) Request(f *mitmproxy.Flow) {
 
 	// Pass 2+3 on body.
 	if len(f.Request.Body) > 0 {
-		f.Request.Body = a.swapPhantomBytes(f.Request.Body, pairs, host, port, "body")
+		f.Request.Body = a.swapPhantomBytes(f.Request.Body, pairs, host, port, "body", false)
 	}
 
 	// Pass 2+3 on URL query.
 	if rawQ := f.Request.URL.RawQuery; bytesContainsAnyPhantomPrefix([]byte(rawQ)) {
 		f.Request.URL.RawQuery = string(
-			a.swapPhantomBytes([]byte(rawQ), pairs, host, port, "URL query"),
+			a.swapPhantomBytes([]byte(rawQ), pairs, host, port, "URL query", false),
 		)
 	}
 
-	// Pass 2+3 on URL path.
+	// Pass 2+3 on URL path. pathContext=true selects path escaping so
+	// secrets containing spaces get %20, not '+'.
 	if rawP := f.Request.URL.Path; bytesContainsAnyPhantomPrefix([]byte(rawP)) {
 		f.Request.URL.Path = string(
-			a.swapPhantomBytes([]byte(rawP), pairs, host, port, "URL path"),
+			a.swapPhantomBytes([]byte(rawP), pairs, host, port, "URL path", true),
 		)
 		f.Request.URL.RawPath = ""
 	}
@@ -1265,14 +1266,17 @@ func bytesContainsAnyPhantomPrefix(data []byte) bool {
 // every body, query, or header scan. The encoded secret is computed on
 // demand once per swap call, only when the encoded phantom actually appears.
 //
-// location chooses between query escaping (body, URL query, header) and
-// path escaping (URL path). The two differ in how spaces are encoded:
-// QueryEscape uses '+', PathEscape uses '%20'. Using QueryEscape for a path
-// substitution would turn a space in the secret into a literal '+' in the
-// URL path, which is interpreted as a plus character by the server, not a
-// space — corrupting the request.
-func (a *SluiceAddon) swapPhantomBytes(data []byte, pairs []phantomPair, host string, port int, location string) []byte {
-	pathContext := location == "URL path"
+// pathContext chooses between query escaping (false; body, URL query,
+// header) and path escaping (true; URL path). The two differ in how
+// spaces are encoded: QueryEscape uses '+', PathEscape uses '%20'. Using
+// query escaping for a path substitution would turn a space in the
+// secret into a literal '+' in the URL path, which the server reads as
+// a plus character, not a space — corrupting the request. The boolean is
+// passed in explicitly so the type system enforces the choice; callers
+// cannot accidentally pick path escaping by typo-ing the location label.
+// location is still passed for the audit log message but never drives
+// behavior.
+func (a *SluiceAddon) swapPhantomBytes(data []byte, pairs []phantomPair, host string, port int, location string, pathContext bool) []byte {
 	for _, p := range pairs {
 		if bytes.Contains(data, p.phantom) {
 			data = bytes.ReplaceAll(data, p.phantom, p.secret.Bytes())

internal/proxy/addon_test.go

@@ -854,7 +854,7 @@ func TestSwapPhantomBytes_PathUsesPathEscape(t *testing.T) {
 	defer releasePhantomPairs(pairs)
 
 	in := []byte("/v1/SLUICE_PHANTOM%3Aapi_key/resource")
-	out := addon.swapPhantomBytes(in, pairs, "api.example.com", 443, "URL path")
+	out := addon.swapPhantomBytes(in, pairs, "api.example.com", 443, "URL path", true)
 	got := string(out)
 
 	if !strings.Contains(got, "real%20secret") {
@@ -892,7 +892,7 @@ func TestSwapPhantomBytes_QueryUsesQueryEscape(t *testing.T) {
 	defer releasePhantomPairs(pairs)
 
 	in := []byte("token=SLUICE_PHANTOM%3Aapi_key")
-	out := addon.swapPhantomBytes(in, pairs, "api.example.com", 443, "URL query")
+	out := addon.swapPhantomBytes(in, pairs, "api.example.com", 443, "URL query", false)
 	got := string(out)
 
 	if !strings.Contains(got, "real+secret") {

internal/proxy/phantom_pairs.go

@@ -1,23 +1,35 @@
 package proxy
 
 import (
-	"bytes"
 	"log"
-	"net/url"
 
 	"github.com/nemirovsky/sluice/internal/vault"
 )
 
 // encodePhantomForPair returns the URL query-escaped form of a phantom
 // token, or nil when QueryEscape would leave the bytes unchanged. The
 // "nil when unchanged" convention lets the hot-path swap skip a redundant
-// bytes.Contains scan for the literal form a second time.
+// bytes.Contains scan for the literal form a second time. A pre-scan
+// returns nil before any allocation when no byte in phantom would be
+// escaped — also avoids the byte->string copy that url.QueryEscape would
+// otherwise produce for the no-op case.
 func encodePhantomForPair(phantom []byte) []byte {
-	encoded := []byte(url.QueryEscape(string(phantom)))
-	if bytes.Equal(encoded, phantom) {
+	if !phantomNeedsQueryEscape(phantom) {
 		return nil
 	}
-	return encoded
+	return queryEscapeBytes(phantom)
+}
+
+// phantomNeedsQueryEscape reports whether any byte in phantom would be
+// rewritten by queryEscapeBytes. Returns true on a space or any byte
+// outside the unreserved-for-query-component set.
+func phantomNeedsQueryEscape(phantom []byte) bool {
+	for _, c := range phantom {
+		if c == ' ' || !shouldNotEscapeQueryComponent(c) {
+			return true
+		}
+	}
+	return false
 }
 
 // encodePhantomLowerForPair returns the lowercase-hex variant of the
@@ -26,16 +38,33 @@ func encodePhantomForPair(phantom []byte) []byte {
 // hex digits A-F). RFC 3986 §2.1 makes percent-encoded hex case-
 // insensitive, so a phantom that arrives encoded as %3a must still match
 // the precomputed phantom whose canonical form is %3A.
+//
+// A pre-scan returns nil before any allocation when no percent-escape
+// sequence contains an uppercase A-F hex digit. The "no allocation when
+// nothing to lower" path matters for OAuth JWT phantoms and any phantom
+// whose only escape is %3A (the encoded colon) — once we've already
+// stored the uppercase variant elsewhere on the pair, there is nothing
+// new to lower for those.
 func encodePhantomLowerForPair(encoded []byte) []byte {
 	if len(encoded) == 0 {
 		return nil
 	}
+	hasUpperHex := false
+	for i := 0; i < len(encoded); i++ {
+		if encoded[i] != '%' || i+2 >= len(encoded) {
+			continue
+		}
+		if isASCIIUpperHex(encoded[i+1]) || isASCIIUpperHex(encoded[i+2]) {
+			hasUpperHex = true
+			break
+		}
+	}
+	if !hasUpperHex {
+		return nil
+	}
 	lower := make([]byte, len(encoded))
 	i := 0
 	for i < len(encoded) {
-		// Lowercase only the two hex digits after a %, leave everything
-		// else untouched so the credential name (which can contain
-		// upper-case letters by policy) isn't corrupted.
 		if encoded[i] == '%' && i+2 < len(encoded) {
 			lower[i] = '%'
 			lower[i+1] = asciiLowerHex(encoded[i+1])
@@ -46,12 +75,13 @@ func encodePhantomLowerForPair(encoded []byte) []byte {
 		lower[i] = encoded[i]
 		i++
 	}
-	if bytes.Equal(lower, encoded) {
-		return nil
-	}
 	return lower
 }
 
+func isASCIIUpperHex(b byte) bool {
+	return b >= 'A' && b <= 'F'
+}
+
 func asciiLowerHex(b byte) byte {
 	if b >= 'A' && b <= 'F' {
 		return b + ('a' - 'A')