The wire-protocol shim
chukei is a transparent wire-protocol proxy: your driver thinks it is talking to Snowflake, because at the byte level it is. chukei terminates TLS, inspects exactly one request type, and forwards everything else unchanged. No SDK, no client config beyond a hostname, no query rewriting your application can observe.
What gets intercepted vs passed through
The Snowflake driver protocol is a sequence of HTTPS REST calls. chukei
intercepts only POST /queries/v1/query-request — the endpoint that
carries a SQL statement. Every other call is proxied verbatim.
```
Driver <-> chukei <-> Snowflake          (time flows down)

login-request         forwarded verbatim -> session token
┌─ query-request (SQL): the ONE endpoint chukei intercepts ──┐
│  decode -> parse -> fingerprint -> plugin bus              │
│  hit  : return cached result (warehouse never touched)     │
│  miss : forward to Snowflake (maybe rewritten), result     │
└────────────────────────────────────────────────────────────┘
result chunk fetch    forwarded verbatim (driver<->cloud storage)
abort-request         forwarded verbatim
```
Passed through byte-for-byte: login and token renewal, PUT/GET file
transfers, chunk/result negotiation, abort-request, SHOW/DESCRIBE, and
any statement the parser does not recognise. Large (chunked) results are
never buffered by chukei — the driver downloads them directly from
Snowflake's presigned cloud-storage URLs, so the proxy is not in the data path
for big result sets.
Why intercept at the wire, not the SDK
| Layer | Requires client change? | Sees every query? | chukei |
|---|---|---|---|
| Dashboard / advisor | acts on humans | no (after-the-fact) | — |
| SDK / driver wrapper | yes (re-deploy) | only wrapped apps | — |
| Wire protocol | no | yes, all tools | ✅ |
Intercepting at the wire is the only layer that covers BI tools, dbt, notebooks, and ad-hoc SQL without anyone changing a connection string beyond the hostname. That is the property that makes a supervised pilot safe and complete.
Gzip and TLS
Official Snowflake drivers gzip every POST body and expect TLS. chukei decodes the gzip body to read the SQL, runs the plugin bus, and re-encodes on forward. TLS termination and the credential trust boundary are covered in the security model.
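The intercept decision and gzip decode described above, sketched as an added example (not chukei's own code). The `sqlText` JSON field, the lower-cased header keys, the `MAX_BODY` cap and the fingerprint scheme are assumptions made for illustration; the cap is there because a proxy that decompresses request bodies should bound the expanded size before parsing.

```python
import gzip, hashlib, json, zlib

INTERCEPT = ("POST", "/queries/v1/query-request")  # the one endpoint the page names
MAX_BODY = 8 * 1024 * 1024  # assumed cap on decompressed size, not a chukei setting


def bounded_gunzip(raw: bytes, limit: int = MAX_BODY) -> bytes:
    """Decompress a gzip body, refusing to expand past `limit` bytes."""
    d = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip container
    out = d.decompress(raw, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed body exceeds limit")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def fingerprint(sql: str) -> str:
    """Hypothetical fingerprint: trim outer whitespace and a trailing ';', then hash.
    No case folding: it would merge statements that differ only inside string literals."""
    return hashlib.sha256(sql.strip().rstrip(";").rstrip().encode()).hexdigest()


def route(method: str, path: str, headers: dict, body: bytes):
    """Return ("inspect", fingerprint) or ("passthrough", None).
    `headers` is assumed to have lower-cased keys."""
    if (method.upper(), path.split("?", 1)[0]) != INTERCEPT:
        return ("passthrough", None)
    try:
        gz = headers.get("content-encoding", "").lower() == "gzip"
        sql = json.loads(bounded_gunzip(body) if gz else body)["sqlText"]
        if not isinstance(sql, str):
            raise TypeError("sqlText is not a string")
        return ("inspect", fingerprint(sql))
    except (ValueError, KeyError, TypeError, zlib.error):
        # Fail open: the caller forwards the original bytes untouched.
        return ("passthrough", None)


if __name__ == "__main__":
    # Constructed sample request, not captured driver traffic.
    sample = gzip.compress(json.dumps({"sqlText": "SELECT 1;"}).encode())
    print(route("POST", "/queries/v1/query-request?requestId=demo",
                {"content-encoding": "gzip"}, sample))
    print(route("POST", "/queries/v1/abort-request", {}, b"{}"))
```

Anything that fails to decode, exceeds the cap, or lacks a string `sqlText` is returned as `passthrough`, so the original bytes reach Snowflake unchanged.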
Related
- Architecture overview — the end-to-end hot path
- Fail-open design — what happens when parsing fails
- Is a proxy in front of Snowflake safe? — the objections, answered with numbers
Measure it on your own workload. Point one team's driver at chukei and run
the replay simulator on your
QUERY_HISTORY to see cacheable volume before changing anything.