Why we call it a splice
Every TLS connection through the agent is a "splice." It's the third name we tried. Before "splice" it was "bridge," and before that "split" — and the git history still remembers the moment we switched, along with the fossils of the names we threw away. Naming it took three tries because the thing is genuinely unusual, and the first two words each told a small lie about it.
The thing that needed a name
When the agent sits in a TLS path it does something most network gear doesn't. It isn't a proxy relaying bytes, and it isn't a transparent forwarder. It runs two independent TLS handshakes — one with the client, one with the upstream — and joins them into a single logical flow, transforming the crypto in between (upgrading a classical client onto a post-quantum handshake with the server, say). Each side sees a complete, valid handshake. The mechanics are their own story; this one is about what to call it.
split — the first name, wrong in two ways
The earliest whiteboard name, and it never made it into a commit. It points the wrong direction: you're joining two connections into one, not cutting one into two. And the word was already busy elsewhere — at the packet level we genuinely do split things, because a post-quantum ClientHello gets split across TCP segments, and there's a whole test suite for that path. Reusing "split" for the session would have collided with a real, separate concept. It washed out fast.
bridge — closer, but too passive
The second name, and the first one git actually records: it shows up in the commit that wired up the network layer. "Bridge" gets the direction right — a bridge joins two sides. But it's too passive. A network bridge forwards frames unchanged; bridging implies the thing in the middle is transparent, doing nothing to what crosses it. Ours is the opposite: its entire reason to exist is to change the crypto in the middle. "Bridge" quietly undersold the most important part.
splice — the third name, and why it stuck
Soon after, the session class was named Splice_session and the word went on the landing page. Splice comes from rope and cable work: you join two lines by unlaying their strands and interweaving them, so the join carries the full load — as strong as the rope itself, with no bulky knot. That is exactly the property we needed a word for: not a relay bolted into the middle (a knot), but a join where each side remains a structurally complete, full-strength TLS connection. And a splice doesn't only join — you splice in new material. A film splice cuts in a new frame; a gene splice inserts new code. That is the transformation "bridge" was missing. Join, seamless, full-strength, and transform — in one syllable.
The fossils
The rejected names didn't fully die. The tree is sediment, and you can still dig them up — the discarded names still live in the code, each doing its real job. "Bridge" survives as "AEAD bridge" for the cross-version case — the one place the forward-with-a-small-change metaphor actually fits. And "split" got the job it was always right for: splitting the ClientHello across segments. Each word found its correct meaning in the end. "Splice" just had to claim the session name first.
Naming is part of understanding a thing — you don't have the right word until you know what's essential about it, and the wrong words are wrong in instructive ways. "Splice" won because it's the only one that says join, seamless, full-strength, and transform at once. Why that transform matters is the post-quantum migration; and it's what we do for a living.
← All posts