{"id":50383438,"url":"https://github.com/clay-good/proxilion","last_synced_at":"2026-05-30T13:30:22.673Z","repository":{"id":357195613,"uuid":"1235703464","full_name":"clay-good/proxilion","owner":"clay-good","description":"Proxilion is the security layer for the agentic workforce. It turns managed AI agents into governed users by enforcing strict cryptographic boundaries on every API call to SaaS like Google Workspace, Salesforce, or Atlassian.","archived":false,"fork":false,"pushed_at":"2026-05-26T13:22:02.000Z","size":2577,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-26T14:37:35.699Z","etag":null,"topics":["agentic-ai","ai-governance","ai-security","audit-logging","claude-security","confused-deputy","cryptography","cybersecurity","data-loss-prevention","human-in-the-loop","llm-security","managed-agents","oauth-proxy","openai-security","pic-protocol","prompt-injection-defense","reverse-proxy","saas-security","self-hosted","zero-trust"],"latest_commit_sha":null,"homepage":"https://proxilion.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/clay-good.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-11T15:16:52.000Z","updated_at":"2026-05-26T13:26:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/clay-good/proxilion","commit_stats":null,"previous_names":["clay-good/proxilion"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/clay-good/proxilion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clay-good%2Fproxilion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clay-good%2Fproxilion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clay-good%2Fproxilion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clay-good%2Fproxilion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/clay-good","download_url":"https://codeload.github.com/clay-good/proxilion/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clay-good%2Fproxilion/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33694714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agentic-ai","ai-governance","ai-security","audit-logging","claude-security","confused-deputy","cryptography","cybersecurity","data-loss-prevention","human-in-the-loop","llm-security","managed-agents","oauth-proxy","openai-security","pic-protocol","prompt-injection-defense","reverse-proxy","saas-security","self-hosted","zero-trust"],"created_at":"2026-05-30T13:30:19.585Z","updated_at":"2026-05-30T13:30:22.663Z","avatar_url":"https://github.com/clay-good.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Proxilion\n\n\u003e Confused-deputy defense for managed AI agents.\n\nManaged AI agents (Anthropic's hosted Claude, OpenAI's Workspace Agents,\nGoogle's Vertex agents, plus the growing field of OSS Claude-likes) act on\nbehalf of your users. When they call your SaaS APIs (Google Drive, Gmail,\nCalendar, Salesforce, …), the OAuth token doesn't carry *which user* the\nagent is acting for. The agent can act beyond that user's authority, and\nnothing in the stack stops it.\n\nProxilion is a **self-hosted, MIT-licensed** reverse proxy (and pre-flight\nadvisor, and audit ingester) that binds every action the agent takes to a\ncryptographic `PCA` chain rooted at the *human user* the agent is acting for.\nThe Trust Plane refuses to issue authority the user doesn't have. Every\naction is audit-logged in a way that's both human-legible and\ncryptographically verifiable.\n\n**Free. MIT. Self-hosted. No telemetry. No paid product. No SaaS path.**\n\n## What Proxilion actually does\n\nCryptographic capability chains alone don't stop a managed agent from acting\non the wrong data. Proxilion is the deployable enforcement layer that turns\nthe math into something a security team can install. The pieces that are\noriginal Proxilion work:\n\n- **OAuth interception.** Proxilion sits in the OAuth flow between the agent\n  platform and your SaaS providers, swaps in a Proxilion-issued bearer token,\n  and stays in path for every subsequent request.\n- **Read-filtering for prompt injection.** Response bodies from Drive, Gmail,\n  and other upstreams are scanned for known injection patterns (delimiter\n  confusion, hidden Unicode, base64-encoded directives, \"ignore prior\n  instructions\") and stripped or quarantined before the agent reads them.\n- **Write-gating with human-in-the-loop.** External email sends, mass deletes,\n  external file shares are blocked unless a real human explicitly approves\n  through Slack or a ticket. Configurable per sender, per domain, per op.\n- **Real-time action stream + killswitch.** Every agent action streams to an\n  operator dashboard and your SIEM the moment it happens. One click revokes\n  every capability tied to that agent or user within one request cycle.\n- **YAML policy engine.** A compiled match-expression engine for rules like\n  \"this agent can read engineering docs but never finance,\" with hot-reload.\n- **SaaS adapters.** Google Drive, Gmail, and Calendar at launch, each one\n  upstream-aware so policy can reason about specific files, recipients, and\n  events. Pattern is open; add Salesforce, Jira, Notion in a few hundred LOC.\n- **The thesis.** That the OAuth integration boundary is the single\n  preventative chokepoint for governing managed agents you don't own, and\n  that prevention-by-construction is still possible there.\n\n## Credits: standing on PIC's shoulders\n\nThe cryptographic primitive Proxilion uses for signed authority chains is the\n**[PIC protocol](https://www.pic-protocol.org/)** (Provenance, Identity,\nContinuity) by **[Nicola Gallo](https://github.com/ngallo)**. PIC's three\nformal invariants, *provenance* (every action traces back to an immutable\norigin), *identity* (the origin identity cannot mutate across hops), and\n*continuity* (authority can only shrink, never broaden), are what let\nProxilion say \"this exact action was authorized by this exact human\" and\nprove it years later. Credit and respect to Nicola for designing and\npublishing the protocol. We consume the upstream Rust reference\nimplementation as a SHA-pinned dependency; we do not vendor or reimplement\nit.\n\n## Quickstart\n\n```bash\ngit clone https://github.com/clay-good/proxilion\ncd proxilion\n\n# 1. Generate a CAT signing key for the local Trust Plane.\necho \"TRUST_PLANE_CAT_KEY_HEX=$(openssl rand -hex 32)\" \u003e .env\n\n# 2. Bring up postgres + Trust Plane + mock-okta.\ndocker compose up -d --wait postgres trust-plane mock-okta\n\n# 3. Drive the mock OAuth flow and obtain a verifiable PCA_0.\nbash scripts/smoke-pic.sh\n```\n\nYou should see a JSON `PCA_0` with `p_0`, granted ops, and a base64 COSE\nsignature. Open \u003chttps://localhost:8443/admin/\u003e in a browser to paste that\nPCA id into the chain inspector.\n\n## Three deployment modes, one PIC fabric\n\nA single architecture can't cover every managed-agent platform. Proxilion\nruns in **whichever mode each platform supports**, and the PIC semantics,\naudit log, policy engine, and admin UI are identical across all three.\n\n| Mode | What sits where | Covers | Status |\n|---|---|---|---|\n| **1. In-path proxy** | Agent's OAuth + API URLs point at Proxilion; TLS terminated inside your perimeter | Anthropic Managed Claude, OpenAI Workspace Agents, OSS Claude-likes, Vertex for cross-vendor flows | ✅ Implemented (M1) |\n| **2. Pre-flight advisor** | Platform calls `POST /v1/check` before each SaaS action; we never see the OAuth token or body | Any platform exposing a pre-flight webhook | 🟡 Planned (M3) |\n| **3. Audit-only ingestion** | Platform forwards events after the fact (SIEM-style) | Platforms with action-log export but no pre-flight hook (likely Lindy, Decagon, Moveworks) | 🟡 Planned (M3) |\n\nWhat Proxilion **does not** promise: cryptographic enforcement *at the SaaS\nprovider*. That requires SaaS-side adoption of PIC (RFC 8693-shaped token\nexchange validating chains). The three modes give the strongest enforcement\npossible without SaaS cooperation; we are upfront about that ceiling.\n\n## What's in the repo\n\n```\nproxilion/\n├── crates/\n│   ├── proxy/              # axum reverse proxy + OAuth interception + adapters\n│   ├── cli/                # `proxilion-cli` operator binary\n│   ├── policy-engine/      # YAML → match expression + ops template grammar\n│   └── shared-types/       # re-exports of upstream provenance-core\n├── site/                   # proxilion.com, static, Cloudflare Pages\n├── docs/specs/spec.md      # the design doc\n├── ops/                    # Prometheus scrape config + Grafana JSON\n├── docker/                 # Dockerfiles for proxy and trust-plane\n├── migrations/             # postgres SQL for OAuth + PCA + audit tables\n├── scripts/                # dev helpers (cert gen, smoke test)\n└── docker-compose.yml      # full dev stack\n```\n\nNo Next.js dashboard. The proxy serves a single embedded static admin\npage at `/admin/` for chain inspection; everything else (log queries,\nmetrics, alerting) goes through `proxilion-cli`, Prometheus, and your\nexisting observability stack.\n\n## Visibility and trust\n\nIn **Mode 1**, the proxy terminates TLS inside your perimeter and sees\nplaintext request and response bodies. That visibility is what enables\nLayer-B policy (prompt-injection quarantine, external-send gates) and\nfull-fidelity audit. It also means the proxy MUST run on your\ninfrastructure. CAT keys + plaintext SaaS payloads belong inside your\nperimeter, not someone else's. To minimize the in-memory cleartext\nsurface: **adapters opt into body-field exposure**. The Drive read adapter\ndeclares no body fields in the policy context; only adapters that\nactually need them (Gmail send → `body.to_domain`) do.\n\nIn **Modes 2 and 3**, the proxy never sees the body or the OAuth token.\nThe platform sends us metadata; we evaluate, mint a PCA, and respond.\n\n## Trust model in one paragraph\n\nPIC's preventative property depends on the **CAT signing key** being\ncustomer-held. Proxilion is self-hosted for that reason; we never see your\nkeys, your traffic, or your PCAs. The marketing site at\n[proxilion.com](https://proxilion.com) is a static HTML page that points\nhere. No telemetry, no phone-home, no upsell paths in the admin UI.\n\n## License\n\nMIT. Built on [`clay-good/provenance`](https://github.com/clay-good/provenance)\n(MIT), our single PIC dependency, SHA-pinned in [`Cargo.toml`](Cargo.toml).\nSee [NOTICE](NOTICE) and [docs/specs/spec.md](docs/specs/spec.md) §3 for\nattribution and detail.\n\n## Contributing\n\nIssues and PRs welcome. There's no CLA; contributions land under the\nrepository's MIT license. See [CONTRIBUTING.md](CONTRIBUTING.md) for the\ndev setup, the CI gates you'll need to pass (`cargo fmt --check`,\n`cargo clippy -- -D warnings`, `cargo test --workspace --locked`,\n`cargo audit --deny warnings`), the per-spec contribution model, and\nthe deliberate non-goals.\n\n## Security\n\nFound a vulnerability? **Do not open a public GitHub issue.** See\n[SECURITY.md](SECURITY.md) for the private disclosure address,\nresponse SLAs (72 hours to acknowledge, scaled by severity to patch),\nin-scope / out-of-scope surfaces, and what we already defend against\nso you can lead with where you got past it.\n\n## The Skill Overreach problem\n\nThe agent platforms now ship \"skills.\" You train one agent for the whole\norg, attach it to Drive, Gmail, Salesforce, Jira, Notion, and an internal\nAPI or two, and hand it out to every employee. That single agent now holds\nthe *union* of every permission any of its users have. In effect, you have\ndeployed a super-user. The OAuth scope says `drive.readonly` for the\ntenant; the skill says \"summarize anything the user asks about\"; the\nruntime has no idea whether the human on the other end is an intern, a\nfinance lead, or the CEO.\n\nThat is the Skill Overreach problem. A skill is authority defined at the\nagent level. A user is authority defined at the human level. The gap\nbetween them is exactly where confused-deputy attacks, prompt-injection\nexfiltration, and insider laundering live.\n\nProxilion is the only thing in the stack that forces the skilled agent\nback into the Human User box. Every call the agent makes is bound to a\nPCA chain rooted at the specific human it is acting for at that moment.\nThe intern's request to \"summarize Q3 financials\" fails the same way it\nwould if the intern opened Drive directly. The CEO's request succeeds.\nThe skill stays the same; the *authority* is no longer the skill's, it is\nthe user's. Prevention by construction, even when the skill itself is\noverpowered.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclay-good%2Fproxilion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fclay-good%2Fproxilion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclay-good%2Fproxilion/lists"}