{"id":49751470,"url":"https://github.com/soapbucket/sbproxy","last_synced_at":"2026-06-26T06:00:29.249Z","repository":{"id":350881146,"uuid":"1205328564","full_name":"soapbucket/sbproxy","owner":"soapbucket","description":"AI Governance Engine. One self-hostable gateway for AI traffic, APIs, MCP, and AI crawlers.","archived":false,"fork":false,"pushed_at":"2026-06-25T02:37:57.000Z","size":32384,"stargazers_count":42,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-25T03:13:55.291Z","etag":null,"topics":["ai-gateway","ai-governance","anthropic","api-gateway","governance-engine","llm-proxy","load-balancer","mcp","openai","pingora","rate-limiting","reverse-proxy","rust","waf"],"latest_commit_sha":null,"homepage":"https://sbproxy.dev","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/soapbucket.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-04-08T21:29:07.000Z","updated_at":"2026-06-24T22:59:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"54ceeeb5-aae0-4183-94e0-049d76b4c06b","html_url":"https://github.com/soapbucket/sbproxy","commit_stats":null,"previous_names":["soapbucket/sbproxy"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/soapbucket/sbproxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soapbucket%2Fsbproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soapbucket%2Fsbproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soapbucket%2Fsbproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soapbucket%2Fsbproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/soapbucket","download_url":"https://codeload.github.com/soapbucket/sbproxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soapbucket%2Fsbproxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34805072,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-gateway","ai-governance","anthropic","api-gateway","governance-engine","llm-proxy","load-balancer","mcp","openai","pingora","rate-limiting","reverse-proxy","rust","waf"],"created_at":"2026-05-10T11:00:27.799Z","updated_at":"2026-06-26T06:00:29.214Z","avatar_url":"https://github.com/soapbucket.png","language":"Rust","funding_links":[],"categories":["API Gateways \u0026 Proxies","API Gateway"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://sbproxy.dev/logo.svg\" alt=\"SBproxy\" width=\"80\" height=\"80\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eSBproxy\u003c/h1\u003e\n\n*Last modified: 2026-06-25*\n\n\u003ch3 align=\"center\"\u003eGovern the AI you call and the AI that calls you.\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/soapbucket/sbproxy/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/soapbucket/sbproxy\" alt=\"Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.apache.org/licenses/LICENSE-2.0\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache_2.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/soapbucket/sbproxy/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/soapbucket/sbproxy/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/soapbucket/sbproxy/stargazers\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/soapbucket/sbproxy\" alt=\"Stars\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.rust-lang.org/\"\u003e\u003cimg src=\"https://img.shields.io/badge/rust-1.82+-orange.svg\" alt=\"Rust 1.82+\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#install\"\u003eInstall\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#quick-start\"\u003eQuick start\u003c/a\u003e \u0026middot;\n  \u003ca href=\"examples/\"\u003eExamples\u003c/a\u003e \u0026middot;\n  \u003ca href=\"docs/README.md\"\u003eDocs\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/assets/ai-gateway.gif\" alt=\"One OpenAI-compatible request routed to OpenAI, Anthropic, and Google through sbproxy\" width=\"900\"\u003e\n\u003c/p\u003e\n\n---\n\n## Why SBproxy\n\nSBproxy governs AI traffic in both directions: the calls your apps and agents make out to models and MCP tools, and the calls AI agents and crawlers make in to your APIs and content. It is a real reverse proxy built on Pingora, so the same runtime also handles the rest of your API traffic, as one binary in your VPC. Most teams stitch this together from an LLM proxy, an API gateway, a key store, a guardrail service, and a dashboard they have to trust for spend. This is one process.\n\n- **The AI you call.** 200+ models behind one OpenAI-compatible API, with fallback chains, outcome-aware routing, predictive budgets, and per-error retry policies. Guardrails screen the prompt and the model's response, blocking or redacting a streaming completion mid-flight. A local semantic cache replays near-duplicate prompts with no per-call cost, and the prompt never leaves your network.\n- **The AI that calls you.** Charge AI crawlers per request with Pay Per Crawl (x402 or Stripe), verify signed agents with Web Bot Auth (RFC 9421), and negotiate Markdown so agents stop paying for HTML they cannot use. Inbound AI is governed by the same gateway, not a separate product.\n- **Govern every key.** Inbound virtual keys are hashed at rest (HMAC-SHA256 plus a server pepper) and minted, rotated, and revoked at runtime through an admin API. A revoke takes effect on the next request, not the next reload. Per-key policy travels with the key: models, budgets, rate, required redaction, model pinning. Upstream credentials are encrypted at rest. See [key management](docs/key-management.md).\n- **A real proxy for the rest.** Auth (JWT, OIDC, mTLS), automatic TLS via ACME, WAF, DDoS, CSRF, SSRF guards, and PII redaction. Prompt-injection detection runs on an on-box ONNX model, so it adds no per-call cost and nothing leaves your network, even air-gapped. Guardrails run as a quorum mesh on a latency budget. The proxy that fronts your models is the security layer, not a thing you bolt on after it.\n- **Run as a fleet without Redis.** Point every replica at a shared store and a key minted on one works on all, with a revoke seen across the fleet. The mesh that keeps the cache, budgets, and per-key spend counters coherent (gossip, CRDTs, a consistent-hash ring) is open source here, so the cluster coordinates itself without an external Redis or a vendor's control plane.\n- **Prove the spend.** Every request can emit a hash-chained, Ed25519-signed usage receipt with token counts and USD cost that you re-derive and verify offline. Metrics, logs, and OpenTelemetry GenAI traces come from the same process, ready for Phoenix, Langfuse, Grafana, or Datadog.\n- **Stay fast, stay yours.** Sub-millisecond p99 overhead, idle RSS in single-digit megabytes, hot reload with no dropped connections. One binary, Apache 2.0, in your VPC.\n\nNew here and weighing the options? See [how SBproxy compares](docs/comparison.md).\n\n---\n\n## Install\n\ncurl (macOS / Linux):\n\n```bash\ncurl -fsSL https://download.sbproxy.dev | sh\n```\n\nThe script detects your OS and architecture, fetches the matching release binary from GitHub, and drops it in `~/.local/bin`. Override with `SBPROXY_INSTALL=\u003cdir\u003e` for a custom location or `SBPROXY_VERSION=\u003ctag\u003e` to pin a release.\n\nHomebrew (macOS / Linux):\n\n```bash\nbrew tap soapbucket/tap\nbrew install sbproxy\n```\n\nDocker:\n\n```bash\ndocker pull ghcr.io/soapbucket/sbproxy:latest\n```\n\nFrom source (needs Rust 1.82+):\n\n```bash\ngit clone https://github.com/soapbucket/sbproxy\ncd sbproxy\nmake build-release\n```\n\n---\n\n## Quick start\n\nWe host a public HTTP echo service at `test.sbproxy.dev` (request inspection, like httpbin) so you can wire up a real upstream without leaving the SoapBucket ecosystem. Try it directly:\n\n```bash\ncurl https://test.sbproxy.dev/get\n```\n\nNow run the gateway in front of it. Drop this into `sb.yml`:\n\n```yaml\nproxy:\n  http_bind_port: 8080\n\norigins:\n  \"myapp.example.com\":\n    action:\n      type: proxy\n      url: https://test.sbproxy.dev\n```\n\n```bash\nmake run CONFIG=sb.yml\ncurl -H \"Host: myapp.example.com\" http://127.0.0.1:8080/get\n```\n\n`myapp.example.com` is the host your client sees; SoapBucket matches it against `origins:` and forwards to the upstream. Use any hostname you want here; `example.com` is reserved (RFC 2606), so it never collides with anything real.\n\nThat's a reverse proxy. Add AI routing, auth, and rate limiting in the same file. See [`examples/`](examples/) for runnable end-to-end configurations covering each feature.\n\n---\n\n## See it in action\n\nEach clip is recorded against the release binary running a real example config. Regenerate them with [`scripts/record-tapes.sh`](scripts/record-tapes.sh).\n\n**Failover across providers:** the primary is down, the backup answers, transparently. ([config](examples/ai-routing-fallback/))\n\n![Multi-provider failover](docs/assets/ai-fallback.gif)\n\n**Semantic cache:** a reworded prompt is served from cache (`x-semcache: HIT`), skipping the billable completion. ([config](examples/semantic-cache-openai/))\n\n![Semantic cache hit](docs/assets/semantic-cache.gif)\n\n**Guardrails:** prompt-injection and PII are blocked before any provider is called. ([config](examples/ai-guardrails/))\n\n![Guardrails blocking injection and PII](docs/assets/ai-guardrails.gif)\n\n**Governed keys:** mint a virtual key at runtime, then revoke it and watch the next request stop. No reload, no plaintext on disk. ([config](examples/ai-dynamic-keys/), [cluster](examples/ai-dynamic-keys-cluster/))\n\n```bash\n# Mint a key (the plaintext token is returned exactly once)\ncurl -s -u admin:admin -X POST http://127.0.0.1:9090/admin/keys \\\n  -d '{\"name\":\"ci-runner\",\"max_requests_per_minute\":60}'\n\n# Revoke it; the next request carrying it is denied on every replica\ncurl -s -u admin:admin -X POST http://127.0.0.1:9090/admin/keys/\u003ckey_id\u003e/revoke\n```\n\n---\n\n## Documentation\n\nThe full documentation lives in [`docs/README.md`](docs/README.md): manual, configuration reference, AI gateway guide, scripting reference, performance, troubleshooting, architecture, and more. Running the operator for the first time? Start with [`docs/quickstart-operator.md`](docs/quickstart-operator.md).\n\nFor contributors: [CONTRIBUTING.md](CONTRIBUTING.md).\n\n---\n\n## Community\n\n- [Issue Tracker](https://github.com/soapbucket/sbproxy/issues) for bug reports and feature requests.\n- Looking for a managed offering? [SBproxy Enterprise](https://sbproxy.dev/enterprise).\n\n---\n\n## License\n\nLicensed under the [Apache License 2.0](LICENSE). Free for any use, including production and commercial, with no field-of-use restriction.\n\nSee also [NOTICE](NOTICE) and [TRADEMARKS](TRADEMARKS.md). A [Soap Bucket LLC](https://www.soapbucket.com) project.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoapbucket%2Fsbproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoapbucket%2Fsbproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoapbucket%2Fsbproxy/lists"}