Skip to main content

Layer8 Proxy

Layer8 Proxy is the production deployment bundle for the Sentient Swarm credential-broker stack. It packages three services behind a Docker Compose bundle so that agents reach LLM providers, tools, and infra middleware through a single audited chokepoint — never touching the real upstream credentials.

The three services:

  • agent-locksmith — the credential broker. Runs locksmithd, validates per-agent bearers against ACLs, injects the real upstream credential on the wire, and writes one audit row per request. This is the keystone; the other two services harden the egress path around it.
  • pipelock — the egress chokepoint. Locksmith routes egress: proxied registrations through pipelock via HTTP CONNECT; pipelock enforces a network-layer allowlist/blocklist and DLP so nothing leaves the box except to approved upstreams.
  • lf-scan — a prompt/code scanner middleware. An infra-kind service that locksmith itself calls (never agent-callable) to scan request/response content before it is proxied.

The trust boundary

The organizing idea is a hard split between proxy-operator state and agent-side state:

  • The proxy operator holds the crown jewels: provider API keys, the lf-scan internal token, the restic backup password, OAuth sealing key, pipelock allowlist policy, and the locksmith base config. These are sealed at rest and the agent process must never see them.
  • The agent holds only its own locksmith bearer token and its provider routing config (base URLs pointing at locksmith). It carries no real credential.

Per-host proxy-operator state lives in a site repo (e.g. layer8-proxy-site) that pins a Layer8 Proxy version, holds the sealed credentials, declares per-agent ACLs, and wraps bring-up in a deploy.sh. Agent-side config lives in separate repos (hermes-site, openclaw-site).

What an agent sees

An agent points its provider base URLs at locksmith and authenticates with a bearer token the operator registered for it:

curl -sS -H "Authorization: Bearer $AGENT_TOKEN" \
http://127.0.0.1:9200/models

curl -sS -X POST http://127.0.0.1:9200/api/anthropic/v1/messages \
-H "Authorization: Bearer $AGENT_TOKEN" \
-H "anthropic-version: 2023-06-01" \
-H "Content-Type: application/json" \
-d '{"model":"claude-haiku-4-5","max_tokens":40,"messages":[{"role":"user","content":"hi"}]}'

Locksmith strips the agent's headers, injects the real x-api-key, routes the call through pipelock, and returns the upstream response. The agent never held the real Anthropic key.

The catalog substrate

Registrations are discriminated by kindmodel, tool, or infra. Agents discover models via /models and tools via /tools (both ACL-filtered); infra middleware like lf-scan is operator-only and not agent-discoverable. See Architecture for the full taxonomy and the broker/ACL/egress model.

Where to go next

  • Architecture — the broker/ACL/egress model and the kind taxonomy.
  • Operator Console — the web console over locksmith's admin API.
  • Deploy — bring up the Docker Compose bundle.
  • Agent Locksmith — the credential broker at the center of the stack.