
Niki-1337/proxy-ai

Proxy AI

Open-source AI security gateway for developers and teams: detect secrets, PII, internal infrastructure, and risky context before prompts reach external LLMs.


Proxy AI sits between AI tools and model providers. It scans outgoing prompts, sanitizes sensitive values with signed placeholders, sends only the sanitized payload to the provider, and safely rehydrates model responses before returning them to the user.

It is designed for the messy reality of developer workflows: source code, .env files, kubeconfigs, CI/CD YAML, SQL, logs, stack traces, tickets, and incident notes often contain credentials or regulated data by accident.

Why this exists

Developers increasingly paste production-like context into AI assistants. The security team needs control and evidence, but developers need the workflow to stay fast. Proxy AI aims for that middle path:

  • protect sensitive data before it leaves the machine or team gateway;
  • preserve code shape so AI answers are still useful;
  • keep an audit trail without storing raw secrets by default;
  • make policy decisions explainable in an admin console.

What is included

  • OpenAI-compatible and Anthropic-compatible proxy endpoints.
  • Local HTTPS MITM proxy for browser and desktop AI tools.
  • Secret, PII, internal-infra, source-code, prompt-injection, and document scanning.
  • Code-shape preserving sanitization with signed __GWV1_*__ placeholders.
  • Response rehydration, including common LLM placeholder mutations.
  • Tree-sitter aware replacement planning for source-like prompts.
  • Mutation score and warnings when a prompt is changed too heavily.
  • Basic policy engine: allow, sanitize, block, shadow, warn, route_to_local_model, and disable_rehydration.
  • Trusted-header identity attribution for local/team deployments.
  • PostgreSQL audit store with safe previews, hash chain, retention purge, and Prometheus metrics.
  • Community admin console for health, audit review, diff viewer, self-check, safe export, and policy simulation.
  • macOS helper scripts for local CA trust and guarded system proxy lifecycle.
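The sanitize-then-rehydrate loop the list above describes, as an added Python example. This is illustrative code written for this page, not the project's Rust scanner: the three detectors, the `__GWV1_<KIND>_<N>_<TAG>__` layout with a truncated HMAC-SHA256 tag, the tolerant regex for echoed placeholders and the 25% mutation-score threshold are all assumptions. What it shows is the property that matters: the rehydrator restores only placeholders whose tag this request's key can reproduce, so a placeholder the model invents, or one left over from another session, is left untouched, while case changes, dropped underscores and inserted spaces in a genuine placeholder are still recognised.

```python
"""Signed placeholder sanitization and tolerant rehydration (added example,
not the project's code; detectors, placeholder layout, tag construction and
threshold are assumptions made for illustration)."""
import hashlib
import hmac
import re

# Constructed detectors; a real scanner covers far more secret and PII shapes.
DETECTORS = {
    "AWSKEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "DBURL": re.compile(r"\bpostgres://[^\s;]+"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Matches a placeholder the way models tend to echo it back: case changed,
# underscores dropped or doubled, whitespace inserted. Groups: kind, n, tag.
ECHOED = re.compile(
    r"_{0,3}\s*gwv1\s*_?\s*([a-z]+)\s*_?\s*(\d+)\s*_?\s*([0-9a-f]{8})\s*_{0,3}",
    re.IGNORECASE,
)


class Sanitizer:
    """Request-scoped: build one per request and discard it afterwards."""

    def __init__(self, session_key: bytes, warn_ratio: float = 0.25):
        self.key = session_key
        self.warn_ratio = warn_ratio
        self.values: dict = {}  # (kind, n) -> raw value, never sent upstream

    def _tag(self, kind: str, n: int) -> str:
        # Short HMAC over the placeholder identity; only this key can mint it.
        msg = f"{kind}:{n}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:8]

    def placeholder(self, kind: str, n: int) -> str:
        return f"__GWV1_{kind}_{n}_{self._tag(kind, n)}__"

    def sanitize(self, prompt: str):
        """Return (sanitized prompt, report with mutation score and warnings)."""
        spans = sorted(
            ((m.start(), m.end(), kind)
             for kind, rx in DETECTORS.items()
             for m in rx.finditer(prompt)),
            key=lambda s: (s[0], -s[1]),  # earliest first, longest on ties
        )
        out, cursor, removed, by_value = [], 0, 0, {}
        for start, end, kind in spans:
            if start < cursor:  # already covered by an earlier, longer finding
                continue
            raw = prompt[start:end]
            if raw not in by_value:  # same value -> same placeholder keeps code shape
                n = len(self.values) + 1
                self.values[(kind, n)] = raw
                by_value[raw] = self.placeholder(kind, n)
            out.append(prompt[cursor:start])
            out.append(by_value[raw])
            cursor, removed = end, removed + (end - start)
        out.append(prompt[cursor:])
        score = removed / len(prompt) if prompt else 0.0
        warnings = []
        if score > self.warn_ratio:
            warnings.append(f"{score:.0%} of the prompt was replaced; answers may degrade")
        report = {"findings": len(self.values), "mutation_score": score, "warnings": warnings}
        return "".join(out), report

    def rehydrate(self, response: str) -> str:
        def restore(m):
            kind, n, tag = m.group(1).upper(), int(m.group(2)), m.group(3).lower()
            # Reject anything this request did not issue: forged, stale or damaged tag.
            if not hmac.compare_digest(tag, self._tag(kind, n)):
                return m.group(0)
            return self.values.get((kind, n), m.group(0))
        return ECHOED.sub(restore, response)


if __name__ == "__main__":
    s = Sanitizer(b"constructed-session-key")
    clean, rep = s.sanitize("Deploy fails with AKIAIOSFODNN7EXAMPLE; page ops@example.com")
    print(clean, rep, sep="\n")
    print(s.rehydrate(clean.lower()))  # lower-cased echo still restores
```

The tag binds the placeholder to the request key, not to the secret, so the map lookup is what recovers the value; a mismatched tag short-circuits before any lookup. The score is the fraction of characters replaced, which is a crude proxy for how much context the model lost; a real gateway would weight it by what was removed.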

Community vs Enterprise

This repository is the open-source core. The following remain commercial / enterprise modules:

  • SIEM webhook destinations and delivery management.
  • OIDC/SAML/SCIM identity integrations.
  • Policy exception approval workflow.
  • Offline license and capability enforcement.
  • Forensic/sensitive export controls.
  • KMS/Vault managed encryption keys.
  • Advanced RBAC, approval workflows, and compliance evidence packs.
  • Agent firewall and tool-call governance.

See docs/open-core.md for the boundary.

Architecture

flowchart LR
    A["AI client\nClaude, Codex, custom app"] --> B["Proxy AI\nAPI proxy or MITM"]
    B --> C["Scanner\nsecrets, PII, infra, code"]
    C --> D["Policy engine\nallow/sanitize/block"]
    D --> E["Sanitizer\n__GWV1_*__ placeholders"]
    E --> F["External LLM provider"]
    F --> G["Rehydration\nrestore local response"]
    B --> H["Audit store\nsafe previews + hash chain"]
    H --> I["Admin console"]

Repository layout

backend/  API gateway, scanner, policy engine, audit API, admin API
mitm/     Local HTTPS MITM proxy and CA tooling
admin/    React admin console
docs/     Architecture, open-core boundary, roadmap

Quick start

1. Start Postgres

Use an existing local Postgres or start one any way you like, then export:

# Replace the placeholders with your local Postgres credentials.
export DATABASE_URL='postgres://<user>:<password>@127.0.0.1:5432/proxy_ai'
# Development value only; use a long random token for any shared deployment.
export GATEWAY_AUTH_TOKEN='local-dev-token'

2. Run the backend

cd backend
cargo run

Backend defaults to 127.0.0.1:3000.

3. Run the admin console

cd admin
npm ci
VITE_GATEWAY_API_BASE=http://127.0.0.1:3000 npm run dev

Admin defaults to 127.0.0.1:5173.

4. Run the MITM proxy

cd mitm
MITM_PROXY_BIND=127.0.0.1:3128 \
MITM_CA_COMMON_NAME='Proxy AI Community MITM CA' \
cargo run --bin mitm_proxy

On macOS, trust the local community MITM CA before browser testing. Whoever holds that CA's private key can intercept TLS from every client that trusts it, so keep the key on the machine that runs the proxy:

cd mitm
scripts/mitm_ca_macos.sh reset

Use the guarded system proxy wrapper instead of toggling proxy settings by hand:

cd mitm
scripts/mitm_system_proxy.sh start
scripts/mitm_system_proxy.sh status
scripts/mitm_system_proxy.sh stop

Transparent local capture on macOS

Some native clients do not honor macOS System Proxy or HTTP_PROXY / HTTPS_PROXY. The community build includes an experimental pf helper for transparent capture, with a guard against local MITM self-loops.

Start MITM with the transparent listener:

MITM_TRANSPARENT_ENABLED=true \
MITM_TRANSPARENT_BIND=127.0.0.1:3130 \
cargo run --bin mitm_proxy

Then enable pf only for a controlled lab or gateway setup:

MITM_TRANSPARENT_CLIENTS="192.168.1.20" \
sudo -E scripts/mitm_transparent_pf.sh start

For same-host experiments, read mitm/README.md first. pf cannot exclude a process by name, so a careless redirect rule also catches the proxy's own upstream connections and loops them back into the MITM listener.

Smoke tests

cd backend
cargo test

cd ../mitm
cargo test --bin mitm_proxy

cd ../admin
npm ci
npm run build

Security posture

  • Raw secrets are not stored in audit previews by default.
  • Replacement maps are request/session scoped.
  • Audit events include hashes and policy metadata for investigation.
  • Local CA private keys, .env, .mitm, logs, and release artifacts are ignored by git.
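An added Python sketch of the audit-store properties in the list above: previews cut from the sanitized text only, a keyed fingerprint that lets an investigator correlate the same secret across events without the store ever holding its value, a SHA-256 hash chain, and a retention purge that keeps the remaining chain verifiable. This is illustrative code written for this page, not the project's PostgreSQL implementation; the event fields, the HMAC fingerprint and the checkpoint anchor kept on purge are assumptions.

```python
"""Append-only audit chain with safe previews and purge-safe verification
(added example, not the project's audit store; field names, the keyed
fingerprint and the purge anchor are assumptions made for illustration)."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def safe_preview(sanitized_prompt: str, limit: int = 72) -> str:
    """Preview is cut from the sanitized text, so it cannot hold a raw secret."""
    text = sanitized_prompt.replace("\n", " ")
    return text if len(text) <= limit else text[:limit] + "..."


class AuditChain:
    def __init__(self, fingerprint_key: bytes):
        self.key = fingerprint_key
        self.events: List[dict] = []
        self.anchor = GENESIS  # hash of the last purged event, or genesis
        self.next_seq = 0

    def fingerprint(self, raw_value: str) -> str:
        # Keyed, so a secret can be matched across events but not brute-forced
        # from the audit table the way an unkeyed hash of a short token could.
        return hmac.new(self.key, raw_value.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def digest(event: dict) -> str:
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, decision: str, sanitized_prompt: str,
               findings: List[Tuple[str, str]]) -> dict:
        """findings: (kind, raw value) pairs; only the fingerprint is stored."""
        prev = self.events[-1]["hash"] if self.events else self.anchor
        event = {
            "seq": self.next_seq,
            "actor": actor,
            "decision": decision,
            "preview": safe_preview(sanitized_prompt),
            "findings": [{"kind": k, "fingerprint": self.fingerprint(v)} for k, v in findings],
            "prev_hash": prev,
        }
        event["hash"] = self.digest(event)
        self.events.append(event)
        self.next_seq += 1
        return event

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (ok, seq of the first event whose link or hash is wrong)."""
        prev = self.anchor
        for event in self.events:
            if event["prev_hash"] != prev or self.digest(event) != event["hash"]:
                return False, event["seq"]
            prev = event["hash"]
        return True, None

    def purge_before(self, seq: int) -> int:
        """Retention purge that keeps the chain verifiable: the hash of the
        last dropped event becomes the anchor the first kept event links to."""
        keep = [e for e in self.events if e["seq"] >= seq]
        dropped = len(self.events) - len(keep)
        if dropped:
            self.anchor = self.events[dropped - 1]["hash"]
        self.events = keep
        return dropped


if __name__ == "__main__":
    chain = AuditChain(b"constructed-fingerprint-key")
    chain.append("dev@corp", "sanitize", "key=__GWV1_AWSKEY_1_ab12cd34__",
                 [("AWSKEY", "AKIAIOSFODNN7EXAMPLE")])
    chain.append("ci-bot", "block", "drop table users", [])
    print(chain.verify())          # (True, None)
    chain.events[1]["decision"] = "allow"
    print(chain.verify())          # (False, 1)
```

Without the anchor, a purge would leave the oldest surviving event pointing at a hash nobody can check, and every verifier would have to special-case it; storing the last dropped hash keeps the check uniform and still detects any edit to what remains.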

If you find a vulnerability, please do not open a public issue. See SECURITY.md.

Roadmap

The short-term community roadmap is focused on:

  • scanner quality and lower false positives;
  • safer local setup;
  • better provider coverage;
  • stable admin UX for audit review and policy simulation;
  • documented deployment patterns.

Enterprise roadmap items are tracked separately in docs/roadmap.md.

Contributing

Contributions are welcome. Please read CONTRIBUTING.md and CODE_OF_CONDUCT.md.

License

Apache License 2.0. See LICENSE.
