Runtime Enforcement Proxy Overview
Coming Soon
The Runtime Enforcement Proxy is under active development and will be available in an upcoming release.
The Runtime Enforcement Proxy tier adds transparent policy enforcement and credential injection — answering the question: "How do we enforce policy on every API call without exposing raw secrets?"
Services
Everything from Authorization, plus:
| Service | Purpose |
|---|---|
| wl-proxy | Governance proxy — policy evaluation + credential injection |
| wl-secrets-broker | Policy-enforced secrets management (SCT issuance) |
What You Get
- Transparent governance — every API call evaluated by Cedar policies before execution
- Credential injection — agents never see raw API keys; wl-secrets-broker injects credentials
- Secret Capability Tokens (SCTs) — Ed25519-signed, time-limited, single-use tokens
- Full audit trail — every secret access, API call, and policy decision logged
- Zero-configuration agent updates — change 1-2 environment variables, no code changes
- Enforcement modes — observe (log only) or enforce (deny unauthorized)
How It Works
```
Your Agent (no API key in env)
  → https://proxy-openai:9443/v1/chat/completions
  → Caddy (TLS termination)
  → wl-proxy
  → policy eval via wl-apdp (Cedar)
  → credential injection via wl-secrets-broker
  → api.openai.com (with API key injected)
  → Response returned to agent
  → Full audit trail logged
```
Your agent never sees the raw API key.
Agent Configuration
Change 1-2 environment variables — no code changes required:
```yaml
services:
  my-agent:
    networks: [default, beacon-partner]
    environment:
      OPENAI_BASE_URL: https://proxy-openai:9443/v1   # Route through proxy
      REQUESTS_CA_BUNDLE: /certs/beacon-ca.crt        # Trust self-signed CA
      # No OPENAI_API_KEY — wl-secrets-broker injects credentials
    volumes:
      - ./beacon-ca.crt:/certs/beacon-ca.crt:ro

networks:
  beacon-partner:
    external: true
```
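A pre-deployment check for the agent configuration above, written as an added example (it is not part of the product's tooling). It audits a service's `environment` entry for leftover raw credentials and for a base URL that bypasses the proxy; the function names and the list of secret-name suffixes are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: variable names ending in these suffixes hold raw credentials.
SECRET_SUFFIXES = ("_API_KEY", "_SECRET", "_TOKEN")
UPSTREAM_HOSTS = {"api.openai.com"}  # the upstream named in the request flow


def normalize_env(environment):
    """Compose accepts `environment` as a mapping or a list of KEY=VALUE strings."""
    if isinstance(environment, dict):
        return {k: "" if v is None else str(v) for k, v in environment.items()}
    env = {}
    for item in environment or []:
        key, _, value = str(item).partition("=")
        env[key] = value
    return env


def audit_agent_env(environment):
    """Return a list of findings; an empty list means the agent is proxy-only."""
    env = normalize_env(environment)
    findings = []
    for name in sorted(env):
        if name.upper().endswith(SECRET_SUFFIXES):
            findings.append(f"{name}: raw credential present in agent environment")
    base = env.get("OPENAI_BASE_URL")
    if not base:
        findings.append("OPENAI_BASE_URL: unset, calls will not go through the proxy")
    else:
        url = urlsplit(base)
        if url.scheme != "https":
            findings.append("OPENAI_BASE_URL: not https")
        if url.hostname in UPSTREAM_HOSTS:
            findings.append("OPENAI_BASE_URL: points at the upstream API, bypassing the proxy")
    if not env.get("REQUESTS_CA_BUNDLE"):
        findings.append("REQUESTS_CA_BUNDLE: unset, no CA bundle for the proxy's self-signed CA")
    return findings


# Constructed samples: the configuration shown above, and a misconfigured variant.
GOOD = {"OPENAI_BASE_URL": "https://proxy-openai:9443/v1",
        "REQUESTS_CA_BUNDLE": "/certs/beacon-ca.crt"}
BAD = ["OPENAI_API_KEY=sk-constructed-placeholder",
       "OPENAI_BASE_URL=https://api.openai.com/v1"]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit_agent_env(sample) or "ok")
```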
Enforcement Modes
| Mode | Behavior |
|---|---|
| observe (default) | Log all decisions, never deny |
| enforce | Deny unauthorized actions |
Start in observe mode to build confidence in your policies, then switch to enforce.
Next Steps
- Runtime Proxy — How wl-proxy works
- Secrets Broker — SCT issuance and credential management