Runtime Governance Overview

The Runtime Governance tier adds transparent policy enforcement and credential injection — answering the question: "How do we enforce policy on every API call without exposing raw secrets?"

Services

Everything from Authorization, plus:

| Service | Purpose |
| --- | --- |
| wl-proxy | Governance proxy — policy evaluation + credential injection |
| wl-secrets-broker | Policy-enforced secrets management (SCT issuance) |

What You Get

  • Transparent governance — every API call evaluated by Cedar policies before execution
  • Credential injection — agents never see raw API keys; wl-secrets-broker injects credentials
  • Secret Capability Tokens (SCTs) — Ed25519-signed, time-limited, single-use tokens
  • Full audit trail — every secret access, API call, and policy decision logged
  • Zero-configuration agent updates — change 1-2 environment variables, no code changes
  • Enforcement modes — observe (log only) or enforce (deny unauthorized)

How It Works

Your Agent (no API key in env)
→ https://proxy-openai:9443/v1/chat/completions
→ Caddy (TLS termination)
→ wl-proxy
→ policy eval via wl-apdp (Cedar)
→ credential injection via wl-secrets-broker
→ api.openai.com (with API key injected)
→ Response returned to agent
→ Full audit trail logged

Your agent never sees the raw API key.
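The Ed25519-signed, time-limited, single-use properties of an SCT, shown as an added example that is not wl-secrets-broker's or wl-proxy's own code. The claims struct, field names and the claims-plus-signature wire format are assumptions; the page only states the three properties, which the issuer and the redeeming verifier below implement (the verifier also rejects replays of a token it has already redeemed).

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Claims of an illustrative SCT. The real wl-secrets-broker token layout is not
// documented on this page, so this struct and the wire format are assumptions.
type SCTClaims struct {
	SecretRef string `json:"secret_ref"` // secret the holder may redeem
	Audience  string `json:"aud"`        // proxy allowed to redeem it
	Exp       int64  `json:"exp"`        // unix expiry: time-limited
	Nonce     string `json:"nonce"`      // unique per token: single-use
}

// IssueSCT returns the JSON claims followed by a 64-byte Ed25519 signature over them.
func IssueSCT(priv ed25519.PrivateKey, c SCTClaims) []byte {
	raw, _ := json.Marshal(c) // cannot fail for a struct of plain fields
	return append(raw, ed25519.Sign(priv, raw)...)
}

// Verifier holds the broker's public key and a replay cache of redeemed nonces.
type Verifier struct {
	Pub  ed25519.PublicKey
	Used map[string]bool // nonces already redeemed; caller initialises the map
}
// Redeem checks signature, audience, expiry and single-use in that order; the nonce is recorded only when every check passes.
func (v *Verifier) Redeem(token []byte, aud string, now time.Time) (*SCTClaims, error) {
	n := len(token) - ed25519.SignatureSize
	if n <= 0 || !ed25519.Verify(v.Pub, token[:n], token[n:]) {
		return nil, errors.New("malformed token or bad signature")
	}
	var c SCTClaims
	if err := json.Unmarshal(token[:n], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Audience != aud:
		return nil, errors.New("audience mismatch")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case v.Used[c.Nonce]:
		return nil, errors.New("token already redeemed")
	}
	v.Used[c.Nonce] = true
	return &c, nil
}
```

In a real deployment the replay cache must be shared across proxy replicas (or the issuer must track redemption), otherwise single-use holds only per instance.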

Agent Configuration

Change 1-2 environment variables — no code changes required:

```yaml
services:
  my-agent:
    networks: [default, beacon-partner]
    environment:
      OPENAI_BASE_URL: https://proxy-openai:9443/v1 # Route through proxy
      REQUESTS_CA_BUNDLE: /certs/beacon-ca.crt      # Trust self-signed CA
      # No OPENAI_API_KEY — wl-secrets-broker injects credentials
    volumes:
      - ./beacon-ca.crt:/certs/beacon-ca.crt:ro

networks:
  beacon-partner:
    external: true
```

Enforcement Modes

| Mode | Behavior |
| --- | --- |
| observe (default) | Log all decisions, never deny |
| enforce | Deny unauthorized actions |

Start in observe mode to build confidence in your policies, then switch to enforce.

Next Steps