Runtime Proxy

Coming Soon

wl-proxy is under active development and will be available in an upcoming release.

wl-proxy is a transparent runtime proxy that intercepts agent API calls for policy evaluation and credential injection.

How It Works

Proxy Request Flow

Agent Configuration

Route API calls through the proxy by changing the base URL:

services:
  my-agent:
    environment:
      OPENAI_BASE_URL: https://proxy-openai:9443/v1
      REQUESTS_CA_BUNDLE: /certs/beacon-ca.crt
      # No OPENAI_API_KEY needed
    volumes:
      - ./beacon-ca.crt:/certs/beacon-ca.crt:ro
    networks: [default, beacon-partner]

For Anthropic:

    environment:
      ANTHROPIC_BASE_URL: https://proxy-anthropic:9443/v1
      REQUESTS_CA_BUNDLE: /certs/beacon-ca.crt

Enforcement Modes

Mode	Behavior
`observe` (default)	Log all decisions, never deny requests
`enforce`	Deny unauthorized requests with 403

Switch modes by re-running the bootstrap script — the mode is saved to .beacon-env.

Audit Trail

Every proxied request generates an audit record including:

Agent identity and request metadata
Cedar policy evaluation result (allow/deny, which policies applied)
Secret access record (which credentials were injected)
Upstream response status
Timestamps for each step

Credential Scrubbing

wl-proxy scrubs injected credentials from responses to prevent accidental exposure. API keys never appear in agent-visible responses or logs.

How It Works​

Agent Configuration​

Enforcement Modes​

Audit Trail​

Credential Scrubbing​

How It Works

Agent Configuration

Enforcement Modes

Audit Trail

Credential Scrubbing