Skip to content

How it works

Lupid runs as a small docker compose stack. One port leaves the network — the dashboard on :3000. Postgres, the REST API, the HTTPS-CONNECT gateway, and the MCP gateway all stay inside the docker network.

The HTTPS-CONNECT gateway is reachable only inside the docker network. Next.js can’t reverse-proxy CONNECT tunnels, so agents that want network-level enforcement run in the same docker network and set HTTPS_PROXY=http://lupid:7070.

The TypeScript SDK installs fetch interceptors for OpenAI, Anthropic, Cohere, and Gemini at init() time. Every call to those providers is routed through Lupid’s policy engine first, then sent on. No URL changes, no proxy config — the agent code doesn’t know it’s being governed.

Set HTTPS_PROXY=http://lupid:7070 in the agent’s process. Every outbound HTTPS request issues a CONNECT to Lupid, which authenticates the agent, intercepts the TLS handshake using a dynamically-minted cert from its local CA, runs the enforcement pipeline, then re-tunnels the request to the real destination.

No agent code changes either. This path is what you want when you don’t control the agent’s source — third-party tooling, browser-based agents, MCP servers.

LayerWhat runsWhere
AuthNJWT verification + revocation blocklist lookupagentum-authn
AuthZPolicy engine evaluates (principal, action, resource) → allow / deny / require_hitlagentum-authz
InspectionDLP scans prompt / tool-call args / response for 17 detector kinds (emails, SSNs, API keys, …)agentum-dlp via agentum-mitm-core
ApprovalsHITL queue; HMAC-signed webhook fan-out to any URLagentum-api::hitl + webhooks
CredentialsLease tracker; static (encrypted Postgres) / HashiCorp Vault / AWS Secrets Manager / Azure KVagentum-vault
AuditAppend-only writes to audit_events in Postgres (or ClickHouse with --profile audit)agentum-audit
LifecycleAgent state machine + JWT revocation via Postgres LISTEN/NOTIFYagentum-lifecycle + agentum-authn

Everything Lupid needs lives in Postgres. The schema is one migration — migrations/001_initial_schema.sql. There are no other writable state stores by default; ClickHouse, when enabled, only holds audit events.