Skip to content

How a request flows

Say one of your agents is about to call OpenAI. Here’s what actually happens.

  1. The agent sends an HTTPS CONNECT to the Lupid gateway on :7070 because its HTTPS_PROXY is pointed at Lupid (or, on the SDK path, the SDK’s fetch interceptor routes the request internally).

  2. Lupid authenticates the agent. It verifies the JWT signature, checks the token’s not on the revocation blocklist (a bloom-filtered Postgres-backed list refreshed via LISTEN/NOTIFY), and binds the session to the agent’s network context.

  3. TLS is intercepted. The gateway mints a leaf certificate on the fly from its local CA and presents it to the agent. The agent talks TLS to Lupid; Lupid talks TLS to OpenAI. From the agent’s perspective the trust chain ends at Lupid’s CA, which the agent’s container trusts via a mounted root.

  4. The request body is classified. DLP scans the prompt for 17 detector kinds (emails, phone numbers, SSNs, credit cards, AWS / OpenAI / Anthropic / GitHub / Slack tokens, JWTs, bearer tokens, PEM private keys, and high-entropy generic secrets). Hits become data_classes on the eventual audit row.

  5. The policy engine evaluates (principal=agent, action=call_tool, resource=tool_name) and returns allow, deny, or require_hitl. The decision is served from an in-memory cache, but the exact latency is implementation detail you shouldn’t depend on.

  6. Optional HITL gate. If the policy emitted @advice("require_hitl:…"), the request parks in the approval queue, an HMAC-signed webhook fires to any URL the operator has configured, and the agent either blocks (synchronous wait) or gets a 202 with a poll URL.

  7. The request is proxied upstream. The response streams back through the same pipeline. DLP can redact secrets on the way out too — useful when the LLM has echoed a system-prompt fragment that contained credentials.

  8. An audit event is written. One row in Postgres (or ClickHouse, if you enabled the audit profile) with: agent id, tool, resource, decision, the policy hash that was evaluated against, data classes detected, redactions applied, and chunk hashes of the prompt and response.

Step that failedWhat the agent seesWhat lands in audit
JWT invalid or revokedHTTP 401auth_failed event
Policy returns denyHTTP 403 with the policy idpolicy_denied event
DLP severity ≥ critical (block)The request is dropped; agent sees a 403dlp_blocked event + finding list
HITL approver said denyHTTP 403 (sync mode) or the poll returns denyhitl_denied event
Upstream LLM returned 5xxThe 5xx is forwarded to the agent transparentlyupstream_error event

Every event has a stable schema; you can query them from the dashboard’s audit page or via agentum audit query from the CLI.