OpenApe Proxy

Agent HTTP gateway with grant-based access control.

@openape/proxy

A forward proxy that sits between an agent and the internet, enforcing grant-based access rules before forwarding requests. All traffic is logged for audit purposes.

Installation

npm install -g @openape/proxy

Quick Start

# Start the proxy
openape-proxy --config config.toml

# Dry-run mode (evaluate rules without enforcing)
openape-proxy --config config.toml --dry-run

# Require all requests to have agent authentication
openape-proxy --config config.toml --mandatory-auth

Configuration

Create a config.toml file:

listen = "127.0.0.1:9090"
idp_url = "https://id.example.com"
agent_email = "bot@example.com"
default_action = "block"  # block | request | request-async
audit_log = "/var/log/openape-proxy/audit.jsonl"

# Allow GET requests to GitHub API
[[rules.allow]]
domains = ["api.github.com"]
methods = ["GET"]

# Require a grant for write operations
[[rules.grant_required]]
domains = ["api.github.com"]
methods = ["POST", "PUT", "DELETE"]
grant_type = "once"

# Block internal network access
[[rules.deny]]
domains = ["*.internal.corp"]

Configuration Fields

| Field | Required | Default | Description |
|---|---|---|---|
| listen | Yes | | Bind address and port |
| idp_url | Yes | | IdP URL for grant requests |
| agent_email | Yes | | Agent identity email |
| default_action | No | block | Action for unmatched requests: block, request, request-async |
| audit_log | No | | Path for JSONL audit log |

Default Actions

| Action | Behavior |
|---|---|
| block | Reject unmatched requests immediately |
| request | Auto-request a grant and wait for approval |
| request-async | Auto-request a grant, reject the current request, retry on next attempt |

Rule Evaluation

Rules are evaluated in this order:

  1. deny — If a deny rule matches, the request is blocked immediately
  2. allow — If an allow rule matches, the request is forwarded
  3. grant_required — If a grant rule matches, a grant must be approved before forwarding
  4. Default action — If no rule matches, the default_action is applied
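
The evaluation order above, modelled as an added example (not @openape/proxy's own code). It assumes `*` matches any run of characters and that a field omitted from a rule matches everything; the function names and `sampleConfig` are hypothetical, with rules copied from this page's TOML examples.

```javascript
// Added example: a model of the documented evaluation order, not the proxy's source.
// Assumptions: "*" matches any run of characters; an omitted rule field matches anything.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i");
}

function fieldMatches(patterns, value) {
  if (!patterns) return true; // field omitted in the rule: no constraint
  return patterns.some((p) => globToRegExp(p).test(value));
}

function ruleMatches(rule, req) {
  const url = new URL(req.url);
  return (
    fieldMatches(rule.domains, url.hostname) &&
    fieldMatches(rule.methods, req.method.toUpperCase()) &&
    fieldMatches(rule.paths, url.pathname)
  );
}

function evaluate(config, req) {
  const rules = config.rules || {};
  if ((rules.deny || []).some((r) => ruleMatches(r, req))) {
    return { rule: "deny", decision: "blocked" }; // 1. deny wins over everything
  }
  if ((rules.allow || []).some((r) => ruleMatches(r, req))) {
    return { rule: "allow", decision: "forward" }; // 2. allow
  }
  const grant = (rules.grant_required || []).find((r) => ruleMatches(r, req));
  if (grant) { // 3. grant_required
    return { rule: "grant_required", decision: "needs_grant", grant_type: grant.grant_type };
  }
  return { rule: "default", decision: config.default_action || "block" }; // 4. default
}

// Constructed config mirroring the TOML examples on this page.
const sampleConfig = {
  default_action: "block",
  rules: {
    deny: [
      { domains: ["*"], paths: ["/admin/*", "/.env", "/secrets/*"] },
      { domains: ["*.internal.corp"] },
    ],
    allow: [{ domains: ["api.github.com"], methods: ["GET"] }],
    grant_required: [{ domains: ["api.github.com"], methods: ["POST", "PUT", "DELETE"], grant_type: "once" }],
  },
};
```

With these rules, `GET https://api.github.com/admin/users` is blocked even though the allow rule also matches, because deny is checked first. A `PATCH` to api.github.com matches no rule here and falls through to `default_action`; the Common Patterns config lists PATCH explicitly.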

Rule Fields

Each rule can match on:

| Field | Type | Description | Example |
|---|---|---|---|
| domains | string[] | Domain patterns (supports * wildcard) | ["api.github.com", "*.aws.com"] |
| methods | string[] | HTTP methods | ["GET", "POST"] |
| paths | string[] | URL path patterns | ["/api/v1/*"] |

For grant_required rules, additionally:

| Field | Type | Description |
|---|---|---|
| grant_type | string | Required grant type: once, timed, always |

Multi-Agent Configuration

For proxies serving multiple agents:

[agents.deploy-bot]
idp_url = "https://id.example.com"
agent_email = "agent+deploy@example.com"

[agents.monitor-bot]
idp_url = "https://id.example.com"
agent_email = "agent+monitor@example.com"

# Agent-specific rules
[[agents.deploy-bot.rules.allow]]
domains = ["api.github.com"]
methods = ["GET", "POST"]

[[agents.monitor-bot.rules.allow]]
domains = ["api.datadog.com"]

Audit Logging

Every request is logged as a JSONL entry, one JSON object per line in the log file (shown here pretty-printed for readability):

{
  "timestamp": "2025-01-15T10:30:00Z",
  "agent": "agent+deploy@example.com",
  "method": "POST",
  "url": "https://api.github.com/repos/org/repo/releases",
  "rule": "grant_required",
  "grant_id": "abc123",
  "decision": "allowed",
  "status": 201,
  "duration_ms": 342
}

Common Patterns

Allow reads, require grants for writes

default_action = "block"

[[rules.allow]]
domains = ["api.github.com"]
methods = ["GET", "HEAD", "OPTIONS"]

[[rules.grant_required]]
domains = ["api.github.com"]
methods = ["POST", "PUT", "PATCH", "DELETE"]
grant_type = "once"

Block sensitive endpoints

[[rules.deny]]
domains = ["*.internal.corp", "metadata.google.internal"]

[[rules.deny]]
domains = ["*"]
paths = ["/admin/*", "/.env", "/secrets/*"]