Decoyrail documentation
Decoyrail runs AI coding agents behind a local TLS-intercepting proxy. The agent holds decoy credentials, the proxy swaps in real secrets only for approved destinations, and a decoy seen anywhere else is treated as an exfiltration attempt: blocked and recorded.
| Doc | Read it when you want to |
|---|---|
| Getting started | install Decoyrail and protect your first agent |
| How it works | follow the architecture and request path |
| Policy reference | write egress and secret-release rules |
| Vault & secret release | manage secrets, decoys, and release destinations |
| Sensitive-data filtering | block, mask, or warn on structured sensitive data |
| Audit & metering | inspect events, verify logs, and control spend |
| Analytics | query spend, usage, and security events |
| Threat model | understand Decoyrail's guarantees and limits |
What's coming next is in the roadmap.