decoyrail

Decoyrail documentation

Decoyrail runs AI coding agents behind a local TLS-intercepting proxy. The agent holds decoy credentials, the proxy swaps in real secrets only for approved destinations, and a decoy seen anywhere else is treated as an exfiltration attempt: blocked and recorded.

Doc Read it when you want to
Getting started install Decoyrail and protect your first agent
How it works follow the architecture and request path
Policy reference write egress and secret-release rules
Vault & secret release manage secrets, decoys, and release destinations
Sensitive-data filtering block, mask, or warn on structured sensitive data
Audit & metering inspect events, verify logs, and control spend
Analytics query spend, usage, and security events
Threat model understand Decoyrail's guarantees and limits

What's coming next is in the roadmap.