decoyrail

Roadmap

Where Decoyrail is going, phase by phase. Each phase opens with the bar it has to clear to count as done; phases ship when they clear it, which is why there are no dates on this page. For what works today, see the docs.

The long arc: Decoyrail starts as the security boundary for AI agents (decoy credentials, egress policy, tripwires) and, once that boundary is trusted, becomes the natural place to govern and measure everything that crosses it.

Working core (shipped: the v0.2.x releases)

An encrypted decoy vault with policy-declared secret release, a TLS-intercepting proxy with SSE passthrough, the decoy-to-real swap with tripwires (including encoded-form detection), a default-deny egress policy with an escalate tier that fails closed, spend metering with a monthly budget and kill switch, a hash-chained and head-anchored audit log, hot reload, and integration tests plus a live e2e script.

Not in the product yet: machine-wide capture, the LLM judge, SigV4 re-signing, SSRF blocking, rate limiting, and any GUI. The phases below cover them.

v0.3: The boundary pays for itself (in progress)

The bar: Decoyrail can show a team, in dollars, what it saved them last month, and the number is bigger than its own bill.

The proxy that inspects every request is also the only thing positioned to make those requests cheaper: it sees all the traffic, from stock agents, with no configuration change. A gateway can only optimize traffic that was configured to route through it; an endpoint proxy measures and improves everything, including traffic that would have skipped a gateway. And it composes with the gateway you may already run (LiteLLM, OpenRouter, a corporate proxy): Decoyrail can sit in front of it, with the gateway key vaulted like any other secret, so even that credential never rests in an agent's environment. This phase comes before the fleet phases because everything in it serves a single seat with no IT involvement: install it, run your agent, and the report speaks for itself. Security features stay free, always. In this phase, measurement is free for everyone and the automatic fixes are the paid tier.

v0.4: Manageable by IT

The bar: an IT admin can install Decoyrail on a handful of developer Macs, author and push signed rules from one console, and review the fleet's audit trail in the log/SIEM system they already run, without touching a terminal on any dev machine.

Through all of this, the surface a developer sees stays deliberately thin: decoyrail run, decoyrail status, and (in v0.5) approval prompts. A security tool that developers resent gets routed around, so staying out of the way is a design goal, not a nicety.

v0.5: Policy intelligence

The bar: escalate resolves to something better than deny, and admins stop writing rules by hand.

Further out

Directions we're committed to exploring, not yet promises: machine-wide traffic capture that doesn't depend on env vars, with per-process attribution; MDM and SSO fleet deployment; a fleet console for teams that don't run a SIEM; routing traffic onto the model contracts you already pay for; growing the data guards into a full detector line; agents beyond the developer Mac, starting with CI runners and Linux; and first-party hosted canary alerting, which waits until the project has earned the trust that any hosted component demands.