Deploy AI agent governance in 8 steps. One container, no code changes, no engineering sprint.
The d3cipher Gateway is a Docker container you deploy in your own infrastructure. Your AI agents talk to it instead of directly to OpenAI, Anthropic, or any other provider. The gateway enforces governance policies — audit trail, kill switch, token budgets, encrypted transcripts — without touching a single line of agent code.
Your prompts and responses never leave your network in plaintext. Only cryptographic stamps and encrypted blobs reach the d3cipher cloud. The server cannot read your content. Only your Account Key can decrypt it.
Your Agent d3cipher Gateway AI Provider
(no changes) (your network) (OpenAI, etc.)
| | |
|--- API request ---->| |
| |-- stamp (metadata) ----->| d3cipher Cloud
| |-- encrypt body --------->| (can't read it)
| | |
| |--- forward request ----->|
| |<-- provider response ----|
| | |
| |-- stamp response ------->| d3cipher Cloud
| |-- encrypt response ----->| (can't read it)
|<-- response --------| |
| | |
Sign up to create your account. You'll receive four credentials — two API keys and two registry credentials:
| Credential | What It Is | Who Holds It |
|---|---|---|
Admin Keylsk_admin_... |
API key for the dashboard — provisioning, fleet management, auditing | You (compliance / admin) |
Gateway Keylsk_gateway_... |
API key for the Docker container — stamp-only, least privilege. Even if compromised, it cannot access your data or settings. | IT / DevOps |
Registry Usernamedeploy-XXXXXXXX |
Docker login username for the private container registry. Not your email address. | IT / DevOps |
Registry Tokengldt-XXXX... |
Docker login password. Lost it? Regenerate in the dashboard under API Keys. | IT / DevOps |
Send IT the Gateway Key, Registry Username, and Registry Token via a secure channel, along with this page. The Account Key is generated later in Step 5.
Liberty is our free, open-source secrets manager.
It encrypts your keys to your hardware fingerprint — no .env files, no plaintext, no leaks.
The gateway CLI reads from Liberty automatically.
pipx install liberty-secrets
liberty init
# pipx not installed? Use: pip install --break-system-packages liberty-secrets
Why Liberty? Your Account Key decrypts agent transcripts. Storing it in a
plaintext .env file defeats the purpose of envelope encryption. Liberty keeps
it encrypted at rest, bound to your hardware, and decrypted only when you need it
(or injected at runtime with liberty exec -- cmd).
Learn more →
LockStock images are hosted on a private GitLab Container Registry. Store the registry credentials from your welcome email (Step 0) in Liberty, then authenticate Docker:
# Store registry credentials in Liberty (one-time) liberty add LOCKSTOCK_REGISTRY_USER "deploy-XXXXXXXX" liberty add LOCKSTOCK_REGISTRY_TOKEN "gldt-XXXX..." # Authenticate Docker from Liberty (no plaintext passwords) liberty show LOCKSTOCK_REGISTRY_TOKEN | docker login registry.gitlab.com \ -u "$(liberty show LOCKSTOCK_REGISTRY_USER)" --password-stdin # Gateway (production middleware — runs as a service) docker pull registry.gitlab.com/d3cipher/lockstock-images/gateway:v4.19.2 # Admin-Tools (compliance CLI — run on-demand) docker pull registry.gitlab.com/d3cipher/lockstock-images/admin-tools:v4.19.2
Your registry username is deploy-XXXXXXXX, not your email address.
Find it in your welcome email under "Container Registry" or in the
dashboard
under API Keys → Container Registry. Lost your token? Click "Regenerate" in the dashboard.
The lockstock-gateway CLI is a bash script inside the admin-tools image you pulled in Step 2.
Extract it to your host:
mkdir -p ~/.local/bin docker run --rm registry.gitlab.com/d3cipher/lockstock-images/admin-tools:v4.19.2 \ cat /usr/local/bin/lockstock-gateway > ~/.local/bin/lockstock-gateway && \ chmod +x ~/.local/bin/lockstock-gateway
Verify it works: lockstock-gateway --help
Command not found? Run: export PATH="$HOME/.local/bin:$PATH" (add to ~/.bashrc or ~/.zshrc to make permanent)
Why extract? The CLI runs on your host because it reads from Liberty (hardware-bound to your machine)
and manages Docker containers. It's a bash script with no compiled dependencies — just needs
liberty, curl, jq, and docker on your PATH.
# Required — the gateway will not start without these liberty add LOCKSTOCK_API_KEY "lsk_admin_..." liberty add LOCKSTOCK_GATEWAY_KEY "lsk_gateway_..." liberty add LOCKSTOCK_UPSTREAM_URL "https://api.openai.com" # Set LOCKSTOCK_UPSTREAM_URL to your AI provider's endpoint: # https://api.openai.com OpenAI # https://api.anthropic.com Anthropic # http://localhost:11434 Ollama / local models # Store your AI provider key (whichever you use) liberty add ANTHROPIC_API_KEY "sk-ant-..." liberty add OPENAI_API_KEY "sk-..."
Verify: lockstock-gateway config — all required fields should show values, not MISSING.
From now on, every lockstock-gateway command reads from the vault automatically.
Open the dashboard → Settings → Generate Account Key.
Save your Account Key immediately. It is shown once and cannot be recovered. If you lose it, encrypted transcripts are permanently unreadable — that's the proof that we can't read them either.
Send the Account Key to IT via a secure channel, then store it:
liberty add LOCKSTOCK_ACCOUNT_KEY "your-64-char-hex-key"
Without the Account Key, your gateway still runs — the audit chain records every action and the kill switch works. But transcript content will not be encrypted, and the Auditor tab in your dashboard will show "Blob not available" for all transcripts. You can add the Account Key later and restart the gateway.
Account Key64-char hex |
Encryption key for transcripts. Generated entirely in your browser — the server never sees it, only a verification hash. This is what lets you read the exact prompts and responses your agents processed, decrypted in your browser. The server stores only ciphertext it cannot read. | Compliance + IT |
Register at least one agent before starting the gateway. Choose one path:
# Option A: Provision from the CLI (recommended — one command, fully automatic) lockstock-gateway provision --name my-agent # The CLI auto-detects your provider from Liberty. Override with: # lockstock-gateway provision --name my-agent --provider anthropic-native # Option B: Provision from the dashboard, then activate locally # 1. Go to dashboard > Provision Agent > copy Agent ID and Genesis Token # 2. Run: lockstock-gateway activate \ --agent "agent_XXXXXXXX_my_agent" \ --token "your-genesis-token" \ --name my-agent # --name sets the Liberty key label (e.g., LOCKSTOCK_AGENT_MY_AGENT). # If omitted, derived from the agent ID. # Verify your registered agents lockstock-gateway agents
Dashboard genesis tokens are single-use and expire in 24 hours. If yours has expired, provision a new agent from the dashboard.
Adding agents later? If your gateway is already running, restart it
after provisioning so it picks up the new agent:
lockstock-gateway stop && lockstock-gateway start
lockstock-gateway start
lockstock-gateway start reads all credentials from Liberty, creates a secure
environment, starts the Docker container with --network host (binds 127.0.0.1:4000),
and shreds the temporary env file. No manual environment variables needed.
Verify it's running:
curl http://localhost:4000/healthz
# {"status": "ok", "version": "4.6.2"}
To stop: lockstock-gateway stop •
Full status (container + agents + config): lockstock-gateway status
These are the container-side variable names, used in Docker Compose and Kubernetes manifests.
If you use lockstock-gateway start with Liberty, store them with the LOCKSTOCK_ prefix
(e.g., LOCKSTOCK_UPSTREAM_URL). The CLI maps them automatically.
| Variable | Description |
|---|---|
LOCKSTOCK_GATEWAY_KEY required |
Gateway Key (lsk_gateway_*) from your welcome email. Store it with liberty add LOCKSTOCK_GATEWAY_KEY. If lost, regenerate in the dashboard under API Keys. Stamp-only, least-privilege — the container cannot access admin endpoints. |
UPSTREAM_URL required |
The AI provider your agents call. Examples: https://api.openai.com, https://api.anthropic.com, https://bedrock-runtime.us-east-1.amazonaws.com |
ACCOUNT_KEY required |
64-character hex key for encrypted transcript storage. Generated in the dashboard (Step 5). Enables the Auditor tab — without it, all transcripts show "Blob not available." The audit chain and kill switch still work, but you cannot read what your agents said. |
AGENT_ID required |
Every request must identify its agent. For single-agent deployments, the CLI sets this automatically. For multiple agents, each client sends the X-D3cipher-Agent header instead (see Step 8). Either way, the gateway must know which agent is making the request. |
MLS_SEED auto-generated |
Agent-to-agent E2EE (ADR-002). Generated automatically by lockstock-gateway setup (which runs during provision and activate). The MLS (Messaging Layer Security) sidecar provides encrypted agent-to-agent communication — within your org or across company boundaries. Agents generate chain-bound KeyPackages and establish E2E sessions that even d3cipher cannot read. Independent of Account Key — three separate secrets, three separate blast radii. Verify with: lockstock-gateway config |
LOCKSTOCK_URL optional |
Override the d3cipher cloud URL. Only needed for on-premise deployments. Defaults to production. |
What is MLS? Messaging Layer Security (RFC 9420)
is the IETF standard for scalable end-to-end encrypted group communication.
Every gateway container ships with a compiled MLS binary (/usr/local/bin/mls-agent).
When to enable it: When your agents exchange data with each other or with agents at other organizations. Layer 4 (Account Key) encrypts transcripts so d3cipher can't read them. MLS (Layer 5) encrypts agent-to-agent messages so no one outside the session — not other teams, not operators, not d3cipher — can read the exchange.
How it connects to the chain: MLS KeyPackages are chain events. The MLS credential IS the agent's chain state hash — a frozen or revoked agent's KeyPackages are automatically rejected. No separate revocation list needed.
Kubernetes? The gateway exposes /healthz for liveness probes
and /metrics for Prometheus scraping. Single replica recommended (agent state is in-memory).
Change your AI client's base URL to route through the gateway instead of directly to the provider:
# OpenAI SDK / OpenAI-compatible OPENAI_BASE_URL=http://localhost:4000 # Anthropic SDK / Claude Code ANTHROPIC_BASE_URL=http://localhost:4000
That's it. The CLI auto-sets the default agent identity when exactly one agent is registered — no header needed. Just change the base URL and go.
Each client identifies itself to the gateway with the X-D3cipher-Agent header.
The value is the agent ID from Liberty — the agent_XXXXXXXX_my_agent
format written by lockstock-gateway provision or activate in Step 6.
You can retrieve it with:
liberty show LOCKSTOCK_AGENT_MY_AGENT
# → agent_a3f7b2c1_my_agent
How you set that header depends on which SDK your agent uses:
# ── Claude Code ────────────────────────────────────────────── # Set ANTHROPIC_CUSTOM_HEADERS before launching Claude Code. # The SDK sends these headers on every API request. # Docs: https://docs.anthropic.com/en/docs/build-with-claude/claude-code export ANTHROPIC_BASE_URL=http://localhost:4000 export ANTHROPIC_API_KEY=$(liberty show ANTHROPIC_API_KEY) export ANTHROPIC_CUSTOM_HEADERS="X-D3cipher-Agent: $(liberty show LOCKSTOCK_AGENT_MY_AGENT)" claude # ── OpenAI Python SDK ──────────────────────────────────────── # Pass the header via default_headers on the client constructor. # Docs: https://github.com/openai/openai-python#custom-headers import openai client = openai.OpenAI( base_url="http://localhost:4000/v1", api_key="sk-...", # your OpenAI key default_headers={ "X-D3cipher-Agent": "agent_a3f7b2c1_my_agent" # from Liberty } ) # ── OpenAI Node.js SDK ─────────────────────────────────────── # Docs: https://github.com/openai/openai-node#custom-headers const client = new OpenAI({ baseURL: "http://localhost:4000/v1", apiKey: "sk-...", defaultHeaders: { "X-D3cipher-Agent": "agent_a3f7b2c1_my_agent" // from Liberty } }); # ── curl ───────────────────────────────────────────────────── curl http://localhost:4000/v1/chat/completions \ -H "Authorization: Bearer sk-..." \ -H "X-D3cipher-Agent: $(liberty show LOCKSTOCK_AGENT_MY_AGENT)" \ -H "Content-Type: application/json" \ -d '{"model":"gpt-4","messages":[{"role":"user","content":"hello"}]}'
That's it. No SDK to install. No middleware to inject. No code changes beyond the base URL (and one header for multi-agent). The agents think they're talking to their AI provider. They're actually talking to a gateway in your own network that enforces your governance policies.
Refresh your dashboard. Agents appear as they make their first call.
Lock any agent instantly from the dashboard. The gateway returns a 429 error to the agent. The request never reaches the AI provider. Unlock when ready.
Set per-agent spending limits. When an agent exhausts its token budget, the circuit breaker
trips automatically. The gateway also clamps max_tokens on each request to prevent
a single call from blowing the remaining budget.
If you provided an Account Key, open the Auditor tab in the dashboard. Enter your key. Read the full content of every prompt and response, decrypted entirely in your browser. The d3cipher server stores only ciphertext it cannot read.
Sentinel ML monitors agent request velocity using incremental statistical analysis. Unusual spikes trigger alerts. The circuit breaker can automatically halt agents that exceed defined thresholds.
Prompts and completions. API keys. Customer data. Request and response bodies. The Account Key. Everything that matters stays behind your firewall.
Agent ID. Task type. Timestamp. Token count. Sequence number. Cryptographic hashes. Encrypted blobs (that only your Account Key can decrypt). Governance metadata — not your data.
LockStock ships two Docker images built from the same codebase. They share the same cryptographic libraries but have a hard trust boundary between them:
| Gateway | Admin-Tools | |
|---|---|---|
| Image | d3cipher/lockstock-images/gateway |
d3cipher/lockstock-images/admin-tools |
| Purpose | Reverse proxy — stamp, encrypt, forward | Compliance tooling — decrypt transcripts, rotate keys |
| Runs as | Service (port 4000, always on) | CLI (on-demand, not a service) |
| Can encrypt | Yes | Yes |
| Can decrypt | No — decrypt function stripped at build time | Yes — full decrypt capability |
| Lives on | Your infrastructure (next to agents) | Operator's machine (compliance officer) |
| CLI commands | lockstock-gateway start|stop|status|provision|agents|config — ships in admin-tools, manages the gateway container from the hostlockstock-audit, lockstock-rotate — run via admin-tools container |
|
Why strip decrypt from the gateway? The gateway sits in your production network, handling live traffic. If it were compromised, an attacker with decrypt capability could read every transcript. By removing the decrypt function at build time (and verifying its absence), a compromised gateway can only see ciphertext — exactly what the d3cipher cloud sees. Decryption happens offline, on the operator's machine, with the Admin-Tools container.
The admin-tools container provides two CLI commands for compliance officers:
# Decrypt and read agent transcripts docker run --rm registry.gitlab.com/d3cipher/lockstock-images/admin-tools:v4.19.2 \ lockstock-audit \ --account-key "your-64-char-hex-key" \ --agent-id "agent_0d20202e_claude_d3cipher" \ --api-key "lsk_admin_..." \ --format json # Rotate your Account Key (re-wrap all agent encryption keys) docker run --rm registry.gitlab.com/d3cipher/lockstock-images/admin-tools:v4.19.2 \ lockstock-rotate \ --old-key "current-64-char-hex-key" \ --new-key "new-64-char-hex-key" \ --api-key "lsk_admin_..." \ --dry-run
lockstock-audit fetches encrypted blobs from the d3cipher cloud, unwraps the encryption keys
using your Account Key, and outputs the plaintext transcripts locally. Nothing is sent back to the server.
lockstock-rotate re-wraps all encryption keys under a new Account Key — use it if your
Account Key is compromised or as part of a regular key rotation policy.
version: "3.8"
services:
d3cipher-gateway:
image: registry.gitlab.com/d3cipher/lockstock-images/gateway:v4.19.2
ports:
- "127.0.0.1:4000:4000"
environment:
LOCKSTOCK_GATEWAY_KEY: "${LOCKSTOCK_GATEWAY_KEY}" # From Liberty: liberty show LOCKSTOCK_GATEWAY_KEY
UPSTREAM_URL: "https://api.openai.com"
ACCOUNT_KEY: "${ACCOUNT_KEY}"
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:4000/healthz"]
interval: 30s
timeout: 5s
retries: 3
apiVersion: apps/v1
kind: Deployment
metadata:
name: d3cipher-gateway
spec:
replicas: 1
selector:
matchLabels:
app: d3cipher-gateway
template:
metadata:
labels:
app: d3cipher-gateway
spec:
containers:
- name: gateway
image: registry.gitlab.com/d3cipher/lockstock-images/gateway:v4.19.2
ports:
- containerPort: 4000
env:
- name: LOCKSTOCK_GATEWAY_KEY
valueFrom:
secretKeyRef:
name: d3cipher-secrets
key: api-key
- name: UPSTREAM_URL
value: "https://api.openai.com"
- name: ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: d3cipher-secrets
key: account-key
livenessProbe:
httpGet:
path: /healthz
port: 4000
initialDelaySeconds: 5
periodSeconds: 30
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
name: d3cipher-gateway
spec:
selector:
app: d3cipher-gateway
ports:
- port: 4000
targetPort: 4000
type: ClusterIP
Single replica recommended. The gateway maintains per-agent state in memory (DEK cache, budget tracking, connection pools). Multiple replicas would create independent state per pod. Horizontal scaling is on the roadmap.
| Path | Purpose |
|---|---|
/healthz |
Liveness probe. Returns 200 if gateway is up and d3cipher cloud is reachable, 503 if degraded. |
/metrics |
Prometheus-compatible metrics: request count, rejection count, and latency per agent. |
/* |
Everything else is proxied to UPSTREAM_URL through LockStock governance middleware. |
lockstock-gateway: command not found: Extract the CLI from the admin-tools image (Step 3). If already extracted, add ~/.local/bin to your PATH: export PATH="$HOME/.local/bin:$PATH"
Gateway returns 400 "Missing X-D3cipher-Agent header": Either set AGENT_ID on the container for a default, or add the X-D3cipher-Agent header to each agent's HTTP requests.
Gateway returns 429 "Token budget exhausted": The agent's token budget is depleted. Go to the dashboard, increase the budget or click Unlock to reset the counter.
Gateway returns 409 "Chain hash mismatch": The agent's chain has forked — a duplicate agent, a replay attempt, or a cloned credential. This is a hard stop. Investigate immediately.
Gateway returns 503 "LockStock stamp rejected": The circuit breaker has tripped (velocity anomaly or manual lock). Check the dashboard for the reason. Click Unlock to restore access.
/healthz returns 503: The gateway can't reach the d3cipher cloud. Check network connectivity and LOCKSTOCK_URL if set.
Agents not appearing in dashboard: Make sure the agents are actually sending requests through the gateway (check OPENAI_BASE_URL points to the gateway, not directly to OpenAI).
Transcripts show "Blob not available": The ACCOUNT_KEY environment variable wasn't set when those requests were processed. Set it and future transcripts will be encrypted and stored.