CyberArmor

Pre-Ingestion URL Trust Gate and AI Security Runtime

CyberArmor evaluates URLs, web pages, prompts, and agent-bound content before humans, browsers, applications, or AI agents trust them. It detects phishing, hidden prompt injection, promptware, credential-harvesting signals, sensitive-data risk, and IOC indicators, then enforces tenant policy through allow, warn, redact, sandbox, block, isolate, route, or evidence-only decisions. — Comprehensive protection for organizations deploying AI, Agentic AI, and LLM-powered applications.

Overview

CyberArmor is a zero-trust, multi-layered security platform that provides real-time monitoring, policy enforcement, data loss prevention, and compliance management for enterprise AI workloads. Designed to support deployment with FIPS 140-3-validated cryptographic modules where required by customer environments, and aligned with CNSA 2.0+ post-quantum algorithm recommendations.

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                        Admin Dashboard                          │
│                    (Vanilla JS SPA + Nginx)                     │
├─────────────────────────────────────────────────────────────────┤
│                       Ingress / Load Balancer                   │
├────────┬────────┬────────┬────────┬────────┬────────┬──────────┤
│Control │ Policy │Detect- │Response│Identity│  SIEM  │Compliance│
│ Plane  │ Engine │  ion   │        │Provider│Connector│ Engine  │
│ :8000  │ :8001  │ :8002  │ :8003  │ :8004  │ :8005  │ :8006   │
├────────┬────────┬────────┬────────┬────────┬────────┬──────────┤
│ Agent  │AI Router│ Audit │Integ-  │Runtime │Secrets │ OpenBao  │
│Identity│        │       │ration  │  API   │Service │  Vault   │
│ :8008  │ :8009  │ :8011 │ :8012  │ :8010  │ :8013  │          │
├────────────────────────────┬────────────────────────────────────┤
│  URL / Context Trust Gate  │  Detonation Worker (isolated net)  │
│          :8014             │          :8015 (internal only)     │
├────────────────────────────┴────────────────────────────────────┤
│                   Transparent AI Proxy (:8080)                  │
│             (mitmproxy dev; HTTPS on :8443 in dev)              │
├─────────────────────────────────────────────────────────────────┤
│   PostgreSQL              Redis              Message Queue      │
├──────────┬──────────┬──────────┬──────────┬─────────────────────┤
│ Endpoint │ Browser  │   IDE    │ Office   │   RASP Agents       │
│  Agent   │Extensions│Extensions│ Add-ins  │  (9 languages)      │
├──────────┼──────────┼──────────┼──────────┼─────────────────────┤
│  macOS   │ Chrome   │ VS Code  │  Word    │  Java  │  .NET     │
│ Windows  │ Firefox  │ Visual   │  Excel   │ Python │  Node.js  │
│  Linux   │  Safari  │  Studio  │ PowerPt  │   Go   │  Rust     │
│          │   Edge   │  Cursor  │ OneNote  │  Ruby  │  PHP      │
│          │  Brave   │   Kiro   │ Outlook  │  C/C++ │           │
├──────────┴──────────┴──────────┴──────────┴────────┴───────────┤
│  Kernel: Linux eBPF │ macOS Endpoint Security │ Windows WFP    │
├─────────────────────┴────────────────────────┴─────────────────┤
│  ROS2 Agent (Robotics)  │  React Native Mobile (iOS/Android)   │
└─────────────────────────┴──────────────────────────────────────┘

Core Services

Service	Port	Description
Control Plane	8000	Central API gateway, tenant management, API key CRUD
Policy Engine	8001	Extensible AND/OR policy evaluation, priority-based rules
Detection	8002	Prompt injection, jailbreak, toxicity, PII detection
Response	8003	Incident management, automated response actions
Identity Provider	8004	SSO integration (Entra ID, Okta, Ping, AWS IAM)
SIEM Connector	8005	Output to Splunk, Sentinel, QRadar, Elastic, Google SecOps, Syslog/CEF
Compliance Engine	8006	14 compliance frameworks with evidence-based assessment
Agent Identity	8008	AI agent identities, credentials, tokens, and delegation chains
AI Router	8009	Unified gateway to AI providers with credential vault, request normalization, cost tracking, and governance
Proxy Agent	8010	Policy decision API and local block actions
Audit Service	8011	Immutable PQC-signed audit log and AI action graph
Integration Control	8012	SaaS integration discovery, OAuth scope visibility, and control actions
Secrets Service	8013	Thin CyberArmor control layer over OpenBao: tenant/provider credential storage, transit encrypt/decrypt/sign, key rotation
URL / Context Trust Gate	8014	Pre-ingestion safety check for URLs and external content destined for humans, browsers, endpoint agents, RASP-instrumented apps, and AI agents. Detects phishing, hidden prompt injection, promptware, and IOCs before content reaches AI context.
Detonation Worker	8015 (internal)	Isolated Playwright sandbox for the URL Trust Gate. Renders attacker-controlled URLs in one-shot Chromium contexts on a dedicated detonation network with no route to internal services. Built on Microsoft's published Playwright image.
Transparent Proxy	8080 / 8443	AI traffic interception, inspection, and policy enforcement
OpenBao Vault	—	Underlying secret and cryptographic engine (KV, transit, key management)

Security Features

• Post-Quantum Cryptography: ML-KEM-1024 (Kyber) key encapsulation, ML-DSA-87 (Dilithium) signing
• PQC API Key Transport: PQC:<base64> header format with AES-256-GCM encryption
• Zero Trust Architecture: All inter-service communication authenticated
• Multi-Tenant: Complete tenant isolation across all services
• FIPS 140-3 Support: Designed to integrate with FIPS 140-3-validated cryptographic modules where customer environments require them
• CNSA 2.0+ Ready: Post-quantum algorithm suite

Compliance Frameworks (14)

Framework	Controls	Description
NIST CSF 2.0	18	Cybersecurity Framework
NIST 800-53 r5	20	Security and Privacy Controls
NIST AI RMF	17	AI Risk Management Framework
CMMC Level 3	16	Cybersecurity Maturity Model
NYDFS 23 NYCRR 500	15	NY Financial Services Cybersecurity
ISO 27001:2022	18	Information Security Management
CIS Controls v8	16	Center for Internet Security
CSA CCM v4	16	Cloud Security Alliance
OWASP (Combined)	19	Web + API + LLM Top 10 2025 + Agentic AI
SANS Top 25	15	Most Dangerous Software Weaknesses
PCI-DSS v4.0	17	Payment Card Industry
SOC 2	19	Trust Services Criteria
GDPR	16	EU General Data Protection
CCPA/CPRA	14	California Consumer Privacy

URL / Context Trust Gate

A pre-ingestion control point that sits between consumers (humans, browsers, endpoint agents, RASP-instrumented apps, AI agents) and the open web. Before any consumer follows a URL or ingests external content, the gate canonicalizes the destination, fetches it safely, scores for phishing / hidden prompt injection / promptware / data-exfil / IOCs, and applies a policy decision (allow / warn / redact / sandbox / block / isolate) — preserving evidence as it goes.

This addresses the gap between traditional URL filters ("is this site malicious for a human?") and AI security ("is this site safe for a browser AND an AI agent to consume?"). Existing Safe Browsing / SmartScreen / VirusTotal feeds do not detect AI-context attacks like indirect prompt injection or hidden promptware payloads in CSS-hidden / Unicode-tag-encoded text.

Consumer hooks ship in this repo:

• Browser extension: extensions/chromium-shared/url_trust_gate.js — webNavigation.onBeforeNavigate listener with fast-path race + async standard-depth backfill.
• Endpoint agent: agents/endpoint-agent/monitors/url_trust_gate.py — gate client + loopback IPC daemon (127.0.0.1:48515) that other endpoint software (IDE addins, custom agents, MCP clients) can call before connecting; integrated into the agent's network monitor.
• RASP (Python): rasp/python/cyberarmor_rasp_url_trust_gate.py — monkeypatches requests / httpx / urllib3 so server-side AI tools consult the gate before any outbound URL fetch.
• LangChain SDK: sdks/python/cyberarmor/frameworks/langchain_url_trust_gate.py — wrap_tool / wrap_agent_tools / make_guarded_browser_tool for AI agents.
• LlamaIndex SDK: sdks/python/cyberarmor/frameworks/llamaindex.py — reader and node-parser hooks that gate URLs before LlamaIndex fetches or indexes external content.

Optional reputation feeds (configurable, gate works without them):

• Google Safe Browsing v4 — set SAFE_BROWSING_API_KEY
• Microsoft SmartScreen (Defender Threat Intelligence) — set SMARTSCREEN_TENANT_ID / SMARTSCREEN_CLIENT_ID / SMARTSCREEN_CLIENT_SECRET
• VirusTotal v3 — set VIRUSTOTAL_API_KEY; results cached in-process for VIRUSTOTAL_CACHE_TTL_S seconds

See docs/architecture/url-trust-gate.md for the full pipeline, latency budgets, decision actions, evidence schema, and production traps with code-level guards mapped to each.

Quick Start

15-minute URL Trust Gate PoC

For evaluators who want to see the URL Trust Gate block live attack pages without standing up the full stack:

git clone https://github.com/aisecurefuture/CyberArmorAi.git
cd CyberArmorAi
bash scripts/poc/install.sh

The script generates secrets, brings up only the services the gate needs (policy, detection, audit, response, postgres, redis, opa, url-trust-gate, plus a poc-test-server serving four crafted pages), waits for health, and runs scripts/poc/run_url_trust_gate_demo.py to demonstrate live verdicts on:

• a benign tea-blends article (expected: allow)
• a display:none promptware payload (expected: warn / redact / block)
• an instruction interleaved with zero-width characters (expected: warn / redact / block)
• a fake Microsoft sign-in credential-harvest page (expected: warn / redact / block)

See scripts/poc/README.md for prerequisites, hardening steps before production, and troubleshooting.

Docker Compose (Development)

cd infra/docker-compose
cp .env.example .env
# Edit .env with your configuration
docker-compose up -d

Access the admin dashboard at http://localhost:3000

Smoke Test

# Start stack + run validation
./scripts/smoke-test.sh --up

# Run validation only (stack already running)
./scripts/smoke-test.sh

Deployment Docs

• Hetzner Ubuntu test deployment: docs/deployment/hetzner-ubuntu-vm.md
• One-pass first-server checklist: docs/deployment/hetzner-first-server-checklist.md
• PQC auth rollout guide: docs/security/pqc-auth-rollout.md
• OpenBao + secrets service architecture: docs/architecture/openbao-cyberarmor-secrets-service.md
• Jenkins security and OpenBao integration pipeline: docs/security/jenkins-security-pipeline.md
• Jenkins security pipeline: docs/security/jenkins-security-pipeline.md
• V1 readiness and tenant onboarding plan: docs/v1-readiness-plan.md
• Ubuntu hardening helper script: scripts/hardening/harden_ubuntu_server.sh

Current Product Boundary

The URL Trust Gate runs end-to-end and is pilot-ready: the 15-minute PoC installer brings up the full gate stack on any developer laptop, and the three reputation feeds (Google Safe Browsing, SmartScreen, VirusTotal) are configurable via environment variables. The broader platform is deployable for internal testing, staging, and controlled design-partner validation. Remaining work before general availability includes tenant-facing self-service onboarding, MFA enforcement, and the OpenAI/Anthropic tool-use URL field wrappers (next on the build queue). See docs/architecture/capability-status.md for the full status table.

Kubernetes / Helm (Production)

cd infra/helm/cyberarmor
# Edit values.yaml for your environment
helm install cyberarmor . -n cyberarmor --create-namespace

Endpoint Agent

cd agents/endpoint-agent
pip install -r requirements.txt
sudo python installer.py install --server https://your-cyberarmor-server --api-key YOUR_KEY

Project Structure

ai-protect-system-claude-4.6/
├── admin-dashboard/          # Vanilla JS admin SPA (16 views)
├── agents/
│   ├── endpoint-agent/       # Cross-platform endpoint security agent
│   │   ├── crypto/           # PQC key transport & signing
│   │   ├── dlp/              # Data loss prevention scanner
│   │   ├── monitors/         # Process, network, file, AI tool monitors
│   │   ├── platform/         # macOS, Windows, Linux integrations
│   │   └── zero_day/         # RCE guard & sandbox
│   ├── proxy-agent/          # Policy decision agent API
│   └── ros-agent/            # ROS2 robotics security agent
├── extensions/
│   ├── chromium-shared/      # Shared Chrome/Brave/Edge extension (MV3)
│   ├── edge/                 # Edge-specific manifest
│   ├── firefox/              # Firefox extension (MV2)
│   ├── safari/               # Safari Web Extension
│   ├── vscode/               # VS Code extension (TypeScript)
│   ├── visual-studio/        # Visual Studio extension (C#)
│   ├── cursor/               # Cursor IDE extension
│   ├── kiro/                 # Kiro IDE extension
│   └── office365/            # Office 365 add-in (Word, Excel, PPT, OneNote, Outlook)
├── scripts/
│   ├── poc/                  # 15-minute URL Trust Gate PoC: install.sh, uninstall.sh, demo script, four attack pages, README
│   ├── hardening/            # Ubuntu server hardening helper
│   └── smoke-test.sh         # Full-stack smoke test
├── infra/
│   ├── docker-compose/       # Docker Compose for local development
│   ├── envoy/                # Envoy proxy config + Lua filter
│   └── helm/cyberarmor/      # Kubernetes Helm chart
├── kernel/
│   ├── linux/                # eBPF monitoring programs
│   ├── macos/                # Endpoint Security system extension
│   └── windows/              # Minifilter + WFP driver
├── libs/
│   └── cyberarmor-core/      # Shared PQC crypto library
├── mobile/                   # React Native iOS/Android app
├── rasp/                     # Runtime Application Self-Protection
│   ├── java/                 # Java agent (javaagent)
│   ├── dotnet/               # .NET middleware
│   ├── python/               # Python WSGI/ASGI middleware
│   ├── nodejs/               # Node.js express/koa middleware
│   ├── go/                   # Go http.RoundTripper wrapper
│   ├── rust/                 # Rust inspector
│   ├── ruby/                 # Ruby Rack/Faraday middleware
│   ├── php/                  # PHP PSR-15/Laravel middleware
│   └── c_cpp/                # C/C++ LD_PRELOAD interceptor
└── services/
    ├── agent-identity/       # AI agent identity, credentials, and delegation chains
    ├── ai-router/            # Unified AI provider gateway with credential vault and cost tracking
    ├── audit/                # Immutable PQC-signed audit log and AI action graph
    ├── compliance/           # Compliance engine (14 frameworks)
    ├── control-plane/        # Central API gateway and tenant management
    ├── detection/            # Prompt injection, jailbreak, toxicity, PII detection
    ├── identity/             # Identity provider service
    ├── integration-control/  # SaaS integration discovery and OAuth scope control
    ├── llm-mock/             # Mock LLM endpoint for local development and testing
    ├── policy/               # Policy engine with AND/OR groups
    ├── proxy/                # Transparent proxy core
    ├── response/             # Incident management and automated response actions
    ├── runtime/              # Unified AISR runtime decision API (orchestrates detection, policy, response)
    ├── secrets-service/      # CyberArmor control layer over OpenBao (KV, transit, key rotation)
    ├── siem-connector/       # SIEM output integrations
    ├── url-trust-gate/       # Pre-ingestion control point: canonicalizes URLs, runs SSRF-guarded safe crawl, fans out to detection for prompt-injection / promptware scoring, decides allow/warn/redact/sandbox/block, writes evidence
    └── detonation-worker/    # Isolated Playwright sandbox the gate calls for deep-mode renders. Lives on a dedicated `detonation` Docker network with no route to internal services

Configuration

Environment Variables

Variable	Description	Default
CONTROL_PLANE_URL	Control plane service URL	http://control-plane:8000
POLICY_API_SECRET	Policy service API key	(required)
DETECTION_API_SECRET	Detection service API key	(required)
POSTGRES_URL	PostgreSQL connection string	postgresql://...
REDIS_URL	Redis connection string	redis://redis:6379
PQC_ENABLED	Enable post-quantum crypto	true
FIPS_MODE	Enable FIPS 140-3 mode	true
LOG_LEVEL	Logging level	INFO
AGENT_IDENTITY_API_SECRET	Agent identity service API key	(required)
AGENT_IDENTITY_JWT_SECRET	JWT signing secret for agent tokens	(required)
ROUTER_API_SECRET	AI router service API key	(required)
ROUTER_ENCRYPTION_KEY	AES-256 master key for provider credential encryption	(required)
AUDIT_API_SECRET	Audit service API key	(required)
CYBERARMOR_AUDIT_SIGNING_KEY	PQC signing key for immutable audit entries	(required)
AUDIT_RETENTION_DAYS	Audit log retention period	365
SECRETS_SERVICE_API_SECRET	Secrets service API key	(required)
OPENBAO_ADDR	OpenBao server address	(required)
OPENBAO_TOKEN	OpenBao root/service token	(required)
OPENBAO_NAMESPACE	OpenBao namespace	(optional)
OPENBAO_KV_MOUNT	OpenBao KV secrets mount path	(optional)
OPENBAO_TRANSIT_MOUNT	OpenBao transit engine mount path	(optional)
CYBERARMOR_ENFORCE_SECURE_SECRETS	Reject insecure default secrets at startup	false
CYBERARMOR_ENFORCE_MTLS	Require mTLS for inter-service calls	false
URL_TRUST_GATE_API_SECRET	URL Trust Gate service API key	(required)
DETONATION_WORKER_URL	Base URL of the detonation worker (e.g. http://detonation-worker:8015); unset disables deep-mode	(optional)
DETONATION_WORKER_API_SECRET	Shared secret between the gate and the detonation worker	(required if worker enabled)
SAFE_BROWSING_API_KEY	Google Safe Browsing v4 Lookup API key (optional second-opinion feed; gate works without it)	(optional)
SMARTSCREEN_TENANT_ID	Azure AD tenant ID for Microsoft SmartScreen / Defender Threat Intelligence feed	(optional)
SMARTSCREEN_CLIENT_ID	App registration client ID for SmartScreen feed	(optional)
SMARTSCREEN_CLIENT_SECRET	App registration client secret for SmartScreen feed	(optional)
VIRUSTOTAL_API_KEY	VirusTotal v3 API key for URL reputation feed	(optional)
VIRUSTOTAL_CACHE_TTL_S	In-process TTL for VirusTotal results (seconds)	3600
URL_TRUST_GATE_DETONATION_DEFAULT	Run detonation by default for depth=deep requests (on / off)	off
URL_TRUST_GATE_CRAWLER_TIMEOUT_S	Per-request crawler timeout for the gate's safe fetcher	4.0
URL_TRUST_GATE_CACHE_TTL_S	Reputation-cache TTL on the gate	900

Identity Provider Setup

See docs/azure-app-registration.md for Microsoft Entra ID setup instructions.

RASP Integration

Each RASP agent intercepts AI API calls at the application layer:

# Python example (canonical)
import cyberarmor_rasp
cyberarmor_rasp.init(server="https://your-server", api_key="YOUR_KEY")
# Canonical import is `cyberarmor_rasp`.

# Automatically intercepts requests/httpx calls to AI endpoints

// Node.js example (canonical export path)
const cyberarmor = require('cyberarmor-rasp');
cyberarmor.init({ server: 'https://your-server', apiKey: 'YOUR_KEY' });
// Legacy import `require('cyberarmor-rasp/legacy')` remains supported.
// Automatically patches http/https modules

// Go example
import ca "github.com/cyberarmor/rasp-go"
client := &http.Client{Transport: ca.New(config).RoundTripper(http.DefaultTransport)}

Development

Prerequisites

• Python 3.11+
• Node.js 18+
• Docker & Docker Compose
• (Optional) Kubernetes cluster with Helm 3

Running Services Locally

# Start infrastructure
docker-compose -f infra/docker-compose/docker-compose.yml up -d postgres redis

# Start individual services
cd services/policy && pip install -r requirements.txt && uvicorn main:app --port 8001
cd services/compliance && uvicorn main:app --port 8006

Running Tests

# Shared crypto library
cd libs/cyberarmor-core && python -m pytest tests/

# Policy engine
cd services/policy && python -m pytest

# Compliance frameworks
cd services/compliance && python -m pytest

License

Proprietary - Gratitech Research and Charitable Endeavor Corporation - All rights reserved.

Support

• Enterprise Support: support@cyberarmor.com
• Security Issues: security@cyberarmor.com