Support for chained proxies / proxy composition

[dpup]

Enable Moat to support chaining multiple transparent proxies for outbound network and LLM traffic (e.g. Headroom, logging, telemetry, policy enforcement), while preserving isolation, debuggability, and minimal configuration.

Problem

Developers increasingly rely on transparent proxies for:

• LLM cost reduction / context compression (e.g. Headroom)
• Logging and observability
• Policy enforcement and activity interception
• Replay and audit

Each proxy typically assumes it is the proxy. This creates friction when users want:

• Multiple proxies
• Clear ordering
• Local-first execution
• Strong sandbox boundaries

Moat already acts as a control plane for execution. It should also act as a proxy orchestration layer.

Goals

• Allow multiple proxies to be composed deterministically
• Keep agent / app configuration unchanged (transparent where possible)
• Preserve Moat’s security, audit, and replay guarantees
• Make proxy behavior inspectable and debuggable

Requirements

• Users can declare an ordered proxy chain
• Proxies apply to outbound:
• LLM API traffic
• HTTP(S) traffic
• Ordering is explicit and stable
• Proxies must not bypass Moat’s sandbox or credential boundaries

Example config:

proxies:
  - chopratejas/headroom
  - seifghazi/claude-code-proxy
  - fuergaosi233/claude-code-proxy
  - moat-telemetry
  - moat-policy

Open Questions

• Should proxies run:
  • inside the sandbox?
  • as sidecars?
  • as host-level services managed by Moat?
• How to snapshot / replay proxied interactions?
• Should before/after payloads be logged?