Self-hosted proxy for AI coding agents: per-team spend caps, secret-scanning at egress, and a metadata-only audit log
Conduit is a self-hosted proxy designed to sit between AI coding agents and their API providers, enabling per-team spend caps, egress secret scanning, and metadata-only audit logging. It enforces hard budgets at the gateway, blocks requests containing sensitive secrets before they reach providers, and records only metadata without storing prompts or completions. The project is open-source under Apache 2.0 and runs entirely within the user's cloud environment, providing governance and cost attribution features that shared API keys lack. It is currently single-org tested and does not yet include advanced governance or enterprise certifications.
AI Analysis
Technical Summary
Conduit is a self-hosted proxy for AI coding agents that addresses two operational problems: a shared provider API key makes spend impossible to attribute to a team, and nothing stops an agent from sending secrets to a provider API. It enforces hard per-team spend caps with real-time blocking, performs egress secret scanning to block sensitive credentials (e.g., AWS keys, private keys, tokens) before they leave the network, and maintains an append-only audit log containing only metadata about requests. The proxy supports multiple upstream providers (Anthropic, OpenAI, Bedrock, Azure); the author names LiteLLM and Portkey as the alternatives other teams may be using. It is designed to run in Docker with Postgres, Redis, and ClickHouse, and addresses supply-chain security with cosign-signed multi-arch container images and a CycloneDX SBOM attached as a signed attestation. The project is open-source and currently lacks enterprise-grade certifications and advanced governance features but aims to fill gaps in cost attribution, egress control, and audit readiness for AI coding agent usage.
Potential Impact
Conduit mitigates operational risks related to uncontrolled spending on AI coding agent APIs and the accidental or malicious leakage of sensitive secrets in outbound requests. By enforcing hard spend caps and blocking requests containing secrets before they reach providers, it reduces financial exposure and data leakage risks. The metadata-only audit log supports compliance and auditing without storing sensitive prompt or completion data. However, it is not a vulnerability or exploit itself but a security control tool. There are no known exploits in the wild related to Conduit, and it does not introduce direct vulnerabilities based on the provided information.
Mitigation Recommendations
This is not a vulnerability but a security control solution. Users interested in controlling AI coding agent spend and egress governance can deploy Conduit as described in its documentation. Since it is open-source and self-hosted, organizations should follow the installation and configuration guides to implement it securely. No patch or remediation is applicable. Users should verify container image signatures and review the security posture documentation before deployment. Advanced governance features and enterprise certifications are planned but not yet available, so organizations should assess if Conduit meets their compliance requirements before adoption.
Reddit Discussion
We rolled out Claude Code / Cursor to the team and hit two ops problems fast: a shared provider key means finance can't attribute the bill to anyone, and there's nothing stopping an agent from shipping an AWS key or internal secret straight to a provider API.
So I built Conduit — a self-hosted proxy you put in front of Anthropic (or Bedrock) and OpenAI (or Azure). Agents point at it and it forwards the request. Runs in Docker with Postgres/Redis/ClickHouse.
What it does:
- Hard per-team spend caps, enforced at the gateway before the request leaves your network. Counters are in Redis so the block is real-time — over the limit returns a 402. Auth fails closed; budgets fail open (a cost control shouldn't take down the data path over a Redis blip — configurable).
- Egress secret-scanning: blocks AWS keys, private keys, JWTs, GitHub/Stripe tokens before they reach the provider. Alert mode first, then promote categories to block. Records the category, never the value.
- Append-only audit log (CSV/JSON): who, when, model, tokens, cost, governance category. Prompts and completions are never stored — no code path writes them to disk.
- Supply chain: multi-arch images (amd64+arm64), cosign-signed keyless via OIDC, CycloneDX SBOM attached as a signed attestation.
Honest about scope: the response cache is exact-match (good for repeated programmatic calls, won't hit interactive coding sessions), the scanner is high-confidence regex + a per-org entity list (not ML DLP), and it's single-org tested so far.
Apache-2.0, quickstart + screenshots in the README:
https://github.com/anee769/conduit
Curious how others are handling agent spend attribution and egress control — rolling your own, LiteLLM/Portkey, or just eating the risk?
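The gateway decision path the post describes (auth fails closed, secret scanning that records the category but never the value with per-category alert-or-block, and a budget check that fails open when the counter store is unreachable) as an added Python sketch. This is editorial example code, not Conduit's implementation: the team keys, caps, regex patterns, the in-memory stand-in for Redis and the sample request bodies are all constructed here, and the AWS access key used is the placeholder from AWS's own documentation.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed high-confidence patterns for this example; Conduit's own rule set is not on the page.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
}

# Constructed gateway config: which proxy key maps to which team, USD caps per period,
# and which categories are promoted from alert to block.
KEYS = {"ck_team_alpha": "alpha", "ck_team_beta": "beta"}
CAPS = {"alpha": 5.00, "beta": 0.50}
BLOCK = {"aws_access_key", "private_key"}  # github_token and jwt remain in alert mode

# Constructed sample request bodies (the AWS key is the documented AWS placeholder).
CLEAN = "Refactor the parser in src/lex.py to use a state machine."
AWS_BODY = "Here is my config: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"
GH_BODY = "use token ghp_" + "A" * 36 + " to clone the repo"


class StoreUnavailable(Exception):
    """Raised when the counter store (Redis in the real proxy) cannot be reached."""


class CounterStore:
    """In-memory stand-in for the Redis spend counters; available=False simulates an outage."""

    def __init__(self, available: bool = True) -> None:
        self.spend: dict[str, float] = {}
        self.available = available

    def get(self, team: str) -> float:
        if not self.available:
            raise StoreUnavailable(team)
        return self.spend.get(team, 0.0)

    def add(self, team: str, usd: float) -> float:
        if not self.available:
            raise StoreUnavailable(team)
        self.spend[team] = self.spend.get(team, 0.0) + usd
        return self.spend[team]


@dataclass
class Decision:
    # 200 forward, 401 unknown key, 402 over cap, 403 secret blocked, 503 store down (fail closed)
    status: int
    # Metadata-only audit record: never the prompt, never a matched secret value.
    audit: dict = field(default_factory=dict)


def scan_secrets(body: str) -> list[str]:
    """Return the sorted secret categories found in the outbound body (categories only)."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(body))


def gateway_check(api_key, body, model, est_cost_usd, keys, caps, store,
                  block_categories, budgets_fail_open=True) -> Decision:
    audit = {"ts": time.time(), "model": model, "est_cost_usd": est_cost_usd}
    # 1. Auth fails closed: an unknown proxy key never reaches the upstream provider.
    team = keys.get(api_key)
    if team is None:
        audit["action"] = "reject_auth"
        return Decision(401, audit)
    audit["team"] = team
    # 2. Egress secret scan: the audit record carries the category list, not the match.
    found = scan_secrets(body)
    audit["governance"] = found
    if any(c in block_categories for c in found):
        audit["action"] = "block_secret"
        return Decision(403, audit)
    if found:
        audit["alert"] = True  # alert mode: forward, but flag for review
    # 3. Budget check; fails open by default so a store outage does not take down the data path.
    try:
        if store.get(team) + est_cost_usd > caps.get(team, 0.0):
            audit["action"] = "block_budget"
            return Decision(402, audit)
        store.add(team, est_cost_usd)  # simplified: real proxies settle on actual token usage
    except StoreUnavailable:
        audit["budget_store"] = "unavailable"
        if not budgets_fail_open:
            audit["action"] = "reject_store_down"
            return Decision(503, audit)
    audit["action"] = "forward"
    return Decision(200, audit)


def demo() -> list[int]:
    """Run the constructed scenarios and return their HTTP-style statuses."""
    store = CounterStore()
    out = [
        gateway_check("bogus", CLEAN, "model-x", 0.01, KEYS, CAPS, store, BLOCK).status,         # 401
        gateway_check("ck_team_alpha", AWS_BODY, "model-x", 0.01, KEYS, CAPS, store, BLOCK).status,  # 403
        gateway_check("ck_team_alpha", GH_BODY, "model-x", 0.01, KEYS, CAPS, store, BLOCK).status,   # 200, alert
        gateway_check("ck_team_beta", CLEAN, "model-x", 0.40, KEYS, CAPS, store, BLOCK).status,      # 200
        gateway_check("ck_team_beta", CLEAN, "model-x", 0.20, KEYS, CAPS, store, BLOCK).status,      # 402
    ]
    down = CounterStore(available=False)
    out.append(gateway_check("ck_team_alpha", CLEAN, "model-x", 0.01, KEYS, CAPS, down, BLOCK).status)  # 200, fail open
    out.append(gateway_check("ck_team_alpha", CLEAN, "model-x", 0.01, KEYS, CAPS, down, BLOCK,
                             budgets_fail_open=False).status)  # 503, fail closed
    return out


if __name__ == "__main__":
    print(demo())
```

The ordering (auth, then scan, then budget) means a request carrying a blocked secret never consumes budget, and the audit dictionary is the only thing a log sink would ever see, which is how the "never the value" property is kept structurally rather than by redaction after the fact.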
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":22,"reasons":["external_link","non_newsworthy_keywords:meta","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":["meta"]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a4541fe27e9c79719cde944
Added to database: 07/01/2026, 16:36:14 UTC
Last enriched: 07/01/2026, 16:36:29 UTC
Last updated: 07/02/2026, 03:21:22 UTC
Views: 6