Self-hosted Rust appliance. Deploys in your VPC, bare-metal server, or air-gapped OT network. Plugs beneath whatever agent framework or service mesh you already run.
Daylite runs as a central control plane (1-3 HA instances). Agents emit audit events via SDK, proxy mode, or WASM filter. The control plane appends to a SHA-256 hash-chain with HMAC-SHA-256 signatures and generates regulator-admissible evidence packs on demand.
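A minimal sketch of the kind of chain described above, added here as an example; it is not Daylite's code. The record layout, canonical JSON encoding and key are assumptions; only the SHA-256 chaining, the HMAC-SHA-256 signature and the "genesis" starting value come from this page.

```python
import hashlib
import hmac
import json

GENESIS = "genesis"  # the verify output on this page shows "genesis" for an empty chain


def _digest(seq, prev_hash, event):
    # Assumed canonical form: sorted-key compact JSON. The real record layout is not documented here.
    body = {"seq": seq, "prev_hash": prev_hash, "event": event}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append(chain, event, key):
    """Link the event to the previous entry's hash, then sign that hash with HMAC-SHA-256."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = _digest(len(chain), prev, event)
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev_hash": prev, "event": event, "hash": digest, "sig": sig})


def verify(chain, key):
    """Recompute every link and signature; report the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(chain):
        digest = _digest(e["seq"], e["prev_hash"], e["event"])
        sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not (e["seq"] == i and e["prev_hash"] == prev and e["hash"] == digest
                and hmac.compare_digest(e["sig"], sig)):
            return {"verified": False, "chain_length": len(chain), "first_bad": i}
        prev = digest
    return {"verified": True, "chain_length": len(chain), "last_hash": prev}


def demo():
    key = b"constructed-demo-key"  # constructed; the real key must live outside the audit database
    chain = []
    for tool in ("salesforce.query", "github.create_issue", "salesforce.query"):
        append(chain, {"agent_id": "kyc-automation-v2", "tool_name": tool}, key)
    # A writer without the HMAC key edits entry 1 and re-hashes the tail: links match, signatures do not.
    forged = [dict(chain[0])]
    append(forged, dict(chain[1]["event"], tool_name="noop"), b"not-the-key")
    append(forged, chain[2]["event"], b"not-the-key")
    return verify(chain, key), verify(forged, key), verify(chain[:2], key)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result shows a limit of any hash chain: a truncated tail still verifies, so the latest hash has to be recorded somewhere the database writer cannot change.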

```bash
docker run -p 8080:8080 \
  -e DAYLITE_PROFILE=nerc-cip-015-1 \
  -e DATABASE_URL=postgres://daylite:secret@db/daylite \
  ghcr.io/daylite-ai/daylite:latest
# Daylite control plane is running on port 8080.
# Hash-chain audit is active. Profile loaded.
# Next step: integrate your agent framework via SDK or WASM filter.
```

```bash
curl http://localhost:8080/v1/audit/verify
# Returns chain integrity status:
# {
#   "chain_length": 0,
#   "verified": true,
#   "last_hash": "genesis",
#   "profile": "nerc-cip-015-1"
# }
```

Three ways to feed agent actions into Daylite. Choose based on your existing stack.

Embed the Daylite SDK in your agent framework — LangGraph, AutoGen, kagent, Dapr, or custom. Every tool call, state change, and decision emits an event to the control plane asynchronously.

```python
from daylite import DayliteClient

client = DayliteClient(
    control_plane_url="http://daylite.internal:8080",
    api_key="dyl_...",
    agent_id="kyc-automation-v2",
)

# In your LangGraph node
def execute_tool(state):
    with client.audit_step(
        tool_name="salesforce.query",
        classification="CONFIDENTIAL",
    ) as step:
        result = salesforce_api.query(state["account_id"])
        step.record_output_hash(result)
        return result

# Every call produces:
# - SHA-256 hash-chain entry
# - HMAC-signed audit record
# - UUIDv7 step identity
# - Merkle tree aggregation
```

Route MCP tool calls through Daylite proxy. Five-step policy enforcement on every call: secret scan, PII scan, classification ceiling, tool policy, cryptographic sign.

```http
POST /v1/mcp/proxy
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "github.create_issue",
    "arguments": {...}
  },
  "id": 1
}

# Response headers:
# X-Daylite-Agent: 018f3c4a-... (UUIDv7)
# X-Daylite-Audit: chained (SHA-256 hash-chain recorded)
# X-Daylite-Verdict: allow (policy check passed)
```

Compile Daylite as a proxy-wasm filter for Envoy. Plugs into Solo.io agentgateway, Tetrate Agent Router, or any Istio deployment. Adds cryptographic audit without replacing the mesh.

```yaml
http_filters:
- name: daylite-wasm
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
    config:
      name: "daylite-audit-filter"
      root_id: "daylite-audit"
      vm_config:
        runtime: "envoy.wasm.runtime.v8"
        code:
          local: { filename: "/etc/envoy/daylite-filter.wasm" }
      configuration:
        "@type": type.googleapis.com/google.protobuf.StringValue
        value: |
          {
            "control_plane_url": "http://daylite.internal:8080",
            "profile": "dora-art12",
            "sample_rate": 1.0
          }
```

Profiles are YAML bundles that map regulatory requirements to enforceable policies and evidence formats. They ship as part of the binary.

```yaml
services:
  daylite:
    image: ghcr.io/daylite-ai/daylite:latest
    ports: ["8080:8080"]
    environment:
      DATABASE_URL: postgres://daylite:secret@db:5432/daylite
      DAYLITE_PROFILE: nerc-cip-015-1
      DAYLITE_HMAC_KEY_FILE: /run/secrets/hmac_key
    depends_on: [db]
  db:
    image: postgres:16
    environment:
      POSTGRES_DB: daylite
      POSTGRES_USER: daylite
      POSTGRES_PASSWORD: secret
```

```bash
helm install daylite oci://ghcr.io/daylite-ai/charts/daylite \
  --set profile=dora-art12 \
  --set replicaCount=3 \
  --set persistence.enabled=true
```

```bash
zarf package create . # bundles binary + HMAC keys + config
# Transfer via approved media
zarf package deploy daylite-package.tar.zst
# No internet, no DNS, no external dependencies.
# Deploys inside SCIFs, NERC CIP Electronic Security Perimeters,
# validated pharma environments.
```

| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/audit/events | Emit audit event (SDK endpoint) |
| GET | /v1/audit/verify | Verify hash-chain integrity (offline-capable) |
| POST | /v1/audit/export/annex-viii | Export EU AI Act Annex VIII registration JSON |
| POST | /v1/audit/export/regulatory | Export regulator-ready evidence pack (ZIP) |
| POST | /v1/mcp/proxy | MCP JSON-RPC proxy with 5-step policy enforcement |
| GET | /v1/compliance/nist-800-53 | NIST 800-53 Rev 5 control mapping |
| GET | /v1/compliance/eu-ai-act | EU AI Act ↔ NIST 800-53 unified mapping |
| POST | /v1/api-keys | Create tenant API key (dyl_ prefix, SHA-256 stored) |
| GET/POST | /scim/v2/Users | SCIM 2.0 user provisioning (RFC 7644) |

```http
Authorization: Bearer dyl_your-api-key
```

Keys are provisioned via API, SCIM 2.0, or OIDC SSO (Okta, Microsoft Entra ID, any OpenID Connect provider). They are stored as SHA-256 hashes. mTLS with your internal CA is supported for zero-trust environments.

| Header | Description |
|---|---|
| X-Daylite-Agent | UUIDv7 per-step agent identity |
| X-Daylite-Audit | Hash-chain status (chained / signed / verified) |
| X-Daylite-Verdict | Policy engine decision (allow / deny / audit-only) |
| X-Daylite-Classification | Data classification tier applied |
| X-Daylite-Profile | Regulatory profile active for this tenant |
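
The five steps the MCP proxy section lists (secret scan, PII scan, classification ceiling, tool policy, cryptographic sign), as an added sketch that is not Daylite's implementation. The patterns, the tier names other than CONFIDENTIAL, the policy shape and the signing key are assumptions, and the `audit-only` verdict is not modelled.

```python
import hashlib
import hmac
import json
import re

# Everything below is assumed for illustration; the page does not publish Daylite's rules or tiers.
TIERS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
SECRET_RE = re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}")
PII_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b[\w.+-]+@[\w-]+\.[\w.]+\b")  # SSN shape, e-mail
SIGNING_KEY = b"constructed-demo-key"
POLICY = {"ceiling": "CONFIDENTIAL", "allowed_tools": {"github.create_issue"}}


def _within_ceiling(tier, ceiling):
    # Unknown names on either side deny, so a typo cannot widen access.
    return tier in TIERS and ceiling in TIERS and TIERS.index(tier) <= TIERS.index(ceiling)


def evaluate(call, classification, policy):
    """Apply the five steps in the page's order and stop at the first failure."""
    params = call.get("params") or {}
    text = json.dumps(params.get("arguments"), sort_keys=True)
    checks = [
        ("secret_scan", SECRET_RE.search(text) is None),
        ("pii_scan", PII_RE.search(text) is None),
        ("classification_ceiling", _within_ceiling(classification, policy["ceiling"])),
        ("tool_policy", call.get("method") == "tools/call"
                        and params.get("name") in policy["allowed_tools"]),
    ]
    for step, passed in checks:
        if not passed:
            return {"verdict": "deny", "failed_step": step, "signature": None}
    # Step 5: sign the exact call that passed, so the audit record binds to what was allowed.
    canonical = json.dumps(call, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    return {"verdict": "allow", "failed_step": None, "signature": sig}


def sample_call(name, arguments):
    # Constructed request in the JSON-RPC shape shown in the proxy section.
    return {"jsonrpc": "2.0", "method": "tools/call", "id": 1,
            "params": {"name": name, "arguments": arguments}}
```

Denied calls carry no signature here, so a signed record only ever exists for a call that passed all four checks.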