Self-hosted Rust appliance. Deploys in your VPC, bare-metal server, or air-gapped OT network. Plugs beneath whatever agent framework or service mesh you already run.
Daylite runs as a central control plane (1-3 HA instances). Agents emit audit events via SDK or proxy mode. The control plane appends to a SHA-256 hash-chain with HMAC-SHA-256 signatures and generates regulator-admissible evidence packs on demand.
docker run -p 8080:8080 \
-e DAYLITE_PROFILE=eu-ai-act-annex-viii \
-e DATABASE_URL=postgres://daylite:secret@db/daylite \
ghcr.io/daylite-ai/daylite:latest
# Daylite control plane is running on port 8080.
# Hash-chain audit is active. Profile loaded.
# Next step: integrate your agent framework via SDK or proxy mode.curl http://localhost:8080/v1/audit/verify
# Returns chain integrity status:
# {
# "chain_length": 0,
# "verified": true,
# "last_hash": "genesis",
# "profile": "eu-ai-act-annex-viii"
# }Two ways to feed agent actions into Daylite. Choose based on your existing stack.
Embed the Daylite SDK in your agent code, or use the OpenAI-compatible proxy with any framework. Every tool call, state change, and decision emits an event to the control plane asynchronously.
from daylite import DayliteClient
client = DayliteClient(
control_plane_url="http://daylite.internal:8080",
api_key="dyl_...",
agent_id="kyc-automation-v2",
)
# In your LangGraph node
def execute_tool(state):
with client.audit_step(
tool_name="salesforce.query",
classification="CONFIDENTIAL",
) as step:
result = salesforce_api.query(state["account_id"])
step.record_output_hash(result)
return result
# Every call produces:
# - SHA-256 hash-chain entry
# - HMAC-signed audit record
# - UUIDv7 step identity
# - Offline-verifiable via /v1/audit/verifyRoute MCP tool calls through Daylite proxy. Five-step policy enforcement on every call: secret scan, PII scan, classification ceiling, tool policy, cryptographic sign.
POST /v1/mcp/proxy
Content-Type: application/json
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "github.create_issue",
"arguments": {...}
},
"id": 1
}
# Response headers:
# X-Daylite-Agent: 018f3c4a-... (UUIDv7)
# X-Daylite-Audit: chained (SHA-256 hash-chain recorded)
# X-Daylite-Verdict: allow (policy check passed)Profiles are YAML bundles that map regulatory requirements to enforceable policies and evidence formats. Ship as part of the binary.
services:
daylite:
image: ghcr.io/daylite-ai/daylite:latest
ports: ["8080:8080"]
environment:
DATABASE_URL: postgres://daylite:secret@db:5432/daylite
DAYLITE_PROFILE: eu-ai-act-annex-viii
DAYLITE_HMAC_KEY_FILE: /run/secrets/hmac_key
depends_on: [db]
db:
image: postgres:16
environment:
POSTGRES_DB: daylite
POSTGRES_USER: daylite
POSTGRES_PASSWORD: secretA Helm chart for Kubernetes and Zarf-based air-gapped packaging are on the roadmap. Today, deploy via Docker or docker-compose, including inside air-gapped networks by transferring the image through approved media.
| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/audit/events | Emit audit event (SDK endpoint) |
| GET | /v1/audit/verify | Verify hash-chain integrity (offline-capable) |
| POST | /v1/audit/export/annex-viii | Export EU AI Act Annex VIII registration JSON |
| POST | /v1/audit/export/regulatory | Export regulator-ready evidence pack (ZIP) |
| POST | /v1/mcp/proxy | MCP JSON-RPC proxy with 5-step policy enforcement |
| GET | /v1/compliance/nist-800-53 | NIST 800-53 Rev 5 control mapping |
| GET | /v1/compliance/eu-ai-act | EU AI Act ↔ NIST 800-53 unified mapping |
| POST | /v1/api-keys | Create tenant API key (dyl_ prefix, SHA-256 stored) |
| GET/POST | /scim/v2/Users | SCIM 2.0 user provisioning (RFC 7644) |
Authorization: Bearer dyl_your-api-keyKeys provisioned via API, SCIM 2.0, or OIDC SSO (Okta, Microsoft Entra ID, any OpenID Connect provider). Stored as SHA-256 hashes. mTLS with your internal CA supported for zero-trust environments.
| Header | Description |
|---|---|
| X-Daylite-Agent | UUIDv7 per-step agent identity |
| X-Daylite-Audit | Hash-chain status (chained / signed / verified) |
| X-Daylite-Verdict | Policy engine decision (allow / deny / audit-only) |
| X-Daylite-Classification | Data classification tier applied |
| X-Daylite-Profile | Regulatory profile active for this tenant |