Architecture & Integration

Self-hosted Rust appliance. Deploys in your VPC, bare-metal server, or air-gapped OT network. Plugs beneath whatever agent framework or service mesh you already run.

How Daylite deploys

Control plane + data plane

Daylite runs as a central control plane (1-3 HA instances). Agents emit audit events via SDK or proxy mode. The control plane appends to a SHA-256 hash-chain with HMAC-SHA-256 signatures and generates regulator-admissible evidence packs on demand.

docker: fastest path
docker run -p 8080:8080 \
  -e DAYLITE_PROFILE=eu-ai-act-annex-viii \
  -e DATABASE_URL=postgres://daylite:secret@db/daylite \
  ghcr.io/daylite-ai/daylite:latest

# Daylite control plane is running on port 8080.
# Hash-chain audit is active. Profile loaded.
# Next step: integrate your agent framework via SDK or proxy mode.
verify the hash-chain
curl http://localhost:8080/v1/audit/verify

# Returns chain integrity status:
# {
#   "chain_length": 0,
#   "verified": true,
#   "last_hash": "genesis",
#   "profile": "eu-ai-act-annex-viii"
# }

Integration Patterns

Two ways to feed agent actions into Daylite. Choose based on your existing stack.

Pattern A: SDK Integration (most common)

Embed the Daylite SDK in your agent code, or use the OpenAI-compatible proxy with any framework. Every tool call, state change, and decision emits an event to the control plane asynchronously.

python: agent integration
from daylite import DayliteClient

client = DayliteClient(
    control_plane_url="http://daylite.internal:8080",
    api_key="dyl_...",
    agent_id="kyc-automation-v2",
)

# In your LangGraph node
def execute_tool(state):
    with client.audit_step(
        tool_name="salesforce.query",
        classification="CONFIDENTIAL",
    ) as step:
        result = salesforce_api.query(state["account_id"])
        step.record_output_hash(result)
        return result

# Every call produces:
# - SHA-256 hash-chain entry
# - HMAC-signed audit record
# - UUIDv7 step identity
# - Offline-verifiable via /v1/audit/verify

Pattern B: Proxy Mode (no SDK changes)

Route MCP tool calls through Daylite proxy. Five-step policy enforcement on every call: secret scan, PII scan, classification ceiling, tool policy, cryptographic sign.

MCP proxy JSON-RPC 2.0
POST /v1/mcp/proxy
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "github.create_issue",
    "arguments": {...}
  },
  "id": 1
}

# Response headers:
# X-Daylite-Agent: 018f3c4a-... (UUIDv7)
# X-Daylite-Audit: chained (SHA-256 hash-chain recorded)
# X-Daylite-Verdict: allow (policy check passed)

Regulatory Profiles

Profiles are YAML bundles that map regulatory requirements to enforceable policies and evidence formats. Ship as part of the binary.

dora-art12.yaml
DORA Article 12 tamper-evident logging for EU financial entities. Append-only hash-chain with HMAC signatures. In force since January 2025.
eu-ai-act-annex-viii.yaml
EU AI Act Article 12 logging with an Annex VIII registration export endpoint and Article 14 human-oversight metadata.

Deployment Options

docker-compose: HA control plane with PostgreSQL
services:
  daylite:
    image: ghcr.io/daylite-ai/daylite:latest
    ports: ["8080:8080"]
    environment:
      DATABASE_URL: postgres://daylite:secret@db:5432/daylite
      DAYLITE_PROFILE: eu-ai-act-annex-viii
      DAYLITE_HMAC_KEY_FILE: /run/secrets/hmac_key
    depends_on: [db]
  db:
    image: postgres:16
    environment:
      POSTGRES_DB: daylite
      POSTGRES_USER: daylite
      POSTGRES_PASSWORD: secret

A Helm chart for Kubernetes and Zarf-based air-gapped packaging are on the roadmap. Today, deploy via Docker or docker-compose, including inside air-gapped networks by transferring the image through approved media.

API Endpoints

MethodEndpointDescription
POST/v1/audit/eventsEmit audit event (SDK endpoint)
GET/v1/audit/verifyVerify hash-chain integrity (offline-capable)
POST/v1/audit/export/annex-viiiExport EU AI Act Annex VIII registration JSON
POST/v1/audit/export/regulatoryExport regulator-ready evidence pack (ZIP)
POST/v1/mcp/proxyMCP JSON-RPC proxy with 5-step policy enforcement
GET/v1/compliance/nist-800-53NIST 800-53 Rev 5 control mapping
GET/v1/compliance/eu-ai-actEU AI Act ↔ NIST 800-53 unified mapping
POST/v1/api-keysCreate tenant API key (dyl_ prefix, SHA-256 stored)
GET/POST/scim/v2/UsersSCIM 2.0 user provisioning (RFC 7644)

Authentication

API key
Authorization: Bearer dyl_your-api-key

Keys provisioned via API, SCIM 2.0, or OIDC SSO (Okta, Microsoft Entra ID, any OpenID Connect provider). Stored as SHA-256 hashes. mTLS with your internal CA supported for zero-trust environments.

Response Headers

HeaderDescription
X-Daylite-AgentUUIDv7 per-step agent identity
X-Daylite-AuditHash-chain status (chained / signed / verified)
X-Daylite-VerdictPolicy engine decision (allow / deny / audit-only)
X-Daylite-ClassificationData classification tier applied
X-Daylite-ProfileRegulatory profile active for this tenant
Request architecture review