BrainstormRouter
Security

Post-quantum ready.
Cryptographically agile.

The first AI gateway with hybrid post-quantum TLS, hash-chained audit trails, and config-driven cryptographic agility. Every request is protected against harvest-now-decrypt-later attacks — today, not after the next upgrade cycle.

Threat model

Harvest now, decrypt later.

Nation-state adversaries are capturing encrypted traffic today, storing it in bulk, and waiting for quantum computers to break RSA and ECC. NIST's timeline: cryptographically relevant quantum computers within 10–15 years.

High-value HNDL targets
  • API keys — multi-year revocation tail
  • Prompts & responses — training data, trade secrets
  • Audit trails — tamper target for retroactive denial
  • Agent certificates — identity forgery
  • Memory stores — long-lived knowledge graphs

Six defence layers

Every request, every response, every audit row.

01

Hybrid PQC TLS

X25519 + ML-KEM-768 key exchange. Config-driven algorithm selection with graceful fallback. OpenSSL 3.5+.

02

Hash-chained audit

SHA-256 chained entries with Redis CAS for atomicity. Chain-verification API exposed publicly.

03

mTLS agent identity

SPIFFE-compatible certificates, 5-minute rotation via the Cryptographic Agent Framework.

04

Dual-signed audit entries

HMAC-SHA256 + ML-DSA-65 on every row. Classical + post-quantum in parallel.

05

Runtime guardrails

PII scanning, prompt-injection detection, tool-call firewall. Token-level stream interception.

06

Anomaly detection

Consumption guardian flags retry storms, cost spikes, and drift. ARM auto-quarantines offenders.

Standards & mandates

Aligned with the regulators.

NSM-10 PQC mandate, EU CRA, SWIFT 8.0, SOC 2, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA).

Protect your AI traffic today.

Swap your base_url. Every request gets post-quantum protection, hash-chained audit, runtime guardrails. No configuration required to start.