plasma-shield-gateway

Last updated: February 13, 2026

The full Plasma Shield gateway: forward proxy (outbound) + reverse proxy (inbound).

Overview

The gateway runs both halves of the shield:

  1. Forward Proxy (outbound) – Agents use this as HTTP_PROXY for all outbound traffic
  2. Reverse Proxy (inbound) – External traffic to agents routes through this

This is the production deployment for Plasma Shield. Agents are invisible to the outside world; all traffic flows through the gateway.

Usage

bash
plasma-shield-gateway 
  --outbound :8080 
  --inbound :8443 
  --agents /etc/plasma-shield/fleet.yaml 
  --rules /etc/plasma-shield/rules.yaml

Flags

FlagDefaultDescription
--outbound:8080Forward proxy port (outbound agent traffic)
--inbound:8443Reverse proxy port (inbound to agents)
--tls-cert(none)TLS certificate file for HTTPS (required for production)
--tls-key(none)TLS private key file for HTTPS (required for production)
--agents/etc/plasma-shield/agents.yamlFleet configuration file
--rules(none)Rules file for filtering

TLS Configuration

Production deployments MUST use TLS for the inbound proxy. Bearer tokens are transmitted in the Authorization header – without TLS, they’re visible to network sniffers.

bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Run with TLS
plasma-shield-gateway 
  --tls-cert /etc/plasma-shield/cert.pem 
  --tls-key /etc/plasma-shield/key.pem

For production, use certificates from Let’s Encrypt or your organization’s CA.

Configuration

Fleet Configuration (agents.yaml)

yaml
tenants:
  - id: my-fleet
    mode: fleet  # or "isolated"
    agents:
      - id: agent-1
        name: "Agent One"
        ip: "10.0.0.1"
        webhook_url: "http://10.0.0.1:18789"
        tier: crew

tokens:
  - token: "${API_TOKEN}"  # from environment
    tenant_id: my-fleet
    name: "My API Token"

Environment Variables

  • SHIELD_TOKEN_<TENANT>=<token> – Register auth tokens (fallback if not in config)

Traffic Flow

Outbound (Agent → World)

php
Agent ---> [Forward Proxy :8080] ---> Internet
             |
             +-- Filter rules applied
             +-- Logging

Agents must be configured to use the shield as HTTP proxy:

bash
export HTTP_PROXY=http://shield:8080
export HTTPS_PROXY=http://shield:8080

Inbound (World → Agent)

php
Client ---> [Reverse Proxy :8443] ---> Agent
              |
              +-- Auth required (Bearer token)
              +-- Routes: /agent/{id}/...
              +-- Tenant isolation enforced

Clients access agents via:

bash
curl -H "Authorization: Bearer $TOKEN" 
  https://shield:8443/agent/my-agent/hooks

Security

  • Agents have no public endpoints
  • All traffic is logged
  • Tenant isolation: tokens only grant access to owned agents
  • Fleet mode: opt-in inter-agent communication

More in Cmd

Plasma Shield API Server

Standalone REST API server for human-only shield management. Run this on a dedicated VPS with…

Plasma Shield CLI

Human-only management interface for the shield router. Install on your personal machine, not on agent…

Plasma Shield Proxy

The core router service that inspects and filters all agent traffic. Run this on a…

Plasma Shield API Server

Standalone REST API server for human-only shield management. Run this on a dedicated VPS with…

All Plasma Shield Docs View all Cmd
View on GitHub