Implementation goal

Zero-Trust Agent Proxy Infrastructure

Vertex is a Vercel-hosted Rust proxy that lets autonomous agents use dummy credentials while real production tokens remain bound to Supabase policy rows and decrypted only for scoped downstream execution.

Target stack

Hosting platform: Vercel Serverless Functions
Runtime engine: vercel-rust, Cargo workspace prepared for AWS Lambda API gateway compatibility
Language specification: Rust Edition 2021 stable
Database layer: Supabase PostgreSQL with pg_sodium, pg_graphql, and Supabase Vault
Cryptographic primitives: ring for ES256/SHA-256 support, ed25519-dalek for downstream internal signing

Directory structure

/api/proxy.rs: Main serverless endpoint route handler
/Cargo.toml: Workspace root configuration and release profile
/src/lib.rs: Shared library module root
/src/domain/mod.rs: Domain module root
/src/domain/traits.rs: Core service abstractions using OOP trait patterns
/src/domain/models.rs: Strict token, payload, claim, proxy, response, and audit types
/src/infrastructure/mod.rs: Infrastructure module root
/src/infrastructure/vault.rs: Supabase Vault and ALE Postgres client interface
/src/infrastructure/crypto.rs: ES256 verification engine and token swapping
/src/infrastructure/telemetry.rs: Plonky2/ZK audit proof integration placeholder
/supabase/migrations/20260524000000_zero_trust_vault.sql: Database initialization schema

Database tables

users: id, organization_name, created_at
agent_policies: user_id, policy_name, allowed_domains, allowed_methods, is_active
proxy_credentials: policy_id, dummy_token, encrypted_real_token, target_domain, key_id, created_at
telemetry_audit_trail: policy_id, timestamp, request_hash, destination_host, http_status, zk_proof_bytes

Stored procedures

resolve_and_decrypt_credential: Accepts in_dummy_token and in_domain, checks active policy bounds, decrypts via pg_sodium, returns plaintext token, policy_id, and allowed_methods to the caller session.

Rust contracts

CredentialVault: fn resolve_token(&self, dummy: &str, domain: &str) -> Result<String, VaultError>
RequestProxy: fn forward_request(&self, context: ProxyContext) -> Result<ResponsePayload, ProxyError>
AuditLogger: fn commit_trace(&self, record: AuditRecord) -> Result<(), ValidationError>
ProxyContext: target_url: reqwest::Url, method: reqwest::Method, headers: HeaderMap, body: Vec<u8>
Claims: sub: String, iss: String, exp: usize, aud: String, policy_id: uuid::Uuid

Proxy flow

1. Validate ES256 agent JWT: Reject non-ES256 algorithms, validate issuer/audience, and extract policy_id.
2. Parse proxy invocation: Accept target URL, method, headers, and optional base64 body for the downstream request.
3. Resolve dummy credential: Call Supabase RPC using dummy token and canonical target domain.
4. Enforce policy: Match returned policy_id and allowed_methods before forwarding.
5. Swap token in scope: Replace dummy bearer with decrypted downstream bearer and zeroize token material.
6. Commit audit trace: Write policy, destination host, status, request hash, and optional proof bytes.

Security guardrails

Hard reject non-ES256 JWTs.

Verify target host against policy domain bounds.

Reject private, loopback, link-local, multicast, documentation, and metadata-service targets.

Strip hop-by-hop headers before forwarding.

Bound downstream requests to 10 seconds.

Keep decrypted token material scoped and zeroized.
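
A sketch of the target-address guardrail above, added here as an example and not taken from the Vertex source. It uses only the standard library; the Blocked type and the function names are hypothetical, and it assumes the proxy resolves the target host itself and connects only to the addresses it has checked.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Why a resolved target address was refused (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum Blocked { NoAddress, Unspecified, Loopback, Private, LinkLocal, Multicast, Documentation }

fn check_v4(ip: Ipv4Addr) -> Result<(), Blocked> {
    if ip.is_unspecified() || ip.is_broadcast() { return Err(Blocked::Unspecified); }
    if ip.is_loopback() { return Err(Blocked::Loopback); }
    if ip.is_private() { return Err(Blocked::Private); }
    // 169.254.0.0/16 includes the 169.254.169.254 cloud metadata address.
    if ip.is_link_local() { return Err(Blocked::LinkLocal); }
    if ip.is_multicast() { return Err(Blocked::Multicast); }
    if ip.is_documentation() { return Err(Blocked::Documentation); }
    Ok(())
}

fn check_v6(ip: Ipv6Addr) -> Result<(), Blocked> {
    // ::ffff:a.b.c.d must be judged as the IPv4 address it wraps.
    if let Some(v4) = ip.to_ipv4_mapped() { return check_v4(v4); }
    let s = ip.segments();
    if ip.is_unspecified() { return Err(Blocked::Unspecified); }
    if ip.is_loopback() { return Err(Blocked::Loopback); }
    if s[0] & 0xfe00 == 0xfc00 { return Err(Blocked::Private); }   // fc00::/7 unique local
    if s[0] & 0xffc0 == 0xfe80 { return Err(Blocked::LinkLocal); } // fe80::/10
    if ip.is_multicast() { return Err(Blocked::Multicast); }
    if s[0] == 0x2001 && s[1] == 0x0db8 { return Err(Blocked::Documentation); } // 2001:db8::/32
    Ok(())
}

/// Checks every address the target host resolved to; one bad address rejects the request.
pub fn check_resolved(addrs: &[IpAddr]) -> Result<(), Blocked> {
    if addrs.is_empty() { return Err(Blocked::NoAddress); }
    for a in addrs {
        match a { IpAddr::V4(v4) => check_v4(*v4)?, IpAddr::V6(v6) => check_v6(*v6)? }
    }
    Ok(())
}

fn main() {
    // Constructed sample addresses.
    for s in ["93.184.216.34", "169.254.169.254", "::ffff:10.0.0.5", "fd00:ec2::254"] {
        let ip: IpAddr = s.parse().unwrap();
        println!("{s:<18} {:?}", check_resolved(&[ip]));
    }
}
```

Checking the full resolved set rather than the first record means a hostname that returns one public and one internal address is still refused.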

Release profile

opt-level: z
lto: true
codegen-units: 1
panic: abort