From Proxy to Enterprise Appliance: Hardening Agent Provost for the AWS Marketplace


Ten weeks ago (March 21st, to be exact), I pushed the first commit for Agent Provost. It started as a solid, functioning proxy that did exactly what it was supposed to do: sit between an AI agent and an MCP server. I quickly moved this to the Alpaca trading platform to make a usable product instead of Stevie’s Toy. I immediately started enforcing rules so the AI couldn’t blow up a brokerage account.

But there is a massive difference between a cool piece of software that works on your laptop and an enterprise-grade security appliance that hedge funds and fintech startups will trust with their capital. Putting a product on the AWS Marketplace requires a completely different level of paranoia.

Over the last 71 days—taking about 10 days off, and working less than 5 hours a day—I tore Agent Provost down to the studs and rebuilt it into a zero-trust, stateless, immutable fortress. Here is exactly how I made it hard to break as I scaled it for the enterprise market.

1. Zero-Trust & Stateless Architecture (The RAM Disk)

The Problem: Storing API keys on a hard drive is a massive liability. If someone rips the EBS volume out of the AWS data center, or takes a snapshot of the instance, they get the keys.

The Fix: I made the appliance 100% stateless. On boot, the system fetches the API keys from AWS Secrets Manager and injects them directly into a volatile tmpfs RAM disk. If the instance loses power or shuts down, the keys vanish instantly. Furthermore, I dropped root privileges for Docker execution—creating a dedicated, unprivileged provost user to run the containers, preventing any potential privilege escalation.

2. Immutable Releases & The “Golden AMI”

The Problem: Relying on latest Docker tags is a recipe for disaster. You never know exactly what code is running in production.

The Fix: I built a rigorous, automated CI/CD pipeline that bakes a “Golden AMI” for ARM64/Graviton processors. The pipeline automatically builds the Docker image, pushes it to AWS ECR Public, extracts the exact @sha256 digest, and pins it in the environment files. Before the AMI is baked, a sanitization script aggressively scrubs bash history, system logs, and authorized SSH keys, ensuring a completely anonymous and secure artifact.

3. The “Stateless Detective” Boot

The Problem: If the AMI is completely stateless and scrubbed, how does it know which customer it belongs to when it boots up?

The Fix: I engineered a “Detective” boot sequence. When a customer deploys the 1-click CloudFormation template, AWS tags the EC2 instance. On boot, the instance uses IMDSv2 (Instance Metadata Service) and the EC2 API to read its own tags. It dynamically discovers its CloudFormation stack name, reconstructs the names of its specific S3 bucket and Secrets Manager vault, and pulls its configuration into memory. Zero hardcoded files.

4. Hot-Reloadable Rules Engine

The Problem: Customers need to update their trading limits (e.g., Max Notional, Blocked Symbols) without SSHing into the box or dropping active proxy connections.

The Fix: I moved the trading rules out of static files and into AWS Secrets Manager via CloudFormation parameters. A cron-driven synchronization script polls AWS every 10 minutes. If a user updates their rules in the AWS Console, the script automatically regenerates the configuration, and the OpenResty proxy hot-reloads the new limits instantly.
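To make the rule check and the reload step concrete, here is an added example in Python (illustration only, not Agent Provost's own OpenResty code). The rule-file schema is an assumption about what the sync script regenerates; the order fields are Alpaca's `symbol`, `qty`, `notional` and `limit_price`. The point worth noticing is that a reload which fails to parse keeps the last known-good rules rather than leaving the proxy without limits.

```python
import json

# Constructed rule set in the shape a sync script might regenerate from
# Secrets Manager (assumed schema, not Agent Provost's real one).
RULES_JSON = '{"max_notional": 5000, "blocked_symbols": ["GME", "AMC"]}'

def parse_rules(raw: str) -> dict:
    """Parse a regenerated rule file; a missing limit is an error, not 'unlimited'."""
    data = json.loads(raw)
    return {
        "max_notional": float(data["max_notional"]),
        "blocked_symbols": {s.upper() for s in data.get("blocked_symbols", [])},
    }

def order_notional(order: dict) -> float:
    """Alpaca orders carry either `notional` or `qty`; a qty order can only be
    bounded when it also carries a limit_price, so a bare market order is refused."""
    if "notional" in order:
        return float(order["notional"])
    if order.get("limit_price") is None:
        raise ValueError("qty order without limit_price cannot be bounded")
    return float(order["qty"]) * float(order["limit_price"])

class RulesEngine:
    """Holds the live rule set; reload() swaps it only if the new file parses."""

    def __init__(self, raw: str):
        self.rules = parse_rules(raw)

    def reload(self, raw: str) -> bool:
        try:
            new_rules = parse_rules(raw)
        except (ValueError, KeyError, TypeError):
            return False          # keep the last known-good rules in place
        self.rules = new_rules    # single attribute swap: no half-loaded state
        return True

    def check_order(self, order: dict) -> tuple:
        symbol = str(order.get("symbol", "")).upper()
        if symbol in self.rules["blocked_symbols"]:
            return False, f"symbol {symbol} is blocked"
        try:
            notional = order_notional(order)
        except (ValueError, KeyError):
            return False, "order size cannot be determined"
        if notional > self.rules["max_notional"]:
            return False, f"notional {notional:.2f} exceeds max {self.rules['max_notional']:.2f}"
        return True, "allowed"
```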

5. WORM Compliance & Audit Logging

The Problem: If an AI goes rogue, compliance officers need cryptographic proof of what happened—proof that cannot be tampered with or deleted.

The Fix: I configured Fluent Bit to stream all AI trading requests and proxy decisions directly to an Amazon S3 bucket with Object Lock (Write Once, Read Many) enabled. Even a root administrator cannot delete these logs. I also added CloudFormation parameters to sync the EC2 instance to the user’s local timezone (e.g., Asia/Jerusalem), ensuring the S3 log directory partitions match the user’s actual trading day.


Agent Provost is now live in preview. I didn’t just build a proxy; I built a compliant, zero-trust appliance that protects your capital from AI hallucinations. You can check out the exclusive AWS Marketplace listing here:
Agent Provost: Secure MCP Proxy for Alpaca
