A CLI-driven security proxy that scans every HTTP request for threats using the Citadel AI engine — paid per request via the x402 protocol.
stronghold is an early-stage Go project in the AI payments / x402 ecosystem, focused on agent, agentic-systems, agents, ai. It currently has 5 GitHub stars and 0 forks, and sits alongside related tools like citadel-ai, nano-currency-mcp-server, mcp-client.
Enterprise Security for AI Infrastructure
Protect AI agents from prompt injection attacks and credential leaks.
Stronghold intercepts and scans all traffic through a transparent proxy, blocking threats before they reach your models.
A pay-per-request security API built on the Citadel AI security scanner with x402 payment protocol integration.
curl -fsSL https://getstronghold.xyz/install.sh | sh
stronghold doctor
sudo stronghold init
sudo stronghold enable
All HTTP/HTTPS traffic is now routed through the transparent proxy for real-time security scanning.
Stronghold operates at the network level, scanning all content before it reaches the AI agent.
Traditional security approaches require the agent to invoke a scanning API. However, to make that call, the agent must first read the content into its context window. At that point, prompt injection can already influence the agent's behavior, causing it to ignore scan results or fail to invoke the security API entirely.
The transparent proxy architecture eliminates this vulnerability:
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Agent │ │ Kernel │ │ Stronghold │
│ (any app) │ ──▶ │ iptables │ ──▶ │ Proxy │
└─────────────┘ │ pf │ │ :8402 │
└─────────────┘ └──────┬──────┘
│
┌───────────────────────────┼───────────────────────────┐
│ ▼ │
│ ┌─────────────┐ ┌───────────┐ ┌─────────────┐ │
│ │ Fetch │ ─▶ │ Scan │ ─▶ │ Return │ │
│ │ content │ │ (API) │ │ result │ │
│ └─────────────┘ └───────────┘ └─────────────┘ │
│ │
│ ALLOW / WARN / BLOCK │
└───────────────────────────────────────────────────────┘
┌──────────────────┐
External Content │ │ Agent Output
(web, email, API) │ AI Agent │ (to user)
│ │ │ │
▼ └──────────────────┘ ▼
┌─────────┐ ┌─────────┐
│ PROXY │ ──── safe content ────────▶ │ API │
│ SCAN │ │ SCAN │
└─────────┘ └─────────┘
│ │
▼ ▼
Prompt injection Credential leak
detection detection
| Layer | Direction | Threat Detection |
|---|---|---|
| Proxy | Inbound | Prompt injection attacks in external content |
| API | Outbound | Credential leaks in agent responses |
curl -fsSL https://getstronghold.xyz/install.sh | sh
git clone https://github.com/yv-was-taken/stronghold.git
cd stronghold
go build -o stronghold ./cmd/cli
go build -o stronghold-proxy ./cmd/proxy
init, enable, and disable commandsRun stronghold doctor to verify that all system requirements are met.
| Command | Description | Root Required |
|---|---|---|
stronghold doctor |
Verify system requirements | No |
stronghold init |
Initialize installation and configure wallet | Yes |
stronghold enable |
Start proxy and enable traffic interception | Yes |
stronghold disable |
Stop proxy and restore direct network access | Yes |
stronghold status |
Display proxy status and statistics | No |
stronghold health |
Check API and Base/Solana RPC health | No |
stronghold logs |
View proxy logs | No |
stronghold account balance |
Display current account balance | No |
stronghold account deposit |
Display deposit options | No |
stronghold wallet list |
List configured Base/Solana wallet addresses | No |
stronghold wallet balance |
Display per-chain wallet balances | No |
stronghold wallet export |
Export private key for backup | No |
stronghold wallet replace <evm|solana> |
Replace wallet by chain | No |
stronghold wallet link |
Register local wallet addresses with server | No |
stronghold config get [key] |
Display configuration value(s) | No |
stronghold config set <key> <value> |
Update a configuration value | No |
stronghold uninstall |
Remove Stronghold from the system | Yes |
# List configured wallets
stronghold wallet list
# Show per-chain balances
stronghold wallet balance
# Replace specific wallet by chain (positional)
stronghold wallet replace evm
stronghold wallet replace solana
Control how the proxy handles scan results without modifying the scanning itself:
# View all scanning configuration
stronghold config get scanning
# Never block content (headers still show scan results)
stronghold config set scanning.content.action_on_block allow
stronghold config set scanning.content.action_on_warn allow
# Strict mode - block even warnings
stronghold config set scanning.content.action_on_warn block
# Disable content scanning entirely
stronghold config set scanning.content.enabled false
Configuration file location: ~/.stronghold/config.yaml
Example configuration:
scanning:
content:
enabled: true
action_on_warn: warn # allow | warn | block
action_on_block: block # allow | warn | block
output:
enabled: true # reserved for future output policy
action_on_warn: warn # currently not enforced by proxy runtime
action_on_block: block # currently not enforced by proxy runtime
When the proxy scans content, headers are added to every response:
| Header | Description |
|---|---|
X-Stronghold-Decision |
Scan result: ALLOW, WARN, or BLOCK |
X-Stronghold-Action |
Proxy action taken: allow, warn, or block |
X-Stronghold-Reason |
Human-readable explanation (if flagged) |
X-Stronghold-Score |
Combined threat score (0.00 - 1.00) |
Headers are present even when content is not blocked, enabling agents to observe scan results programmatically.
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Health check |
/health/live |
GET | Liveness probe for orchestration |
/health/ready |
GET | Readiness probe for orchestration |
/v1/pricing |
GET | Retrieve endpoint pricing |
Payment via x402 protocol is required for the following endpoints.
| Endpoint | Method | Price | Description |
|---|---|---|---|
/v1/scan/content |
POST | $0.001 | Prompt injection detection |
/v1/scan/output |
POST | $0.001 | Credential leak detection |
Money field format:
/v1/pricing includes both price_micro_usdc (canonical) and price_usd (human-readable)Breaking change (February 18, 2026):
Scans external content for prompt injection attacks. The transparent proxy invokes this endpoint automatically.
Note: Direct API integration is recommended only when the proxy cannot be deployed (e.g., serverless environments, sandboxed containers). The proxy provides stronger protection by scanning content before it enters the agent's context.
curl -X POST https://api.getstronghold.xyz/v1/scan/content \
-H "Content-Type: application/json" \
-H "X-PAYMENT: x402;..." \
-d '{
"text": "external content to scan",
"source_url": "https://example.com",
"source_type": "web_page"
}'
Scans agent responses for credential leaks before delivery to end users. Detects API keys, passwords, database connection strings, cloud provider credentials, and private keys.
curl -X POST https://api.getstronghold.xyz/v1/scan/output \
-H "Content-Type: application/json" \
-H "X-PAYMENT: x402;..." \
-d '{
"text": "Here is the config: DB_PASSWORD=secret123"
}'
{
"decision": "BLOCK",
"scores": {
"heuristic": 0.85,
"ml_confidence": 0.92,
"semantic": 0.75
},
"reason": "High heuristic score - possible prompt injection",
"latency_ms": 15,
"request_id": "uuid-for-tracing"
}
Decision Values:
ALLOW: No threats detected; content is safe to processWARN: Elevated risk detected; manual review recommendedBLOCK: High-confidence threat detected; request should be rejectedBoth the proxy and API require an account with a USDC balance.
Via Dashboard: Visit https://getstronghold.xyz/dashboard
Via CLI: Run sudo stronghold init to create a local wallet and register it with the service.
stronghold account balance # Display current balance
stronghold account deposit # Display deposit options
| Endpoint | Price per Request |
|---|---|
/v1/scan/content |
$0.001 |
/v1/scan/output |
$0.001 |
X-PAYMENT headerX-PAYMENT-RESPONSE headerimport { x402Client } from "x402-fetch";
const fetchWithPayment = x402Client({
wallet: userWallet,
network: "base"
});
// Scan agent output before delivery to the end user
const result = await fetchWithPayment(
"https://api.getstronghold.xyz/v1/scan/output",
{
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ text: agentResponse })
}
);
const scanResult = await result.json();
if (scanResult.decision === "BLOCK") {
console.log("Credential leak detected:", scanResult.reason);
}
Stronghold is fully self-hostable. Docker Compose brings up the complete stack: PostgreSQL, the API server, and the x402 payment facilitator.
git clone https://github.com/yv-was-taken/stronghold.git && cd stronghold
cp .env.example .env # Configure environment variables
docker-compose up -d
# With HTTPS via Caddy reverse proxy
docker-compose --profile with-proxy up -d
Copy .env.example to .env and configure the required values. See .env.example for full documentation.
API Server:
| Variable | Required | Default | Description |
|---|---|---|---|
X402_EVM_WALLET_ADDRESS |
Yes* | - | EVM USDC receiving address (Base) |
X402_SOLANA_WALLET_ADDRESS |
No | - | Solana USDC receiving address |
X402_NETWORKS |
No | base |
Supported networks (comma-separated): base, solana, base-sepolia, solana-devnet |
STRONGHOLD_ENABLE_HUGOT |
No | true |
Enable ML classification layer |
STRONGHOLD_ENABLE_SEMANTICS |
No | true |
Enable semantic similarity layer |
STRONGHOLD_BLOCK_THRESHOLD |
No | 0.55 |
Score threshold for BLOCK decisions |
STRONGHOLD_WARN_THRESHOLD |
No | 0.35 |
Score threshold for WARN decisions |
*When no wallet addresses are configured, the server runs in development mode without payment verification.
x402 Facilitator (settles payments on-chain):
| Variable | Required | Default | Description |
|---|---|---|---|
FACILITATOR_EVM_PRIVATE_KEY |
Yes | - | Private key for the EVM settlement wallet (funded with ETH for gas) |
RPC_URL_BASE |
Yes | - | Base mainnet RPC endpoint |
RPC_URL_BASE_SEPOLIA |
No | - | Base Sepolia RPC endpoint (for testnet) |
The facilitator wallet needs a small ETH balance on Base for gas (~0.01 ETH lasts ~90,000 settlements at current gas prices). You can use any RPC provider; Alchemy's free tier (30M compute units/month) is sufficient for most deployments.
.
├── cmd/
│ ├── api/ # API server entry point
│ ├── cli/ # CLI client entry point
│ └── proxy/ # Proxy daemon entry point
├── facilitator/ # x402 payment settlement service
├── internal/
│ ├── server/ # HTTP server setup
│ ├── handlers/ # API endpoint handlers
│ ├── middleware/ # x402 payment verification
│ ├── stronghold/ # Citadel scanner integration
│ ├── wallet/ # Wallet management
│ ├── cli/ # CLI implementation
│ └── proxy/ # Proxy implementation
├── web/ # Frontend (Next.js)
└── install.sh # One-line installer script
MIT