Streaming Inspection, Guardian Sidecar, And Egress Proxy
MeshGuard uses three enforcement layers.
| Layer | Purpose | Bypass resistance |
|---|---|---|
| In-process PEP | Low-latency policy checks inside AGT or framework adapter. | Depends on agent process integrity. |
| Guardian sidecar | Last-known-good policy enforcement and WAL-backed audit when the gateway is unreachable. | Stronger in Kubernetes or VM placement. |
| Egress proxy | Network-level enforcement for outbound traffic. | Strongest when paired with network policy. |
Streaming Inspection
Supported protocols:
- Server-Sent Events.
- OpenAI streaming.
- Anthropic streaming.
- Bedrock response streams.
- Vertex streaming.
- gRPC bidirectional streaming.
Enforcement modes:
- log-only
- redact
- block-and-truncate
- full-block
Matched sensitive content is deterministically redacted before audit so the audit log does not become a secondary PII/PHI store.
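As an added illustration, not MeshGuard's own code: a Python stream inspector that applies the four enforcement modes to chunked model output and redacts each match deterministically, so the audit entry carries a keyed token rather than the raw value. The detectors, the HMAC key and the exact mode semantics are assumptions; the hold-back logic also catches a value split across two stream chunks.

```python
import hashlib, hmac, re
from dataclasses import dataclass, field

# Constructed detectors (illustrative only): SSN-like and 16-digit card-like numbers.
PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "card": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b")}
MAX_MATCH = 19  # longest text any pattern can match; bounds how much is held back between chunks

def redact_token(kind: str, value: str, key: bytes) -> str:
    """Deterministic: equal values give equal tokens, so audit rows correlate without the raw value."""
    return f"[{kind.upper()}:{hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]}]"

@dataclass
class StreamInspector:
    mode: str                  # log-only | redact | block-and-truncate | full-block
    key: bytes                 # HMAC key for tokenisation (constructed for this example)
    tail: str = ""             # held-back text: a match may still complete in the next chunk
    audit: list = field(default_factory=list)
    blocked: bool = False

    def _scan(self, text: str, final: bool) -> str:
        # Hold back the last MAX_MATCH-1 chars until the stream ends, so a value split across frames is still caught.
        cut = len(text) if final else max(0, len(text) - (MAX_MATCH - 1))
        found = sorted((m.start(), m.end(), k) for k, p in PATTERNS.items() for m in p.finditer(text))
        out, pos = [], 0
        for start, end, kind in found:
            if end > cut:                       # straddles the hold-back point: defer the whole match
                cut = min(cut, start)
                break
            token = redact_token(kind, text[start:end], self.key)
            self.audit.append((kind, token))    # the audit log records the token, never the match
            if self.mode in ("block-and-truncate", "full-block"):
                self.blocked, self.tail = True, ""
                return "".join(out) + text[pos:start] if self.mode == "block-and-truncate" else ""
            out.append(text[pos:start] + (token if self.mode == "redact" else text[start:end]))
            pos = end
        out.append(text[pos:cut])
        self.tail = text[cut:]
        return "".join(out)

    def feed(self, chunk: str) -> str:
        """Inspect one chunk and return the text to forward downstream."""
        if self.blocked:
            return ""
        self.tail += chunk                      # full-block buffers everything: forwarded bytes cannot be recalled
        return "" if self.mode == "full-block" else self._scan(self.tail, final=False)

    def finish(self) -> str:
        """End of stream: flush held-back text; full-block releases its buffer only if it is clean."""
        return "" if self.blocked else self._scan(self.tail, final=True)
```

Note that full-block can only be honoured on a stream by buffering the whole response, which trades away the latency benefit of streaming; block-and-truncate keeps streaming but stops at the first match.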
