Skip to content
Modules

Beacon — the endpoint agent

The signed local daemon that inventories AI tooling and CVEs, enforces Lyra policy across three planes, and detects OS-level exfil a cloud gateway can't see.

Beacon is a thick, signed daemon that runs on every machine where agents do work — Windows, macOS, and Linux. It is the reach that a cloud gateway does not have: it sees shadow and local AI, un-gatewayed MCP servers, and OS-level activity. It combines endpoint detection and vulnerability management in one signed sensor, built for the age of autonomous tooling.

Inventory and CVE posture

On enrollment and on a schedule, Beacon inventories the installed AI toolchain — CLIs and tools such as Claude Code and Codex, their versions, whether any are down-level, and any known CVE exposure. This posture is reported to Observatory and gates enforcement: a policy can refuse to run inference through a tool with an open critical CVE.

# Illustrative — inspect the local inventory and posture
beacon inventory --format json
beacon cve list --severity high

Three enforcement planes

Beacon enforces across three planes so that both the request path and the host are covered:

  • Plane A — inference. Every model call is routed through the local policy service. Lyra decides the model, redaction, and whether the call proceeds — locally, offline, with no cloud hop.
  • Plane B — runtime observation. Process- and config-level telemetry from user space; no kernel driver. It observes process launches and agent activity, flagging out-of-band processes that never touch the gateway, the ADR pillar.
  • Plane C — network/egress. Allow/deny for outbound connections and data egress, with secrets injected from Umbra as short-lived leases rather than stored on disk.

The local policy service

The heart of Beacon is a local policy service that intercepts inference and network requests, evaluates the active Lyra policy, and returns an allow/deny decision deterministically. Because evaluation is local, enforcement continues even when the endpoint is offline, and there is no latency tax on agentic loops that would otherwise stack across a cloud round-trip.

{
  "decision": "deny",
  "plane": "A",
  "rule": "alyria.lyra/deny.tool-not-brokered",
  "tool": "shell.exec",
  "reason": "capability not granted for role software-dev",
  "asi": "ASI05"
}

Every decision is signed and streamed to Spectra, forming one audit chain that maps cleanly to OWASP ASI and to NIST AI RMF / ISO/IEC 42001 controls.