Skip to main content

Architecture

How the QuilrAI Network Monitor processes every request, from the client application through the proxy to the origin server and back.

Client Application
# Explicit proxy mode
export HTTPS_PROXY=http://localhost:8443
export HTTP_PROXY=http://localhost:8080

# Or transparent redirect mode
# (no app config needed, packet redirector
#  intercepts at the OS network layer)
QuilrAI Network Monitor
Intercept
Explicit Proxy
HTTP :8080
HTTPS :8443
Browser / app configured
Transparent Redirect
Packet Redirector
Network Extension (macOS)
WinDivert (Windows)
Inspect
TLS MITM
Dynamic cert generation
SNI-based host matching
Per-host bypass list
WebSocket
Upgrade detection
Bidirectional proxying
Frame inspection
Scan
DLP Engine
Contextual detection
Exact data matching
Block / redact / prompt
Analyzers
Remote API
Local AI model
Heuristic (regex + keywords)
Enforce
Policy Decision
Allow: forward request
Block: reject with 403
Prompt: justification UI
Health Monitoring
Per-host circuit breakers
Passive failure tracking
Active probe checks
Traffic Logging · Process Attribution · Health Metrics · Kill Switch
Origin Servers
HTTPS EndpointsHTTP EndpointsWebSocket ServersAPI ServicesSaaS PlatformsInternal Services
QuilrAI

Pipeline Stages

Every intercepted request flows through these stages in order. Each stage is independently configurable from the dashboard.

StageDescription
Explicit ProxyAccepts HTTP on port 8080 and TLS on port 8443.
Transparent RedirectOS-level traffic interception via Network Extension (macOS) or WinDivert (Windows). No app config needed.
TLS MITMTLS handshake with dynamic certificate generation and SNI extraction for HTTPS inspection.
WebSocketDetects Upgrade headers and proxies WebSocket connections bidirectionally.
DLP EnginePluggable analyzer pipeline (remote API, local AI model, or heuristic regex) with content extraction rules.
Policy DecisionAllow, block, or prompt for justification based on DLP findings. Native or Tauri-based justification UI.
Health MonitoringPer-host health states (Healthy / Degraded / Unhealthy / Critical) with circuit breakers.

Response Path

Responses from origin servers pass back through the DLP engine for output scanning before returning to the client. The same detection categories and actions (block, redact, prompt) apply to both directions.

Platform Support

PlatformPacket RedirectorJustification UIProcess Attribution
macOSNetwork Extension (kernel-level, Unix Socket IPC with SCM_RIGHTS)Cocoa native dialogAudit tokens (~5 ms)
WindowsWinDivert kernel driver (packet interception + rewrite)Windows message-based dialogSocketLayer events + GetExtendedUdpTable
Cross-platform-Tauri WebView (default)-

Observability

Every request is logged with host, process attribution, DLP findings, and policy actions. Exposes GET /health (JSON) and GET /metrics (Prometheus). Remote kill switch disables the proxy via IPC; new connections get 503 while in-flight requests drain.