Architecture

Ephos is built on a Decoupled 3-Worker Enclave Model. This separation of concerns ensures that a failure in any single component cannot compromise the entire security chain.

1. The Security Gateway (Policy Enforcement)

This is the entry point for all agent requests. It is a high-performance Cloudflare Worker that handles:

  • Authentication (Clerk OIDC / JWT validation)
  • Usage monitoring and rate limiting
  • Routing requests to the Secure Enclave

2. The Secure Enclave (Ephos Vault)

A completely isolated worker with no direct public routes. It performs all cryptographic operations and database interactions. It retrieves encrypted Master Secrets (Phantom Keys) and performs decryption in Ephemeral RAM.

3. The MCP Layer (Protocol)

A dedicated worker that implements the Model Context Protocol. It allows AI agents to "discover" tools and use them without ever seeing the secrets required to power those tools.

Data Flow

When a request is made:

  1. The Gateway verifies the identity token (an Ephos Token) and checks entitlements.
  2. The Gateway invokes the Enclave via an internal service binding, passing the client's Token Secret.
  3. The Enclave fetches the agent's delegated payload and decrypts it using the provided secret.
  4. The Enclave executes the request, redacts the response, and returns it to the Gateway.
  5. The Gateway returns the scrubbed response to the client.
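
One way the redaction in step 4 could be done, as an added example that is not Ephos code: before replying to the Gateway, the Enclave scrubs every secret it decrypted for the request from the upstream response, in raw, URL-encoded and base64 forms. The function names, the mask string and the response shape (`status`, `headers`, `body`) are assumptions.

```javascript
// Added illustration of step 4's redaction; all names here are hypothetical.
const MASK = "[REDACTED]";

// Forms in which an upstream API may echo a credential back to the caller.
function secretVariants(secret) {
  const bytes = new TextEncoder().encode(secret);
  const b64 = btoa(String.fromCharCode(...bytes));
  const b64url = b64.replace(/\+/g, "-").replace(/\//g, "_");
  return [secret, encodeURIComponent(secret), b64, b64url,
          b64.replace(/=+$/, ""), b64url.replace(/=+$/, "")];
}

// Build the match list once per request; longest first so that a short
// variant never splits a longer one and leaves a recognisable fragment.
function buildMatchList(secrets) {
  const all = secrets.filter((s) => s.length > 0).flatMap(secretVariants);
  return [...new Set(all)].sort((a, b) => b.length - a.length);
}

function scrubString(text, matchList) {
  return matchList.reduce((out, v) => out.split(v).join(MASK), text);
}

// Walk a parsed JSON body: string values and object keys are both scrubbed.
function scrubValue(value, matchList) {
  if (typeof value === "string") return scrubString(value, matchList);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, matchList));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(
      ([k, v]) => [scrubString(k, matchList), scrubValue(v, matchList)]));
  }
  return value; // numbers, booleans and null carry no secret text
}

// What the Enclave would run on the upstream result before replying to the Gateway.
function scrubResponse(upstream, secrets) {
  const matchList = buildMatchList(secrets);
  return {
    status: upstream.status,
    headers: scrubValue(upstream.headers, matchList),
    body: scrubValue(upstream.body, matchList),
  };
}
```

Substring matching only catches a secret that is echoed on its own; a secret encoded together with other data (for example base64 of `user:secret`) produces a different string and needs decoding before the scrub.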