Deployment Topology
TameFlare uses a cloud proxy model. There is no binary to download, no Docker container to run, no server to manage. The dashboard is hosted at tameflare.com. The gateway runs in the cloud at proxy.tameflare.com.
How the components connect
You (developer)
│
│ tf run -- python agent.py
▼
┌─────────────────────────────────────────────────────┐
│ proxy.tameflare.com (cloud gateway) │
│ │
│ 1. Identifies gateway by token in proxy auth │
│ 2. Loads connectors + permissions from dashboard │
│ 3. Intercepts all HTTP/HTTPS from your process │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │Connectors│ │Permission│ │Credential│ │
│ │ (8 types)│ │ Checker │ │ Vault │ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ domain → connector → parse action → check perms │
│ │
│ allowed: inject creds → forward │
│ denied: return 403 │
│ require_approval: hold connection → wait │
└─────────────────────────────────────────────────────┘
│ ▲
│ HTTPS │ Config from dashboard
▼ │
External APIs tameflare.com
(GitHub, Stripe, ...) (dashboard)
What runs where
| Component | Where it runs | What it does |
|---|---|---|
| Dashboard | tameflare.com (hosted) | Configure gateways, manage connectors/permissions, view traffic, approve requests, manage team |
CLI (tf) | Your machine | Sets HTTPS_PROXY env var, spawns your process. No binary download needed. |
| Cloud gateway | proxy.tameflare.com (hosted) | Transparent HTTP/HTTPS proxy. Intercepts traffic, parses actions, checks permissions, injects credentials |
| Your process | Your machine | Runs with HTTPS_PROXY set. All outbound traffic routed through cloud gateway |
Config sync
The gateway fetches its full configuration from the dashboard:
- On startup -
GET /api/gateway/configwith per-gateway token (gwtk_*) - Every 60 seconds - polls for config updates (new connectors, changed permissions, blocked categories)
- Config includes: connectors with credentials, permissions, blocked category deny rules, org kill switch state
If the dashboard is unreachable, the gateway continues operating with its last-fetched config. New config changes won't apply until connectivity is restored.
Network requirements
The gateway needs outbound HTTPS access to:
| Destination | Purpose |
|---|---|
tameflare.com | Config sync, traffic logging, approval workflow |
Your upstream APIs (e.g., api.github.com) | Forwarding allowed requests |
The cloud gateway is hosted at proxy.tameflare.com. No inbound ports need to be opened on your machine.
What happens when things fail
| Scenario | Impact | Your process affected? |
|---|---|---|
| Dashboard unreachable | No config updates, no new traffic in dashboard | No - gateway uses cached config, proxy continues working |
| Gateway crashes | All HTTP requests from your process fail (proxy unreachable) | Yes - restart with tf run |
| Internet down | Gateway can't reach dashboard or upstream APIs | Yes - all requests fail |
Multiple gateways
You can create multiple gateways in the dashboard, each with different connectors and permissions:
| Gateway | Use case | Connectors |
|---|---|---|
dev-bot | Development agent | GitHub (allow all), OpenAI (allow all) |
deploy-agent | CI/CD pipeline | GitHub (read only), Slack (allow) |
prod-agent | Production agent | GitHub (require approval for writes), Stripe (deny deletes) |
Each gateway has its own token and runs independently. Use tf init --list to select which gateway to use, then tf run -- <cmd> to proxy traffic.
Next steps
- System Architecture - high-level overview
- Performance - latency benchmarks
- Security - TLS interception and credential vault
- CI/CD Integration - running in pipelines