Smokescreen
Stripe’s open-source egress proxy: an HTTP CONNECT proxy built for SSRF prevention. It pre-dates the AI-agent era and has been repurposed (per Andrew Bullen’s [un]prompted talk) as the network-side control point for the egress leg of Lethal Trifecta containment.
Origin
Smokescreen is a long-standing Stripe open-source project (publicly available as stripe/smokescreen). It was originally built for general SSRF prevention: stopping internal services from being tricked into making egress requests to attacker-chosen internal IPs or metadata services. The AI-agent application is a re-use of an existing control rather than a new build.
Use in Stripe’s agent architecture (per Bullen’s talk)
The control flow:
- Tag agentic services. Stripe knows which services are agents because every agent has to talk to a foundation model, and Stripe routes that traffic through a known proxy. This is the operational handle.
- Smokescreen proxies the egress. The agent service’s outbound HTTP traffic goes through Smokescreen, which acts as the choke point.
- CI-time check. When a tagged-agent service tries to configure egress (declare allowed domains / endpoints), CI requires an escalated review.
The combination — tag + Smokescreen choke + CI gate — is what Bullen calls Stripe’s “strong egress control program that pre-dated the world of AI agents.”
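One way the tag-plus-CI-gate step above could be checked, as an added example (not Stripe’s or Smokescreen’s code). The manifest shape, the `allowed_domains` key, the model-proxy hostname and the verdict names are all assumptions.

```python
# Added illustration: manifest shape, service names and hosts are assumptions.
MODEL_PROXY = "llm-proxy.internal.example"  # hypothetical model-proxy host


def norm(domain):
    """Normalize a hostname so case or a trailing dot cannot hide a change."""
    return domain.strip().lower().rstrip(".")


def domains(manifest):
    return {norm(d) for d in manifest.get("allowed_domains", [])}


def is_agent(manifest):
    """Derive the agent tag: the service is allowed to reach the model proxy."""
    return MODEL_PROXY in domains(manifest)


def covered(domain, allowlist):
    """True if domain is already allowed exactly or by a '*.suffix' entry."""
    return any(
        entry == domain or (entry.startswith("*.") and domain.endswith(entry[1:]))
        for entry in allowlist
    )


def review_egress_change(old, new):
    """Return (verdict, added) for one service's egress declaration change."""
    before, after = domains(old), domains(new)
    added = sorted(d for d in after if not covered(d, before))
    # Tag on either version: a change that first adds the model proxy makes
    # the service an agent, and dropping it in the same change must not
    # bypass the gate.
    agent = is_agent(old) or is_agent(new)
    verdict = "escalated-review" if agent and added else "standard-review"
    return verdict, added


if __name__ == "__main__":
    # Constructed sample manifests (before and after a proposed change).
    old = {"name": "support-bot",
           "allowed_domains": [MODEL_PROXY, "*.helpdesk.example"]}
    new = {"name": "support-bot",
           "allowed_domains": ["LLM-Proxy.internal.example.",
                               "api.helpdesk.example", "paste.example.net"]}
    print(review_egress_change(old, new))
```

Destinations already covered by an existing wildcard are not reported as new, while a change that broadens an exact host into a wildcard is.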
Why this matters for the wiki
This is one of the most concrete data points in the corpus that breaking the egress leg of the Lethal Trifecta is operational, not aspirational, when the org has a pre-existing egress proxy program. It’s also a generalizable pattern: any organization with a foundation-model proxy can derive an “is-agent” tag for free.
Verify externally
The Smokescreen GitHub repo and recent commit history would confirm whether AI-specific features have landed since Bullen’s talk. Worth a follow-up scrape.
See also
- Toolshed — the MCP / tool-call counterpart inside Stripe.
- Lethal Trifecta · Prompt Injection Containment for Agentic Systems · Breaking the Lethal Trifecta (Without Ruining Your Agents)