Quickstart: Transparent Proxy

This guide gets the transparent proxy running on your machine. Once enabled, all HTTP/HTTPS traffic from the agent user is automatically scanned for prompt injection before it reaches the agent.

Prerequisites

  • Linux (iptables or nftables) or macOS (pf)
  • Root/sudo access for firewall rule setup
  • Keyring (Linux only): gnome-keyring, KWallet, or pass — used for wallet key storage

Install and Enable

  1. Install the CLI

    curl -fsSL https://getstronghold.xyz/install.sh | sh

    This downloads the stronghold binary for your platform and places it on your PATH.

  2. Check system compatibility

    stronghold doctor

    Doctor verifies that your system has the required dependencies (firewall backend, kernel modules) and reports any issues.

  3. Initialize Stronghold

    sudo stronghold init

    This performs first-time setup:

    1. System check and account setup
    2. Wallet creation and API registration
    3. Creates the dedicated system user (stronghold / _stronghold)
    4. Installs proxy and CLI binaries
    5. Generates and installs a MITM CA certificate into the system trust store
    6. Configures and starts the proxy service
    7. Enables transparent proxying (firewall rules)

    After init completes, the proxy is already running. You do not need to run stronghold enable after a fresh install.

  4. Re-enable the proxy (after disabling)

    If you previously ran stronghold disable, you can re-enable the proxy without repeating the full init:

    sudo stronghold enable

    This restarts the proxy process and reinstalls the firewall rules.

  5. Verify it is running

    stronghold status

    You should see the proxy status as enabled with the firewall rules active.

Post-Setup Checks

Health check — verify connectivity to the Stronghold API and blockchain RPCs:

stronghold health

Account balance — check your current balance and wallet address:

stronghold account balance

If your balance is zero, you will need to fund your wallet before the proxy can process requests. See Funding Your Account for options.

What Happens Next

With the proxy enabled, any process running as the stronghold / _stronghold user has its outbound HTTP/HTTPS traffic intercepted:

  1. The request is forwarded to the destination server by the proxy.
  2. The response content is scanned by the Stronghold API.
  3. If the scan returns ALLOW, the response is passed through to the agent unchanged.
  4. If the scan returns WARN, the response is passed through with warning headers attached.
  5. If the scan returns BLOCK, the response is replaced with a block notice and the original content is never delivered to the agent.

The proxy adds X-Stronghold-* headers to every proxied response. See Response Headers for details.
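
A check built on the header behaviour described above, added here as an example and not part of Stronghold's own tooling: since every proxied response carries X-Stronghold-* headers, a response without any did not pass through the proxy. The function names, the sample header dumps and the placeholder header name X-Stronghold-Example are constructed for illustration; running the live command via sudo -u is an assumption about how the intercepted user is invoked.

```shell
#!/bin/sh
# Added example: confirm a response really passed through the proxy by
# looking for the X-Stronghold-* header prefix named on this page.
# "X-Stronghold-Example" is a constructed placeholder, not a documented header.

# Print the X-Stronghold-* headers of the LAST response in a header dump on stdin.
# `curl -L -D -` writes one header block per redirect hop, so the headers
# collected so far are discarded each time a new status line starts.
stronghold_headers() {
  awk '
    { sub(/\r$/, "") }                 # HTTP header lines end in CRLF
    /^HTTP\// { n = 0; next }          # new response: forget the earlier hop
    tolower($0) ~ /^x-stronghold-[^:]*:/ { found[++n] = $0 }
    END { for (i = 1; i <= n; i++) print found[i] }
  '
}

# Exit 0 only if the final response carries at least one X-Stronghold-* header.
# Absence is treated as "not intercepted" (fail closed).
was_proxied() {
  [ -n "$(stronghold_headers)" ]
}

# Constructed sample: a redirect hop followed by a final response, both proxied.
sample_proxied() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\nX-Stronghold-Example: hop\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-stronghold-example: final\r\n\r\n'
}

# Constructed sample: a response that never passed through the proxy.
sample_direct() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Other: 1\r\n\r\n'
}

# Live use (assumption: run as the intercepted user, stronghold or _stronghold,
# so that the firewall rules apply to the request):
#   sudo -u stronghold curl -sS -L -D - -o /dev/null https://example.com/ | was_proxied \
#     || echo "response did not pass through the proxy" >&2
```

Header names are matched case-insensitively because HTTP/2 responses arrive with lowercase header names.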

Next Steps