ICME LabsAstrolayb
Integrates with
ICME Labs

The context API for ICME PreFlight

Astrolayb is a thin proxy that drops into your cloud, gathers identity, reachability and blast-radius context, and ships it to ICME so every agent prompt gets a cryptographic SAT / UNSAT verdict — straight from your dashboard.

Mapped standards ·HIPAANIST 800-53NIST AI RMFCIS Controls v8SOC 2ISO 27001ISO 42001
//live · real-time preflight console

Type a prompt. Watch the proxy clear it.

proxy.astrolayb.ioapi.icme.io
agent-shell ── prompt intercept @ astrolayb-proxy
user prompt → billing-agent
$ Refund order #A-9921 for $84.20 back to the original card.
examples ·
resolved → POST stripe.refunds.create|target → ch_3PqLm… · $84.20
proxy pipeline · per-action preflightawaiting
  • 01
    Intercept promptastrolayb
    proxy/v1 · parse intent
  • 02
    Gather contextastrolayb
    IAM · reachability · Astrolayb identity
  • 03
    ICME solvericme
    SMT-LIB · check each scope/req
  • 04
    Jolt Atlas prooficme
    NovaNet zkVM · stamp each control
  • 05
    Release to agentagent
    execute · or block at proxy
Awaiting preflight. The proxy holds the action until ICME returns a verdict.
context bundle → icme
0/6 retrieved
agent
billing-agent
resolved action
POST stripe.refunds.create
// run preflight — astrolayb will fetch only what this action touches.
identity graph · preview
beta
IAMprincipalstripe:refunds.writestripe:charges.readledger:appendstripe:refunds.write …owns(charge)PCI 7.1 — least privi…SOC 2 CC6.1 — logical…
principal scope satisfied missing
identity → required controls
0/4 solved
principal
arn:aws:iam::acme:role/billing-agent
scopes held
stripe:refunds.writestripe:charges.readledger:append
  • stripe:refunds.write ≤ $5k
    Refund amount $84.20 under cap
    pending
  • owns(charge)
    Charge belongs to billing-agent tenant
    pending
  • PCI 7.1 — least privilege
    Scoped to own merchant
    pending
  • SOC 2 CC6.1 — logical access
    MFA + role chain verified
    pending
astrolayb controls touched
0/5 stamped
  • Astrolayb · least-privilegepending
  • SOC 2 CC6.1pending
  • PCI 7.1pending
  • NIST 800-53 AC-6pending
  • CIS Controls v8 · 6.8pending
//architecture · split of work

Astrolayb gathers context. ICME proves the verdict.

Astrolayb sits inline as a thin proxy in your environment. We do the cloud lookups so ICME can do the math. Most of the latency is the cryptographic proof — not the scan.

agent.prompt("…")
        │
        ▼
┌─────────────────────────────┐
│  astrolayb proxy            │  ~80ms — gather context
│  identity · reachability    │
│  blast radius · policy refs │
└──────────────┬──────────────┘
               │ POST /v1/checkIt
               ▼
┌─────────────────────────────┐
│  ICME control plane         │  ~240ms — solve + prove
│  SMT-LIB · SAT/UNSAT        │
│  Jolt Atlas zkVM receipt    │
└──────────────┬──────────────┘
               │ verdict + proof
               ▼
  proxy releases action  ✓     or blocks at the wire  ✗
Astrolayb scan
~80ms
IAM + reachability in tenant
ICME solver + proof
~240ms
SMT-LIB · Jolt Atlas zkVM
Block at proxy
0 side-effects
action never reaches target