# SILO Integration for Predict Desktop **Version:** 1.1.0 **Date:** 2026-04-25 **Status:** Phase 1 Implemented, Phase 2 Infrastructure Pending --- ## Executive Summary This document analyzes the feasibility of integrating SILO (Secure Intelligence Layer Operations) with Predict Desktop to provide real-time AI agent behavioral monitoring. SILO can detect adversarial behavior, policy violations, and anomalous patterns in Predict's AI-powered features. ### Key Findings | Aspect | Assessment | Notes | |--------|------------|-------| | **Technical Feasibility** | **HIGH** | Clean architecture, strong logging, webhook support | | **Integration Effort** | **MEDIUM** | ~2-3 weeks for webhook approach, ~4-6 weeks for deep integration | | **Security Benefit** | **HIGH** | Monitors LLM, trading, workflows for policy violations | | **Performance Impact** | **LOW** | Async event emission, non-blocking | ### Recommended Approach **Phase 1: Webhook Integration** (Quick Win) - Register SILO as webhook subscriber for Predict events - Monitor assistant interactions, algorithm decisions, trade executions **Phase 2: Deep Integration** (Full Monitoring) - Embed SILO sidecar in Predict infrastructure - Real-time LLM interception and behavioral scoring --- ## What is SILO? SILO is an AI-native security framework that detects adversarial behavior in AI agents through real-time behavioral monitoring. ### Core Capabilities | Capability | Description | |------------|-------------| | **Trust Deficit Scoring** | 0-100 score tracking agent trustworthiness | | **Behavioral Analysis** | ML-based anomaly detection | | **Prompt Injection Detection** | Identifies jailbreak/override attempts | | **Response Actions** | OBSERVE → RESTRICT → ISOLATE → TERMINATE | | **Real-time Dashboard** | Live agent monitoring and alerts | ### SILO Architecture ``` ┌─────────────────────────────────────────────────────────────────┐ │ SILO Cortex │ │ (Correlation Engine, TDS Engine, Response Controller) │ ├─────────────────────────────────────────────────────────────────┤ │ EventBus (gRPC) │ ├───────────────┬───────────────┬───────────────┬────────────────┤ │ Sidecar 1 │ Sidecar 2 │ Sidecar 3 │ Predict Hook │ │ (Linux VM) │ (Windows VM) │ (Docker) │ (Webhook) │ └───────────────┴───────────────┴───────────────┴────────────────┘ ``` --- ## Predict Components to Monitor ### 1. Assistant (LLM Chat) **Location:** `/packages/be/src/assistant/handler.ts` **What SILO Monitors:** - Prompt injection attempts in user messages - System prompt override attempts - Unauthorized instruction injection - Token usage anomalies - Response policy violations **Data Available:** ```typescript interface AssistantTurn { conversationId: string; role: 'user' | 'assistant'; content: string; model: string; provider: string; promptTokens: number; completionTokens: number; latencyMs: number; snapshotHash: string; // Context fingerprint } ``` **Risk Level:** HIGH - Direct LLM interaction surface ### 2. Algorithm Builder (NL→DSL) **Location:** `/packages/be/src/algorithms/llm/translate.ts` **What SILO Monitors:** - LLM-generated trading strategies - DSL whitelist violations - Look-ahead bias in backtest - Confidence score manipulation - Parse failure patterns (attack signatures) **Data Available:** ```typescript interface AlgorithmTranslation { userId: string; naturalLanguage: string; generatedDSL: string; parseSuccess: boolean; retryCount: number; whitelistViolations: string[]; } ``` **Risk Level:** HIGH - Agent can generate executable trading logic ### 3. LLM Jury System **Location:** `/packages/be/src/algorithms/llm/jury.ts` **What SILO Monitors:** - Multi-stage decision integrity - Proposer/Critic/Judge consistency - Confidence score distribution - Decision override attempts **Data Available:** ```typescript interface JuryDecision { algorithmId: string; proposerDecision: string; criticFeedback: string; judgeDecision: 'approve' | 'reject' | 'modify'; confidence: number; reasoning: string; } ``` **Risk Level:** MEDIUM - Agent auto-approval gateway ### 4. Trade Execution **Location:** `/packages/be/src/trading/services/trade-execution.ts` **What SILO Monitors:** - Position sizing violations - Leverage limits - Rapid trading patterns (manipulation) - Unauthorized broker actions - Idempotency key reuse (replay attacks) **Data Available:** ```typescript interface TradeExecution { userId: string; algorithmId: string; side: 'buy' | 'sell'; symbol: string; quantity: number; price: number; executionMode: 'paper' | 'live'; idempotencyKey: string; } ``` **Risk Level:** CRITICAL - Financial impact ### 5. Workflow Actions **Location:** `/packages/be/src/workflows/runner.ts` **What SILO Monitors:** - External webhook destinations - Email/SMS content for data exfil - Unauthorized action types - Rate limit bypass attempts - Condition evaluation anomalies **Data Available:** ```typescript interface WorkflowExecution { workflowId: string; userId: string; triggerEvent: object; conditionResult: boolean; actions: ActionExecution[]; status: 'completed' | 'failed'; } ``` **Risk Level:** HIGH - Agent can trigger external actions --- ## Integration Approaches ### Approach 1: Webhook Subscription (Recommended First) **Effort:** ~2 weeks **Impact:** Low (additive, no code changes) ``` ┌─────────────┐ POST /events ┌─────────────┐ │ Predict │ ──────────────────▶ │ SILO │ │ Backend │ │ Webhook │ │ │ ◀────────────────── │ Receiver │ └─────────────┘ 200 OK / Alert └─────────────┘ ``` **Implementation:** 1. **Predict Side:** Add SILO as webhook subscriber ```typescript // In /packages/be/src/webhooks/subscribers.ts const siloSubscription = { url: 'https://silo.internal/api/predict-events', events: ['assistant.turn', 'algorithm.translate', 'trade.execute', 'workflow.run'], secret: process.env.SILO_WEBHOOK_SECRET, }; ``` 2. **SILO Side:** Create Predict event handler ```rust // In silo-cortex/src/integrations/predict.rs fn handle_predict_event(event: PredictEvent) -> SiloEvent { match event.event_type { "assistant.turn" => analyze_llm_interaction(event), "algorithm.translate" => analyze_dsl_generation(event), "trade.execute" => analyze_trade(event), "workflow.run" => analyze_workflow(event), } } ``` **Pros:** - No changes to Predict core - Easy to enable/disable - Works with existing webhook infrastructure **Cons:** - Async (not real-time blocking) - Limited to events Predict already emits - Cannot intercept/modify requests ### Approach 2: Middleware Integration **Effort:** ~4 weeks **Impact:** Medium (code changes required) ``` ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ Request │ ──▶ │ SILO │ ──▶ │ Predict │ │ │ │ Middleware │ │ Handler │ │ │ ◀── │ │ ◀── │ │ └─────────────┘ └─────────────┘ └─────────────┘ ``` **Implementation:** 1. **Create SILO middleware for Next.js:** ```typescript // In /packages/be/src/lib/silo/middleware.ts import { SiloClient } from '@silo/sdk'; const silo = new SiloClient({ cortexUrl: process.env.SILO_CORTEX_URL, apiKey: process.env.SILO_API_KEY, }); export async function siloMiddleware( request: NextRequest, handler: () => Promise ): Promise { const startTime = Date.now(); // Pre-request analysis const preCheck = await silo.analyzeRequest({ path: request.nextUrl.pathname, method: request.method, userId: extractUserId(request), body: await request.clone().json(), }); if (preCheck.action === 'BLOCK') { return NextResponse.json({ error: 'Request blocked by security policy' }, { status: 403 }); } // Execute handler const response = await handler(); // Post-response analysis await silo.recordEvent({ type: 'http_request', path: request.nextUrl.pathname, userId: extractUserId(request), latencyMs: Date.now() - startTime, statusCode: response.status, }); return response; } ``` 2. **Wrap critical endpoints:** ```typescript // In /apps/web/src/app/api/predict/v1/assistant/stream/route.ts export async function POST(request: NextRequest) { return siloMiddleware(request, async () => { return handleAssistantStream(request); }); } ``` **Pros:** - Real-time blocking capability - Full request/response visibility - Can modify or reject requests **Cons:** - Adds latency to every request - Requires Predict code changes - Tighter coupling ### Approach 3: Sidecar Deployment **Effort:** ~6 weeks **Impact:** Infrastructure change ``` ┌─────────────────────────────────────────────┐ │ Kubernetes Pod │ │ ┌─────────────┐ ┌─────────────┐ │ │ │ Predict │ ◀──▶ │ SILO │ │ │ │ Container │ │ Sidecar │ │ │ └─────────────┘ └─────────────┘ │ │ │ │ │ │ ▼ ▼ │ │ PostgreSQL SILO Cortex │ └─────────────────────────────────────────────┘ ``` **Implementation:** 1. **Deploy SILO sidecar alongside Predict:** ```yaml # In kubernetes/predict-deployment.yaml spec: containers: - name: predict image: predict:latest env: - name: SILO_SIDECAR_URL value: "http://localhost:9091" - name: silo-sidecar image: silo/sidecar:latest ports: - containerPort: 9091 env: - name: SILO_CORTEX_URL value: "https://cortex.silo.internal" - name: SILO_AGENT_NAME value: "predict-backend" ``` 2. **Intercept at network level:** - eBPF monitoring of all syscalls - Network traffic analysis - Process behavior tracking **Pros:** - Full visibility (network, syscalls, processes) - Works without code changes - Can detect low-level attacks **Cons:** - Infrastructure complexity - Requires Linux host (for eBPF) - Higher resource usage --- ## Recommended Implementation Plan ### Phase 1: Webhook Integration (Weeks 1-2) | Task | Owner | Effort | |------|-------|--------| | Create SILO webhook receiver endpoint | SILO Team | 2 days | | Define event schemas | Both Teams | 1 day | | Add SILO webhook to Predict | Predict Team | 2 days | | Test event flow | Both Teams | 2 days | | Dashboard integration | SILO Team | 3 days | **Deliverables:** - SILO receives all Predict AI events - Dashboard shows Predict agent activity - Basic anomaly alerts ### Phase 2: Enhanced Monitoring (Weeks 3-4) | Task | Owner | Effort | |------|-------|--------| | LLM prompt analysis | SILO Team | 3 days | | Trade pattern detection | SILO Team | 3 days | | Workflow action monitoring | SILO Team | 2 days | | TDS scoring for Predict agents | SILO Team | 2 days | **Deliverables:** - Prompt injection detection - Trading anomaly alerts - Per-user trust scores ### Phase 3: Deep Integration (Weeks 5-8) | Task | Owner | Effort | |------|-------|--------| | Middleware SDK development | SILO Team | 5 days | | Predict middleware integration | Predict Team | 3 days | | Real-time blocking capability | Both Teams | 3 days | | Performance optimization | Both Teams | 3 days | **Deliverables:** - Real-time request blocking - Sub-10ms latency overhead - Full audit trail --- ## API Specification ### Predict → SILO Events ```typescript // POST https://silo.internal/api/predict-events interface PredictEvent { eventType: 'assistant.turn' | 'algorithm.translate' | 'trade.execute' | 'workflow.run'; timestamp: string; // ISO 8601 userId: string; sessionId: string; payload: AssistantTurn | AlgorithmTranslation | TradeExecution | WorkflowExecution; metadata: { ip: string; userAgent: string; requestId: string; }; } ``` ### SILO → Predict Responses ```typescript // Response to webhook interface SiloResponse { received: boolean; eventId: string; analysis: { trustScore: number; // 0-100 riskLevel: 'low' | 'medium' | 'high' | 'critical'; detectedPatterns: string[]; recommendedAction: 'allow' | 'monitor' | 'restrict' | 'block'; }; alerts: Alert[]; } // Alert pushed to Predict (optional callback) interface Alert { alertId: string; severity: 'info' | 'warning' | 'critical'; message: string; userId: string; action: 'notify' | 'restrict' | 'terminate'; } ``` --- ## Security Considerations ### Data Handling | Data Type | Handling | Retention | |-----------|----------|-----------| | User messages | Hashed for pattern matching | 90 days | | Trade data | Full logging for compliance | 7 years | | Credentials | NEVER transmitted to SILO | N/A | | API keys | Redacted before emission | N/A | ### Authentication ```typescript // Webhook signature verification const isValidSignature = ( payload: string, signature: string, secret: string ): boolean => { const expected = crypto .createHmac('sha256', secret) .update(payload) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(expected) ); }; ``` ### Network Security - TLS 1.3 required for all SILO communication - mTLS for production deployments - IP allowlisting for webhook endpoints --- ## Cross-Account AWS Deployment Since Predict and SILO run in separate AWS accounts with different subdomains, the following infrastructure is required. ### Architecture ``` ┌─────────────────────────────────────────────────────────────────────────────┐ │ AWS Account: Predict (Your Account) │ │ ┌─────────────────┐ │ │ │ Predict Desktop │──┐ │ │ │ (Backend) │ │ │ │ └─────────────────┘ │ │ │ │ POST https://preprod.silo-dev.com/ │ │ │ api/v1/predict/webhook │ │ │ Header: X-Predict-Signature: │ └───────────────────────┼─────────────────────────────────────────────────────┘ │ │ HTTPS over Internet (or VPC PrivateLink) ▼ ┌─────────────────────────────────────────────────────────────────────────────┐ │ AWS Account: SILO (Partner Account) │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ Route53 │───▶│ ALB │───▶│ Cortex │ │ │ │ (DNS) │ │ (HTTPS) │ │ (Webhook) │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ │ └─────────────────────────────────────────────────────────────────────────────┘ ``` ### Webhook Configuration (Predict Side) **Environment Variables:** ```bash # Production webhook endpoint SILO_WEBHOOK_URL=https://preprod.silo-dev.com/api/v1/predict/webhook # Shared HMAC secret (coordinate with SILO team) SILO_WEBHOOK_SECRET=<256-bit-secret-from-secrets-manager> # Optional: Timeout and retry settings SILO_WEBHOOK_TIMEOUT_MS=5000 SILO_WEBHOOK_RETRY_COUNT=3 ``` **Secrets Manager (Predict Account):** ```bash # Store the shared webhook secret aws secretsmanager create-secret \ --name "predict/silo/webhook-secret" \ --secret-string '{"secret":""}' # Retrieve in application aws secretsmanager get-secret-value \ --secret-id "predict/silo/webhook-secret" \ --query SecretString --output text | jq -r .secret ``` ### Webhook Client Implementation ```typescript // /packages/be/src/lib/silo/client.ts import crypto from 'crypto'; interface SiloWebhookClient { sendEvent(event: PredictEvent): Promise; } export function createSiloClient(): SiloWebhookClient { const webhookUrl = process.env.SILO_WEBHOOK_URL!; const webhookSecret = process.env.SILO_WEBHOOK_SECRET!; const timeoutMs = parseInt(process.env.SILO_WEBHOOK_TIMEOUT_MS || '5000'); return { async sendEvent(event: PredictEvent): Promise { const payload = JSON.stringify(event); // Calculate HMAC-SHA256 signature const signature = crypto .createHmac('sha256', webhookSecret) .update(payload) .digest('hex'); const response = await fetch(webhookUrl, { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Predict-Signature': signature, }, body: payload, signal: AbortSignal.timeout(timeoutMs), }); if (!response.ok) { throw new Error(`SILO webhook failed: ${response.status}`); } return response.json(); }, }; } ``` ### Event Emission Examples **Assistant Handler:** ```typescript // /packages/be/src/assistant/handler.ts import { createSiloClient } from '../lib/silo/client'; const siloClient = createSiloClient(); export async function handleAssistantTurn(turn: AssistantTurn) { // ... existing logic ... // Emit to SILO (async, non-blocking) siloClient.sendEvent({ event_type: 'assistant.turn', timestamp: new Date().toISOString(), user_id: turn.userId, session_id: turn.sessionId, payload: { conversation_id: turn.conversationId, role: turn.role, content_hash: hashContent(turn.content), // Don't send raw content model: turn.model, provider: turn.provider, prompt_tokens: turn.promptTokens, completion_tokens: turn.completionTokens, latency_ms: turn.latencyMs, }, }).catch(err => { // Log but don't fail the request console.error('SILO webhook failed:', err.message); }); return response; } ``` **Trade Execution:** ```typescript // /packages/be/src/trading/services/trade-execution.ts import { createSiloClient } from '../../lib/silo/client'; const siloClient = createSiloClient(); export async function executeTrade(trade: TradeRequest) { // ... existing logic ... // Emit to SILO (async, non-blocking) siloClient.sendEvent({ event_type: 'trade.execute', timestamp: new Date().toISOString(), user_id: trade.userId, payload: { algorithm_id: trade.algorithmId, symbol: trade.symbol, side: trade.side, quantity: trade.quantity, price: trade.price, execution_mode: trade.executionMode, }, }).catch(err => { console.error('SILO webhook failed:', err.message); }); return result; } ``` ### Network Requirements **Outbound Access from Predict VPC:** Predict's application servers need outbound HTTPS access to SILO's webhook endpoint: | Source | Destination | Port | Protocol | |--------|-------------|------|----------| | Predict App Servers | `preprod.silo-dev.com` | 443 | HTTPS | **Security Group (Predict):** ```hcl resource "aws_security_group_rule" "silo_webhook_egress" { security_group_id = aws_security_group.predict_app.id type = "egress" from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] # Or specific SILO IP ranges description = "SILO webhook HTTPS" } ``` **NAT Gateway (for Private Subnets):** If Predict runs in private subnets, ensure NAT Gateway is configured and provide the Elastic IP to SILO team for IP allowlisting: ```bash # Get NAT Gateway Elastic IP aws ec2 describe-nat-gateways --query 'NatGateways[*].NatGatewayAddresses[*].PublicIp' ``` ### VPC PrivateLink (Optional - Most Secure) For private cross-account connectivity without internet exposure: 1. **SILO Team:** Creates VPC Endpoint Service 2. **Predict Team:** Creates VPC Endpoint in your account 3. **Result:** Private DNS resolves to internal IP ```bash # Create VPC Endpoint (after SILO provides service name) aws ec2 create-vpc-endpoint \ --vpc-id vpc-12345678 \ --service-name com.amazonaws.vpce.us-east-1.vpce-svc-XXXX \ --vpc-endpoint-type Interface \ --subnet-ids subnet-abcd1234 \ --security-group-ids sg-12345678 ``` ### Testing Webhook Connectivity **From Predict Backend:** ```bash # Test DNS resolution dig preprod.silo-dev.com # Test HTTPS connectivity (no auth) curl -v https://preprod.silo-dev.com/health # Test webhook endpoint (with signature) SECRET="your-webhook-secret" PAYLOAD='{"event_type":"test","user_id":"test123","payload":{}}' SIG=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2) curl -X POST https://preprod.silo-dev.com/api/v1/predict/webhook \ -H "Content-Type: application/json" \ -H "X-Predict-Signature: $SIG" \ -d "$PAYLOAD" ``` **Expected Response:** ```json { "received": true, "event_id": "evt_abc123", "analysis": { "trust_score": 85.0, "risk_level": "low", "detected_patterns": [], "recommended_action": "allow" } } ``` ### Troubleshooting | Issue | Cause | Solution | |-------|-------|----------| | Connection timeout | Firewall/SG blocking | Check egress rules, NAT Gateway | | 401 Unauthorized | Invalid signature | Verify secret matches on both sides | | 403 Forbidden | IP not allowlisted | Provide NAT Gateway IP to SILO team | | 500 Server Error | SILO backend issue | Contact SILO team, check status page | | DNS resolution failed | Route53 not propagated | Wait 5-10 min, try `dig @8.8.8.8` | --- ## Performance Impact ### Webhook Approach (Async) | Metric | Impact | |--------|--------| | Request latency | +0ms (async) | | Memory overhead | ~10MB for queue | | Network | ~1KB per event | ### Middleware Approach (Sync) | Metric | Impact | |--------|--------| | Request latency | +5-15ms | | Memory overhead | ~50MB for cache | | Network | ~2KB per request | --- ## Files to Modify in Predict ### Phase 1 (Webhook) | File | Change | |------|--------| | `/packages/be/src/lib/silo/client.ts` | New: SILO webhook client | | `/packages/be/src/lib/silo/events.ts` | New: Event type definitions | | `/packages/be/src/assistant/handler.ts` | Add: Event emission after LLM call | | `/packages/be/src/algorithms/llm/translate.ts` | Add: Event emission after translation | | `/packages/be/src/trading/services/trade-execution.ts` | Add: Event emission after trade | | `/packages/be/src/workflows/runner.ts` | Add: Event emission after workflow | ### Phase 2 (Middleware) | File | Change | |------|--------| | `/packages/be/src/lib/silo/middleware.ts` | New: Request/response interceptor | | `/apps/web/src/middleware.ts` | Add: SILO middleware chain | | `/packages/be/src/lib/silo/blocking.ts` | New: Real-time blocking logic | --- ## Conclusion SILO integration with Predict Desktop is highly feasible and provides significant security value for monitoring AI agent behavior. The webhook approach offers a quick win with minimal code changes, while the middleware approach enables real-time blocking for critical operations. ### Current Status | Phase | Status | Notes | |-------|--------|-------| | **Phase 1: Webhook Handler** | ✅ Complete | SILO backend ready to receive events | | **Phase 2: Infrastructure** | 🔄 In Progress | Route53, ALB, TLS configuration | | **Phase 3: Predict Integration** | ⏳ Pending | Waiting for webhook URL confirmation | ### Webhook Configuration **Production URL:** ``` https://preprod.silo-dev.com/api/v1/predict/webhook ``` **Required Headers:** ``` Content-Type: application/json X-Predict-Signature: ``` **Supported Events:** - `assistant.turn` - LLM chat interactions - `algorithm.translate` - NL→DSL translations - `jury.decision` - Multi-agent jury decisions - `trade.execute` - Trade executions - `workflow.run` - Workflow triggers ### Next Steps 1. ✅ ~~Review this document with both teams~~ 2. ✅ ~~Agree on Phase 1 scope and timeline~~ 3. 🔄 **SILO Team:** Complete Route53 + ALB setup 4. 🔄 **Security:** Exchange webhook secrets via Secrets Manager 5. ⏳ **Predict Team:** Implement webhook client 6. ⏳ **Both Teams:** End-to-end testing --- ## Appendix: SILO Event Types | Event Type | Description | TDS Impact | |------------|-------------|------------| | `LlmInteraction` | Assistant chat turn | +1-5 per suspicious pattern | | `AlgorithmGenerated` | NL→DSL translation | +5-10 if whitelist violation | | `TradeExecuted` | Order placed | +10-20 if limit exceeded | | `WorkflowTriggered` | Automation fired | +5-15 if unauthorized action | | `PromptInjectionDetected` | Jailbreak attempt | +30-50 immediate | | `DataExfiltrationAttempt` | Sensitive data in output | +40-60 immediate | --- ## Contact - **SILO Team:** security@silo.red - **Predict Team:** engineering@predict.app