LynxGateway
A KVKK-native, multi-provider enterprise AI gateway for Turkish organizations; a closed-source compliance and governance layer on top of the open-source LiteLLM (MIT) core.
Overview
Lets organizations use external LLMs like OpenAI / Anthropic / Bedrock without personal data (PII) leaving the country in plaintext, in an auditable and KVKK/VERBİS-compliant way. Core principle: PII never reaches the provider as plaintext — it is masked at the Edge layer and unmasked as the response returns.
A niche for the Turkish market with TCKN/IBAN checksums + Turkish NER + VERBİS PDF; residency-aware fallback and hash-chained audit written from scratch without any enterprise dependency.
Phases 0–3 (technical hardening) complete, field pilot pending. 20/20 integration + 139 unit tests, OIDC SSO proven end-to-end, live self-host instance.
Highlights
TCKN (checksum), IBAN (mod-97), phone, email + Presidio/spaCy NER (name/address/organization); pseudonym + unmask; secure streaming (SSE) round-trip.
/v1/chat/completions, with virtual lk_… keys.
Hashed keys, RPM/TPM rate limits, monthly token budget, lifecycle/offboarding.
Data class (confidential/internal/public) + region; confidential data cannot leave the country; residency-safe provider fallback.
Envelope encryption (KEK→DEK, AES-256-GCM); provider keys are never stored in plaintext.
Hash-chained log + verification endpoint, filtered query + CSV export.
Admin RBAC (owner/admin/auditor/viewer); OIDC + SAML 2.0 SSO with in-house code.
VERBİS PDF report (Turkish); Shadow AI (unauthorized access) detection and reporting.
Automated license_guard blocking enterprise leakage on every commit/CI + CycloneDX SBOM.
Tech Stack
| Edge & Control | Python 3.11 + FastAPI |
| Panel | Next.js 14 |
| Core | LiteLLM (MIT core only) |
| Database | PostgreSQL (isolated litellm DB) · Redis/Valkey |
| NLP | Presidio + spaCy |
| Security | cryptography · python3-saml · ReportLab |
| Infrastructure | Fully Docker |