Routing, retries, caching
Keep the gateway when the problem is model delivery, provider failover, or prompt observability.
AI gateways are useful for routing, retries, and caching. Prompt firewalls are useful for input scanning. Logging stacks are useful after the fact. Clavenar is for agent tool calls that can create side effects: inspect, decide, approve, and prove on the same hot path.
Keep the gateway when the problem is model delivery, provider failover, or prompt observability.
Keep the scanner when the action is still text and the worst outcome is a bad response.
Put approvals, policy replay, credentials, and cryptographic evidence on the request path before the side effect happens.
A customer-support agent asks to issue a refund outside its normal pattern. The category difference shows up before the upstream call fires.
Routes the request and records provider metadata.
Scans the text, but may not see the typed tool semantics.
Captures what happened after the tool call already ran.
Parks the action for policy and HIL review, releases only after approval, then links the decision to a verifiable audit row.
| Capability | Clavenar | AI gateways Portkey‑class |
Prompt firewalls input scanners |
DIY logging roll your own |
|---|---|---|---|---|
| Prevent and control before side effects | ||||
| Semantic inspection intent + drift + injection |
Three signals, in‑line | routing and telemetry first | input string first | depends on custom work |
| Credentials never touch the agent | Vault‑injected at proxy | agent usually holds the keys | agent usually holds the keys | depends on custom work |
| Multi‑instance velocity breaker | NATS‑KV, CAS‑correct | often per‑instance | not the core job | must be built |
| Published policy and attack catalog | Inspect the current coverage inventory | not usually included | vendor benchmark | must be built |
| Approve and decide safely | ||||
| Human approvals on dangerous tool calls | Slack & Teams, fail‑closed | not usually in path | not usually in path | ad hoc chat approval |
| Published mock‑mode pipeline p95 excludes a live model-provider request |
2.20 ms hit / 20.1 ms miss | not measured here | not measured here | not measured here |
| Replay a policy edit before you publish Policy Lab — diff against last 7d of real traffic + the catalog |
Edit → replay → publish | not usually included | not usually included | edit → deploy → monitor |
| Propose rules from your own traffic Self‑Learn — five detectors over the audit chain, one‑click Accept |
Mine → review → accept | not usually included | not usually included | dashboards, review, draft |
| Prove and operate | ||||
| Cryptographic, replayable audit trail | SHA‑256 + /verify |
append‑only logs | not the core job | whatever you ship |
| Open‑source, wire‑compatible OSS edition | Clavenar Lite (Apache‑2.0) | often SaaS first | often SaaS first | fully yours to maintain |
| Stack | Rust end‑to‑end | mixed runtimes common | varies by vendor | heterogeneous |
Comparison reflects common deployment patterns, not a claim that every vendor or homegrown stack behaves identically. If a gateway, firewall, or internal platform already provides fail‑closed approvals, credential isolation, replayable policy diffs, and cryptographic chain verification on the tool-call path, treat it as the same control-plane category Clavenar is defining here.
Every entry commits to its predecessor in canonical JSON; the field order is the chain version. Auditors don't get a vendor deck — they get a deterministic replay and a single endpoint that says tampered=false.
An earlier racing architecture exposed a side‑effect window for Yellow‑tier tools during review, so it was removed before a production path. The safer ordering is now part of the design.
The inspector is deliberately a different LLM from your agent's primary model. A jailbreak that fools the agent doesn't automatically fool the clavenar.
No GIL contention. No cold‑start CPython. Predictable tail latency on both the verdict and the upstream roundtrip — the kind that survives an SRE's first p99 query.
Policy Lab takes your draft Rego, runs it against the last seven days of your real traffic AND a 40‑attack catalog, and shows you the verdict diff before activate. Nobody else can do this because nobody else has a structured immutable chain holding every PolicyInput.
Self‑Learn mines the chain for after‑hours concentrations, argument‑cap outliers, attestation gaps, velocity spikes and intent‑score drift, then surfaces ranked Rego candidates with a diff vs. your active bundle. Brain writes the one‑liner. Operator clicks Accept. The rule lands as a draft.
"But our LLM gateway already logs requests."
A logging stack tells you what happened. Clavenar tells you what shouldn't happen, blocks it before it does, and then logs it — into a chain you can prove.