Why Clavenar

Agent control plane is a real category.

AI gateways are useful for routing, retries, and caching. Prompt firewalls are useful for input scanning. Logging stacks are useful after the fact. Clavenar is for agent tool calls that can create side effects: inspect, decide, approve, and prove on the same hot path.

Use a gateway for

Routing, retries, caching

Keep the gateway when the problem is model delivery, provider failover, or prompt observability.

Use a prompt firewall for

Input and output screening

Keep the scanner when the action is still text and the worst outcome is a bad response.

Use Clavenar when

Tools can move money, data, or infrastructure

Put approvals, policy replay, credentials, and cryptographic evidence on the request path before the side effect happens.

Scenario

Agent attempts a refund tool call.

A customer-support agent asks to issue a refund outside its normal pattern. The category difference shows up before the upstream call fires.

Gateway

Routes the request and records provider metadata.

Prompt firewall

Scans the text, but may not see the typed tool semantics.

DIY logging

Captures what happened after the tool call already ran.

Clavenar

Parks the action for policy and HIL review, releases only after approval, then links the decision to a verifiable audit row.

Capability Clavenar AI gateways
Portkey‑class
Prompt firewalls
input scanners
DIY logging
roll your own
Prevent and control before side effects
Semantic inspection
intent + drift + injection
Three signals, in‑line routing and telemetry first input string first depends on custom work
Credentials never touch the agent Vault‑injected at proxy agent usually holds the keys agent usually holds the keys depends on custom work
Multi‑instance velocity breaker NATS‑KV, CAS‑correct often per‑instance not the core job must be built
Published policy and attack catalog Inspect the current coverage inventory not usually included vendor benchmark must be built
Approve and decide safely
Human approvals on dangerous tool calls Slack & Teams, fail‑closed not usually in path not usually in path ad hoc chat approval
Published mock‑mode pipeline p95
excludes a live model-provider request
2.20 ms hit / 20.1 ms miss not measured here not measured here not measured here
Replay a policy edit before you publish
Policy Lab — diff against last 7d of real traffic + the catalog
Edit → replay → publish not usually included not usually included edit → deploy → monitor
Propose rules from your own traffic
Self‑Learn — five detectors over the audit chain, one‑click Accept
Mine → review → accept not usually included not usually included dashboards, review, draft
Prove and operate
Cryptographic, replayable audit trail SHA‑256 + /verify append‑only logs not the core job whatever you ship
Open‑source, wire‑compatible OSS edition Clavenar Lite (Apache‑2.0) often SaaS first often SaaS first fully yours to maintain
Stack Rust end‑to‑end mixed runtimes common varies by vendor heterogeneous

Comparison reflects common deployment patterns, not a claim that every vendor or homegrown stack behaves identically. If a gateway, firewall, or internal platform already provides fail‑closed approvals, credential isolation, replayable policy diffs, and cryptographic chain verification on the tool-call path, treat it as the same control-plane category Clavenar is defining here.

Six properties that aren't easy to copy

01

The chain is the product

Every entry commits to its predecessor in canonical JSON; the field order is the chain version. Auditors don't get a vendor deck — they get a deterministic replay and a single endpoint that says tampered=false.

02

Security‑first, the hard way

An earlier racing architecture exposed a side‑effect window for Yellow‑tier tools during review, so it was removed before a production path. The safer ordering is now part of the design.

03

Two‑model isolation

The inspector is deliberately a different LLM from your agent's primary model. A jailbreak that fools the agent doesn't automatically fool the clavenar.

04

Rust in the hot path

No GIL contention. No cold‑start CPython. Predictable tail latency on both the verdict and the upstream roundtrip — the kind that survives an SRE's first p99 query.

05

Replay before you publish

Policy Lab takes your draft Rego, runs it against the last seven days of your real traffic AND a 40‑attack catalog, and shows you the verdict diff before activate. Nobody else can do this because nobody else has a structured immutable chain holding every PolicyInput.

06

Propose rules from your own traffic

Self‑Learn mines the chain for after‑hours concentrations, argument‑cap outliers, attestation gaps, velocity spikes and intent‑score drift, then surfaces ranked Rego candidates with a diff vs. your active bundle. Brain writes the one‑liner. Operator clicks Accept. The rule lands as a draft.

"But our LLM gateway already logs requests."

A logging stack tells you what happened. Clavenar tells you what shouldn't happen, blocks it before it does, and then logs it — into a chain you can prove.