Technical track · 3 of 3

Plan your first deployment.

Clavenar ships in two shapes. Pick the one that matches your situation; both speak the same wire format, both write the same ledger rows, and you can migrate from one to the other without rewriting policy.

clavenar‑lite — single binary

Proxy, policy, and ledger in one Apache‑2.0 process. docker run clavenar/clavenar‑lite or a static binary. Best for a 1‑hour eval, a local pen‑test rig, or a small self‑host. SQLite under the hood; suitable for a single agent fleet up to a few hundred req/min.

See lite → · Lite status & roadmap →

Full control plane — multi‑service

Proxy + Brain + Policy + HIL + Sandbox + Ledger + Identity, each in its own process with mTLS between them. Helm chart on EKS/GKE/AKS, or compose stack on a VPS. Best for production fleets, multi‑tenant agent operations, or any deployment with a regulator in scope.

Editions & pricing → · Compare →

Topology

Sidecar in front of every tool call.

Your agent doesn’t talk to upstream APIs directly. It talks mTLS to the Clavenar proxy; the proxy injects the real credentials only after the verdict resolves. Real keys never live in agent memory, which kills the single largest exfiltration path.

  [ Agent (LLM + tools) ]
            |  mTLS, agent SVID, no real creds
            v
  [ Clavenar Proxy :8443 ]
       ├──> Brain        (intent + persona + injection)
       ├──> Policy        (Rego + velocity breaker)
       ├──> HIL           (parks Yellow-tier; waits for human)
       └──> Ledger        (hash-chained verdict + outcome)
            |  on Authorized: inject real creds, await upstream
            v
  [ Upstream API (Stripe / Salesforce / RDS / …) ]
Where to go from here

Three concrete next steps.

Run the SDK quickstart

Five minutes from pip install to your first verdict, with both Anthropic and OpenAI clients pre‑wrapped.

Quickstart →

Read the wire format

One spec, every contract. The exact JSON the proxy speaks, the ledger’s canonical envelope, and the HIL approval shape.

Wire spec →

Pick a client SDK

Typed Rust, Python, TypeScript. Plus a CLI (clavenarctl) for ops and audit grep.

Clients →

Talk to us about your deployment.

A 30‑minute call: your agent stack, your threat model, your audit posture. We’ll tell you which shape fits and what the first week looks like.

Request a 30‑minute call