FAQ
Questions about how Clawvisor works.
Credentials
Credential vaulting vs proxying
Does the agent ever receive the real credential?
No. Real secrets stay in the vault. The agent receives a scoped, short-lived handle, and Clawvisor swaps the real credential in at call time, inside the gateway. The credential is never placed in the agent's context, the model prompt, or the response.
Is this vaulting, or just proxying the request?
Both, deliberately. The vault is where the secret lives at rest, encrypted and out of reach of the agent. The proxy is the enforcement point: every call routes through the gateway, which injects the credential only after the call passes purpose and policy checks. Vaulting without an enforcing proxy still lets a compromised agent ask for the secret. Proxying without a vault still leaves the secret reachable. You need both.
Why not just proxy and skip the vault?
A pure pass-through proxy has to get its upstream credential from somewhere, and if that lives next to the agent it is one prompt injection away from exposure. Holding the secret in the vault means the credential exists in exactly one controlled place, and the agent works entirely through handles it cannot exchange for the underlying secret.
What happens to a credential when a task ends?
The handle the agent was using is revoked with the task. There is nothing for the agent to keep, cache, or replay later, because it never held the credential and the handle no longer resolves.
Who can see the secrets on managed cloud?
On the managed cloud they are stored encrypted and injected at call time; they are never exposed to agents or model context. On self-hosted, the vault runs inside your own network and we never see your traffic at all.
Lifecycle
How tasks work and expire
What is a task?
A task is the authorized unit of work. It carries the declared purpose, the policy decision that approved it, the set of tool calls it is allowed to make, and the human it is tied back to. Every protected tool call belongs to exactly one task.
When does a task expire?
A task ends when its work is done, when it hits its time or call budget, or when someone revokes it. Agents start with zero standing access, so expiry is the normal state. Access exists only while a task is open, and the moment it closes the granted tools are withdrawn.
What happens to access the instant a task expires?
It fails closed. The handles issued for that task stop resolving, so any further call the agent attempts is denied. A task that is over cannot reach what it could reach a moment earlier, even if the agent still tries.
Can a long-running agent keep access alive indefinitely?
Not by default. Standing access is the thing Clawvisor is built to remove. A long-running agent opens a fresh task each time it needs to act, and each task is scoped and bounded on its own, so there is no permanent grant for a compromised loop to ride on.
If a task is compromised mid-flight, what is the blast radius?
At most what that one task was approved to do. Because tools are granted per task and revoked when it ends, a hijacked prompt cannot reach anything the task never needed, and it cannot extend its own lifetime to keep going.
Deployment
Self-hosting and requirements
Can I run Clawvisor entirely myself?
Yes. The core gateway is open core and self-hostable. You run it inside your own network, you operate it, and we never see your traffic. It is the same gateway that powers the managed cloud.
What do I need to self-host it?
Somewhere to run the gateway service inside your network, a datastore for the vault and audit log, and outbound reach to the tools and APIs your agents call. Point your agents at the gateway, most commonly by overriding the model base URL, and calls start flowing through it.
How do agents get pointed at the gateway?
Override the provider base URL so agent traffic routes through Clawvisor, for example setting ANTHROPIC_BASE_URL to https://llm.clawvisor.com, and authenticate with a Clawvisor agent token set as the request header in place of your real provider API key. The real key stays in the vault and is swapped in only after the call passes purpose and policy checks; from there the gateway verifies, scopes, and logs every call. There is an install one-liner to get the service up quickly.
What do I give up by self-hosting instead of using cloud?
The gateway itself is the same. The managed cloud adds risk scoring, longer log retention, and team and org governance, and it removes the operational burden of running and updating the service. Self-hosting trades that convenience for full control and isolation.
Do you see my credentials or traffic when I self-host?
No. On self-hosted everything stays in your vault, in your network. We have no visibility into your secrets or your tool calls.
Status
Project status and security roadmap
Is Clawvisor ready to put in front of real agents?
Yes. The core gateway, credential vaulting, per-task containment, and full audit trail are working and in use in front of real agents today. The product is open core and moving fast, so you get a control plane you can deploy now that keeps getting stronger with every release.
What does the audit trail cover today?
Every protected tool call records the action, its arguments, the policy decision, and the task that authorized it, replayable and tied back to the human who approved the work. It is a full audit trail of what your agents did and why each call was allowed.
What is the security roadmap from here?
The near-term focus is hardening the enforcement path, expanding the intent-verification evaluation suite, deepening governance controls, and adding the SSO, custom retention, and data-residency options that Enterprise teams need. Self-hosting already gives security-sensitive teams full isolation today.
How can I follow along or report an issue?
The core is open, so the fastest way to see what is shipping, raise an issue, or read the code is the repository. The community channel is the place to ask questions and follow progress as the project matures.
Still have a question?
Reach out and we will give you a straight answer, or read the code yourself. The core is open.