Apoxy:// CLRK

Run untrusted
agents safely.

CLRK is the Cognitive Loop Runtime for Kubernetes. Run any agent — CrewAI, LangGraph, ADK, OpenAI Agents — in a gVisor sandbox with every byte of egress routed through Envoy. Credentials, cost, and policy live in the infrastructure, not in your agent code.

FIG. 02 CLRK

Hosted CLRK is coming.

CLRK is open source today — run it in your own Kubernetes cluster. The fully hosted runtime is on the way. Leave your email and we’ll tell you when it’s live.

01InterceptSandbox

Controlled egress, no SDKs.

Agents run with normal networking inside a gVisor sandbox. CLRK's userspace netstack transparently pulls every connect() through an Envoy fleet — so credential injection, cost metering, and policy enforcement are governed at the wire, not in the agent.

FIG. 02 REV. A
Agent sandbox
gVisor · netstack
sees plain HTTP · no proxy config
CrewAI · LangGraph · ADK
Envoy egress gateway
ext_proc
inject · meter · trace
TLS terminate · L7 capture
Any reachable service
Upstreams
real credentials injected
APIs · MCP · Databases
Isolation
gVisor userspace
Each execution gets its own network namespace. Compromised agent code can't reach the host or the cluster.
Credentials
Never in the worker
Workers never hold API keys. Envoy attaches the real secret as the request leaves the sandbox.
Egress
Default-deny allowlist
Nothing leaves unless you allow it. Every hop is captured for cost, audit, and tracing.
02InjectCredentials

Credentials the agent can't leak.

Store the secret on the cluster and bind it to a route. The agent makes its call with no auth header at all — the proxy inserts the real credential as the request leaves the sandbox. Rotate keys, scope them per user, and revoke without ever touching agent code.

03GovernPolicy

Guardrails at the infra layer.

A declarative, Gateway-API-inspired model. Compose egress rules, budgets, and routes to describe exactly what an agent can reach — enforced by the proxy, transparent to the agent.

POL / 01

Egress lockdown

  • EgressGateway with defaultPolicy: deny-all.
  • Allowlist upstreams by host, CIDR, or port.
  • DNS-level blocking for everything else.
POL / 02

Cost & token budgets

  • Per-agent and per-execution token counting.
  • Cap LLM spend before it runs away.
  • Catch cost spikes from prompt injection.
POL / 03

LLM routing & failover

  • Cross-provider fallback in the order you define.
  • A failed call retries the next backend — even a different provider.
  • Requests translated + re-authed per attempt, no SDK changes.
POL / 04

MCP tunnels & tool policy

  • Tunnel to private and internal MCP servers.
  • Allowlist tools per agent with MCPRoute.
  • Per-agent OAuth and rate limits, managed.
04ObserveOTLP

Know what your
agents are doing.

Full request/response visibility for every LLM inference and external call — because it all flows through the proxy. Metered, traced, and exportable anywhere.

$

Cost dashboard

Per-agent, per-execution, and per-user LLM spend — attributed automatically from the proxy, not reverse-engineered from a provider bill.

OT

OTLP traces

Follow a single inbound request through the sandbox and out to every LLM and tool call. Ship to Datadog, Grafana Cloud, Axiom, or any OTLP endpoint.

Ask in plain English

Point your assistant at Apoxy's MCP server and ask what an agent called, how many tokens it burned, or which upstreams it hit — no dashboards to wire up by hand.

Ship agents
you can trust.

Sandbox, credentials, cost, and policy — handled at the infrastructure layer. No SDK, no rewrites, no agent code changes.