Swarm is for agents that work for you. clawdapus is for agents that work as you.

Most agent frameworks assume the agent is a trusted process. They handle orchestration, memory, and tool use — but they leave governance, credential management, identity projection, and cost containment to the application developer. That's fine for controlled experiments. It's not fine for production deployments where agents operate with real identities, real budgets, and real consequences.

clawdapus is the infrastructure layer below your agent framework. It treats agents as untrusted workloads — the same way a container orchestrator treats application containers — and wraps them in a governed, auditable execution environment.

MIT licensed. Built in the open. Flux Inc. is a contributing organization and production implementation partner.

The Core Insight

Autonomous agents deployed in healthcare, finance, or enterprise settings aren't just code — they're proxies for organizational intent. They post to feeds, reply on chat platforms, query databases, and execute actions under your organization's identity. The risk isn't just "the agent does something wrong." The risk is: the agent does something wrong under your name, with your credentials, in your regulated environment.

clawdapus addresses this with four interlocking mechanisms:

Behavioral Contracts

Every agent is bound by a read-only behavioral contract — a structured AGENTS.md file defining the agent's purpose, constraints, and rules of engagement. The contract is bind-mounted from the host at the infrastructure layer. The agent cannot modify it. It cannot override it. It survives container compromise.

Contracts compose: organization-wide mandates, department-level overlays, and role-specific refinements stack through INCLUDE directives with enforce, guide, and reference modes.

Credential Starvation

Agents never hold real API keys, database credentials, or service tokens. Instead, they receive dummy bearer tokens. The cllama governance proxy — running as a separate sidecar — holds the real credentials and swaps them at inference time. Even a fully compromised agent cannot bypass governance, because it lacks the credentials to do so.
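The swap described above can be sketched as follows. This is an added example, not code from clawdapus or cllama: the token tables, header names, status codes and the `swap_credentials` function are assumptions made for illustration, and every token value is a constructed placeholder.

```python
import hmac

# Constructed sample data (assumption): placeholder values, not real clawdapus tokens.
DUMMY_TOKENS = {"agent-a": "dummy-aaaa", "agent-b": "dummy-bbbb"}  # handed to agents
REAL_KEYS = {"agent-a": "REAL-PROVIDER-KEY-PLACEHOLDER"}            # held only by the proxy


def identify_agent(presented: str):
    """Return the agent id whose dummy token matches, or None."""
    match = None
    for agent, dummy in DUMMY_TOKENS.items():
        # Constant-time compare, and scan every entry so timing does not show which matched.
        if hmac.compare_digest(presented.encode(), dummy.encode()):
            match = agent
    return match


def swap_credentials(headers: dict):
    """Return (200, upstream_headers) or (status, None) when the request is refused."""
    auth = ""
    for name, value in headers.items():
        if name.lower() == "authorization":
            auth = value
    scheme, _, presented = auth.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return 401, None
    agent = identify_agent(presented)
    if agent is None:
        return 401, None   # only issued dummy tokens are accepted at the proxy
    real = REAL_KEYS.get(agent)
    if real is None:
        return 403, None   # known agent, but no provider credential provisioned for it
    # Drop every client-supplied auth header, then attach the real credential.
    upstream = {k: v for k, v in headers.items()
                if k.lower() not in ("authorization", "x-api-key")}
    upstream["Authorization"] = f"Bearer {real}"
    return 200, upstream
```

The real key exists only in the proxy's table, so nothing the agent process can read or log contains it.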

Governed Tool Presentation

Tools aren't just available or not — they're mediated. In native mode, clawdapus governs which tools an agent can see and call, with per-agent tool manifests compiled at deploy time. In mediated mode, the cllama proxy injects, executes, and handles tool results transparently — the agent participates in tool use without having direct access to the underlying service.

The result: an agent can query a database without holding a connection string. It can post to Slack without holding an OAuth token. Capability without credential exposure.

Identity Trust

Agents have declared, infrastructure-managed identities — Discord handles, Telegram usernames, Slack user IDs. These are provisioned at deploy time via the HANDLE directive, broadcast as environment variables across the pod, and used to establish peer-discovery and messaging allowlists. Identity is infrastructure-owned. Agents don't configure it. They inherit it.

The Anatomy of a Governed Agent

clawdapus extends Docker with two purpose-built formats:

  • Clawfile — an extended Dockerfile that declares an agent's capabilities, identity, and governance requirements
  • claw-pod.yml — an extended docker-compose.yml that defines governed agent fleets, surfaces, and behavioral defaults

The claw CLI compiles these into standard OCI images and Docker Compose files. You can eject from clawdapus at any time — your artifacts remain plain Docker. No vendor lock-in.

  • 01 Contract: Behavioral contracts bind-mounted read-only at deploy time. Agents inherit their purpose. They cannot modify it.
  • 02 Contain: Agents hold dummy tokens. The cllama proxy holds real credentials. No agent can reach a provider directly.
  • 03 Govern: Tool access mediated, memory managed, session history written at the infrastructure layer, not inside the agent.

Key Concepts

Ambient Memory Plane

Infrastructure-owned memory services that derive durable state from session history. Rather than agents managing their own memory — which they could corrupt, selectively forget, or exfiltrate — the ambient memory plane provides pluggable backends (semantic search, graph, rolling summaries) behind a stable interface.

The governance proxy automatically injects relevant derived context into future turns. The agent receives memory. It doesn't control it.

Session History as Infrastructure

Every inference transaction is written to an append-only JSONL ledger at the proxy boundary — independent of the agent runtime. Session history records normalized request/response pairs, token usage, cost, interventions, and tool execution traces. It persists across container restarts. It's the substrate for memory plane backfill, drift scoring, and compliance audit.

Agents cannot modify session history. They can't selectively delete transactions. It's infrastructure-owned.

Drift Scoring

How far does an agent's behavior diverge from its contract? Drift is measured by proxy telemetry — intervention counts, error rates, response amendments, cost anomalies — not by self-report. The Master Claw (an autonomous governor agent in the pod) reads this telemetry and makes fleet decisions: quarantining drifting agents, reallocating budgets, or escalating to human operators.
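A sketch of deriving drift signals from the proxy-side JSONL ledger rather than from agent self-report. This is an added example, not clawdapus code: the record fields (`agent`, `status`, `intervention`, `amended`, `cost_usd`), the thresholds and the sample lines are assumptions constructed here, and it covers intervention and error rates only.

```python
import json
from collections import defaultdict

# Constructed ledger lines (assumed schema). The last line is a truncated write.
LEDGER = """\
{"agent": "triage-bot", "status": "ok", "intervention": false, "amended": false, "cost_usd": 0.010}
{"agent": "triage-bot", "status": "ok", "intervention": false, "amended": false, "cost_usd": 0.012}
{"agent": "poster-bot", "status": "ok", "intervention": true, "amended": true, "cost_usd": 0.011}
{"agent": "poster-bot", "status": "error", "intervention": true, "amended": false, "cost_usd": 0.090}
{"agent": "poster-bot", "status": "ok", "intervention": false, "amended": false, "cost_usd": 0.010}
{"agent": "poster-bot", "status": "ok", "interven
"""


def telemetry(ledger_text):
    """Aggregate per-agent counters; count unreadable lines instead of hiding them."""
    stats = defaultdict(lambda: {"turns": 0, "interventions": 0,
                                 "errors": 0, "amended": 0, "cost": 0.0})
    malformed = 0
    for line in ledger_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            agent = rec["agent"]
        except (json.JSONDecodeError, KeyError, TypeError):
            malformed += 1   # a torn or edited record is itself an audit finding
            continue
        s = stats[agent]
        s["turns"] += 1
        s["interventions"] += bool(rec.get("intervention"))
        s["errors"] += rec.get("status") == "error"
        s["amended"] += bool(rec.get("amended"))
        s["cost"] += float(rec.get("cost_usd", 0.0))
    return dict(stats), malformed


def drifting(stats, max_intervention_rate=0.25, max_error_rate=0.2):
    """Return agents whose intervention or error rate exceeds the assumed thresholds."""
    flagged = []
    for agent, s in sorted(stats.items()):
        if (s["interventions"] / s["turns"] > max_intervention_rate
                or s["errors"] / s["turns"] > max_error_rate):
            flagged.append(agent)
    return flagged
```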

Surfaces and Capability Discovery

Services in a clawdapus pod declare their capabilities through claw.describe descriptors — feeds they publish, tools they expose, endpoints they serve. The pod compiler wires subscriptions at deploy time. Every agent receives an auto-generated CLAWDAPUS.md infrastructure map listing what it can reach, who its peers are, and what skills it has available.

Agents discover their environment. They don't configure it.

Flux Inc. and clawdapus

Flux Inc. is a contributing organization to the clawdapus project and provides production implementation expertise for organizations deploying the framework in regulated environments.

Our Model Governance Layer is built on the cllama sidecar standard that clawdapus pioneered — adapted for healthcare and enterprise customer deployment with pre-configured behavioral contracts, HIPAA-adjacent audit logging, and Active Directory integration.

Deployment Expertise for Regulated Environments

clawdapus is MIT-licensed and freely available. But deploying agent containment infrastructure in a hospital system, financial institution, or government agency requires more than running claw up. Flux provides:

  • Pre-configured behavioral contract templates for healthcare and enterprise contexts
  • Identity trust integration with existing IAM and Active Directory infrastructure
  • HIPAA-adjacent audit logging and compliance reporting
  • Ongoing governance tuning and fleet oversight
  • Support for the full clawdapus platform as it evolves

Open Source References

  • clawdapus: Agent containment infrastructure. MIT License · github.com/mostlydev/clawdapus. Documentation at clawdapus.dev
  • cllama: The governance proxy standard. Part of the clawdapus project. Read the cllama overview
  • Manifesto: The philosophy behind governed agent deployment. clawdapus.dev/manifesto
  • Quickstart: Get a governed agent running in minutes. clawdapus.dev/guide/quickstart

Ready to Contain Your Agents?

Whether you're deploying autonomous agents for the first time or scaling a fleet that's outgrown prompt-level governance, we can help you architect the right containment strategy.