The Governance Proxy.
The blood-brain barrier for autonomous agents.
Application-layer governance — prompt engineering, system messages, "don't do X" instructions — is fragile. A sufficiently long context, a sufficiently clever user, or a model update can break it. cllama takes governance out of the prompt and puts it where it belongs: in a separate process, at the infrastructure layer, between your agents and the outside world.
cllama is an open standard and reference implementation for LLM governance proxies. It is part of the clawdapus project (MIT licensed) and is the engine behind Flux's Model Governance Layer customer deployments.
What cllama Does
cllama is a single binary that exposes an OpenAI-compatible API endpoint to agent runtimes, and proxies their requests to the real LLM provider — intercepting both directions.
To the agent, cllama looks exactly like an LLM provider. To the provider, cllama looks like a standard API client. Everything in between — identity verification, policy enforcement, credential management, cost tracking, and audit logging — happens transparently.
Core Mechanisms
Credential Starvation
This is the foundational security property of cllama. Agent containers are provisioned with unique dummy bearer tokens — random strings that identify the agent to the proxy but are useless for anything else. The real API keys — for Anthropic, OpenAI, Azure, or any other provider — are held exclusively by cllama.
The agent can't bypass governance by calling the provider directly. It doesn't have the credentials to do so. Even a fully compromised agent, running as root inside its container, cannot exfiltrate API keys it was never given.
This is not a soft control. It's a hard architectural guarantee.
Identity Resolution
A single cllama instance serves an entire pod of multiple agents. Each agent has a unique bearer token, which cllama resolves to an identity at request time — loading that agent's behavioral contract, budget allocation, permitted models, and tool manifest from a shared context volume.
One proxy. Many agents. Zero credential sharing.
Bidirectional Policy Enforcement
cllama intercepts both directions of inference traffic:
- Outbound (agent → provider): Prompts are evaluated against the agent's behavioral contract. Context is decorated with organizational identity and policy. Tool manifests are injected or filtered based on per-agent authorization.
- Inbound (provider → agent): Responses are evaluated against MUST-priority compliance rules before delivery. Non-compliant responses are retried with corrective context. Only a compliant response — or an explicit escalation — reaches the agent or end user.
Neither the agent nor the provider knows this is happening.
Cost Metering and Budget Enforcement
Every inference transaction is metered: token counts are multiplied by current provider pricing tables, and cost is tracked per (agent, provider, model) tuple. Hard budget caps can be enforced — when an agent hits its spend limit, cllama can throttle, downgrade the model, or block further requests entirely.
cllama can also silently route model requests — an agent requesting anthropic/claude-opus-4 can be transparently served claude-haiku-4-5 if the budget is exhausted. The agent sees a valid response. It never knows its model was changed.
Structured Audit at the Proxy Boundary
Session history is written as a structured JSONL ledger at the proxy boundary — not inside the agent runtime, not in the application layer. Every record contains: timestamp, agent ID, model, provider, latency, status, token counts, cost (USD), and any intervention reason.
This ledger is append-only. Agents cannot modify it. It persists across container restarts. It's the authoritative record of what your AI actually did — suitable for compliance review, drift scoring, and incident investigation.
The cllama Standard
cllama is defined as an open standard, not just a single implementation. Any container image that:
- Exposes an OpenAI-compatible proxy endpoint
- Accepts clawdapus context (via environment variables and volume mounts)
- Emits standardized structured logs
...qualifies as a cllama proxy. The reference implementation (cllama-passthrough) is a pure proxy with credential starvation and audit logging. Policy modules add bidirectional interception, response amendment, and drift scoring on top.
This means the governance architecture is auditable, replaceable, and extensible — properties that matter in regulated environments.
Deployment Variants
cllama-passthrough
The reference implementation. Pure credential starvation, identity resolution, cost metering, and audit logging. No cognitive intervention — requests and responses pass through unmodified (except for credential swap). The minimum viable governance proxy.
Suitable for: organizations starting with basic audit and cost control.
cllama-policy
Adds bidirectional interception, behavioral contract enforcement, and response governance. Evaluates outbound prompts against MUST/SHOULD rules. Retries non-compliant responses. Records interventions in session history. Powers the full MGL compliance loop.
Suitable for: regulated environments with MUST-priority behavioral constraints.
Flux MGL Deployment
Flux Inc.'s production implementation of cllama for healthcare and enterprise customers. Includes pre-configured behavioral contract templates, HIPAA-adjacent audit log formatting, Active Directory identity integration, and operator tooling for policy management.
Learn about the Model Governance Layer →
Self-Hosted / Custom
cllama is MIT-licensed. You can run the reference implementation yourself, build policy modules against the open standard, or deploy it as part of a clawdapus agent pod.
Relationship to clawdapus and MGL
cllama originated as the governance proxy component of the clawdapus agent containment framework — the piece responsible for separating agent capability from agent credentials. It was later formalized as a standalone open standard, recognizing that the governance proxy pattern is useful far beyond the clawdapus pod context.
Flux's Model Governance Layer is a production-hardened implementation of cllama for enterprise and healthcare customers: pre-integrated with organizational identity systems, pre-configured with compliance-oriented behavioral contracts, and supported by Flux's implementation expertise.
The three layers compose:
| Layer | What it does |
|---|---|
| clawdapus | Orchestrates and contains agent fleets — surfaces, identity topology, behavioral contracts, session history |
| cllama | Governs inference traffic — credential starvation, policy enforcement, cost metering, audit |
| MGL | Flux's production deployment — enterprise/healthcare integration, compliance contracts, support |
Flux's Role
Flux Inc. is a contributing organization to the clawdapus project and the primary commercial implementation partner for organizations deploying cllama in regulated environments. We helped develop the credential starvation architecture, contributed to the governed tool presentation specification, and operate cllama in production for healthcare customers today.
Open Source, Production-Grade Implementation
The open-source nature of cllama is a feature, not a limitation. In regulated environments, governance infrastructure that can't be audited isn't governance — it's a promise. cllama's open standard means your auditors can inspect how credential starvation works, how behavioral contracts are enforced, and how session history is written.
Flux provides the production expertise: deployment, integration, tuning, and ongoing support.
Govern Your Inference Traffic
Ready to put credential isolation and policy enforcement at the infrastructure layer instead of the prompt layer?