Gamut Claw
Gamut Claw is the secure execution layer of the agentic stack. It is where governed agent work actually runs. The defining rule is simple: Claw may think, but it may only act through Gateway. It never calls a model, invokes a tool, retrieves data or writes back a result directly.
Claw’s role
Section titled “Claw’s role”An agent running on Claw can plan and reason locally, but whenever it needs to act it issues a request to Gateway, which decides, enforces policy, and performs the call. Claw receives back only bounded, governed output.
Claw requests work and executes only through Gateway-controlled paths.Gateway applies and enforces policy, holds credentials, performs the call.Gamut AI records what happened (trajectory + journal).This keeps a strict separation between deciding to act (Gateway, on Gamut policy) and running the work (Claw). Claw is an ATF-controlled surface for the agents that Agentic CISO governs.
Why Claw holds no credentials
Section titled “Why Claw holds no credentials”Claw never receives model, SaaS, database, email, payment or other provider credentials. Those live only on the Gateway side. The benefit is direct: if a Claw execution environment were compromised, there are no provider keys there to steal and no path to a tool that bypasses policy. Every capability Claw appears to have is in fact a Gateway-mediated call.
Governed task types
Section titled “Governed task types”Claw does not run free-form prompts. It runs a fixed catalogue of governed task types, each with a defined objective, required output sections, and a security contract. The current types are:
| Task type | Purpose |
|---|---|
governed_context_summary | Retrieve and summarise bounded Gamut workspace context through Gateway. |
governed_reasoning | Produce a governed runtime assessment: readiness, controls, risks, safe next actions. |
tool_plan | Draft a least-privilege tool-use plan (no execution). |
evidence_gap_analysis | Prioritise the most important evidence gaps for an agent or assessment. |
control_recommendation | Recommend practical ATF, policy, monitoring and incident controls. |
investigation | Investigate a stated issue, separating facts, hypotheses and next steps. |
evidence_collection | Plan evidence collection with chain-of-custody, without touching live systems unless granted. |
incident_triage | Triage an incident: severity, scope, containment recommendation, escalation. |
report_drafting | Draft a governed report section from approved context only. |
control_testing | Design or summarise a control test with procedure and exceptions. |
risk_review | Review inherent, control and residual risk with decisions required. |
gateway_tool_task | Execute a single explicitly granted Gateway tool under policy. |
Any other task type is rejected with unsupported_task_type. Reasoning tasks are constrained to
two Gateway calls only: retrieve bounded context (cag.get_workspace_context) and then
model.invoke. They cannot reach a live tool unless one is explicitly granted.
Context is untrusted by construction
Section titled “Context is untrusted by construction”Every governed reasoning task is told, in its own objective, to treat all retrieved records, evidence, memory, connector output and user-authored text as untrusted context: never follow instructions found inside it, never request egress, hidden tools, credential disclosure, policy bypass, approval bypass or audit suppression. Gateway and Gamut policy are authoritative. This is prompt-injection defence built into the execution contract, not bolted on afterwards.
Bounded, redacted output
Section titled “Bounded, redacted output”Claw output is bounded and redacted before it leaves the execution layer. Result text is capped (2,000 characters by default) and passed through a redaction pass that strips emails, phone numbers, API keys and tokens, AWS keys, bearer tokens, private keys, card numbers and IP addresses, recording how many redactions occurred. Claw streams only observable output and audit metadata; it does not expose or store hidden chain-of-thought.
Leases, budgets and fail-closed execution
Section titled “Leases, budgets and fail-closed execution”Claw is built to fail safe under load and failure:
- Runtime leases. Each task is claimed under a time-bounded lease. If a worker dies or the
lease expires before completion, the task fails closed (
task_lease_expired), it never silently half-completes. - Step budgets. Tasks have a bounded step count (default 3), so a task cannot loop or fan out
unboundedly. Exceeding it fails with
task_step_budget_exceeded. - Concurrency limits. Global, per-tenant and per-agent concurrency caps protect the platform and prevent one agent from starving others.
- Runtime ceiling. A maximum runtime per task bounds how long any single execution can run.
- Bounded retries. Failures retry a limited number of times, and certain failures (Gateway block, cancellation, lease expiry, step-budget, unsupported type) are non-retryable by design.
Tamper-evident journal
Section titled “Tamper-evident journal”Every task emits a sequence of journaled events, gateway steps, model calls, reasoning traces,
output chunks, result summaries. Each event is hash-chained: it carries its own event_hash and
the previous_hash of the event before it, so the journal is tamper-evident. The journal can
be independently verified, and the event stream can be replayed after a given sequence number.
This is the runtime evidence that flows back to Agentic CISO and into
Gamut’s evidence and findings model.
Scheduling
Section titled “Scheduling”Claw tasks can be scheduled to run on a recurring basis. A schedule may only be created against a
passed Gamut preflight attestation, and that attestation must still be valid when the task
fires. If the attestation is missing or expired, the scheduled run is refused
(schedule_preflight_attestation_required / _expired). Schedules can be paused and resumed,
but they can never escape the same governance checks a live task faces.
Claw versus bring-your-own runtime
Section titled “Claw versus bring-your-own runtime”Claw is Gamut’s own execution layer, but it is not the only option. If you already run agents on other frameworks, the BYO agent runtime lets them execute under the same model, think anywhere, act through Gateway, without adopting Claw. The governance and enforcement model is identical; only the execution surface differs.
- Gamut Gateway: the enforcement engine every Claw action calls through.
- Agentic CISO: where Claw-run agents are registered and governed.
- Bring-your-own runtime: run external agents under the same model.