PATTERN Cited by 1 source

Four-component agent production stack¶

Pattern¶

The minimum architectural bar for running AI agents in enterprise production is four interlocking components, each addressing a governance failure mode that bare-sandbox agent deployment (agent + credentials on a Mac mini, agent + creds in a VM) cannot address:

Gateway — single choke point for all agentic egress; observability, rate limits, guardrails, kill switch.
Audit log + transcripts — every prompt, tool call, output, and reasoning-chain step captured for replay and agentic performance review.
Token vault — credentials held out-of-band; agent never sees the credentials, gateway asks the vault for short-lived scoped tokens per operation.
Sandboxed compute and storage with gateway-only egress — agents get computers (sandboxes), but egress is restricted to the gateway, and auth comes from out-of-band agent-identity metadata rather than files inside the sandbox.

Canonical statement¶

From the 2026-04-14 Redpanda Openclaw is not for enterprise scale post (Source: sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale):

"Gateway + Audit trail + Token vault + Sandboxed compute = Agents in production. That's the minimum required to give anyone (developer, security team, CIO, etc) actual control over their agents. Once you have it, you stop worrying about the dog, because you stopped giving it your documents in the first place."

This is the essay's concluding formula. It compresses the prior Redpanda governance-pattern pair (AAC + durable- event-log audit envelope) into a four-component architectural recipe with explicit component boundaries.

The problem the pattern solves¶

Bare-sandbox agents (the "Openclaw in a crate" framing) fail at enterprise scale for four independent reasons, each of which requires a dedicated component:

Failure mode	Component that solves it
Agent can exfiltrate / leak / misuse its own credentials	Token vault (credentials never inside the agent)
Agent actions are opaque — can't debug, can't audit, can't prove compliance	Audit log + transcripts (every action captured)
Agent can call anything reachable from the sandbox with no throttle / policy enforcement	Gateway (choke point for egress + policy)
Scaling deployment across IT = N copies of credentials on N VMs = N-times blast radius	Sandboxed compute with gateway-only egress (sandboxes are fine IF they can't leak)

Each component alone doesn't solve the problem; each three isn't sufficient. The four compose:

Gateway without audit log = policy enforcement without evidence for debugging or compliance.
Audit log without gateway = evidence of misuse captured after the fact, no prevention.
Token vault without gateway = secure credentials but no single observability / policy point, no kill switch.
Sandbox without token vault = the dog-and-documents problem: credentials still inside the compromised surface.
Sandbox without gateway-only egress = bypass via direct API calls; the other three components can't see the traffic.

The four components¶

1. Gateway¶

"The entire architecture pictured above is structured around having this gateway component. It's the keystone that everything else builds upon."

Verbatim capabilities (Source: sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale):

Single choke point: "The gateway boils down to having a single choke point for all agentic access to external systems and information."
Full observability: "record every tool call and LLM invocation, enabling you to stitch back together why a loan was approved or who authored the prompt that pushed new code to production."
Centralised rate limits and guardrails.
Kill switch: "the kill switch goes to turn off a rogue agent leaking your Salesforce customer data. No need to hunt down API access for 27 different services and systems, just turn it off for a single service or set of services for your entire digital workforce at once."

Cross-reference: this is patterns/central-proxy-choke-point specialised for AI-agent egress, and patterns/mcp-as-centralized-integration-proxy in the MCP-specific instantiation.

2. Audit log and transcripts¶

"You want to know why and how the agent did a thing, not just what it did." (Source: sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale)

Transcripts capture "inputs, outputs, tool calls, token usage, and the agent's reasoning chain." The post adds a new use case to the audit-log pattern: agentic performance review via A/B-comparing different agent versions on similar tasks.

Cross-reference: patterns/durable-event-log-as-agent-audit-envelope is the substrate shape. This pattern uses that substrate as the audit-log component.

3. Token vault¶

"Don't give the dog your keys." (Source: sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale)

"A token vault handles credentials out-of-band. The agent never holds your Salesforce token directly. When it needs to take an action, the gateway requests a short-lived, scoped token from the vault for exactly that operation."

Key unlock: OBO for systems that don't support service accounts — "Many enterprise systems — Salesforce, ServiceNow — don't support service accounts at all. They only support user-based auth." The token vault makes OBO flows possible against these systems without the agent ever holding user credentials.

Cross-reference: concepts/token-vault is the canonical concept. patterns/on-behalf-of-agent-authorization is the pattern that composes with it. AAC's "no long-lived credentials" property is implemented via this component.

4. Sandboxed compute and storage¶

"Sandboxes are right. You give all your human workforce computers after all. Giving agents computational power to achieve their goals is one of the key capabilities to how Claude Code has taken over software development." (Source: sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale)

The post endorses sandboxes as a component — LLMs are more effective when they can post-process tool output with Unix commands. The critical constraints:

"these sandboxes need to have very limited network access so that they can only go through the gateway" — egress restriction.
"it is imperative that authentication is passed via out-of-band metadata associated with the agent's identity" — no credentials in the sandbox.

Cross-reference: patterns/agent-sandbox-with-gateway-only-egress is the dedicated pattern page.

Redpanda-specific instantiation: agi CLI — "a dynamic, self-describing CLI to mediate access to external tools" inside the sandbox that fits "the composable Unix workflow while keeping all communication strictly governed by the gateway."

Why all four compose¶

The pattern's load-bearing claim is composition:

Blast-radius containment requires the gateway (kill switch)
token vault (no long-lived cred leak).
Replay-able audit requires the audit log + the gateway (to see all traffic) + the token vault (to prove identity behind each call).
Multi-tenant agent requires OBO, which requires the token vault + the gateway (to carry identity).
Iterative agent evaluation (A/B performance review) requires the audit log + reproducible sandboxes.

Each component is necessary. The post's "= Agents in production" equation hinges on all four being present.

Composition with existing wiki patterns¶

Existing pattern	Role in the four-component stack
patterns/central-proxy-choke-point	The gateway component's architectural stance
patterns/mcp-as-centralized-integration-proxy	MCP-specific gateway instantiation
patterns/agentic-access-control (AAC)	Policy-layer contract the gateway + token vault enforce
patterns/on-behalf-of-agent-authorization (OBO)	Identity flow through the gateway, backed by the token vault
patterns/durable-event-log-as-agent-audit-envelope	The substrate the audit-log component writes to
patterns/agent-sandbox-with-gateway-only-egress	The sandboxed-compute component's network stance
patterns/credentialed-proxy-sandbox	Fly.io's peer-pattern at non-agent altitude; the four-component stack is the agent-specific generalisation

The pattern's contribution vs. the prior art is crystallising the four components as a named minimum — prior Redpanda posts named the patterns individually; this post compresses them into a specific, quotable architectural formula.

Redpanda ADP mapping¶

The Agentic Data Plane is positioned as the production substrate for all four components:

Gateway: Redpanda Connect + MCP-server add-on, "an agentic governance layer between all the data systems and agents connecting through it".
Audit log: Redpanda streaming log as the durable-event-log substrate for the six agent-event classes (prompt + input + context-retrieval + tool-call + output + action).
Token vault: ADP's IdP-integrated credential minter; OBO workflow the first shipped governance feature. Mechanism not disclosed.
Sandboxed compute: the agi CLI mediates sandbox→gateway calls per the four-component sandbox contract.

The post closes: "read our blog on [Redpanda Agentic Data Plane] to see what we're doing to help you get your security (and agents) in line."

The threat-model-at-scale argument¶

The pattern's implicit rhetorical structure (Source: sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale):

"If you're a developer running it on a dedicated machine with limited access and scope, the threat model is manageable. You're not running it on company cloud infrastructure. You're not giving it access to production systems. The documents and the dog are both yours. The problem shows up when organizations try to scale that model. When the IT team decides 'just run it in a VM' for each department."

The sandbox-alone threat model is correct for the dev- machine case and incorrect for the enterprise case. The four-component stack is the architectural response to the "'just run it in a VM' for each department" failure mode.

Caveats¶

Pattern-altitude, not mechanism-altitude. The post names the four components without walking their internal mechanism or interface contracts. Token-vault protocol, audit-log schema, sandbox-gateway handshake, kill-switch trigger — all left unspecified.
Redpanda-framed minimum. The "minimum" claim is framed from Redpanda's vendor perspective. Competing vendors (Anthropic MCP + enterprise IdP, Databricks Unity AI Gateway
Unity Catalog, AWS Bedrock Agents + IAM + CloudTrail) would decompose the minimum differently — Bedrock might compress gateway + audit log into Bedrock Agents + CloudTrail, for example.
Sandboxing-correctness is assumed. The pattern treats the sandbox as an execution-isolation primitive that works. Real sandbox escape (container breakout, VM escape, syscall exploit) is a separate axis the pattern doesn't engage.
Prompt injection is an orthogonal axis. The four-component stack prevents credential exfiltration and gives you audit + kill-switch. It does not prevent a prompt-injected agent from correctly exercising its legitimate authorised actions in a malicious sequence. Complement: concepts/ai-agent-guardrails.
External-agent integration under-specified. Agents running outside the four-component stack (Claude API directly, Cursor with its own creds) don't benefit automatically. Post implies "route them through a governed proxy" without walking the mechanism.
Cost model unclear. Running gateway + vault + audit log + sandboxed-compute for every agent invocation adds non-trivial infrastructure cost. The pattern is presented as the enterprise-scale minimum, which assumes the enterprise can afford this cost; cost-scaling-with-agent-throughput isn't engaged.

Seen in¶

sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scale — canonical wiki introduction. Names all four components explicitly and closes with the "Gateway + Audit trail + Token vault + Sandboxed compute = Agents in production" formula. Introduces the agi CLI as Redpanda's sandbox→gateway mediator. Canonicalises the "Don't give the dog your documents" rhetorical framing for enterprise agent deployment.