octvex

Self-hostable · TypeScript · PostgreSQL · Prisma · MCP

Run agents across isolated environments.
Keep trust boundaries intact.

A self-hostable control plane for teams running AI agents across many separate systems — each with its own credentials, policies, approvals, and audit. The control plane decides what's allowed. Edges execute inside the environment that holds the access.

How control works How execution scales

What breaks when environment count grows

Each environment is a separate blast radius

Credentials from environment A shouldn't touch environment B. But agents need both, and long-lived secrets get threaded through shared context. One compromised run can expose more than its own environment.

Every environment has its own approval rules

One environment needs manager sign-off for billing access. Another blocks weekend runs. A flat approval model can't represent per-environment risk profiles.

Runs fail in systems you don't own

An agent stalls inside a remote environment at 3 AM. Without a reconstructable timeline of tool calls, credential access, and policy decisions, explaining the failure means restoring live access.

Fleet size grows with target count

Every new environment adds targets, identities, and concurrent runs. One gateway host can't absorb unbounded growth without becoming the bottleneck.

Per-environment control

Every environment is a workspace. Policy, credentials, memory, approvals, and audit are scoped to the workspace that owns them. A leaked token, a bad approval, or a noisy run in one workspace does not broaden access in another.

Credentials stay in the vault

  • AES-256-GCM at rest. Secrets never serialize into agent context.
  • Just-in-time resolution. Credentials are injected server-side only for the approved action.
  • Per-run leases. A credential binding lives only as long as the run that uses it.
  • OAuth brokerage. Common providers with token refresh, scoped to workspace.

Policy, approval, and audit per workspace

  • Policy engine. RBAC/ABAC with a DSL, domain-scoped grants, and rate controls. Every decision is recorded.
  • Approval gates. A run blocks with evidence and expiry. Approvers see the requested action and why it's blocked. The run resumes in place after approval.
  • Audit trail. Tool calls, approvals, credential access, and state transitions — queryable by workspace and run.

How a governed request flows

sequenceDiagram
  autonumber
  participant U as User
  participant C as Core
  participant H as Approver
  participant V as Vault
  participant S as Scorer
  participant E as Edge
  U->>C: Submit task
  C->>C: Resolve identity, workspace
  C->>C: Evaluate policy
  alt approval required
    C-->>H: Block run, attach evidence
    H-->>C: Approve or deny
  end
  C->>V: Resolve credentials (JIT)
  V-->>C: Scoped material
  C->>S: Select placement
  S-->>C: Best edge
  C->>E: Lease execution
  E-->>C: Progress, checkpoints, artifacts
  E-->>C: Terminal result
  C-->>U: Reconstructed run timeline

Fleet, fan-out, and execution

An edge is a worker process that runs inside the environment reaching the target — a local machine, a sandbox, a VPC, or a hosted browser service. One task can fan out across multiple edges in parallel. The fleet scales without manual coordination. 

flowchart LR
  T["Task"] --> P["Parent run"]
  P -->|spawn| C1["Child A\nEdge: sandbox"]
  P -->|spawn| C2["Child B\nEdge: VPC"]
  P -->|spawn| C3["Child C\nEdge: fixed host"]
  C1 --> JG["Join group"]
  C2 --> JG
  C3 --> JG
  JG --> R["Reducer\n(optional)"]
  R --> P2["Parent\nresumes"]
  JG -.-> P2

Sub-agent sprawl

  • Parallel fan-out. A parent run spawns children. Each child runs on a capable edge against its own target.
  • Join groups. The parent blocks until all children terminate. Failed branches skip-propagate through the dependency graph.
  • Reducer children. When parallel results need aggregation, the harness spawns a reducer over a frozen view of sibling outputs.
  • Delegation limits. Cap nesting depth, fan-out width, and total descendants per parent. Children cannot raise the ceiling.

Edge fleet scaling

  • Placement engine. Ranks edges by capacity, affinity, latency, health, and workspace fitness.
  • Auto-scaler. Watches queue pressure and provisions new edges when thresholds cross. Process, Docker, or external backend.
  • Expiring leases. Tasks leased with TTLs. A crashed edge releases its work automatically.
  • Quarantine and drain. Unhealthy edges drain without losing in-flight runs.

Execution modes

Persistent sandbox

Sandbox leases hold browser state, cookies, and auth across runs. Agents stay logged into a target portal without re-authenticating.

Fixed host

Pin execution to a specific edge — the machine with the desktop session, the VPN route, or the local app already installed.

Transient / VPC / hosted

Fresh sandbox per run, VPC-routed edge, or cloud provider (Browserbase, Browserless, Cloudflare BR, CDP attach).

Memory and operational continuity

Three things must survive between runs: what an agent learned, the state of multi-step work, and the boundary between one environment's knowledge and another's. All three are workspace-scoped and persisted in Postgres.

Workspace memory

Agents reuse prior context inside the same environment without inheriting context from unrelated work.

  • Markdown scoped per workspace. One workspace's memory is invisible to another.
  • Hybrid retrieval. Full-text + vector with diversity and recency weighting.
  • Secret detection. Credential patterns flagged on write before they reach retrievable memory.
  • Session summaries. Written on run completion, available to future runs in the same workspace.

Bounded delegation

Child agents get only the context they need. Long runs survive restarts. Operators resume or audit work without reconstructing state manually.

  • Durable state machine. Runs progress through planning, queued, running, blocked, completed. Not ephemeral chat.
  • Structured steps. Dependency-tracked. Dependent steps skip when a branch fails.
  • Context budgeting. Children get re-scoped context packs with workspace memory — not raw parent state.
  • Rolling checkpoints. Summaries persist at each checkpoint. Children inherit current progress, not stale context.

Architecture

Core decides. The edge fleet executes. Console and Desk expose the same run state, approvals, and audit to different operator roles. 

flowchart TB
  subgraph ingress[" Ingress "]
    direction LR
    U["User"] ~~~ A["Agent"] ~~~ CH["Channel"] ~~~ CLI["CLI"] ~~~ MCP["MCP Client"]
  end
  subgraph core["Octvex Core"]
    direction TB
    AUTH["Auth / workspace"] --- POL["Policy / approvals"]
    POL --- ORCH["Orchestration / harness"]
    ORCH --- VAULT["Credential vault"]
    VAULT --- BK["Broker / routing"]
    BK --- MEM["Memory"]
    MEM --- AUD["Audit"]
  end
  subgraph surfaces[" Operator surfaces "]
    direction LR
    CONSOLE["Console\nweb"] ~~~ DESK["Desk\nlocal HITL"]
  end
  subgraph edge["Edge fleet"]
    direction LR
    E1["local"] ~~~ E2["sandbox"] ~~~ E3["VPC"] ~~~ E4["hosted"]
  end
  ingress --> core
  core --> surfaces
  core --> edge
  edge -. "progress / artifacts / telemetry" .-> core
control plane

octvex-core

Orchestration, policy, credentials, MCP, audit. MCP server upstream, client downstream.

  • Task/Run lifecycle, persona resolution, schedules
  • Parent/child delegation, join groups
  • AES-256-GCM vault, OAuth across 11 providers
  • EdgeRouting, EdgeScorer, EdgeAutoScaler
execution plane

octvex-edge

Runs in the trust boundary that can reach the target. Enrolls, leases work, streams progress.

  • 5 browser providers (Playwright, CDP, Browserbase, Browserless, Cloudflare BR)
  • HTTP runtime, persistent sandbox leases
  • Handler registry: child_run, browser, http, cloudflared
web ops

octvex-console

Workspace admin, run management, policy editing, approval queue, audit logs, fleet monitoring.

local ops

octvex-desk

Desktop client for HITL approvals, MCP client auto-config (Claude, Cursor, VS Code), biometric vault.

How Octvex compares

Two common reference points. Octvex is the right fit when hosting, credentials, execution placement, and approval workflows need to stay under operator control.

vs Claude Managed Agents

Claude Managed Agents is a fully managed Claude-native service on Anthropic's infrastructure — built-in sandboxing, tool execution, long-running sessions. Octvex is for teams running agents across many isolated environments where tenancy, execution, and credentials stay under operator control.

Claude Managed AgentsOctvex
Operating modelFully managed cloud service hosted by AnthropicSelf-hosted control plane on your own infrastructure
Model supportClaude models on Anthropic's cloudModel-agnostic; works with any LLM through MCP
IsolationSession-based execution managed by AnthropicWorkspace-scoped isolation per environment; multi-tenant by design
Execution placementCentralized sandbox with built-in code and tool executionDistributed edge fleet across local, sandbox, VPC, and hosted environments
CredentialsAnthropic-managed auth with scoped permissionsJIT credential vault with per-run leases; never placed in prompts
GovernanceScoped permissions and managed governance toolsRBAC/ABAC policy engine with approval gates and HITL
OrchestrationLong-running sessions; multi-agent coordination in research previewParent/child fan-out across parallel edges with join groups
Memory & auditSession persistence; memory tooling in research previewPersistent sandbox leases, fixed-host pinning, full audit trail, hybrid memory per workspace

vs OpenClaw

If you know OpenClaw: it's a single-gateway agent runtime — typed protocol, Markdown memory, skills, cron, webhooks. Octvex starts from similar primitives but targets multi-environment, multi-edge operation where the workspace is the trust boundary.

OpenClawOctvex
Trust boundarySingle gateway, single operatorWorkspace-scoped isolation per environment
ExecutionRuns on the gateway hostControl plane / edge fleet split across trust boundaries
Fan-outSingle-process agent loopParent/child sprawl across parallel edges with join groups
ScalingVertical: one hostHorizontal: auto-scaler provisions edges on demand
StateLocal disk directoryPostgres-backed durable runs, artifacts, audit
MemoryMarkdown + optional QMDMarkdown-in-Postgres, hybrid retrieval, scope-aware
CredentialsIn-memory snapshotWorkspace-isolated vault, per-run JIT leases
MigrationImporter for OpenClaw exports

OpenClaw is the direct inspiration for the typed protocol, channel model, skills, and memory philosophy. Octvex takes that model and makes it safe to share across environments and hosts.