Deploying Eloryn

Eloryn is a set of lightweight containerized microservices that deploy across public cloud, private cloud, and air-gapped environments — always on infrastructure you control.

Last updated 2026-06


Eloryn is architected as lightweight, containerized microservices in Rust and TypeScript — high performance, small memory footprint, and portable across very different environments. Critically, it deploys on your own infrastructure: your data and your agents’ traffic stay where you host them.

Cloud (Azure / AWS / GCP)

  • Compute — the Guardian Stack deploys as containers on managed Kubernetes (AKS / EKS) or serverless compute for smaller footprints; the Wasmtime sandbox can run on confidential-computing nodes that encrypt sandbox memory.
  • Key management — Ed25519 signing keys live in a hardware-backed key vault (Azure Key Vault / AWS KMS), never on disk, authenticated via managed identities so there are no hardcoded credentials.
  • Network — the deployment is isolated in a private virtual network; traffic to internal databases travels over private links rather than the public internet.
  • Observability — Eloryn emits OpenTelemetry traces for ingestion into your SOC tooling, surfacing agent health scores, intercepted tool calls, and circuit-breaker events.

On-premises and air-gapped

For defence, healthcare, and other high-sensitivity environments, Eloryn supports fully air-gapped, on-premises deployment using locally hosted open-source models — for complete data sovereignty with no dependency on a public AI provider.

How it wraps an agent

Eloryn acts as the execution authority over any autonomous agent in the environment:

  • The agent’s planner formulates a multi-step execution graph for a request.
  • Before running a step, the executor requests a capability token from Eloryn.
  • Eloryn evaluates the intent against the Supervisor; if approved, it provisions a tightly scoped, short-lived Wasmtime sandbox and a Biscuit token limited to the required endpoints.
  • If a compromised agent attempts an unauthorized system call or query, the sandbox denies it and the circuit breaker terminates the instance.
