x1agent
Self-hosted on Kubernetes · private beta

Run agents in your cluster.
Keep your credentials.

x1agent runs LLM agents on your Kubernetes. Each session gets its own pod. The agent container holds no secrets — a Rust sidecar proxies every credentialed call, so a prompt injection can't exfiltrate what it can't see.

No trial. Talk to us first.

your-namespace / session-9f2c · live

[Architecture diagram]
UNTRUSTED ZONE · pod
agent container: claude · codex · opencode · gemini · no secrets · no network egress · localhost → sidecar only
core sidecar: holds tokens · enforces grants · credential proxy · permission gate · audit log
NATS · mTLS
PROVIDER MESH
messaging: slack · teams · discord
graph + files: surrealdb · gcs · drive · onedrive
code + preview: github · gitlab · per-PR k8s preview
↑ The agent container can never see the credentials. The sidecar is the only thing on the network.

01 — WHAT IT DOES

One platform. Three jobs we keep getting asked for.

Pick a job. Watch the session unfold. Every tool call, every credential check, every artifact — logged in the same place.

SESSION 7a4f · ORCHESTRATOR

Take a Linear ticket through to a reviewed PR.

The orchestrator pulls the ticket, spawns a coding agent in a fresh preview environment, runs the test suite in a sibling pod, and posts the diff back to the channel where it started.

  1. 12:04:11 linear.get_issue("ENG-417") → "Add slug field to workspaces"
  2. 12:04:18 spawn_child("codex", branch="eng-417-slug")
  3. 12:09:42 child wrote 3 files · migration · model · test
  4. 12:10:55 sibling.run("bun test") → 218 pass · 0 fail
  5. 12:11:08 github.open_pr(base="main") → #1042
  6. 12:11:14 slack.post(#eng) → "PR ready · diff +87 −2 · preview link"
github · linear · slack · k8s preview env · codex runtime

SESSION 3c91 · SUPPORT AGENT

Read the room. Then file a ticket and reply.

The agent watches a Slack channel, classifies what came in, looks up the customer, drafts a reply. Sentiment goes hot — it stops typing and pages a human.

  1. 09:22:03 slack.message_in(#support) → "checkout fails on Safari, lost a sale"
  2. 09:22:07 classify() → bug · severity=high · sentiment=frustrated
  3. 09:22:09 graph.lookup_customer("acme") → 14 mo · $2.1k MRR
  4. 09:22:14 linear.create_issue("CHK-218", priority=urgent)
  5. 09:22:16 draft_reply() → 3 sentences · acknowledges revenue impact
  6. 09:22:17 policy.check() → high-MRR · sentiment=hot → handoff_to_human
  7. 09:22:18 pagerduty.notify("oncall-support", "draft attached")
slack · linear · surrealdb graph · pagerduty · handoff policy

SESSION e08d · SRE AGENT

First responder for the alert that wakes you up.

PagerDuty fires. The agent pulls the relevant Grafana panels, runs read-only kubectl through the sidecar, and posts a runbook-shaped summary to the incident channel before a human even opens the laptop.

  1. 02:14:02 pagerduty.alert("api p99 > 1.2s for 5m")
  2. 02:14:05 grafana.snapshot("api-latency") → p99=1.4s · p50 flat
  3. 02:14:08 k8s.get_pods(ns=api) → 2/4 ready · 1 OOMKilled
  4. 02:14:10 k8s.logs(api-7c · last 200) → Postgres connection pool exhausted
  5. 02:14:14 postgres.read("pg_stat_activity") → 198 idle · 2 active
  6. 02:14:18 slack.post(#incident) → summary · graph · likely cause · suggested next step
pagerduty · grafana · kubectl read-only · postgres read-only · slack

02 — TRUST MODEL

Designed for the case where the model gets tricked.

Prompt injection is going to happen. The interesting question is what gets exposed when it does. Three things we built around that.

The agent never sees the secret

Tokens live in the sidecar. The agent calls localhost:9090; the sidecar attaches the credential and forwards. A jailbroken prompt can ask, but there's nothing in the container's environment to read.

Network egress is closed by default

A NetworkPolicy on the agent container allows only the sidecar. No DNS, no outbound. If the agent wants to call OpenAI, it asks the sidecar — which checks the grant, attaches the key, and routes through.

Every credentialed call is in the audit log

The sidecar writes one row per outbound call: which provider, which scope, which agent session. You can answer "what did the agent touch in the last hour" with a SQL query, not a forensic exercise.

Read the full model in the security docs.
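
The three properties above, modelled as one small Rust program. This is an added example, not x1agent's code: the sidecar checks the grant, attaches the credential only on the outbound side, and writes an audit row that can be filtered by session and time. Every name here (Sidecar, forward, touched_since, the token strings) is hypothetical, and recording denied attempts alongside outbound calls is an assumption the page does not state.

```rust
use std::collections::{HashMap, HashSet};

// Constructed model of the sidecar pattern; names are hypothetical, not x1agent's API.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditRow { pub ts: u64, pub session: String, pub provider: String, pub scope: String, pub allowed: bool }

pub struct Sidecar {
    tokens: HashMap<String, String>,           // provider -> secret, held only in the sidecar
    grants: HashSet<(String, String, String)>, // (session, provider, scope)
    pub audit: Vec<AuditRow>,
}

// The request that leaves the pod: the only place a credential is attached.
pub struct Outbound { pub provider: String, pub authorization: String }

impl Sidecar {
    pub fn new() -> Self { Sidecar { tokens: HashMap::new(), grants: HashSet::new(), audit: Vec::new() } }
    pub fn store_token(&mut self, provider: &str, token: &str) { self.tokens.insert(provider.into(), token.into()); }
    pub fn grant(&mut self, session: &str, provider: &str, scope: &str) {
        self.grants.insert((session.into(), provider.into(), scope.into()));
    }

    /// Agent-side call: it carries no credential. Every attempt is audited, allowed or not.
    pub fn forward(&mut self, ts: u64, session: &str, provider: &str, scope: &str) -> Result<Outbound, String> {
        let key = (session.to_string(), provider.to_string(), scope.to_string());
        let token = if self.grants.contains(&key) { self.tokens.get(provider).cloned() } else { None };
        self.audit.push(AuditRow { ts, session: session.into(), provider: provider.into(), scope: scope.into(), allowed: token.is_some() });
        match token {
            Some(t) => Ok(Outbound { provider: provider.into(), authorization: format!("Bearer {t}") }),
            // The denial message goes back to the agent, so it must never echo a token.
            None => Err(format!("denied: {session} has no grant for {provider}:{scope}")),
        }
    }

    /// "What did this session touch since `since`?" as a filter over audit rows.
    pub fn touched_since(&self, session: &str, since: u64) -> Vec<(String, String)> {
        self.audit.iter()
            .filter(|r| r.session == session && r.ts >= since && r.allowed)
            .map(|r| (r.provider.clone(), r.scope.clone()))
            .collect()
    }
}

fn main() {
    let mut sc = Sidecar::new();
    sc.store_token("slack", "xoxb-constructed-example"); // constructed sample value
    sc.grant("session-9f2c", "slack", "chat:write");
    println!("{:?}", sc.forward(100, "session-9f2c", "slack", "chat:write").map(|o| o.provider));
    println!("{:?}", sc.forward(101, "session-9f2c", "github", "repo").map(|o| o.provider));
    println!("{:?}", sc.touched_since("session-9f2c", 0));
}
```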

03 — PROVIDERS

Swap providers on a Helm value.

Authentication, knowledge graph, file storage, messaging, calendar, code host — each one is a contract, not an integration. Today we ship the providers below. Implementing your own is a couple hundred lines of TypeScript.

AUTH

google · github oauth

next: okta

GRAPH

surrealdb

next: neo4j

FILES

gcs · google drive

next: s3, onedrive

MESSAGING

slack

next: teams, discord

CODE

github

next: gitlab

AI RUNTIME

claude · codex · opencode · gemini

next: any sdk that speaks tools

values.yaml HELM
# Slack today. Teams next quarter — flip one line.
providers:
  messaging:
    name: slack
    botToken: { secretRef: slack-bot }
  files:
    name: google-drive
    serviceAccount: { secretRef: gdrive-sa }
  graph:
    name: surrealdb

04 — GET ACCESS

We're onboarding teams one at a time.

x1agent is in private beta. Tell us what you'd build and we'll set up a call to walk through your cluster.

  • One pricing tier today — flat per-cluster, no per-seat math.
  • Self-hosted. Your VPC, your secrets, your audit log.
  • Direct line to the people who write the code.