Cavaridge AI gateway
Every LLM call from every Cavaridge™ surface routes through one place: the Cavaridge AI gateway.
Why a single gateway
Section titled “Why a single gateway”- Single point of LLM cost control — per-tenant spend caps live here.
- Provider failover — if a model class degrades, the gateway routes to a comparable provider.
- No app-level keys — apps authenticate via per-app service tokens.
- Single audit point — every prompt + completion observable through Langfuse.
Service-token model
Section titled “Service-token model”Master OpenRouter key lives in one place: Doppler cavaridge-platform/prd/OPENROUTER_API_KEY. The gateway holds it. Apps authenticate via per-app service tokens. Per-app cost attribution flows through the service-token metadata.
Per-tenant spend caps
Section titled “Per-tenant spend caps”Caps configured per tenant via tenantConfig. Gateway rejects with a typed error when exceeded.
Failover
Section titled “Failover”The Model Intelligence System (MIS) tracks model availability per task class. On degradation, gateway falls back to next-best in the same class; if multiple providers fail, returns a typed error rather than a worse model.
Pitfalls
Section titled “Pitfalls”- Don’t import OpenRouter directly in any app — the gateway is the only allowed caller.
- Don’t paste the master key into chat / agent contexts.
- Don’t add a per-app
OPENROUTER_API_KEY— service tokens, not API keys.
See apps/spaniel/docs/KEY-ROTATION.md for the rotation runbook.