{"id":50388944,"url":"https://github.com/JoasASantos/ironclaw","last_synced_at":"2026-06-16T08:00:51.576Z","repository":{"id":339215525,"uuid":"1160940123","full_name":"JoasASantos/ironclaw","owner":"JoasASantos","description":"Your own personal AI assistant. But with security by design. Support for numerous operating systems. Any platform.","archived":false,"fork":false,"pushed_at":"2026-02-18T16:04:09.000Z","size":314,"stargazers_count":77,"open_issues_count":0,"forks_count":10,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-18T02:45:04.690Z","etag":null,"topics":["ai","ai-agents","ai-assistant","data","openclaw","own-your-data","personal","personal-assistant","zeroclaw"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JoasASantos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-18T14:52:52.000Z","updated_at":"2026-04-11T07:29:45.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/JoasASantos/ironclaw","commit_stats":null,"previous_names":["cybersecurityup/ironclaw","joasasantos/ironclaw"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/JoasASantos/ironclaw","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoasASantos%2Fironclaw","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoasASantos%2Fironclaw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoasASantos%2Fironclaw/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoasASantos%2Fironclaw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JoasASantos","download_url":"https://codeload.github.com/JoasASantos/ironclaw/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoasASantos%2Fironclaw/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34396429,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-16T02:00:06.860Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ai-agents","ai-assistant","data","openclaw","own-your-data","personal","personal-assistant","zeroclaw"],"created_at":"2026-05-30T17:00:24.151Z","updated_at":"2026-06-16T08:00:51.569Z","avatar_url":"https://github.com/JoasASantos.png","language":"Rust","funding_links":[],"categories":["OpenClaw Rewrites \u0026 Alternatives"],"sub_categories":[],"readme":"# IronClaw\n\n\u003cp align=\"center\"\u003e\n \u003cstrong\u003eSecure-by-default AI Agent Framework with Zero Trust Architecture\u003c/strong\u003e\n \u003cimg width=\"500\" height=\"400\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c40d7c04-ca7f-425c-b2da-d4f46b31e251\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e \u0026bull;\n \u003ca href=\"#architecture\"\u003eArchitecture\u003c/a\u003e \u0026bull;\n \u003ca href=\"#security-layers\"\u003eSecurity Layers\u003c/a\u003e \u0026bull;\n \u003ca href=\"#providers\"\u003eProviders\u003c/a\u003e \u0026bull;\n \u003ca href=\"#channels\"\u003eChannels\u003c/a\u003e \u0026bull;\n \u003ca href=\"#differentials\"\u003eDifferentials\u003c/a\u003e \u0026bull;\n \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nIronClaw is a production-grade AI agent framework written in **Rust**, engineered from the ground up with **security as its primary concern**. Every tool execution is validated, sandboxed, and audited. No implicit trust — every action requires explicit permission.\n\n**25+ LLM providers** | **20+ communication channels** | **13-step security pipeline** | **432+ tests** | **~25,000 lines of Rust**\n\n---\n\n## Quick Start\n\n### Prerequisites\n\n- **Rust 1.75+** — `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`\n- **SQLite3** (bundled in the build)\n- **Docker** (optional, for container sandbox)\n- **Ollama** (optional, for local models with no API key)\n\n### Build \u0026 Run\n\n```bash\n# Clone and build\ngit clone https://github.com/CyberSecurityUP/ironclaw.git\ncd ironclaw\ncargo build --release\n\n# Run the onboarding wizard (easiest way to get started)\n./target/release/ironclaw onboard\n\n# Or run directly with a provider\n./target/release/ironclaw run --provider ollama --model llama3.3\n\n# Run with the Web UI\n./target/release/ironclaw run --provider anthropic --ui\n\n# Check your security posture\n./target/release/ironclaw doctor\n```\n\n### Provider Presets\n\nUse preset aliases for quick selection:\n\n| Preset | Provider | Model | Use Case |\n|--------|----------|-------|----------|\n| `fast` | Groq | llama-3.3-70b-versatile | Ultra-low latency |\n| `smart` | Anthropic | claude-sonnet-4-5 | Highest quality |\n| `cheap` | DeepSeek | deepseek-chat | Lowest cost |\n| `local` | Ollama | llama3.3 | No API key needed |\n| `vision` | Google | gemini-2.5-flash | Multimodal |\n| `code` | Anthropic | claude-sonnet-4-5 | Code generation |\n\n```bash\nironclaw run --provider fast # Groq ultra-fast\nironclaw run --provider local # Ollama local\nironclaw run --provider smart # Claude best quality\n```\n\n### Provider Setup Examples\n\n```bash\n# Ollama (free, local)\nollama serve \u0026\u0026 ollama pull llama3.3\nironclaw run --provider ollama\n\n# Anthropic (Claude)\nexport ANTHROPIC_API_KEY=\"sk-ant-api03-...\"\nironclaw run --provider anthropic\n\n# OpenAI (GPT)\nexport OPENAI_API_KEY=\"sk-...\"\nironclaw run --provider openai\n\n# Google (Gemini)\nexport GOOGLE_API_KEY=\"AIza...\"\nironclaw run --provider google\n\n# OpenRouter (100+ models, single API key)\nexport OPENROUTER_API_KEY=\"sk-or-...\"\nironclaw run --provider openrouter --model google/gemini-2.5-pro\n```\n\nSee [QUICKSTART.md](QUICKSTART.md) for detailed setup instructions for all 25 providers.\n\n---\n\n## Architecture\n\n```\n┌──────────────────────────────────────────────────────────────┐\n│ CLI / Web UI / Channels │\n├──────────────────────────────────────────────────────────────┤\n│ Core Engine │\n│ ┌────────────┬────────────┬────────────┬──────────────────┐ │\n│ │ Provider │ Tool │ Memory │ Workflow │ │\n│ │ Router │ Registry │ Store │ Engine │ │\n│ ├────────────┼────────────┼────────────┼──────────────────┤ │\n│ │ Skill │ Cost │ Context │ Agent │ │\n│ │ Verifier │ Tracker │ Chunking │ Orchestrator │ │\n│ └────────────┴────────────┴────────────┴──────────────────┘ │\n├──────────────────────────────────────────────────────────────┤\n│ Security Pipeline (13 steps) │\n│ ┌──────────┬──────────┬──────────┬──────────┬───────────┐ │\n│ │ Command │ RBAC │ Sandbox │ Audit │ DLP │ │\n│ │ Guardian │ Policy │ Enforcer │ Log │ Engine │ │\n│ ├──────────┼──────────┼──────────┼──────────┼───────────┤ │\n│ │ Anti- │ SSRF │ Skill │Community │ Session │ │\n│ │ Stealer │ Guard │ Scanner │ Scanner │ Auth │ │\n│ └──────────┴──────────┴──────────┴──────────┴───────────┘ │\n├──────────────────────────────────────────────────────────────┤\n│ Sandbox (Docker / Bubblewrap / Native) │\n│ ┌──────────────────────────────────────────────────────┐ │\n│ │ Multi-Level Profiles: Minimal → Standard → Elevated │ │\n│ └──────────────────────────────────────────────────────┘ │\n├──────────────────────────────────────────────────────────────┤\n│ Communication Channels (20+) \u0026 Gateway (JWT/OAuth2) │\n└──────────────────────────────────────────────────────────────┘\n```\n\n### Core Modules\n\n| Module | Description | Lines |\n|--------|-------------|-------|\n| `core/` | Engine, config, types, tools, cost tracker, chunking, cache, history, scheduler, multimodal | ~4,500 |\n| `providers/` | 25 LLM provider integrations + presets + catalog | ~1,850 |\n| `channels/` | 20 communication channels with security pipeline | ~1,475 |\n| `security/` | Credential scanning, network/system policy | ~2,530 |\n| `gateway/` | API gateway with JWT, OAuth2, session auth, rate limiting | ~1,150 |\n| `workflow/` | DAG-based workflow engine with 10 action types | ~1,230 |\n| `agents/` | Multi-agent orchestration with 5 coordination patterns | ~1,010 |\n| `observability/` | Structured logging, audit trail, SIEM export, metrics | ~1,190 |\n| `memory/` | Encrypted stores (SQLite, file, Redis, Postgres) | ~1,060 |\n| `skills/` | Skill loader, registry, scanner (27 rules), community scanner | ~1,750 |\n| `sandbox/` | Docker, Bubblewrap, Native backends + multi-level profiles | ~980 |\n| `guardian/` | Command validation with 45+ blocked patterns | ~650 |\n| `dlp/` | Data Loss Prevention with 22+ detection rules | ~520 |\n| `antitheft/` | Anti-stealer credential harvesting detection | ~470 |\n| `network/` | SSRF protection + URL validation | ~450 |\n| `auth/` | LLM session authentication (HMAC-SHA256 tokens) | ~300 |\n| `cli/` | Doctor (20 checks), onboard wizard, policy, audit, skills | ~1,200 |\n| `ui/` | Web UI (Axum + WebSocket + embedded assets) | ~550 |\n\n---\n\n## Security Layers\n\nIronClaw follows **Zero Trust** principles with **13 overlapping security layers**:\n\n### 1. Command Guardian\nEvery shell command is validated against **45+ blocklist patterns** and heuristic rules. Blocks reverse shells, privilege escalation, data exfiltration, credential access, and injection attacks.\n\n### 2. Role-Based Access Control (RBAC)\nFull role-based permission model for filesystem, network, and system access. **Deny rules always take precedence**. Rate limiting per role.\n\n### 3. Sandbox Isolation\nAll tool execution runs in isolated environments (Docker rootless, Bubblewrap, or Native) with seccomp profiles, no host access by default, and explicit network policies.\n\n### 4. Multi-Level Sandbox Profiles\nPer-skill isolation levels — **Minimal, Standard, Elevated, Unrestricted, Custom** — with fine-grained control over filesystem access, network access, resource limits, and environment variables.\n\n### 5. Skill Signature Verification\nAll skills must be cryptographically signed (**Ed25519**) with SHA-256 content hashing. Only skills signed by trusted keys can execute.\n\n### 6. Skill Static Analyzer\nScans skill/plugin source code for **27 dangerous patterns** (eval, exec, crypto mining, exfiltration, env harvesting, obfuscated code, privilege escalation, persistence mechanisms) with CWE mapping.\n\n### 7. Community Skill Security Scanner\n**Typosquatting detection** via Levenshtein distance against known packages (npm, PyPI, crates.io), **reputation database**, **dependency analysis**, and **quarantine** for untrusted packages.\n\n### 8. Memory Protection\nAll memory encrypted at rest (**AES-256-GCM**), segregated by context, sanitized against injection attacks. Multiple backends: SQLite, file, Redis, Postgres.\n\n### 9. Anti-Stealer Detection\nDedicated module detecting credential harvesting, sensitive file access (SSH keys, cloud creds, crypto wallets, browser profiles, keychains), multi-step exfiltration correlation, and stealer-like command patterns.\n\n### 10. SSRF Protection\nBlocks private/reserved IP ranges (RFC 1918, CGNAT, link-local), cloud metadata endpoints (AWS/GCP/Azure), DNS rebinding, IP obfuscation (decimal, hex, octal), and dangerous URL schemes.\n\n### 11. Data Loss Prevention (DLP)\nScans all tool outputs for sensitive data (private keys, AWS/GCP/Azure credentials, database URIs, JWT tokens, API keys, /etc/shadow) with configurable actions: **block, redact, warn**.\n\n### 12. Observability \u0026 Audit\nStructured JSON logging with automatic **PII redaction**, security audit trail, and **SIEM export** capability. OpenTelemetry integration for metrics and tracing.\n\n### 13. LLM Session Authentication\nActive LLM session as proof of identity — **HMAC-SHA256** signed tokens with configurable TTL, provider health-check validation, rate-limited session creation.\n\n---\n\n## Providers\n\nIronClaw supports **25+ LLM providers** out of the box:\n\n| Provider | Models | API Key Env Var |\n|----------|--------|-----------------|\n| Anthropic | Claude 4.5 Sonnet, Haiku | `ANTHROPIC_API_KEY` |\n| OpenAI | GPT-4.1, GPT-4.1-mini, o3, o4-mini | `OPENAI_API_KEY` |\n| Google | Gemini 2.5 Flash, Pro | `GOOGLE_API_KEY` |\n| Groq | Llama 3.3, Mixtral | `GROQ_API_KEY` |\n| DeepSeek | DeepSeek Chat, Coder | `DEEPSEEK_API_KEY` |\n| Mistral | Mistral Large, Small | `MISTRAL_API_KEY` |\n| Cohere | Command R+ | `COHERE_API_KEY` |\n| xAI | Grok-3 | `XAI_API_KEY` |\n| Together | Llama, Mixtral, Code Llama | `TOGETHER_API_KEY` |\n| Fireworks | Llama, Mixtral | `FIREWORKS_API_KEY` |\n| Perplexity | pplx-7b, pplx-70b | `PERPLEXITY_API_KEY` |\n| Replicate | Llama, Stable Diffusion | `REPLICATE_API_TOKEN` |\n| AI21 | Jamba 1.5 | `AI21_API_KEY` |\n| OpenRouter | 100+ models | `OPENROUTER_API_KEY` |\n| Ollama | Any local model | (local, no key) |\n| LM Studio | Any local model | (local, no key) |\n| Cerebras | Llama 3.3 | `CEREBRAS_API_KEY` |\n| SambaNova | Llama, Mixtral | `SAMBANOVA_API_KEY` |\n| AWS Bedrock | Claude, Llama | AWS credentials |\n| Google Vertex AI | Gemini, PaLM | GCP credentials |\n| Azure OpenAI | GPT-4, GPT-3.5 | `AZURE_OPENAI_API_KEY` |\n| Cloudflare Workers AI | Llama, Mistral | `CF_API_TOKEN` |\n| Lepton | Llama | `LEPTON_API_KEY` |\n| Hugging Face | Various | `HF_API_TOKEN` |\n| Jan | Local models | (local, no key) |\n\n```bash\n# List all providers and models\nironclaw models\n\n# Show only providers with available API keys\nironclaw models --available\n```\n\n---\n\n## Channels\n\nIronClaw supports **20 communication channels**, each with rate limiting, sender validation, input sanitization, and credential redaction:\n\n| Channel | Type | Rate Limit |\n|---------|------|------------|\n| CLI | Interactive terminal | 120/burst, 10/s |\n| Slack | Events API + Web API | 50/burst, 1/s |\n| Discord | Gateway WebSocket + REST | 50/burst, 2/s |\n| Telegram | Bot API (long-poll/webhook) | 30/burst, 1/s |\n| WhatsApp | Business API | 20/burst, 0.5/s |\n| Matrix | Client-server API (/sync) | 60/burst, 2/s |\n| IRC | Persistent TCP | 30/burst, 1/s |\n| Teams | Bot Framework | 40/burst, 1.5/s |\n| Google Chat | Workspace API | 40/burst, 1.5/s |\n| Signal | Signal CLI / REST bridge | 20/burst, 0.5/s |\n| iMessage | AppleScript (macOS) | 20/burst, 0.5/s |\n| BlueBubbles | iMessage bridge | 20/burst, 0.5/s |\n| Zalo | Official Account API | 30/burst, 1/s |\n| Zalo Personal | Personal API | 20/burst, 0.5/s |\n| Web UI | HTTP + WebSocket | 100/burst, 5/s |\n| REST API | JSON POST /v1/messages | 200/burst, 20/s |\n| WebSocket | Bidirectional streaming | 100/burst, 10/s |\n| gRPC | Unary + streaming RPCs | 200/burst, 20/s |\n| Email | SMTP (out) + IMAP (in) | 10/burst, 0.2/s |\n| LINE | Messaging API | 30/burst, 1/s |\n\n### Channel Security Pipeline\n\nAll messages pass through a security pipeline:\n\n**Inbound:** Rate limiting → Sender validation → Input sanitization (null bytes, ANSI escapes, role injection)\n\n**Outbound:** Credential redaction (API keys, AWS keys, tokens) → PII redaction (emails, card numbers) → Internal URL / SSRF detection\n\n---\n\n## Workflow Engine\n\nDAG-based automation engine with **10 action types**:\n\n- **LlmCall** — Send prompts to any provider\n- **ToolExec** — Execute registered tools\n- **ChannelSend** — Send messages to any channel\n- **WaitForEvent** — Pause until an external trigger\n- **Transform** — Map/filter data with templates\n- **Branch** — Conditional branching with 8 operators\n- **SubWorkflow** — Nest workflows\n- **HttpRequest** — External API calls\n- **Delay** — Time-based delays\n- **Log** — Structured logging\n\nFeatures: `{{variable}}` template resolution, cycle detection via topological sort, conditional execution, retry policies with exponential backoff, 6 trigger types (manual, scheduled, webhook, channel_message, event, on_completion).\n\n---\n\n## Collaborative Agents\n\nMulti-agent orchestration with **6 built-in roles** and **5 coordination patterns**:\n\n### Roles\n| Role | Capabilities |\n|------|-------------|\n| Researcher | Web search, file read, analysis |\n| Coder | Code generation, file write, tool execution |\n| Reviewer | Code review, analysis |\n| Planner | Planning, task decomposition |\n| Tester | Test execution, analysis |\n| Security Auditor | Security scanning, analysis |\n\n### Coordination Patterns\n- **Sequential** — Agents execute one after another, passing results forward\n- **Parallel** — All agents work simultaneously, results aggregated\n- **Debate** — Agents propose, critique, and refine answers\n- **Hierarchical** — Lead agent delegates tasks to sub-agents\n- **Pipeline** — Each agent transforms and passes data to the next\n\n---\n\n## Native Multimodal Support\n\nProcess images, audio, video, and files natively:\n\n- **Images**: JPEG, PNG, GIF, WebP (max 10 MB)\n- **Audio**: MP3, WAV, OGG, FLAC, M4A (max 25 MB)\n- **Video**: MP4, WebM, MOV (max 100 MB)\n- **Files**: PDF, TXT, CSV, JSON, XML\n\nAutomatic MIME detection, base64 encoding, format conversion for Anthropic/OpenAI APIs.\n\n---\n\n## Differentials vs. Related Projects\n\nIronClaw was inspired by and extends concepts from [ZeroClaw](https://github.com/zeroclaw-labs/zeroclaw) and [OpenClaw](https://github.com/openclaw/openclaw), but is a ground-up rewrite focused on defense-in-depth security.\n\n| Feature | ZeroClaw | OpenClaw | **IronClaw** |\n|---------|----------|----------|-------------|\n| **Language** | Rust | TypeScript | **Rust** |\n| **Security Layers** | 3 (RBAC, Guardian, Sandbox) | 4 (Sandbox, SSRF, Gateway, Scanner) | **13 overlapping layers** |\n| **LLM Providers** | 8 | 12 | **25+** |\n| **Communication Channels** | 5 (CLI, Slack, Discord, Telegram, Web) | 8 | **20** |\n| **RBAC** | Flat autonomy levels | None | **Full role-based model with deny precedence** |\n| **Sandbox** | Optional Docker/Bubblewrap | Docker only | **Mandatory, multi-backend + multi-level profiles** |\n| **Memory Encryption** | Secrets only | None | **All memory (AES-256-GCM)** |\n| **Skill Verification** | None | None | **Ed25519 cryptographic signatures** |\n| **Command Validation** | Pattern-based (~20 patterns) | Sandbox-level only | **Guardian + sandbox (45+ patterns)** |\n| **Audit Logging** | Basic file log | Basic | **Structured JSON + SIEM export + PII redaction** |\n| **Anti-Stealer** | None | None | **Dedicated detection module** |\n| **SSRF Protection** | None | Gateway-level | **Full IP/DNS/scheme/metadata validation** |\n| **DLP** | None | None | **22+ rules, output scanning + redaction** |\n| **Skill Scanning** | None | Heuristic (basic) | **27-rule static analysis + community scanner** |\n| **Typosquatting Detection** | None | None | **Levenshtein distance vs. known packages** |\n| **Workflow Engine** | None | None | **DAG-based with 10 action types** |\n| **Multi-Agent** | None | None | **5 coordination patterns, 6 built-in roles** |\n| **Multimodal** | Text only | Text + images | **Images, audio, video, files** |\n| **Cost Tracking** | None | Basic | **SQLite-backed with daily/monthly budgets** |\n| **Session Auth** | None | None | **HMAC-SHA256 LLM session tokens** |\n| **Web UI** | None | React app | **Embedded Axum + WebSocket (no separate build)** |\n| **Onboarding** | Manual config | Manual config | **Interactive TUI wizard** |\n| **Test Coverage** | ~80 tests | ~150 tests | **432+ tests (336 unit + 96 integration)** |\n| **Prompt Injection Defense** | None | None | **Input sanitization layer** |\n\n### Key Architectural Differences\n\n1. **Defense in Depth**: IronClaw chains 13 security layers in a pipeline — even if one layer is bypassed, others catch the threat. ZeroClaw and OpenClaw use isolated security checks that don't overlap.\n\n2. **Rust Performance**: IronClaw compiles to a single static binary with `lto = true` and `panic = abort` — no runtime, no garbage collector, no dependency on Node.js or Python.\n\n3. **Mandatory Sandboxing**: In IronClaw, sandboxing is enforced by default. ZeroClaw makes it optional; OpenClaw requires Docker but allows host network access.\n\n4. **Credential Security**: IronClaw's Anti-Stealer module actively monitors for credential harvesting patterns (SSH key enumeration, cloud credential access, multi-step exfiltration chains). Neither ZeroClaw nor OpenClaw has an equivalent.\n\n5. **Community Trust**: IronClaw's Community Scanner checks skills against typosquatting databases, reputation scores, and dependency graphs before allowing installation. Neither predecessor does this.\n\n---\n\n## Configuration\n\nIronClaw uses YAML configuration (`ironclaw.yaml`):\n\n```yaml\nagent:\n system_prompt: \"You are a secure AI assistant powered by IronClaw.\"\n default_provider: \"anthropic\"\n default_model: \"claude-sonnet-4-5-20250514\"\n max_turns: 100\n tool_timeout_secs: 30\n max_daily_cost_cents: 500 # $5.00/day\n\npermissions:\n filesystem:\n read: [\"./src/**\", \"./docs/**\"]\n write: [\"./output/**\"]\n deny: [\"/etc/shadow\", \"**/.ssh/id_*\", \"**/.env\"]\n network:\n allow_domains: [\"api.anthropic.com\", \"api.openai.com\"]\n block_domains: [\"169.254.169.254\"]\n block_private: true\n system:\n allow_shell: false\n require_approval: true\n\nsandbox:\n backend: \"docker\" # \"docker\", \"bubblewrap\", or \"native\"\n enforce: true\n\nmemory:\n backend: \"sqlite\"\n encrypt_at_rest: true\n\nantitheft:\n enforce: true\n\ndlp:\n enabled: true\n\nui:\n enabled: false\n port: 3000\n theme: \"dark\"\n```\n\nSee `config/ironclaw.yaml` for a complete example.\n\n---\n\n## CLI Commands\n\n```bash\nironclaw run # Start interactive agent\nironclaw run --ui # Start with Web UI\nironclaw ui # Start Web UI server only\nironclaw models # List all providers and models\nironclaw doctor # Run 20 security diagnostic checks\nironclaw policy # Show active security policy\nironclaw audit # View audit log\nironclaw onboard # Interactive setup wizard\nironclaw skill list # List installed skills\nironclaw skill verify # Verify skill signatures\nironclaw skill scan # Static analysis on skill source\nironclaw skill install # Install from trusted registry\n```\n\n---\n\n## Project Structure\n\n```\nironclaw/\n├── src/\n│ ├── main.rs # CLI entry point (clap)\n│ ├── core/ # Engine, config, types, tools, cost, cache, history, multimodal\n│ ├── providers/ # 25 LLM provider integrations\n│ ├── channels/ # 20 communication channels + security pipeline\n│ ├── gateway/ # API gateway (JWT, OAuth2, session auth, rate limiting)\n│ ├── workflow/ # DAG-based workflow engine\n│ ├── agents/ # Multi-agent orchestration\n│ ├── sandbox/ # Docker, Bubblewrap, Native backends + profiles\n│ ├── guardian/ # Command validation (45+ patterns)\n│ ├── rbac/ # Role-based access control\n│ ├── memory/ # Encrypted memory stores\n│ ├── security/ # Credential scanning, network/system policy\n│ ├── antitheft/ # Anti-stealer detection\n│ ├── network/ # SSRF protection\n│ ├── dlp/ # Data Loss Prevention\n│ ├── skills/ # Skill loader, scanner, community scanner\n│ ├── plugins/ # Plugin system (lifecycle, sandbox, permissions)\n│ ├── auth/ # LLM session authentication\n│ ├── observability/ # Logging, audit trail, SIEM, metrics\n│ ├── cli/ # Doctor, onboard, policy, audit, skills, models\n│ ├── ui/ # Web UI (Axum + WebSocket)\n│ └── tunnel/ # Encrypted tunnel pool\n├── config/ # Example configuration\n├── docs/ # Threat model, security audit\n├── tests/ # Integration \u0026 security tests (1,700+ lines)\n├── ui/static/ # Web UI static assets\n├── Cargo.toml\n├── QUICKSTART.md\n├── SECURITY.md\n├── CONTRIBUTING.md\n└── CODE_OF_CONDUCT.md\n```\n\n---\n\n## Testing\n\n```bash\n# Run all tests (432+)\ncargo test\n\n# Run by module\ncargo test guardian # Command Guardian\ncargo test rbac # RBAC\ncargo test dlp # Data Loss Prevention\ncargo test antitheft # Anti-Stealer\ncargo test ssrf # SSRF Protection\ncargo test memory # Encrypted Memory\ncargo test scanner # Skill Scanner\ncargo test providers # Provider tests\ncargo test channels # Channel pipeline\ncargo test auth # Session Authentication\ncargo test workflow # Workflow Engine\ncargo test agents # Collaborative Agents\ncargo test multimodal # Multimodal support\ncargo test channel_security # Channel security integration\n```\n\n---\n\n## Roadmap\n\n- [x] **v0.1** — Core framework with 10 security layers, 25 providers\n- [x] **v0.2** — 20 channels, workflow engine, collaborative agents, multimodal\n- [ ] **v0.3** — Skill marketplace with trusted registry\n- [ ] **v0.4** — WASM sandbox backend\n- [ ] **v0.5** — Prompt injection ML detection layer\n- [ ] **v0.6** — Hardware security module (HSM) integration\n- [ ] **v1.0** — Production-ready with SOC 2 compliance documentation\n\n---\n\n## Credits \u0026 Inspiration\n\nIronClaw draws architectural insights from two open-source projects:\n\n- **[ZeroClaw](https://github.com/zeroclaw-labs/zeroclaw)** — A fast, minimal AI assistant in Rust with tool support, multi-channel integration, and policy-based security. Informed IronClaw's command validation, provider abstraction, and memory management design.\n\n- **[OpenClaw](https://github.com/openclaw/openclaw)** — A feature-rich AI agent platform in TypeScript with Docker sandboxing, SSRF protection, and gateway authentication. Influenced IronClaw's sandbox architecture and network security guards.\n\nIronClaw is an independent project that restructures and extends concepts from both with a focus on **defense-in-depth security**, **formal RBAC**, and **cryptographic verification**.\n\n## Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=CyberSecurityUP/ironclaw\u0026type=date\u0026legend=top-left)](https://www.star-history.com/#CyberSecurityUP/ironclaw\u0026type=date\u0026legend=top-left)\n\n---\n\n## Legal Notice\n\nIronClaw is an independent open-source project. It is inspired by and builds upon concepts from ZeroClaw (Apache-2.0) and OpenClaw (MIT), but contains original code with a restructured architecture focused on security. All original source projects are credited above.\n\nThis software is provided \"as-is\" without warranty. The security measures implemented reduce risk but cannot guarantee absolute protection. Users are responsible for their own security posture and compliance requirements.\n\n## License\n\nApache-2.0\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. See [SECURITY.md](SECURITY.md) for vulnerability reporting.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJoasASantos%2Fironclaw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJoasASantos%2Fironclaw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJoasASantos%2Fironclaw/lists"}