https://github.com/nearai/ironclaw
IronClaw is an OpenClaw-inspired implementation in Rust focused on privacy and security
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/nearai/ironclaw
- Owner: nearai
- License: apache-2.0
- Created: 2026-02-03T06:57:10.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-02-17T08:37:08.000Z (3 months ago)
- Last Synced: 2026-02-17T11:34:46.350Z (3 months ago)
- Language: Rust
- Homepage:
- Size: 3.33 MB
- Stars: 2,045
- Watchers: 22
- Forks: 172
- Open Issues: 57
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE-APACHE
- Agents: AGENTS.md
Awesome Lists containing this project
- awesome-openclaw - nearai/ironclaw - Privacy- and security-focused Rust implementation inspired by OpenClaw. (Security & Safety)
- awesome-starred - nearai/ironclaw - IronClaw is an Agent OS focused on privacy, security and extensibility (Rust)
- awesome-claw-cn - IronClaw
- awesome-claws - IronClaw - Rust - OpenClaw-inspired personal assistant focused on privacy and security with local encrypted data and layered defenses. (Main Projects)
- awesome-rainmana - nearai/ironclaw - IronClaw is an Agent OS focused on privacy, security and extensibility (Rust)
- awesome-personal-ai-assistants - IronClaw - Defense-in-depth architecture with WASM-sandboxed tools, credential injection (secrets never exposed to tool code), prompt injection detection, and endpoint allowlisting. Dynamic tool building, Docker sandbox, web gateway, and routines engine. `Rust`  (Security-Focused)
- awesome-claw-opus - IronClaw - based fork with WebAssembly isolation, capability-based permissions, and credential injection/leak detection. (Security / Security-Enhanced Variants)
- awesome-openclaw - nearai/ironclaw - OpenClaw-inspired Rust implementation focused on privacy and security. (Alternative Architectures)
- awesome - nearai/ironclaw - IronClaw is an OpenClaw-inspired implementation in Rust focused on privacy and security (Rust)
- awesome-agent-orchestrators - ironclaw - OpenClaw-inspired implementation in Rust focused on privacy and security. (Personal Assistants)
- awesome-cli-coding-agents - IronClaw - based permissions, and prompt injection defense. (Terminal-native coding agents / OpenClaw ecosystem)
- awesome-agent-runtime-security - ironclaw - injection | WASM-sandboxed tools (capability-based permissions, endpoint allowlisting), host-boundary credential injection where secrets never enter WASM memory. | (Sandboxing & Isolation)
- StarryDivineSky - nearai/ironclaw
README
IronClaw
Your secure personal AI assistant, always on your side
---
## Philosophy
IronClaw is built on a simple principle: **your AI assistant should work for you, not against you**.
In a world where AI systems are increasingly opaque about data handling and aligned with corporate interests, IronClaw takes a different approach:
- **Your data stays yours** - All information is stored locally, encrypted, and never leaves your control
- **Transparency by design** - Open source, auditable, no hidden telemetry or data harvesting
- **Self-expanding capabilities** - Build new tools on the fly without waiting for vendor updates
- **Defense in depth** - Multiple security layers protect against prompt injection and data exfiltration
IronClaw is the AI assistant you can actually trust with your personal and professional life.
## Features
### Security First
- **WASM Sandbox** - Untrusted tools run in isolated WebAssembly containers with capability-based permissions
- **Credential Protection** - Secrets are never exposed to tools; injected at the host boundary with leak detection
- **Prompt Injection Defense** - Pattern detection, content sanitization, and policy enforcement
- **Endpoint Allowlisting** - HTTP requests only to explicitly approved hosts and paths
### Always Available
- **Multi-channel** - REPL, HTTP webhooks, WASM channels (Telegram, Slack), and web gateway
- **Docker Sandbox** - Isolated container execution with per-job tokens and orchestrator/worker pattern
- **Web Gateway** - Browser UI with real-time SSE/WebSocket streaming
- **Routines** - Cron schedules, event triggers, webhook handlers for background automation
- **Heartbeat System** - Proactive background execution for monitoring and maintenance tasks
- **Parallel Jobs** - Handle multiple requests concurrently with isolated contexts
- **Self-repair** - Automatic detection and recovery of stuck operations
### Self-Expanding
- **Dynamic Tool Building** - Describe what you need, and IronClaw builds it as a WASM tool
- **MCP Protocol** - Connect to Model Context Protocol servers for additional capabilities
- **Plugin Architecture** - Drop in new WASM tools and channels without restarting
### Persistent Memory
- **Hybrid Search** - Full-text + vector search using Reciprocal Rank Fusion
- **Workspace Filesystem** - Flexible path-based storage for notes, logs, and context
- **Identity Files** - Maintain consistent personality and preferences across sessions
## Installation
### Prerequisites
- Rust 1.85+
- PostgreSQL 15+ with [pgvector](https://github.com/pgvector/pgvector) extension
- NEAR AI account (authentication handled via setup wizard)
### Download or Build
Visit the [Releases page](https://github.com/nearai/ironclaw/releases/) to see the latest updates.
Install via Windows Installer (Windows)
Download the [Windows Installer](https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-x86_64-pc-windows-msvc.msi) and run it.
Install via PowerShell script (Windows)
```powershell
irm https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-installer.ps1 | iex
```
Install via shell script (macOS, Linux, Windows/WSL)
```sh
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-installer.sh | sh
```
Install via Homebrew (macOS/Linux)
```sh
brew install ironclaw
```
Compile the source code (Cargo on Windows, Linux, macOS)
Build it with `cargo`; make sure you have [Rust](https://rustup.rs) installed on your computer.
```bash
# Clone the repository
git clone https://github.com/nearai/ironclaw.git
cd ironclaw
# Build
cargo build --release
# Run tests
cargo test
```
For a **full release** (after modifying channel sources), run `./scripts/build-all.sh` to rebuild channels first.
### Database Setup
```bash
# Create database
createdb ironclaw
# Enable pgvector
psql ironclaw -c "CREATE EXTENSION IF NOT EXISTS vector;"
```
## Configuration
Run the setup wizard to configure IronClaw:
```bash
ironclaw onboard
```
The wizard handles database connection, NEAR AI authentication (via browser OAuth),
and secrets encryption (using your system keychain). Settings are persisted in the
connected database; bootstrap variables (e.g. `DATABASE_URL`, `LLM_BACKEND`) are
written to `~/.ironclaw/.env` so they are available before the database connects.
### Alternative LLM Providers
IronClaw defaults to NEAR AI but works with any OpenAI-compatible endpoint.
Popular options include **OpenRouter** (300+ models), **Together AI**, **Fireworks AI**,
**Ollama** (local), and self-hosted servers like **vLLM** or **LiteLLM**.
Select *"OpenAI-compatible"* in the wizard, or set environment variables directly:
```env
LLM_BACKEND=openai_compatible
LLM_BASE_URL=https://openrouter.ai/api/v1
LLM_API_KEY=sk-or-...
LLM_MODEL=anthropic/claude-sonnet-4
```
See [docs/LLM_PROVIDERS.md](docs/LLM_PROVIDERS.md) for a full provider guide.
## Security
IronClaw implements defense in depth to protect your data and prevent misuse.
### WASM Sandbox
All untrusted tools run in isolated WebAssembly containers:
- **Capability-based permissions** - Explicit opt-in for HTTP, secrets, tool invocation
- **Endpoint allowlisting** - HTTP requests only to approved hosts/paths
- **Credential injection** - Secrets injected at host boundary, never exposed to WASM code
- **Leak detection** - Scans requests and responses for secret exfiltration attempts
- **Rate limiting** - Per-tool request limits to prevent abuse
- **Resource limits** - Memory, CPU, and execution time constraints
```
WASM ──► Allowlist ──► Leak Scan ──► Credential ──► Execute ──► Leak Scan ──► WASM
         Validator     (request)     Injector       Request     (response)
```
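The request path in the diagram, sketched as an added example; it is not IronClaw's code, and every type, function and sample value in it is hypothetical. It shows the ordering that matters: the tool's request is checked against the allowlist and scanned before the host attaches the credential, and the response is scanned again before it returns to the tool.

```rust
// Added example: every name here is hypothetical, not IronClaw's actual API.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Denied { NotAllowlisted, LeakInRequest, UnknownSecret, LeakInResponse }

pub struct Host {
    pub allow: Vec<(&'static str, &'static str)>, // (host, path prefix) a tool may reach
    pub secrets: HashMap<&'static str, &'static str>, // name -> value, host side only
}

impl Host {
    /// True if any stored secret value appears verbatim in `text`.
    fn leaks(&self, text: &str) -> bool {
        self.secrets.values().any(|v| text.contains(*v))
    }

    /// Runs one tool request through the stages of the diagram. `upstream` stands in
    /// for the HTTP client: it receives the credential, the calling tool never does.
    pub fn forward(&self, host: &str, path: &str, body: &str, secret: &str,
                   upstream: impl Fn(&str, &str) -> String) -> Result<String, Denied> {
        // 1. Allowlist: exact host, prefix on a segment boundary, no traversal.
        //    Assumes `path` is already percent-decoded and normalized.
        let on_list = self.allow.iter().any(|(h, p)| {
            *h == host && path.strip_prefix(*p).map_or(false, |r| r.is_empty() || r.starts_with('/'))
        });
        if !on_list || path.split('/').any(|s| s == "..") {
            return Err(Denied::NotAllowlisted);
        }
        // 2. Request scan: a secret value already in tool-supplied data is a leak.
        if self.leaks(path) || self.leaks(body) { return Err(Denied::LeakInRequest); }
        // 3. Inject the credential on the host side of the boundary.
        let value = self.secrets.get(secret).copied().ok_or(Denied::UnknownSecret)?;
        // 4. Execute, then 5. scan the response before it re-enters WASM memory.
        let resp = upstream(&format!("Bearer {value}"), body);
        if self.leaks(&resp) { Err(Denied::LeakInResponse) } else { Ok(resp) }
    }
}

/// Constructed sample: one allowlisted API prefix and one stored secret.
pub fn sample_host() -> Host {
    Host { allow: vec![("api.example.com", "/v1")],
           secrets: HashMap::from([("api_key", "sk-constructed-0123456789")]) }
}

fn main() {
    let echo = |auth: &str, _body: &str| format!("upstream saw: {auth}");
    println!("{:?}", sample_host().forward("api.example.com", "/v1/chat", "{}", "api_key", echo));
}
```

The `main` call prints `Err(LeakInResponse)`: an upstream that reflects the injected header back is stopped by the second scan, which is why the diagram scans in both directions.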
### Prompt Injection Defense
External content passes through multiple security layers:
- Pattern-based detection of injection attempts
- Content sanitization and escaping
- Policy rules with severity levels (Block/Warn/Review/Sanitize)
- Tool output wrapping for safe LLM context injection
### Data Protection
- All data stored locally in your PostgreSQL database
- Secrets encrypted with AES-256-GCM
- No telemetry, analytics, or data sharing
- Full audit log of all tool executions
## Architecture
```
┌────────────────────────────────────────────────────────────────┐
│                            Channels                            │
│  ┌──────┐  ┌──────┐   ┌─────────────┐  ┌─────────────┐         │
│  │ REPL │  │ HTTP │   │WASM Channels│  │ Web Gateway │         │
│  └──┬───┘  └──┬───┘   └──────┬──────┘  │ (SSE + WS)  │         │
│     │         │              │         └──────┬──────┘         │
│     └─────────┴──────────────┴────────────────┘                │
│                              │                                 │
│                    ┌─────────▼─────────┐                       │
│                    │    Agent Loop     │  Intent routing       │
│                    └────┬──────────┬───┘                       │
│                         │          │                           │
│              ┌──────────▼────┐  ┌──▼───────────────┐           │
│              │  Scheduler    │  │ Routines Engine  │           │
│              │(parallel jobs)│  │(cron, event, wh) │           │
│              └──────┬────────┘  └────────┬─────────┘           │
│                     │                    │                     │
│       ┌─────────────┼────────────────────┘                     │
│       │             │                                          │
│   ┌───▼─────┐  ┌────▼────────────────┐                         │
│   │ Local   │  │    Orchestrator     │                         │
│   │Workers  │  │  ┌───────────────┐  │                         │
│   │(in-proc)│  │  │ Docker Sandbox│  │                         │
│   └───┬─────┘  │  │   Containers  │  │                         │
│       │        │  │ ┌───────────┐ │  │                         │
│       │        │  │ │Worker / CC│ │  │                         │
│       │        │  │ └───────────┘ │  │                         │
│       │        │  └───────────────┘  │                         │
│       │        └─────────┬───────────┘                         │
│       └──────────────────┤                                     │
│                          │                                     │
│              ┌───────────▼──────────┐                          │
│              │    Tool Registry     │                          │
│              │  Built-in, MCP, WASM │                          │
│              └──────────────────────┘                          │
└────────────────────────────────────────────────────────────────┘
```
### Core Components
| Component | Purpose |
|-----------|---------|
| **Agent Loop** | Main message handling and job coordination |
| **Router** | Classifies user intent (command, query, task) |
| **Scheduler** | Manages parallel job execution with priorities |
| **Worker** | Executes jobs with LLM reasoning and tool calls |
| **Orchestrator** | Container lifecycle, LLM proxying, per-job auth |
| **Web Gateway** | Browser UI with chat, memory, jobs, logs, extensions, routines |
| **Routines Engine** | Scheduled (cron) and reactive (event, webhook) background tasks |
| **Workspace** | Persistent memory with hybrid search |
| **Safety Layer** | Prompt injection defense and content sanitization |
## Usage
```bash
# First-time setup (configures database, auth, etc.)
ironclaw onboard
# Start interactive REPL
cargo run
# With debug logging
RUST_LOG=ironclaw=debug cargo run
```
## Development
```bash
# Format code
cargo fmt
# Lint
cargo clippy --all --benches --tests --examples --all-features
# Run tests
createdb ironclaw_test
cargo test
# Run specific test
cargo test test_name
```
- **Telegram channel**: See [docs/TELEGRAM_SETUP.md](docs/TELEGRAM_SETUP.md) for setup and DM pairing.
- **Changing channel sources**: Run `./channels-src/telegram/build.sh` before `cargo build` so the updated WASM is bundled.
## OpenClaw Heritage
IronClaw is a Rust reimplementation inspired by [OpenClaw](https://github.com/openclaw/openclaw). See [FEATURE_PARITY.md](FEATURE_PARITY.md) for the complete tracking matrix.
Key differences:
- **Rust vs TypeScript** - Native performance, memory safety, single binary
- **WASM sandbox vs Docker** - Lightweight, capability-based security
- **PostgreSQL vs SQLite** - Production-ready persistence
- **Security-first design** - Multiple defense layers, credential protection
## License
Licensed under either of:
- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE))
- MIT License ([LICENSE-MIT](LICENSE-MIT))
at your option.