Secure-by-default AI Agent Framework with Zero Trust Architecture
Quick Start • Architecture • Security Layers • Providers • Channels • Differentials • Contributing
IronClaw is a production-grade AI agent framework written in Rust, engineered from the ground up with security as its primary concern. Every tool execution is validated, sandboxed, and audited. No implicit trust — every action requires explicit permission.
25+ LLM providers | 20+ communication channels | 13-step security pipeline | 432+ tests | ~25,000 lines of Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh# Clone and build
git clone https://github.com/CyberSecurityUP/ironclaw.git
cd ironclaw
cargo build --release
# Run the onboarding wizard (easiest way to get started)
./target/release/ironclaw onboard
# Or run directly with a provider
./target/release/ironclaw run --provider ollama --model llama3.3
# Run with the Web UI
./target/release/ironclaw run --provider anthropic --ui
# Check your security posture
./target/release/ironclaw doctor
Use preset aliases for quick selection:
| Preset | Provider | Model | Use Case |
|---|---|---|---|
fast |
Groq | llama-3.3-70b-versatile | Ultra-low latency |
smart |
Anthropic | claude-sonnet-4-5 | Highest quality |
cheap |
DeepSeek | deepseek-chat | Lowest cost |
local |
Ollama | llama3.3 | No API key needed |
vision |
gemini-2.5-flash | Multimodal | |
code |
Anthropic | claude-sonnet-4-5 | Code generation |
ironclaw run --provider fast # Groq ultra-fast
ironclaw run --provider local # Ollama local
ironclaw run --provider smart # Claude best quality
# Ollama (free, local)
ollama serve && ollama pull llama3.3
ironclaw run --provider ollama
# Anthropic (Claude)
export ANTHROPIC_API_KEY="sk-ant-api03-..."
ironclaw run --provider anthropic
# OpenAI (GPT)
export OPENAI_API_KEY="sk-..."
ironclaw run --provider openai
# Google (Gemini)
export GOOGLE_API_KEY="AIza..."
ironclaw run --provider google
# OpenRouter (100+ models, single API key)
export OPENROUTER_API_KEY="sk-or-..."
ironclaw run --provider openrouter --model google/gemini-2.5-pro
See QUICKSTART.md for detailed setup instructions for all 25 providers.
┌──────────────────────────────────────────────────────────────┐
│ CLI / Web UI / Channels │
├──────────────────────────────────────────────────────────────┤
│ Core Engine │
│ ┌────────────┬────────────┬────────────┬──────────────────┐ │
│ │ Provider │ Tool │ Memory │ Workflow │ │
│ │ Router │ Registry │ Store │ Engine │ │
│ ├────────────┼────────────┼────────────┼──────────────────┤ │
│ │ Skill │ Cost │ Context │ Agent │ │
│ │ Verifier │ Tracker │ Chunking │ Orchestrator │ │
│ └────────────┴────────────┴────────────┴──────────────────┘ │
├──────────────────────────────────────────────────────────────┤
│ Security Pipeline (13 steps) │
│ ┌──────────┬──────────┬──────────┬──────────┬───────────┐ │
│ │ Command │ RBAC │ Sandbox │ Audit │ DLP │ │
│ │ Guardian │ Policy │ Enforcer │ Log │ Engine │ │
│ ├──────────┼──────────┼──────────┼──────────┼───────────┤ │
│ │ Anti- │ SSRF │ Skill │Community │ Session │ │
│ │ Stealer │ Guard │ Scanner │ Scanner │ Auth │ │
│ └──────────┴──────────┴──────────┴──────────┴───────────┘ │
├──────────────────────────────────────────────────────────────┤
│ Sandbox (Docker / Bubblewrap / Native) │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Multi-Level Profiles: Minimal → Standard → Elevated │ │
│ └──────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────┤
│ Communication Channels (20+) & Gateway (JWT/OAuth2) │
└──────────────────────────────────────────────────────────────┘
| Module | Description | Lines |
|---|---|---|
core/ |
Engine, config, types, tools, cost tracker, chunking, cache, history, scheduler, multimodal | ~4,500 |
providers/ |
25 LLM provider integrations + presets + catalog | ~1,850 |
channels/ |
20 communication channels with security pipeline | ~1,475 |
security/ |
Credential scanning, network/system policy | ~2,530 |
gateway/ |
API gateway with JWT, OAuth2, session auth, rate limiting | ~1,150 |
workflow/ |
DAG-based workflow engine with 10 action types | ~1,230 |
agents/ |
Multi-agent orchestration with 5 coordination patterns | ~1,010 |
observability/ |
Structured logging, audit trail, SIEM export, metrics | ~1,190 |
memory/ |
Encrypted stores (SQLite, file, Redis, Postgres) | ~1,060 |
skills/ |
Skill loader, registry, scanner (27 rules), community scanner | ~1,750 |
sandbox/ |
Docker, Bubblewrap, Native backends + multi-level profiles | ~980 |
guardian/ |
Command validation with 45+ blocked patterns | ~650 |
dlp/ |
Data Loss Prevention with 22+ detection rules | ~520 |
antitheft/ |
Anti-stealer credential harvesting detection | ~470 |
network/ |
SSRF protection + URL validation | ~450 |
auth/ |
LLM session authentication (HMAC-SHA256 tokens) | ~300 |
cli/ |
Doctor (20 checks), onboard wizard, policy, audit, skills | ~1,200 |
ui/ |
Web UI (Axum + WebSocket + embedded assets) | ~550 |
IronClaw follows Zero Trust principles with 13 overlapping security layers:
Every shell command is validated against 45+ blocklist patterns and heuristic rules. Blocks reverse shells, privilege escalation, data exfiltration, credential access, and injection attacks.
Full role-based permission model for filesystem, network, and system access. Deny rules always take precedence. Rate limiting per role.
All tool execution runs in isolated environments (Docker rootless, Bubblewrap, or Native) with seccomp profiles, no host access by default, and explicit network policies.
Per-skill isolation levels — Minimal, Standard, Elevated, Unrestricted, Custom — with fine-grained control over filesystem access, network access, resource limits, and environment variables.
All skills must be cryptographically signed (Ed25519) with SHA-256 content hashing. Only skills signed by trusted keys can execute.
Scans skill/plugin source code for 27 dangerous patterns (eval, exec, crypto mining, exfiltration, env harvesting, obfuscated code, privilege escalation, persistence mechanisms) with CWE mapping.
Typosquatting detection via Levenshtein distance against known packages (npm, PyPI, crates.io), reputation database, dependency analysis, and quarantine for untrusted packages.
All memory encrypted at rest (AES-256-GCM), segregated by context, sanitized against injection attacks. Multiple backends: SQLite, file, Redis, Postgres.
Dedicated module detecting credential harvesting, sensitive file access (SSH keys, cloud creds, crypto wallets, browser profiles, keychains), multi-step exfiltration correlation, and stealer-like command patterns.
Blocks private/reserved IP ranges (RFC 1918, CGNAT, link-local), cloud metadata endpoints (AWS/GCP/Azure), DNS rebinding, IP obfuscation (decimal, hex, octal), and dangerous URL schemes.
Scans all tool outputs for sensitive data (private keys, AWS/GCP/Azure credentials, database URIs, JWT tokens, API keys, /etc/shadow) with configurable actions: block, redact, warn.
Structured JSON logging with automatic PII redaction, security audit trail, and SIEM export capability. OpenTelemetry integration for metrics and tracing.
Active LLM session as proof of identity — HMAC-SHA256 signed tokens with configurable TTL, provider health-check validation, rate-limited session creation.
IronClaw supports 25+ LLM providers out of the box:
| Provider | Models | API Key Env Var |
|---|---|---|
| Anthropic | Claude 4.5 Sonnet, Haiku | ANTHROPIC_API_KEY |
| OpenAI | GPT-4.1, GPT-4.1-mini, o3, o4-mini | OPENAI_API_KEY |
| Gemini 2.5 Flash, Pro | GOOGLE_API_KEY |
|
| Groq | Llama 3.3, Mixtral | GROQ_API_KEY |
| DeepSeek | DeepSeek Chat, Coder | DEEPSEEK_API_KEY |
| Mistral | Mistral Large, Small | MISTRAL_API_KEY |
| Cohere | Command R+ | COHERE_API_KEY |
| xAI | Grok-3 | XAI_API_KEY |
| Together | Llama, Mixtral, Code Llama | TOGETHER_API_KEY |
| Fireworks | Llama, Mixtral | FIREWORKS_API_KEY |
| Perplexity | pplx-7b, pplx-70b | PERPLEXITY_API_KEY |
| Replicate | Llama, Stable Diffusion | REPLICATE_API_TOKEN |
| AI21 | Jamba 1.5 | AI21_API_KEY |
| OpenRouter | 100+ models | OPENROUTER_API_KEY |
| Ollama | Any local model | (local, no key) |
| LM Studio | Any local model | (local, no key) |
| Cerebras | Llama 3.3 | CEREBRAS_API_KEY |
| SambaNova | Llama, Mixtral | SAMBANOVA_API_KEY |
| AWS Bedrock | Claude, Llama | AWS credentials |
| Google Vertex AI | Gemini, PaLM | GCP credentials |
| Azure OpenAI | GPT-4, GPT-3.5 | AZURE_OPENAI_API_KEY |
| Cloudflare Workers AI | Llama, Mistral | CF_API_TOKEN |
| Lepton | Llama | LEPTON_API_KEY |
| Hugging Face | Various | HF_API_TOKEN |
| Jan | Local models | (local, no key) |
# List all providers and models
ironclaw models
# Show only providers with available API keys
ironclaw models --available
IronClaw supports 20 communication channels, each with rate limiting, sender validation, input sanitization, and credential redaction:
| Channel | Type | Rate Limit |
|---|---|---|
| CLI | Interactive terminal | 120/burst, 10/s |
| Slack | Events API + Web API | 50/burst, 1/s |
| Discord | Gateway WebSocket + REST | 50/burst, 2/s |
| Telegram | Bot API (long-poll/webhook) | 30/burst, 1/s |
| Business API | 20/burst, 0.5/s | |
| Matrix | Client-server API (/sync) | 60/burst, 2/s |
| IRC | Persistent TCP | 30/burst, 1/s |
| Teams | Bot Framework | 40/burst, 1.5/s |
| Google Chat | Workspace API | 40/burst, 1.5/s |
| Signal | Signal CLI / REST bridge | 20/burst, 0.5/s |
| iMessage | AppleScript (macOS) | 20/burst, 0.5/s |
| BlueBubbles | iMessage bridge | 20/burst, 0.5/s |
| Zalo | Official Account API | 30/burst, 1/s |
| Zalo Personal | Personal API | 20/burst, 0.5/s |
| Web UI | HTTP + WebSocket | 100/burst, 5/s |
| REST API | JSON POST /v1/messages | 200/burst, 20/s |
| WebSocket | Bidirectional streaming | 100/burst, 10/s |
| gRPC | Unary + streaming RPCs | 200/burst, 20/s |
| SMTP (out) + IMAP (in) | 10/burst, 0.2/s | |
| LINE | Messaging API | 30/burst, 1/s |
All messages pass through a security pipeline:
Inbound: Rate limiting → Sender validation → Input sanitization (null bytes, ANSI escapes, role injection)
Outbound: Credential redaction (API keys, AWS keys, tokens) → PII redaction (emails, card numbers) → Internal URL / SSRF detection
DAG-based automation engine with 10 action types:
Features: {{variable}} template resolution, cycle detection via topological sort, conditional execution, retry policies with exponential backoff, 6 trigger types (manual, scheduled, webhook, channel_message, event, on_completion).
Multi-agent orchestration with 6 built-in roles and 5 coordination patterns:
| Role | Capabilities |
|---|---|
| Researcher | Web search, file read, analysis |
| Coder | Code generation, file write, tool execution |
| Reviewer | Code review, analysis |
| Planner | Planning, task decomposition |
| Tester | Test execution, analysis |
| Security Auditor | Security scanning, analysis |
Process images, audio, video, and files natively:
$ claude mcp add ironclaw \
-- python -m otcore.mcp_server <graph>