MCPcopy Index your code
hub / github.com/JoasASantos/ironclaw

github.com/JoasASantos/ironclaw @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
1,536 symbols 3,148 edges 42 files 437 documented · 28%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

IronClaw

Secure-by-default AI Agent Framework with Zero Trust Architecture image

Quick StartArchitectureSecurity LayersProvidersChannelsDifferentialsContributing


IronClaw is a production-grade AI agent framework written in Rust, engineered from the ground up with security as its primary concern. Every tool execution is validated, sandboxed, and audited. No implicit trust — every action requires explicit permission.

25+ LLM providers | 20+ communication channels | 13-step security pipeline | 432+ tests | ~25,000 lines of Rust


Quick Start

Prerequisites

  • Rust 1.75+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  • SQLite3 (bundled in the build)
  • Docker (optional, for container sandbox)
  • Ollama (optional, for local models with no API key)

Build & Run

# Clone and build
git clone https://github.com/CyberSecurityUP/ironclaw.git
cd ironclaw
cargo build --release

# Run the onboarding wizard (easiest way to get started)
./target/release/ironclaw onboard

# Or run directly with a provider
./target/release/ironclaw run --provider ollama --model llama3.3

# Run with the Web UI
./target/release/ironclaw run --provider anthropic --ui

# Check your security posture
./target/release/ironclaw doctor

Provider Presets

Use preset aliases for quick selection:

Preset Provider Model Use Case
fast Groq llama-3.3-70b-versatile Ultra-low latency
smart Anthropic claude-sonnet-4-5 Highest quality
cheap DeepSeek deepseek-chat Lowest cost
local Ollama llama3.3 No API key needed
vision Google gemini-2.5-flash Multimodal
code Anthropic claude-sonnet-4-5 Code generation
ironclaw run --provider fast    # Groq ultra-fast
ironclaw run --provider local   # Ollama local
ironclaw run --provider smart   # Claude best quality

Provider Setup Examples

# Ollama (free, local)
ollama serve && ollama pull llama3.3
ironclaw run --provider ollama

# Anthropic (Claude)
export ANTHROPIC_API_KEY="sk-ant-api03-..."
ironclaw run --provider anthropic

# OpenAI (GPT)
export OPENAI_API_KEY="sk-..."
ironclaw run --provider openai

# Google (Gemini)
export GOOGLE_API_KEY="AIza..."
ironclaw run --provider google

# OpenRouter (100+ models, single API key)
export OPENROUTER_API_KEY="sk-or-..."
ironclaw run --provider openrouter --model google/gemini-2.5-pro

See QUICKSTART.md for detailed setup instructions for all 25 providers.


Architecture

┌──────────────────────────────────────────────────────────────┐
│                     CLI / Web UI / Channels                   │
├──────────────────────────────────────────────────────────────┤
│                        Core Engine                            │
│  ┌────────────┬────────────┬────────────┬──────────────────┐ │
│  │  Provider   │    Tool    │   Memory   │     Workflow     │ │
│  │  Router     │  Registry  │   Store    │     Engine       │ │
│  ├────────────┼────────────┼────────────┼──────────────────┤ │
│  │  Skill      │   Cost     │  Context   │   Agent          │ │
│  │  Verifier   │  Tracker   │  Chunking  │  Orchestrator    │ │
│  └────────────┴────────────┴────────────┴──────────────────┘ │
├──────────────────────────────────────────────────────────────┤
│                    Security Pipeline (13 steps)               │
│  ┌──────────┬──────────┬──────────┬──────────┬───────────┐  │
│  │ Command  │   RBAC   │ Sandbox  │  Audit   │   DLP     │  │
│  │ Guardian │  Policy  │ Enforcer │   Log    │  Engine   │  │
│  ├──────────┼──────────┼──────────┼──────────┼───────────┤  │
│  │  Anti-   │   SSRF   │  Skill   │Community │ Session   │  │
│  │ Stealer  │  Guard   │ Scanner  │ Scanner  │   Auth    │  │
│  └──────────┴──────────┴──────────┴──────────┴───────────┘  │
├──────────────────────────────────────────────────────────────┤
│         Sandbox (Docker / Bubblewrap / Native)                │
│  ┌──────────────────────────────────────────────────────┐    │
│  │ Multi-Level Profiles: Minimal → Standard → Elevated  │    │
│  └──────────────────────────────────────────────────────┘    │
├──────────────────────────────────────────────────────────────┤
│      Communication Channels (20+) & Gateway (JWT/OAuth2)      │
└──────────────────────────────────────────────────────────────┘

Core Modules

Module Description Lines
core/ Engine, config, types, tools, cost tracker, chunking, cache, history, scheduler, multimodal ~4,500
providers/ 25 LLM provider integrations + presets + catalog ~1,850
channels/ 20 communication channels with security pipeline ~1,475
security/ Credential scanning, network/system policy ~2,530
gateway/ API gateway with JWT, OAuth2, session auth, rate limiting ~1,150
workflow/ DAG-based workflow engine with 10 action types ~1,230
agents/ Multi-agent orchestration with 5 coordination patterns ~1,010
observability/ Structured logging, audit trail, SIEM export, metrics ~1,190
memory/ Encrypted stores (SQLite, file, Redis, Postgres) ~1,060
skills/ Skill loader, registry, scanner (27 rules), community scanner ~1,750
sandbox/ Docker, Bubblewrap, Native backends + multi-level profiles ~980
guardian/ Command validation with 45+ blocked patterns ~650
dlp/ Data Loss Prevention with 22+ detection rules ~520
antitheft/ Anti-stealer credential harvesting detection ~470
network/ SSRF protection + URL validation ~450
auth/ LLM session authentication (HMAC-SHA256 tokens) ~300
cli/ Doctor (20 checks), onboard wizard, policy, audit, skills ~1,200
ui/ Web UI (Axum + WebSocket + embedded assets) ~550

Security Layers

IronClaw follows Zero Trust principles with 13 overlapping security layers:

1. Command Guardian

Every shell command is validated against 45+ blocklist patterns and heuristic rules. Blocks reverse shells, privilege escalation, data exfiltration, credential access, and injection attacks.

2. Role-Based Access Control (RBAC)

Full role-based permission model for filesystem, network, and system access. Deny rules always take precedence. Rate limiting per role.

3. Sandbox Isolation

All tool execution runs in isolated environments (Docker rootless, Bubblewrap, or Native) with seccomp profiles, no host access by default, and explicit network policies.

4. Multi-Level Sandbox Profiles

Per-skill isolation levels — Minimal, Standard, Elevated, Unrestricted, Custom — with fine-grained control over filesystem access, network access, resource limits, and environment variables.

5. Skill Signature Verification

All skills must be cryptographically signed (Ed25519) with SHA-256 content hashing. Only skills signed by trusted keys can execute.

6. Skill Static Analyzer

Scans skill/plugin source code for 27 dangerous patterns (eval, exec, crypto mining, exfiltration, env harvesting, obfuscated code, privilege escalation, persistence mechanisms) with CWE mapping.

7. Community Skill Security Scanner

Typosquatting detection via Levenshtein distance against known packages (npm, PyPI, crates.io), reputation database, dependency analysis, and quarantine for untrusted packages.

8. Memory Protection

All memory encrypted at rest (AES-256-GCM), segregated by context, sanitized against injection attacks. Multiple backends: SQLite, file, Redis, Postgres.

9. Anti-Stealer Detection

Dedicated module detecting credential harvesting, sensitive file access (SSH keys, cloud creds, crypto wallets, browser profiles, keychains), multi-step exfiltration correlation, and stealer-like command patterns.

10. SSRF Protection

Blocks private/reserved IP ranges (RFC 1918, CGNAT, link-local), cloud metadata endpoints (AWS/GCP/Azure), DNS rebinding, IP obfuscation (decimal, hex, octal), and dangerous URL schemes.

11. Data Loss Prevention (DLP)

Scans all tool outputs for sensitive data (private keys, AWS/GCP/Azure credentials, database URIs, JWT tokens, API keys, /etc/shadow) with configurable actions: block, redact, warn.

12. Observability & Audit

Structured JSON logging with automatic PII redaction, security audit trail, and SIEM export capability. OpenTelemetry integration for metrics and tracing.

13. LLM Session Authentication

Active LLM session as proof of identity — HMAC-SHA256 signed tokens with configurable TTL, provider health-check validation, rate-limited session creation.


Providers

IronClaw supports 25+ LLM providers out of the box:

Provider Models API Key Env Var
Anthropic Claude 4.5 Sonnet, Haiku ANTHROPIC_API_KEY
OpenAI GPT-4.1, GPT-4.1-mini, o3, o4-mini OPENAI_API_KEY
Google Gemini 2.5 Flash, Pro GOOGLE_API_KEY
Groq Llama 3.3, Mixtral GROQ_API_KEY
DeepSeek DeepSeek Chat, Coder DEEPSEEK_API_KEY
Mistral Mistral Large, Small MISTRAL_API_KEY
Cohere Command R+ COHERE_API_KEY
xAI Grok-3 XAI_API_KEY
Together Llama, Mixtral, Code Llama TOGETHER_API_KEY
Fireworks Llama, Mixtral FIREWORKS_API_KEY
Perplexity pplx-7b, pplx-70b PERPLEXITY_API_KEY
Replicate Llama, Stable Diffusion REPLICATE_API_TOKEN
AI21 Jamba 1.5 AI21_API_KEY
OpenRouter 100+ models OPENROUTER_API_KEY
Ollama Any local model (local, no key)
LM Studio Any local model (local, no key)
Cerebras Llama 3.3 CEREBRAS_API_KEY
SambaNova Llama, Mixtral SAMBANOVA_API_KEY
AWS Bedrock Claude, Llama AWS credentials
Google Vertex AI Gemini, PaLM GCP credentials
Azure OpenAI GPT-4, GPT-3.5 AZURE_OPENAI_API_KEY
Cloudflare Workers AI Llama, Mistral CF_API_TOKEN
Lepton Llama LEPTON_API_KEY
Hugging Face Various HF_API_TOKEN
Jan Local models (local, no key)
# List all providers and models
ironclaw models

# Show only providers with available API keys
ironclaw models --available

Channels

IronClaw supports 20 communication channels, each with rate limiting, sender validation, input sanitization, and credential redaction:

Channel Type Rate Limit
CLI Interactive terminal 120/burst, 10/s
Slack Events API + Web API 50/burst, 1/s
Discord Gateway WebSocket + REST 50/burst, 2/s
Telegram Bot API (long-poll/webhook) 30/burst, 1/s
WhatsApp Business API 20/burst, 0.5/s
Matrix Client-server API (/sync) 60/burst, 2/s
IRC Persistent TCP 30/burst, 1/s
Teams Bot Framework 40/burst, 1.5/s
Google Chat Workspace API 40/burst, 1.5/s
Signal Signal CLI / REST bridge 20/burst, 0.5/s
iMessage AppleScript (macOS) 20/burst, 0.5/s
BlueBubbles iMessage bridge 20/burst, 0.5/s
Zalo Official Account API 30/burst, 1/s
Zalo Personal Personal API 20/burst, 0.5/s
Web UI HTTP + WebSocket 100/burst, 5/s
REST API JSON POST /v1/messages 200/burst, 20/s
WebSocket Bidirectional streaming 100/burst, 10/s
gRPC Unary + streaming RPCs 200/burst, 20/s
Email SMTP (out) + IMAP (in) 10/burst, 0.2/s
LINE Messaging API 30/burst, 1/s

Channel Security Pipeline

All messages pass through a security pipeline:

Inbound: Rate limiting → Sender validation → Input sanitization (null bytes, ANSI escapes, role injection)

Outbound: Credential redaction (API keys, AWS keys, tokens) → PII redaction (emails, card numbers) → Internal URL / SSRF detection


Workflow Engine

DAG-based automation engine with 10 action types:

  • LlmCall — Send prompts to any provider
  • ToolExec — Execute registered tools
  • ChannelSend — Send messages to any channel
  • WaitForEvent — Pause until an external trigger
  • Transform — Map/filter data with templates
  • Branch — Conditional branching with 8 operators
  • SubWorkflow — Nest workflows
  • HttpRequest — External API calls
  • Delay — Time-based delays
  • Log — Structured logging

Features: {{variable}} template resolution, cycle detection via topological sort, conditional execution, retry policies with exponential backoff, 6 trigger types (manual, scheduled, webhook, channel_message, event, on_completion).


Collaborative Agents

Multi-agent orchestration with 6 built-in roles and 5 coordination patterns:

Roles

Role Capabilities
Researcher Web search, file read, analysis
Coder Code generation, file write, tool execution
Reviewer Code review, analysis
Planner Planning, task decomposition
Tester Test execution, analysis
Security Auditor Security scanning, analysis

Coordination Patterns

  • Sequential — Agents execute one after another, passing results forward
  • Parallel — All agents work simultaneously, results aggregated
  • Debate — Agents propose, critique, and refine answers
  • Hierarchical — Lead agent delegates tasks to sub-agents
  • Pipeline — Each agent transforms and passes data to the next

Native Multimodal Support

Process images, audio, video, and files natively:

  • Images: JPE

Extension points exported contracts — how you extend this code

Provider (Interface)
(no doc) [13 implementers]
src/providers/mod.rs
MemoryStore (Interface)
(no doc) [5 implementers]
src/memory/mod.rs
SkillSourceAdapter (Interface)
Adapter trait for external skill sources (OpenClaw, ZeroClaw, custom). [2 implementers]
src/skills/mod.rs
SandboxBackend (Interface)
(no doc) [3 implementers]
src/sandbox/mod.rs
Tool (Interface)
(no doc) [3 implementers]
src/core/tool.rs
PipeOk (Interface)
Extension helper so the macro can call `.pipe_ok()` on a `Vec`. [1 implementers]
src/channels/mod.rs
Tunnel (Interface)
(no doc) [3 implementers]
src/tunnel/mod.rs
Plugin (Interface)
(no doc)
src/plugins/mod.rs

Core symbols most depended-on inside this repo

clone
called by 204
src/rbac/mod.rs
get
called by 72
src/core/tool.rs
store
called by 25
src/memory/mod.rs
check_url
called by 23
src/network/mod.rs
scan_source
called by 21
src/skills/scanner.rs
scan_output
called by 19
src/dlp/mod.rs
scanner
called by 16
src/skills/scanner.rs
default_guardian
called by 15
src/security/mod.rs

Shape

Function 761
Method 468
Class 252
Enum 46
Interface 9

Languages

Rust100%

Modules by API surface

src/security/mod.rs135 symbols
tests/security_tests.rs127 symbols
src/core/config.rs107 symbols
src/channels/mod.rs71 symbols
src/observability/mod.rs66 symbols
src/agents/mod.rs64 symbols
src/workflow/mod.rs60 symbols
src/providers/mod.rs58 symbols
src/skills/community.rs51 symbols
src/gateway/mod.rs51 symbols
src/memory/mod.rs49 symbols
src/sandbox/profiles.rs44 symbols

Datastores touched

mydbDatabase · 1 repos
appDatabase · 1 repos

For agents

$ claude mcp add ironclaw \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact