Skip to content
/
Tier B A9 Sandbox substrate

IronClaw

ironclaw · nearai/ironclaw · ★ 12k · last commit 2026-05-26

WASM-sandboxed personal AI runtime with defense-in-depth security: capability-based tool isolation, credential vault, prompt injection defense, and endpoint allowlisting.

Best whenUntrusted AI tools must execute in WASM sandboxes with capability grants, not just be constrained by permission check lists.
Skip ifInline multi-line prompt templates in Rust code (use include_str!() from files), Using info!/warn! in background tasks (corrupts TUI)
vs seeds
superpowersor agent-os, IronClaw replaces the AI tool runtime rather than augmenting it. The WASM-compiled dynamic tool building an…
Primitive shape 33 total
Skills 32 MCP tools 1
00

Summary

IronClaw — Summary

IronClaw is a Rust-built personal AI assistant and Agent OS that positions privacy and security as first-class architectural concerns. Its signature capability is a WASM sandbox — untrusted tools execute in isolated WebAssembly containers with capability-based permissions rather than running directly on the host. Credential injection happens at the host boundary, so LLM tools never see raw API keys; a leak-detection layer confirms no secrets slip through. The framework supports multi-channel access (REPL, HTTP webhooks, WASM channels for Telegram/Slack, web gateway with SSE) and includes a cron-based Routines system for background automation. IronClaw can build new tools dynamically from natural language descriptions, compiling them as WASM modules and installing them without restart. The 32-crate Rust workspace is heavily modular, with dedicated crates for WASM isolation, secrets management, network policy, authorization, trust chains, and embeddings. With 12,351 stars and daily commits, IronClaw is among the most technically ambitious personal-harness frameworks in this batch.

Differs from seeds: IronClaw shares NanoClaw's security-first ethos but goes further: where NanoClaw uses Docker containers, IronClaw uses WASM sandboxes for tools (Docker containers are available for heavier subprocess isolation). Unlike claude-flow's multi-agent hive-mind, IronClaw is single-agent with self-expanding tool capabilities. Unlike superpowers's skills-over-features model, IronClaw is a full standalone runtime (not a Claude Code plugin) with its own TUI, web gateway, and PostgreSQL+pgvector memory backend.

01

Overview

IronClaw — Overview

Origin

IronClaw is developed by NearAI (nearai). It presents as an "Agent OS focused on privacy, security and extensibility" — a standalone personal AI runtime, not a Claude Code plugin. Written in Rust 1.92+ with a 32-crate modular workspace.

Philosophy (verbatim from README)

"IronClaw is built on a simple principle: your AI assistant should work for you, not against you."

"In a world where AI systems are increasingly opaque about data handling and aligned with corporate interests, IronClaw takes a different approach:

  • Your data stays yours - All information is stored locally, encrypted, and never leaves your control
  • Transparency by design - Open source, auditable, no hidden telemetry or data harvesting
  • Self-expanding capabilities - Build new tools on the fly without waiting for vendor updates
  • Defense in depth - Multiple security layers protect against prompt injection and data exfiltration"

Security Model (verbatim)

  • WASM Sandbox — Untrusted tools run in isolated WebAssembly containers with capability-based permissions
  • Credential Protection — Secrets are never exposed to tools; injected at the host boundary with leak detection
  • Prompt Injection Defense — Pattern detection, content sanitization, and policy enforcement
  • Endpoint Allowlisting — HTTP requests only to explicitly approved hosts and paths

Repo Facts

  • GitHub: https://github.com/nearai/ironclaw
  • Stars: 12,351 (2026-05-26)
  • Language: Rust
  • License: Apache-2.0 OR MIT (dual)
  • Version: 0.29.0
  • Last commit: 2026-05-26 (actively maintained)
02

Architecture

IronClaw — Architecture

Distribution

  • Type: Native binary (Rust) + install script
  • Install methods:
    • macOS/Linux: curl -LsSf .../ironclaw-installer.sh | sh
    • Windows: PowerShell installer or MSI
    • Homebrew: brew install ironclaw
    • Cargo: cargo build --release
  • Runtime: Rust 1.92+, PostgreSQL 15+ with pgvector extension, NEAR AI account (auth)

Architecture Overview

IronClaw is a standalone runtime with multiple access layers:

User Input
  ├── REPL (terminal)
  ├── HTTP webhooks
  ├── WASM channels (Telegram, Slack, WeChat, Feishu, Discord)
  └── Web Gateway (browser, SSE/WebSocket)
           ↓
    IronClaw Engine (Rust)
       ├── Tool execution → WASM Sandbox (isolated per tool)
       ├── Docker Sandbox (heavier subprocess isolation)
       ├── Credential injection (host boundary, never in WASM)
       ├── Memory (PostgreSQL + pgvector)
       └── Routines (cron/event/webhook triggers)

Crate Structure (32 crates)

Key crates:

  • ironclaw — main binary
  • ironclaw_wasm — WASM sandbox execution engine
  • ironclaw_secrets — credential protection + leak detection
  • ironclaw_network — endpoint allowlisting
  • ironclaw_safety — prompt injection defense
  • ironclaw_memory — hybrid search (full-text + vector)
  • ironclaw_skills — skill loading/execution
  • ironclaw_engine — orchestration logic
  • ironclaw_tui — terminal UI (Ratatui)
  • ironclaw_gateway — web gateway (SSE/WebSocket)
  • ironclaw_dispatcher — routing
  • ironclaw_events — event system
  • ironclaw_embeddings — vector embeddings
  • ironclaw_mcp — MCP protocol support
  • ironclaw_authorization — capability-based auth
  • ironclaw_trust — trust chain management

Channel Architecture (WASM-compiled)

Channels (Telegram, Slack, WeChat, Discord, Feishu, WhatsApp) are compiled as separate WASM binaries from channels-src/. Same for tools (tools-src/). Loaded at runtime without restart.

Directory Tree

ironclaw/
├── src/              # Main binary entry point
├── crates/           # 32 Rust crates (isolated concerns)
├── channels-src/     # WASM channel source (Telegram, Slack, WeChat, etc.)
├── tools-src/        # WASM tool source (Composio, GitHub, Gmail, etc.)
├── skills/           # 32 SKILL.md files (Claude Code skills)
├── profiles/         # Runtime profiles (local-sandbox.toml, server.toml, etc.)
├── migrations/       # PostgreSQL schema migrations
├── Dockerfile        # Docker image for server mode
├── docker-compose.yml
└── scripts/build-all.sh

Target AI Tools

  • IronClaw is its own runtime — not a plugin for Claude Code
  • Supports any LLM via its own completion API
  • CLAUDE.md + AGENTS.md present for development guidance (not user workflow)
03

Components

IronClaw — Components

Skills (32 SKILL.md files in skills/)

  • ceo-setup — CEO/executive persona setup
  • code-review — Code review workflow
  • coding — Best practices for code editing (keyword-activated)
  • commit — Git commit workflow
  • commitment-digest — Digest of commitments/todos
  • commitment-setup — Commitment tracking setup
  • commitment-triage — Triage commitments
  • content-creator-setup — Content creation persona
  • decision-capture — Capture decisions
  • delegation — Delegation workflow
  • delegation-tracker — Track delegated tasks
  • developer-setup — Developer environment setup
  • github-workflow — GitHub PR/issue workflow
  • github — GitHub operations
  • idea-parking — Park ideas for later
  • linear — Linear issue management
  • llm-council — Multi-LLM council for decisions
  • local-test — Local testing workflow
  • new-project — New project setup
  • plan-mode — Planning mode
  • portfolio — Portfolio management
  • product-prioritization — Product roadmap prioritization
  • project-setup — Project initialization
  • qa-review — QA review process
  • review-checklist — Code review checklist
  • review-readiness — Review readiness assessment
  • routine-advisor — Routine optimization advisor
  • security-review — Security audit skill
  • tech-debt-tracker — Technical debt tracking

Tool Infrastructure (WASM modules)

Built from tools-src/:

  • Composio integration
  • GitHub tools
  • Gmail tools
  • Google Calendar tools
  • Google Docs tools
  • Google Drive tools
  • Google Sheets tools
  • Google Slides tools
  • Slack tools
  • Telegram tools

Channel Modules (WASM-compiled, from channels-src/)

  • Discord
  • Feishu
  • Slack
  • Telegram
  • WeChat
  • WhatsApp

Runtime Profiles (in profiles/)

  • local-sandbox.toml — Personal local use
  • local.toml — Local development
  • server-multitenant.toml — Multi-tenant server
  • server.toml — Server deployment

Security Subsystems

  • WASM sandbox (crate: ironclaw_wasm)
  • Credential vault (crate: ironclaw_secrets)
  • Network allowlist (crate: ironclaw_network)
  • Prompt injection defense (crate: ironclaw_safety)
  • Trust chain (crate: ironclaw_trust)
  • Authorization (crate: ironclaw_authorization)

MCP Support

  • ironclaw_mcp crate provides MCP protocol support
  • Can connect to external MCP servers
05

Prompts

IronClaw — Prompts

Verbatim Excerpt 1: coding Skill (skills/coding/SKILL.md)

---
name: coding
version: "1.0.0"
description: Best practices for code editing, search, and file operations
activation:
  keywords:
    - "code"
    - "edit"
    - "fix"
    - "implement"
    - "refactor"
    - "bug"
    [... 9 more keywords]
  patterns:
    - "(?i)(add|remove|update|modify|create|delete|rename|move)\\s.*(file|function|class|method|variable|import)"
    - "(?i)(fix|debug|investigate|trace|find)\\s.*(bug|error|issue|crash|fail)"
  tags:
    - "development"
    - "coding"
  max_context_tokens: 1500
---

# Coding Best Practices

## Tool Usage Discipline
- **Prefer `apply_patch` over `write_file`** for modifying existing files.
- **Always `read_file` before editing.** Never edit a file you haven't read.
- **Use `glob` for file discovery** instead of `shell` with `find` or `ls`.
- **Use `grep` for content search** instead of `shell` with `grep` or `rg`.

## Code Change Discipline
- **Minimal changes.** Don't add features, refactor, or "improve" beyond what was asked.
- **No unnecessary comments or docstrings.**
- **One thing at a time.** Make focused changes, verify with `read_file`, then move to the next change.

## Code Quality
- Don't introduce security vulnerabilities (command injection, XSS, SQL injection, path traversal).
- Preserve existing code style and conventions.
- Test after changes when test infrastructure exists.

Technique: Keyword + regex pattern activation with max_context_tokens: 1500 cap. This is NOT a Claude Code skill — it's IronClaw's own skill format with activation metadata controlling automatic injection based on message content. The Iron Laws pattern (minimal change, read-before-edit) mirrors superpowers but implemented in IronClaw's native YAML-fronted format.

Verbatim Excerpt 2: CLAUDE.md (Development Guide)

# IronClaw Development Guide

## Code Style
- **Prompt templates live in files, not Rust code**: Multi-line prompt strings go in `crates/ironclaw_engine/prompts/*.md` and are loaded via `include_str!()`. Never inline large prompt templates as Rust string constants.
- **Logging levels matter for REPL/TUI**: `info!` and `warn!` output appears in the REPL and corrupts the terminal UI. Use `debug!` for internal diagnostics.

## Architecture
- Extension and channel onboarding has two distinct identities that must not be conflated:
  - `credential_name`: backend secret identity used for storage, injection, and gate resume
  - `extension_name`: user-facing installed extension/channel identity

Technique: Developer CLAUDE.md as architectural constraint injection — describes system-level invariants (credential identity separation, prompt template file discipline) using explicit "must not" antipatterns with examples.

09

Uniqueness

IronClaw — Uniqueness & Positioning

differs_from_seeds

IronClaw is most architecturally comparable to ccmemory (both use external database backends for persistent memory) but differs radically: ccmemory is a Claude Code plugin with ~10 MCP tools storing data in Neo4j, while IronClaw is a 32-crate Rust standalone runtime with WASM sandboxing, PostgreSQL+pgvector hybrid memory, and its own TUI/web gateway. IronClaw's WASM tool sandbox has no equivalent in any seed framework. Unlike superpowers (14 skills, zero runtime) or agent-os (bash scripts + markdown), IronClaw is a complete replacement for the AI runtime layer, not an augmentation of an existing tool. It shares claude-flow's ambition for a comprehensive platform but differs in architecture: claude-flow layers on Node.js with an MCP server + SQLite, IronClaw is Rust with WASM isolation + PostgreSQL.

Distinctive Positioning

  1. WASM capability-based sandboxing: The only framework in this batch (and likely the corpus) that sandboxes LLM tool calls in WebAssembly with capability grants. Significantly more fine-grained than Docker container isolation.

  2. Dynamic WASM tool compilation: Agents can describe a needed tool in natural language; IronClaw builds and deploys it as a WASM module without restart. No other framework does this.

  3. Defense in depth: Four explicit security layers (WASM sandbox, credential injection, prompt injection defense, endpoint allowlisting) with each layer independently verifiable.

  4. 32-crate Rust modular workspace: Level of modularity reflects intent to make individual security subsystems auditable and replaceable.

  5. Hybrid RRF memory: Reciprocal Rank Fusion combining full-text + vector search is the most sophisticated memory retrieval in the batch.

Observable Failure Modes

  • Requires PostgreSQL + pgvector — higher infrastructure complexity than SQLite-based peers
  • NEAR AI account required for auth — introduces external dependency
  • WASM tool compilation from natural language is an advanced capability that may be unreliable
  • 32-crate workspace means long build times (especially full release build)
  • Not portable to Claude Code — users who want Claude Code skills are better served by NanoClaw or superpowers
  • Channel WASM binaries require separate build step (./scripts/build-all.sh)
04

Workflow

IronClaw — Workflow

Installation Phase

Step Artifact Gate
Install binary (curl/brew/cargo) ironclaw binary Automated
Setup wizard (NEAR AI account) Auth credentials Manual (account creation)
Configure profile ~/.ironclaw/config or profiles/*.toml Manual
Install PostgreSQL + pgvector Database backend Manual
Add channel modules (WASM) Channel binaries loaded Manual (per channel)

Per-Request Flow

Step Artifact Notes
Input arrives (REPL / webhook / web) User message Any channel
Dispatcher routes to engine Request object
Skills activated by keyword/pattern match Skill context injected Automatic
LLM generates tool calls Tool invocation requests
Tool runs in WASM sandbox Isolated execution Capability-checked
Credentials injected at boundary HTTP requests with auth Never in WASM
Response returned to channel Formatted output

Routine (Background Task) Flow

Step Artifact
Cron trigger / event trigger / webhook Routine activation
Engine runs autonomously Background execution
Heartbeat system monitors progress Health checks
Self-repair for stuck operations Automatic recovery

Tool Building Flow

Step Artifact
User describes needed tool in natural language Tool specification
IronClaw generates WASM tool code WASM source
Tool compiled and loaded New WASM module
Available immediately without restart Tool registered

Approval Gates

  • Initial NEAR AI account creation (one-time)
  • Endpoint allowlist configuration (explicit per-hostname)
  • Credential vault population (manual per secret)
  • No mid-task approval prompts (autonomous operation by default)
06

Memory Context

IronClaw — Memory & Context

Memory Architecture

Three layers (from README):

  1. Identity files — Maintain consistent personality and preferences across sessions
  2. Pinned facts — Explicitly remembered facts
  3. Per-session episodes — Session-level conversation history with transcript fallback

Backend

  • PostgreSQL 15+ with pgvector extension
  • Vector embeddings stored for semantic search
  • ironclaw_memory and ironclaw_embeddings crates handle storage and retrieval
  • Schema managed via migrations/ directory

Search Mechanism

Hybrid search — Reciprocal Rank Fusion (RRF) combining:

  • Full-text search (PostgreSQL FTS)
  • Vector similarity search (pgvector)

"At most one compact slice per request based on what you're actually asking. A background consolidator decays, merges, and evicts so memory stays sharp instead of bloating. Most turns inject ~800 tokens or less; many inject zero."

Workspace Filesystem

  • Flexible path-based storage for notes, logs, and context
  • Accessible to agents within defined capability bounds

Context Management

  • Background consolidator: decays, merges, evicts old memories
  • Session-end distillation (not per-turn): one pass after session completes
  • Salience scoring: what matters gets retained
  • Compaction budget: ~800 tokens per request target, inject zero when not needed

Cross-Session Handoff

  • Identity files provide continuity across sessions
  • Pinned facts explicitly span sessions
  • PostgreSQL persistence ensures nothing lost between restarts

Isolation

  • Memory isolated per user (local mode) or per tenant (server-multitenant mode)
  • WASM tools cannot access memory directly — only through capability-granted host API calls
07

Orchestration

IronClaw — Orchestration

Multi-Agent

IronClaw is a single-agent runtime. The llm-council skill enables consulting multiple LLM opinions on decisions, but this is implemented as a skill-driven advisory pattern rather than concurrent agent instances.

Isolation Mechanism

WASM Sandbox (primary):

  • Untrusted tools run in isolated WebAssembly containers
  • Capability-based permission model: each WASM tool only gets capabilities explicitly granted
  • Credentials injected at host boundary — never passed into WASM
  • Endpoint allowlisting: HTTP requests blocked unless host is on the approved list
  • Prompt injection defense via pattern detection + content sanitization in ironclaw_safety

Docker Sandbox (secondary, heavier isolation):

  • Available for subprocess execution requiring more capabilities
  • Per-job tokens and orchestrator/worker pattern
  • Parallel jobs with isolated contexts

Execution Mode

Continuous/Event-driven:

  • REPL: interactive loop
  • Webhooks: event-driven on HTTP triggers
  • Routines: scheduled (cron), event-triggered, webhook-triggered
  • Heartbeat system: proactive background execution for monitoring/maintenance
  • Self-repair: automatic detection and recovery of stuck operations

Multi-Model

  • Not explicitly documented as multi-model in README
  • llm-council skill suggests consulting multiple models for important decisions
  • IronClaw's own completion API is model-agnostic (not tied to specific LLM)

Orchestration Pattern

Sequential within single session. Parallel jobs supported in Docker sandbox mode for concurrent requests.

Consensus Mechanism

llm-council skill — advisory pattern, not algorithmic consensus.

Prompt Chaining

Skills can be composed; output from one operation feeds into next. Not a formal chaining mechanism.

08

Ui Cli Surface

IronClaw — UI & CLI Surface

CLI Binary

  • ironclaw — primary binary (Rust)
  • Installed via curl .../ironclaw-installer.sh | sh, brew install ironclaw, or cargo build --release
  • Shell completions provided: ironclaw.bash, ironclaw.fish, ironclaw.zsh

Terminal UI (TUI)

  • Built with Ratatui (Rust TUI library)
  • Crate: ironclaw_tui
  • Interactive REPL mode
  • Note from CLAUDE.md: info!/warn! logs corrupt the TUI — all internal diagnostics use debug!

Web Gateway

  • Browser UI with real-time SSE/WebSocket streaming
  • Crate: ironclaw_gateway
  • Port: unknown (not found in README)

IDE Integration

None. IronClaw is a standalone runtime, not a Claude Code plugin or VS Code extension.

Channel Surfaces (User-Facing)

  • REPL (terminal)
  • HTTP webhooks (programmatic)
  • WASM channels: Telegram, Slack, Discord, WeChat, Feishu, WhatsApp
  • Web Gateway: Browser-based chat UI

Observability

  • Structured logging via debug!/info!/warn! macros (Rust tracing)
  • Replay: no explicit audit log format found
  • Heartbeat system provides runtime health status
  • Self-repair subsystem detects and recovers from stuck operations

MCP Integration

  • ironclaw_mcp crate implements MCP protocol
  • IronClaw can connect to external MCP servers as a client

Related frameworks

same archetype · same primary tool · same memory type

Daytona ★ 72k
A9 Sandbox substrate

Provide secure, elastic, sub-90ms sandbox compute infrastructure for running AI-generated code, accessible via multi-language…

CUA ★ 17k
A9 Sandbox substrate

Unified SDK for building, benchmarking, and deploying agents that interact with full OS GUIs via isolated VMs.

E2B ★ 12k
A9 Sandbox substrate

Run AI-generated code safely in cloud-hosted isolated sandboxes via a 3-line SDK integration.

OpenSandbox ★ 11k
A9 Sandbox substrate

Protocol-first general-purpose sandbox platform for AI applications with multi-language SDKs and pluggable isolation backends.

Microsandbox ★ 6.3k
A9 Sandbox substrate

Spawn hardware-isolated microVMs as child processes directly from application code, with no server setup, in under 100ms.

CubeSandbox ★ 5.9k
A9 Sandbox substrate

Sub-60ms KVM microVM sandboxes for AI agents with E2B drop-in compatibility and <5MB memory overhead.