IronClaw: a Rust-based clawd that runs tools in isolated WASM sandboxes

Original link: https://github.com/nearai/ironclaw

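## IronClaw: Your Secure, Local AI Assistant

IronClaw is an open-source AI assistant whose core principle is **user privacy and control**. Unlike many AI tools, all of your data is **stored locally, encrypted, and never shared**, providing full transparency and eliminating corporate data collection.

Built in Rust, IronClaw has a robust **defense-in-depth security architecture** that uses WASM sandboxing, credential protection, and prompt injection defense. It supports **dynamic tool building** (creating custom functionality on the fly) and integrates seamlessly through the REPL, webhooks, and a web gateway.

Key features include parallel job processing, automated routines (cron jobs and event triggers), and hybrid search for efficient data retrieval. Installation is straightforward, using installers for Windows, macOS, and Linux, or by compiling from source.

IronClaw requires PostgreSQL with the pgvector extension enabled, and a NEAR AI account for authentication. It is a powerful, customizable, and **trustworthy AI assistant** for personal and professional use.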

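## IronClaw: Secure AI Tool Execution

IronClaw is a new Rust-based project designed to run AI tools safely in isolated WebAssembly (WASM) sandboxes. Developed by one of the authors of the "Attention is all you need" paper, it focuses on a security-first implementation, particularly addressing prompt injection vulnerabilities.

The project uses WASM to create these isolated environments for tools; a key question is how to enforce capability-based permissions *inside* the sandbox without compromising its security. The developer emphasizes its hardened design and the benefits of isolating tools for safer execution. It responds to the growing demand for secure AI development, jokingly described as adding "...and make it secure" to the development process.

More information can be found in its GitHub repository: [https://github.com/nearai/ironclaw](https://github.com/nearai/ironclaw).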
Original text

IronClaw

Your secure personal AI assistant, always on your side


IronClaw is built on a simple principle: your AI assistant should work for you, not against you.

In a world where AI systems are increasingly opaque about data handling and aligned with corporate interests, IronClaw takes a different approach:

  • Your data stays yours - All information is stored locally, encrypted, and never leaves your control
  • Transparency by design - Open source, auditable, no hidden telemetry or data harvesting
  • Self-expanding capabilities - Build new tools on the fly without waiting for vendor updates
  • Defense in depth - Multiple security layers protect against prompt injection and data exfiltration

IronClaw is the AI assistant you can actually trust with your personal and professional life.

  • WASM Sandbox - Untrusted tools run in isolated WebAssembly containers with capability-based permissions
  • Credential Protection - Secrets are never exposed to tools; injected at the host boundary with leak detection
  • Prompt Injection Defense - Pattern detection, content sanitization, and policy enforcement
  • Endpoint Allowlisting - HTTP requests only to explicitly approved hosts and paths
  • Multi-channel - REPL, HTTP webhooks, WASM channels (Telegram, Slack), and web gateway
  • Docker Sandbox - Isolated container execution with per-job tokens and orchestrator/worker pattern
  • Web Gateway - Browser UI with real-time SSE/WebSocket streaming
  • Routines - Cron schedules, event triggers, webhook handlers for background automation
  • Heartbeat System - Proactive background execution for monitoring and maintenance tasks
  • Parallel Jobs - Handle multiple requests concurrently with isolated contexts
  • Self-repair - Automatic detection and recovery of stuck operations
  • Dynamic Tool Building - Describe what you need, and IronClaw builds it as a WASM tool
  • MCP Protocol - Connect to Model Context Protocol servers for additional capabilities
  • Plugin Architecture - Drop in new WASM tools and channels without restarting
  • Hybrid Search - Full-text + vector search using Reciprocal Rank Fusion
  • Workspace Filesystem - Flexible path-based storage for notes, logs, and context
  • Identity Files - Maintain consistent personality and preferences across sessions

Prerequisites:

  • Rust 1.85+
  • PostgreSQL 15+ with pgvector extension
  • NEAR AI account (authentication handled via setup wizard)

Visit the Releases page to see the latest updates.

Install via Windows Installer (Windows)

Download the Windows Installer and run it.

Install via PowerShell script (Windows)

irm https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-installer.ps1 | iex

Install via shell script (macOS, Linux, Windows/WSL)

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-installer.sh | sh

Compile the source code (Cargo on Windows, Linux, macOS)

Install it with cargo; just make sure you have Rust installed on your computer.

# Clone the repository
git clone https://github.com/nearai/ironclaw.git
cd ironclaw

# Build
cargo build --release

# Run tests
cargo test

For a full release (after modifying channel sources), run ./scripts/build-all.sh first to rebuild the channels.

# Create database
createdb ironclaw

# Enable pgvector
psql ironclaw -c "CREATE EXTENSION IF NOT EXISTS vector;"

Run the setup wizard to configure IronClaw:

The wizard handles database connection, NEAR AI authentication (via browser OAuth), and secrets encryption (using your system keychain). All settings are saved to ~/.ironclaw/settings.toml.

IronClaw implements defense in depth to protect your data and prevent misuse.

All untrusted tools run in isolated WebAssembly containers:

  • Capability-based permissions - Explicit opt-in for HTTP, secrets, tool invocation
  • Endpoint allowlisting - HTTP requests only to approved hosts/paths
  • Credential injection - Secrets injected at host boundary, never exposed to WASM code
  • Leak detection - Scans requests and responses for secret exfiltration attempts
  • Rate limiting - Per-tool request limits to prevent abuse
  • Resource limits - Memory, CPU, and execution time constraints

WASM ──► Allowlist ──► Leak Scan ──► Credential ──► Execute ──► Leak Scan ──► WASM
         Validator     (request)     Injector       Request     (response)
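
The request path in the diagram above, sketched as an added Rust example (not IronClaw's own code): a host-side dispatcher that checks the allowlist, scans the outgoing request for secret values, attaches the credential outside the sandbox, and redacts the response before it goes back to the tool. The `Host`, `Request` and `Denied` types, the host name and the key value are constructed for illustration, and `upstream` stands in for the real HTTP client.

```rust
// Added illustration, not IronClaw source code; every name and value here is hypothetical.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum Denied { NotAllowlisted, LeakInRequest }
struct Request { host: String, path: String, body: String, headers: HashMap<String, String> }

struct Host {
    allowlist: Vec<(&'static str, &'static str)>, // (exact host, path prefix)
    secrets: HashMap<&'static str, &'static str>, // name -> value, never handed to the tool
}

impl Host {
    // True if any stored secret value appears verbatim in `text`.
    fn leaks(&self, text: &str) -> bool {
        self.secrets.values().any(|v| text.contains(*v))
    }

    // Allowlist -> leak scan (request) -> inject credential -> execute -> leak scan (response).
    fn dispatch(&self, mut req: Request, secret_name: &str,
                upstream: impl Fn(&Request) -> String) -> Result<String, Denied> {
        let allowed = !req.path.contains("..") && self.allowlist.iter()
            .any(|(h, p)| req.host == *h && req.path.starts_with(*p));
        if !allowed { return Err(Denied::NotAllowlisted); }
        if self.leaks(&req.path) || self.leaks(&req.body) { return Err(Denied::LeakInRequest); }
        // The tool only names the secret; the value is attached on the host side.
        if let Some(v) = self.secrets.get(secret_name) {
            req.headers.insert("Authorization".into(), format!("Bearer {v}"));
        }
        let mut resp = upstream(&req);
        for v in self.secrets.values() {
            resp = resp.replace(*v, "[REDACTED]"); // scrub before returning to the sandbox
        }
        Ok(resp)
    }
}

fn demo_host() -> Host {
    Host { allowlist: vec![("api.example.test", "/v1/")],
           secrets: HashMap::from([("api_key", "sk-constructed-0001")]) }
}

fn request(host: &str, path: &str, body: &str) -> Request {
    Request { host: host.into(), path: path.into(), body: body.into(), headers: HashMap::new() }
}

fn main() {
    // Constructed upstream that reflects the Authorization header back in its response.
    let echo = |r: &Request| format!("auth={:?}", r.headers.get("Authorization"));
    println!("{:?}", demo_host().dispatch(request("api.example.test", "/v1/items", ""), "api_key", echo));
}
```

Comparing the host exactly and rejecting `..` keeps the prefix allowlist from matching a look-alike host suffix or a path such as `/v1/../admin`.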

External content passes through multiple security layers:

  • Pattern-based detection of injection attempts
  • Content sanitization and escaping
  • Policy rules with severity levels (Block/Warn/Review/Sanitize)
  • Tool output wrapping for safe LLM context injection

  • All data stored locally in your PostgreSQL database
  • Secrets encrypted with AES-256-GCM
  • No telemetry, analytics, or data sharing
  • Full audit log of all tool executions

┌────────────────────────────────────────────────────────────────────┐
│                          Channels                                  │
│  ┌──────┐  ┌──────┐  ┌─────────────┐  ┌─────────────┐            │
│  │ REPL │  │ HTTP │  │WASM Channels│  │ Web Gateway │            │
│  └──┬───┘  └──┬───┘  └──────┬──────┘  │ (SSE + WS) │            │
│     │         │              │         └──────┬──────┘            │
│     └─────────┴──────────────┴────────────────┘                   │
│                              │                                     │
│                    ┌─────────▼─────────┐                          │
│                    │    Agent Loop     │  Intent routing           │
│                    └────┬─────────┬────┘                          │
│                         │         │                                │
│              ┌──────────▼───┐  ┌──▼──────────────┐               │
│              │  Scheduler   │  │ Routines Engine  │               │
│              │(parallel jobs)│  │(cron, event, wh) │               │
│              └──────┬───────┘  └────────┬─────────┘               │
│                     │                   │                          │
│       ┌─────────────┼───────────────────┘                         │
│       │             │                                              │
│   ┌───▼────┐   ┌────▼────────────────┐                           │
│   │ Local  │   │    Orchestrator     │                           │
│   │Workers │   │  ┌───────────────┐  │                           │
│   │(in-proc)│   │  │ Docker Sandbox│  │                           │
│   └───┬────┘   │  │   Containers  │  │                           │
│       │        │  │ ┌───────────┐ │  │                           │
│       │        │  │ │Worker / CC│ │  │                           │
│       │        │  │ └───────────┘ │  │                           │
│       │        │  └───────────────┘  │                           │
│       │        └─────────┬───────────┘                           │
│       └──────────────────┤                                        │
│                          │                                        │
│              ┌───────────▼──────────┐                             │
│              │    Tool Registry     │                             │
│              │  Built-in, MCP, WASM │                             │
│              └──────────────────────┘                             │
└────────────────────────────────────────────────────────────────────┘

| Component | Purpose |
|-----------|---------|
| Agent Loop | Main message handling and job coordination |
| Router | Classifies user intent (command, query, task) |
| Scheduler | Manages parallel job execution with priorities |
| Worker | Executes jobs with LLM reasoning and tool calls |
| Orchestrator | Container lifecycle, LLM proxying, per-job auth |
| Web Gateway | Browser UI with chat, memory, jobs, logs, extensions, routines |
| Routines Engine | Scheduled (cron) and reactive (event, webhook) background tasks |
| Workspace | Persistent memory with hybrid search |
| Safety Layer | Prompt injection defense and content sanitization |

# First-time setup (configures database, auth, etc.)
ironclaw onboard

# Start interactive REPL
cargo run

# With debug logging
RUST_LOG=ironclaw=debug cargo run

# Format code
cargo fmt

# Lint
cargo clippy --all --benches --tests --examples --all-features

# Run tests
createdb ironclaw_test
cargo test

# Run specific test
cargo test test_name

  • Telegram channel: See docs/TELEGRAM_SETUP.md for setup and DM pairing.
  • Changing channel sources: Run ./channels-src/telegram/build.sh before cargo build so the updated WASM is bundled.

IronClaw is a Rust reimplementation inspired by OpenClaw. See FEATURE_PARITY.md for the complete tracking matrix.

Key differences:

  • Rust vs TypeScript - Native performance, memory safety, single binary
  • WASM sandbox vs Docker - Lightweight, capability-based security
  • PostgreSQL vs SQLite - Production-ready persistence
  • Security-first design - Multiple defense layers, credential protection

Licensed under either of:

at your option.