Skip to content

IronClaw

Security-hardened, self-hosted AI agents — isolation you can prove, not just claim.

IronClaw runs autonomous agents the way a security team would want them run: every agent lives in a per-session sandbox, every capability change passes through a deterministic human-approval gateway, and every action lands in an append-only audit log. There is no path that bypasses the gateway.

Zero-credential chat demo: one command starts the offline mock-agent control-plane with no API key; a chat message engages the agent, which launches a real per-session sandbox container; the reply flows back through the encrypted per-session queue.
Zero credentials, one command. The offline mock-agent runs the full chat → per-session sandbox → reply path with no API key — production seals each sandbox with gVisor and network=none. See the Quickstart.

  • Quickstart

    From a clean clone to submitting, approving, and auditing your first agent action — in about five minutes, on your machine.

  • Tutorials

    Hands-on, copy-pasteable walkthroughs: your first sandboxed agent, connecting Slack, and writing a custom channel adapter.

  • Security & trust

    The trust story: the threat model, the sealed-runtime invariants, and how a user verifies what they install.

  • Architecture

    The control-plane / sandbox split, the frozen contract between them, and the encrypted queues they speak over.

  • API reference

    The control-plane HTTP API (OpenAPI 3.1) consumed by ironctl and the web console.

What makes IronClaw different

  • Assume the agent is hostile. The threat model treats the agent inside the sandbox as potentially compromised — by prompt injection, a poisoned tool result, or a hostile model output — and designs the blast radius around that assumption.
  • Every mutation is gated. Persona, enabled tools, packages, wiring, permissions, and mounts are held at the gateway until a human approves them. See the Quickstart for a hands-on demonstration.
  • Verifiable supply chain. Every release is checksummed, keyless-signed (cosign), and carries build-provenance attestations. See the Release runbook for how to verify a download.

Where to go next

If you want to… Read
Run IronClaw locally Quickstart
Follow a hands-on walkthrough Tutorials
Understand the design IronClaw, ExplainedArchitecture
Evaluate the security posture Security & trustThreat model
Wire an agent to Slack / Discord / … Channel adapters
Extend an agent with curated capabilities Skills
Drive the control-plane API API reference