Stable release available. Carapace is ready for real use on its verified stable paths; partial and in-progress areas are called out explicitly in the docs.
A security-focused, open-source personal AI assistant. Runs on your machine. Works through Signal, Telegram, Discord, Slack, webhooks, and console. Supports Anthropic, OpenAI, Codex, Ollama, Gemini, Vertex AI, Bedrock, and Venice AI. Extensible via WASM plugins and guarded filesystem tools. Written in Rust.
A hardened alternative to openclaw / clawdbot — for when your assistant needs a hard shell.
- Multi-provider LLM engine — Anthropic, OpenAI API key, Codex subscription login, Ollama, Google Gemini, Vertex AI, AWS Bedrock, and Venice AI with streaming, tool dispatch, and cancellation
- Multi-channel messaging — Signal, Telegram, Discord, Slack, console, and webhooks
- Channel activity framework — per-channel typing indicators and after-response read receipts, with Signal as the first activity-enabled built-in channel
- Tooling and local workspace access — built-in agent tools, guarded filesystem tools for explicit roots, and channel-specific tool schemas
- Signed plugin runtime — plugins are signature-verified and run with strict permissions and resource limits
- Secure defaults — local-first binding, locked-down auth behavior, encrypted secret storage, guarded tool execution, root-scoped filesystem access, and OS-level subprocess sandboxing for protected paths
- Infrastructure — TLS, mTLS, mDNS discovery, config hot-reload, Tailscale integration, Prometheus metrics, audit logging. Multi-node clustering is partially implemented
Carapace focuses on a hardened core first. If you're coming from openclaw, the following are planned but not yet on par:
- Broader channel coverage (e.g., WhatsApp/iMessage/Teams/Matrix/WebChat)
- Companion apps / nodes (macOS + iOS/Android clients)
- Browser control and live canvas/A2UI experiences
- Skills/onboarding UX and multi-agent routing
- Automatic model/provider failover
Carapace is designed to address the major vulnerability classes reported in the January 2026 openclaw security disclosures:
| Threat | Carapace defense |
|---|---|
| Unauthenticated access | Denied by default when credentials configured; CSRF-protected control endpoints |
| Exposed network ports | Localhost-only binding (127.0.0.1) |
| Plaintext secret storage | OS credential store (Keychain / Keyutils / Credential Manager) with AES-256-GCM fallback |
| Skills supply chain | Ed25519 signatures + WASM capability sandbox + resource limits |
| Prompt injection | Prompt guard + inbound classifier + exec approval flow + tool policies |
| No process sandboxing | OS-level subprocess sandboxing on macOS/Linux/Windows for sandbox-required paths; unsupported paths fail closed |
| SSRF / DNS rebinding | Private IP blocking + post-resolution validation |
See docs/security.md for the full security model. See docs/security-comparison.md for a threat-by-threat comparison with OpenClaw. See docs/feature-status.yaml and docs/feature-evidence.yaml for verified-vs-partial implementation status.
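The "SSRF / DNS rebinding" row above pairs private IP blocking with post-resolution validation. The following Rust is an added illustration of that technique, not Carapace's own code; the function names, hostnames and sample addresses are assumptions constructed for the example. It checks the addresses a lookup actually returned and hands back the exact socket address to connect to, so a later lookup cannot substitute an internal address.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// IPv4 ranges an outbound fetch must never reach.
fn is_blocked_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local()
        || ip.is_unspecified() || ip.is_broadcast()
}

/// Same policy for either family; IPv4-mapped IPv6 is judged as IPv4.
fn is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_blocked_v4(v4),
        IpAddr::V6(v6) => {
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_blocked_v4(v4);
            }
            let first = v6.segments()[0];
            v6.is_loopback() || v6.is_unspecified()
                || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
        }
    }
}

/// Post-resolution validation: inspect what DNS actually returned, reject the
/// whole answer if any address is blocked, and return the exact address to
/// connect to so the caller never resolves the name a second time.
fn pin_target(resolved: &[IpAddr], port: u16) -> Result<SocketAddr, String> {
    let first = resolved.first().ok_or("no addresses returned")?;
    if let Some(bad) = resolved.iter().find(|ip| is_blocked(**ip)) {
        return Err(format!("blocked address {bad}"));
    }
    Ok(SocketAddr::new(*first, port))
}

fn main() {
    // Constructed resolver answers; hostnames and addresses are made up.
    let cases: [(&str, &[&str]); 3] = [
        ("api.example.test", &["203.0.113.10"]),
        ("rebind.example.test", &["203.0.113.10", "127.0.0.1"]),
        ("metadata.example.test", &["169.254.169.254"]),
    ];
    for (host, answers) in cases {
        let ips: Vec<IpAddr> = answers.iter().map(|a| a.parse().unwrap()).collect();
        println!("{host}: {:?}", pin_target(&ips, 443));
    }
}
```

Rejecting the whole answer when any record is internal is deliberately strict: a mixed public/private answer is the shape a rebinding attempt takes.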
- Install `cara` from the latest release (Linux/macOS/Windows):
- Run guided setup: `cara setup`
- Start the assistant: `cara`
- Verify first-run outcome: `cara verify --outcome auto --port 18789`
- Start local interactive chat: `cara chat`

Use `/help` in chat for REPL commands (`/new`, `/exit`, `/quit`).
If you use cloud models, finish one provider onboarding path before launching:
set one provider key (for example `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`,
`GOOGLE_API_KEY`, or `VENICE_API_KEY`), use Codex sign-in through
`cara setup --provider codex` or the Control UI, or use Gemini Google sign-in
through `cara setup --provider gemini --auth-mode oauth` or the Control UI.
Codex and Gemini Google sign-in both require `CARAPACE_CONFIG_PASSWORD` so the
stored auth profile stays encrypted at rest.

If you are not sure where to start, choose `local-chat` as your first outcome,
start with one provider, and add channels only after `cara verify --outcome auto`
passes.
If you want Cara to inspect one local project directory, enable the
filesystem block for a single workspace root and start with the
guarded local project assistant recipe.
Carapace ships a stable release line. Core paths are tested and verified for routine use, while partial and in-progress areas remain explicitly documented.
- Working now: setup wizard, local chat (`cara chat`), token auth enforcement, health/control endpoints (including durable task controls), control UI frontend foundation (status/channels/redacted config editor), Codex subscription onboarding, per-channel activity config with Signal typing/read-receipt flows, and OpenAI-compatible HTTP endpoints.
- In progress: advanced Control UI flows (pairing/workflow UX), broader channel smoke evidence, and hardened internet-facing deployment guidance.
See docs/feature-status.yaml and docs/feature-evidence.yaml for the current source of truth.
- Roadmap — what we're building now, next, and later
- Up next: Anthropic subscription onboarding, guided Bedrock/Vertex onboarding, provider migration/import paths, and advanced Control UI flows
- Recently shipped: first stable release, long-running assistant MVP (durable queue + autonomy verify), cross-platform subprocess sandboxing, guided setup (`cara setup`), first-run verifier (`cara verify`), Gemini onboarding (Google sign-in or API key via CLI and Control UI), Codex onboarding (OpenAI subscription login via CLI and Control UI), Vertex AI provider support, per-channel activity features with Signal typing indicators and after-response read receipts, and guarded filesystem tools for explicit workspace roots
- Website — install, first run, security, ops, cookbook, troubleshooting
- Getting started — full setup and operations
- Install — release binaries, signatures, and install commands
- First run — secure local startup and smoke checks
- Help — setup help, team evaluation, and cookbook request paths
- Security model — architecture and trust boundaries
- Security comparison — threat-by-threat view
- Channel setup — Signal, Telegram, Discord, Slack, webhooks
- Channel smoke validation — live checks and evidence capture
- Cookbook — outcome-first walkthroughs
- Roadmap — near-term and longer-term priorities
- Release & upgrade policy — compatibility, migration, rollback, release checklist
- CLI guide — subcommands, flags, and device identity
- Documentation index — architecture/protocol/security references
- Security reporting policy — private vulnerability reporting and response expectations
- Report feedback or bugs
If you want to build from source or contribute, start here:
Apache-2.0 — see LICENSE.
