Moltis — A secure persistent personal agent server in Rust

One binary — sandboxed, secure, yours.

Installation • Comparison • Architecture • Security • Features • How It Works • Contributing

Moltis recently hit the front page of Hacker News. Please open an issue for any friction at all. I'm focused on making Moltis excellent.

Secure by design — Your keys never leave your machine. Every command runs in a sandboxed container, never on your host.

Your hardware — Runs on a Mac Mini, a Raspberry Pi, or any server you own. One Rust binary, no Node.js, no npm, no runtime.

Full-featured — Voice, memory, cross-session recall, automatic edit checkpoints, scheduling, Telegram, Discord, browser automation, MCP servers, SSH or node-backed remote exec, managed deploy keys with host pinning in the web UI, a live Settings → Tools inventory, Cursor-compatible project context, and context-file threat scanning — all built-in. No plugin marketplace to get supply-chain attacked through.

Auditable — The agent loop + provider model fits in ~5K lines. The core (excluding the optional web UI) is ~196K lines across 46 modular crates you can audit independently, with 3,100+ tests and zero unsafe code*.

Installation

# One-liner install script (macOS / Linux)
curl -fsSL https://www.moltis.org/install.sh | sh

# macOS / Linux via Homebrew
brew install moltis-org/tap/moltis

# Docker (multi-arch: amd64/arm64)
docker pull ghcr.io/moltis-org/moltis:latest

# Or build from source
cargo install moltis --git https://github.com/moltis-org/moltis

Comparison

	OpenClaw	PicoClaw	NanoClaw	ZeroClaw	Moltis
Language	TypeScript	Go	TypeScript	Rust	Rust
Agent loop	~430K LoC	Small	~500 LoC	~3.4K LoC	~5K LoC (`runner.rs` + `model.rs`)
Full codebase	—	—	—	1,000+ tests	~124K LoC (2,300+ tests)
Runtime	Node.js + npm	Single binary	Node.js	Single binary (3.4 MB)	Single binary (44 MB)
Sandbox	App-level	—	Docker	Docker	Docker + Apple Container
Memory safety	GC	GC	GC	Ownership	Ownership, zero `unsafe`*
Auth	Basic	API keys	None	Token + OAuth	Password + Passkey + API keys + Vault
Voice I/O	Plugin	—	—	—	Built-in (15+ providers)
MCP	Yes	—	—	—	Yes (stdio + HTTP/SSE)
Hooks	Yes (limited)	—	—	—	15 event types
Skills	Yes (store)	Yes	Yes	Yes	Yes (+ OpenClaw Store)
Memory/RAG	Plugin	—	Per-group	SQLite + FTS	SQLite + FTS + vector

* unsafe is denied workspace-wide. The only exceptions are opt-in FFI wrappers behind the local-embeddings feature flag, not part of the core.

Full comparison with benchmarks →

Architecture — Crate Map

Core (always compiled):

Crate	LoC	Role
`moltis` (cli)	4.0K	Entry point, CLI commands
`moltis-agents`	9.6K	Agent loop, streaming, prompt assembly
`moltis-providers`	17.6K	LLM provider implementations
`moltis-gateway`	36.1K	HTTP/WS server, RPC, auth
`moltis-chat`	11.5K	Chat engine, agent orchestration
`moltis-tools`	21.9K	Tool execution, sandbox
`moltis-config`	7.0K	Configuration, validation
`moltis-sessions`	3.8K	Session persistence
`moltis-plugins`	1.9K	Hook dispatch, plugin formats
`moltis-service-traits`	1.3K	Shared service interfaces
`moltis-common`	1.1K	Shared utilities
`moltis-protocol`	0.8K	Wire protocol types

Optional (feature-gated or additive):

Category	Crates	Combined LoC
Web UI	`moltis-web`	4.5K
GraphQL	`moltis-graphql`	4.8K
Voice	`moltis-voice`	6.0K
Memory	`moltis-memory`, `moltis-qmd`	5.9K
Channels	`moltis-telegram`, `moltis-whatsapp`, `moltis-discord`, `moltis-msteams`, `moltis-channels`	14.9K
Browser	`moltis-browser`	5.1K
Scheduling	`moltis-cron`, `moltis-caldav`	5.2K
Extensibility	`moltis-mcp`, `moltis-skills`, `moltis-wasm-tools`	9.1K
Auth & Security	`moltis-auth`, `moltis-oauth`, `moltis-onboarding`, `moltis-vault`	6.6K
Networking	`moltis-network-filter`, `moltis-tls`, `moltis-tailscale`	3.5K
Provider setup	`moltis-provider-setup`	4.3K
Import	`moltis-openclaw-import`	7.6K
Apple native	`moltis-swift-bridge`	2.1K
Metrics	`moltis-metrics`	1.7K
Other	`moltis-projects`, `moltis-media`, `moltis-routing`, `moltis-canvas`, `moltis-auto-reply`, `moltis-schema-export`, `moltis-benchmarks`	2.5K

Use --no-default-features --features lightweight for constrained devices (Raspberry Pi, etc.).

Security

Zero unsafe code* — denied workspace-wide; only opt-in FFI behind local-embeddings flag
Sandboxed execution — Docker + Apple Container, per-session isolation
Secret handling — secrecy::Secret, zeroed on drop, redacted from tool output
Authentication — password + passkey (WebAuthn), rate-limited, per-IP throttle
SSRF protection — DNS-resolved, blocks loopback/private/link-local
Origin validation — rejects cross-origin WebSocket upgrades
Hook gating — BeforeToolCall hooks can inspect/block any tool invocation
Supply chain integrity — artifact attestations, Sigstore keyless signing, GPG signing (YubiKey), SHA-256/SHA-512 checksums

See Security Architecture for details. Verify releases with gh attestation verify <artifact> -R moltis-org/moltis or see Release Verification.

Features

AI Gateway — Multi-provider LLM support (OpenAI Codex, GitHub Copilot, Local), streaming responses, agent loop with sub-agent delegation, parallel tool execution
Communication — Web UI, Telegram, Microsoft Teams, Discord, API access, voice I/O (8 TTS + 7 STT providers), mobile PWA with push notifications
Memory & Recall — Per-agent memory workspaces, embeddings-powered long-term memory, hybrid vector + full-text search, session persistence with auto-compaction, cross-session recall, Cursor-compatible project context, context-file safety scanning
Safer Agent Editing — Automatic checkpoints before built-in skill and memory mutations, restore tooling, session branching
Extensibility — MCP servers (stdio + HTTP/SSE), skill system, 15 lifecycle hook events with circuit breaker, destructive command guard
Security — Encryption-at-rest vault (XChaCha20-Poly1305 + Argon2id), password + passkey + API key auth, sandbox isolation, SSRF/CSWSH protection
Operations — Cron scheduling, OpenTelemetry tracing, Prometheus metrics, cloud deploy (Fly.io, DigitalOcean), Tailscale integration, managed SSH deploy keys, host-pinned remote targets, live tool inventory in Settings, and CLI/web remote-exec doctor flows

How It Works

Moltis is a local-first persistent agent server — a single Rust binary that sits between you and multiple LLM providers, keeps durable session state, and can meet you across channels without handing your data to a cloud relay.

┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│   Web UI    │  │  Telegram   │  │  Discord    │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       └────────┬───────┴────────┬───────┘
                │   WebSocket    │
                ▼                ▼
        ┌─────────────────────────────────┐
        │          Gateway Server         │
        │   (Axum · HTTP · WS · Auth)     │
        ├─────────────────────────────────┤
        │        Chat Service             │
        │  ┌───────────┐ ┌─────────────┐  │
        │  │   Agent   │ │    Tool     │  │
        │  │   Runner  │◄┤   Registry  │  │
        │  └─────┬─────┘ └─────────────┘  │
        │        │                        │
        │  ┌─────▼─────────────────────┐  │
        │  │    Provider Registry      │  │
        │  │  Multiple providers       │  │
        │  │  (Codex · Copilot · Local)│  │
        │  └───────────────────────────┘  │
        ├─────────────────────────────────┤
        │  Sessions  │ Memory  │  Hooks   │
        │  (JSONL)   │ (SQLite)│ (events) │
        └─────────────────────────────────┘
                       │
               ┌───────▼───────┐
               │    Sandbox    │
               │ Docker/Apple  │
               │  Container    │
               └───────────────┘

See Quickstart for gateway startup, message flow, sessions, and memory details.

Getting Started

Build & Run

Requires just (command runner) and Node.js (for Tailwind CSS).

git clone https://github.com/moltis-org/moltis.git
cd moltis
just build-css                  # Build Tailwind CSS for the web UI
just build-release              # Build in release mode
cargo run --release --bin moltis

For a full release build including WASM sandbox tools:

just build-release-with-wasm    # Builds WASM artifacts + release binary
cargo run --release --bin moltis

Open https://moltis.localhost:3000. On first run, a setup code is printed to the terminal — enter it in the web UI to set your password or register a passkey.

Optional flags: --config-dir /path/to/config --data-dir /path/to/data

Docker

# Docker / OrbStack
docker run -d \
  --name moltis \
  -p 13131:13131 \
  -p 13132:13132 \
  -p 1455:1455 \
  -v moltis-config:/home/moltis/.config/moltis \
  -v moltis-data:/home/moltis/.moltis \
  -v /var/run/docker.sock:/var/run/docker.sock \
  ghcr.io/moltis-org/moltis:latest

Open https://localhost:13131 and complete the setup. For unattended Docker deployments, set MOLTIS_PASSWORD, MOLTIS_PROVIDER, and MOLTIS_API_KEY before first boot to skip the setup wizard. See Docker docs for Podman, OrbStack, TLS trust, and persistence details.

Cloud Deployment

Provider	Deploy
DigitalOcean

Fly.io (CLI):

fly launch --image ghcr.io/moltis-org/moltis:latest
fly secrets set MOLTIS_PASSWORD="your-password"

All cloud configs use --no-tls because the provider handles TLS termination. See Cloud Deploy docs for details.

Star History

License

MIT

Version	Changes	Urgency	Date
20260420.02	Latest release: 20260420.02	High	4/20/2026
20260417.02	Latest release: 20260417.02	High	4/17/2026
20260414.02	Latest release: 20260414.02	High	4/14/2026
20260413.06	Latest release: 20260413.06	High	4/14/2026
20260410.01	Latest release: 20260410.01	High	4/10/2026
20260408.01	Latest release: 20260408.01	High	4/8/2026

moltis

Description

README