backbay-labs/clawdstrike

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2,083 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Clawdstrike

CI · npm · PyPI · License: Apache-2.0 · Discord · MSRV: 1.93

EDR for the age of the swarm.
Fail closed. Sign the truth.

Status: pre-1.0 beta. Public APIs are stable; defaults may still tighten before 1.0.

Clawdstrike is a policy engine, an EDR, and a signed audit chain in one binary. An AI agent's tool_call sits in the same event taxonomy as a kernel-level file_access, process_exec, network_flow, dylib_load, or launch_persistence. One policy engine evaluates them. One Ed25519-signed causal graph records them. Defaults fail closed.

The same engine ships as a Rust crate, a TypeScript SDK, a Python package, a Go module, a CLI, a desktop EDR agent (macOS Endpoint Security + Network Extension; Linux Tetragon + Hubble), and an enterprise control plane.

Quick Start  ·  Guards  ·  Policies  ·  Formal Verification  ·  Enterprise  ·  Design


Quick Start

Install via your preferred package manager:

brew install backbay-labs/tap/clawdstrike   # macOS, Linux
npm  install @clawdstrike/sdk               # TypeScript
pip  install clawdstrike                    # Python
cargo add clawdstrike                       # Rust
go   get github.com/backbay-labs/clawdstrike-go

Scaffold a project and start the daemon:

clawdstrike init --keygen
# writes policy.yaml, config.toml, keys/clawdstrike.key{,.pub}

clawdstrike daemon start && clawdstrike daemon status
# Status: healthy | Version: 0.2.7 | Uptime: 2s

Three denials, each signed:

$ clawdstrike check --action-type file --ruleset strict ~/.ssh/id_rsa
BLOCKED [Critical]: Access to forbidden path: ~/.ssh/id_rsa

$ clawdstrike check --action-type egress --ruleset strict api.openai.com:443
BLOCKED [Error]: Egress to api.openai.com blocked by policy

$ clawdstrike check --action-type mcp --ruleset strict shell_exec
BLOCKED [Error]: Tool 'shell_exec' is blocked by policy

Verify the policy itself compiles and is internally consistent:

$ clawdstrike verify --policy strict
Consistency:  PASS  (47 formulas, 0 conflicts)
Completeness: PASS  (4/4 action types covered)
Inheritance:  PASS  (0 weakened prohibitions)

Run a real agent under enforcement:

clawdstrike run --policy clawdstrike:strict -- python my_agent.py

The agent runs normally. Every tool call hits the engine first. Denials raise a typed error in your SDK and emit a signed receipt.

Cluster: Helm chart and control plane

For fleet deployments, install the Helm chart. hushd and the Spine signers are fail-closed and need keys at install time, so pre-create the Secrets and reference them from the chart:

NS=clawdstrike-system
kubectl create namespace "$NS"

kubectl -n "$NS" create secret generic clawdstrike-hushd-auth \
  --from-literal=CLAWDSTRIKE_API_KEY="$(openssl rand -hex 32)" \
  --from-literal=CLAWDSTRIKE_ADMIN_KEY="$(openssl rand -hex 32)" \
  --from-literal=CLAWDSTRIKE_AUTH_PEPPER="$(openssl rand -hex 32)"

kubectl -n "$NS" create secret generic clawdstrike-spine \
  --from-literal=SPINE_LOG_SEED_HEX="$(openssl rand -hex 32)" \
  --from-literal=SPINE_WITNESS_SEED_HEX="$(openssl rand -hex 32)"

helm install clawdstrike \
  oci://ghcr.io/backbay-labs/clawdstrike/helm/clawdstrike --version 0.2.0 \
  --namespace "$NS" \
  --set hushd.auth.existingSecret=clawdstrike-hushd-auth \
  --set spine.secrets.existingSecret=clawdstrike-spine

That brings up hushd, the Spine checkpointer + witness, and bundled NATS JetStream. The Control API (enrollment, posture commands, and signed completion bundles returned to the API) and the Tetragon/Hubble telemetry bridges are opt-in.

See the chart README for the full parameter set, and Enterprise enrollment for end-to-end agent onboarding.


How it works

flowchart LR
    A[Agent / sensor] --> B[Canonical event]
    B --> C[Policy engine + guard stack]
    C -->|allow| D[Action runs]
    C -->|deny| E[Blocked, fail-closed]
    C --> F[Ed25519 receipt]
    F --> G[Causal graph]
    G -.->|enterprise| H[Spine audit chain]

SDK adapters and OS-level sensors feed the same canonical event into the policy engine. Adapters cover AI agent tool calls; kernel sensors (macOS Endpoint Security and Network Extension, Linux Tetragon and Hubble) cover file, process, network, dylib, and persistence events. The guard stack returns a verdict, the verdict ships with an Ed25519 receipt, and each receipt is content-hashed into a per-session causal graph that threads agent identity through downstream OS events.

When a decision crosses a response threshold the engine emits a signed effect: quarantine a file, restrict an egress destination, suspend a process tree, revoke a previously-issued approval. Effects are reversible where possible. Past observations stay on a disk-backed flight recorder, so a tightened policy can be simulated against last week's state before it ships. In enterprise mode the receipt chain ships over NATS to the Spine checkpointer; an independent witness co-signs each batch.

Logs are stories; proof is a signature.


Guards

Each guard is a composable check at the tool boundary that returns a verdict with evidence. A guard stack runs either fail-fast (stop at the first denial) or aggregate (run every guard and collect all evidence); the mode is configured per policy.

| Guard | Catches |
|---|---|
| ForbiddenPathGuard | Access to .ssh, .env, .aws, credential stores, registry hives |
| PathAllowlistGuard | Whitelisted file access for least-privilege agents |
| EgressAllowlistGuard | Outbound network calls by domain (deny-by-default or allowlist) |
| SecretLeakGuard | AWS keys, GitHub tokens, private keys, API secrets in file writes |
| PatchIntegrityGuard | Dangerous patches like rm -rf /, chmod 777, disable security |
| ShellCommandGuard | Dangerous shell commands before execution |
| McpToolGuard | MCP tool invocations, with confirmation gates |
| PromptInjectionGuard | Injection attacks in untrusted input |
| JailbreakGuard | 4-layer detection: heuristic + statistical + ML + optional LLM judge |
| ComputerUseGuard | CUA actions: remote sessions, clipboard, input injection, file transfer |
| RemoteDesktopSideChannelGuard | Clipboard, audio, drive mapping, file transfer in CUA sessions |
| InputInjectionCapabilityGuard | Input injection capability restrictions for CUA environments |
| SpiderSenseGuard | Hierarchical threat screening: vector similarity, optional LLM escalation |

Source of truth: crates/libs/clawdstrike/src/guards/.
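The verdict rules described above (and the properties the formal verification section lists: deny monotonicity, severity total order, disabled-guard allow, plus the fail-closed principle) are easier to see in a small guard stack. The following is an added example written for this page, not Clawdstrike's own engine or guard code; the Action, GuardResult and Verdict shapes, the two guard constructors and the `brokenGuard` used to show fail-closed behaviour are all assumptions for illustration.

```typescript
// Added example, not Clawdstrike's own code. A minimal guard stack showing:
// any guard denial denies the verdict, severities are totally ordered, a
// disabled guard cannot deny, an evaluation error denies (fail closed), and
// the stack runs fail-fast or aggregate. All names/shapes are assumptions.

export type Severity = "Info" | "Warning" | "Error" | "Critical";
export const SEVERITY_RANK: Record<Severity, number> = { Info: 0, Warning: 1, Error: 2, Critical: 3 };

export interface Action { actionType: "file" | "egress" | "mcp"; target: string }
export interface GuardResult { guard: string; allowed: boolean; severity: Severity; evidence: string }
export interface Guard { name: string; enabled: boolean; check(action: Action): GuardResult }
export interface Verdict { decision: "allow" | "deny"; severity: Severity; evidence: GuardResult[] }

const pass = (guard: string, evidence: string): GuardResult =>
  ({ guard, allowed: true, severity: "Info", evidence });
const block = (guard: string, severity: Severity, evidence: string): GuardResult =>
  ({ guard, allowed: false, severity, evidence });

// Deny access to credential-bearing paths (exact or prefix match on the literal path).
export function forbiddenPathGuard(forbidden: string[], enabled = true): Guard {
  const name = "ForbiddenPathGuard";
  return {
    name, enabled,
    check: (a) => {
      if (a.actionType !== "file") return pass(name, "not a file action");
      const hit = forbidden.find((p) => a.target === p || a.target.startsWith(p + "/"));
      return hit ? block(name, "Critical", `Access to forbidden path: ${a.target}`)
                 : pass(name, "path permitted");
    },
  };
}

// Deny-by-default egress: only hosts on the allowlist may be contacted.
export function egressAllowlistGuard(allowedHosts: string[], enabled = true): Guard {
  const name = "EgressAllowlistGuard";
  return {
    name, enabled,
    check: (a) => {
      if (a.actionType !== "egress") return pass(name, "not an egress action");
      const host = a.target.split(":")[0].toLowerCase();
      return allowedHosts.includes(host) ? pass(name, `egress to ${host} allowlisted`)
                                         : block(name, "Error", `Egress to ${host} blocked by policy`);
    },
  };
}

// A guard whose evaluation fails (e.g. a classifier backend is down): errors must deny, never allow.
export function brokenGuard(enabled = true): Guard {
  return { name: "BrokenGuard", enabled, check: () => { throw new Error("classifier unavailable"); } };
}

export function evaluate(guards: Guard[], action: Action, mode: "fail-fast" | "aggregate" = "aggregate"): Verdict {
  const evidence: GuardResult[] = [];
  for (const g of guards) {
    if (!g.enabled) continue;                              // disabled-guard allow: it produces no result at all
    let result: GuardResult;
    try {
      result = g.check(action);
    } catch (err) {                                        // fail closed: an evaluation error is a Critical denial
      result = block(g.name, "Critical", `evaluation error: ${(err as Error).message}`);
    }
    evidence.push(result);
    if (!result.allowed && mode === "fail-fast") break;   // fail-fast: stop at the first denial
  }
  const denials = evidence.filter((r) => !r.allowed);
  // Deny monotonicity: a single denial anywhere in the stack denies the verdict.
  // The verdict severity is the maximum over denials under the total order above.
  const severity = denials.reduce<Severity>(
    (max, r) => (SEVERITY_RANK[r.severity] > SEVERITY_RANK[max] ? r.severity : max), "Info");
  return { decision: denials.length > 0 ? "deny" : "allow", severity, evidence };
}
```

The important design choice is in the `catch`: a guard that cannot evaluate returns a denial rather than being skipped, so an outage in a dependency (a model endpoint, a lookup service) tightens the system instead of silently opening it. Aggregate mode costs a full pass over the stack but yields complete evidence for the receipt; fail-fast is cheaper and is the natural choice when the first denial already decides the outcome.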


Policies

Versioned, deterministic policy-as-code. Schema 1.5.0 (backward-compatible with 1.1.0+). Supports extends from built-ins, local files, remote URLs, and git refs. Remote extends is host-allowlisted and integrity-pinned via #sha256=<64-hex>.

Built-in rulesets: permissive · default · strict · ai-agent · ai-agent-posture · cicd · remote-desktop · remote-desktop-permissive · remote-desktop-strict · spider-sense.

The operational loop (observe, synth, tighten):

# Generate a least-privilege candidate from observed events
clawdstrike policy synth run.events.jsonl \
  --extends clawdstrike:default --out candidate.yaml

# Replay the events against the candidate
clawdstrike policy simulate candidate.yaml run.events.jsonl --fail-on-deny

# Diff the candidate against the baseline
clawdstrike policy diff clawdstrike:default candidate.yaml

See policy schema, posture schema, and the observe, synth, tighten guide.
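The three checks the section above names for `extends` (a remote ref must come from an allowlisted host, must match its `#sha256=<64-hex>` pin, and must not form a cycle), together with the "0 weakened prohibitions" inheritance check that `clawdstrike verify` reports, can be shown in a small resolver. What follows is an added example written for this page, not Clawdstrike's own loader: the policy shape, the `clawdstrike:` scheme for built-ins, the synchronous fetch callback, and the use of JSON in place of YAML (to avoid a parser dependency) are all assumptions.

```typescript
import { createHash } from "node:crypto";

// Added example, not Clawdstrike's own resolver. Resolves an `extends` chain with
// host allowlisting, sha256 integrity pinning, cycle rejection and a check that a
// child policy never weakens an inherited deny. Policy shape and schemes are assumed.

export interface Policy { name: string; extends?: string; rules: Record<string, "allow" | "deny"> }
export type Fetcher = (url: string) => string;   // returns the raw policy text (assumed synchronous here)

export const sha256hex = (s: string): string => createHash("sha256").update(s, "utf8").digest("hex");

const PIN_RE = /#sha256=([0-9a-f]{64})$/;

export function resolveExtends(
  ref: string,
  opts: { builtins: Record<string, Policy>; fetch: Fetcher; allowedHosts: string[] },
  seen: string[] = [],
): Policy[] {
  // Cycle rejection: a ref already on the current resolution path is an error, not an infinite loop.
  const key = ref.replace(PIN_RE, "");
  if (seen.includes(key)) throw new Error(`circular extends chain: ${[...seen, key].join(" -> ")}`);
  const path = [...seen, key];

  let policy: Policy;
  if (ref.startsWith("clawdstrike:")) {
    const builtin = opts.builtins[ref.slice("clawdstrike:".length)];
    if (!builtin) throw new Error(`unknown built-in ${ref}`);
    policy = builtin;
  } else {
    const m = PIN_RE.exec(ref);
    if (!m) throw new Error(`remote extends must be integrity-pinned: ${ref}`);   // fail closed: no pin, no load
    const url = new URL(key);
    if (url.protocol !== "https:" || !opts.allowedHosts.includes(url.hostname)) {
      throw new Error(`remote extends host not allowlisted: ${url.hostname}`);
    }
    const body = opts.fetch(url.toString());
    const actual = sha256hex(body);                 // hash the bytes actually fetched, before parsing
    if (actual !== m[1]) throw new Error(`integrity mismatch for ${url}: expected ${m[1]}, got ${actual}`);
    policy = JSON.parse(body) as Policy;
  }
  const parents = policy.extends ? resolveExtends(policy.extends, opts, path) : [];
  return [...parents, policy];                      // base first, most-derived last
}

// Merge the chain: a child may tighten (allow -> deny) but may never turn an inherited deny into allow.
export function mergeChain(chain: Policy[]): Record<string, "allow" | "deny"> {
  const merged: Record<string, "allow" | "deny"> = {};
  for (const p of chain) {
    for (const [rule, verdict] of Object.entries(p.rules)) {
      if (merged[rule] === "deny" && verdict === "allow") {
        throw new Error(`policy ${p.name} weakens inherited prohibition on ${rule}`);
      }
      merged[rule] = verdict;
    }
  }
  return merged;
}
```

Hashing the fetched body before parsing matters: pinning the parsed structure would let two byte-different documents with the same parse share a pin, and a parser bug would sit outside the integrity boundary. Rejecting an unpinned remote ref outright (rather than warning) is the fail-closed choice.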


Formal verification

The policy engine's core decision logic is specified in Lean 4 and differentially tested against the Rust implementation via the Aeneas translation pipeline.

Proved in Lean (5 properties across 44 of 45 core functions):

  • Deny monotonicity: any guard denial denies the overall verdict
  • Severity total order: ordering is consistent and transitive
  • Cycle rejection: circular extends chains are always caught
  • Signature roundtrip: Ed25519 sign-then-verify succeeds
  • Disabled-guard allow: a disabled guard cannot produce a phantom deny

Out of scope of the proof: guards beyond the core decision logic, IO, network, and the crypto primitives themselves (we rely on ed25519-dalek).

clawdstrike verify --policy strict       # Z3 policy analysis
cargo test -p formal-diff-tests          # nightly differential tests
cd formal/lean4/ClawdStrike && lake build

See the formal verification guide.


Receipts

Every verdict ships with an Ed25519-signed attestation containing the decision, the policy that made it, and the evidence. Receipts are canonicalised with RFC 8785 JSON Canonicalization, so a signature verifies byte-identically in Rust, TypeScript, and Python.

Enterprise deployments forward receipts through Spine, an Ed25519-signed and hash-chained envelope log. Tamper any record and every later record fails verification.
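To make the receipt and chain claims concrete (canonical JSON so a signature verifies byte-identically across languages, an Ed25519 signature per verdict, and a hash-chained log where editing one record breaks every later one, as described in "How it works" and again under "Proof, not logs" below), here is an added example written for this page. It is not the Clawdstrike receipt or Spine envelope format; the field names, the link-hash construction and the genesis value are assumptions. The canonicaliser follows the RFC 8785 rules that matter here (keys sorted by UTF-16 code unit, no whitespace, ES6 string and number serialisation, which is what `JSON.stringify` already does for primitives) and only needs Node's built-in `node:crypto`.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Added example, not the Clawdstrike receipt or Spine format. A receipt is
// canonicalised (RFC 8785 style), Ed25519-signed, then appended to a SHA-256
// hash-chained log. Field names and the link construction are assumptions.

export function canonicalize(value: unknown): string {
  if (value === null || typeof value !== "object") return JSON.stringify(value); // ES6 primitives
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  const obj = value as Record<string, unknown>;
  const keys = Object.keys(obj).filter((k) => obj[k] !== undefined).sort(); // sort() compares UTF-16 code units
  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
}

export interface Receipt {
  actionType: string; target: string; decision: "allow" | "deny";
  policy: string; evidence: string[]; ts: number;
}
export interface Envelope { seq: number; prev: string; receipt: Receipt; sig: string; link: string }

export const GENESIS = "0".repeat(64);
export const makeKeys = () => generateKeyPairSync("ed25519");

const bytes = (s: string) => Buffer.from(s, "utf8");

export function signReceipt(r: Receipt, priv: KeyObject): string {
  return sign(null, bytes(canonicalize(r)), priv).toString("base64");
}
export function verifyReceipt(r: Receipt, sig: string, pub: KeyObject): boolean {
  return verify(null, bytes(canonicalize(r)), pub, Buffer.from(sig, "base64"));
}

// The link hash covers the sequence number, the previous link, the receipt and its signature.
export const computeLink = (e: Omit<Envelope, "link">): string =>
  createHash("sha256").update(bytes(canonicalize(e))).digest("hex");

export function append(log: Envelope[], receipt: Receipt, priv: KeyObject): Envelope[] {
  const prev = log.length ? log[log.length - 1].link : GENESIS;
  const body = { seq: log.length, prev, receipt, sig: signReceipt(receipt, priv) };
  return [...log, { ...body, link: computeLink(body) }];
}

// Walks the chain from genesis. Returns the index of the first record that fails
// (bad link, broken prev pointer, or bad signature), or -1 if everything verifies.
export function verifyChain(log: Envelope[], pub: KeyObject): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { link, ...body } = log[i];
    const linkOk = body.seq === i && body.prev === prev && computeLink(body) === link;
    const sigOk = verifyReceipt(body.receipt, body.sig, pub);
    if (!linkOk || !sigOk) return i;
    prev = link;
  }
  return -1;
}
```

Two failure modes are worth noting. An attacker who edits a receipt and does nothing else breaks that record's link hash. An attacker who edits a receipt and recomputes the link still fails, because the signature was made over the original canonical bytes and the signing key is not theirs; and every record after it still carries the old link in `prev`, so the chain breaks there too. Verification must start from genesis; checking a single record in isolation only proves that record's signature, not its position.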


SDKs

TypeScript

npm install @clawdstrike/sdk
import { HushEngine, loadPolicy } from "@clawdstrike/sdk";

const engine = new HushEngine(await loadPolicy("clawdstrike:strict"));
const verdict = await engine.check({
  actionType: "file",
  target: "~/.ssh/id_rsa",
});
// verdict.decision === "deny"
// verdict.receipt is Ed25519-signed

Python

pip install clawdstrike
from clawdstrike import HushEngine, load_policy

engine = HushEngine(load_policy("clawdstrike:strict"))
verdict = engine.check(action_type="file", target="~/.ssh/id_rsa")
# verdict.decision == "deny"

Rust

[dependencies]
clawdstrike = "0.2"
use clawdstrike::{HushEngine, Policy, Action, Decision};

let policy = Policy::load_builtin("strict")?;
let engine = HushEngine::new(policy);
let verdict = engine.check(&Action::file("~/.ssh/id_rsa"))?;
assert_eq!(verdict.decision, Decision::Deny);

Go

go get github.com/backbay-labs/clawdstrike-go
engine, _ := clawdstrike.NewEngine(clawdstrike.LoadBuiltin("strict"))
verdict, _ := engine.Check(clawdstrike.FileAction{Target: "~/.ssh/id_rsa"})
// verdict.Decision == clawdstrike.Deny

Plugins

| Plugin | Install |
|---|---|
| Claude Code | clawdstrike-plugin/ |
| Cursor | cursor-plugin/ |
| OpenClaw adapter | npm install @clawdstrike/openclaw (guide) |
| Desktop Agent | apps/agent/ |

Enterprise

The same engine plus a managed control plane: Control API, NATS JetStream transport, Spine audit chain, and a Control Console for SOC workflow. Enrollment runs over mTLS, posture commands use request/reply acks, and signed completion bundles are returned to the API.

See enterprise enrollment and adaptive architecture.


Compliance

Clawdstrike is not a certified product. It produces evidence that maps to standard control frameworks: signed action attestations, integrity-chained audit trails, deterministic policy evaluation.

| Framework | Evidence the engine produces |
|---|---|
| SOC 2 (CC6.1, CC7.2) | Logical access controls and signed audit trail |
| HIPAA §164.312(b) | Audit controls with non-repudiable receipts |
| PCI-DSS 10.5 | Tamper-evident, hash-chained logs |

Compliance mappings are draft. Open an issue if you need a framework formalised.


Design principles

Fail closed. Invalid policies reject at load time. Evaluation errors deny access. Missing config defaults to restrictive. Security degradation requires explicit, auditable action.

Proof, not logs. Ed25519 receipts are cryptographic attestations, not log lines someone can edit. Canonical JSON (RFC 8785) ensures signatures verify identically in Rust, TypeScript, and Python.

Same envelope, any pipe. A signed Spine envelope is byte-identical whether it travels over NATS at 100K msg/sec, libp2p gossipsub over residential internet, or a LoRa radio at 1,200 bps. The transport is invisible to the truth layer.

Attenuation only. Agents delegate subsets of their capabilities, never escalate. Delegation tokens carry cryptographic capability ceilings. Privilege escalation isn't prevented by policy; it's prevented by math.

Own your stack. Apache-2.0. Self-hostable. No vendor dependency for security-critical infrastructure. The same engine runs on a developer laptop, an enterprise fleet, and a Raspberry Pi on a radio mesh.


Documentation

| Section | Pages |
|---|---|
| Getting Started | Rust · TypeScript · Python |
| Concepts | Design Philosophy · Enforcement Tiers · Multi-Language |
| Framework Guides | OpenAI · Claude · Vercel AI · LangChain · OpenClaw |
| Reference | Guards · Policy Schema · Repo Map |
| Enterprise | Enrollment Guide · Adaptive Architecture |

Security

If you discover a vulnerability, follow the reporting process in SECURITY.md; the project's threat model is in THREAT_MODEL.md.

Contributing

See CONTRIBUTING.md.

cargo fmt --all && cargo clippy --workspace -- -D warnings && cargo test --workspace

License

Apache License 2.0. See LICENSE.