KelvinClaw / Open-source Agent Runtime · v0.2.2 · MIT

A secure, modular agent harness for zero-trust environments.

KelvinClaw starts from a minimal trusted core and expands outward. Capability is added deliberately — every plugin ships as a signed WASM binary, declaring its scopes upfront. Security isn't duct-taped on. It is the foundation.

Install KelvinClaw View source
CI passingABI compat check322 commits11 releasesWritten in Rust + WASM
KelvinClaw · The runtime

The runtime never takes a plugin on faith.

Every plugin declares its scopes and capabilities before it runs — including our own first-party ones. Trust operates in levels: from unsigned local builds up to verified, registry-vetted releases. Nothing installs without passing a quality gate.

  • Signed WASM plugins. Ed25519 manifests, SHA-256 entrypoints, no exceptions for first-party.
  • Capability declarations. Filesystem, network, and tool scopes gated before execution.
  • Local-first. Run end-to-end with no API keys via the built-in echo provider.
§01 · Trust model

Trust operates in tiers.

Plugins move from local development to first-party release through escalating proof. Each tier defines what verification is required and what the runtime is willing to admit. Nothing installs without passing the gate appropriate to its tier.

TIER 01
unsigned_local
Local dev builds. Warns on install — still loads. We won't stop you, but we will judge you a little.
TIER 02
community_signed
Third-party publishers with an Ed25519 key in your trusted_publishers.json.
TIER 03
registry_verified
Listed in the hosted index. Version, checksum, and trust tier tracked upstream.
TIER 04
first_party
Signed by Agentic Highway. KMS-backed signing for releases. Core admission policy enforced.
§02 · Plugins

Two plugin types. Signed WASM. No exceptions.

KelvinClaw ships with no plugins by default. Discover and install through the integrated plugin manager, backed by a hosted index that tracks versions, checksums, and trust tiers. Point at ours, or fork and run your own.

T
kelvin.websearch

wasm_tool_v1 — whitelisted web host access

tool
T
kelvin.wiki

wasm_tool_v1 — read-only wikipedia fetch

tool
M
kelvin.anthropic

wasm_model_v1 — claude messages API

model
M
kelvin.openai

wasm_model_v1 — chat completions

model
M
kelvin.ollama

wasm_model_v1 — local inference, no egress

model
M
kelvin.openrouter

wasm_model_v1 — multi-provider routing

model
§03 · Control / Data plane split

Memory and orchestration live in separate planes.

A compromised plugin in the control plane has no direct path to memory operations. The memory data plane is an independent process communicating over gRPC, validating JWT delegation per operation, and running isolated WASM memory modules.

Control plane

Orchestration & trust

  • kelvin-brain · agent loop
  • kelvin-gateway · WebSocket ingress
  • kelvin-host · trusted executive
  • trust policy enforcement
  • telemetry & lifecycle events
Data plane

Memory, isolated

  • kelvin-memory-api · gRPC contracts
  • kelvin-memory-controller · server + policy
  • kelvin-memory-module-sdk · WASM modules
  • per-op JWT delegation check
  • independent process boundary

The control plane assigns privilege by ingress origin: operators on the WebSocket get elevated access; Telegram and Discord get a reduced scope; unpaired guests interact under different permissions entirely.

§04 · Local model providers

4B-class models can do meaningful work.

With kelvin.ollama, no prompts, tokens, or tool outputs leave the host. The minimal core and failure containment change what is realistic with local inference — a flubbed tool call trips a circuit breaker instead of derailing the session.

01 / REGULATED WORKLOADS

Keep data inside your infrastructure

Sending agent interactions to a cloud API means sending data outside your infrastructure — conflicting with legal, contractual, or internal policy requirements. A local model plugin removes that dependency entirely.

02 / FAILURE CONTAINMENT

Circuit breakers, fuel budgets, bounded retries

The runtime doesn't rely on the model for security. When a tool call fails, it trips a breaker. Sessions stay stable even when small models misstep.

§05 · Honest status

Building in the open. Warts and all.

We built the trust model first because it is the part you can't tape on later. Everything else is a work in progress — here is exactly what works and what doesn't today.

Works today

  • Core runtime — prompts, tool execution, lifecycle events
  • Plugin index, search, and installation
  • Failure containment — circuit breakers, fuel budgets, bounded retries
  • Telegram and Discord ingress
  • Session management and notes
  • Whitelisted web hosts and restricted filesystem access
  • Ed25519 signed-manifest verification
  • Ollama, Anthropic, OpenAI, OpenRouter providers

Not yet · in progress

  • Shell execution in the ABI — tough security problem, unsolved
  • MCP and skills integrations — same category
  • Plugin types for memory modules & ingress channels
  • Tool plugins only support one tool per plugin (coming soon)
  • Community plugin submission helpers aren't fully tested
  • Whatever bugs you find — kick our tires
Get started in 30 seconds

Run the full stack locally. No API key required.

Try KelvinClaw with the built-in echo provider — no OpenAI or Anthropic key needed. When you are ready, swap in a real model plugin with kpm install.

$ cp .env.example .env && docker compose up -d
$ docker compose --profile tui run --rm kelvin-tui
Download v0.2.2 release Star on GitHub Open issues · help wanted

Linux · macOS · Windows bundles published. SHA-256 for every artifact. MIT licensed.