Local-First Gateway for OpenClaw

Every call evaluated. Every decision before execution. Your data never leaves unless you OK it.

ClawCoat is the local-first gateway for OpenClaw. Every tool call evaluated before execution. Allow, gate for human approval, or block. Five trust tiers earned by behavior and promoted by you. Runs entirely on your hardware. Your data never leaves unless you OK it.

Trust is earned.
Act out of bounds and you lose it.

Every agent starts at Quarantine with restricted privileges - no tools, no external access, no autonomy. They earn their way up through demonstrated behavior and human approval, one verified action at a time. And they can lose it instantly. Demotion skips levels. Misbehave enough and it's back to Quarantine, no matter how high they climbed.

Quarantine

All actions require human approval. Read-only tools only. Zero autonomous execution.

Probation

Internal tools allowed. External calls still gated. Write access requires approval.

Resident

Read/write autonomous. High-risk actions (financial, delete, new domains) still gated.

Citizen

Full autonomous operation. Anomaly-flagged actions require approval. Demonstrated reliability.

Agent

Full earned autonomy. Anomalies are advisory only - logged, not gating. Pre-authorized action profile. Trust fully earned.

The Manners Engine measures. HITL gates promote. ClawCoat protects locally. Promotion is sequential - every step requires an explicit human decision through the approval gate. Demotion is instant and can skip levels. A Manners score below 50% triggers automatic demotion to Quarantine. Your data never leaves your network unless you authorize it.

The active measurement mechanism.

The Manners Engine is ClawCoat's active measurement device - scoring every OpenClaw agent action in real time against five behavioral principles. The score moves with every call. It is the number a human reads when deciding whether an agent has earned the next tier. Not a report generated after the fact. Not a checkbox. A live measurement that drives the gate.

Human Control

Agents operate autonomously within defined boundaries. Destructive, irreversible, or trust-crossing actions require explicit human approval before execution.

Transparency

Every agent action is logged to a cryptographic audit chain. Users see what agents did, why, and what they plan to do next. Nothing is hidden.

Value Alignment

Agents act within their defined role. Behavioral baselines detect deviations. When uncertain, agents escalate to humans rather than assume.

Privacy

Data never crosses tenant boundaries. No telemetry, no cloud callbacks. All agent operations run on your own hardware - your data stays yours.

Security

Zero-trust architecture with cryptographic message signing between all agents. Nonce replay protection. Tamper-evident audit chain on every action.

Every principle is scored at runtime with measurable KPIs.

Pick a tier. Pick a tool.
See it governed.

Every OpenClaw agent that talks to ClawCoat passes through an 8-step pipeline before any tool executes.

Trust tiers define what an OpenClaw agent is allowed to do autonomously, what requires human approval, and what is blocked outright. Tiers are earned through demonstrated behavior and human authorization - never assigned at setup.

Manners Score

1.00 - 0.75   Satisfactory
0.74 - 0.50   Warning
Below 0.50   Auto-demote to Quarantine
Below 0.25   Auto-suspend
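
The tier rules and score thresholds above, written out as a decision function. This is an added example, not ClawCoat's own code: the `Action` fields, the function names, and the choice to gate anomaly-flagged actions at every tier below Agent are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    QUARANTINE = 0
    PROBATION = 1
    RESIDENT = 2
    CITIZEN = 3
    AGENT = 4

@dataclass(frozen=True)
class Action:                  # hypothetical shape, not ClawCoat's schema
    write: bool = False
    external: bool = False
    high_risk: bool = False    # financial, delete, new domain
    anomaly: bool = False      # flagged against the behavioral baseline

def decide(tier: Tier, a: Action, suspended: bool = False) -> str:
    """Return 'allow', 'gate' (needs human approval) or 'block'."""
    if suspended:                      # kill switch or auto-suspend wins over everything
        return "block"
    if tier == Tier.AGENT:             # anomalies are logged, not gating
        return "allow"
    if tier == Tier.QUARANTINE:        # read-only tools, and every call needs approval
        return "block" if (a.write or a.external) else "gate"
    if a.anomaly:                      # assumption: gated at every tier below Agent
        return "gate"
    if tier == Tier.PROBATION:         # internal reads run; writes and external calls gated
        return "gate" if (a.write or a.external or a.high_risk) else "allow"
    if tier == Tier.RESIDENT:          # read/write autonomous; high-risk still gated
        return "gate" if a.high_risk else "allow"
    return "allow"                     # CITIZEN: only anomaly-flagged actions are gated

def apply_score(tier: Tier, score: float) -> tuple[Tier, bool, str]:
    """Map a Manners score (0.0-1.0) to (tier, suspended, band)."""
    if score < 0.25:
        return Tier.QUARANTINE, True, "suspend"
    if score < 0.50:
        return Tier.QUARANTINE, False, "demote"   # demotion skips levels
    return tier, False, "warning" if score < 0.75 else "satisfactory"

def promote(tier: Tier, human_approved: bool) -> Tier:
    """Promotion moves one tier at a time and only on an explicit human decision."""
    if not human_approved or tier == Tier.AGENT:
        return tier
    return Tier(tier + 1)
```
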

OpenClaw agents ship without guardrails. That gap has consequences.

OpenClaw-class agents have 194,000+ GitHub stars and no built-in governance layer. No mandatory oversight. No behavioral scoring. No trust tiers. API keys exposed at scale. Malicious skills in the supply chain. Agents get capability by default - oversight has to be added deliberately.

  • GitHub stars in 82 days
  • Exposed instances (Kaspersky)
  • Malicious skills discovered
  • 1-Click RCE exploit chain (CVE-2026-25253)

If you are running an OpenClaw agent, these numbers describe your exposure. ClawCoat is the layer that completes the OpenClaw stack.

You provide direction.
ClawCoat provides enforcement.

You (Strategic Direction): set policy, approve promotions, define boundaries
↓ HITL approval gates ↓
ClawCoat (Deterministic Enforcement): trust levels, Manners scoring, anomaly detection, audit chain
↓ governed MCP proxy ↓
OpenClaw Agent (Earned Autonomy): operates within earned trust level, never self-promotes

Enforcement that doesn’t depend on the model being right

ClawCoat doesn't just restrict OpenClaw agents - it governs them. You provide strategic direction. The platform provides deterministic enforcement that can’t be prompt-injected, hallucinated away, or bypassed by a clever instruction.

This is the difference: model-level guardrails can be prompt-injected. ClawCoat's enforcement is architectural. Even if an agent produces a malicious instruction, it cannot execute unless the agent's machine identity has the specific, time-scoped rights to perform that action.

  • 8-step governance pipeline evaluated on every action
  • SHA-256 hash-chained cryptographic audit trail
  • Kill switch - instantly suspend any agent, all actions rejected
  • Manners compliance scoring against five behavioral principles
  • Nonce replay protection on every request
  • Egress control - no unauthorized external calls
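
What "SHA-256 hash-chained" buys an auditor, as an added example that is not taken from the ClawCoat code base: each entry commits to the previous entry's hash, so an edit or deletion breaks verification at a known index. The record fields, the genesis value and the function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64   # constructed starting value for the chain

def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(chain: list, record: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})

def verify(chain: list, anchored_head=None):
    """Return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return False, i
        prev = e["hash"]
    # Dropping entries from the tail leaves a valid chain; only a head hash
    # stored somewhere the writer cannot reach reveals the truncation.
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None

def sample_chain() -> list:
    """Three constructed audit records, freshly built on every call."""
    chain = []
    for rec in ({"agent": "agent-1", "tool": "read_file", "decision": "allow"},
                {"agent": "agent-1", "tool": "send_email", "decision": "block"},
                {"agent": "agent-1", "tool": "write_file", "decision": "gate"}):
        append(chain, rec)
    return chain
```

The chain is tamper-evident, not tamper-proof: anyone who can rewrite every entry can rebuild it, which is why the head hash has to be anchored outside the log.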

Five levels of automated security testing

We don't just say it's secure. We run injection attacks, kill infrastructure mid-request, fuzz every API endpoint with 100,000+ generated payloads, and measure what happens.

0
API operations fuzz-tested
0
Generated test cases
0
Server errors under fuzzing
0
Lines of code scanned
0
High-severity findings
0
Test levels passed
0
Concurrent requests handled
0
Third-party data dependencies

Security · Chaos/Resilience · API Contract · Performance/Load · Static Analysis - all passing. Tested with Schemathesis, Bandit, and pip-audit.

See ClawCoat work

Real governance decisions. Real kill switches. Real human-in-the-loop approvals. Your agents, your rules.

Full source and governance pipeline at github.com/QuietFireAI/ClawCoat.

Keep your data where it belongs.

Every AI platform asks you to trust their cloud with your most sensitive data. ClawCoat doesn't. All AI processing runs on your hardware. All encryption keys are yours. Data only leaves your network when you explicitly allow it - and every outbound request is logged, governed, and auditable.

Attorney-Client Privilege Preserved

Client communications, case strategy, and work product stay on your infrastructure. No cloud provider can be subpoenaed for data they never received.

Patient Data Protected

Patient health information is encrypted, de-identified using all 18 HIPAA Safe Harbor identifiers, and never transmitted without explicit authorization.

Your Hardware, Your AI

All AI processing runs on your own machines via Ollama for local inference. No OpenAI. No Google. No data sent to third-party services. Your information physically stays on your hardware unless you choose otherwise.

Open Source, Enterprise-Grade

The same security stack built for law firms and clinics runs on your home server. Every line of code is public. Every claim is verifiable. Open source under Apache 2.0 - free for any use, personal or commercial.

Contract-ready documentation, out of the box

Every deployment includes the compliance documentation your prospects, auditors, and legal teams require.

SOC 2

SOC 2 Type I Report

51 controls across 5 Trust Service Criteria with management assertion and evidence mapping.

DPA

Data Processing Agreement

13-section customer-ready template with 3 annexes and placeholder brackets for client details.

PEN

Pen Test Preparation

Attack surface inventory of 177 endpoints, OWASP Top 10 mapping, scoped test plan for third-party assessors.

DR

Disaster Recovery

Automated DR test script with RPO/RTO measurement. RPO=24hr, RTO=15min verified.

SRM

Shared Responsibility Matrix

12-domain table clarifying customer vs. ClawCoat obligations for every security control.

HA

High Availability Architecture

Docker Swarm and Kubernetes deployment paths with component HA strategies and data replication matrix.

Everything runs on your hardware

No SaaS dependencies. No OpenAI, Google cloud or external API calls for core functionality. Your local VRAM, your residential IP, your data sovereignty.

FastAPI · PostgreSQL · Redis · Ollama · Traefik · Celery · MQTT · Prometheus · Grafana · Docker

Strong enough for a law firm.
Made for you and me.

Because everybody deserves the best.

Three steps. Your hardware. Your rules.

Whether you're a solo user with a spare PC or a firm with a server rack, getting started is the same.

1. Clone from GitHub

ClawCoat is live on GitHub under Apache 2.0. Clone the repo and grab the setup guide from the docs folder. No sign-up, no waitlist - just your hardware and the code.

2. Install on your machine

A computer, a NAS, a mini-PC in a closet. ClawCoat runs wherever Docker runs. The installer downloads everything you need, including your local AI model via Ollama.

3. You're in control

Your OpenClaw agents start at Quarantine with restricted privileges. You decide when they earn more. Every action is logged, every decision is yours. That's it.

FAQ

What does "Control Your Claw" mean?

"Claw" refers to OpenClaw agents that can take actions on your behalf - reading files, calling APIs, executing code, sending messages. These agents are powerful, but without governance they're a security crisis. ClawCoat acts as a governed MCP proxy: the OpenClaw agent connects to ClawCoat, and every action is evaluated against trust levels, Manners compliance, anomaly detection, and approval gates before execution. You control the claw. It doesn't control you.

How do trust levels work?

Every OpenClaw agent starts at Quarantine with restricted privileges. Promotion to Probation, Resident, Citizen, and Agent requires explicit human approval and demonstrated behavioral compliance. Demotion is instant and can skip levels - any agent whose Manners compliance score drops below 50% is automatically demoted to Quarantine. The fifth tier, Agent, represents full earned autonomy: anomalies are advisory only, not gating. Trust is earned sequentially and revoked immediately at any level.

Does any client data leave my network?

No. ClawCoat ships with Ollama - a local AI model runner that operates entirely on your hardware. Your AI inference never touches OpenAI, Anthropic, Google, or any cloud LLM service. Ollama handles all local inference so your data stays where it belongs. You do not need a cloud API key, a cloud account, or an internet connection once the initial setup is complete. No prompt you send, no data your OpenClaw agents process, and no governance decision ever leaves your network. Your encryption keys, your data, your infrastructure. We cannot access your data even if we wanted to.

What compliance frameworks does ClawCoat support?

SOC 2 Type I (51 controls documented), HIPAA/HITECH (full Security Rule mapping), HITRUST CSF (12 domains), CJIS, GDPR, PCI DSS, ABA Model Rules, and FRCP Rule 37(e) for legal hold. Every control maps to a source file and a passing test.

What happens if an agent goes rogue?

ClawCoat has a kill switch. One API call suspends any OpenClaw agent instance immediately. All actions are rejected at step 2 of the governance pipeline - before trust levels, before Manners compliance, before everything. The agent cannot reinstate itself. Only a human administrator can restore it after review.

How is this different from ChatGPT Enterprise or Microsoft Copilot?

Those products send your data to their clouds and give agents broad autonomy by default. ClawCoat does neither. Your data physically cannot leave your network. And every OpenClaw agent starts at Quarantine with restricted privileges, earning trust through demonstrated behavior. For firms handling privileged communications or protected health information, both of those distinctions are the entire point.

Can I deploy this on my own hardware?

Yes. ClawCoat is designed for self-hosted deployment via Docker Compose. It runs on a NAS, a rack server, or a VM. Your local VRAM for inference via Ollama, your residential IP for network identity. No cloud account required.

Do I need to be technical to use this?

You'll need basic comfort with installing software. If you've ever set up a home media server, installed an app on a NAS, or followed a step-by-step guide to set up a router, you can run ClawCoat. We're building plain-language setup guides and a guided installer to make this as approachable as possible. The same platform running at law firms will run on your home server - and we want both audiences to succeed.

Is ClawCoat free?

Yes. ClawCoat is open source under the Apache License 2.0. The full codebase - every security rule, every governance engine, every audit mechanism - is public. Use it for any purpose: personal, commercial, production, research. No paywalls, no commercial license required. Enterprise support and consulting are available through Quietfire AI.

What's on the roadmap?

The current release is the governance engine: trust tiers, Manners compliance, kill switch, HITL approval gates, cryptographic audit trail, and the full API. What's next is the interface that makes it approachable without reading API docs. The first build sprint after launch focuses on: a browser-based OpenClaw agent dashboard (trust level, Manners score, violation history, and recent actions in one view), demotion explanation cards (when a score drops, you see exactly which actions caused it and which principle was violated), a guided agent registration flow, and a read-only audit log viewer. The API already exposes everything needed for all of it. The governance engine is done - the dashboard catches up next.
