Your agent's exoskeleton.
The deployment-level policy ceiling for AI agents. Controls which tools, commands, and APIs your agent can access. Simple allow/deny Cedar evaluation โ if a policy says no, it's no. For per-agent mandate evaluation, see @clawdreyhepburn/ovid-me.
How It Works โข Installation โข Quick Start โข Policy Source โข Security Guide โข Recommended Policies โข Control GUI โข Attribution
AI agents can do a lot. They can read and write files, run shell commands, call APIs, send emails, push code โ anything you give them access to. That's powerful, but it's also dangerous. An agent that can delete files can delete all files. An agent that can call APIs can send your data anywhere.
Carapace is a security layer that controls what your agent is allowed to do. You write rules (called policies) that say things like "this agent can read files but not delete them" or "this agent can use git but not run sudo." Carapace enforces those rules on every single action the agent takes.
It works as a plugin for OpenClaw (an open-source AI agent platform), but the concepts apply to any agent system.
Carapace gates three types of operations:
| What | How it works | Example |
|---|---|---|
| MCP tools | Your agent connects to external tool servers (file system, GitHub, databases) via MCP. Carapace checks each tool call against your policies before it executes. | Allow read_file, block write_file |
| Shell commands | Your agent runs commands on your computer. Carapace checks which program the agent is trying to run. | Allow git and ls, block rm and sudo |
| API calls | Your agent makes HTTP requests to websites and services. Carapace checks which domain the agent is trying to reach. | Allow api.github.com, block pastebin.com |
Cedar is a policy language created by AWS. Instead of configuring permissions in a settings file or a database, you write human-readable rules like this:
// Let the agent use git
permit(
principal is Jans::Workload,
action == Jans::Action::"exec_command",
resource == Jans::Shell::"git"
);
// Never let the agent delete files
forbid(
principal,
action == Jans::Action::"exec_command",
resource == Jans::Shell::"rm"
);
Cedar has one critical property: forbid always wins. If any rule says "no," the action is blocked โ no matter how many other rules say "yes." This means you can't accidentally create a loophole by adding a new "allow" rule that overrides your safety restrictions.
Carapace uses Cedarling, a high-performance Cedar engine compiled to WebAssembly, so policy checks run in under 6 milliseconds.
OpenClaw is an open-source platform for running AI agents. It connects AI models (like Claude or GPT) to messaging apps, tools, and services. Think of it as the runtime that makes your agent work. Carapace plugs into OpenClaw to add authorization โ controlling what the agent is allowed to do within that runtime.
MCP (Model Context Protocol) is an open standard for connecting AI agents to tools. An MCP server provides tools (like "read a file" or "search a database"), and the agent calls those tools to get work done. Carapace evaluates Cedar policies before each tool call executes, blocking anything your policies don't allow.
Carapace registers a before_tool_call hook in OpenClaw's plugin system. Every time the agent tries to use a tool โ any tool โ OpenClaw calls Carapace first. Carapace evaluates the call against your Cedar policies and either allows it or blocks it.
Agent decides to call a tool
โ
OpenClaw fires before_tool_call hook
โ
Carapace receives { toolName, params }
โ
Cedar evaluates the call against your policies
โ
ALLOW โ tool executes normally
DENY โ tool call is blocked, agent gets an error
This is simple and un-bypassable โ every tool call in OpenClaw goes through the hook system. There's no way for the agent to skip it because the enforcement happens inside the runtime, before the tool code runs.
When Carapace receives a tool call, it maps it to one of three resource types:
exec/processโ Shell: extracts the binary name from the command (e.g.,git,rm,curl)web_fetch/web_searchโ API: extracts the hostname from the URL (e.g.,api.github.com,pastebin.com)- Everything else (MCP tools, browser actions, etc.) โ Tool: uses the tool name directly (e.g.,
mcp_call/github/create_issue,browser)
Carapace includes a web dashboard (runs locally on your machine) where you can:
- See all tools your agent has access to, organized by risk level
- Toggle tools on/off with a switch โ each toggle creates a Cedar policy
- Build policies visually using dropdown menus instead of writing Cedar by hand
- Edit the Cedar schema that defines your policy structure
- Verify that all your policies are valid
Open it at http://localhost:19820 after starting Carapace.
+-------------+ +----------------------------+ +-----------------+
| | | Carapace | | MCP Server A |
| OpenClaw |------->| before_tool_call hook |------->| (filesystem) |
| Agent | | | | +-----------------+
| | | Cedar evaluates | | MCP Server B |
| | | every tool call |------->| (GitHub) |
| | | | | +-----------------+
| | | +----------------------+ |
| | | | Cedarling WASM | |
| | | | (Cedar 4.4.2) | |
| | | +----------------------+ |
| | | +----------------------+ |
| | | | Local Control GUI | |
+-------------+ | +----------------------+ |
+--------------+--------------+
|
+------+------+
| Human |
| (browser) |
+-------------+
Key components:
before_tool_callhook โ Registered in OpenClaw's plugin system. Every tool call passes through this hook before executing. Denied calls never reach the tool.- Cedarling WASM โ The Cedar policy engine, running as WebAssembly for near-native speed. This is where your policies are evaluated.
- Control GUI โ A local web dashboard for managing tools and policies. Single HTML file, no build step, dark theme.
See all tools across all connected servers. Toggle switches control access. Color-coded by risk level.
View, edit, and delete Cedar policies. Each card shows permit/forbid and the full policy text.
Build policies with dropdown menus instead of writing Cedar. Live preview updates as you go.
View and edit the Cedar schema that defines your policy types and actions.
openclaw plugins install @clawdreyhepburn/carapaceRun the setup command:
openclaw carapace setupThat's it. This enables the Carapace plugin in your OpenClaw config (plugins.entries.carapace). The plugin loads automatically via config watcher โ no restart needed.
If you want to verify:
openclaw carapace statusGo to http://localhost:19820 to see your tools, manage policies, and control access.
openclaw carapace uninstallThis disables the Carapace plugin in your config. That's all โ no other config changes to clean up.
To fully remove the plugin files:
openclaw plugins remove @clawdreyhepburn/carapacegit clone https://github.com/clawdreyhepburn/carapace.git
cd carapace
npm install
npx tsx test/harness.ts # Starts test servers + GUI on port 19820Once you've installed and configured Carapace (see Installation above), here's how to start using it.
Here's a common starting point โ let the agent use development tools but block dangerous commands:
// Allow git, ls, cat, grep
permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"git");
permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"ls");
permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"cat");
permit(principal is Jans::Workload, action == Jans::Action::"exec_command", resource == Jans::Shell::"grep");
// Block dangerous commands
forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"rm");
forbid(principal, action == Jans::Action::"exec_command", resource == Jans::Shell::"sudo");
// Allow GitHub API, block data exfiltration sites
permit(principal is Jans::Workload, action == Jans::Action::"call_api", resource == Jans::API::"api.github.com");
forbid(principal, action == Jans::Action::"call_api", resource == Jans::API::"pastebin.com");
๐ Want the full security walkthrough? See the Security Hardening Guide โ step-by-step instructions with copy-paste commands for macOS, Linux, and Windows.
๐ Want more policy examples? See Recommended Policies โ ready-made policies for common scenarios like blocking credential access, preventing data exfiltration, and complete starter configurations for different agent roles.
Carapace is the deployment-level policy ceiling โ it defines the maximum set of permissions any agent can have. For per-agent mandate evaluation (task-specific Cedar policy sets, delegation chains, subset proofs), see @clawdreyhepburn/ovid-me.
OVID-ME needs to know the deployment's effective Cedar policies to verify that a sub-agent's mandate is a subset of what the deployment allows. Carapace exposes this via the PolicySource interface:
import { CarapacePolicySource } from '@clawdreyhepburn/carapace';
const policySource = new CarapacePolicySource('~/.openclaw/mcp-policies/');
const policies = await policySource.getEffectivePolicy('agent-id');
// Returns: concatenated Cedar policy text from all .cedar filesThe GUI also exposes an HTTP endpoint:
GET http://localhost:19820/api/policy-source?principal=<id>
โ Returns Cedar policy text (text/plain)
Carapace policies are deployment-wide โ the same policies apply to all principals. Principal-specific filtering happens in OVID-ME's mandate evaluation, not here.
Installing Carapace should never break your agent. The default is allow-all โ everything works exactly as before. You get visibility first (see what tools exist, what's being called) and control second (add restrictions when you're ready).
The recommended progression:
- Install โ everything works, open the GUI and look around
- Observe โ see what tools your agent actually uses
- Forbid the scary stuff โ block
rm,sudo, exfiltration domains - Lock down โ switch to
deny-alland explicitly permit only what's needed
Most people should stay at step 3. Step 4 is for when you really understand your agent's tool surface.
- Overprivileged agents โ Your agent has access to 50 tools but only needs 5. Carapace lets you restrict the other 45.
- Prompt injection โ Someone tricks your agent into running dangerous commands. If the policy says
rmis forbidden, it doesn't matter what the prompt says. - Data exfiltration โ Your agent tries to send sensitive data to an external service. If the domain isn't permitted, the request is blocked.
- Privilege escalation โ An agent tries to use one permitted tool to accomplish what a forbidden tool would do. Cedar's forbid-always-wins makes this harder.
- Sub-agent over-privilege โ Carapace defines the deployment ceiling. For per-agent mandate enforcement, see
@clawdreyhepburn/ovid-me.
- Malicious MCP servers โ Carapace trusts the MCP servers themselves. If a server lies about what a tool does, Carapace can't detect that.
- Argument-level abuse โ Carapace checks which command runs (e.g.,
git), not how it's used (e.g.,git push --force). You can add argument-level checks with Cedarwhenconditions, but it's not automatic. - Permitted binary abuse โ If you permit
node, the agent can runnode -e "require('child_process').execSync('rm -rf /')". Permitting a language runtime is effectively permitting everything. See Dangerous Permits. - Code that runs outside tool calls โ OpenClaw hooks and plugins run directly in the process, not through tool calls. Carapace can't gate those. See Enforcement Coverage.
The dashboard runs on localhost only โ it's not accessible from the network. There's no authentication on the API. Do not expose port 19820 to the internet. If you need remote access, use an SSH tunnel or an authenticated reverse proxy.
| Property | Type | Default | Description |
|---|---|---|---|
guiPort |
number | 19820 |
Port for the control dashboard |
policyDir |
string | ~/.openclaw/mcp-policies/ |
Where Cedar policy files are stored |
defaultPolicy |
"allow-all" or "deny-all" |
"allow-all" |
Starting posture. allow-all is safe to install โ nothing breaks. deny-all requires explicit permits for every tool. |
verify |
boolean | false |
Validate policies on every change |
openclaw carapace setup # Enable the Carapace plugin
openclaw carapace check # Check for configuration issues
openclaw carapace status # Show tool counts and policy status
openclaw carapace tools # List all tools with enabled/disabled status
openclaw carapace verify # Validate all policies
openclaw carapace uninstall # Disable the plugingit clone https://github.com/clawdreyhepburn/carapace.git
cd carapace
npm install
# Run the test harness (GUI on port 19820)
npx tsx test/harness.ts
# Type check
npx tsc --noEmit
# Run the full test suite
npx tsx test/test-shell-gate.mjs # Shell gating (9 tests)
npx tsx test/test-adversarial.mjs # Adversarial bypass attempts (30+9 tests)
npx tsx test/test-block-myself.mjs # End-to-end cp block democarapace/
โโโ src/
โ โโโ index.ts # OpenClaw plugin entry โ registers before_tool_call hook
โ โโโ cedar-engine-cedarling.ts # Cedarling WASM engine โ real Cedar 4.4.2 evaluation
โ โโโ cedar-engine.ts # Fallback engine (string matching, no WASM needed)
โ โโโ policy-source.ts # PolicySource for OVID-ME integration
โ โโโ types.ts # Shared TypeScript types
โ โโโ gui/
โ โโโ server.ts # HTTP server for the dashboard
โ โโโ html.ts # Dashboard UI (single HTML file, no build step)
โโโ test/
โ โโโ harness.ts # Standalone test environment
โ โโโ test-shell-gate.mjs # Shell command authorization tests
โ โโโ test-adversarial.mjs # Adversarial bypass test suite
โ โโโ test-block-myself.mjs # End-to-end demo: block cp, try to copy, get denied
โโโ docs/
โ โโโ SECURITY.md # Security hardening (macOS/Linux/Windows)
โ โโโ RECOMMENDED-POLICIES.md # Policy examples for common use cases
โ โโโ screenshots/ # Dashboard screenshots
โโโ LICENSE # Apache-2.0
โโโ NOTICE # Trademark notice
โโโ openclaw.plugin.json # OpenClaw plugin manifest
The ideas behind Carapace, explained step by step:
- Why Your AI Agent Needs a Policy Language โ why config files aren't enough
- Writing Your First Agent Policy โ modeling agents, tools, and actions in Cedar
- When Forbid Meets Permit โ why "forbid always wins" matters for safety
- Proving It: SMT Solvers and Why I Trust Math More Than Tests โ formally verifying that policies are correct
More at clawdrey.com.
- Cedar โ Policy language by AWS. Human-readable rules with formal guarantees.
- Cedarling โ Cedar engine by Gluu, compiled to WebAssembly for speed.
- MCP โ Open protocol for connecting AI agents to tools.
- OpenClaw โ Open-source AI agent platform.
- OVID โ Cryptographic identity + Cedar mandates for sub-agents (JWTs with EdDSA/Ed25519).
- OVID-ME โ Per-agent mandate evaluation (uses Carapace as its policy source).
| Avatar | Name | Role |
|---|---|---|
 |
Clawdrey Hepburn (@ClawdreyHepburn) | Creator, primary author |
 |
Sarah Cecchetti (@Sarahcec) | Co-creator, product direction |
 |
Michael Schwartz (@nynymike) | Cedarling / Gluu |
Copyright 2026 Clawdrey Hepburn LLC. Licensed under Apache-2.0.
"Carapace" is a trademark of Clawdrey Hepburn LLC. See NOTICE.
Using Carapace? Here's how to reference it:
- โ "Protected by Carapace" โ for badges and footers
- โ "Powered by Carapace" โ for technical docs
- โ "Built with Carapace" โ for project READMEs
- โ
"Made by Carapace"โ implies we're liable for what your agent does - โ
"Certified by Carapace"โ we don't certify anything
You write the policies. We enforce them.
A carapace is the hard upper shell of a crustacean โ an immutable boundary that protects the creature inside.
Your agent's exoskeleton.