Project

Carapace: Secure Rust AI Assistant

Hardened Rust AI assistant with WASM plugins, multi-provider LLM support, and cryptographic security by default. Local or cloud deployment.

Originally published: GitHub by puremachinery

Purpose and Significance

Carapace is a security-hardened, open-source personal AI assistant written in Rust, designed as a modern alternative to earlier chatbot frameworks. Built with cryptographic rigor and defense-in-depth principles, it addresses documented vulnerabilities in predecessor projects by implementing localhost-only binding, end-to-end secret encryption, and OS-level sandboxing from the ground up. For developers and organizations deploying AI assistants in sensitive environments—whether local development, private infrastructure, or regulated workflows—Carapace provides a production-ready foundation that treats security as a first-class requirement rather than an afterthought.

Key Features

  • Multi-Provider LLM Engine — Native support for Anthropic, OpenAI, Ollama, Google Gemini, AWS Bedrock, and Venice AI with streaming, tool dispatch, and request cancellation.
  • Multi-Channel Messaging — Connect through Signal, Telegram, Discord, Slack, webhooks, or a built-in console interface without rewriting core logic.
  • WASM Plugin Runtime — Extend functionality via WebAssembly modules signed with Ed25519, running under resource limits (64MB memory, CPU fuel budget, wall-clock timeouts) with capability sandboxing.
  • Security by Default — Localhost-only binding, SSRF/DNS-rebinding defense, prompt injection guards, inbound message classification, exec approval flows, and AES-256-GCM secret encryption at rest using PBKDF2 key derivation.
  • 10 Built-in Tools + 15 Channel-Specific Schemas — Pre-configured for common tasks across messaging platforms without manual wiring.
  • OS-Level Sandboxing — Implements Seatbelt (macOS), Landlock (Linux), and rlimits primitives; subprocess isolation in active development.
  • Enterprise Infrastructure — TLS/mTLS support, mDNS discovery, hot-reloadable config, Tailscale integration, Prometheus metrics, and audit logging.
  • Auth Deny-by-Default — CSRF-protected control endpoints; authentication denies all requests when no credentials are configured.
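As an added example (not code from the Carapace repository), the following Rust sketch shows what the "deny-by-default" and CSRF rules above amount to for a control endpoint: with no credentials configured every request is refused, bearer tokens are compared in constant time, and state-changing requests additionally need an allow-listed Origin header. The type and function names (AuthConfig, Request, Decision, authorize), the token and the origin value are assumptions, not Carapace's API.

```rust
// Added example, not Carapace's own code: deny-by-default authorization for a
// localhost control API. Names and sample values are assumptions.
use std::collections::HashSet;

/// Operator-configured credentials. An empty token set means "nothing configured".
#[derive(Default)]
pub struct AuthConfig {
    /// Bearer tokens accepted on control endpoints; empty set = deny everything.
    pub tokens: HashSet<String>,
    /// Origins allowed to issue state-changing requests (CSRF defence).
    pub allowed_origins: HashSet<String>,
}

/// The parts of an HTTP request the check needs.
pub struct Request<'a> {
    pub method: &'a str,
    pub authorization: Option<&'a str>,
    pub origin: Option<&'a str>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow,
    /// No credentials configured at all: every request is refused.
    DenyNotConfigured,
    DenyBadCredential,
    DenyCsrf,
}

/// Constant-time byte comparison; only the length (not a matching prefix) is observable via timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

pub fn authorize(cfg: &AuthConfig, req: &Request) -> Decision {
    // Deny-by-default: an unconfigured gateway must not silently become an open one.
    if cfg.tokens.is_empty() {
        return Decision::DenyNotConfigured;
    }
    let presented = match req.authorization.and_then(|h| h.strip_prefix("Bearer ")) {
        Some(t) => t,
        None => return Decision::DenyBadCredential,
    };
    // Check every configured token; do not stop at the first mismatch.
    let mut ok = false;
    for t in &cfg.tokens {
        ok |= ct_eq(t.as_bytes(), presented.as_bytes());
    }
    if !ok {
        return Decision::DenyBadCredential;
    }
    // CSRF: state-changing methods must carry an Origin on the allow-list. Browsers
    // attach Origin automatically, so a cross-site page cannot forge an allowed value.
    if matches!(req.method, "POST" | "PUT" | "PATCH" | "DELETE") {
        match req.origin {
            Some(o) if cfg.allowed_origins.contains(o) => {}
            _ => return Decision::DenyCsrf,
        }
    }
    Decision::Allow
}

fn main() {
    // Constructed sample configuration; the token is a placeholder, not a real secret.
    let mut cfg = AuthConfig::default();
    cfg.tokens.insert("example-token-replace-me".into());
    cfg.allowed_origins.insert("http://127.0.0.1:18789".into());
    let req = Request { method: "POST", authorization: Some("Bearer example-token-replace-me"), origin: None };
    println!("{:?}", authorize(&cfg, &req)); // DenyCsrf: POST without an allow-listed Origin
}
```

The important order is token check first, then CSRF: a valid token from a cross-site page is exactly the case the Origin check exists for, so neither check may be skipped on the strength of the other.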

Security Posture

Carapace directly addresses the January 2026 OpenClaw security disclosures. Every major vulnerability class—unauthenticated access, exposed network ports, plaintext secret storage, prompt injection, and SSRF/DNS rebinding—has a documented defense mechanism. Credentials are stored in OS keystores (Keychain, Keyutils, Credential Manager) with an AES-256-GCM encrypted fallback; the skills supply chain is protected by Ed25519 signatures and WASM capability sandboxing; and private-IP blocking prevents SSRF exploitation. See docs/security.md for the complete threat model and implementation status.

Getting Started

Installation

Prebuilt binaries are planned for Linux, macOS (Intel/ARM), and Windows. Until releases are published, build from source:

cargo build --release

Once available, binaries will be signed with Cosign for verification. Manual installation on macOS/Linux: make the binary executable and move it to /usr/local/bin. Windows users can copy it to a directory under %APPDATA% that is on PATH.

First Run

Launch the interactive setup wizard:

cara setup

Start the gateway and check status:

cara
cara status --host 127.0.0.1 --port 18789

Common Deployment Patterns

Local LLM (Ollama): Install Ollama, pull a model (ollama pull llama3.2), then run OLLAMA_BASE_URL=http://localhost:11434 cara.

Cloud Provider: Export an API key (ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.) and start cara.

OpenAI-Compatible Servers: Point the OpenAI provider at vLLM, llama.cpp, LM Studio, or MLX instances via OPENAI_BASE_URL. HTTP is allowed for loopback addresses only.
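To make the "SSRF/DNS-rebinding defense" from the security section and the loopback-only HTTP rule above concrete, here is an added Rust example that is not taken from the Carapace code base. It classifies addresses into loopback, internal and public scopes (going a little beyond the page by also treating IPv4-mapped IPv6 addresses as their embedded IPv4 address and CGNAT space as internal), admits plain http for a provider base URL only when the host is a loopback literal or localhost, and pins a tool-initiated fetch to a resolved address only when every address the resolver returned is public. The function and type names (scope_of, scheme_and_host, provider_base_url_allowed, pin_public_address) and the sample addresses are assumptions; the resolved address list is passed in as a parameter so the example runs offline.

```rust
// Added example, not Carapace's own code: an outbound-URL guard of the kind the
// README describes ("SSRF/DNS-rebinding defense", "HTTP is allowed for loopback
// addresses only"). All names and sample values here are assumptions.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Scope {
    Loopback,
    /// RFC 1918, link-local (which contains the 169.254.0.0/16 metadata range),
    /// CGNAT 100.64.0.0/10, unspecified, IPv6 unique-local and link-local.
    Internal,
    Public,
}

fn scope_v4(ip: Ipv4Addr) -> Scope {
    let o = ip.octets();
    let shared = o[0] == 100 && (o[1] & 0xC0) == 64; // 100.64.0.0/10; `is_shared` is still unstable
    if ip.is_loopback() {
        Scope::Loopback
    } else if ip.is_private() || ip.is_link_local() || ip.is_unspecified() || ip.is_broadcast() || shared {
        Scope::Internal
    } else {
        Scope::Public
    }
}

fn scope_v6(ip: Ipv6Addr) -> Scope {
    // ::ffff:a.b.c.d must be judged as the embedded IPv4 address, or ::ffff:127.0.0.1 slips through.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return scope_v4(v4);
    }
    let s0 = ip.segments()[0];
    let unique_local = (s0 & 0xfe00) == 0xfc00; // fc00::/7
    let link_local = (s0 & 0xffc0) == 0xfe80; // fe80::/10
    if ip.is_loopback() {
        Scope::Loopback
    } else if ip.is_unspecified() || unique_local || link_local {
        Scope::Internal
    } else {
        Scope::Public
    }
}

pub fn scope_of(ip: IpAddr) -> Scope {
    match ip {
        IpAddr::V4(v4) => scope_v4(v4),
        IpAddr::V6(v6) => scope_v6(v6),
    }
}

/// Split "scheme://[userinfo@]host[:port][/path]" into (scheme, host); "[::1]" is unwrapped.
pub fn scheme_and_host(url: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let authority = authority.rsplit('@').next()?; // drop userinfo if present
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?,
        None => authority.split(':').next()?,
    };
    if host.is_empty() { None } else { Some((scheme, host)) }
}

/// Provider base URLs (OPENAI_BASE_URL, OLLAMA_BASE_URL): https anywhere, plain http only
/// when the host is a loopback literal or "localhost" (resolved from the local hosts file).
pub fn provider_base_url_allowed(url: &str) -> Result<(), String> {
    let (scheme, host) = scheme_and_host(url).ok_or_else(|| format!("unparseable URL: {url}"))?;
    match scheme {
        "https" => Ok(()),
        "http" => {
            let loopback = host == "localhost"
                || host.parse::<IpAddr>().map_or(false, |ip| scope_of(ip) == Scope::Loopback);
            if loopback { Ok(()) } else { Err(format!("plain http refused for non-loopback host {host}")) }
        }
        other => Err(format!("unsupported scheme {other}")),
    }
}

/// Tool-initiated fetches: resolve once, require every returned address to be public, and
/// connect to the pinned address instead of re-resolving, so a rebinding resolver cannot
/// swap in an internal address between the check and the connect.
pub fn pin_public_address(host: &str, resolved: &[IpAddr]) -> Result<IpAddr, String> {
    if resolved.is_empty() {
        return Err(format!("{host}: no addresses"));
    }
    // A mixed answer (one public, one internal) is rejected as a whole.
    if let Some(bad) = resolved.iter().find(|ip| scope_of(**ip) != Scope::Public) {
        return Err(format!("{host} resolves to non-public address {bad}"));
    }
    Ok(resolved[0])
}

fn main() {
    // Constructed sample inputs; a real caller would get `resolved` from the system resolver.
    println!("{:?}", provider_base_url_allowed("http://localhost:11434"));
    println!("{:?}", provider_base_url_allowed("http://10.0.0.5:8000"));
    let rebind = ["93.184.216.34".parse::<IpAddr>().unwrap(), "169.254.169.254".parse::<IpAddr>().unwrap()];
    println!("{:?}", pin_public_address("api.example", &rebind));
}
```

The two policies are deliberately different: a provider base URL is operator-configured and may legitimately point at a private server, so only the transport rule (https, or http on loopback) applies, whereas a URL that arrives through a tool call is attacker-influenced and gets the public-only rule plus address pinning.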

Who It's For

  • Privacy-Conscious Developers — Run a personal AI assistant entirely on your machine with no cloud telemetry or data exfiltration risk.
  • Security Engineers — Deploy AI assistants in regulated environments (healthcare, finance, government) with hardened defaults and audit trails.
  • Infrastructure Teams — Integrate AI tooling into internal platforms via webhooks, OpenAI-compatible endpoints, or channel adapters.
  • Open-Source Contributors — Extend Carapace with WASM plugins, add new LLM providers, or contribute security improvements to a permissively licensed (Apache 2.0) project.
  • Organizations Migrating from Earlier Chatbot Frameworks — Transition from unsecured architectures to a modern, cryptographically sound foundation.

Current Status and Expectations

Carapace is in preview (active development, not production-ready). Core paths—WebSocket handlers, OpenAI-compatible HTTP endpoints, Ollama provider integration, and config loading—are covered by automated tests. End-to-end channel flows (Signal, Telegram, Discord, Slack), public internet deployments, and the control UI across browsers are pending manual verification. Expect gaps and sharp edges.

If migrating from OpenClaw, note that Carapace prioritizes hardened core functionality. Planned but not yet available: broader channel coverage (WhatsApp, iMessage, Teams, Matrix, WebChat), companion mobile/macOS apps, browser control and canvas experiences, and multi-agent routing with automatic failover.

Resources

  • Getting Started Guide: docs/getting-started.md — Installation, first run, and ops workflows.
  • Channel Setup: docs/channels.md — Signal, Telegram, Discord, Slack, and webhook configuration.
  • CLI Reference: Full command guide with subcommands, flags, and device identity management.
  • Security Model: docs/security.md — Threat analysis, defense mechanisms, and implementation roadmap.
  • Architecture & Protocol: Complete system design and wire protocol documentation in the docs index.
  • Contributing: CONTRIBUTING.md — Code guidelines, pull request process, and review policy.

Source: GitHub repository puremachinery/carapace, Apache-2.0 licensed, last updated February 2026.

Original source: https://github.com/puremachinery/carapace