SecureTalon is a security-first agent platform inspired by OpenClaw. It executes AI tool intents only through least-privilege policies, broker-mediated tools, Docker-sandboxed skills, and tamper-evident audit logs—so agents remain powerful, observable, and safe by design.
OpenClaw demonstrated the power of autonomous agents.
SecureTalon makes them safe to use in real environments.
SecureTalon adds:
- Deny-by-default policies — No tool runs unless you explicitly allow it with constraints.
- Broker-mediated tools — Every file, HTTP, and Docker call goes through the broker; no back doors.
- Docker-sandboxed skills — Skills run in containers by default; network and mounts are opt-in.
- Tamper-evident audit logs — Hash-chained events; you can validate integrity and prove what ran.
- Safe replay without re-execution — Step through any run from the audit log; no tools run again.
- Built-in admin console — Sessions, policies, audit, and replay in one Svelte UI.
| Area | OpenClaw | SecureTalon |
|---|---|---|
| Default posture | permissive | deny-by-default |
| Tool access | direct | broker-mediated |
| Execution isolation | optional | Docker-sandboxed by default |
| Policy enforcement | ad-hoc | capability tokens |
| Audit | basic logs | hash-chained tamper-evident |
| Replay | limited | safe replay without re-execution |
| UI console | minimal | built-in Svelte admin console |
Concept mapping so conversion feels easy:
| OpenClaw | SecureTalon |
|---|---|
| Agent | Run — one execution per message; steps show policy_eval and tool_exec |
| Tool | Brokered tool — file.read, http.fetch, docker.run go through the broker with constraints |
| Plugin | Skill — Docker image by digest; register via API, allow via session policy |
| exec.security / allowlist | Session policy overrides — per-session allowlist with constraints (roots, domains, images) |
| exec.ask / approvals | Deny-by-default — add an override to allow; no interactive ask yet |
| Logs | Audit (hash-chained) + Replay (safe, no re-execution) |
Full guide: OpenClaw migration (what to change, example conversions).
The admin console is a major differentiator. Below: dashboard, policy editor, audit chain validation, and replay viewer.
| Dashboard | Policy editor |
|---|---|
| Sessions and quick links | Session overrides, tool constraints, guardrails |
| Audit — Chain OK | Replay viewer |
|---|---|
| Hash chain valid, filters, timeline | Safe replay timeline, step-through, jump to type |
- Deny-by-default — Only explicitly allowed tools and constraints are permitted per session.
- Capability tokens — Short-lived, signed tokens issued by the policy engine; the broker is the only verifier and executor.
- Broker mediation — All tool intents (file, HTTP, Docker) go through the broker; constraints (paths, domains, images) are enforced before execution.
- Tamper-evident audit — Events are appended to a hash chain; you can validate integrity and replay runs without re-executing tools.
Details: docs/backend/SECURITY-MODEL.md.
- Internal agent ops — Run file, HTTP, or containerized skills under strict allowlists with full audit and replay.
- Compliance-sensitive workloads — Prove what ran, when, and with what policy via hash-chained logs.
- Safe skill adoption — Register Docker skills by digest; enforce network/mount policies and inspect runs in the console.
- Post-incident review — Use safe replay and audit to step through a run without re-executing any tools.
Ready-to-run demos in examples/ with sample policies and intents you can copy or run:
| Demo | Description |
|---|---|
| file-read-demo | policy.json + run.ps1; allows file.read under work/, sends intent, shows run. |
| http-fetch-demo | policy.json + message.json + run.ps1; allows GET to a domain, sends intent, shows response. |
| docker-skill-demo | policy.json + message.json + run.ps1; allows docker.run by image digest (set IMAGE_DIGEST or edit JSON). |
| deny-then-fix | Trigger a deny, add override, retry. |
Run from repo root: .\examples\file-read-demo\run.ps1 (and similarly for the others). Backend must be running.
Requires ADMIN_TOKEN. Optional: ADDR (default :8080), DATA_DIR, TOKEN_SECRET.
ADMIN_TOKEN=your-secret-token go run ./cmd/securetalonTo use port 8090 (e.g. for the UI default):
ADDR=:8090 ADMIN_TOKEN=your-secret-token go run ./cmd/securetaloncd ui
npm install
npm run devOpen http://localhost:5173. In the UI, Connect with:
- API base:
http://localhost:8090(or your backend URL) - Token: same as
ADMIN_TOKEN
See ui/README.md for API mapping and build.
- Start backend:
ADDR=:8090 ADMIN_TOKEN=demo go run ./cmd/securetalon - Start UI:
cd ui && npm i && npm run dev→ connect withhttp://localhost:8090and tokendemo - Create session (Sessions → New session).
- Set policy: Policies → select the session → add override: tool
file.read, allow, roots e.g.work(chips), Save. - Create a file the agent can read (e.g.
mkdir work 2>nul & echo hello > work\input.txton Windows, ormkdir -p work && echo hello > work/input.txton Unix). - Send message with parseable intent: in Session detail, send e.g. “Read work/input.txt” or use a message that triggers a file.read intent; or call the API with body
{"content":"...", "intents":[{"tool":"file.read","params":{"path":"work/input.txt"}}]}. - View run: open the run from the session; confirm steps (policy_eval ALLOW/DENY, tool_exec ok/error) and status (queued → running → completed).
- Audit: Audit → set session filter → Refresh → Validate chain → “Chain OK”.
- Replay: Replay → enter run ID → Load Safe Replay → step through timeline (no re-execution).
See scripts/demo-happy-path.ps1 for an automated API-only demo (PowerShell).
- MVP (done) — Deny-by-default policy, capability tokens, broker (file/http/Docker), hash-chained audit, safe replay, Svelte admin console.
- Next — Approval workflows, RBAC, skill hub and signing, gVisor option, policy packs. See docs/backend/ROADMAP.md.
We welcome issues and pull requests. See CONTRIBUTING.md for how to run the project, how to add tools or skills, coding standards, and CI (policy, token, and audit chain tests run on every push/PR).
We take security seriously. See SECURITY.md for our threat model, responsible disclosure process, and what SecureTalon does and does not guarantee. If you believe you’ve found a vulnerability, report it privately (e.g. GitHub Security Advisories or maintainer contact); do not open a public issue.
Downloadable zips for public release must not include the .git directory (fine in the live repo, not in artifacts). GitHub’s Code → Download ZIP already omits .git.
To build a clean distribution zip yourself (e.g. for releases), run from the repo root:
.\scripts\make-dist-zip.ps1This produces SecureTalon-YYYYMMDD.zip with source and docs, excluding .git, node_modules, ui/dist, data, and .env.
Further documentation: docs/ (backend architecture, API, UI specs).
License: MIT
