A desktop application that runs an autonomous CLI agent inside a five-container security perimeter on the user's own computer, with a Telegram interface for chat. Open-source under MIT. Ships pre-wired for OpenClaw; the perimeter is designed to extend to other CLI agents.
The architecture, threat model, and per-component capabilities are described in docs/trifecta.md.
Author: @albertdobmeyer · Public landing page: opentrapp.com
Autonomous CLI agents — OpenClaw is one prominent example — execute shell commands, read files, and load skills from third-party registries. Run with default settings, the agent has the same operating-system privileges as the user. The ClawHavoc study (2026-Q1) of one such registry classified 11.9 % of published skills as malicious (341 of 2,857). OpenTrApp wraps any such agent in a defense-in-depth perimeter to reduce the impact of agent compromise, malicious skills, and prompt-injection attacks. The shipped integration is OpenClaw; the perimeter is designed to extend to other CLI agents.
Reasoning is delegated to the agent's vendor API (Anthropic's, for OpenClaw); only the agent's execution layer (file work, tool calls, skill invocations) is local.
These are the principles that shape every design and product decision in this project. They are written down because the alternative — leaving them implicit — is how projects drift.
- Safety-first, safety-always. The perimeter exists because autonomous agents are powerful and powerful tools fail in expensive ways. Every architectural choice is evaluated against its containment effect first; convenience second. Defaults err on the restrictive side and are documented when they do.
- Honest about residual risk. The application can never claim to make running an autonomous agent absolutely safe. It raises the cost of compromise via defense-in-depth and is open about the gaps that remain. The threat model names them; the whitepaper explains them.
- Agent-agnostic, community-driven. The perimeter is not coupled to any single CLI agent. The reference deployment is OpenClaw because OpenClaw exists today; the architecture is designed to extend to others. Contributions that broaden compatibility are welcomed.
- Transparency over marketing. No tracking, no telemetry, no proprietary blobs. Every dependency, every container layer, every external request is documentable from the source tree. Reproducibility steps are in
docs/reproduce.md. - Shared for the safety of the commons. This project is MIT-licensed and developed in the open. Security research findings, hardening recipes, and threat-model deltas land in the repo where everyone running an autonomous CLI agent can benefit, not in private channels.
- Telegram bot interface — message the agent from a paired phone
- File read/write within a sandboxed workspace; the host filesystem is not exposed to the container
- Image processing on Telegram-supplied content
- Skill loading from ClawHub gated by a 87-pattern scanner with MITRE-ATT&CK mapping and Content Disarm & Reconstruction
- 24-point startup verification of the perimeter topology
- API keys held by
vault-proxyand injected per request; the agent container never reads the literal key
Web browsing, web fetch, and the broader OpenClaw tool surface are not enabled by default. They are available at "Soft Shell" via CLI configuration in v0.3.0; see components/opencli-container/.
- This is experimental software. It is provided as-is, without warranty of any kind. The authors accept no responsibility for damage resulting from its use.
- Autonomous AI agent containment is an open research problem. The perimeter raises the cost of a successful compromise; it does not eliminate the possibility. The full attacker-capability matrix and residual-risk enumeration are in
docs/threat-model.md; the differential against alternative containment strategies (Firejail, gVisor, VM-only isolation, scanner-only, etc.) is indocs/why-not-x.md. - The agent's reasoning is not local. Operating OpenTrApp without internet access to Anthropic's API is not supported.
- Installer binaries are signed with the Tauri auto-updater key, not with OS-level code-signing certificates. macOS Gatekeeper and Windows SmartScreen will display a first-launch warning.
- One of the three originally-planned modules (
openagent-social) is parked since 2026-05-03. The target API has been intermittent since 2026-04-05 following Meta's acquisition of Moltbook. The container is still defined incompose.yml; the code is preserved atcomponents/openagent-social/.
- 64-bit Linux, macOS (Apple Silicon or Intel), or Windows
- Podman or Docker installed and runnable by the current user
- Approximately 4 GB free disk space for the five container images
- An Anthropic API key and a Telegram bot token (the in-app setup wizard explains how to obtain both)
Pre-built installers for all three platforms are attached to each GitHub release:
| Platform | Format |
|---|---|
| Linux | .deb, .rpm, .AppImage |
| macOS | .dmg (Apple Silicon and Intel) |
| Windows | .msi, .exe |
The setup wizard verifies that Podman or Docker is installed and walks the user through API-key entry and Telegram pairing. No terminal interaction is required after install.
For unsupported platforms or to audit the build pipeline, see Building from source below.
Architecture summary
The runtime perimeter consists of five containers connected by per-service internal compose networks. The L7 (application-layer) policy and the L3 (network-layer) policy live in separate containers — see ADR-0009 for the rationale.
| Container | Role | Description |
|---|---|---|
vault-agent |
Runtime containment | Read-only root filesystem, all Linux capabilities dropped, custom syscall profile, workspace mount only |
vault-forge |
Supply-chain defense | 87-pattern skill scanner, zero-trust line verifier, Content Disarm & Reconstruction pipeline |
vault-proxy |
L7 egress policy | Domain allowlist, API-key injection, request logging, post-resolve destination-IP check. Holds API keys; no internet attachment (chains to vault-egress). |
vault-pioneer |
Social-content analysis | Parked — see Limitations |
vault-egress |
L3 egress policy | Kernel-level RFC1918 drop; pinned DoT resolver (Quad9 + Cloudflare); the only container with internet attachment. Holds NET_ADMIN but no secrets. |
vault-proxy is the bridge between the internal containers. vault-egress is the bridge to the public internet. Neither container holds both API credentials and elevated network capabilities — that separation is the load-bearing security property the five-container topology exists for.
flowchart LR
USER[User] --> GUI["OpenTrApp GUI"]
GUI --> PERIMETER
subgraph PERIMETER["Perimeter"]
AGENT[vault-agent]
FORGE[vault-forge]
PIONEER["vault-pioneer<br/>(parked)"]
PROXY["vault-proxy<br/>(L7 policy)"]
EGRESS["vault-egress<br/>(L3 policy + DoT)"]
end
AGENT --> PROXY
FORGE --> PROXY
AGENT <-.->|"write-only volume"| FORGE
PROXY --> EGRESS
EGRESS --> ANTHROPIC[Anthropic API]
EGRESS --> TELEGRAM[Telegram]
EGRESS --> CLAWHUB[ClawHub]
classDef parked stroke-dasharray: 5 5,color:#777
class PIONEER parked
Five Mermaid drawings (topology, trust tiers, network-isolation matrix, the skill-loading flow, the assistant-state machine) are in docs/diagrams.md. The full architecture, attacker-capability matrix, defense-in-depth tables, and ownership matrix are in docs/trifecta.md and docs/threat-model.md.
Building from source
All three submodules are public; no special access is required.
git clone --recurse-submodules https://github.com/albertdobmeyer/opentrapp.git
cd opentrapp/app
npm install
npm run dev # frontend dev server
cd src-tauri && cargo build # Rust backendFor a release-style desktop build, install Tauri's prerequisites for the target platform and run cd app && npm run tauri build.
cd app/src-tauri && cargo test --lib # Rust unit tests (56 at v0.3.0)
cd app && npm test -- --run # Vitest (74 at v0.3.0)
cd app && npx tsc --noEmit # TypeScript strict
cd app && npx playwright test # End-to-end (25)
bash tests/orchestrator-check.sh # Manifest validation (42 checks)
podman compose up -d && podman compose down # Perimeter smoke testContinuous integration runs all of the above on every push to main and every release tag; see .github/workflows/ci.yml. For an end-to-end script that re-derives every numerical claim in this README from a fresh clone, see docs/reproduce.md and run bash docs/reproduce.sh.
Release artefacts are accompanied by a CycloneDX SBOM, a cosign keyless signature (sigstore), and a SLSA Build Level 2 build-provenance attestation. Verification:
# CycloneDX SBOM
syft scan packages:artefact.deb -o cyclonedx-json | diff - sbom.cyclonedx.json
# cosign signature (keyless / sigstore)
cosign verify-blob \
--certificate sbom.cyclonedx.json.pem \
--signature sbom.cyclonedx.json.sig \
--certificate-identity "https://github.com/albertdobmeyer/opentrapp/.github/workflows/ci.yml@refs/tags/vX.Y.Z" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
sbom.cyclonedx.json
# SLSA build provenance — see the `intoto.jsonl` asset on each release
cosign verify-attestation --type slsaprovenance ...opentrapp/ (this repository — desktop GUI + perimeter orchestrator)
├── components/
│ ├── opencli-container/ runtime containment (vault-agent + vault-proxy)
│ ├── openskill-forge/ supply-chain defense (vault-forge)
│ └── openagent-social/ social-content analysis (vault-pioneer) — parked
├── app/ Tauri 2 + React 18 desktop application
├── compose.yml 4-service perimeter with network isolation
├── schemas/component.schema.json component manifest contract
└── config/orchestrator-workflows.yml cross-component workflow definitions
See CLAUDE.md for the full architecture specification and contribution rules.
Released under the MIT License. The license permits use, modification, redistribution, and inclusion in derivative works subject only to the attribution requirement (preservation of the copyright notice). No warranty is provided.