Ironclad

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

Ironclad AI

How I used Claude Code (and Codex) for adversarial review to build my security-first agent gateway

Long-time lurker first time posting. Hey everyone! So earlier this year, I got pulled into the OpenClaw hype. WHAT?! A local agent that drives your tools, reads your mail, writes files for you? The demos seemed genuinely incredible, people were posting non-stop about it, and I wanted in. I had been working on this problem since last year and was genuinely excited to see that someone had actually solved it. Then around February, Summer Yue, Meta's director of alignment for Superintelligence Labs, posted that her agent had deleted over 200 emails from her inbox. YIKES. She'd told it: "Check this inbox too and suggest what you would archive or delete, don't action until I tell you to." When she pointed it at her real inbox, the volume of data triggered context window compaction, and during that compaction the agent "lost" her original safety instruction. She had to physically run to her computer and kill the process to stop it. That should literally NEVER be the case with any software ever. This is a person whose actual job is AI alignment, at Meta's superintelligence lab, who could not stop an agent from deleting her email. The agent's own memory management quietly summarized away the "don't act without permission" instruction, treated the task as authorized, and started speed-running deletions. She had to kill the host process. That's when I sort of went down the rabbit hole, not because Yue did anything wrong, but because the failure mode was actually architectural and I knew that in my gut. Guess what I found? Yep. Tons more instances of this sort of thing happening. Over and over. Why? Because the safety constraint was just a prompt. It's obvious, isn't it? It's LLM 101. Prompts can be summarized away. Prompts can be misread. Prompts are fucking NOT a security boundary. And yet every agent framework I have ever seen seems to be treating them as one. I went and read the OpenClaw source code, which I should have done to begin with. What I found was a pattern I think a lot of agent frameworks have fallen into: \- Tool names sit in the model context, so the model can guess or forge them \- "Dangerous mode" is one config flag away from default \- Memory management has no concept of instruction priority \- The audit story is mostly "the model thought it should" I went looking for a security-first alternative I could trust, anything that was really being talked about or at a bare minimum attempted to address the security concerns I had. I couldn't find one. So I made it myself. CrabMeat is what came out of that, what I WANTED to exist. v0.1.0 dropped yesterday. Apache 2.0. WebSocket gateway for agentic LLM workloads. One design thesis: The LLM never holds the security boundary. **What that means in code:** **Capability ID indirection.** The model doesn't see real tool names. It sees per-session HMAC-derived opaque IDs (cap\_a4f9e2b71c83). It can't guess or forge a tool name because it doesn't know any tool names. **Effect classes.** Every tool declares a class (read, write, exec, network). Every agent declares which classes it can use. The check is a pure function with no runtime state, easy to test exhaustively, hard to bypass. **IRONCLAD\_CONTEXT.** Critical safety instructions are pinned to the top of the context window and explicitly marked as non-compactable. The Yue failure mode, compaction silently stripping the safety constraint, cannot happen by construction. The compactor literally cannot touch them. **Tamper-evident audit chain.** Every tool call, every privileged operation, every scheduler run enters the same SHA-256 hash-chained log. If something happens, you can prove what happened. If the chain is tampered with, you can prove that too. **Streaming output leak filter.** Secrets are caught mid-stream across token boundaries, capability IDs, API keys, JWTs, PEM blocks redacted before they reach the client. **No YOLO mode.** There is no global "trust the LLM with everything" switch. There never will be. Expanded reach comes through named scoped roots that are explicit, audit-logged, and bounded. The README has 15 'always-on' protections in a table. None of them can be turned off by config, because these things being toggleable is how the ecosystem ended up where it is. I decided to make sure that this wasn't just a 'trend hopping' project and aligned with my own personal values as well. I built this to be secure and local-first by default. Configured for Ollama / LM Studio / vLLM out of the box. Anthropic and OpenAI work too but require explicit configuration. There is no "happy path" that silently ships your prompts to a cloud endpoint. I decided that FIRST it needed to only run as an email agent with a CLI. Bidirectional IMAP + SMTP with allowlisted senders, threading preserved, attachments handled. This is the use case that bit Yue and a lot of other people, and I wanted to prove it could be done with real boundaries. I added in 30+ built-in t

Anthropic launches Claude For Legal with practice-area plugins and MCP connectors to nine major legal platforms

Anthropic rolled out Claude For Legal (May 12), adding practice-area plugins for commercial, employment, privacy, product, corporate, and AI governance law. The release also includes MCP connectors to tools lawyers already use: DocuSign, Ironclad, iManage, NetDocuments, LexisNexis, Thomson Reuters, Box, Everlaw, and LSuite. This follows the same playbook as Claude for Creative Work from April. Anthropic seems to be systematically building vertical-specific connector ecosystems rather than shipping a general-purpose tool. Each launch bundles domain plugins with integrations into the professional software stack people already have open. Curious whether anyone in legal has tried the practice-area plugins yet, specifically how they compare to just prompting base Claude with domain context. Source: [https://www.streetinsider.com/Reuters/Anthropic%2Bexpands%2BClaude%27s%2BAI%2Btools%2Bfor%2Blaw%2Bfirms%2C%2Blawyers/26476360.html](https://www.streetinsider.com/Reuters/Anthropic%2Bexpands%2BClaude%27s%2BAI%2Btools%2Bfor%2Blaw%2Bfirms%2C%2Blawyers/26476360.html)