Kodachi Claw - Anonymous AI Agent Runtime

Documentation Navigation

Navigate the documentation:

• Anonymity Features - What makes kodachi-claw invisible
• Internet Recovery - Auto-heal after MAC changes
• CLI Reference - All commands and flags
• Quick Start - Launch your first anonymous agent

File Information

Property	Value
Binary Name	kodachi-claw
Version	9.0.1
File Size	28.3MB
Author	theonlyhennygod
License	Proprietary - Kodachi OS
Category	AI & Intelligence
Description	Kodachi hardened AI runtime with embedded anonymity controls
JSON Data	View Raw JSON

SHA256 Checksum

f62a591c302a284dbfe11b1b32251e85d20401eedcbbbb95a1923d22a43ccc5f

---

The Power of ZeroClaw. The Anonymity of Kodachi.

Get the power of ZeroClaw with full anonymity. Forged from ZeroClaw's ultra-lightweight Rust agent engine, kodachi-claw hides your AI agent inside the Tor network. Every API call, every model request, every channel message is routed through embedded Tor circuits. Your agent cannot be tracked, fingerprinted, or traced back to you.

While other AI agent runtimes run on the open internet, kodachi-claw wraps that same agent runtime with Kodachi's anonymity stack: embedded Tor circuits, identity randomization, OPSEC filtering, and network namespace isolation.

What is ZeroClaw?

ZeroClaw is an ultra-lightweight Rust AI agent runtime, the fastest and smallest autonomous assistant. It connects to 28+ AI providers, listens on 15+ communication channels (Telegram, Discord, Slack, Matrix, WhatsApp, Signal, Email, and more), executes tools, manages memory, and runs scheduled tasks, all from a single static binary.

kodachi-claw is forged from ZeroClaw and inspired by OpenClaw, the original Node.js personal AI assistant that pioneered multi-channel agent communication. kodachi-claw takes the ZeroClaw engine and wraps it with Kodachi's anonymity stack, making it the only AI agent runtime that operates entirely inside the Tor network.

Independent Runtime

kodachi-claw is not a KAICS sub-binary. It is an independent, standalone runtime that integrates Kodachi services (online-auth, ip-fetch, tor-switch, oniux) directly as in-process Rust libraries.

---

The Claw Family

Claw Family Variants 7 PROJECTS

All variants of the open-source AI agent runtime family, from the original Node.js project to ultra-minimal Zig and anonymity-hardened Kodachi fork.

Project	Language	Size	Description	Repository
OpenClaw	Node.js	~28MB dist · >1GB RAM	The original personal AI assistant on any platform	openclaw/openclaw
ZeroClaw	Rust	3.4MB bin · <5MB RAM	Ultra-lightweight: 99% less memory, runs on $10 hardware	zeroclaw-labs/zeroclaw
NullClaw	Zig	678KB bin · ~1MB RAM	Fastest and smallest: 678KB binary, <2ms startup	nullclaw/nullclaw
PicoClaw	Go	~8MB bin · <10MB RAM	Tiny personal agent: <10MB RAM footprint	sipeed/picoclaw
IronClaw	Rust	~4MB bin · <8MB RAM	Privacy-focused with WASM-sandboxed tools	nearai/ironclaw
NanoClaw	TypeScript	~12MB dist · ~80MB RAM	Lightweight container-secured agent with Claude Agent SDK, WhatsApp, scheduled jobs	qwibitai/nanoclaw
Kodachi Claw	Rust	28.3MB bin · ~45MB RAM	Anonymity-hardened: embedded Tor, OPSEC filter, namespace isolation	Desktop XFCE · Terminal Server · Binary Package · Standalone Download · CLI Reference

Key Differentiator

All the claws give you an AI agent. Only kodachi-claw makes that agent invisible.

---

Standalone Download

kodachi-claw ships pre-installed with the Kodachi Terminal Server ISO, the Kodachi Desktop XFCE ISO, and the binary package. For separate deployment, it is also available as a standalone download below — no installer needed. Download both files to the same folder and run. The public key is embedded at compile time, so only the binary and its .sig file are required.

kodachi-claw Binary

Standalone

Single static binary with embedded Tor runtime, identity randomization, and OPSEC filtering. Linux x86-64 only.

v9.0.1 28.3MB

Download kodachi-claw Download Signature (.sig)

Installation

Download both files to the same folder and make the binary executable. No dependencies required — everything is statically linked. You can also download via browser and place both files in any directory you prefer (Desktop, Downloads, etc.).

# Option 1: wget (download both files to a new folder)
mkdir -p ~/kodachi-claw && cd ~/kodachi-claw
wget https://www.kodachi.cloud/apps/os/install/kodachi-claw/kodachi-claw
wget https://www.kodachi.cloud/apps/os/install/kodachi-claw/kodachi-claw_v9.0.1.sig
chmod 755 kodachi-claw

# Option 2: curl (same result, different tool)
mkdir -p ~/kodachi-claw && cd ~/kodachi-claw
curl -LO https://www.kodachi.cloud/apps/os/install/kodachi-claw/kodachi-claw
curl -LO https://www.kodachi.cloud/apps/os/install/kodachi-claw/kodachi-claw_v9.0.1.sig
chmod 755 kodachi-claw

# Run (requires sudo for identity randomization)
sudo ./kodachi-claw onboard --interactive

Both Files Required

You must download both kodachi-claw (the binary) and kodachi-claw_v9.0.1.sig (the signature) and place them in the same folder. The binary verifies its own signature on startup — without the .sig file, kodachi-claw will refuse to run. You can use any directory you like: ~/Desktop, ~/Downloads, /opt/kodachi-claw, or anywhere else — just keep both files together.

Binary Integrity & Build Info

Version

9.0.1

Build Date

2026-02-21

File Size

28.3MB

SHA256 Checksum: f62a591c302a284dbfe11b1b32251e85d20401eedcbbbb95a1923d22a43ccc5f

Verification: The public key is embedded at compile time. Place the .sig file in the same directory as the binary — kodachi-claw verifies its own signature on startup.

---

ZeroClaw vs Kodachi Claw

kodachi-claw shares the ZeroClaw agent engine but adds a full anonymity stack, enhanced security, Kodachi service integration, and CLI enhancements. This table shows what kodachi-claw adds on top of ZeroClaw:

ZeroClaw Base Engine UPSTREAM

The open-source Rust agent runtime that Kodachi Claw is forked from. All features below are inherited.

Category	Feature
AI Providers	29+ built-in: OpenAI, Anthropic (Claude), OpenRouter, Cohere, Groq, Hugging Face, Together AI, Replicate, Ollama, vLLM, custom OpenAI-compatible endpoints. Subscription-native auth for OpenAI Codex and Claude Code via OAuth.
Channels	15+ channels: CLI, Telegram, Discord, Slack, Mattermost, iMessage, Matrix, Signal, WhatsApp, Email, IRC, Lark, DingTalk, QQ, Webhooks
Tools	Shell execution, file operations, memory management, cron scheduling, Git integration, HTTP requests, browser automation, screenshots, image analysis, Composio integrations, delegation
Memory	Backends: SQLite (default), PostgreSQL, Markdown files, Lucid. Hybrid vector + keyword search (FTS5 BM25). Auto-save, LRU cache, snapshot/hydrate, safe reindex.
Hardware	STM32 microcontrollers, Raspberry Pi GPIO, USB peripherals. Runs on ARM64, x86-64, ARMv7. Optimized for <5MB RAM on $10 hardware.
Security	Gateway pairing, Docker sandboxing, allowlists, rate limiting, filesystem scoping, encrypted secrets at rest, workspace isolation, config-based access control
Secret Store	ChaCha20-Poly1305 AEAD encrypted credential storage with multi-profile authentication
Integrations	70+ integrations across 9 categories. Skill loader supporting TOML manifests with markdown instructions.
Tunneling	Cloudflare, Tailscale, ngrok, custom implementations, or none
Observability	Noop, Log, Multi observer types. Extensible for Prometheus and OpenTelemetry.
Scheduler	Cron-based task scheduling, heartbeat engine for periodic tasks, persistent job store
Daemon Mode	Systemd service management, background operation, auto-restart, one-click bootstrap installer
Runtime	Native execution, Docker sandboxed runtime. Response caching, memory migration from competing systems, shell completions, diagnostics.

What Kodachi Claw Adds KODACHI EXCLUSIVE

Production-grade anonymity layer built on top of ZeroClaw. These features exist only in Kodachi Claw.

Addition	What It Does
Embedded Arti Tor	Full Tor stack compiled into the binary. Multi-circuit pool (default 10 instances) with load balancing. Every API call, model request, and channel message routed through Tor.
Circuit Pool Manager	Configurable circuit count (1-50), sticky circuits for session consistency, automatic circuit rotation, health monitoring per circuit.
Identity Randomization	MAC address randomization via macchanger, hostname randomization via hostnamectl, timezone randomization via timedatectl. All on startup, auto-restored on exit.
OPSEC Filter	Scans all outbound agent messages and redacts identity leaks (real IPs, hostnames, usernames, MAC addresses) before they reach any provider or channel.
Namespace Isolation (oniux)	Kernel-level network namespace via oniux. All traffic is forced through Tor at the OS level. No DNS or IP leaks possible, even from child processes.
IP Leak Verification	Automated check on startup via ip-fetch. Confirms traffic exits through Tor network, not your real IP. Blocks operation if verification fails.
DNS Leak Verification	Automated DNS leak test on startup. Confirms DNS queries are routed through Tor, not your ISP resolvers.
Kodachi Auth Gate	In-process online-auth integration with device ID verification, auto-recovery, and session persistence. No external auth binary needed.
Extended Sandboxing	Adds Bubblewrap and Firejail backends on top of ZeroClaw's Landlock and Docker support.
Preflight Checks	Full anonymity preflight before agent starts: Tor bootstrap, identity randomization, IP/DNS verification, OPSEC filter init, instance locking.
Cleanup on Exit	Restores original MAC, hostname, and timezone on exit. Tears down Tor circuits and cleans instance locks.
4 Circuit Strategies	Round-robin, random, least-used, and sticky strategies for Tor circuit selection. Sticky keeps the same exit node per channel to prevent identity flickering.
Instance Locking	Prevents Tor instance conflicts across concurrent runs. Ensures only one kodachi-claw process controls the circuit pool at a time.
Claude Code CLI Provider	No API key needed — invokes installed Claude Code CLI directly as a subprocess. Lazy path detection, 120s timeout, secret scrubbing.
ai-gateway Integration	Safe command execution through policy firewall and approval workflow. Three-tier risk classification with human-in-the-loop for dangerous operations.
CLI Enhancements (cli-core)	--json / --json-pretty / --json-human output modes, -e examples, -n info. Consistent CLI framework shared across all Kodachi binaries.
Internet Recovery	Automatic connectivity check (IP ping + DNS resolve) after identity changes and on shutdown. Invokes health-control NetworkRecovery in-process when connectivity is lost. Standalone recover-internet subcommand for on-demand recovery.
Signal Handler	Graceful SIGINT/SIGTERM handling ensures cleanup (identity restore, internet recovery, Tor teardown) always runs, even when interrupted with Ctrl+C.
Service Libraries	Integrates online-auth, ip-fetch, tor-switch, oniux, dns-leak, permission-guard, integrity-check, deps-checker, logs-hook, health-control as in-process Rust libraries (not shell calls).

---

Anonymity Architecture

kodachi-claw wraps the ZeroClaw agent engine with a multi-layered anonymity stack:

┌─────────────────────────────────────────────────────────────┐
│                     kodachi-claw binary                      │
│                                                              │
│  ┌──────────┐   ┌────────────────────────────────────────┐  │
│  │  Agent    │   │     Anonymity Stack                    │  │
│  │  Engine   │   │                                        │  │
│  │ ─────────→│   │  ┌──────────┐  ┌───────────────────┐  │  │
│  │ Providers │   │  │ OPSEC    │  │ Identity           │  │  │
│  │ Channels  │   │  │ Filter   │  │ Randomization      │  │  │
│  │ Tools     │   │  │ (redact) │  │ MAC/Host/Timezone  │  │  │
│  │ Memory    │   │  └────┬─────┘  └───────────────────┘  │  │
│  │ Scheduler │   │       │                                │  │
│  └──────────┘   │  ┌────▼───────────────────────────────┐│  │
│                  │  │    Embedded Arti Tor Runtime        ││  │
│                  │  │    ┌─────┐┌─────┐┌─────┐ ... ×10   ││  │
│                  │  │    │Circ1││Circ2││Circ3│            ││  │
│                  │  │    └──┬──┘└──┬──┘└──┬──┘            ││  │
│                  │  └───────┼──────┼──────┼───────────────┘│  │
│                  └──────────┼──────┼──────┼────────────────┘  │
└─────────────────────────────┼──────┼──────┼──────────────────┘
                              ▼      ▼      ▼
                         Tor Exit Nodes → AI Providers / Channels

Embedded Tor Runtime

kodachi-claw embeds the Arti Tor stack directly into the binary, no external Tor daemon needed.

Mode	Flag	Description
Multi-Circuit (default)	--mode multi-circuit	Pool of N Tor instances (default 10), load-balanced across requests
Isolated	--mode isolated	Full network namespace via oniux, separate kernel network stack
Single	--mode single	One Tor circuit for low-resource environments

Circuit assignment strategies (--circuit-strategy):

Strategy	Behavior
round-robin (default)	Each request goes to the next circuit in sequence
random	Random circuit per request
least-used	Route to the circuit with fewest active connections
sticky	Same tool/channel always uses the same circuit

Identity Randomization

On startup, kodachi-claw randomizes your system fingerprint:

Feature	Flag to Skip	Description
MAC address	--skip-mac	Randomizes network interface MAC address
Hostname	--skip-hostname	Sets a random hostname
Timezone	--skip-timezone	Sets a random timezone
All three	--skip-identity	Skip all identity randomization

Use --restore-on-exit to restore original MAC, hostname, and timezone on shutdown.

Use --auto-recover-internet to automatically check and recover internet connectivity after each identity change (especially MAC randomization which cycles network interfaces) and on shutdown.

Verification & Leak Prevention

Feature	Flag to Skip	Description
IP verification	--skip-ip-check	Confirms traffic exits through Tor
DNS verification	--skip-dns-check	Confirms DNS queries don't leak
OPSEC filter	-	Redacts outbound identity leaks from agent messages
Auth gate	--auth-mode auto\|required	Kodachi online-auth integration (always runs, mode controls failure behavior)
Preflight checks	--skip-integrity-check, --skip-permission-check	Integrity and permission verification before launch

Tor Instance Management

Setting	Flag	Default
Pool size	--tor-instances N	10
Instance policy	--instance-policy	reuse (alternatives: new, mixed)
Instance prefix	--instance-prefix	kodachi-claw-instance

Namespace Isolation (oniux)

With --mode isolated, kodachi-claw uses oniux to create a Linux network namespace that forces ALL traffic through Tor at kernel level, no bypass is possible, even from misbehaving tools or libraries.

---

Quick Start

First-Time Setup

# 1. Run the interactive setup wizard (no sudo needed for onboard)
kodachi-claw onboard --interactive

# 2. Or quick setup with an API key
kodachi-claw onboard --api-key sk-... --provider openrouter

Launch Anonymous Agent

# Start interactive agent with full anonymity (10 Tor circuits)
sudo kodachi-claw agent

# Single query through Tor
sudo kodachi-claw agent --message "check my security posture"

# Start autonomous daemon (all channels + gateway + scheduler)
sudo kodachi-claw daemon

Control Anonymity Level

# Maximum isolation — kernel-level namespace via oniux
sudo kodachi-claw --mode isolated agent

# 20 Tor circuits for high-throughput agents
sudo kodachi-claw --tor-instances 20 daemon

# Sticky circuits — same tool always uses same exit node
sudo kodachi-claw --circuit-strategy sticky daemon

# Restore identity on exit
sudo kodachi-claw --restore-on-exit agent

# Skip all anonymity (direct connection — local testing only)
sudo kodachi-claw --skip-anonymity agent

Check Status

# Show Tor circuits, identity state, agent status
sudo kodachi-claw status

# JSON output for automation
sudo kodachi-claw --json-pretty status

# Show all commands and examples
kodachi-claw -e

---

Kodachi Service Integration

kodachi-claw integrates these Kodachi services directly as in-process Rust libraries (not external binary calls):

Service	Integration
online-auth	Authentication gate, verifies Kodachi license before agent launch
ip-fetch	IP verification, confirms traffic exits through Tor
tor-switch	Tor instance management, creates and manages embedded Arti circuits
oniux	Namespace isolation, Linux network namespace for --mode isolated
cli-core	Shared CLI framework, consistent output formatting and JSON modes
auth-shared	Shared authentication, device ID and session management

Optional integrations (enabled with --features kodachi-services):

Service	Integration
dns-leak	DNS verification during preflight
permission-guard	Permission checks during preflight
integrity-check	Binary integrity verification
deps-checker	Dependency validation
logs-hook	Centralized logging
health-control	Internet connectivity recovery after identity changes (NetworkRecovery in-process)

---

Claude Code CLI Provider — No API Key Needed

kodachi-claw includes a built-in Claude Code CLI provider that invokes the installed claude binary as a subprocess. No API key management needed. Claude Code handles authentication internally.

How It Works

1. Lazy path detection - the CLI path is detected on first use (not at startup), so construction never fails
2. Hardened search order - checks well-known paths first (/usr/local/bin/claude, /usr/bin/claude), then ~/.local/bin/claude, then falls back to which claude
3. Subprocess invocation - runs claude -p <prompt> --output-format text [--model <model>]
4. 120-second timeout - prevents hanging on long operations
5. Secret scrubbing - redacts API keys from error messages

Usage

# Configure kodachi-claw to use Claude Code as the provider
kodachi-claw onboard --provider claude-code

# Or use it directly in agent mode (provider aliases: claude-code, claude, claude-cli)
kodachi-claw agent --provider claude-code --message "analyze my security posture"

# List all providers (claude-code shows as local — no API key required)
kodachi-claw providers list

Why This Matters

Most AI providers require API keys. On a fresh Kodachi installation, no API keys are configured. The Claude Code CLI provider bypasses this entirely. If Claude Code is installed, kodachi-claw can use it immediately. Combined with the anonymity stack, your agent talks to Claude through Tor with no API key exposure.

---

ai-gateway Integration — Safe Command Execution

kodachi-claw integrates with ai-gateway for policy-gated command execution across all Kodachi services. The gateway provides service discovery, risk classification, and approval workflows.

Discovery — Find Commands

# kodachi-claw can discover available commands through ai-gateway
ai-gateway search "check tor status" --limit 1 --json | jq '.data.results[0].invocation'

# Get full command specification
ai-gateway help tor-switch tor-status --json | jq '.data.needs_root,.data.offline_safe,.data.network_touching'

Safe Execution — Validate Then Run

# Step 1: Dry-run validates without executing
ai-gateway run tor-switch --command tor-status --dry-run --json

# Step 2: Execute passive command (no env var needed)
ai-gateway run tor-switch --command tor-status --json

# kodachi-claw integration path through ai-gateway
ai-gateway run kodachi-claw --command status --dry-run --json
ai-gateway run kodachi-claw --command status --json

Agent Identity and Capabilities

# Discover what kodachi-claw is allowed to do
ai-gateway capabilities --agent-id kodachi-claw \
  --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW --json

Approval Workflow for Dangerous Operations

# Step 1: Human issues a time-limited approval ticket (10 minutes)
TICKET=$(ai-gateway approve issue health-control block-internet \
  --agent-id kodachi-claw --ttl 600 --json | jq -r '.data.ticket')

# Step 2: kodachi-claw executes using identity + ticket
ai-gateway run health-control --command block-internet \
  --agent-id kodachi-claw \
  --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW \
  --approval-ticket "$TICKET" --json

Why This Matters

Without ai-gateway, kodachi-claw executes commands directly. With ai-gateway, every command goes through a policy firewall with three-tier risk classification (Passive/Active/Dangerous), per-agent rate limiting, and human-in-the-loop approval for destructive operations. This adds a safety layer between the autonomous agent and real system operations.

For full ai-gateway workflows, see the ai-gateway Guide.

---

Scenario 1: First-Time Setup — Onboard and Launch Your Anonymous Agent

Get kodachi-claw running with full Tor anonymity in under 5 minutes.

Step 1: Initialize Workspace

# Interactive setup — walks you through provider selection, API keys, channels
kodachi-claw onboard --interactive

# Or quick setup with a single API key
kodachi-claw onboard --api-key sk-... --provider openrouter

Step 2: Launch the Agent Through Tor

# Start the agent — boots 10 Tor circuits, randomizes identity, verifies IP/DNS
sudo kodachi-claw agent

# Expected startup sequence:
# ✓ MAC address randomized (was 00:1A:2B:3C:4D:5E → 7A:3F:91:D2:E8:4C)
# ✓ Hostname randomized (was kodachi → xr7-phantom-node)
# ✓ Timezone randomized (was UTC → Pacific/Fiji)
# ✓ Tor pool started: 10 circuits active
# ✓ IP verification passed: exit node 185.xxx.xxx.xxx (Tor)
# ✓ DNS verification passed: no leaks detected
# ✓ Agent ready — all traffic routed through Tor

Step 3: Verify Anonymity

# Check full system status
sudo kodachi-claw status

# JSON output for scripting
sudo kodachi-claw --json-pretty status

Why this matters: Every API call, model request, and channel message goes through embedded Tor circuits. Your real IP, MAC, hostname, and timezone are never exposed.

---

Scenario 2: Maximum Isolation — Kernel-Level Namespace via Oniux

When standard Tor routing isn't enough, use network namespace isolation to guarantee no traffic bypasses Tor.

Step 1: Launch in Isolated Mode

# Full network namespace — separate kernel network stack
sudo kodachi-claw --mode isolated agent

# Expected output:
# ✓ Creating network namespace via oniux...
# ✓ Namespace active: all traffic forced through Tor at kernel level
# ✓ No bypass possible — even misbehaving libraries are contained

Step 2: Verify Namespace Isolation

# All traffic from the agent process is confined to the Tor namespace
sudo kodachi-claw --mode isolated --json-pretty status

Step 3: Run Autonomous Daemon in Isolation

# Long-running autonomous runtime with kernel-level Tor enforcement
sudo kodachi-claw --mode isolated daemon

Why this matters: In isolated mode, oniux creates a Linux network namespace that forces ALL traffic through Tor at the kernel level. Even if a tool or library tries to make a direct connection, it physically cannot — the kernel blocks it.

---

Scenario 3: High-Throughput Daemon — Multi-Circuit Load Balancing

Run an autonomous agent across multiple Tor circuits for parallel operations.

Step 1: Start Daemon with 20 Circuits

# 20 Tor circuits for high-throughput channel monitoring
sudo kodachi-claw --tor-instances 20 daemon

# Expected output:
# ✓ Tor pool started: 20 circuits active
# ✓ Gateway listening on 127.0.0.1:3000
# ✓ Channels active: Telegram, Discord, Matrix
# ✓ Scheduler running: 3 cron jobs
# ✓ Heartbeat: every 60s

Step 2: Use Sticky Circuits for Consistent Identity

# Same channel always uses the same exit node — prevents identity flickering
sudo kodachi-claw --tor-instances 20 --circuit-strategy sticky daemon

Step 3: Monitor Circuit Health

# Check all circuits and their status
sudo kodachi-claw --json-pretty status

# Run diagnostics
sudo kodachi-claw doctor

Why this matters: Each Tor circuit has a different exit IP. With round-robin or random strategy, your agent's apparent location changes per request. With sticky, each channel gets a consistent identity while remaining anonymous.

---

Scenario 4: Identity Management — Randomize, Verify, Restore

Control exactly what gets randomized and restore your original identity on exit.

Step 1: Selective Identity Randomization

# Randomize MAC only (skip hostname and timezone)
sudo kodachi-claw --skip-hostname --skip-timezone agent

# Randomize hostname only
sudo kodachi-claw --skip-mac --skip-timezone agent

# Skip all identity randomization (use current MAC/hostname/timezone)
sudo kodachi-claw --skip-identity agent

Step 2: Auto-Restore on Exit

# Randomize everything, but restore originals when the agent stops
sudo kodachi-claw --restore-on-exit agent

# Expected on shutdown:
# ✓ Restoring MAC address: 7A:3F:91:D2:E8:4C → 00:1A:2B:3C:4D:5E
# ✓ Restoring hostname: xr7-phantom-node → kodachi
# ✓ Restoring timezone: Pacific/Fiji → UTC
# ✓ Tor circuits closed
# ✓ Cleanup complete

Step 3: Skip Everything for Local Testing

# No Tor, no identity randomization — direct connection (testing only!)
sudo kodachi-claw --skip-all agent

Why this matters: --restore-on-exit ensures your system returns to its original state after the agent stops. This is critical for shared machines or when switching between anonymous and normal operations.

---

Scenario 5: Multi-Channel Anonymous Communication

Deploy your agent across multiple communication channels, all routed through Tor.

Step 1: Add Channels

# Add Telegram channel
kodachi-claw channel add --type telegram --token BOT_TOKEN --chat-id CHAT_ID

# Add Discord channel
kodachi-claw channel add --type discord --token BOT_TOKEN --channel-id CHANNEL_ID

# Add Matrix channel
kodachi-claw channel add --type matrix --homeserver https://matrix.org --token ACCESS_TOKEN --room-id ROOM_ID

Step 2: Start Daemon with All Channels

# Start autonomous daemon — listens on all configured channels through Tor
sudo kodachi-claw daemon

# Messages from Telegram, Discord, Matrix all arrive through Tor circuits
# Responses go back through Tor — channel providers never see your real IP

Step 3: Check Channel Health

# List active channels
kodachi-claw channel list

# Run channel diagnostics
kodachi-claw channel doctor

Why this matters: Every channel connection (Telegram API, Discord WebSocket, Matrix federation) goes through Tor. The channel providers see a Tor exit node, not your real IP address.

---

Scenario 6: Scheduled Tasks — Cron Jobs Through Tor

Schedule automated tasks that execute anonymously on a timer.

Step 1: Add Scheduled Tasks

# Run a security check every hour
kodachi-claw cron add --schedule "0 * * * *" --command "check security posture"

# Send a daily report to Telegram at 9am
kodachi-claw cron add --schedule "0 9 * * *" --command "send daily security report"

# Run DNS leak check every 30 minutes
kodachi-claw cron add-every --interval 30m --command "verify dns integrity"

Step 2: List and Manage Tasks

# List all scheduled tasks
kodachi-claw cron list

# Pause a task
kodachi-claw cron pause --id 1

# Remove a task
kodachi-claw cron remove --id 2

Step 3: Run Daemon with Scheduler

# Daemon automatically runs all cron jobs through Tor
sudo kodachi-claw daemon

Why this matters: Scheduled tasks inherit the full anonymity stack — each cron execution goes through Tor with a fresh or reused circuit depending on your instance policy.

---

Scenario 7: Service Management — Install as System Service

Run kodachi-claw as a persistent system service that starts on boot.

Step 1: Install the Service

# Install as systemd service
sudo kodachi-claw service install

# Start the service
sudo kodachi-claw service start

# Check service status
sudo kodachi-claw service status

Step 2: Service Operates with Full Anonymity

# The service runs with the same anonymity stack:
# - Tor circuits are established on service start
# - Identity is randomized on service start
# - All channels and cron jobs run through Tor
# - Restore-on-exit triggers on service stop

Step 3: Manage the Service

# Stop the service
sudo kodachi-claw service stop

# Uninstall the service
sudo kodachi-claw service uninstall

Why this matters: As a system service, kodachi-claw starts automatically on boot with full anonymity. No manual intervention needed — your agent is always running and always anonymous.

---

Scenario 8: Diagnostics and Troubleshooting

Diagnose issues with Tor connectivity, channels, and system health.

Step 1: Run Full Diagnostics

# Check daemon, scheduler, and channel freshness
sudo kodachi-claw doctor

# Check AI provider model availability
sudo kodachi-claw doctor models

Step 2: Verbose Status Output

# Detailed status with all Tor circuits, identity state, agent config
sudo kodachi-claw -V status

# JSON output for parsing
sudo kodachi-claw --json-pretty status

Step 3: Test Connectivity Without Starting Agent

# Skip agent startup — just verify anonymity stack works
sudo kodachi-claw --skip-all status

# Test only Tor connectivity
sudo kodachi-claw agent --message "what is my IP?" --json

Why this matters: The doctor command checks all subsystems (Tor circuits, channel connections, scheduler jobs, provider availability) and reports issues before they become problems.

---

Scenario 9: Internet Recovery — Auto-Heal After Identity Changes

MAC address randomization cycles network interfaces down and up, which can break internet connectivity. kodachi-claw can automatically detect and recover from this.

Step 1: Enable Auto-Recovery

# Auto-recover internet after MAC changes and on shutdown
sudo kodachi-claw --auto-recover-internet --restore-on-exit agent

# Expected startup sequence:
# ✓ MAC address randomized (was 00:1A:2B:3C:4D:5E → 7A:3F:91:D2:E8:4C)
# ✓ Waiting 2s for interfaces to stabilize...
# ✓ Net check: IP ping OK, DNS resolve OK
# ✓ Internet connectivity verified after MAC change
# ✓ Hostname randomized
# ✓ Timezone randomized
# ✓ Tor pool started: 10 circuits active

Step 2: Standalone Recovery Command

# Check connectivity and recover if broken
sudo kodachi-claw recover-internet

# Force recovery (skip connectivity check, go straight to health-control)
sudo kodachi-claw recover-internet --force

# JSON output for automation
sudo kodachi-claw --json recover-internet

Step 3: Override Auto-Recovery

# Disable auto-recovery even if another flag enables it
sudo kodachi-claw --auto-recover-internet --skip-auto-recover-internet agent

How Recovery Works

1. Net check: Pings 1.1.1.1 (IP layer) and resolves google.com (DNS layer) with 6s timeouts
2. If connectivity OK: Continues normally
3. If connectivity lost: Invokes health-control NetworkRecovery in-process (library call, not binary)
4. Health-control tries: ~10 recovery methods (interface restart, DHCP renew, DNS reset, etc.)
5. Verification: Runs net check again to confirm recovery
6. Non-fatal: All outcomes are logged but never abort the agent — connectivity loss is degraded, not fatal

Recovery Points

Trigger	When
Post-MAC change	After network interface cycling during MAC randomization
Post-identity bootstrap	After all identity changes complete (belt-and-suspenders)
Shutdown	After identity restore, before Tor teardown
SIGINT/SIGTERM	Signal handler runs cleanup path including recovery
Manual	kodachi-claw recover-internet subcommand

Why this matters: MAC randomization takes network interfaces down and up. On some hardware or network configurations, connectivity doesn't automatically restore. Auto-recovery ensures your agent always has internet access without manual intervention.

---

System Information

Component	Version	License
kodachi-claw	9.0.1	Apache-2.0
Arti (Tor)	1.9.0	MIT/Apache-2.0
oniux	0.8.1	MIT/Apache-2.0
Documentation	9.0.1	All Rights Reserved

---

Related Documentation

• AI Overview — Full AI architecture, KAICS system, and service dependency map
• ai-cmd Scenarios — Natural language command execution and AI engine tiers
• ai-gateway CLI Reference — Command catalog, policy firewall, and safe execution
• kodachi-claw CLI Reference — Complete flag and subcommand reference
• ai-trainer Scenarios — Model training and snapshot management
• ai-learner Scenarios — Learning cycle and accuracy analysis
• ai-discovery Scenarios — Command pattern discovery and training data generation
• ai-monitor Scenarios — System monitoring and proactive suggestions

Examples

AI Agent

Start and interact with the AI agent

Interactive session with full anonymity

sudo kodachi-claw agent

Expected Output: Tor bootstrapped, identity randomized, agent ready

Note

Requires onboarding first: kodachi-claw onboard

Single message mode

sudo kodachi-claw agent --message "What is my IP?"

Expected Output: Response through Tor-routed connection

Specific provider/model

sudo kodachi-claw agent --provider anthropic --model claude-sonnet-4-5-20250929

Expected Output: Agent session using Anthropic Claude

Local offline model

sudo kodachi-claw agent --message "scan ports" --provider ollama --model llama3

Expected Output: Agent runs with local model, Tor still active for tools

Low temperature for deterministic output

sudo kodachi-claw agent --temperature 0.2 --message "write secure code"

Expected Output: Agent runs with temperature 0.2

Hardware peripheral attached

sudo kodachi-claw agent --peripheral nucleo-f401re:/dev/ttyACM0 --message "blink LED"

Expected Output: Agent with STM32 board attached

Use installed Claude Code CLI (no API key)

sudo kodachi-claw agent --provider claude-code --message "What is my IP?" --skip-anonymity

Expected Output: Agent uses local Claude Code CLI for inference

Note

Requires claude CLI installed. No API key needed

Daemon & Gateway

Long-running services and webhook endpoints

Full daemon with all channels

sudo kodachi-claw daemon

Expected Output: Daemon running: all configured channels active

Note

Listens on all configured channels simultaneously

Custom gateway port

sudo kodachi-claw daemon --port 8080

Expected Output: Gateway + channels + heartbeat + scheduler running

Bind to all interfaces

sudo kodachi-claw daemon --host 0.0.0.0 --port 9090

Expected Output: Daemon bound to 0.0.0.0:9090

Gateway-only (webhook/WebSocket)

sudo kodachi-claw gateway --port 9090

Expected Output: Gateway accepting webhook requests on :9090

Install as systemd service

sudo kodachi-claw service install && sudo kodachi-claw service start

Expected Output: Service installed with auto-restart on failure

Setup & Onboarding

First-time configuration and channel management

Full wizard (9 steps)

kodachi-claw onboard --interactive

Expected Output: Guided 9-step setup wizard

Note

Run this first before using agent or daemon

Quick setup

kodachi-claw onboard --api-key sk-... --provider openrouter

Expected Output: Config created with OpenRouter provider

Quick setup with memory backend

kodachi-claw onboard --api-key sk-... --provider anthropic --memory sqlite

Expected Output: Config created with Anthropic + SQLite memory

Quick setup with Claude Code CLI (no API key)

kodachi-claw onboard --provider claude-code

Expected Output: Config created with claude-code provider

Note

No API key needed -- Claude Code handles auth internally

Reconfigure channels only

kodachi-claw onboard --channels-only

Expected Output: Channel configuration updated

Bind Telegram identity

kodachi-claw channel bind-telegram myusername

Expected Output: Telegram user bound to allowlist

Status & Diagnostics

System status, health checks, and diagnostics

Full status including MAC, hostname, timezone, IP, auth

sudo kodachi-claw status

Expected Output: Complete system status with identity info

Basic status without security/identity info

kodachi-claw status --skip

Expected Output: Config and channel status only

JSON status for automation

sudo kodachi-claw --json-pretty status

Expected Output: Pretty-printed JSON envelope with status data

Run health diagnostics

kodachi-claw doctor

Expected Output: Diagnostic report for daemon/scheduler/channels

Probe model availability

sudo kodachi-claw doctor models --provider openai

Expected Output: Available models for the specified provider

Scheduled Tasks

Configure and manage cron-style scheduled tasks

List all scheduled tasks

kodachi-claw cron list

Expected Output: Table of scheduled tasks with status

Run every 6 hours

kodachi-claw cron add "0 */6 * * *" "check disk space"

Expected Output: Task added with cron schedule

Weekly with timezone

kodachi-claw cron add "0 9 * * 1" "weekly report" --tz America/New_York

Expected Output: Task scheduled for Monday 9AM ET

One-shot at specific time

kodachi-claw cron add-at "2026-03-01T09:00:00Z" "deploy update"

Expected Output: One-time task scheduled

Every 5 minutes

kodachi-claw cron add-every 300000 "heartbeat check"

Expected Output: Interval task added (300s)

One-shot after 30 minutes

kodachi-claw cron once 30m "backup workspace"

Expected Output: One-time delayed task scheduled

Pause/resume tasks

kodachi-claw cron pause <ID> && kodachi-claw cron resume <ID>

Expected Output: Task paused/resumed

Models & Providers

Manage AI model catalogs and providers

Refresh model catalog from default provider

kodachi-claw models refresh

Expected Output: Model catalog updated

Force refresh from specific provider

sudo kodachi-claw models refresh --provider openai --force

Expected Output: OpenAI model catalog force-refreshed

List all 12+ supported AI providers

kodachi-claw providers

Expected Output: Provider table with active marker

Check cached model availability

kodachi-claw doctor models --use-cache

Expected Output: Model availability from cache

Channel Management

Configure and manage communication channels

List configured channels

kodachi-claw channel list

Expected Output: Channel status table

Start all configured channels

sudo kodachi-claw channel start

Expected Output: All channels listening

Health check all channels

sudo kodachi-claw channel doctor

Expected Output: Channel health report

Add Telegram channel

kodachi-claw channel add telegram '{"bot_token":"...","allowed_users":["user1"]}'

Expected Output: Telegram channel configured

Remove a channel

kodachi-claw channel remove discord

Expected Output: Discord channel removed

Bind Telegram user ID to allowlist

kodachi-claw channel bind-telegram 123456789

Expected Output: Telegram user ID bound

Authentication

Manage provider authentication profiles

OAuth login

kodachi-claw auth login --provider openai-codex

Expected Output: Browser-based OAuth flow started

Device code flow

kodachi-claw auth login --provider openai-codex --device-code

Expected Output: Device code displayed for authorization

Paste API key

kodachi-claw auth paste-token --provider anthropic --auth-kind api-key

Expected Output: API key stored securely

Interactive token entry

kodachi-claw auth setup-token --provider anthropic

Expected Output: Token stored in encrypted secret store

Refresh access token

kodachi-claw auth refresh --provider openai-codex

Expected Output: Token refreshed successfully

List all auth profiles

kodachi-claw auth list

Expected Output: Auth profile table with active markers

Show active profile and token expiry

kodachi-claw auth status

Expected Output: Profile status with expiration info

Remove auth profile

kodachi-claw auth logout --provider openai-codex

Expected Output: Auth profile removed

Skills Management

Manage user-defined capabilities

List installed skills

kodachi-claw skills list

Expected Output: Installed skills table

Install from GitHub

kodachi-claw skills install https://github.com/user/skill-repo

Expected Output: Skill installed and registered

Remove installed skill

kodachi-claw skills remove my-skill

Expected Output: Skill removed

Integrations

Browse and manage service integrations

Show GitHub integration details

kodachi-claw integrations info github

Expected Output: GitHub integration configuration and status

Show Jira integration details

kodachi-claw integrations info jira

Expected Output: Jira integration configuration and status

Migration

Import data from other agent runtimes

Preview migration without writing

kodachi-claw migrate openclaw --dry-run

Expected Output: Migration preview with changes listed

Import from OpenClaw

kodachi-claw migrate openclaw --source /path/to/openclaw/workspace

Expected Output: Data imported from OpenClaw workspace

Hardware & Peripherals

Discover and manage hardware devices

Enumerate USB devices and known boards

kodachi-claw hardware discover

Expected Output: Detected hardware devices

Introspect specific device

kodachi-claw hardware introspect /dev/ttyACM0

Expected Output: Device capabilities and firmware info

Get chip info

kodachi-claw hardware info --chip stm32f401re

Expected Output: Chip specifications and pinout

List configured peripherals

kodachi-claw peripheral list

Expected Output: Configured peripheral boards

Add STM32 board

kodachi-claw peripheral add nucleo-f401re /dev/ttyACM0

Expected Output: Peripheral added to config

Flash firmware

kodachi-claw peripheral flash --port /dev/ttyACM0

Expected Output: Firmware flashed to device

Service Lifecycle

Install and manage as a system service

Install as systemd/launchd service

sudo kodachi-claw service install

Expected Output: Service unit installed

Start the service

sudo kodachi-claw service start

Expected Output: Service started

Stop the service

sudo kodachi-claw service stop

Expected Output: Service stopped

Check service status

kodachi-claw service status

Expected Output: Service running/stopped status

Uninstall the service

sudo kodachi-claw service uninstall

Expected Output: Service unit removed

Anonymity & Tor Modes

Control Tor instances, circuits, and identity randomization

10 parallel circuits

sudo kodachi-claw --mode multi-circuit --tor-instances 10 agent

Expected Output: 10 Arti instances bootstrapped, traffic distributed across circuits

Note

Default mode. Each tool/channel gets a different circuit

Namespace isolation via oniux

sudo kodachi-claw --mode isolated agent

Expected Output: Namespace-isolated agent with embedded Tor

Note

Requires root or CAP_NET_ADMIN

Single circuit (low-resource)

sudo kodachi-claw --mode single --tor-instances 1 agent

Expected Output: Single Arti instance, minimal memory usage

Sticky circuit assignment

sudo kodachi-claw --circuit-strategy sticky daemon

Expected Output: Sticky circuit assignment per tool/channel

Note

Strategies: round-robin (default), random, least-used, sticky

Random assignment across 5 circuits

sudo kodachi-claw --circuit-strategy random --tor-instances 5 agent

Expected Output: Random circuit selection per request

Restore identity on exit

sudo kodachi-claw --restore-on-exit agent

Expected Output: Identity restored after session ends

Note

Without this flag, spoofed identity persists after exit

Selective identity spoofing

sudo kodachi-claw --skip-mac --skip-hostname agent

Expected Output: Only timezone randomized, Tor still active

Gateway access with required auth

sudo kodachi-claw --access-mode gateway --auth-mode required daemon

Expected Output: Gateway mode with mandatory authentication

Check and recover internet connectivity

sudo kodachi-claw recover-internet

Expected Output: Internet connectivity is working / Internet recovered successfully

Note

Invokes health-control recover-internet if connectivity is lost

Force recovery even if internet appears working

sudo kodachi-claw recover-internet --force

Expected Output: Internet recovered successfully

Note

Skips initial check, goes straight to health-control recovery

Check/recover with JSON output

sudo kodachi-claw --json recover-internet

Expected Output: {status: connected, recovery_needed: false, ...}

Note

Returns JSON envelope with connectivity status and recovery details

Auto-recover internet after identity changes

sudo kodachi-claw --auto-recover-internet --restore-on-exit agent

Expected Output: Net check after MAC change, recovery on exit

Note

Checks connectivity after MAC randomization and during shutdown

Skip flag overrides auto-recover

sudo kodachi-claw --auto-recover-internet --skip-auto-recover-internet agent

Expected Output: Agent runs without auto-recovery (skip wins)

Note

--skip-auto-recover-internet takes precedence over --auto-recover-internet

Skip Controls

Disable specific startup phases for debugging or testing

No Tor, no identity changes

sudo kodachi-claw --skip-anonymity agent

Expected Output: Agent runs without Tor, no identity changes

Note

WARNING: No privacy protection. Local testing only

Skip all startup phases

sudo kodachi-claw --skip-all status

Expected Output: Status with no anonymity bootstrap

Quick status without Tor

sudo kodachi-claw --skip-tor --skip-identity status

Expected Output: Status report with auth check only

Skip verification checks

sudo kodachi-claw --skip-dns-check --skip-ip-check agent

Expected Output: Tor starts but IP/DNS not verified

Skip preflight checks

sudo kodachi-claw --skip-integrity-check --skip-permission-check agent

Expected Output: Agent starts without preflight verification

Output & Automation

JSON output modes for scripting and CI/CD

Compact JSON for scripting

sudo kodachi-claw --json status

Expected Output: {"status":"success",...}

Pretty-printed JSON

sudo kodachi-claw --json-pretty status

Expected Output: Formatted JSON with indentation

Human-annotated JSON

sudo kodachi-claw --json-human status

Expected Output: JSON with human-readable annotations

Note

Also: --json (compact), --json-pretty (indented)

Verbose logging

sudo kodachi-claw -V --verbose agent --message "debug this"

Expected Output: Debug-level log output

Suppress non-error output

sudo kodachi-claw -q --quiet daemon

Expected Output: Only error messages shown

Custom network settings

sudo kodachi-claw --timeout 60 --retry 5 --instance-policy new daemon

Expected Output: 60s timeout, 5 retries, fresh instances

Note

Policies: reuse (default), new, mixed

AI Gateway Providers

Route requests through AI gateway proxies (Cloudflare, Vercel, custom OpenAI-compatible endpoints)

Use Cloudflare AI Gateway

sudo kodachi-claw agent --provider cloudflare --message "summarize this"

Expected Output: Request routed through gateway.ai.cloudflare.com/v1 over Tor

Note

Set CLOUDFLARE_API_KEY env var or api_key in config. Supports all Cloudflare-hosted models

Use Vercel AI Gateway

sudo kodachi-claw agent --provider vercel --message "explain this code"

Expected Output: Request routed through api.vercel.ai over Tor

Note

Set VERCEL_API_KEY env var or api_key in config

Any OpenAI-compatible gateway via custom URL

sudo kodachi-claw agent --provider "custom:https://your-gateway.example.com" --message "hello"

Expected Output: Request sent to your-gateway.example.com/v1/chat/completions over Tor

Note

Works with vLLM, LiteLLM, Azure OpenAI, any /v1/chat/completions endpoint

Anthropic-compatible proxy (corporate/self-hosted)

sudo kodachi-claw agent --provider "anthropic-custom:https://llm-proxy.corp.example.com" --message "review PR"

Expected Output: Request sent to llm-proxy.corp.example.com using Anthropic API format

Note

For proxies that speak the Anthropic Messages API instead of OpenAI format

Groq ultra-fast inference gateway

sudo kodachi-claw daemon --provider groq

Expected Output: Daemon running with Groq LPU inference, all channels active

Note

Set GROQ_API_KEY. Ultra-low latency for supported models

Together AI inference gateway

sudo kodachi-claw agent --provider together --model meta-llama/Llama-3-70b-chat-hf --message "analyze"

Expected Output: Request routed through Together AI over Tor

Note

Set TOGETHER_API_KEY. Supports 100+ open models

Fireworks AI inference gateway

sudo kodachi-claw agent --provider fireworks --model accounts/fireworks/models/llama-v3-70b-instruct --message "write tests"

Expected Output: Request routed through Fireworks AI over Tor

Note

Set FIREWORKS_API_KEY. Optimized for fast open-model inference

Onboard with a custom AI gateway

kodachi-claw onboard --api-key sk-... --provider "custom:https://gateway.example.com"

Expected Output: Config created with custom gateway as default provider

Note

The custom URL is stored in config.toml as default_provider

List all supported AI gateway providers

kodachi-claw providers

Expected Output: Table showing 30+ providers including Cloudflare, Vercel, Groq, Together, Fireworks, Mistral, xAI, and more

Note

Use custom: prefix for unlisted OpenAI-compatible gateways

---

CLI Reference

Global Flags

Flag	Default	Description
-v, --version	-	Print version and exit
-n, --info	-	Show detailed program information
-e, --examples	-	Show comprehensive command examples
--json	-	Output as compact JSON
--json-pretty	-	Output as pretty-printed JSON
--json-human	-	Output as human-readable JSON
--mode	multi-circuit	Anonymity mode: multi-circuit, isolated, single
--tor-instances	10	Tor pool size (ignored in single mode)
--instance-policy	reuse	Instance reuse policy: reuse, new, mixed
--instance-prefix	kodachi-claw-instance	Instance name prefix
--circuit-strategy	round-robin	Circuit assignment: round-robin, random, least-used, sticky
--access-mode	system	Access mode for execution path (gateway mode not yet implemented)
--auth-mode	auto	Authentication mode: auto (skip if unavailable), required (must succeed)
--skip-mac	false	Skip MAC randomization
--skip-hostname	false	Skip hostname randomization
--skip-timezone	false	Skip timezone randomization
--skip-identity	false	Skip all identity randomization
--skip-tor	false	Skip embedded Tor startup
--skip-ip-check	false	Skip IP/Tor verification
--skip-dns-check	false	Skip DNS verification
--skip-anonymity	false	Skip entire anonymity bootstrap
--skip-integrity-check	false	Skip integrity check during preflight
--skip-permission-check	false	Skip permission check during preflight
--skip-all	false	Skip all startup phases
--restore-on-exit	false	Restore MAC/hostname/timezone on shutdown
--auto-recover-internet	false	Auto-check and recover internet after identity changes and on exit
--skip-auto-recover-internet	false	Override and disable auto-recover even if --auto-recover-internet is set
-V, --verbose	false	Enable verbose logging
-q, --quiet	false	Suppress non-error output
--no-color	false	Disable colored output
--timeout	30	Timeout in seconds for network operations
--retry	3	Number of retries for network operations

Subcommands

Command	Description
onboard	Initialize workspace and configuration
agent	Start the AI agent loop
gateway	Start the gateway server (webhooks, websockets)
daemon	Start long-running autonomous runtime (gateway + channels + heartbeat + scheduler)
service	Manage OS service lifecycle (install, start, stop, status, uninstall)
doctor	Run diagnostics for daemon/scheduler/channel freshness
status	Show system status (full details)
cron	Configure and manage scheduled tasks
models	Manage provider model catalogs
providers	List supported AI providers
channel	Manage channels (Telegram, Discord, Slack, Matrix, etc.)
integrations	Browse 50+ integrations
skills	Manage skills (user-defined capabilities)
migrate	Migrate data from other agent runtimes
auth	Manage provider subscription authentication profiles
hardware	Discover and introspect USB hardware
peripheral	Manage hardware peripherals (STM32, RPi GPIO, etc.)
recover-internet	Check internet connectivity and recover if broken (invokes health-control)