kodachi-claw
Kodachi hardened AI runtime with embedded anonymity controls
Version: 9.0.1 | Size: 28.3MB | Author: theonlyhennygod
License: Proprietary - Kodachi OS | Website: https://github.com/WMAL/Linux-Kodachi
File Information
| Property | Value |
|---|---|
| Binary Name | kodachi-claw |
| Version | 9.0.1 |
| Build Date | 2026-02-21T23:54:07.928539571Z |
| Rust Version | 1.82.0 |
| File Size | 28.3MB |
| JSON Data | View Raw JSON |
SHA256 Checksum
Features
| Feature | Description |
|---|---|
| Feature | Embedded Arti-first Tor anonymity runtime |
| Feature | Multi-circuit load balancing across Tor instances |
| Feature | Isolated per-request circuit assignment |
| Feature | Single-circuit mode for consistent identity |
| Feature | Automatic MAC address randomization |
| Feature | Hostname and timezone randomization |
| Feature | IP and DNS leak verification |
| Feature | OPSEC filter (outbound identity leak redaction) |
| Feature | HMAC-SHA256 tamper-evident audit logging |
| Feature | Authentication via online-auth integration |
| Feature | Integrity checking via integrity-check integration |
| Feature | Permission monitoring via permission-guard integration |
| Feature | Centralized logging via logs-hook integration |
| Feature | 12+ AI providers (OpenAI, Anthropic, Gemini, Ollama, OpenRouter, etc.) |
| Feature | 14 communication channels (Telegram, Discord, Slack, Matrix, etc.) |
| Feature | Hybrid memory (SQLite FTS5 + vector cosine similarity) |
| Feature | ChaCha20-Poly1305 encrypted secret store |
| Feature | Sandbox backends (Landlock, Bubblewrap, Firejail, Docker) |
| Feature | Cron job scheduler with security allowlists |
| Feature | Gateway server with rate limiting and idempotency |
| Feature | Hardware peripherals (STM32, RPi GPIO, robotics) |
| Feature | Configurable circuit assignment strategies |
| Feature | Identity restoration on shutdown |
| Feature | Retry and timeout controls for network operations |
| Feature | JSON output mode for automation |
Security Features
| Feature | Description |
|---|---|
| Authentication | In-process Kodachi auth with auto-recovery, device ID verification |
| Encryption | ChaCha20-Poly1305 AEAD, TLS 1.3 via Arti, HMAC-SHA256 webhooks |
| Inputvalidation | Command allowlists, path sanitization, SSRF protection |
| Ratelimiting | Sliding-window rate limiting with configurable thresholds |
System Requirements
| Requirement | Value |
|---|---|
| OS | Linux (Kodachi OS, Debian-based distributions) |
| Privileges | Root/sudo required for MAC/hostname/timezone randomization |
| Dependencies | macchanger (MAC randomization), ip (network interface control), hostnamectl or hostname (hostname management), timedatectl (timezone management), online-auth (authentication service), integrity-check (file integrity verification), permission-guard (permission monitoring), logs-hook (centralized logging) |
Global Options
| Flag | Description |
|---|---|
-h, --help |
Print help and exit |
-v, --version |
Print version and exit |
-n, --info |
Show detailed program information and exit |
-e, --examples |
Show comprehensive command examples and exit |
--json |
Output startup status as compact JSON |
--json-pretty |
Output startup status as pretty JSON |
--json-human |
Output startup status as human-readable JSON |
--mode <MODE> |
Anonymity runtime mode [default: multi-circuit] [possible values: multi-circuit, isolated, single] |
--tor-instances <N> |
Tor pool size (ignored in single mode) [default: 10] |
--instance-policy <POLICY> |
Instance reuse policy [default: reuse] [possible values: reuse, new, mixed] |
--instance-prefix <PREFIX> |
Instance name prefix [default: kodachi-claw-instance] |
--access-mode <MODE> |
Access mode for execution path [default: system] [possible values: system, gateway] |
--auth-mode <MODE> |
Authentication mode [default: auto] [possible values: auto, required] |
--skip-mac |
Skip MAC randomization |
--skip-hostname |
Skip hostname randomization |
--skip-timezone |
Skip timezone randomization |
--skip-identity |
Skip all identity randomization |
--skip-tor |
Skip embedded Tor startup |
--skip-ip-check |
Skip IP/Tor verification checks [aliases: --skip-verify] |
--skip-dns-check |
Skip DNS verification checks |
--skip-anonymity |
Skip all anonymity bootstrap behavior |
--skip-integrity-check |
Skip integrity check during preflight |
--skip-permission-check |
Skip permission check during preflight |
--restore-on-exit |
Restore MAC/hostname/timezone state on shutdown |
--auto-recover-internet |
Auto-check and recover internet after identity changes and on exit |
--skip-auto-recover-internet |
Disable auto-recover-internet (overrides --auto-recover-internet) |
-V, --verbose |
Enable verbose logging output |
-q, --quiet |
Suppress all non-error output |
--no-color |
Disable colored output |
--timeout <SECONDS> |
Timeout in seconds for network operations [default: 30] |
--retry <COUNT> |
Number of retries for network operations [default: 3] |
--circuit-strategy <STRATEGY> |
Circuit assignment strategy for multi-circuit mode [default: round-robin] [possible values: round-robin, random, least-used, sticky] |
--skip-all |
Skip all anonymity startup phases except OS authentication |
Commands
Commands
onboard
Initialize your workspace and configuration
Usage:
agent
Start the AI agent loop
Usage:
gateway
Start the gateway server (webhooks, websockets)
Usage:
daemon
Start long-running autonomous runtime (gateway + channels + heartbeat + scheduler)
Usage:
service
Manage OS service lifecycle (launchd/systemd user service)
Usage:
doctor
Run diagnostics for daemon/scheduler/channel freshness
Usage:
status
Show system status (full details)
Usage:
cron
Configure and manage scheduled tasks
Usage:
models
Manage provider model catalogs
Usage:
providers
List supported AI providers
Usage:
channel
Manage channels (telegram, discord, slack)
Usage:
integrations
Browse 50+ integrations
Usage:
skills
Manage skills (user-defined capabilities)
Usage:
migrate
Migrate data from other agent runtimes
Usage:
auth
Manage provider subscription authentication profiles
Usage:
hardware
Discover and introspect USB hardware
Usage:
peripheral
Manage hardware peripherals (STM32, RPi GPIO, etc.)
Usage:
help
Print this message or the help of the given subcommand(s)
Usage:
Examples
AI Agent
Start and interact with the AI agent
Interactive session with full anonymity
Expected Output: Tor bootstrapped, identity randomized, agent readyNote
Requires onboarding first: kodachi-claw onboard
Single message mode
Expected Output: Response through Tor-routed connectionSpecific provider/model
Expected Output: Agent session using Anthropic ClaudeLocal offline model
Expected Output: Agent runs with local model, Tor still active for toolsLow temperature for deterministic output
Expected Output: Agent runs with temperature 0.2Hardware peripheral attached
Expected Output: Agent with STM32 board attachedUse installed Claude Code CLI (no API key)
Expected Output: Agent uses local Claude Code CLI for inferenceNote
Requires claude CLI installed. No API key needed
Daemon & Gateway
Long-running services and webhook endpoints
Full daemon with all channels
Expected Output: Daemon running: all configured channels activeNote
Listens on all configured channels simultaneously
Custom gateway port
Expected Output: Gateway + channels + heartbeat + scheduler runningBind to all interfaces
Expected Output: Daemon bound to 0.0.0.0:9090Gateway-only (webhook/WebSocket)
Expected Output: Gateway accepting webhook requests on :9090Install as systemd service
Expected Output: Service installed with auto-restart on failureSetup & Onboarding
First-time configuration and channel management
Full wizard (9 steps)
Expected Output: Guided 9-step setup wizardNote
Run this first before using agent or daemon
Quick setup
Expected Output: Config created with OpenRouter providerQuick setup with memory backend
Expected Output: Config created with Anthropic + SQLite memoryQuick setup with Claude Code CLI (no API key)
Expected Output: Config created with claude-code providerNote
No API key needed -- Claude Code handles auth internally
Reconfigure channels only
Expected Output: Channel configuration updatedBind Telegram identity
Expected Output: Telegram user bound to allowlistStatus & Diagnostics
System status, health checks, and diagnostics
Full status including MAC, hostname, timezone, IP, auth
Expected Output: Complete system status with identity infoBasic status without security/identity info
Expected Output: Config and channel status onlyJSON status for automation
Expected Output: Pretty-printed JSON envelope with status dataRun health diagnostics
Expected Output: Diagnostic report for daemon/scheduler/channelsProbe model availability
Expected Output: Available models for the specified providerScheduled Tasks
Configure and manage cron-style scheduled tasks
List all scheduled tasks
Expected Output: Table of scheduled tasks with statusRun every 6 hours
Expected Output: Task added with cron scheduleWeekly with timezone
Expected Output: Task scheduled for Monday 9AM ETOne-shot at specific time
Expected Output: One-time task scheduledEvery 5 minutes
Expected Output: Interval task added (300s)One-shot after 30 minutes
Expected Output: One-time delayed task scheduledPause/resume tasks
Expected Output: Task paused/resumedModels & Providers
Manage AI model catalogs and providers
Refresh model catalog from default provider
Expected Output: Model catalog updatedForce refresh from specific provider
Expected Output: OpenAI model catalog force-refreshedList all 12+ supported AI providers
Expected Output: Provider table with active markerCheck cached model availability
Expected Output: Model availability from cacheChannel Management
Configure and manage communication channels
List configured channels
Expected Output: Channel status tableStart all configured channels
Expected Output: All channels listeningHealth check all channels
Expected Output: Channel health reportAdd Telegram channel
Expected Output: Telegram channel configuredRemove a channel
Expected Output: Discord channel removedBind Telegram user ID to allowlist
Expected Output: Telegram user ID boundAuthentication
Manage provider authentication profiles
OAuth login
Expected Output: Browser-based OAuth flow startedDevice code flow
Expected Output: Device code displayed for authorizationPaste API key
Expected Output: API key stored securelyInteractive token entry
Expected Output: Token stored in encrypted secret storeRefresh access token
Expected Output: Token refreshed successfullyList all auth profiles
Expected Output: Auth profile table with active markersShow active profile and token expiry
Expected Output: Profile status with expiration infoRemove auth profile
Expected Output: Auth profile removedSkills Management
Manage user-defined capabilities
List installed skills
Expected Output: Installed skills tableInstall from GitHub
Expected Output: Skill installed and registeredRemove installed skill
Expected Output: Skill removedIntegrations
Browse and manage service integrations
Show GitHub integration details
Expected Output: GitHub integration configuration and statusShow Jira integration details
Expected Output: Jira integration configuration and statusMigration
Import data from other agent runtimes
Preview migration without writing
Expected Output: Migration preview with changes listedImport from OpenClaw
Expected Output: Data imported from OpenClaw workspaceHardware & Peripherals
Discover and manage hardware devices
Enumerate USB devices and known boards
Expected Output: Detected hardware devicesIntrospect specific device
Expected Output: Device capabilities and firmware infoGet chip info
Expected Output: Chip specifications and pinoutList configured peripherals
Expected Output: Configured peripheral boardsAdd STM32 board
Expected Output: Peripheral added to configFlash firmware
Expected Output: Firmware flashed to deviceService Lifecycle
Install and manage as a system service
Install as systemd/launchd service
Expected Output: Service unit installedStart the service
Expected Output: Service startedStop the service
Expected Output: Service stoppedCheck service status
Expected Output: Service running/stopped statusUninstall the service
Expected Output: Service unit removedAnonymity & Tor Modes
Control Tor instances, circuits, and identity randomization
10 parallel circuits
Expected Output: 10 Arti instances bootstrapped, traffic distributed across circuitsNote
Default mode. Each tool/channel gets a different circuit
Namespace isolation via oniux
Expected Output: Namespace-isolated agent with embedded TorNote
Requires root or CAP_NET_ADMIN
Single circuit (low-resource)
Expected Output: Single Arti instance, minimal memory usageSticky circuit assignment
Expected Output: Sticky circuit assignment per tool/channelNote
Strategies: round-robin (default), random, least-used, sticky
Random assignment across 5 circuits
Expected Output: Random circuit selection per requestRestore identity on exit
Expected Output: Identity restored after session endsNote
Without this flag, spoofed identity persists after exit
Selective identity spoofing
Expected Output: Only timezone randomized, Tor still activeGateway access with required auth
Expected Output: Gateway mode with mandatory authenticationCheck and recover internet connectivity
Expected Output: Internet connectivity is working / Internet recovered successfullyNote
Invokes health-control recover-internet if connectivity is lost
Force recovery even if internet appears working
Expected Output: Internet recovered successfullyNote
Skips initial check, goes straight to health-control recovery
Check/recover with JSON output
Expected Output: {status: connected, recovery_needed: false, ...}Note
Returns JSON envelope with connectivity status and recovery details
Auto-recover internet after identity changes
Expected Output: Net check after MAC change, recovery on exitNote
Checks connectivity after MAC randomization and during shutdown
Skip flag overrides auto-recover
Expected Output: Agent runs without auto-recovery (skip wins)Note
--skip-auto-recover-internet takes precedence over --auto-recover-internet
Skip Controls
Disable specific startup phases for debugging or testing
No Tor, no identity changes
Expected Output: Agent runs without Tor, no identity changesNote
WARNING: No privacy protection. Local testing only
Skip all startup phases
Expected Output: Status with no anonymity bootstrapQuick status without Tor
Expected Output: Status report with auth check onlySkip verification checks
Expected Output: Tor starts but IP/DNS not verifiedSkip preflight checks
Expected Output: Agent starts without preflight verificationOutput & Automation
JSON output modes for scripting and CI/CD
Compact JSON for scripting
Expected Output: {"status":"success",...}Pretty-printed JSON
Expected Output: Formatted JSON with indentationHuman-annotated JSON
Expected Output: JSON with human-readable annotationsNote
Also: --json (compact), --json-pretty (indented)
Verbose logging
Expected Output: Debug-level log outputSuppress non-error output
Expected Output: Only error messages shownCustom network settings
Expected Output: 60s timeout, 5 retries, fresh instancesNote
Policies: reuse (default), new, mixed
AI Gateway Providers
Route requests through AI gateway proxies (Cloudflare, Vercel, custom OpenAI-compatible endpoints)
Use Cloudflare AI Gateway
Expected Output: Request routed through gateway.ai.cloudflare.com/v1 over TorNote
Set CLOUDFLARE_API_KEY env var or api_key in config. Supports all Cloudflare-hosted models
Use Vercel AI Gateway
Expected Output: Request routed through api.vercel.ai over TorNote
Set VERCEL_API_KEY env var or api_key in config
Any OpenAI-compatible gateway via custom URL
Expected Output: Request sent to your-gateway.example.com/v1/chat/completions over TorNote
Works with vLLM, LiteLLM, Azure OpenAI, any /v1/chat/completions endpoint
Anthropic-compatible proxy (corporate/self-hosted)
sudo kodachi-claw agent --provider "anthropic-custom:https://llm-proxy.corp.example.com" --message "review PR"
Note
For proxies that speak the Anthropic Messages API instead of OpenAI format
Groq ultra-fast inference gateway
Expected Output: Daemon running with Groq LPU inference, all channels activeNote
Set GROQ_API_KEY. Ultra-low latency for supported models
Together AI inference gateway
sudo kodachi-claw agent --provider together --model meta-llama/Llama-3-70b-chat-hf --message "analyze"
Note
Set TOGETHER_API_KEY. Supports 100+ open models
Fireworks AI inference gateway
sudo kodachi-claw agent --provider fireworks --model accounts/fireworks/models/llama-v3-70b-instruct --message "write tests"
Note
Set FIREWORKS_API_KEY. Optimized for fast open-model inference
Onboard with a custom AI gateway
Expected Output: Config created with custom gateway as default providerNote
The custom URL is stored in config.toml as default_provider
List all supported AI gateway providers
Expected Output: Table showing 30+ providers including Cloudflare, Vercel, Groq, Together, Fireworks, Mistral, xAI, and moreNote
Use custom: prefix for unlisted OpenAI-compatible gateways
Environment Variables
| Variable | Description | Default | Values |
|---|---|---|---|
RUST_LOG |
Set logging level | info | trace, debug, info, warn, error |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Permission denied |