OpenClaw, security-hardened with HashiCorp Vault, secret-zero elimination, and production-grade secret management.
SecureClaw is a security-hardened fork of OpenClaw, a personal AI assistant gateway you run on your own infrastructure.
This fork extends the upstream project with enterprise-grade secret management, Vault integration, and a hardened deployment architecture designed for security-conscious operators.
The upstream OpenClaw project is excellent. SecureClaw layers the following on top:
- KV v2 secrets backend for all application secrets
- Transit secrets engine for encryption-as-a-service and auto-unseal
- `VaultClient` with auto token renewal, retry backoff, and graceful degradation
- Vault agent sidecar pattern for secret injection
- `SecretRef` URI pattern: `vault://path/to/secret#field` and `env://VAR_NAME`
- No secrets ever written to disk, environment files, or container logs
- All secret resolution happens at runtime via the `SecretRef` resolver
- Dedicated `vault-transit` service with Transit auto-unseal wired up
- `qdrant` vector store service for semantic memory
- Immutable container filesystem where possible
- Non-root service execution throughout
- `first-run.sh`: idempotent 15-step initialisation script
- Colour output, `--rotate-tokens` flag
- Never prints secrets to stdout
- Full Vault initialisation, unsealing, policy and AppRole setup
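The `SecretRef` URI pattern listed above, sketched as an added example (not SecureClaw's own code): a parser and runtime resolver for `vault://path/to/secret#field` and `env://VAR_NAME`. It assumes the first path segment is the KV v2 mount; `parseSecretRef`, `pickField`, `resolveSecretRef` and the caller-supplied `readKv` are hypothetical names.

```javascript
// Added example: hypothetical SecretRef parser/resolver, not SecureClaw's code.
// Assumption: the first path segment of a vault:// ref is the KV v2 mount.
function parseSecretRef(ref) {
  const m = /^(vault|env):\/\/([^#\s]+)(?:#([A-Za-z0-9_.-]+))?$/.exec(ref);
  if (!m) throw new Error('malformed SecretRef'); // do not echo the raw input
  const [, scheme, target, field] = m;
  if (scheme === 'env') {
    if (field || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(target)) {
      throw new Error('invalid env SecretRef');
    }
    return { scheme, name: target };
  }
  const segments = target.split('/');
  // Reject empty, "." and ".." segments so a ref cannot walk out of its path.
  const badSegment = segments.some((s) => s === '' || s === '.' || s === '..');
  if (!field || segments.length < 2 || badSegment) {
    throw new Error('invalid vault SecretRef');
  }
  return { scheme, mount: segments[0], path: segments.slice(1).join('/'), field };
}

// KV v2 read responses nest the secret's key/value pairs under data.data.
function pickField(body, ref) {
  const fields = body && body.data && body.data.data;
  if (!fields || !Object.hasOwn(fields, ref.field)) {
    throw new Error(`field ${ref.field} missing at ${ref.mount}/${ref.path}`);
  }
  return String(fields[ref.field]);
}

// readKv(mount, path) is a caller-supplied (hypothetical) async function that
// performs the KV v2 read and returns the parsed JSON response body.
async function resolveSecretRef(ref, { env = process.env, readKv } = {}) {
  const parsed = parseSecretRef(ref);
  if (parsed.scheme === 'env') {
    const value = env[parsed.name];
    if (!value) throw new Error(`env var ${parsed.name} is not set`);
    return value;
  }
  return pickField(await readKv(parsed.mount, parsed.path), parsed);
}

// Constructed sample of a KV v2 read response, for offline use.
const SAMPLE_KV_BODY = {
  data: { data: { bot_token: 'constructed-not-a-real-token' }, metadata: { version: 3 } },
};
```

Error messages name the reference location but never the resolved value, so a failed lookup can be logged without leaking a secret.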
```
openclaw/               Upstream OpenClaw source (synced from openclaw/openclaw)
secureclaw/             SecureClaw hardening layer
├── docker/             Hardened compose + Vault config
├── src/                VaultClient, SecretRef resolver, extensions
├── scripts/            first-run.sh and operator tooling
└── docs/
    ├── architecture/   System design and ADRs
    ├── development/    Claude Code prompts and dev guides
    ├── runbooks/       Operational runbooks
    └── security/       Threat model, security controls
```
| Branch | Purpose |
|---|---|
| `main` | Fork baseline; periodically synced from upstream |
| `secureclaw` | Active SecureClaw development; all hardening work lives here |
| `release/v*` | Tagged stable SecureClaw releases |
See FORK_NOTES.md for upstream sync guidance.
SecureClaw is under active development. The hardening layer is being built in stages:
- Stage 1 (In Progress): Vault integration, SecretRef pattern, hardened compose, first-run script
- Stage 2 (Planned): Prompt injection hardening, agent sandboxing, audit logging
- Stage 3 (Planned): mTLS between services, secrets rotation automation, compliance controls
For the underlying OpenClaw functionality (channels, agents, voice, canvas), refer to the upstream documentation.
- Docker + Docker Compose v2
- HashiCorp Vault (provided via compose or external)
- Node ≥ 22 (for upstream OpenClaw runtime)
```bash
git clone https://github.com/RichardHam-Co-Uk/secureclaw.git
cd secureclaw
git checkout secureclaw

# Initialise Vault and all services
bash secureclaw/scripts/first-run.sh

# Start the hardened stack
docker compose -f secureclaw/docker/docker-compose.yml up -d
```

SecureClaw is built on a defence-in-depth model:
- All secrets resolved at runtime via `SecretRef`; no plaintext secrets in config files or environment
- Vault Transit provides encryption-as-a-service; the application never holds raw encryption keys
- Container images run non-root; filesystems are immutable where the runtime permits
- Prompt injection risk mitigated via agent sandboxing (Stage 2)
- Full audit trail via Vault audit log + structured application logging
Active development uses Claude Code with structured prompts. See:
- `secureclaw/docs/development/CLAUDE_CODE_PROMPTS.md`: Session prompts for each build milestone
- `secureclaw/docs/architecture/`: Architecture decision records
- `secureclaw/docs/security/`: Threat model and security controls
SecureClaw is a fork of OpenClaw by Peter Steinberger and the OpenClaw community, licensed under the MIT License.
All upstream functionality and intellectual property remains the work of the OpenClaw contributors. This fork adds security hardening on top of that foundation.
This is currently a personal/private hardening project. Contributions welcome once the architecture stabilises post-Stage 1.