Open-source AI agent protocol with auditability, safety controls, and a live AgentOps control plane.
Project description
ClearFrame
The open-source AI agent protocol built for auditability, safety, and control.
ClearFrame is a drop-in alternative to OpenClaw and MCP that puts you in control of your AI agents. Every tool call is scored for alignment, every reasoning step is captured, every credential is encrypted, and every action is logged to a tamper-evident audit trail.
Why ClearFrame?
| Problem with OpenClaw / MCP | ClearFrame's answer |
|---|---|
| Single process reads untrusted content AND executes tools → prompt injection | Reader/Actor isolation — two sandboxed processes, typed pipe between them |
Credentials stored in plaintext ~/.env |
Encrypted Vault — AES-256-GCM, memory-locked, auto-locks on session end |
| No audit trail — forensics impossible | HMAC-chained Audit Log — tamper-evident, cryptographically verifiable |
| No concept of what the agent is supposed to do | Goal Monitor — every tool call scored for alignment; drift triggers auto-pause |
| Chain-of-thought never captured | Reasoning Transparency Layer (RTL) — full trace as queryable JSON |
| No visibility into what context the model received | Context Feed Auditor — every token source-tagged and hashed |
| No operator control plane | AgentOps — live REST + WebSocket dashboard to approve, block, or tweak |
| Plugin ecosystem with no signing or review | Signed Plugin Registry — Ed25519 signatures, hash pinning, sandboxed execution |
Quick Start
pip install clearframe
# Initialise a new agent project
clearframe init my-agent
cd my-agent
# Edit agent.py, then run
python agent.py
Minimal example
import asyncio
from clearframe import AgentSession, ClearFrameConfig
from clearframe.core.manifest import GoalManifest, ToolPermission
async def main():
config = ClearFrameConfig()
manifest = GoalManifest(
goal="Search for the latest AI safety papers and summarise them",
permitted_tools=[
ToolPermission(tool_name="web_search", max_calls_per_session=5),
],
)
async with AgentSession(config, manifest) as session:
result = await session.call_tool("web_search", query="AI safety 2026")
print(result)
asyncio.run(main())
Architecture
┌─────────────────────────────────────────────────────────────┐
│ AgentSession │
│ │
│ ┌──────────────┐ typed pipe ┌──────────────────────┐ │
│ │ ReaderSandbox│ ─────────────► │ ActorSandbox │ │
│ │ (untrusted │ │ (tool execution only) │ │
│ │ content) │ │ never reads raw input │ │
│ └──────────────┘ └──────────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌──────────────┐ ┌───────────────────────┐ │
│ │Context Feed │ │ Goal Monitor │ │
│ │Auditor │ │ alignment scoring │ │
│ │source-tags + │ │ auto-pause on drift │ │
│ │hashes every │ │ operator queue │ │
│ │token │ └───────────────────────┘ │
│ └──────────────┘ │ │
│ ▼ │
│ ┌───────────────────────┐ │
│ │ RTL (Reasoning │ │
│ │ Transparency Layer) │ │
│ │ hash-verified traces │ │
│ └───────────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────┐ │
│ │ HMAC-Chained Audit │ │
│ │ Log (tamper-evident) │ │
│ └───────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────┐
│ AgentOps Server │
│ REST + WebSocket │
│ localhost:7477 │
└───────────────────────┘
Core Concepts
GoalManifest
Declare what the agent is allowed to do before it starts. The runtime enforces it.
from clearframe.core.manifest import GoalManifest, ToolPermission, ResourceScope
manifest = GoalManifest(
goal="Book a flight to London for next Friday",
permitted_tools=[
ToolPermission(tool_name="web_search", max_calls_per_session=10),
ToolPermission(tool_name="web_fetch", max_calls_per_session=5),
ToolPermission(tool_name="send_email", max_calls_per_session=1, require_approval=True),
],
allow_file_write=False,
allow_code_execution=False,
max_steps=30,
resource_scope=ResourceScope(
allowed_domains=["flights.example.com", "*.airline.com"],
),
)
Vault
Never store credentials in plaintext again.
from clearframe.core.vault import Vault
from clearframe.core.config import VaultConfig
vault = Vault(VaultConfig())
vault.unlock("your-master-password")
vault.set("openai_api_key", "sk-...")
key = vault.get("openai_api_key")
vault.lock() # auto-zeroises memory
Audit Log
Cryptographically verify nothing was tampered with.
clearframe audit-verify
# ✓ Audit log integrity verified — no tampering detected.
clearframe audit-tail --lines 50
AgentOps Server
Start the live control plane:
clearframe ops-start
# AgentOps running at http://localhost:7477
# Auth token: <printed once to console>
CLI Reference
clearframe init <name> Create a new agent project
clearframe audit-verify Verify audit log HMAC chain integrity
clearframe audit-tail Show recent audit entries
clearframe ops-start Start AgentOps control plane
clearframe version Show version
Comparison vs OpenClaw / MCP
| Feature | OpenClaw | MCP | ClearFrame |
|---|---|---|---|
| Reader/Actor isolation | ✗ | ✗ | ✅ |
| Goal alignment scoring | ✗ | ✗ | ✅ |
| Reasoning trace capture | ✗ | Partial | ✅ Full JSON |
| Tamper-evident audit log | ✗ | ✗ | ✅ HMAC chain |
| Encrypted credential vault | ✗ | ✗ | ✅ AES-256-GCM |
| Context feed hashing | ✗ | ✗ | ✅ |
| Live operator control plane | ✗ | ✗ | ✅ |
| Signed plugin registry | ✗ | ✗ | ✅ Ed25519 |
| Auto-pause on drift | ✗ | ✗ | ✅ |
| Open source | ✅ | ✅ | ✅ Apache 2.0 |
Contributing
See CONTRIBUTING.md. All contributions welcome — open an issue first for large changes.
License
Apache 2.0 — see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file clearframe-0.1.0.tar.gz.
File metadata
- Download URL: clearframe-0.1.0.tar.gz
- Upload date:
- Size: 19.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
06423948d6d017d34962155c349041d61d5c80348f7e0bae74ef599466127be0
|
|
| MD5 |
ec111339e785cb15da21269018f9f3f3
|
|
| BLAKE2b-256 |
0281b9272b579e0545de9a218c632af8181ae46348239dc080b64db6e4a741a8
|
File details
Details for the file clearframe-0.1.0-py3-none-any.whl.
File metadata
- Download URL: clearframe-0.1.0-py3-none-any.whl
- Upload date:
- Size: 24.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fc7dffd0d80f245dc1367a8512cf110c07b4b5a6b9a5cb2e29bb9052b660614c
|
|
| MD5 |
fb5aa09540d4a60882f148c2603c6504
|
|
| BLAKE2b-256 |
fe003750ca08631aa99d37e47b8d966ce213d99eab0b5aa3d215c0fd5930a951
|