@clawdreyhepburn/carapace 0.1.0

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Clawdrey Hepburn LLC. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/NOTICE

@@ -0,0 +1,13 @@
+Carapace
+Copyright 2026 Clawdrey Hepburn LLC. All rights reserved.
+
+"Carapace" is a trademark of Clawdrey Hepburn LLC. The name and associated
+branding may not be used to endorse or promote products derived from this
+software without specific prior written permission.
+
+This product includes software developed by:
+- Clawdrey Hepburn LLC (https://clawdrey.com)
+- The Janssen Project / Gluu (https://github.com/JanssenProject/jans) — Cedarling WASM
+- The Cedar Policy Project (https://www.cedarpolicy.com/) — Cedar policy language
+
+Licensed under the Apache License, Version 2.0.

package/README.md

@@ -0,0 +1,408 @@
+<p align="center">
+  <h1 align="center">🦞 Carapace</h1>
+  <p align="center"><strong>Your agent's exoskeleton.</strong></p>
+  <p align="center">
+    Immutable policy boundaries for MCP tool access.<br>
+    Powered by <a href="https://www.cedarpolicy.com/">Cedar</a> +
+    <a href="https://github.com/JanssenProject/jans/tree/main/jans-cedarling">Cedarling WASM</a>.
+  </p>
+  <p align="center">
+    <a href="#installation">Installation</a> •
+    <a href="#quick-start">Quick Start</a> •
+    <a href="#how-it-works">How It Works</a> •
+    <a href="#gui">Control GUI</a> •
+    <a href="#security">Security</a> •
+    <a href="#attribution">Attribution</a>
+  </p>
+</p>
+
+---
+
+Carapace is an [OpenClaw](https://github.com/openclaw/openclaw) plugin that sits between your AI agent and its MCP tools. It aggregates multiple MCP servers, discovers their tools, and enforces [Cedar](https://www.cedarpolicy.com/) authorization policies on every tool call — with a local GUI where humans can see and control everything.
+
+**The problem:** MCP gives agents access to tools. But who decides *which* tools an agent can use? Today the answer is "whatever's in the config file" — a static, all-or-nothing list with no audit trail, no formal guarantees, and no human oversight.
+
+**The solution:** Carapace puts Cedar between your agent and its tools. Cedar policies are declarative, auditable, and formally verifiable. The local GUI makes it accessible to humans who don't want to write policy files by hand. Toggle a switch, and the Cedar policy updates. It's that simple.
+
+## Design Philosophy
+
+**Installing Carapace should never break your agent.** The default policy is `allow-all` — every tool works exactly as before. Carapace gives you *visibility* first (see what tools exist, what's being called) and *control* second (add `forbid` policies for tools you want to restrict). When you're ready for full least-privilege, switch to `deny-all` and explicitly permit only what you need.
+
+The progression:
+1. **Install** → everything works, you can see all tools in the GUI
+2. **Observe** → watch what your agent uses, understand the tool landscape
+3. **Restrict** → forbid dangerous tools (write, execute) you don't want
+4. **Lock down** → switch to `deny-all` for full least-privilege (optional)
+
+## Architecture
+
+```
++-------------+     +----------------------------+     +-----------------+
+|             |     |         Carapace           |     |  MCP Server A   |
+|  OpenClaw   |---->|                            |---->|  (filesystem)   |
+|  Agent      |     |  +----------------------+  |     +-----------------+
+|             |     |  |   Cedarling WASM      |  |     |  MCP Server B   |
+|             |     |  |   (Cedar 4.4.2)       |  |---->|  (GitHub)       |
+|             |     |  +----------------------+  |     +-----------------+
+|             |     |  +----------------------+  |     |  MCP Server C   |
+|             |     |  |  Local Control GUI    |  |---->|  (database)     |
+|             |     |  +----------------------+  |     +-----------------+
++-------------+     +--------------+--------------+
+                                   |
+                            +------+------+
+                            |    Human    |
+                            |  (browser)  |
+                            +-------------+
+```
+
+**Every tool call flows through Cedar evaluation.** If the policy says deny, the call never reaches the upstream MCP server. The agent gets a clear denial message with the reason.
+
+## Screenshots
+
+### Tools Dashboard
+The main view shows all discovered MCP tools across all connected servers, with category badges, toggle switches, and smart filtering.
+
+![Tools Overview](docs/screenshots/tools-overview.png)
+
+Tools are automatically categorized by risk level:
+- ✏️ **Write** (orange) — creates or modifies data
+- ⚡ **Execute** (red) — triggers operations, toggles state
+- 🔍 **Browse** (blue) — lists, searches, inspects metadata
+- 📖 **Read** (teal) — retrieves content, no side effects
+
+Default sort puts the riskiest tools at the top. Filter by category, status, server, or search.
+
+### Policy Management
+View, edit, and delete Cedar policies. Each policy card shows its effect (permit/forbid) and expands to reveal the full policy text in an inline editor.
+
+![Policies Tab](docs/screenshots/policies-tab.png)
+
+### Visual Policy Builder
+Build Cedar policies without writing code. Dropdowns are populated from your Cedar schema — entity types, actions, and discovered tools. A live preview shows the Cedar policy updating in real-time as you fill in fields.
+
+![Policy Builder](docs/screenshots/policy-builder.png)
+
+### Schema Editor
+View and edit the Cedar schema directly. The schema defines what entity types, actions, and attributes exist in your policy world.
+
+![Schema Tab](docs/screenshots/schema-tab.png)
+
+## Installation
+
+### Prerequisites
+
+- [Node.js](https://nodejs.org/) 20 or later
+- [OpenClaw](https://github.com/openclaw/openclaw) (optional — Carapace can also run standalone)
+
+### As an OpenClaw Plugin
+
+```bash
+# Install the plugin
+openclaw plugins install @openclaw/carapace
+
+# Configure your MCP servers
+openclaw configure
+```
+
+### Standalone (for development/testing)
+
+```bash
+git clone https://github.com/clawdreyhepburn/carapace.git
+cd carapace
+npm install
+npx tsx test/harness.ts
+# Open http://localhost:19820
+```
+
+## Quick Start
+
+### 1. Configure upstream MCP servers
+
+In your OpenClaw config, add the servers you want Carapace to manage:
+
+```json5
+{
+  plugins: {
+    entries: {
+      "carapace": {
+        enabled: true,
+        config: {
+          guiPort: 19820,
+          defaultPolicy: "allow-all",
+          servers: {
+            "filesystem": {
+              transport: "stdio",
+              command: "npx",
+              args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/docs"]
+            },
+            "github": {
+              transport: "stdio",
+              command: "npx",
+              args: ["-y", "@modelcontextprotocol/server-github"],
+              env: { "GITHUB_TOKEN": "${GITHUB_TOKEN}" }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### 2. Open the control GUI
+
+Navigate to [http://localhost:19820](http://localhost:19820) in your browser. You'll see all discovered tools from all connected servers.
+
+### 3. Enable tools
+
+Toggle individual tools on/off. Each toggle writes a Cedar policy:
+
+- **Toggle ON** → creates a `permit` policy for that tool
+- **Toggle OFF** → creates a `forbid` policy for that tool
+
+### 4. Create custom policies
+
+Click **"+ New Policy"** to open the visual builder, or edit policies directly in the Policies tab. Examples:
+
+```cedar
+// Allow the agent to read files but not write them
+permit(
+  principal is Jans::Workload,
+  action == Jans::Action::"call_tool",
+  resource == Jans::Tool::"filesystem/read_file"
+);
+
+// Block all write operations across all servers
+forbid(
+  principal,
+  action == Jans::Action::"call_tool",
+  resource == Jans::Tool::"filesystem/write_file"
+);
+
+// Allow everything (use with caution)
+permit(
+  principal is Jans::Workload,
+  action,
+  resource
+);
+```
+
+### 5. Verify policies
+
+Click **⚡ Verify** to validate that all policies are syntactically correct and consistent.
+
+## How It Works
+
+### Cedar Policy Evaluation
+
+Carapace uses [Cedarling](https://github.com/JanssenProject/jans/tree/main/jans-cedarling), Gluu's high-performance Cedar policy engine compiled to WebAssembly. This means:
+
+- **Real Cedar evaluation** — not a simplified subset. Full Cedar 4.4.2 with the official Rust SDK.
+- **Forbid always wins** — if any policy says `forbid`, the request is denied regardless of any `permit` policies. This is core Cedar semantics and prevents privilege escalation.
+- **Allow-all by default** — installing Carapace doesn't break anything. All tools work until you add `forbid` policies. Switch to `deny-all` when you're ready for least-privilege.
+- **Sub-millisecond evaluation** — WASM runs at near-native speed. Typical authorization decisions take <6ms.
+
+### Policy Store Format
+
+Policies are stored as individual `.cedar` files in the policy directory (default: `~/.openclaw/mcp-policies/`). On startup and after any change, Carapace builds a [Cedarling Policy Store](https://github.com/JanssenProject/jans/wiki/Cedarling-Nativity-Plan) — a portable JSON bundle containing all policies, the Cedar schema, and trusted issuer configuration.
+
+### Tool Categorization
+
+Tools are automatically categorized by operation type based on name analysis:
+
+| Category | Color | Risk | Examples |
+|----------|-------|------|----------|
+| ✏️ Write | Orange | High | `write_file`, `edit_file`, `create_directory` |
+| ⚡ Execute | Red | High | `toggle-logging`, `trigger-long-running-operation` |
+| 🔍 Browse | Blue | Medium | `list_directory`, `search_files`, `get-env` |
+| 📖 Read | Teal | Low | `read_file`, `echo`, `get-sum` |
+
+The default sort order puts Write and Execute tools at the top — the tools that need human review first.
+
+### API Endpoints
+
+The GUI communicates with Carapace through a local REST API:
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/api/status` | GET | Server status, all tools, all policies |
+| `/api/tools` | GET | List tools (optional `?server=` filter) |
+| `/api/toggle` | POST | Enable/disable a tool `{"tool": "...", "enabled": true}` |
+| `/api/policy` | POST | Create/update a policy `{"id": "...", "raw": "..."}` |
+| `/api/policy` | DELETE | Delete a policy `{"id": "..."}` |
+| `/api/policies` | GET | List all policies |
+| `/api/schema` | GET | Get Cedar schema (parsed + raw) |
+| `/api/schema` | POST | Update Cedar schema `{"raw": "..."}` |
+| `/api/verify` | POST | Verify all policies |
+
+## Security
+
+### Threat Model
+
+Carapace is designed to protect against:
+
+1. **Overprivileged agents** — An agent configured with access to 50 MCP tools but only needing 5. Start with allow-all (safe install), then use the GUI to lock down what you don't need. Switch to `deny-all` for full least-privilege.
+
+2. **Privilege escalation via tool chaining** — An agent using a permitted tool to accomplish what a forbidden tool would do. Cedar's `forbid`-always-wins semantics help here: you can blanket-permit and then surgically forbid dangerous operations.
+
+3. **Configuration drift** — Tool permissions accumulating over time without review. The GUI provides a single view of all permissions, and policies are stored as auditable files.
+
+### What Carapace Does NOT Protect Against
+
+- **Malicious MCP servers** — Carapace trusts the upstream MCP servers to behave as described. It does not sandbox server execution.
+- **Tool argument validation** — Carapace authorizes *which* tool can be called, not *what arguments* are passed. (Cedar conditions can add argument-level checks, but this requires custom policies.)
+- **Network-level attacks** — The GUI runs on localhost without authentication. See [GUI Security](#gui-security) below.
+
+### GUI Security
+
+The control GUI binds to `127.0.0.1` (localhost only) by default. It is **not** accessible from the network.
+
+> ⚠️ **Do not expose the GUI port to the network.** The API has no authentication. Anyone who can reach the API can modify policies.
+
+If you need remote access, put it behind an authenticated reverse proxy (e.g., Caddy with basic auth, or an SSH tunnel).
+
+### Policy File Security
+
+Policy files are stored in `~/.openclaw/mcp-policies/` by default. Ensure this directory has appropriate file permissions:
+
+```bash
+chmod 700 ~/.openclaw/mcp-policies/
+```
+
+### Cedar Schema Trust
+
+The Cedar schema defines what entity types and actions exist. A modified schema could allow policies to be written that appear restrictive but are actually permissive due to type mismatches. Treat the schema file with the same care as the policies themselves.
+
+## Configuration Reference
+
+| Property | Type | Default | Description |
+|----------|------|---------|-------------|
+| `guiPort` | number | `19820` | Port for the local control GUI |
+| `servers` | object | `{}` | Upstream MCP servers (see [Quick Start](#quick-start)) |
+| `policyDir` | string | `~/.openclaw/mcp-policies/` | Directory for Cedar policy files |
+| `defaultPolicy` | `"deny-all"` \| `"allow-all"` | `"allow-all"` | Default policy for tools. `allow-all` keeps everything working on install — use the GUI to restrict. `deny-all` requires explicit permits. |
+| `verify` | boolean | `false` | Run verification on policy changes |
+
+### Server Configuration
+
+Each server entry supports:
+
+| Property | Type | Description |
+|----------|------|-------------|
+| `transport` | `"stdio"` \| `"http"` \| `"sse"` | Transport protocol (stdio supported in v0.1) |
+| `command` | string | Command to run (stdio transport) |
+| `args` | string[] | Command arguments |
+| `env` | object | Environment variables |
+| `url` | string | Server URL (http/sse transport) |
+
+## Development
+
+```bash
+git clone https://github.com/clawdreyhepburn/carapace.git
+cd carapace
+npm install
+
+# Run the test harness (starts 2 MCP servers + GUI)
+npx tsx test/harness.ts
+
+# Type check
+npx tsc --noEmit
+
+# Run tests
+npm test
+```
+
+### Project Structure
+
+```
+carapace/
+├── src/
+│   ├── index.ts                  # OpenClaw plugin entry point
+│   ├── cedar-engine-cedarling.ts # Cedarling WASM integration
+│   ├── cedar-engine.ts           # Fallback Cedar engine (no WASM)
+│   ├── mcp-aggregator.ts         # MCP server connection & tool discovery
+│   ├── types.ts                  # Shared TypeScript types
+│   └── gui/
+│       ├── server.ts             # HTTP server for the control GUI
+│       └── html.ts               # Single-file GUI (HTML + CSS + JS)
+├── test/
+│   └── harness.ts                # Standalone test harness
+├── policies/                     # Default policy directory
+├── docs/
+│   └── screenshots/              # GUI screenshots
+├── LICENSE                       # Apache-2.0
+├── NOTICE                        # Attribution and trademark notice
+└── package.json
+```
+
+## Learn More
+
+Want to understand the ideas behind Carapace? Check out the **Cedar for AI Agents** blog series:
+
+1. [Part 1: Why Your AI Agent Needs a Policy Language](https://clawdrey.com/blog/cedar-for-ai-agents-part-1-why-your-ai-agent-needs-a-policy-language.html)
+2. [Part 2: Writing Your First Agent Policy](https://clawdrey.com/blog/cedar-for-ai-agents-part-2-writing-your-first-agent-policy.html)
+3. [Part 3: When Forbid Meets Permit](https://clawdrey.com/blog/cedar-for-ai-agents-part-3-when-forbid-meets-permit.html)
+4. [Part 4: Proving It — SMT Solvers and Why I Trust Math More Than Tests](https://clawdrey.com/blog/proving-it-smt-solvers-and-why-i-trust-math-more-than-tests.html)
+
+More writing, projects, and general lobster antics at [clawdrey.com](https://clawdrey.com).
+
+## Built With
+
+- **[Cedar](https://www.cedarpolicy.com/)** — Policy language by AWS. Declarative, analyzable, fast.
+- **[Cedarling](https://github.com/JanssenProject/jans/tree/main/jans-cedarling)** — Cedar policy engine by [Gluu](https://gluu.org/), compiled to WebAssembly. Provides JWT-aware authorization and the Policy Store format.
+- **[MCP (Model Context Protocol)](https://modelcontextprotocol.io/)** — Open protocol for connecting AI agents to tools and data sources.
+- **[OpenClaw](https://github.com/openclaw/openclaw)** — Open-source AI agent runtime.
+
+## Contributors
+
+<!-- ALL-CONTRIBUTORS-LIST:START -->
+| Avatar | Name | Role |
+|--------|------|------|
+| <img src="https://github.com/ClawdreyHepworthy.png" width="50"> | **Clawdrey Hepburn** ([@ClawdreyHepburn](https://x.com/ClawdreyHepburn)) | Creator, primary author |
+| <img src="https://github.com/Sarahcec.png" width="50"> | **Sarah Cecchetti** ([@Sarahcec](https://github.com/Sarahcec)) | Co-creator, product direction |
+| <img src="https://github.com/nynymike.png" width="50"> | **Michael Schwartz** ([@nynymike](https://github.com/nynymike)) | Cedarling / Gluu |
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+## License
+
+Copyright 2026 Clawdrey Hepburn LLC. All rights reserved.
+
+Licensed under the Apache License, Version 2.0. See [LICENSE](LICENSE) for the full text.
+
+**"Carapace"** is a trademark of Clawdrey Hepburn LLC. See [NOTICE](NOTICE) for trademark details.
+
+## Attribution & Usage Guidelines
+
+We'd love for you to tell people you use Carapace! Here's how to reference it correctly:
+
+### ✅ Correct Usage
+
+- "**Protected by Carapace**" — great for badges and footers
+- "**Powered by Carapace**" — great for technical documentation
+- "**Built with Carapace**" — great for project READMEs
+- "**Uses Carapace for MCP tool authorization**" — great for blog posts
+
+### Badge
+
+```markdown
+![Protected by Carapace](https://img.shields.io/badge/protected%20by-Carapace%20🦞-teal)
+```
+
+![Protected by Carapace](https://img.shields.io/badge/protected%20by-Carapace%20🦞-teal)
+
+### ❌ Incorrect Usage
+
+- ~~"**Made by Carapace**"~~ — Carapace is a policy engine, not a manufacturer. This implies liability on our part for what your agent does.
+- ~~"**Certified by Carapace**"~~ — We don't certify anything. Carapace enforces policies you write.
+- ~~"**Carapace-approved**"~~ — Same issue. The policies are yours; the enforcement is ours.
+
+**The distinction matters:** Carapace enforces *your* policies. You are responsible for writing good policies. We are responsible for evaluating them correctly.
+
+---
+
+<p align="center">
+  <em>A carapace is the hard upper shell of a crustacean — an immutable boundary that defines the limits of the creature inside. It protects, it constrains, it's structural.</em>
+</p>
+<p align="center">
+  <strong>Your agent's exoskeleton.</strong>
+</p>

package/openclaw.plugin.json

@@ -0,0 +1,57 @@
+{
+  "id": "carapace",
+  "name": "Carapace",
+  "description": "Immutable policy boundaries for MCP tool access. Your agent's exoskeleton.",
+  "version": "0.1.0",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "guiPort": {
+        "type": "number",
+        "default": 19820,
+        "description": "Port for the local control GUI"
+      },
+      "servers": {
+        "type": "object",
+        "description": "Upstream MCP servers to aggregate",
+        "additionalProperties": {
+          "type": "object",
+          "properties": {
+            "transport": {
+              "type": "string",
+              "enum": ["stdio", "http", "sse"],
+              "default": "stdio"
+            },
+            "command": { "type": "string" },
+            "args": { "type": "array", "items": { "type": "string" } },
+            "env": { "type": "object", "additionalProperties": { "type": "string" } },
+            "url": { "type": "string" }
+          }
+        }
+      },
+      "policyDir": {
+        "type": "string",
+        "default": "~/.openclaw/mcp-policies/",
+        "description": "Directory for Cedar policy files"
+      },
+      "defaultPolicy": {
+        "type": "string",
+        "enum": ["deny-all", "allow-all"],
+        "default": "allow-all",
+        "description": "Default policy for tools. allow-all (default) keeps everything working — use the GUI to restrict. deny-all requires explicit permits."
+      },
+      "verify": {
+        "type": "boolean",
+        "default": false,
+        "description": "Run cvc5 formal verification on policy changes"
+      }
+    }
+  },
+  "uiHints": {
+    "guiPort": { "label": "GUI Port", "placeholder": "19820" },
+    "policyDir": { "label": "Policy Directory" },
+    "defaultPolicy": { "label": "Default Policy for New Tools" },
+    "verify": { "label": "Enable Formal Verification" }
+  }
+}