2 | 2 |
3 | 3 | Governance and credential injection proxy for [OpenClaw](https://github.com/openclaw/openclaw). Keeps real secrets out of the agent, enforces per-request policy on every connection and tool call, and puts a human in the loop when it matters. |
4 | 4 |
5 | | -## Features |
6 | | - |
7 | | -- **Phantom token credential injection.** OpenClaw gets fake API keys. Sluice swaps them for real credentials in-flight via MITM. Leaked tokens are useless outside the proxy. |
8 | | -- **Two-layer governance.** MCP gateway intercepts tool calls (names, arguments, responses). SOCKS5 proxy intercepts all network traffic (HTTP, HTTPS, WebSocket, gRPC, SSH, IMAP, SMTP, DNS, QUIC/HTTP3). |
9 | | -- **Human-in-the-loop approval.** "Ask" policy rules trigger Telegram or webhook notifications. OpenClaw blocks until a human responds. |
10 | | -- **Policy engine.** Glob-based rules for destinations, protocols, ports, and MCP tools. Content inspection blocks secrets in arguments and redacts them from responses. |
11 | | -- **7 credential backends.** age (default), HashiCorp Vault, 1Password, Bitwarden, KeePass, gopass, environment variables. Chain multiple providers. |
12 | | -- **Hot credential reload.** Add or rotate credentials via Telegram or CLI. Phantom tokens are regenerated and pushed to OpenClaw without restarts. |
13 | | -- **Tamper-evident audit log.** Every connection, tool call, and approval decision is logged with blake3 hash chaining. |
14 | | -- **4 deployment modes.** Docker, Apple Container (macOS micro-VMs), macOS VM via tart (Apple framework access), or standalone binary. |
15 | | - |
16 | 5 | ## Why Sluice |
17 | 6 |
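Review bot: removing the Features section drops facts that the rewritten "Why Sluice" text never restates: the environment-variable credential backend and provider chaining, hot credential reload via Telegram or CLI, the blake3 hash-chained tamper-evident audit log, and the four deployment modes (Docker, Apple Container, tart macOS VM, standalone binary). Either keep a condensed feature list or fold those into the new bolded paragraphs; the audit log and hot reload are exactly what a reader evaluating a credential proxy looks for first.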
18 | | -AI agents need credentials to be useful. Giving them real credentials is dangerous. They can leak secrets in tool outputs, connect to unexpected endpoints, or make destructive API calls without oversight. |
| 7 | +AI agents need credentials to be useful. Giving them real credentials is dangerous. |
| 8 | + |
| 9 | +**The problem:** OpenClaw makes API calls, opens network connections, and invokes MCP tools. Without governance, it can leak secrets in tool outputs, connect to unexpected endpoints, or make destructive API calls. No existing tool combines credential isolation, human approval, all-protocol interception, and MCP-level governance in one place. |
19 | 10 |
20 | | -No existing tool combines credential isolation, human approval, all-protocol interception, and MCP-level governance in one place. Sluice intercepts everything at two layers and never gives OpenClaw real credentials. |
| 11 | +**The solution:** Sluice intercepts everything at two layers and never gives OpenClaw real credentials. |
21 | 12 |
22 | 13 | | Layer | What it sees | What it governs | |
23 | 14 | |-------|-------------|-----------------| |
24 | 15 | | **MCP Gateway** | Tool names, arguments, responses | File writes, exec, deletions, any MCP tool call | |
25 | 16 | | **SOCKS5 Proxy** | Every TCP and UDP connection | HTTP, HTTPS, WebSocket, gRPC, SSH, IMAP, SMTP, DNS, QUIC/HTTP3 | |
26 | 17 |
| 18 | +**Phantom token swap:** OpenClaw gets phantom tokens that look like real API keys. Sluice's MITM proxy swaps them for real credentials in-flight. If a phantom token leaks, it is useless outside the proxy. |
| 19 | + |
| 20 | +**Human approval:** Connections and tool calls matching "ask" policy rules trigger a notification via Telegram or HTTP webhook. OpenClaw blocks until a human responds with Allow or Deny. |
| 21 | + |
| 22 | +**Credential isolation:** Real secrets live in an encrypted vault (age, HashiCorp Vault, 1Password, Bitwarden, KeePass, or gopass). They are decrypted into zeroed memory only at injection time and never exposed to the agent process. |
| 23 | + |
27 | 24 | ## How It Works |
28 | 25 |
29 | 26 | ```mermaid |
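Review bot: the added "Human approval" paragraph says OpenClaw blocks until a human responds with Allow or Deny but not what happens when nobody responds; state whether an unanswered request times out to Deny, since the safety of every "ask" rule depends on that default. Three smaller points in the same region: the "Credential isolation" paragraph lists six vault backends while the removed Features line listed seven including environment variables, so say whether that backend was dropped or just omitted; "decrypted into zeroed memory" is ambiguous, so if the intent is that the buffer is zeroed after injection, say that; and "Sluice's MITM proxy" in the "Phantom token swap" paragraph does not say which of the two layers in the table performs the swap, so name it (e.g. "the SOCKS5 proxy layer") so readers can map the claim to the table.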