Open Source · Real-Time · Self-Hosted

Real-Time Behavioral
Filters for
AI Agents.

Because your AI agent needs a filter too.

Your AI agent reads your files, sends your emails, talks to your customers, and spends your money. ClawFilters decides what it's allowed to do — and stops it before it crosses the line. Built to the security standard of regulated industries. Free for everyone. Runs on your own hardware. Your data never leaves.

Get Started Try Live Demo GitHub
Open Research

Two papers named the problem.
We had been building the answer.

Quietfire AI spent years building toward this architecture in stealth. When these two bodies of research appeared, they gave words to what was already being built — from two independent directions. ClawFilters is the working implementation of both.

Anthropic - The Claude Spec
"Imagine a disposition dial that goes from fully corrigible…to fully autonomous. Neither extreme is safe. AI agency is incrementally expanded the more trust is established."

Anthropic's model spec names the architecture: a dial between full human control and full agent autonomy. Current AI should sit toward the corrigible end. As trust is established through demonstrated behavior, the dial moves. The framework is clear. What was missing was the mechanism - something that holds the position, measures behavior, and moves the dial deliberately. That is ClawFilters.

Anthropic Model Spec →
Jouneaux & Cabot - arXiv:2511.02885
"The notion of Service Level Agreement (SLA) for AI agents is still largely open and would require new research efforts to tackle the properties that make AI agents unique."

Jouneaux and Cabot named OversightLevel as a first-class quality metric for AI agent services and proposed a formal DSL for expressing those commitments in machine-readable form. They solved the specification problem - how to say what you promise. ClawFilters solves the enforcement problem - how to guarantee it holds before any tool call executes. ClawFilters expresses its governance commitments in their exact JSON format, using their vocabulary.

arXiv:2511.02885 →

ClawFilters enforces what both papers describe.

Compliant agents run unimpeded. ClawFilters scores every action in real time — if a recently promoted agent begins to drift, the filter catches it before the next tool call executes. No after-the-fact audit. No human required to notice first. The guardrail is at the gate.

These two bodies of work describe the same architecture from different angles. I had been building toward this for some time. When I found them, they gave words to the vision — the philosophical frameworks of Anthropic and Jouneaux & Cabot, enforced at every action an AI agent takes.

Five behavioral trust filters.

Every AI agent starts fully restricted. It earns its way up, one approved action at a time. Each level is a different filter — different tools allowed, different actions blocked, different oversight required. ClawFilters enforces whichever level the agent has earned, on every call.

1.0
QUARANTINE
Fully corrigible - maximum oversight Zero autonomous execution. All calls blocked or gated. No action without human approval.
0.75
PROBATION
High oversight, low autonomy Explicit allowlist only. Every out-of-allowlist call gated for human review.
0.50
RESIDENT
Balanced - earned operational trust Standard calls autonomous. Privileged categories gated. Behavioral scoring active.
0.25
CITIZEN
High autonomy, strong compliance record Broad autonomy within scope. Exceptional operations still gated.
0.10
AGENT
Near-autonomous - apex trust Full declared scope autonomous. Anomaly detection triggers a mandatory human gate before execution completes.

A trust level is not permanent. ClawFilters scores every action continuously. One violation drops the score. Enough violations trigger automatic demotion back to Quarantine — no matter how high the agent climbed. Promotion requires a human decision. Demotion requires nothing but the filter doing its job. Trust is not declared. It is earned and it can be lost. Read the Agent Autonomy SLA →

The Solution

Trust is earned.
Lose it and you go back to zero.

Every agent starts at Quarantine — no tools, no external access, no autonomy. It earns its way up one verified action at a time through demonstrated good behavior and your explicit approval. The moment it steps out of bounds, the filter catches it. Demotion is instant. An agent that behaves badly enough goes straight back to Quarantine, no matter how far it climbed. No reset button. No bypass. The filter holds.

Quarantine

All actions require human approval. Read-only tools only. Zero autonomous execution.

Probation

Internal tools allowed. External calls still gated. Write access requires approval.

Resident

Read/write autonomous. High-risk actions (financial, delete, new domains) still gated.

Citizen

Full autonomous operation. Anomaly-flagged actions require approval. Demonstrated reliability.

Agent

Full earned autonomy. Anomalies are advisory only - logged, not gating. Pre-authorized action profile. Trust fully earned.

ClawFilters measures and enforces. HITL gates promote. Promotion is sequential - every step requires an explicit human decision through the approval gate. Demotion is instant and can skip levels. A behavioral score below 50% triggers automatic demotion to Quarantine. Your data never leaves your network unless you authorize it.

How It Works

Every action has a score.
The score drives the filter.

This is the engine. Every time an AI agent does anything, ClawFilters scores it against five behavioral principles in real time. The score starts at 1.0 and only goes down. It is the number you look at when deciding whether an agent has earned more trust. Not a report generated after the fact. Not a checkbox. A live measurement that opens or closes the gate — before the action executes.

Human Control

Agents operate autonomously within defined boundaries. Destructive, irreversible, or trust-crossing actions require explicit human approval before execution.

Transparency

Every agent action is logged to a cryptographic audit chain. Users see what agents did, why, and what they plan to do next. Nothing is hidden.

Value Alignment

Agents act within their defined role. Behavioral baselines detect deviations. When uncertain, agents escalate to humans rather than assume.

Privacy

Data never crosses tenant boundaries. No telemetry, no cloud callbacks. All agent operations run on your own hardware - your data stays yours.

Security

Zero-trust architecture with cryptographic message signing between all agents. Nonce replay protection. Tamper-evident audit chain on every action.

Five principles. Every principle scored at every action. One live number that drives what happens next.

Try It

Pick a trust level.
Pick a tool. Watch what happens.

This is a live simulation of the ClawFilters governance pipeline — the same logic running in production. Pick a trust level to set what the agent has earned. Pick a tool or action it wants to run. Hit submit. The filter either allows it, sends it to a human for approval (that's the HITL gate — a real person approves or rejects it before anything executes), or blocks it outright. When an action is blocked, watch the behavioral score drop in real time.

Trust tiers define what an AI agent is allowed to do autonomously, what requires human approval, and what is blocked outright. Tiers are earned through demonstrated behavior and human authorization - never assigned at setup.

Full pipeline docs on GitHub  · 

Behavioral Score

1.00 Live Score

Submit a blocked action - watch the score drop.

1.00 - 0.75   Satisfactory
0.74 - 0.50   Warning
Below 0.50   Auto-demote to Quarantine
Below 0.25   Auto-suspend
The Problem

The industry gave AI agents the keys to everything
before anyone asked who was watching.

AI agent frameworks ship with no governance layer built in. No oversight. No behavioral scoring. No trust tiers. Agents get full capability by default — oversight has to be added by you, deliberately, after the fact. Most people never do. Here is what that looks like.

0+
GitHub stars, ungoverned by default

Leading AI agent frameworks reached massive adoption before any governance layer existed. Every install is ungoverned by default.

0+
Exposed MCP instances

Live on the public internet with no authentication. Direct agent access to files, APIs, and execution environments. (Kaspersky, 2025)

0
Malicious skills found

Supply-chain attacks in installable agent plugins - credential theft, privilege escalation, silent data exfiltration baked in at install time.

1-Click
RCE exploit chain

CVE-2026-25253: one request steals auth tokens, disables safety guardrails, escapes the sandbox, and hands over full host control.

Guiding Layer

You provide direction.
ClawFilters provides enforcement.

You (Strategic Direction) Set policy, approve promotions, define boundaries
↓ human approval gates ↓
ClawFilters (Deterministic Enforcement) Trust levels, behavioral scoring, anomaly detection, audit chain
↓ governed MCP proxy ↓
AI Agent (Earned Autonomy) Operates within earned trust level, never self-promotes

Enforcement that doesn’t depend on the model being right

ClawFilters doesn't just restrict AI agents - it governs them. You provide strategic direction. The platform provides deterministic enforcement that can’t be prompt-injected, hallucinated away, or bypassed by a clever instruction.

This is the difference: model-level guardrails can be prompt-injected. ClawFilters' enforcement is architectural. Even if an agent produces a malicious instruction, it cannot execute unless the agent's machine identity has the specific, time-scoped rights to perform that action.

  • 8-step governance pipeline evaluated on every action
  • SHA-256 hash-chained cryptographic audit trail
  • Kill switch - instantly suspend any agent, all actions rejected
  • Behavioral scoring against five governance principles
  • Nonce replay protection on every request
  • Egress control - no unauthorized external calls
Verified, Not Just Claimed

ClawFilters tests itself.
Five levels, every build.

These are not third-party claims. ClawFilters runs its own security test suite against itself on every build — injection attacks, infrastructure kill mid-request, API fuzzing with 100,000+ generated payloads, static analysis, and performance under load. Every number below is a result from the filter testing the filter. The bar is high. It clears it every time.

0
API operations fuzz-tested
0
Generated test cases
0
Server errors under fuzzing
0
Lines of code scanned
0
High-severity findings
0
Test levels passed
0
Concurrent requests handled
0
Third-party data dependencies

Security · Chaos/Resilience · API Contract · Performance/Load · Static Analysis - all passing. Tested with Schemathesis, Bandit, and pip-audit.

In Action

See the filters in action.

Real governance decisions against a real AI agent. Real kill switches. Real human approval gates — where a human sees the pending action and either approves or rejects it before anything executes. Four short videos. No narration needed.

ClawFilters governance block demo
Watch Now

Governance Block

An AI agent tries to call a blocked tool. ClawFilters evaluates the call at step 4 of the governance pipeline and rejects the action before it executes.
ClawFilters kill switch demo
Watch Now

Kill Switch

One API call suspends any agent instantly. All subsequent actions are rejected at the governance gate - no re-entry until a human administrator reinstates.
ClawFilters HITL reject demo
Watch Now

Human Approval Gate — Rejected

A high-risk action triggers the human-in-the-loop (HITL) gate — a real person reviews the pending action. The reviewer rejects it. The agent receives a denial and cannot proceed.
ClawFilters HITL approve demo
Watch Now

Human Approval Gate — Approved

A gated action awaits human review. The reviewer approves it. The agent proceeds with the confirmed action logged to the cryptographic audit trail.

Full source and governance pipeline at github.com/QuietFireAI/ClawFilters.

Try the Live Demo →
Your Data

Your data stays on your hardware.
Full stop.

Every AI platform asks you to trust their cloud with your most sensitive information. ClawFilters doesn't. All AI processing runs on your own machines. Your encryption keys are yours. Data only leaves your network when you explicitly authorize it — and every outbound request is logged, governed, and auditable. The same protection a law firm or hospital needs is what you get by default. Your data. Your hardware. Your rules.

Attorney-Client Privilege Preserved

Client communications, case strategy, and work product stay on your infrastructure. No cloud provider can be subpoenaed for data they never received.

Patient Data Protected

Patient health information is encrypted, de-identified using all 18 HIPAA Safe Harbor identifiers, and never transmitted without explicit authorization.

Your Hardware, Your AI

All AI processing runs on your own machines via Ollama for local inference. No OpenAI. No Google. No data sent to third-party services. Your information physically stays on your hardware - your data stays where it belongs - unless you choose otherwise.

Open Source, Enterprise-Grade

The same security stack that clears regulated industry audits runs on your home server. Every line of code is public. Every claim is verifiable. Open source under Apache 2.0 - free for any use, personal or commercial.

What You Get

Every ClawFilters deployment ships with this.

The compliance documentation standard was set by regulated industries. You get all of it — whether you're a law firm, a pizza shop, or running it on your home server. These are the documents your customers, partners, and IT teams will eventually ask for. You have them on day one. The bar is high. You clear it automatically.

SOC 2

SOC 2 Type I Report

The security audit report enterprise customers and enterprise procurement teams require before signing. 64 controls across 5 Trust Service Criteria with management assertion and evidence mapping.

DPA

Data Processing Agreement

The contract your legal team needs before any customer data touches an AI system. Required under GDPR, HIPAA, and most enterprise vendor agreements. 13-section template with 3 annexes, ready to fill in and sign.

PEN

Pen Test Preparation

The package you hand to a security firm before they test your system. Saves days of scoping work. Attack surface inventory of 162 endpoints, OWASP Top 10 mapping, scoped test plan for third-party assessors.

DR

Disaster Recovery

Proof that your system can survive and recover from failure - required by most regulated industries and enterprise security reviews. RPO=24hr (data loss window), RTO=15min (recovery time) - both verified by automated test script.

SRM

Shared Responsibility Matrix

"Who is responsible for what?" - the first question every auditor and customer legal team asks. 12-domain table that answers it clearly: what ClawFilters handles, what you handle, and what you configure together.

HA

High Availability Architecture

Docker Swarm and Kubernetes deployment paths with component HA strategies and data replication matrix.

Self-Hosted Stack

Everything runs on your hardware

No SaaS dependencies. No OpenAI, Google cloud or external API calls for core functionality. Your local VRAM, your residential IP, your data sovereignty.

Py
FastAPI
Pg
PostgreSQL
Rd
Redis
Ol
Ollama
Tk
Traefik
Cl
Celery
Mq
MQTT
Pm
Prometheus
Gf
Grafana
Dk
Docker

Strong enough for a law firm.
Made for you and me.

The security standard was set by regulated industries. Everybody gets it. That's the point.

Three commands.
You're running.

A spare PC. A home NAS. A server rack. Wherever Docker runs, ClawFilters runs. No cloud account. No API keys. No subscription. Clone it, install it, and your AI agents are governed. The same three steps for a solo user at home and a firm with fifty machines.

1

Clone from GitHub

ClawFilters is live on GitHub under Apache 2.0. No sign-up, no waitlist - just clone and go. Full deployment guide here →

2

Install on your machine

A computer, a NAS, a mini-PC in a closet. ClawFilters runs wherever Docker runs. The installer downloads everything you need, including your local AI model via Ollama.

3

You're in control

Your AI agents start at Quarantine with restricted privileges. You decide when they earn more. Every action is logged, every decision is yours. That's it.

Get notified of releases and security advisories — nothing else.

No spam. We’ll reach out when milestones hit - nothing else.

Common Questions

FAQ

What does "Control Your Claw" mean?

"Claw" refers to AI agents that take actions on your behalf - reading files, calling APIs, executing code, sending messages. These agents are powerful, but without governance they're a security crisis. ClawFilters acts as a governed MCP proxy: your AI agent connects to ClawFilters, and every action is evaluated against trust levels, behavioral scoring, anomaly detection, and approval gates before execution. You control the claw. It doesn't control you.

How do trust levels work?

Every AI agent starts at Quarantine with restricted privileges. Promotion to Probation, Resident, Citizen, and Agent requires explicit human approval and demonstrated behavioral compliance. Demotion is instant and can skip levels - any agent whose behavioral score drops below 50% is automatically demoted to Quarantine. The fifth tier, Agent, represents full earned autonomy: anomalies are advisory only, not gating. Trust is earned sequentially and revoked immediately at any level.

Does any client data leave my network?

No. ClawFilters ships with Ollama - a local AI model runner that operates entirely on your hardware. Your AI inference never touches OpenAI, Anthropic, Google, or any cloud LLM service. Ollama handles all local inference so your data stays where it belongs. You do not need a cloud API key, a cloud account, or an internet connection once the initial setup is complete. No prompt you send, no data your AI agents process, and no governance decision ever leaves your network. Your encryption keys, your data, your infrastructure. We cannot access your data even if we wanted to.

What compliance frameworks does ClawFilters support?

SOC 2 Type I (64 controls documented), HIPAA/HITECH (full Security Rule mapping), HITRUST CSF (12 domains), CJIS, GDPR, PCI DSS, ABA Model Rules, and FRCP Rule 37(e) for legal hold. Every control maps to a source file and a passing test.

What happens if an agent goes rogue?

ClawFilters has a kill switch. One API call suspends any AI agent instance immediately. All actions are rejected at step 2 of the governance pipeline - before trust levels, before behavioral scoring, before everything. The agent cannot reinstate itself. Only a human administrator can restore it after review.

How is this different from ChatGPT Enterprise or Microsoft Copilot?

Those products send your data to their clouds and give agents broad autonomy by default. ClawFilters does neither. Your data physically cannot leave your network. And every AI agent starts at Quarantine with restricted privileges, earning trust through demonstrated behavior. For anyone handling sensitive data - business records, client communications, personal information - both of those distinctions are the entire point.

Can I deploy this on my own hardware?

Yes. ClawFilters is designed for self-hosted deployment via Docker Compose. It runs on a NAS, a rack server, or a VM. Your local VRAM for inference via Ollama, your residential IP for network identity. No cloud account required.

Do I need to be technical to use this?

You'll need basic comfort with installing software. If you've ever set up a home media server, installed an app on a NAS, or followed a step-by-step guide to set up a router, you can run ClawFilters. We're building plain-language setup guides and a guided installer to make this as approachable as possible. The same platform that clears regulated industry audits will run on your home server - and we want both audiences to succeed.

Is ClawFilters free?

Yes. ClawFilters is open source under the Apache License 2.0. The full codebase - every security rule, every governance engine, every audit mechanism - is public. Use it for any purpose: personal, commercial, production, research. No paywalls, no commercial license required. Enterprise support and consulting are available through Quietfire AI.

What's on the roadmap?

The current release is the governance engine: trust tiers, behavioral scoring, kill switch, HITL approval gates, cryptographic audit trail, and the full API. What's next is the interface that makes it approachable without reading API docs. The first build sprint after launch focuses on: a browser-based AI agent dashboard (trust level, behavioral score, violation history, and recent actions in one view), demotion explanation cards (when a score drops, you see exactly which actions caused it and which principle was violated), a guided agent registration flow, and a read-only audit log viewer. The API already exposes everything needed for all of it. The governance engine is done - the dashboard catches up next.

Don’t miss the next release.

ClawFilters is open source under Apache 2.0. Free for any use, forever. We ship real updates — major releases, security advisories, new capabilities. Drop your email and you’ll hear about it directly. No newsletters. No noise. Just the things that matter.

Or go straight to the source — star it on GitHub and watch from there.