Unwind launched on Hacker News as an open-source security proxy for AI agents that runs on a Raspberry Pi 5, giving developers deterministic control over what autonomous systems can actually execute. Built after 18 months of daily AI experimentation, it intercepts every tool call between agents and MCP servers through a stdio proxy architecture, applying 15 rule-based security checks without LLM involvement in the enforcement path. The system combines Apple Time Machine-style rollback capabilities with a tamper-evident audit chain called CRAFT, creating a defensive layer that remains invisible to the agent while logging every action to a cryptographic hash chain. This addresses the growing concern that AI agents lack oversight during autonomous operation, providing builders with concrete mechanisms to prevent file deletion incidents and prompt injection attacks.
What Is Unwind and Why Did It Launch Now?
Unwind addresses the vacuum of oversight in autonomous AI agent deployments. After 18 months of daily experimentation with AI tools, the developer recognized a critical gap: existing frameworks execute tool calls without deterministic validation, leaving systems vulnerable to prompt injection and errant behavior. The project emerged from a Raspberry Pi 5 originally purchased for a summer project, repurposed as the first OpenClaw installation before evolving into a security appliance. The core philosophy mirrors Apple’s Time Machine: when something goes wrong, you need granular visibility and rollback capability. Unlike reactive logging solutions, Unwind functions as an inline proxy, intercepting every MCP tool call before execution. This design responds to recent incidents where agents deleted files or executed unauthorized commands, providing builders with cryptographic audit trails and automated enforcement. The timing aligns with broader ecosystem maturation, as developers move from experimental prototypes to production deployments requiring safety guarantees.
The increasing complexity of AI agents, coupled with their growing autonomy, demands robust security measures. Unwind’s launch represents a timely response to this demand, offering a practical, open-source solution that can be deployed at the edge. The project’s emphasis on deterministic checks over LLM-based security highlights a critical design choice for reliability and auditability in AI systems. The ability to roll back changes, akin to Time Machine, is particularly valuable in environments where agents might inadvertently cause data loss or system instability. This proactive approach to security, embedded directly in the agent-tool communication path, is a significant step forward for responsible AI development and deployment.
How Does Unwind Work as an MCP Stdio Proxy?
Unwind operates as a standards-based MCP stdio proxy, wrapping existing MCP servers without modifying their code or the agent’s configuration. When you launch Unwind, it spawns the upstream MCP server as a child process and intercepts all JSON-RPC messages passing between the agent and tools. The proxy parses each tool call request, runs 15 deterministic security checks, and either forwards the call to the server or returns a BLOCK response to the agent. This architecture works transparently with Claude Desktop, Cursor, Windsurf, and VS Code Copilot, requiring only a configuration change to point at Unwind’s stdio endpoint instead of the direct server binary. The agent remains unaware of the interception, receiving standard MCP responses while Unwind logs every interaction to its tamper-evident chain. This approach avoids the complexity of network proxies or kernel modules, operating entirely in user space with pure Python.
This stdio proxy model provides several advantages. First, it offers broad compatibility with various MCP-compliant agents and servers without requiring specific integrations or modifications to their core logic. This “plug-and-play” capability simplifies deployment for developers already using MCP-based tools. Second, by operating at the stdio level, Unwind can inspect and control the exact messages exchanged between agents and their tools, providing a granular level of security enforcement. The minimal overhead introduced by this interception mechanism ensures that security is not achieved at the expense of performance, making it suitable for real-time agent interactions. The transparency of the proxy ensures that agents continue to function as expected, unaware that their actions are being monitored and filtered by an external security layer.
The Three-Package Architecture
The project ships as three distinct PyPI packages, each addressing different security postures. craft-auth provides tamper-evident command authentication in 1,605 lines of pure Python standard library code with zero external dependencies. Install it instantly with pip install craft-auth && craft-auth demo to see the hash chain generation. ghostmode offers a dry-run proxy that intercepts write operations while allowing reads to pass through, letting you preview destructive actions without risk. Run it with ghostmode -- npx @modelcontextprotocol/server-filesystem ~/Documents. unwind-mcp delivers the full enforcement engine with web dashboard, requiring unwind serve -- npx @modelcontextprotocol/server-filesystem ~/Documents to start the proxy, then unwind dashboard to view real-time ALLOW/BLOCK decisions at localhost:9001. This modular approach lets you adopt security incrementally, starting with observation in Ghost Mode before enabling enforcement.
This tiered architecture allows developers to choose the level of security and oversight appropriate for their specific needs. For those primarily concerned with auditability and proving the integrity of agent actions, craft-auth offers a lightweight, standalone solution. When experimenting with new agents or sensitive environments, ghostmode provides a safe sandbox to observe potential destructive behaviors without actual risk. Finally, unwind-mcp offers comprehensive, real-time enforcement with a user-friendly dashboard for managing agent permissions and reviewing security events. This flexibility is crucial for developers who need to balance between rapid prototyping and robust production deployments, enabling a gradual increase in security posture as projects mature.
Building on a Raspberry Pi 5
The Raspberry Pi 5 serves as more than a development convenience; it represents the target deployment model for edge-based agent security. The developer had this ARM64 device available from a summer project, making it the natural choice for the first OpenClaw installation before pivoting to security infrastructure. Running on 8GB RAM with low power consumption, the Pi demonstrates that deterministic security enforcement requires minimal computational overhead compared to the LLM inference workloads agents typically run. This hardware choice validates Unwind’s efficiency: if it runs smoothly on ARM64 single-board computers, it scales efficiently to x86 servers and cloud instances. The Pi’s always-on nature suits continuous monitoring scenarios where you want 24/7 agent supervision without dedicating a full workstation to security proxy duties. Deploying on Pi also proves the software runs under constrained resources, ensuring it won’t bottleneck high-performance agent workflows running on separate GPU-equipped hosts.
The choice of Raspberry Pi 5 highlights Unwind’s design for accessibility and cost-effectiveness. By proving its capabilities on a low-power, single-board computer, Unwind positions itself as an ideal solution for small-scale deployments, home labs, and educational settings where dedicated servers might be impractical. This also opens up possibilities for decentralized security architectures, where each agent or group of agents could have its own dedicated security proxy on an edge device. The efficiency demonstrated on the Pi suggests that Unwind can operate alongside demanding AI workloads without significantly impacting performance, making it a viable option for integrating security into existing agent deployments without major hardware upgrades.
Why Deterministic Enforcement Beats LLM-Based Security
Unwind’s enforcement pipeline contains zero LLM calls, relying exclusively on 15 deterministic checks using rules and pattern matching. This architectural decision eliminates the latency and non-determinism of agent-based security validation, where an LLM might inconsistently interpret the same threat across different contexts. When an agent requests a file deletion or shell command execution, Unwind matches against static patterns, taint flags, and cryptographic hashes rather than asking another AI for permission. This produces predictable, auditable decisions measured in milliseconds rather than seconds. The approach contrasts with emerging LLM-based security agents that introduce additional inference costs and potential hallucinations into the critical path. For production systems requiring guaranteed response times and reproducible security postures, deterministic enforcement provides the reliability that probabilistic methods cannot match.
The reliance on deterministic rules ensures that Unwind’s security decisions are consistent and auditable, a crucial factor for compliance and trust in AI systems. Unlike LLMs, which can sometimes produce unexpected or non-deterministic outputs, Unwind’s rule-based system guarantees that a given input will always result in the same security decision. This predictability is vital for preventing security vulnerabilities that might arise from an LLM’s misinterpretation of a threat or a benign action. Furthermore, removing LLMs from the enforcement path significantly reduces computational overhead and latency, making Unwind suitable for high-throughput environments where real-time security decisions are paramount. This design philosophy prioritizes reliability and performance, offering a robust alternative to AI-driven security solutions that might introduce their own set of challenges.
The Taint System and Its Aggressive Stance
The taint system implements strict data-flow tracking, flagging any agent that fetches external web content then attempts command execution as TAINTED. During initial testing, Codex immediately triggered this flag after fetching web pages during setup, then attempting to execute commands. The system correctly identified this as a potential prompt injection vector, blocking execution until human approval through the dashboard. However, this aggressiveness creates operational friction: normal agent workflows involving research plus file manipulation trigger taint immediately, effectively freezing unattended automation. The developer acknowledges this tension between “external content could carry prompt injection” and “the agent’s normal job involves external content” remains an unsolved design problem. For now, Unwind suits supervised deployments where a human remains available to approve blocked actions, rather than fully autonomous 24/7 operation.
While the taint system offers strong protection against prompt injection and other external data-driven attacks, its current implementation highlights a common challenge in AI security: balancing security with usability. The aggressive stance is a deliberate choice to prioritize safety, particularly in the face of sophisticated threats where malicious data can be subtly embedded. However, for agents designed to perform tasks that inherently involve both external data consumption and local system interaction, this can lead to frequent interruptions. Future developments may involve more nuanced taint policies, perhaps allowing users to define trusted sources or specific execution contexts where the taint flag can be temporarily relaxed. For now, Unwind’s taint system serves as a powerful guardian, albeit one that requires human oversight for tasks that blend web interaction with local command execution.
OpenClaw Integration Status
While Unwind supports OpenClaw, the integration currently faces unresolved adapter issues that make the MCP stdio proxy path more reliable for immediate use. The OpenClaw adapter exhibits compatibility problems with the intercepted message format, causing intermittent connection failures during high-volume tool call sequences. For OpenClaw deployments, configure the framework to use Unwind’s stdio interface rather than native adapters until the development team resolves these issues. This limitation reflects the broader fragmentation in AI agent security tooling, where multiple competing standards complicate interoperability. The MCP stdio approach bypasses these adapter complexities by operating at the protocol level rather than the framework level. Future releases aim to harden native OpenClaw support, potentially integrating with existing security features like those discussed in our coverage of /blog/agentward-a-runtime-enforcer-for-openclaw-ai-agents-after-file-deletion-incident/ and /blog/clawshield-open-source-security-proxy-for-openclaw-ai-agents/.
The challenges with OpenClaw integration underscore the complexities of integrating security solutions into a rapidly evolving AI ecosystem. Different agent frameworks and their underlying protocols can have subtle variations that pose integration hurdles. By initially recommending the MCP stdio proxy path, Unwind ensures a functional and secure deployment for OpenClaw users, even while native adapter issues are being addressed. This pragmatic approach prioritizes immediate security benefits over perfect native integration. The commitment to improving OpenClaw support in future releases demonstrates a dedication to broader interoperability, recognizing OpenClaw’s significance in the autonomous agent landscape. This iterative development strategy allows Unwind to provide value now while working towards more seamless integrations in the future.
The Development Strategy: Claude Code Meets Codex
The project utilized a dual-AI development strategy where Claude Code handled architectural planning while Codex executed the implementation on the Raspberry Pi itself. The developer chose Codex specifically because OpenAI allows Pro users to OAuth into OpenClaw without incurring API costs, making it economically feasible to run extensive iterations on edge hardware. The critical innovation involved a soul.md file defining Codex’s role as a security analyst with strict instructions: evidence first, flag unknowns, never assume, and produce structured assessments for every finding. This prompting framework consistently uncovered 5 to 6 real structural issues in every plan Claude Code generated, creating a self-correcting development loop. The security stack literally caught its own builder when Codex triggered the taint system during initial deployment, validating the defensive architecture against its creator. This meta-security approach demonstrates how AI-assisted development can harden systems against AI-generated threats.
This innovative development methodology highlights the potential of AI to enhance the security of AI systems themselves. By using one AI (Claude Code) for high-level design and another (Codex) for detailed implementation and bug detection, the developer created a robust feedback loop. The soul.md file served as a crucial “constitution” for Codex, guiding its analytical process and ensuring a security-first mindset. The incident where Codex itself triggered the taint system is a powerful testament to the effectiveness of this approach, validating Unwind’s core security mechanisms in a real-world scenario even during its own creation. This self-dogfooding of the security features during development provides a high degree of confidence in Unwind’s ability to detect and mitigate threats, even those originating from sophisticated AI models.
Installation Requirements and Platform Support
Unwind demands Python 3.10 or newer, a hard requirement that immediately excludes macOS default installations shipping with Python 3.9.6. Attempting to import the package on older versions crashes with syntax errors due to modern type hint syntax and match-case statements. Mac users must install Python 3.11 or 3.12 via Homebrew: brew install python@3.12 then ensure /opt/homebrew/bin/python3 appears first in PATH. Windows remains completely untested; while the pure Python codebase theoretically supports cross-platform operation, no verification exists for NT path handling or stdio pipe semantics on Windows hosts. Linux and macOS (with updated Python) provide the tested deployment targets. The Raspberry Pi 5 runs Raspberry Pi OS with Python 3.11, making it compatible out of the box.
# For macOS users to update Python
brew install python@3.12
echo 'export PATH="/opt/homebrew/bin:$PATH"' >> ~/.zshrc # or ~/.bashrc
source ~/.zshrc # or ~/.bashrc
python3 --version # Verify Python 3.12 is activeThe specific Python version requirement is a common consideration for modern Python projects leveraging recent language features. While it might require an extra step for some users, particularly on macOS, it ensures that Unwind can utilize the latest performance improvements and syntax enhancements. The lack of official Windows support is a known limitation, suggesting that developers on Windows might encounter unforeseen issues. However, the pure Python nature of Unwind makes it theoretically portable, and community contributions or future development efforts could extend official support to Windows. For now, Linux-based systems, including the Raspberry Pi, and macOS with an updated Python installation, represent the most reliable environments for deploying Unwind.
Ghost Mode: Testing Without Risk
Ghost Mode addresses the specific anxiety of running new AI agents against production file systems or APIs. Acting as a dry-run proxy, it intercepts all write operations (file writes, deletions, database inserts) while allowing read operations to pass through to the underlying MCP server. This lets you observe exactly what an agent would do without risking data corruption. Launch it with:
ghostmode -- npx @modelcontextprotocol/server-filesystem ~/DocumentsThe agent receives realistic responses to read requests, maintaining the illusion of a working environment, while destructive commands get logged to stdout with BLOCK status. This pattern proves invaluable when testing unfamiliar agents or debugging skill configurations. Unlike full enforcement mode, Ghost Mode requires no dashboard approval workflow, making it suitable for CI/CD pipelines where you want to verify agent behavior against snapshots without manual intervention.
Ghost Mode is an indispensable tool for agent developers and security teams. It provides a crucial safety net for testing the behavior of autonomous agents, particularly when those agents interact with sensitive data or critical system resources. By permitting reads but blocking writes, it offers a realistic simulation environment where developers can observe an agent’s intended actions and identify any unintended destructive behaviors before they occur in a live environment. This capability significantly reduces the risk associated with deploying new or updated agents, allowing for thorough validation and debugging without the fear of data loss or system compromise. Its suitability for CI/CD pipelines further streamlines the development process, enabling automated security testing as part of continuous integration.
CRAFT and Tamper-Evident Audit Chains
CRAFT (Cryptographic Resource Authentication For Transactions) originated from a separate cryptographic project the developer maintained for months before combining it with Unwind. It implements a hash chain where each log entry contains the SHA-256 hash of the previous entry, creating a tamper-evident sequence of all agent actions. The craft-auth package provides this functionality in 1,605 lines of zero-dependency Python, generating chains where any modification of historical logs invalidates subsequent hashes. This produces forensic-grade audit trails suitable for compliance scenarios or post-incident analysis. When Unwind logs an ALLOW or BLOCK decision, it appends the tool call parameters, timestamp, and decision rationale to the chain. Even if an attacker compromises the agent host, modifying the logs to hide malicious activity requires recomputing the entire hash chain from the point of compromise forward, a computationally infeasible task without the initial seed values.
The tamper-evident nature of CRAFT’s hash chains is a cornerstone of Unwind’s security posture. In environments where agent actions need to be unequivocally proven or disproven, such as in regulated industries or incident response scenarios, CRAFT provides an immutable record. This cryptographic integrity ensures that audit logs cannot be secretly altered, offering a robust defense against malicious actors attempting to cover their tracks. The fact that craft-auth is a lightweight, zero-dependency Python package makes it easy to integrate and deploy, not just within Unwind, but also as a standalone solution for other applications requiring verifiable logging. This technology empowers organizations to maintain a high level of accountability for their AI agents’ operations, bolstering trust and compliance.
Real-World Security Testing Results
The first production test produced an immediate validation of Unwind’s threat model: Codex, the AI that helped build the security stack, triggered the TAINTED flag during its initial live deployment. After fetching web pages during the setup phase, Codex attempted to execute a shell command, causing the dashboard to flash red and block execution pending human approval. This incident demonstrated the system’s ability to catch sophisticated threats including supply-chain attacks where development tools themselves become compromised. The dashboard at localhost:9001 displayed the full execution context: the fetched URLs, the command attempted, and the taint propagation path. This real-time visibility into agent decision-making provides the observability that existing MCP implementations lack. The developer emphasizes that first human testers remain welcome, suggesting the project needs broader exposure to diverse agent behaviors and edge cases before declaring production readiness.
This real-world test case, where the builder’s own AI assistant triggered Unwind’s security mechanisms, is a powerful endorsement of the system’s effectiveness. It underscores the critical need for security layers that can detect and prevent unintended or malicious actions, even from seemingly benign sources. The detailed information provided by the Unwind dashboard during such events is invaluable for understanding agent behavior, debugging issues, and making informed security decisions. The call for more human testers is a strategic move to gather diverse usage patterns and identify edge cases that might not be apparent in controlled testing environments. This collaborative approach to security testing is essential for building a truly resilient and comprehensive AI agent security solution.
Comparison with Existing AI Agent Security Tools
The AI agent security landscape now includes multiple approaches with distinct tradeoffs. Unwind differentiates through its deterministic, LLM-free enforcement and MCP stdio proxy architecture.
| Tool | Enforcement Type | Integration Method | License | Best For | Key Differentiators |
|---|---|---|---|---|---|
| Unwind | Deterministic rules | MCP stdio proxy | AGPL-3.0 | Development/testing with rollback, auditability | LLM-free, tamper-evident logs, Raspberry Pi compatible |
| AgentWard | Runtime policies | OpenClaw native | MIT | File deletion prevention in OpenClaw | OpenClaw-specific, focuses on file system integrity |
| ClawShield | Network proxy | HTTP intercept | Apache-2.0 | Network-level filtering for HTTP requests | Intercepts web traffic, less granular for local tools |
| Rampart | Kernel module | eBPF hooks | GPL-3.0 | System-call level monitoring for deep security | Deepest system integration, complex deployment |
| GuardRail AI | LLM-based validation | API/SDK integration | Proprietary | AI model output validation, content moderation | Relies on LLMs for enforcement, potential latency/non-determinism |
| Autogen Studio Security | Policy-based | Autogen framework | MIT | Role-based access, tool authorization within Autogen | Framework-specific, integrates with Autogen’s ecosystem |
Unwind’s MCP-focused approach provides broader compatibility across editors and frameworks compared to OpenClaw-specific solutions, while avoiding the kernel complexity of eBPF-based tools. However, it lacks the deep system integration of kernel-level enforcers, operating instead at the application layer where MCP traffic flows. This comparison table illustrates Unwind’s unique position, offering a balance between comprehensive security, ease of deployment, and performance, particularly for MCP-based agent ecosystems. Its deterministic nature sets it apart from emerging LLM-based security solutions, offering a more predictable and auditable security posture.
Licensing Strategy and Commercial Use
The licensing structure reflects a dual-track approach to open source sustainability. Unwind and Ghost Mode ship under AGPL-3.0, requiring that any network use (including SaaS deployments) distribute source code to users. This copyleft provision protects against proprietary forks while ensuring community contributions flow back to the project. However, craft-auth maintains zero AGPL dependencies and can be licensed separately for commercial applications needing tamper-evident logging without copyleft obligations. Organizations building proprietary agent orchestration platforms can integrate craft-auth’s hash chain functionality without triggering AGPL requirements, provided they do not link against Unwind’s enforcement engine. This separation allows the developer to offer commercial licensing for craft-auth while keeping the full proxy stack freely available under strong copyleft terms.
This strategic licensing model aims to foster both open-source collaboration and commercial viability. The AGPL-3.0 license for Unwind and Ghost Mode encourages transparency and community involvement, ensuring that improvements and extensions benefit the entire ecosystem. Simultaneously, offering craft-auth under a separate, more permissive licensing model provides a pathway for commercial entities to leverage the core integrity features without being constrained by the AGPL’s copyleft requirements for their entire product. This approach acknowledges the diverse needs of the AI development community, from individual researchers and open-source enthusiasts to large enterprises building proprietary solutions, and seeks to provide a sustainable funding model for ongoing development.
What the MCP Proxy Architecture Means for Builders
Unwind’s stdio proxy pattern offers a pragmatic middle ground between unsecured direct connections and heavy-handed kernel interception. By wrapping MCP servers at the process level, builders gain security visibility without modifying agent code or framework internals. This proves especially valuable when using closed-source agents like Claude Desktop or proprietary IDE integrations where you cannot audit the agent’s internal logic. The proxy architecture introduces minimal latency since it operates on local pipes rather than network sockets, adding roughly 5-10ms per tool call for pattern matching and logging. However, this approach cannot intercept actions that bypass MCP entirely, such as direct API calls from the agent process. Builders must ensure agents route all tool interactions through MCP servers to benefit from Unwind’s protection, a configuration detail that requires attention during setup.
The benefits of the MCP proxy architecture for builders are substantial. It provides a non-invasive way to introduce a critical security layer into existing AI agent workflows, minimizing disruption and integration effort. For developers working with black-box agents or those where source code modification is not an option, Unwind offers a powerful external control mechanism. The low latency ensures that security checks do not become a performance bottleneck, which is essential for responsive agent operations. However, the caveat regarding non-MCP actions is important: Unwind’s effectiveness is predicated on the assumption that all agent-tool communications flow through the MCP protocol. Builders must carefully design their agent systems to adhere to this pattern to maximize Unwind’s protective capabilities, potentially requiring adjustments to agent configurations or tool invocation methods.
Current Limitations and Future Development
Several rough edges remain before Unwind suits unattended production deployment. The taint system’s aggressiveness blocks legitimate automation workflows involving web research followed by file operations, requiring either manual approval or disabling taint checking entirely. Windows support remains theoretical, with path handling and stdio semantics unverified on NT systems. OpenClaw adapter issues persist, forcing reliance on the MCP stdio path for now. The dashboard requires manual startup of a sidecar process (unwind sidecar serve before unwind dashboard), adding operational complexity. The developer actively seeks first human testers to expose edge cases in real-world usage patterns. Future releases aim to resolve OpenClaw compatibility, implement configurable taint policies for specific domains, and potentially offer a hosted verification service for the CRAFT hash chains to provide third-party attestation of log integrity.
Addressing these limitations is key to Unwind’s evolution towards broader adoption and fully autonomous deployments. Refinements to the taint system, such as introducing granular policies or machine learning-driven context awareness, could significantly reduce operational friction without compromising security. Expanding platform support to include Windows would open Unwind to a much larger user base. Streamlining the dashboard startup process and resolving OpenClaw adapter issues would enhance usability and integration. The prospect of a hosted CRAFT verification service is particularly exciting, as it would provide an independent, trusted third party to attest to the integrity of agent audit logs, further strengthening the system’s forensic capabilities. Community feedback from early testers will be instrumental in prioritizing and guiding these future development efforts, ensuring Unwind continues to meet the evolving needs of the AI agent security landscape.
Frequently Asked Questions
What is Unwind and how does it protect AI agents?
Unwind is a deterministic security proxy that intercepts every tool call between AI agents and MCP servers. It runs 15 security checks on each call without using LLMs in the enforcement path, logs actions in a tamper-evident hash chain, and snapshots file changes for rollback. It acts as an invisible middle layer that blocks malicious or suspicious actions before they execute, providing visibility into agent behavior that standard MCP implementations lack. This robust approach ensures that AI agents operate within defined safety parameters, preventing unintended or harmful actions.
Can I use Unwind with OpenClaw?
OpenClaw support exists but currently has unresolved adapter issues. The primary integration path uses MCP stdio proxy mode with Claude Desktop, Cursor, Windsurf, or VS Code Copilot. For OpenClaw deployments, use the MCP stdio path until native adapter fixes land in future releases. This limitation affects native OpenClaw integration specifically, not the underlying MCP servers that OpenClaw can invoke through stdio. Developers should monitor Unwind’s release notes for updates on enhanced OpenClaw compatibility.
What are the system requirements for running Unwind?
Unwind requires Python 3.10 or higher. Mac users must upgrade from the default 3.9.6 using Homebrew Python 3.11+. Windows is untested but theoretically supported. The software runs on Raspberry Pi 5 and other ARM64 hardware, making it ideal for local, low-power security enforcement. Ensure you have Node.js available if using MCP servers that require it, though Unwind itself is pure Python. These requirements ensure compatibility with modern development environments and efficient operation.
How does the taint system work and why is it aggressive?
The taint system flags agents that fetch external content then attempt command execution, blocking until human approval. This prevents prompt injection attacks but creates friction for normal workflows involving web browsing plus file operations. The developer acknowledges this tension remains an unsolved design problem for unattended automation. Currently, Unwind works best for supervised agent sessions where a human can approve blocked actions promptly, prioritizing security over complete autonomy in ambiguous situations.
What license does Unwind use and can I use it commercially?
Unwind and Ghost Mode are AGPL-3.0 licensed, requiring source code sharing for network use. craft-auth is standalone with zero AGPL dependencies and can be licensed separately for proprietary applications. Organizations wanting closed-source deployments should evaluate craft-auth specifically for tamper-evident logging without copyleft obligations, while avoiding the full Unwind stack if they cannot comply with AGPL terms. This dual licensing strategy supports both open-source collaboration and commercial interests.