A developer shipped Unwind this week, a deterministic security proxy for AI agents that runs on a Raspberry Pi 5 and intercepts every MCP tool call without the agent knowing it exists. Built after 18 months of experimenting with AI tools, Unwind wraps any MCP server to enforce 15 deterministic security checks on every action, logs everything in a tamper-evident hash chain called CRAFT, and snapshots file changes for rollback. It sits between your agent and its tools, offering a novel approach to securing AI operations by combining Apple’s Time Machine philosophy with cryptographic audit chains. The system caught its own builder, Codex, attempting unauthorized commands during the first live test, proving the concept works in practice while highlighting the tension between security and automation.
What Exactly Is Unwind and Why Did a Developer Build It on a Raspberry Pi?
Unwind is a deterministic security proxy specifically designed for AI agents, intercepting tool calls at the Model Context Protocol (MCP) standard input/output (stdio) layer. The developer had a Raspberry Pi 5 available from a previous summer project and decided to use it as the initial platform for an OpenClaw installation. Once OpenClaw was operational, the immediate question arose: how can one supervise an AI agent when human attention is not constantly available? The answer came from the inspiration of Apple’s Time Machine concept: if something goes wrong, there must be a way to review what occurred and revert to a previous state. The Raspberry Pi 5 became the ideal testbed for this concept, demonstrating that robust security infrastructure can operate effectively on affordable hardware, costing approximately $80. The device now hosts three distinct PyPI packages that form the Unwind ecosystem: craft-auth for tamper-evident authentication, ghostmode for dry-run previews, and unwind-mcp for comprehensive enforcement. This was a deliberate choice to avoid cloud deployment, aiming to prove that resource-constrained hardware can handle security-critical agent supervision without requiring significant enterprise budgets.
How Does Unwind’s MCP Stdio Proxy Architecture Work Under the Hood?
Unwind functions as a transparent wrapper around any MCP server. When a user executes a command such as unwind serve -- npx @modelcontextprotocol/server-filesystem ~/Documents, Unwind initiates the designated upstream MCP server as a child process. It then intercepts all JSON-RPC messages that pass through the standard input and output streams. From the perspective of the AI agent, it appears to be communicating directly with the filesystem server. However, every single tool call is first routed through Unwind’s deterministic enforcement pipeline. This architectural approach ensures compatibility with various AI agent environments, including Claude Desktop, Cursor, Windsurf, and VS Code Copilot. The proxy pattern is crucial because it requires no modifications to either the AI agent itself or the MCP server it intends to use. Unwind simply positions itself in the communication path, parsing incoming requests, executing its 15 security checks, and then either allowing the call to proceed or blocking it while providing a clear explanation. The decision to use the stdio approach was based on its universality across different MCP implementations, eliminating the need for network sockets or HTTP middleware, which could otherwise introduce additional attack surfaces and complexity.
What Makes CRAFT Different From Standard Logging Systems?
CRAFT (Command Authentication System for Tamper-evident Logging) is a specialized, zero-dependency Python library designed for tamper-evident command authentication. Unlike conventional logging mechanisms, which can be susceptible to modification or deletion by an attacker, CRAFT constructs a cryptographic hash chain. In this chain, each log entry incorporates the cryptographic hash of the preceding entry. This design means that any unauthorized alteration to a log entry will break the chain’s integrity, making the modification immediately detectable. The entire implementation is written in pure Python using only the standard library, consisting of 1,605 lines of code, which contributes to its auditable nature and lightweight footprint. Users can quickly experiment with it by running pip install craft-auth && craft-auth demo, which visually demonstrates the real-time construction of the hash chain. For AI agents, this system provides cryptographic proof of executed commands, including their timing and the originating agent. This creates an audit trail that can withstand rigorous forensic scrutiny, unlike traditional logging that often assumes a benign system environment. CRAFT, conversely, operates on the principle that the system might be hostile, and therefore cryptographically proves integrity.
How Does Ghost Mode Let You Preview Agent Actions Before They Execute?
Ghostmode is a dry-run proxy that offers a precise preview of an AI agent’s intended actions without allowing it to enact any permanent changes. When an MCP server is wrapped with ghostmode, all write operations are intercepted and meticulously logged, while read operations are permitted to pass through unimpeded. This functionality enables an AI agent to freely browse files, access documentation, and formulate its action plans, but it prevents any actual modification of the filesystem or execution of commands. To utilize it, one simply runs pip install ghostmode && ghostmode -- npx @modelcontextprotocol/server-filesystem ~/Documents. The tool then outputs all intercepted calls to the terminal in real-time, providing immediate feedback. This feature is exceptionally valuable for testing newly developed agents or for reviewing the proposed plans generated by AI models like Claude Code before granting them write permissions to a codebase. It significantly reduces the apprehension associated with deploying autonomous agents on production environments by creating a safe, read-only sandbox that maintains the illusion of full access for the agent while safeguarding critical data.
Why Did the Builder Use Codex on a Pi Instead of Cloud-Based Development?
The builder’s decision to use Codex running directly on the Raspberry Pi 5, rather than opting for cloud-based development, was motivated by specific technical and economic considerations. OpenAI’s policy allows Pro users to authenticate with OpenClaw via OAuth, effectively providing access to Codex with zero API costs for OpenClaw development. This cost-free arrangement offered a significant advantage over incurring per-token rates associated with cloud-based development. The development workflow involved Claude Code for the high-level planning phases, while Codex was responsible for executing the actual building tasks on the Raspberry Pi. The builder provided Codex with a soul.md file, which meticulously defined its role as a security analyst. This included strict instructions: prioritize evidence, flag all unknowns, never make assumptions, and produce structured assessments for every finding. This specific framing consistently led Codex to identify five or six legitimate structural issues in nearly every plan generated by Claude Code, establishing a multi-agent review process that enhanced code quality without incurring additional financial overhead.
What Are the 15 Deterministic Security Checks Running on Every Tool Call?
Unwind incorporates 15 distinct deterministic security checks that are applied to every intercepted tool call, crucially without any involvement from a Large Language Model (LLM) in the enforcement process. This design choice is fundamental for security: unlike LLM-based security systems that can be susceptible to hallucinations or confusion through prompt injection, Unwind relies purely on predefined rules and pattern matching. These checks encompass a range of common attack vectors, including path traversal detection (e.g., ../), command injection patterns (e.g., using backticks or semicolons), taint analysis for external content, and attempts at privilege escalation. Each check yields an unambiguous ALLOW or BLOCK decision, which is displayed in the terminal dashboard. The deterministic nature of this pipeline ensures consistent and auditable behavior, unaffected by variables such as model temperature or the constraints of context windows. The rules are implemented in Python and execute within milliseconds, introducing negligible latency to tool calls while providing strong assurances about which actions are permitted.
How Does Unwind Compare to Other OpenClaw Security Tools?
The OpenClaw ecosystem has seen the emergence of several security tools, each employing different methodologies. Unwind distinguishes itself through its specific MCP stdio proxy architecture and its commitment to deterministic enforcement. Below is a comparison highlighting its distinctions from other alternatives:
| Tool | Architecture | Enforcement Type | Integration Method | Hardware Requirements | Primary Focus |
|---|---|---|---|---|---|
| Unwind | MCP stdio proxy | Deterministic rules | Wrapper script | Pi 5+ or any Linux | Protocol-level interception, tamper-evident logging |
| AgentWard | OpenClaw native | Policy-based | OpenClaw native adapter | Cloud or local (JVM) | Runtime policy enforcement for OpenClaw agents |
| ClawShield | Network proxy (HTTP) | Heuristic + rules | HTTP middleware | Server-grade | Network traffic analysis, API call filtering |
| Rampart | Kernel module (eBPF) | System call filtering | System-level | Linux kernel 5.15+ | Low-level system protection, sandboxing |
| SecureAgent | LLM-based analysis | Contextual judgment | Agent plugin | Cloud (GPU intensive) | Semantic understanding of agent intent |
Unwind’s approach avoids the need for kernel modules or complex network configurations, making it a highly portable solution for developers operating agents on laptops or edge devices. In contrast to tools like Rampart, which requires eBPF support, or ClawShield, which necessitates modifications to the network stack, Unwind functions wherever Python 3.10 or newer is available. This positions Unwind as an accessible entry point for developers seeking security guarantees without the overhead of intricate infrastructure setup. Its focus on the direct communication between agent and tool allows for precise control at a critical interaction point.
Why Did the System Flag Codex as TAINTED on Its First Live Action?
During Unwind’s inaugural live test, the system immediately flagged Codex as “TAINTED” on its own dashboard. This incident served as a clear demonstration of the critical role security proxies play. The sequence of events revealed that Codex had been retrieving web pages during its setup phase, which inherently marked its operational context as potentially compromised due to external content ingestion. Subsequently, when Codex attempted to execute a shell command, Unwind promptly blocked the action and mandated human approval. This scenario vividly illustrated the security stack successfully identifying and intervening in a potentially risky operation, even when performed by the system’s own builder. The incident underscores how AI agents can inadvertently carry compromised context across different operations. While Codex was simply performing its intended function—gathering documentation and then executing setup commands—Unwind accurately identified the transition from consuming external content to executing code as a taint violation, correctly escalating it for human review.
What Is the Real Difference Between MCP Stdio and OpenClaw Native Support?
Unwind offers two distinct integration pathways, though only one currently provides reliable functionality. The MCP stdio proxy path is considered production-ready and has undergone extensive testing with environments such as Claude Desktop, Cursor, Windsurf, and VS Code Copilot. This method involves Unwind wrapping the MCP server and intercepting JSON-RPC messages transmitted over standard input and output streams. While OpenClaw native support technically exists, it is currently plagued by unresolved adapter issues that render it unstable for routine use. Consequently, users operating OpenClaw agents are strongly advised to utilize the MCP stdio path for the foreseeable future. The distinction between these two methods is significant: the stdio approach benefits from its universality across diverse MCP implementations, whereas native OpenClaw integration demands specific adapter logic that is still undergoing debugging and refinement. The developer prioritized the MCP stdio path due to its immediate user base and broader compatibility, with plans to fully resolve OpenClaw native adapter issues in subsequent releases.
How Do You Deploy Unwind in Production Today?
Deploying Unwind necessitates a Python environment version 3.10 or higher. This requirement immediately presents a challenge for macOS users, as the operating system typically ships with Python 3.9.6, causing an import crash if Unwind is attempted directly. Therefore, upgrading to Python 3.11 or newer, preferably through a package manager like Homebrew, is essential for macOS users. While Windows support remains untested, the pure Python codebase theoretically should function if dependencies are met. For a complete Unwind experience, it is recommended to install all three associated packages: pip install craft-auth ghostmode unwind-mcp. Following installation, the sidecar component can be initiated with unwind sidecar serve, and the Unwind dashboard can be launched via unwind dashboard, which becomes accessible at localhost:9001. To protect an MCP server, use the command unwind serve -- npx @modelcontextprotocol/server-filesystem ~/Documents. The terminal provides real-time ALLOW/BLOCK decisions. For unattended operations, careful calibration of the taint settings is crucial, as the default configuration will block execution upon detecting external content, effectively pausing autonomous agents until manual human approval is provided.
Why Is the Taint System Too Aggressive for Unattended Operation?
The current taint detection system in Unwind, while functionally correct, creates a significant challenge for truly autonomous AI agents. When an agent retrieves external content, such as web pages or data from API responses, Unwind categorizes the session as “TAINTED.” Any subsequent attempt to execute commands or write files will be blocked until a human explicitly approves the action. This behavior is perfectly suitable when a user is actively monitoring the terminal and dashboard. However, for agents designed to operate without constant human supervision, this aggressive detection mechanism means the agent will halt immediately upon encountering external content—a common and often necessary part of an agent’s normal operational workflow. The developer acknowledges this as a genuine design dilemma that currently lacks a straightforward resolution. The inherent conflict between the need to guard against potential prompt injection from external content and the agent’s functional requirement to process such content necessitates either a meticulous calibration of taint rules or the implementation of delayed approval queues for specifically trusted domains, allowing for a more nuanced approach to automation.
How Does Deterministic Enforcement Prevent Prompt Injection Attacks?
Unwind’s deterministic enforcement pipeline is meticulously designed to contain no LLM components within its decision-making pathway. This is a deliberate and fundamental security choice. LLM-based security systems, by their very nature, can be susceptible to sophisticated prompt injection attacks that manipulate their context window or exploit biases present in their training data. Unwind, conversely, relies solely on predefined rules and pattern matching, operating much like traditional intrusion detection systems but specifically tailored for MCP tool calls. The 15 security checks are programmed to identify specific attack patterns, such as path traversal attempts using ../, command injection techniques involving backticks or semicolons, and the execution of unexpected binary files. Because these rules are entirely deterministic, they consistently produce the same outcome regardless of how a prompt is phrased. An attacker cannot deceive this security layer by crafting clever or misleading prompts, as the layer does not interpret natural language. Instead, it parses structured JSON-RPC requests and rigorously evaluates them against hardcoded deny lists and established behavioral heuristics, offering a robust defense against prompt injection.
What Does Rollback Look Like When an Agent Goes Wrong?
When Unwind identifies a blocked action or a user manually initiates a rollback, the system leverages its file snapshotting capability to restore previous states. This functionality is inspired by Apple’s Time Machine, where Unwind captures snapshots of files before any modifications are made by tool calls. For instance, if an AI agent inadvertently deletes an incorrect file or introduces malicious code, the user can revert to the prior, undamaged state directly through the Unwind dashboard or via command-line interface. The rollback mechanism is seamlessly integrated with the CRAFT audit chain, which means users can precisely pinpoint which specific action caused the damage and exactly when it occurred. This integration creates a comprehensive forensic timeline, where security events are directly correlated with filesystem changes. For developers who deploy AI agents on critical production repositories, this feature provides a crucial safety net, enabling experimentation with autonomous coding assistants without the inherent risk of irreversible damage to their main codebase.
What Hardware Constraints Shaped Unwind’s Design?
The development environment of a Raspberry Pi 5 imposed specific hardware constraints that, paradoxically, led to significant improvements in Unwind’s software design. The Pi’s limited RAM and CPU processing power effectively precluded the inclusion of heavy dependencies or the adoption of containerized microservice architectures. This forced design choice resulted in a pure Python implementation that relies exclusively on the standard library for craft-auth, keeping the codebase concise at just 1,605 lines and completely free of external dependencies. This minimalist approach enhances the code’s auditability and minimizes its attack surface. Furthermore, the Pi 5’s ARM architecture ensured that the code was inherently portable across various platforms, as it could not rely on x86-specific optimizations or binaries. This constrained development environment proved that effective security tools do not necessarily require high-end enterprise servers. The principle emerged: if it runs efficiently on a Raspberry Pi, it will run effectively anywhere, from developer laptops to cloud instances, without demanding complex configuration changes or leading to “dependency hell.”
Where Does Unwind Fit in the OpenClaw Security Ecosystem?
Unwind carves out a distinct and important niche within the expanding OpenClaw security landscape, specifically targeting the MCP interception layer for deterministic enforcement. While other tools, such as Rampart, concentrate on kernel-level protection, and AgentWard focuses on runtime policy enforcement for OpenClaw native agents, Unwind operates precisely at the protocol layer where AI agents communicate with their tools. Its AGPL-3.0 license means that commercial users must carefully consider their obligations, though craft-auth can be licensed separately since it possesses no AGPL dependencies. For developers and builders, Unwind represents a new category of security tool that operates under the assumption of potential compromise, prioritizing the provision of verifiable evidence rather than presuming inherent safety and offering mere convenience. As AI agents continue to advance in capabilities and autonomy, this “paranoid” yet pragmatic approach to security is likely to become a standard practice. The project stands as a testament that significant security infrastructure can indeed originate from weekend projects on commodity hardware, thereby lowering the barrier to entry for critical AI agent security research and development.
How Do You Configure the Security Rules in craft-auth?
While Unwind comes pre-configured with 15 default security checks, the craft-auth library offers extensive customization capabilities for its tamper-evident audit chain and authentication rules. The library exposes a straightforward API that allows users to define specific command patterns requiring cryptographic signatures or particular hash validations. Beyond basic rules, you can configure various operational parameters, such as the intervals at which the hash chain is verified, the retention policies for file snapshots, and even specify custom hashing algorithms if the default SHA-256 does not align with specific compliance or security requirements. Although the craft-auth demo command illustrates the default configuration, production deployments can extend or subclass the ChainVerifier class to implement bespoke corporate security policies. The fact that craft-auth relies exclusively on the Python standard library ensures complete transparency, allowing users to audit every line of the validation logic themselves. This level of transparency is paramount for security software, where hidden dependencies or obfuscated binaries could themselves harbor vulnerabilities or backdoors.
What Licensing Pitfalls Should Commercial Users Avoid?
Unwind and Ghost Mode are distributed under the AGPL-3.0 license, which imposes specific obligations on commercial deployments. If an organization modifies the code or uses it to provide a service over a network, they are typically required to release their modifications under the same AGPL-3.0 license. This can introduce complexities when integrating Unwind into proprietary AI agent systems. However, craft-auth, a core component, stands apart with zero AGPL dependencies and can be licensed separately. This makes craft-auth a viable option for commercial products that require tamper-evident logging without inheriting the broader copyleft obligations of the AGPL. Companies evaluating Unwind should thoroughly audit their intended usage patterns: internal development use might be permissible, but bundling it into a product offered to customers necessitates legal review to ensure compliance. The dual-licensing option for craft-auth provides a crucial escape hatch for incorporating the cryptographic components while maintaining the full proxy solution under open-source terms.
Frequently Asked Questions
Can I run Unwind on macOS without Homebrew?
You cannot run Unwind on macOS without upgrading Python. macOS ships with Python 3.9.6, and Unwind requires Python 3.10 or higher. The import will crash immediately on the system Python. You must install Python 3.11 or newer through Homebrew or another package manager. Once you have the correct version, the installation is straightforward with pip. The rest of the stack works normally on Mac once the Python version requirement is satisfied. Windows support remains completely untested, though the pure Python code should theoretically work if dependencies are available.
Why did Codex flag itself as TAINTED during setup?
Codex flagged itself because it followed a common agent pattern: fetching external web pages during setup, then attempting to execute shell commands. Unwind’s taint system marks sessions as TAINTED when they ingest external content, assuming it could contain prompt injection attacks. When Codex then tried to run commands, Unwind blocked the execution and flagged the dashboard. This was the security system working exactly as designed, catching potentially compromised context before it could execute code. The incident proved the concept works even when the agent and the security tool are built by the same developer.
How does Unwind compare to using a sandboxed container for AI agents?
Unwind adds minimal latency to tool calls because it uses deterministic pattern matching rather than LLM-based analysis. The 15 security checks run in milliseconds on a Raspberry Pi 5, suggesting overhead is negligible on modern laptops or servers. Because it operates at the stdio layer, it avoids network stack latency that HTTP proxies introduce. The main performance consideration is the tamper-evident logging in CRAFT, which requires hashing operations, but these are optimized pure Python implementations. For most use cases, you will not notice Unwind is running until it blocks a malicious action.
Is Unwind suitable for production AI agents right now?
Unwind is suitable for production use with attended AI agents, but the taint system currently makes it unsuitable for fully unattended operation. The aggressive external content detection blocks execution when agents fetch web pages or API data, requiring human approval to continue. If your use case involves a human in the loop or batch processing with manual checkpoints, Unwind provides excellent protection. For 24/7 autonomous agents that need to browse the web and execute commands continuously, you will need to wait for the developer to solve the taint calibration problem or run Unwind in monitor-only mode without enforcement.
How does CRAFT differ from blockchain logging?
CRAFT uses a cryptographic hash chain similar to blockchain structure, but it does not distribute the ledger or use consensus mechanisms. It is a local-first tamper-evident log where each entry contains the hash of the previous entry, creating proof of sequence and integrity. Unlike blockchain, there is no mining, no tokens, and no network requirement. The verification happens locally using pure Python stdlib. CRAFT is designed for forensic audit trails on single machines or small networks, not for distributed consensus. It provides the integrity guarantees of blockchain without the energy consumption or complexity of distributed ledgers.