TORQCLAW TrustOS is a governed local/cloud AI agent control plane: a TypeScript gateway, router, MCP bridge, and console UI wrapped around a forked Hermes Python execution engine.
It is built around one product thesis:
Local when private.
Cloud when needed.
Approval before action.
Budget before spend.
Receipts after every run.
Learning that is measurable, governed, and reversible.
| Area | Status |
|---|---|
| Phase 0 — Foundation Repair | Complete |
| Phase 1 — Visible Trust MVP | Complete |
| Phase 2 — Governed Learning MVP | Not started |
| Current remote baseline | origin/master closed Phase 1 at 1fe4ce25812da2502d2268efd65f49bf833100b5 |
| Current green gate | 805/805 TypeScript tests · 75/75 Python tests · typecheck 12/12 · contracts drift OK · build 7/7 |
The local E:\TorqClaw checkout was last confirmed clean at the same Phase-1 closeout state before this README refresh. This README summarizes the improvements now implemented on GitHub.
- Hybrid routing across LOCAL_EDGE and FRONTIER tiers.
- Privacy and local-only rules override model confidence.
- Role-based command authorization for operator/channel/node seats.
- Headless channels cannot silently approve gated actions.
- Gateway-owned grants: clients cannot inject
grantedTools. - All terminal task outcomes flow through the governed gateway event path.
- Per-task budgets from console controls or
TORQCLAW_DEFAULT_MAX_COST. - Provider-reported spend is the enforcement source of truth.
- Budget breach cancels execution and emits a clear failure path.
- Honest fallback when spend is unavailable: the iteration cap is the guard.
- Cost summaries and receipt fields expose enforcement state without static pricing-table claims.
- Route preview and structured route explanation surfaces.
- Router diagnostics are surfaced to the console and receipts.
- Local/private safety locks are visible and not silently overridden.
- Route receipts show what was selected and why.
- Write-capable tools pause for approval on both tiers.
- Approval card v2 shows mechanical gate facts without inventing risk scores.
- Registry misses render honestly as
write-class (unclassified). - FRONTIER engine hooks render as engine approvals without fake capability labels.
- Approval history UI reads live approval truth from
tool_approvals, not stale receipt embeds. - Pending history rows are display-only; the live approval card remains the only action surface.
- Terminal tasks produce queryable receipts from real telemetry.
- Receipts avoid fabricated values and distinguish missing facts from known facts.
- Receipt replay and safe diagnostic export are separate surfaces: raw local diagnostics remain local/unredacted, while safe export uses server-side redaction.
GET_SAFE_EXPORTis an operator-only read command.- Safe export is generated on demand;
run_receipts.safe_export_jsondeliberately remainsNULL. - Unknown fields fail closed and do not export.
- Prompts, assembled context, raw event replay, raw args, raw results, and memory context are omitted wholesale.
- Retained short residue is scrubbed for known secret shapes before character caps.
- Absolute Windows, UNC, POSIX-home, and
~paths redact to[REDACTED:path]. - Approval status is read from live
tool_approvals, not frozen receipt embeds. - Safe export copy includes an explicit notice: known secret shapes were removed, but the export cannot guarantee that no secrets remain.
- Zod contracts remain the TypeScript source of truth.
- JSON Schema is emitted into both the contracts package and Python wrapper schema directory.
pnpm contracts:checkverifies generated schema drift.- CI gates TypeScript tests, typecheck, contracts drift, build, and Python wrapper tests.
Graphify project profile files are present on master through governed Graphify PRs and are accepted current repository state. Graphify relocation or cleanup remains a separate operator-lane item and is not part of TrustOS Phase 1.
[ Console / HTTP channel / future channel adapters ]
│
▼
┌─────────────────────────────────────────────┐
│ TypeScript Control Plane │
│ Fastify gateway :18790 · sessions · authz │
│ enrich → route → dispatch → receipts │
└───────────────┬─────────────────────────────┘
│
┌────────┴────────┐
▼ ▼
┌──────────────┐ ┌──────────────────────────┐
│ LOCAL_EDGE │ │ FRONTIER / Hermes Engine │
│ Ollama /v1 │ │ Python · MCP wrapper │
│ tool loop │ │ streamable-http │
└──────┬───────┘ └──────────┬───────────────┘
│ │
└──────────┬───────────┘
▼
┌─────────────────────────────────────────────┐
│ Universal MCP Bridge │
│ namespaced tools · capability policy │
│ path scope · approval-gated writes │
└─────────────────────────────────────────────┘
| Path | What |
|---|---|
packages/contracts |
Zod source of truth; emits JSON Schema for TypeScript and Python consumers |
packages/router |
Hybrid route rule hierarchy and diagnostics |
packages/gateway |
Fastify gateway, sessions, authz, dispatch, receipts, approvals, safe export |
packages/inference |
LOCAL_EDGE Ollama-compatible tool loop |
packages/bridge |
MCP server registry, namespacing, tool filtering, capability/path policy |
packages/channel-http |
HTTP channel adapter using the role: 'channel' seat |
apps/console |
Next.js console: route preview, receipts, approvals, safe export UI |
engines/hermes_kernel |
Python MCP wrapper over vendored hermes-agent |
docs/TRUSTOS-BUILD-LEDGER.md |
Implementation ledger and phase closeout record |
git clone https://github.com/pilotwaffle/TORQCLAW.git
cd TORQCLAW
git submodule update --init --recursive
pnpm install
pnpm --filter @torqclaw/contracts build
# Python engine: venv + deps + vendored Hermes agent dependencies
cd engines/hermes_kernel
uv sync
uv pip install -e ./vendor/hermes-agent
cd ../..
# Optional local model setup
pnpm model:setup
# Configure environment
cp .env.example .env
# Bring up engine + gateway + console
node --env-file=.env ops/dev-up.mjsConsole: http://localhost:3000
Gateway: 127.0.0.1:18790
Optional HTTP channel: 127.0.0.1:18792
A quick stub-mode smoke test with no provider key:
node ops/e2e.mjs| Variable | Default | Notes |
|---|---|---|
TORQCLAW_DATA_DIR |
~/.torqclaw |
Gateway state DB, credentials, skill queue |
TORQCLAW_PORT / TORQCLAW_HOST |
18790 / 127.0.0.1 |
Loopback-first gateway binding |
TORQCLAW_GATEWAY_TOKEN |
unset dev mode | Required for non-loopback deployment |
HERMES_ENGINE_URL / HERMES_ENGINE_TOKEN |
http://127.0.0.1:8000/mcp |
Python engine endpoint |
OLLAMA_HOST / TORQCLAW_LOCAL_MODEL |
localhost:11434 / torq-local |
LOCAL_EDGE model config |
HERMES_MODEL / HERMES_PROVIDER / HERMES_API_KEY / HERMES_BASE_URL |
unset stub mode | FRONTIER provider config |
HERMES_CODING_PROVIDER / HERMES_CODING_MODEL / HERMES_CODING_API_KEY / HERMES_CODING_BASE_URL |
optional | Per-task override for complex coding tasks |
TORQCLAW_PREFER_CLOUD |
unset | 1 lowers the bar for cloud routing while privacy/local-only still win |
TORQCLAW_DEFAULT_MAX_COST |
unset/unlimited | Fallback budget when a task sets none |
HERMES_MAX_ITERATIONS |
30 |
Hard cap on the Hermes loop |
HERMES_STUB_COST_USD |
0.0 |
Stub-mode spend value for tests |
HERMES_STUB_COST_UNAVAILABLE |
unset | 1 makes stub spend unavailable |
The console controls are user-owned and per submission:
- Budget — default/env fallback, free local-only, fixed amounts, or custom
maxCostUsd. - Mode — Auto, This machine only (
LOCAL_ONLY), or Cloud allowed. - Private — sets
containsSensitiveData; automation must not clear it. - Fast/urgent — latency hint for routing.
- Stop — cancels a running task through the gateway.
A credential-looking prompt may trigger a client-side suggestion to mark private. It never silently flips the flag and never blocks submission.
A write-capable tool never runs without operator approval.
- LOCAL_EDGE raises
ToolApprovalRequiredbefore executing an ungranted gated tool. - FRONTIER blocks through the Hermes
pre_tool_callhook and returns through the same gateway approval path. APPROVE_TOOLcarries onlyapprovalIdand decision; the gateway reads the tool and args from its own database.- Allow once re-mints a gateway-owned one-shot grant.
- Deny ends with a terminal error and does not store memory.
- Approval history is read-only and display-only; history rows cannot approve.
Safe export is designed for support/debugging without pretending to solve all data-leak risk.
- Request via
GET_SAFE_EXPORTfrom an operator seat. - Export is generated on demand from allowed receipt/task/approval facts.
- Server redaction removes known secret shapes and absolute path shapes.
- The UI displays the redaction report before copy.
- Copy JSON uses the server SafeExport object exactly.
- Copy Markdown is a pure projection of that object with GitHub-paste escaping.
- Raw local diagnostics remain available only as explicitly labeled local/unredacted diagnostics.
The console is the primary operator client. packages/channel-http is the first non-console adapter and connects as role: 'channel'.
TORQCLAW_HTTP_CHANNEL=1 node --env-file=.env ops/dev-up.mjs
curl -s localhost:18792/task -H 'content-type: application/json' \
-d '{"prompt":"research MCP gateway namespacing and compare the options"}'A task that needs interactive approval returns a pending-approval response honestly; a headless channel cannot click the approval card.
Copy ops/servers.example.json to ~/.torqclaw/servers.json.
Each server entry supports:
idfor namespace prefixing, such asfilesystem__read_file.stdioorstreamable-httptransport.- optional
toolsallowlist to keep large servers focused. - capability/approval policy.
pathArgKeysand path scopes for read/write/deny enforcement.
Path-like arguments are resolved before policy matching. deny always wins.
Run the current gate:
pnpm typecheck
pnpm test
pnpm contracts:check
pnpm build
cd engines/hermes_kernel
uv run pytestCurrent Phase-1 closeout gate:
805/805 TypeScript tests
75/75 Python tests
typecheck 12/12
contracts drift OK
build 7/7
- No hidden authority. Client requests cannot inject grants, scopes, approvals, or internal authorization.
- Privacy beats routing confidence. Private/local-only tasks stay local.
- Budget before spend. Cloud tasks carry an explicit budget story.
- Approval before write. Write-class tools pause on both tiers.
- Receipts from evidence. Receipts and exports are built from recorded facts; absent facts are not invented.
- Safe export is honest. It removes known secret shapes but never claims total safety.
- Protocol drift fails fast. Generated schemas are checked against source of truth.
- Wrap, do not rewrite Hermes. Upstream Hermes remains vendored; TORQCLAW owns
mcp_wrapper/. - Governed phases. Phase 2 is not started until explicitly scoped and approved.
Completed:
- Phase 0 — Foundation Repair.
- Phase 1 — Visible Trust MVP.
Not started:
- Phase 2 — Governed Learning MVP.
Filed non-blocking residuals:
TCLAW-FIX-G— refresh/re-project receipt approval embeds after approval decision.TCLAW-FIX-H— at-rest sanitization for persistedtasks.error/full_receipt_json.error.TCLAW-GRAPHIFY-CLEANUP— Graphify cleanup/relocation operator lane.