Show HN: Unwind – I built a security proxy for AI agents on a Raspberry Pi
1 point • by David-Brug-Ai • 3 days ago
I've been experimenting with AI tools, sometimes hours a day for the last 18 months, and recently shipped three open source packages that sit between AI agents and the tools they call.

I had a Raspberry Pi 5 from a summer project that became my first OpenClaw install. Once it was running I turned to the problem: what watches the agent while you're not watching?

The idea for UNWIND came from Apple's Time Machine. If something goes wrong, you should be able to see what happened and roll it back. CRAFT, the tamper-evident audit chain, came from a separate cryptographic project I'd been working on for months before. Combining the two with a deterministic enforcement pipeline was the design I wanted to build.

UNWIND works as an MCP stdio proxy. It wraps any MCP server, intercepts every tool call on the way through, and the agent never knows it's there. If you're using Claude Desktop, Cursor, Windsurf, or VS Code Copilot with MCP servers, that's the primary integration path and the one that works most reliably right now. OpenClaw support exists but has unresolved adapter issues, so the MCP stdio path is the one to use today.

Claude Code handled planning. Codex on the Pi was the builder. I chose Codex because OpenAI lets Pro users OAuth into OpenClaw with no API costs. I gave Codex a soul.md (the instruction file OpenClaw agents use) that defined its role as a security analyst: evidence first, flag unknowns, never assume, and for every finding produce a structured assessment of what happened, why it matters... With that framing it consistently found 5 or 6 real structural issues in every plan Claude Code produced.

UNWIND is a deterministic security proxy that sits between the agent and every tool call. 15 checks run on every call. No LLM in the enforcement path, just rules and pattern matching. Every action is logged in a tamper-evident hash chain. File changes are snapshotted for rollback.

Three packages, all on PyPI right now:

*craft-auth*: Tamper-evident command authentication. Zero dependencies, pure Python stdlib, 1,605 lines. Try it in 10 seconds: `pip install craft-auth && craft-auth demo`. The output speaks for itself.

*ghostmode*: Dry-run proxy for MCP servers. See what your agent would do without letting it do anything. Writes intercepted, reads pass through, nothing changes. `pip install ghostmode && ghostmode -- npx @modelcontextprotocol/server-filesystem ~/Documents` (needs Node.js for the upstream MCP server; Ghost Mode itself is pure Python).

*unwind-mcp*: The full enforcement engine. `pip install unwind-mcp && unwind serve -- npx @modelcontextprotocol/server-filesystem ~/Documents`, then point Claude Desktop or Cursor at it. Every tool call shows ALLOW/BLOCK decisions in the terminal. Dashboard at localhost:9001 with `unwind dashboard` (start the sidecar first with `unwind sidecar serve`).

After install, Codex was immediately flagged TAINTED by its own dashboard. It had been fetching web pages during setup, then tried to execute a command. The security stack it helped build caught it on its first live action.

Rough edges.

Requires Python 3.10+. Mac ships with 3.9.6 and the import will crash. Homebrew Python 3.11+ works fine. Windows is untested. Pure Python and cross-platform in principle, but nobody has verified it.

The taint system works correctly but is too aggressive for unattended use. Normal agent workflow triggers taint immediately, which blocks execution until a human approves. When you're sitting there, this is fine. When the agent is running on its own, it's effectively frozen. The tension between "external content could carry prompt injection" and "the agent's normal job involves external content" is a genuine design problem I haven't solved cleanly.

First real human testers welcome.

UNWIND and Ghost Mode are AGPL-3.0. craft-auth is standalone with zero AGPL dependencies and can be licensed separately.

github.com/unwind-mcp
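To make the mechanism in the post concrete, here is an added toy Python gate (not code from UNWIND, Ghost Mode or craft-auth) that applies deterministic rules with a taint flag, writes every ALLOW/BLOCK decision into a SHA-256 hash chain, and verifies that chain; the tool names, the dry-run flag and the approval flow are assumptions, and the demo replays the fetch-then-execute scenario the post describes.

```python
import hashlib, json

# Constructed example, not UNWIND's code; the tool names are assumptions.
EXTERNAL_SOURCES = {"fetch", "web_search"}         # pull in untrusted content
WRITE_OR_EXEC = {"write_file", "execute_command"}  # side effects that need gating

def _digest(body):
    # canonical JSON so every verifier hashes identical bytes
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class ToolGate:
    def __init__(self, dry_run=False):
        self.dry_run = dry_run   # ghostmode-style: block writes, let reads through
        self.tainted = False     # set once the agent has consumed external content
        self.approved = False    # set by a human after reviewing a blocked action
        self.log = []            # hash-chained audit entries
    def _record(self, tool, args, decision):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"seq": len(self.log), "prev": prev, "tool": tool, "args": args, "decision": decision}
        entry["hash"] = _digest(entry)  # covers prev, so altering any earlier entry breaks the chain
        self.log.append(entry)
        return decision
    def check(self, tool, args):
        """Deterministic rules only, no LLM: returns ALLOW or BLOCK and logs the decision."""
        if tool in EXTERNAL_SOURCES:
            self.tainted, self.approved = True, False  # new external content voids an old approval
            return self._record(tool, args, "ALLOW")
        if tool in WRITE_OR_EXEC and (self.dry_run or (self.tainted and not self.approved)):
            return self._record(tool, args, "BLOCK")
        return self._record(tool, args, "ALLOW")

def verify_chain(log):
    """Recompute every hash and link; False if an entry was altered, dropped or reordered."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def demo():
    gate = ToolGate()
    decisions = [gate.check(t, a) for t, a in [("read_file", {"path": "notes.md"}),
                 ("fetch", {"url": "https://example.com"}), ("execute_command", {"cmd": "ls"})]]
    gate.approved = True  # human reviews the blocked action and approves it
    decisions.append(gate.check("execute_command", {"cmd": "ls"}))
    intact = verify_chain(gate.log)
    gate.log[1]["args"]["url"] = "https://tampered.example"  # edit a past entry after the fact
    return decisions, intact, verify_chain(gate.log)
```

`demo()` returns `(["ALLOW", "ALLOW", "BLOCK", "ALLOW"], True, False)`: the exec after the fetch is blocked until approval, the untouched log verifies, and the edited log does not.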