moltis
Moltis is a secure, persistent personal agent server built in Rust, designed for sandboxed execution on your hardware.
<a href="https://moltis.org"><img src="https://raw.githubusercontent.com/moltis-org/moltis/main/website/favicon.svg" alt="Moltis" width="64"></a>
Moltis — A secure persistent personal agent server in Rust
One binary — sandboxed, secure, yours.
Installation • Comparison • Architecture • Security • Features • How It Works • Contributing
</div>Moltis recently hit the front page of Hacker News. Please open an issue for any friction at all. I'm focused on making Moltis excellent.
Secure by design — Your keys never leave your machine. Every command runs in a sandboxed container, never on your host.
Your hardware — Runs on a Mac Mini, a Raspberry Pi, or any server you own. One Rust binary, no Node.js, no npm, no runtime.
Full-featured — Voice, memory, cross-session recall, automatic edit checkpoints, scheduling, Telegram, Discord, browser automation, MCP servers, SSH or node-backed remote exec, managed deploy keys with host pinning in the web UI, a live Settings → Tools inventory, Cursor-compatible project context, and context-file threat scanning — all built-in. No plugin marketplace to get supply-chain attacked through.
Auditable — The agent loop + provider model fits in ~5K lines. The core (excluding the optional web UI) is ~196K lines across 46 modular crates you can audit independently, with 3,100+ tests and zero unsafe code*.
Installation
# One-liner install script (macOS / Linux)
curl -fsSL https://www.moltis.org/install.sh | sh
# macOS / Linux via Homebrew
brew install moltis-org/tap/moltis
# Docker (multi-arch: amd64/arm64)
docker pull ghcr.io/moltis-org/moltis:latest
# Or build from source
cargo install moltis --git https://github.com/moltis-org/moltis
Comparison
| OpenClaw | PicoClaw | NanoClaw | ZeroClaw | Moltis | |
|---|---|---|---|---|---|
| Language | TypeScript | Go | TypeScript | Rust | Rust |
| Agent loop | ~430K LoC | Small | ~500 LoC | ~3.4K LoC | ~5K LoC (runner.rs + model.rs) |
| Full codebase | — | — | — | 1,000+ tests | ~124K LoC (2,300+ tests) |
| Runtime | Node.js + npm | Single binary | Node.js | Single binary (3.4 MB) | Single binary (44 MB) |
| Sandbox | App-level | — | Docker | Docker | Docker + Apple Container |
| Memory safety | GC | GC | GC | Ownership | Ownership, zero unsafe* |
| Auth | Basic | API keys | None | Token + OAuth | Password + Passkey + API keys + Vault |
| Voice I/O | Plugin | — | — | — | Built-in (15+ providers) |
| MCP | Yes | — | — | — | Yes (stdio + HTTP/SSE) |
| Hooks | Yes (limited) | — | — | — | 15 event types |
| Skills | Yes (store) | Yes | Yes | Yes | Yes (+ OpenClaw Store) |
| Memory/RAG | Plugin | — | Per-group | SQLite + FTS | SQLite + FTS + vector |
* unsafe is denied workspace-wide. The only exceptions are opt-in FFI wrappers behind the local-embeddings feature flag, not part of the core.
Architecture — Crate Map
Core (always compiled):
| Crate | LoC | Role |
|---|---|---|
moltis (cli) | 4.0K | Entry point, CLI commands |
moltis-agents | 9.6K | Agent loop, streaming, prompt assembly |
moltis-providers | 17.6K | LLM provider implementations |
moltis-gateway | 36.1K | HTTP/WS server, RPC, auth |
moltis-chat | 11.5K | Chat engine, agent orchestration |
moltis-tools | 21.9K | Tool execution, sandbox |
moltis-config | 7.0K | Configuration, validation |
moltis-sessions | 3.8K | Session persistence |
moltis-plugins | 1.9K | Hook dispatch, plugin formats |
moltis-service-traits | 1.3K | Shared service interfaces |
moltis-common | 1.1K | Shared utilities |
moltis-protocol | 0.8K | Wire protocol types |
Optional (feature-gated or additive):
| Category | Crates | Combined LoC |
|---|---|---|
| Web UI | moltis-web | 4.5K |
| GraphQL | moltis-graphql | 4.8K |
| Voice | moltis-voice | 6.0K |
| Memory | moltis-memory, moltis-qmd | 5.9K |
| Channels | moltis-telegram, moltis-whatsapp, moltis-discord, moltis-msteams, moltis-channels | 14.9K |
| Browser | moltis-browser | 5.1K |
| Scheduling | moltis-cron, moltis-caldav | 5.2K |
| Extensibility | moltis-mcp, moltis-skills, moltis-wasm-tools | 9.1K |
| Auth & Security | moltis-auth, moltis-oauth, moltis-onboarding, moltis-vault | 6.6K |
| Networking | moltis-network-filter, moltis-tls, moltis-tailscale | 3.5K |
| Provider setup | moltis-provider-setup | 4.3K |
| Import | moltis-openclaw-import | 7.6K |
| Apple native | moltis-swift-bridge | 2.1K |
| Metrics | moltis-metrics | 1.7K |
| Other | moltis-projects, moltis-media, moltis-routing, moltis-canvas, moltis-auto-reply, moltis-schema-export, moltis-benchmarks | 2.5K |
Use --no-default-features --features lightweight for constrained devices (Raspberry Pi, etc.).
Security
- Zero
unsafecode* — denied workspace-wide; only opt-in FFI behindlocal-embeddingsflag - Sandboxed execution — Docker + Apple Container, per-session isolation
- Secret handling —
secrecy::Secret, zeroed on drop, redacted from tool output - Authentication — password + passkey (WebAuthn), rate-limited, per-IP throttle
- SSRF protection — DNS-resolved, blocks loopback/private/link-local
- Origin validation — rejects cross-origin WebSocket upgrades
- Hook gating —
BeforeToolCallhooks can inspect/block any tool invocation - Supply chain integrity — artifact attestations, Sigstore keyless signing, GPG signing (YubiKey), SHA-256/SHA-512 checksums
See Security Architecture for details.
Verify releases with gh attestation verify <artifact> -R moltis-org/moltis or see Release Verification.
Features
- AI Gateway — Multi-provider LLM support (OpenAI Codex, GitHub Copilot, Local), streaming responses, agent loop with sub-agent delegation, parallel tool execution
- Communication — Web UI, Telegram, Microsoft Teams, Discord, API access, voice I/O (8 TTS + 7 STT providers), mobile PWA with push notifications
- Memory & Recall — Per-agent memory workspaces, embeddings-powered long-term memory, hybrid vector + full-text search, session persistence with auto-compaction, cross-session recall, Cursor-compatible project context, context-file safety scanning
- Safer Agent Editing — Automatic checkpoints before built-in skill and memory mutations, restore tooling, session branching
- Extensibility — MCP servers (stdio + HTTP/SSE), skill system, 15 lifecycle hook events with circuit breaker, destructive command guard
- Security — Encryption-at-rest vault (XChaCha20-Poly1305 + Argon2id), password + passkey + API key auth, sandbox isolation, SSRF/CSWSH protection
- Operations — Cron scheduling, OpenTelemetry tracing, Prometheus metrics, cloud deploy (Fly.io, DigitalOcean), Tailscale integration, managed SSH deploy keys, host-pinned remote targets, live tool inventory in Settings, and CLI/web remote-exec doctor flows
How It Works
Moltis is a local-first persistent agent server — a single Rust binary that sits between you and multiple LLM providers, keeps durable session state, and can meet you across channels without handing your data to a cloud relay.
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Web UI │ │ Telegram │ │ Discord │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
└────────┬───────┴────────┬───────┘
│ WebSocket │
▼ ▼
┌─────────────────────────────────┐
│ Gateway Server │
│ (Axum · HTTP · WS · Auth) │
├─────────────────────────────────┤
│ Chat Service │
│ ┌───────────┐ ┌─────────────┐ │
│ │ Agent │ │ Tool │ │
│ │ Runner │◄┤ Registry │ │
│ └─────┬─────┘ └─────────────┘ │
│ │ │
│ ┌─────▼─────────────────────┐ │
│ │ Provider Registry │ │
│ │ Multiple providers │ │
│ │ (Codex · Copilot · Local)│ │
│ └───────────────────────────┘ │
├─────────────────────────────────┤
│ Sessions │ Memory │ Hooks │
│ (JSONL) │ (SQLite)│ (events) │
└─────────────────────────────────┘
│
┌───────▼───────┐
│ Sandbox │
│ Docker/Apple │
│ Container │
└───────────────┘
See Quickstart for gateway startup, message flow, sessions, and memory details.
Getting Started
Build & Run
Requires just (command runner) and Node.js (for Tailwind CSS).
git clone https://github.com/moltis-org/moltis.git
cd moltis
just build-css # Build Tailwind CSS for the web UI
just build-release # Build in release mode
cargo run --release --bin moltis
For a full release build including WASM sandbox tools:
just build-release-with-wasm # Builds WASM artifacts + release binary
cargo run --release --bin moltis
Open https://moltis.localhost:3000. On first run, a setup code is printed to
the terminal — enter it in the web UI to set your password or register a passkey.
Optional flags: --config-dir /path/to/config --data-dir /path/to/data
Docker
# Docker / OrbStack
docker run -d \
--name moltis \
-p 13131:13131 \
-p 13132:13132 \
-p 1455:1455 \
-v moltis-config:/home/moltis/.config/moltis \
-v moltis-data:/home/moltis/.moltis \
-v /var/run/docker.sock:/var/run/docker.sock \
ghcr.io/moltis-org/moltis:latest
Open https://localhost:13131 and complete the setup. For unattended Docker
deployments, set MOLTIS_PASSWORD, MOLTIS_PROVIDER, and MOLTIS_API_KEY
before first boot to skip the setup wizard. See Docker docs
for Podman, OrbStack, TLS trust, and persistence details.
Cloud Deployment
| Provider | Deploy |
|---|---|
| DigitalOcean |  |
Fly.io (CLI):
fly launch --image ghcr.io/moltis-org/moltis:latest
fly secrets set MOLTIS_PASSWORD="your-password"
All cloud configs use --no-tls because the provider handles TLS termination.
See Cloud Deploy docs for details.
Star History
License
MIT