Daily Infographic · Tech · June 29, 2026

CyClaw v1.8.0

Offline-First · RAG-Enforced · Secure Local AI "Second Brain"
📅 Mon Jun 29, 2026 · Built by Chris Grady · cgfixit/CyClaw

📋 What is CyClaw?


CyClaw is a personal, offline-first RAG (Retrieval-Augmented Generation) backend built by Chris Grady. It runs as a FastAPI server bound exclusively to 127.0.0.1:8787 — never exposed to the internet. Every query is answered first from your local Markdown corpus using a hybrid ChromaDB + BM25 retrieval pipeline fused with Reciprocal Rank Fusion (RRF). Only if the corpus lacks a relevant answer does the system escalate — and even then only with triple explicit human confirmation.

The security model is topology-enforced, not prompt-enforced: a LangGraph 7-node state machine makes all routing decisions via hard graph edges, so an LLM jailbreak cannot reroute execution around the safety policy. Version 1.8.0 (current) adds filesystem & SQL connectors, a NeMo Guardrails layer, and a comprehensive agentic layer — all opt-in and fully out-of-band from the core request path.

Key design principles: zero telemetry, all embeddings run locally (sentence-transformers), a SHA-256–signed soul/personality layer with drift detection, and a persistent audit log that stores only hashes — never raw query text.

📑 Table of Contents

1 Key Stats · 2 Request Flow · 3 Security Invariants · 4 Retrieval Engine · 5 Gate Layers · 6 Core Modules · 7 Version Timeline · 8 Out-of-Band Layer · 9 Tech Stack · 10 CI/CD & Security

§1 · Key Stats

7 Graph Nodes · 33 Injection Patterns · 60 Req/min Limit · 5 Topology Invariants · 384 Embed Dims

§2 · Request Flow

LangGraph 7-Node State Machine

🌐 Client entry: HTTP POST /query or MCP tool call · loopback only, 127.0.0.1:8787
🛡️ ① gate.py (FastAPI): Rate limit → Injection filter (33 patterns) → Soul init → Telemetry kill
🔍 ② retrieve (UNCONDITIONAL ENTRY): Chroma + BM25 + RRF fusion · always runs first, no exception
🔀 ③ route_by_score: top_score ≥ 0.028 RRF? YES → local LLM · NO → user gate
④ local_llm: LM Studio :1234 · Qwen2.5-7B
⑤ user_gate: needs_confirm=true · human decision
⑥ grok_fallback: xAI Grok · triple-gated
⑥ offline_best: local LLM · no RAG gate
📜 ⑦ audit_logger (ALL PATHS CONVERGE): SHA-256 hash + PII redact → logs/audit.jsonl · no shortcut path
§3 · 5 Security Invariants (Topology-Enforced)

1. RAG-First: retrieve is the unconditional graph entry; zero LLM calls can precede it. Not a config flag. Not a prompt rule. A hard graph edge.
2. Topology = Policy: routing is enforced by LangGraph edges only, never by LLM output, never by if/else code. An LLM jailbreak cannot reroute execution.
3. Triple-Gated External (Grok): requires ALL THREE simultaneously: mode=hybrid AND grok.enabled=true AND user_confirmed_online=true.
4. Audit Convergence: all 6 execution paths converge at audit_logger. There is no shortcut path that skips audit. Zero exceptions.
5. Soul Governance: soul/personality evolution requires an explicit human reason string. No autonomous modification from any execution path is possible.

§4 · Hybrid Retrieval Engine

RRF Fusion Pipeline

ChromaDB · Semantic (cosine, 384-dim) · weight 50%: all-MiniLM-L6-v2 · lru_cache triple layer · local CPU
BM25Okapi · Keyword (Porter stemming) · weight 50%: enhanced Porter stemmer · custom AI/ML/CyClaw vocab · no NLTK punkt (CVE-safe)
RRF Fusion Score (k=60, equal weights 1.0/1.0) · min ≥ 0.028: per-chunk provenance metadata · score gates routing decision

Formula: RRF(d) = Σ_i 1 / (k + rank_i(d)), with k = 60 and i ranging over the semantic and keyword rankings.
Equal weight across semantic + keyword rankings. The score threshold 0.028 determines local LLM vs. human gate.
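The fusion formula and the ③ route_by_score gate above, worked through as an added example (hypothetical code, not CyClaw's retrieval/hybrid_search.py or graph.py); chunk ids and rankings are constructed, and grok_allowed restates invariant 3 for the ⑥ grok_fallback edge.

```python
from typing import Dict, List, Sequence, Tuple

RRF_K = 60               # k = 60, as in the formula on the page
WEIGHTS = (1.0, 1.0)     # semantic, keyword: equal weight
ROUTE_THRESHOLD = 0.028  # top RRF score >= threshold -> local_llm, else user_gate


def rrf_fuse(rankings: Sequence[List[str]], k: int = RRF_K,
             weights: Sequence[float] = WEIGHTS) -> Dict[str, float]:
    """RRF(d) = sum_i w_i / (k + rank_i(d)); rank_i is 1-based within ranking i."""
    scores: Dict[str, float] = {}
    for w, ranked in zip(weights, rankings):
        for rank, chunk in enumerate(ranked, start=1):
            scores[chunk] = scores.get(chunk, 0.0) + w / (k + rank)
    return scores


def route_by_score(scores: Dict[str, float],
                   threshold: float = ROUTE_THRESHOLD) -> Tuple[str, float]:
    """The ③ node: the edge is chosen by the fused score, never by LLM output."""
    top = max(scores.values(), default=0.0)
    return ("local_llm" if top >= threshold else "user_gate"), top


def grok_allowed(mode: str, grok_enabled: bool, user_confirmed_online: bool) -> bool:
    """Invariant 3: all three conditions must hold at once to reach grok_fallback."""
    return mode == "hybrid" and grok_enabled and user_confirmed_online


def fuse_and_route(semantic: List[str], keyword: List[str]) -> Tuple[str, List[str]]:
    """Fuse both rankings; return the chosen route and chunks ordered by RRF score."""
    scores = rrf_fuse([semantic, keyword])
    route, _ = route_by_score(scores)
    ordered = sorted(scores, key=lambda c: scores[c], reverse=True)
    return route, ordered


if __name__ == "__main__":
    # Constructed rankings: chunk c2 is near the top of both lists, c3/c4 in one only.
    print(fuse_and_route(["c1", "c2", "c3"], ["c2", "c4", "c1"]))
```

With k = 60 and unit weights, a chunk returned by only one of the two rankers scores at most 1/61 ≈ 0.0164, so the 0.028 gate is reached only by chunks that both the semantic and the keyword ranking place well up their lists.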
§5 · Gate.py Middleware Stack

L1 🌐 TrustedHostMiddleware: Host header allowlist · DNS-rebinding defense
L2 ⏱️ Rate Limiter: 60 req/min per IP · thread-safe · runs FIRST
L3 🔍 Prompt Injection Filter: 33 patterns · config-driven · lru_cache · OWASP baseline
L4 🧠 Soul Init (PersonalityManager): soul.md loaded · SHA-256 drift detection · preamble ≤8000 chars
L5 🚫 Telemetry Kill Block: runs BEFORE any SDK import · blocks LangChain/Chroma/OTel telemetry

§6 · Core Modules

Key File Map (module → role)

gate.py → FastAPI entry, soul endpoints, API key auth, rate limit, sanitizer
graph.py → 7-node LangGraph topology — all security policy lives here
retrieval/hybrid_search.py → RRF fusion (k=60) over ChromaDB + BM25Okapi
retrieval/indexer.py → Corpus ingestion with chunk sanitization
retrieval/embeddings.py → Local CPU embedding · SentenceTransformer · triple lru_cache
utils/sanitizer.py → 33-pattern prompt-injection filter; patterns in config.yaml
utils/personality.py → Soul versioning, SHA-256 drift detection, injection scan on write
utils/logger.py → Audit JSONL — SHA-256 query hashing, PII redaction
mcp_hybrid_server.py → MCP server (retrieval-only, no LLM, no sampling capability)
metrics.py → audit.jsonl analyzer — usage statistics and review

§7 · Version Timeline

Release History

v1.2.0 (Superseded): 8 OWASP patterns · 90-day TTL · sanitizer baseline
v1.3.0 (Pre-Langgrinch): Rate limiting 60/min · 13 OWASP patterns · soul SHA-256 drift detection · atomic writes · TTL→365 days
v1.4.0 (Superseded): Dropbox/cloud corpus sync (out-of-band rclone) + requirements.txt pinned for Python 3.12 + vuln patches
v1.5.0 (Superseded): Out-of-band agentic layer foundations + memory orchestration nodes + Docker hardening
v1.6.0 (Superseded): Governed read-only GitHub context via gh CLI + local skills registry + .claude/ workflows
v1.7.0 (Superseded): Browser Sync + Agentic ops consoles in terminal UI · loopback-only audited POST /ops/sync + /ops/agentic
v1.8.0 (Production ✓): Filesystem connector (fsconnect) + SQL connector (sqlconnect) + NeMo Guardrails layer · all opt-in, all out-of-band

What's New in v1.8.0
📁 agentic/fsconnect/ — Filesystem Connector
Scoped reads + gated atomic writes over local/SMB shares. TOCTOU-safe pathsafe.py core using POSIX openat/O_NOFOLLOW. Closes CVE-2025-53110 (sibling-prefix) and CVE-2025-53109 (symlink escape). 5 MiB read cap. Writes default-OFF. Toggleable RAG-corpus indexing.
🗄️ agentic/sqlconnect/ — Read-Only SQL Scaffold
SELECT/WITH-only query guard (rejects DDL/DML) + session-level read-only transaction + hard allow_write: false. Supports Postgres + MSSQL. DSN from env var only, never hardcoded. Disabled by default.
🛡️ guardrails/ — NeMo Guardrails Layer
Opt-in defense-in-depth only — never a routing authority. Soft-imports nemoguardrails; degrades to offline heuristic rails when absent. Hallucination grounding check (threshold 0.18). Separate hash-only metrics stream.
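An added example of the application-side SELECT/WITH-only query guard described for sqlconnect (hypothetical code, not the project's own). It shows why a prefix check alone is not enough, and why the page pairs it with a session-level read-only transaction on the database side, which is the second layer and is not shown here.

```python
import re

# Statement must begin with SELECT or WITH (case-insensitive, leading whitespace allowed).
_READ_ONLY_START = re.compile(r"^\s*(select|with)\b", re.I)
# Keywords that must not appear anywhere in a read-only statement. A prefix check by
# itself would pass "WITH t AS (...) DELETE ..." and "SELECT ... INTO new_table",
# both of which start with an allowed word.
_FORBIDDEN = re.compile(
    r"\b(insert|update|delete|merge|drop|alter|create|truncate|grant|revoke|"
    r"exec|execute|call|copy|into|set)\b", re.I)


def guard_query(sql: str) -> str:
    """Return the single statement to execute, or raise ValueError if it is not read-only."""
    body = sql.strip().rstrip(";").strip()
    if "--" in body or "/*" in body:  # no comments: nothing can hide behind a marker
        raise ValueError("comments are not permitted")
    if ";" in body:                   # exactly one statement, even inside string literals
        raise ValueError("multiple statements rejected")
    if not _READ_ONLY_START.match(body):
        raise ValueError("only SELECT/WITH statements are allowed")
    hit = _FORBIDDEN.search(body)
    if hit:  # allowlist semantics: a literal such as 'delete me' is rejected too
        raise ValueError(f"forbidden keyword: {hit.group(0).upper()}")
    return body


def is_read_only(sql: str) -> bool:
    """Convenience wrapper: True when guard_query accepts the statement."""
    try:
        guard_query(sql)
        return True
    except ValueError:
        return False
```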

§8 · Out-of-Band Architecture

Never imported by gate.py · graph.py · mcp_hybrid_server.py
agentic/
Read-only GitHub context via gh CLI + governed local skills registry. Writable scaffold exists but is non-executing. Full audit log on all reads, refusals, registry changes.
sync/
Optional Dropbox corpus sync via rclone. Safety fuses: max_delete, max_transfer. Scheduler integration for Linux/Windows. Optional reindex trigger.
agentic/fsconnect/
Scoped filesystem reads + gated writes. TOCTOU-safe pathsafe core. RAG-corpus indexing of shares. Disabled by default; separate writable_roots from allowed_roots.
guardrails/
NeMo Guardrails skeleton. Offline heuristic rails degrade gracefully. Logs only SHA-256 hashes. Defense-in-depth only; LangGraph topology stays sole policy authority.
Design rationale: Out-of-band isolation means even if any of these layers were fully compromised, they cannot modify the 5 security invariants enforced in gate.py + graph.py. The main request path remains clean.
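An added illustration of the fsconnect-style scoped read (hypothetical code, not CyClaw's pathsafe.py): the allowed root is pinned by a file descriptor and every path component is opened relative to it with O_NOFOLLOW, which is what defeats both the sibling-prefix and the symlink-escape bug classes named above. The sandbox directory tree is constructed by the example itself.

```python
import os, stat, tempfile
from pathlib import PurePosixPath

# Hypothetical names. naive_in_scope shows the string-prefix check the sibling-prefix
# bug class exploits; scoped_read is the fd-anchored walk that replaces it.
READ_CAP = 5 * 1024 * 1024  # 5 MiB read cap, as stated for the connector


def naive_in_scope(allowed_root: str, target: str) -> bool:
    """String-prefix check: 'corpus_evil/...' passes for allowed_root 'corpus'."""
    return os.path.abspath(target).startswith(os.path.abspath(allowed_root))


def scoped_read(allowed_root: str, rel_path: str, cap: int = READ_CAP) -> bytes:
    """Read rel_path strictly inside allowed_root, one path component at a time."""
    parts = PurePosixPath(rel_path).parts
    if not parts or rel_path.startswith("/") or ".." in parts:
        raise PermissionError(f"rejected path: {rel_path!r}")
    fd = os.open(allowed_root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for part in parts[:-1]:  # intermediates must be real directories, not links
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        leaf = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    except OSError as exc:  # ELOOP for a symlink, ENOTDIR/ENOENT for bad components
        raise PermissionError(f"refused {rel_path!r}: {exc.strerror}") from exc
    finally:
        os.close(fd)
    try:
        st = os.fstat(leaf)
        if not stat.S_ISREG(st.st_mode) or st.st_size > cap:
            raise PermissionError("not a regular file or over the read cap")
        return os.read(leaf, cap)
    finally:
        os.close(leaf)


def build_demo_share():
    """Constructed sandbox: corpus/ (allowed) next to corpus_evil/ (sibling prefix)."""
    base = tempfile.mkdtemp()
    root, sibling = os.path.join(base, "corpus"), os.path.join(base, "corpus_evil")
    os.makedirs(os.path.join(root, "sub"))
    os.mkdir(sibling)
    secret = os.path.join(sibling, "secret.md")
    for path, text in ((os.path.join(root, "notes.md"), "hello"),
                       (os.path.join(root, "sub", "deep.md"), "deep"), (secret, "leak")):
        with open(path, "w") as fh:
            fh.write(text)
    os.symlink(secret, os.path.join(root, "link.md"))  # symlink escape attempt
    return root, secret
```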

§9 · Tech Stack

Technologies & Dependencies
Runtime & framework: Python 3.12 · FastAPI 0.136 · LangGraph 1.1 · Pydantic
Retrieval: ChromaDB · BM25Okapi · sentence-transformers · all-MiniLM-L6-v2 · torch 2.12.1+cpu · RRF (k=60)
Models & guardrails: LM Studio :1234 · Qwen2.5-7B · xAI Grok (fallback) · NeMo Guardrails
Storage & sync: SQLite / Postgres · rclone (Dropbox)
Container: Docker (non-root) · seccomp · cap_drop: ALL
Integration: MCP Server · Claude Desktop
Security CI: CodeQL Advanced · Gitleaks · OSV-Scanner · DevSkim

§10 · CI/CD & Security Checks

GitHub Actions Workflows

ci.yml: Tests + Coverage + Gate (80% coverage)
codeql.yml (Advanced): SAST
gitleaks.yml: Secret scan
devskim.yml: Static analysis
osv-scanner.yml: SCA / dependencies

Container Hardening
🚫 Non-root user
🚫 no-new-privileges flag
🚫 cap_drop: ALL capabilities
📖 Read-only rootfs
🔒 seccomp profile
📊 Resource limits enforced
⚡ eBPF/Falco (opt-in, off by default)
Privacy & Audit Model
Zero Telemetry
Telemetry kill block runs before any SDK import — LangChain, Chroma, and OTel env vars are all blocked at startup.
SHA-256 Audit Log
Raw query text is never persisted. Only the SHA-256 hash and PII-redacted metadata go into logs/audit.jsonl.
Local Binding Only
127.0.0.1:8787 — no external exposure. All embeddings run on local CPU. No cloud dependency for offline operation.