CrabMeat v0.1.0: A Security-First Agent Gateway That Doesn't Trust the LLM with the Security Boundary

CrabMeat v0.1.0 dropped yesterday under Apache 2.0, built on one design thesis: the LLM never holds the security boundary. The project is a direct response to failures like Summer Yue's agent deleting 200+ emails — where a safety instruction was a prompt that got compacted away.
Key protections (all always-on, no config toggle)
- Capability ID indirection — The model sees per-session HMAC-derived opaque IDs like
cap_a4f9e2b71c83, never real tool names. It cannot guess or forge a tool name because it doesn't know any. - Effect classes — Every tool declares a class (
read,write,exec,network). Every agent declares which classes it can use. The check is a pure function with no runtime state, easy to test exhaustively, hard to bypass. - IRONCLAD_CONTEXT — Critical safety instructions are pinned to the top of the context window and explicitly marked as non-compactable. The compaction failure mode that stripped Yue's instruction cannot happen.
- Tamper-evident audit chain — Every tool call, privileged operation, and scheduler run enters the same SHA-256 hash-chained log. Tampering is provable.
- Streaming output leak filter — Secrets (API keys, JWTs, PEM blocks, capability IDs) are redacted mid-stream across token boundaries before reaching the client.
- No YOLO mode — There is no global 'trust the LLM with everything' switch. Expanded reach comes through named scoped roots that are explicit, audit-logged, and bounded.
The README lists 15 always-on protections in a table; none can be turned off by config. The gateway is local-first by default, configured for Ollama, LM Studio, vLLM out of the box. Anthropic and OpenAI require explicit configuration — no silent cloud shipping.
Who it's for
Developers building agentic systems who need architectural guarantees, not prompt-based safety, and want a gateway they can trust with tool execution and sensitive data.
📖 Read the full source: r/ClaudeAI
👀 See Also

NarrateAI MCP Server Demo Shows Claude Adding Voiceover to Videos
A live demo shows Claude using the NarrateAI MCP server to automatically narrate videos from a URL, handling async polling and generating narration by analyzing silent screen recordings.
Voker Launches Agent Analytics Platform with Intent/Correction/Resolution Primitives
YC S24 startup Voker launches an agent analytics platform with a lightweight SDK that automatically annotates user intents, corrections, and resolutions — providing self-service dashboards without relying on LLMs for data engineering.

Manifest Adds Support for MiniMax Token Plans with M2.7 Model
Manifest, an open source routing layer for OpenClaw, now supports MiniMax token plans starting at $10/month. The new MiniMax M2.7 model is specifically trained for OpenClaw workflows and scores 62.7 on MM-ClawBench and 56.2 on SWE-Bench Pro.

Comparing Multi-Agent AI Systems: Anthropic's Harness vs Agyn's Engineering Org Model
Anthropic published a harness design for long-running application development, while Agyn's multi-agent system for team-based autonomous software engineering was open-sourced last month. Both systems reject monolithic agents in favor of role separation, structured handoffs, and review loops.