CrabMeat v0.1.0: A Security-First Agent Gateway That Doesn't Trust the LLM with the Security Boundary

✍️ OpenClawRadar · 📅 Published: May 18, 2026 · 🔗 Source

CrabMeat v0.1.0 dropped yesterday under Apache 2.0, built on one design thesis: the LLM never holds the security boundary. The project is a direct response to failures like Summer Yue's agent deleting 200+ emails, where the only safeguard was a safety instruction in the prompt, and that instruction got compacted away.

Key protections (all always-on, no config toggle)

  • Capability ID indirection — The model sees per-session HMAC-derived opaque IDs like cap_a4f9e2b71c83, never real tool names. It cannot guess or forge a tool name because it doesn't know any.
  • Effect classes — Every tool declares a class (read, write, exec, network). Every agent declares which classes it can use. The check is a pure function with no runtime state, easy to test exhaustively, hard to bypass.
  • IRONCLAD_CONTEXT — Critical safety instructions are pinned to the top of the context window and explicitly marked as non-compactable. The compaction failure mode that stripped Yue's instruction cannot happen.
  • Tamper-evident audit chain — Every tool call, privileged operation, and scheduler run enters the same SHA-256 hash-chained log. Tampering is provable.
  • Streaming output leak filter — Secrets (API keys, JWTs, PEM blocks, capability IDs) are redacted mid-stream across token boundaries before reaching the client.
  • No YOLO mode — There is no global 'trust the LLM with everything' switch. Expanded reach comes through named scoped roots that are explicit, audit-logged, and bounded.
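To make the first two protections concrete, here is an added illustration (not CrabMeat's own code) of capability ID indirection combined with a pure effect-class check. The tool names, effect classes and the `cap_` + 12-hex-character ID format are assumptions modelled on the description above; the session key is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed tool registry (hypothetical names): real tool name -> effect class.
TOOL_REGISTRY = {
    "read_file": "read",
    "write_file": "write",
    "run_shell": "exec",
    "http_get": "network",
}


def authorize(allowed_classes, effect_class):
    """Pure effect-class check: no runtime state, so it is exhaustively testable."""
    return effect_class in frozenset(allowed_classes)


class CapabilityTable:
    """Per-session HMAC-derived opaque IDs; the model only ever sees cap_ IDs."""

    def __init__(self, session_key=None, registry=TOOL_REGISTRY):
        self.session_key = session_key or secrets.token_bytes(32)
        self.registry = dict(registry)
        # The mapping back to real tool names lives only here, gateway-side.
        self._by_cap = {self._derive(name): name for name in self.registry}

    def _derive(self, tool_name):
        # HMAC under a per-session key: IDs differ per session and cannot be
        # guessed from the tool name without the key.
        digest = hmac.new(self.session_key, tool_name.encode(), hashlib.sha256).hexdigest()
        return "cap_" + digest[:12]  # assumed format, e.g. cap_a4f9e2b71c83

    def export_for_model(self):
        """What the LLM is shown: opaque ID -> effect class, never a real name."""
        return {cap: self.registry[name] for cap, name in self._by_cap.items()}

    def resolve(self, cap_id, allowed_classes):
        """Gateway-side: map a cap ID back to a tool, then gate on effect class.
        Unknown IDs (guessed, forged, or minted for another session) are refused."""
        name = self._by_cap.get(cap_id)
        if name is None:
            raise PermissionError(f"unknown capability {cap_id!r}")
        effect_class = self.registry[name]
        if not authorize(allowed_classes, effect_class):
            raise PermissionError(f"{cap_id} is class {effect_class!r}, not permitted")
        return name
```

Because `authorize` has no state, every (allowed set, effect class) pair can be checked in a table-driven unit test, which is what makes the gate easy to audit.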

The README lists 15 always-on protections in a table; none can be turned off by config. The gateway is local-first by default and configured for Ollama, LM Studio and vLLM out of the box. Anthropic and OpenAI backends require explicit configuration, so nothing is silently shipped to the cloud.


Who it's for

Developers building agentic systems who need architectural guarantees, not prompt-based safety, and want a gateway they can trust with tool execution and sensitive data.

📖 Read the full source: r/ClaudeAI
