Stable release

Security-first personal AI assistant

Private by default
Locked down until you configure access
Secrets kept in OS credential stores
Plugins must be signed and permission-scoped
Subprocesses run with OS sandbox limits
Built-in outbound request protections

Carapace runs local-first, keeps security controls explicit, and gives you auditable behavior across chat channels and guarded local workspace tools. Works through Signal, Telegram, Discord, Slack, webhooks, and console, with explicit provider:model routing across cloud, local, and subscription-login providers.

Install in minutes Run first setup

Quick start

Run setup, choose your first outcome, then start Carapace:

cara setup
cara

Want a quick security comparison? Carapace vs OpenClaw threat-by-threat table .

New here? Follow the full path: Install -> First Run -> Security -> Ops -> Cookbook.

Carapace ships a stable release line for its verified paths. Partial and in-progress areas are called out explicitly in the docs and feature status.

If you are unsure which first path to choose, start with one provider and local-chat, then add channels after cara verify --outcome auto passes.

Coming from OpenClaw, OpenCode, Aider, or NemoClaw? Use cara import to preview and import provider configuration.

Want a local project assistant? Enable filesystem for one workspace root and start with the guarded local project assistant recipe.

Need guided help or evaluating for a team?

Use the public help paths for setup blockers, cookbook gaps, or a small-team evaluation. Keep secrets and sensitive details out of public issues.

Request setup help Team setup / pilot

Popular walkthroughs

Use task-focused recipes instead of piecing setup together manually.

Want a missing recipe? Request one here .

Docs hubs

Hardened by design

Secure defaults, credential handling, and policy boundaries are treated as first-class concerns.

Guarded local tools

Enable read/search access for explicit workspace roots, then opt into write and move operations only when you want them.

Channel-ready

Integrate with chat and webhook channels while keeping one controlled assistant runtime.

Operator focused

Clear CLI workflows, status surfaces, and logs for practical debugging and day-to-day operations.