Auditable — The agent loop + provider model fits in ~5K lines. The core (excluding the optional web UI) is ~196K lines across 46 modular crates you can audit independently, with 3,100+ tests and zero unsafe code*.

Installation

# One-liner install script (macOS / Linux)
curl -fsSL https://www.moltis.org/install.sh | sh

# macOS / Linux via Homebrew
brew install moltis-org/tap/moltis

# Docker (multi-arch: amd64/arm64)
docker pull ghcr.io/moltis-org/moltis:latest

# Or build from source
cargo install moltis --git https://github.com/moltis-org/moltis

Comparison

| | OpenClaw | PicoClaw | NanoClaw | ZeroClaw | Moltis | |---|---|---|---|---|---| | Language | TypeScript | Go | TypeScript | Rust | Rust | | Agent loop | ~430K LoC | Small | ~500 LoC | ~3.4K LoC | ~5K LoC (runner.rs + model.rs) | | Full codebase | — | — | — | 1,000+ tests | ~124K LoC (2,300+ tests) | | Runtime | Node.js + npm | Single binary | Node.js | Single binary (3.4 MB) | Single binary (44 MB) | | Sandbox | App-level | — | Docker | Docker | Docker + Apple Container | | Memory safety | GC | GC | GC | Ownership | Ownership, zero unsafe* | | Auth | Basic | API keys | None | Token + OAuth | Password + Passkey + API keys + Vault | | Voice I/O | Plugin | — | — | — | Built-in (15+ providers) | | MCP | Yes | — | — | — | Yes (stdio + HTTP/SSE) | | Hooks | Yes (limited) | — | — | — | 15 event types | | Skills | Yes (store) | Yes | Yes | Yes | Yes (+ OpenClaw Store) | | Memory/RAG | Plugin | — | Per-group | SQLite + FTS | SQLite + FTS + vector |

* unsafe is denied workspace-wide. The only exceptions are opt-in FFI wrappers behind the local-embeddings feature flag, not part of the core.

Full comparison with benchmarks →

Architecture — Crate Map

Core (always compiled):

| Crate | LoC | Role | |-------|-----|------| | moltis (cli) | 4.0K | Entry point, CLI commands | | moltis-agents | 9.6K | Agent loop, streaming, prompt assembly | | moltis-providers | 17.6K | LLM provider implementations | | moltis-gateway | 36.1K | HTTP/WS server, RPC, auth | | moltis-chat | 11.5K | Chat engine, agent orchestration | | moltis-tools | 21.9K | Tool execution, sandbox | | moltis-config | 7.0K | Configuration, validation | | moltis-sessions | 3.8K | Session persistence | | moltis-plugins | 1.9K | Hook dispatch, plugin formats | | moltis-service-traits | 1.3K | Shared service interfaces | | moltis-common | 1.1K | Shared utilities | | moltis-protocol | 0.8K | Wire protocol types |

Optional (feature-gated or additive):

| Category | Crates | Combined LoC | |----------|--------|-------------| | Web UI | moltis-web | 4.5K | | GraphQL | moltis-graphql | 4.8K | | Voice | moltis-voice | 6.0K | | Memory | moltis-memory, moltis-qmd | 5.9K | | Channels | moltis-telegram, moltis-whatsapp, moltis-discord, moltis-msteams, moltis-channels | 14.9K | | Browser | moltis-browser | 5.1K | | Scheduling | moltis-cron, moltis-caldav | 5.2K | | Extensibility | moltis-mcp, moltis-skills, moltis-wasm-tools | 9.1K | | Auth & Security | moltis-auth, moltis-oauth, moltis-onboarding, moltis-vault | 6.6K | | Networking | moltis-network-filter, moltis-tls, moltis-tailscale | 3.5K | | Provider setup | moltis-provider-setup | 4.3K | | Import | moltis-openclaw-import | 7.6K | | Apple native | moltis-swift-bridge | 2.1K | | Metrics | moltis-metrics | 1.7K | | Other | moltis-projects, moltis-media, moltis-routing, moltis-canvas, moltis-auto-reply, moltis-schema-export, moltis-benchmarks | 2.5K |

Use --no-default-features --features lightweight for constrained devices (Raspberry Pi, etc.).

Security

• Zero unsafe code* — denied workspace-wide; only opt-in FFI behind local-embeddings flag
• Sandboxed execution — Docker + Apple Container, per-session isolation
• Secret handling — secrecy::Secret, zeroed on drop, redacted from tool output
• Authentication — password + passkey (WebAuthn), rate-limited, per-IP throttle
• SSRF protection — DNS-resolved, blocks loopback/private/link-local
• Origin validation — rejects cross-origin WebSocket upgrades
• Hook gating — BeforeToolCall hooks can inspect/block any tool invocation
• Supply chain integrity — artifact attestations, Sigstore keyless signing, GPG signing (YubiKey), SHA-256/SHA-512 checksums

See Security Architecture for details. Verify releases with gh attestation verify <artifact> -R moltis-org/moltis or see Release Verification.

Features

• AI Gateway — Multi-provider LLM support (OpenAI Codex, GitHub Copilot, Local), streaming responses, agent loop with sub-agent delegation, parallel tool execution
• Communication — Web UI, Telegram, Microsoft Teams, Discord, API access, voice I/O (8 TTS + 7 STT providers), mobile PWA with push notifications
• Memory & Recall — Per-agent memory workspaces, embeddings-powered long-term memory, hybrid vector + full-text search, session persistence with auto-compaction, cross-session recall, Cursor-compatible project context, context-file safety scanning
• Safer Agent Editing — Automatic checkpoints before built-in skill and memory mutations, restore tooling, session branching
• Extensibility — MCP servers (stdio + HTTP/SSE), skill system, 15 lifecycle hook events with circuit breaker, destructive command guard
• Security — Encryption-at-rest vault (XChaCha20-Poly1305 + Argon2id), password + passkey + API key auth, sandbox isolation, SSRF/CSWSH protection
• Operations — Cron scheduling, OpenTelemetry tracing, Prometheus metrics, cloud deploy (Fly.io, DigitalOcean), Tailscale integration, managed SSH deploy keys, host-pinned remote targets, live tool inventory in Settings, and CLI/web remote-exec doctor flows

How It Works

Moltis is a local-first persistent agent server — a single Rust binary that sits between you and multiple LLM providers, keeps durable session state, and can meet you across channels without handing your data to a cloud relay.

┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│   Web UI    │  │  Telegram   │  │  Discord    │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       └────────┬───────┴────────┬───────┘
                │   WebSocket    │
                ▼                ▼
        ┌─────────────────────────────────┐
        │          Gateway Server         │
        │   (Axum · HTTP · WS · Auth)     │
        ├─────────────────────────────────┤
        │        Chat Service             │
        │  ┌───────────┐ ┌─────────────┐  │
        │  │   Agent   │ │    Tool     │  │
        │  │   Runner  │◄┤   Registry  │  │
        │  └─────┬─────┘ └─────────────┘  │
        │        │                        │
        │  ┌─────▼─────────────────────┐  │
        │  │    Provider Registry      │  │
        │  │  Multiple providers       │  │
        │  │  (Codex · Copilot · Local)│  │
        │  └───────────────────────────┘  │
        ├─────────────────────────────────┤
        │  Sessions  │ Memory  │  Hooks   │
        │  (JSONL)   │ (SQLite)│ (events) │
        └─────────────────────────────────┘
                       │
               ┌───────▼───────┐
               │    Sandbox    │
               │ Docker/Apple  │
               │  Container    │
               └───────────────┘

See Quickstart for gateway startup, message flow, sessions, and memory details.

Getting Started

Build & Run

Requires just (command run