Module DD-16 — ZeroClaw: The Rust Microkernel Harness

ZeroClaw: The Rust Microkernel Harness

32,000+ stars. Apache-2.0. Rust single-binary. Trait-driven microkernel with 6-layer safety. 25+ LLM providers. The thin-by-philosophy, medium-by-implementation answer to OpenClaw.

60
minutes
8
artifacts
0
sub-sections
ZeroClaw's defining contribution is ADR-002: trait-driven extensibility. The kernel depends ONLY on zeroclaw-api traits — never on concrete implementations — making it the cleanest separation of concerns in the roster. The deep-dive's load-bearing claim: the 6-layer safety model (channel access control, autonomy level, workspace boundary, shell policy, OS sandbox, tool receipts) is the reference architecture for thin-harness security, and the tool-receipt system (HMAC-SHA256 over successful tool calls) is the only harness that directly addresses the fabricated-tool-claim attack (Module 11) at the protocol layer. The honest tension: thin by philosophy, medium-thick by implementation (~700-800k LOC), with RFC #5574 closing the gap.
Key Claims
Load-Bearing Claims

The trait-driven kernel (ADR-002) is the cleanest separation of concerns in the roster. Adding a provider, channel, or tool is a trait impl wired through a factory — not a core patch. The kernel depends ONLY on zeroclaw-api traits, never on concrete implementations. This is what makes 25+ provider slots possible without core bloat.

The 6-layer safety model is the reference architecture for thin-harness security. Channel access control, autonomy level, workspace boundary, shell policy, OS sandbox, tool receipts — each layer blocks a different attack class, composed as a cascade not a toggle. Security runs BETWEEN model emit and tool exec; a block surfaces as ToolResult::Err the model can react to. The deepest safety surface in the thin-harness category (Module 6: 5/5).

Tool receipts (HMAC-SHA256) are the only protocol-layer defense against fabricated-tool-claim attacks. Every successful tool call gets a receipt fed back into the conversation. If the model claims a tool returned data but no receipt exists, the harness can flag the fabrication. Caveat: ephemeral keys mean this is an in-context integrity signal TODAY, not yet a durable audit log.

The thickness paradox: thin by philosophy, medium-thick by implementation, RFC #5574 closing the gap. ZeroClaw is uncompromisingly thin by intent (single binary, no telemetry, no SaaS, no hidden prompts) but ~700-800k Rust LOC across 1,015 files by implementation. The microkernel refactor is shrinking zeroclaw-runtime so kernel = loop + policy, everything else behind feature flags.

After This Module
01
Explain ZeroClaw's trait-driven kernel (ADR-002) and why it is the cleanest separation of concerns in the roster — adding anything is a trait impl, not a core patch.
02
Recite the 6-layer safety model in order (channel pairing, autonomy level, workspace boundary, shell policy, OS sandbox, tool receipts) and explain how the layers compose as a cascade rather than a toggle.
03
Analyze the thickness paradox: thin by philosophy, medium-thick by implementation, with RFC #5574 (microkernel refactor) closing the gap.
04
Evaluate the tool-receipt system as a defense against fabricated-tool-claim attacks (Module 11), and name its limitation: ephemeral keys, not yet a durable audit log.
05
Score ZeroClaw (34/60), explain the wins (Module 6 Permission/Safety: 5/5) and losses (Module 3 Context: 2/5), and judge when to build on it.
Artifacts
01
Teaching Document
~195 lines; trait-driven kernel (ADR-002), the 6-layer safety model, provider agnosticism (25+ slots), minimal-prompt philosophy, explicit-only memory, the thickness paradox, tool receipts vs fabricated-tool-claim (Module 11), scoring (34/60), anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the trait-driven kernel (ADR-002), the 6-layer safety cascade, where security runs in the agent loop, the thickness paradox (philosophy vs implementation), explicit-only memory vs Hermes's free-writes
READ
03
Slide Deck
11 slides — reveal.js, dark theme, design-system teal; covers the thesis (trait-driven + 6-layer), adding a provider step-by-step, the 6-layer cascade, where security runs, tool receipts vs fabricated claims, the thickness paradox, explicit-only memory, scoring, anti-patterns, the lab
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~3,200 words spoken at ~140 wpm across 11 slide cues
READ
05
Flashcards
20 flashcards (TSV) — mix of recall, application, and analysis; covers ADR-002, the 6-layer model, tool receipts, explicit-only memory, provider agnosticism, the thickness paradox, the Hermes comparison
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Build the 6-Layer Safety Cascade — runnable Python (3.10+, type hints, no external deps): model each layer as a gate function, send tool calls through the cascade, implement the tool-receipt system (HMAC-SHA256) and confirm it detects a fabricated claim, simulate the explicit-only memory rule (~90 min)
DO
08
Module Web Page
Single-file HTML hub
HERE