ZeroClaw: The Rust Microkernel Harness
32,000+ stars. Apache-2.0. Rust single-binary. Trait-driven microkernel with 6-layer safety. 25+ LLM providers. The thin-by-philosophy, medium-by-implementation answer to OpenClaw.
The trait-driven kernel (ADR-002) is the cleanest separation of concerns in the roster. Adding a provider, channel, or tool is a trait impl wired through a factory — not a core patch. The kernel depends ONLY on zeroclaw-api traits, never on concrete implementations. This is what makes 25+ provider slots possible without core bloat.
The 6-layer safety model is the reference architecture for thin-harness security. Channel access control, autonomy level, workspace boundary, shell policy, OS sandbox, tool receipts — each layer blocks a different attack class, composed as a cascade not a toggle. Security runs BETWEEN model emit and tool exec; a block surfaces as ToolResult::Err the model can react to. The deepest safety surface in the thin-harness category (Module 6: 5/5).
Tool receipts (HMAC-SHA256) are the only protocol-layer defense against fabricated-tool-claim attacks. Every successful tool call gets a receipt fed back into the conversation. If the model claims a tool returned data but no receipt exists, the harness can flag the fabrication. Caveat: ephemeral keys mean this is an in-context integrity signal TODAY, not yet a durable audit log.
The thickness paradox: thin by philosophy, medium-thick by implementation, RFC #5574 closing the gap. ZeroClaw is uncompromisingly thin by intent (single binary, no telemetry, no SaaS, no hidden prompts) but ~700-800k Rust LOC across 1,015 files by implementation. The microkernel refactor is shrinking zeroclaw-runtime so kernel = loop + policy, everything else behind feature flags.