sealedsecurity/seal

Seal

The cryptographically secured AI coding agent. Designed as a defense against rogue agents, prompt injection, and curl scripts that delete your production database — without slowing the agent down.

Seal runs its agent loop inside a WebAssembly sandbox with cryptographically signed capabilities. The agent literally cannot do anything it wasn't signed for — not by policy, not by config file, but by mathematical guarantee.

Install

curl -fsSL https://sealedsecurity.com/seal-install.sh | sh

macOS and Linux. On Windows, use WSL2. Full install paths (curl, Homebrew, from source) and first-run setup are on the docs site.

How It Works

┌──────────────────────────────────────────────────────────┐
│ seal-cli (TUI)                                           │
│  Markdown rendering, paste detection, status bar         │
│  gRPC (tonic) over Unix socket                           │
└────────────────────┬─────────────────────────────────────┘
                     │ RPC
┌────────────────────▼─────────────────────────────────────┐
│ seal-daemon                                              │
│  Wasmtime host — loads seal-agent.wasm                   │
│  Provides sandboxed WIT interfaces:                      │
│    llm     → Anthropic (API key + OAuth) / OpenRouter    │
│    tools   → file read/write/search, command execution   │
│    storage → session persistence                         │
│    console → user interaction                            │
│  Sandbox: signed capability manifest (seal.toml)         │
│  Every tool call checked against allow/deny patterns     │
│  Invalid signature → refuse to start (fail closed)       │
└────────────────────┬─────────────────────────────────────┘
                     │ WIT interfaces
┌────────────────────▼─────────────────────────────────────┐
│ seal-agent (Wasm component, no_std)                      │
│  ReAct loop: LLM → parse tools → execute → loop          │
│  Zero WASI imports — no filesystem, network, or clock    │
│  API keys never enter the sandbox                        │
│  Context-aware system prompt with project capabilities   │
└──────────────────────────────────────────────────────────┘
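
The daemon box above says every tool call is checked against allow/deny patterns. The sketch below is an added example, not code from the Seal repository, showing one way such a check can be made default-deny for command execution. The `*` wildcard syntax, deny-over-allow precedence, the rejection of shell control operators, and the names `Grants`, `Decision`, `glob` and `check` are all assumptions of this example.

```rust
// Added illustration, not Seal's code. The '*' wildcard syntax, deny-over-allow
// precedence and the rejection of shell control operators are assumptions.
#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny(&'static str) }

pub struct Grants { pub allow: Vec<&'static str>, pub deny: Vec<&'static str> }

/// Whole-string glob match; '*' matches any run of characters, including none.
pub fn glob(pat: &str, text: &str) -> bool {
    let p: Vec<char> = pat.chars().collect();
    let t: Vec<char> = text.chars().collect();
    let (mut pi, mut ti, mut star, mut mark) = (0usize, 0usize, None, 0usize);
    while ti < t.len() {
        if pi < p.len() && p[pi] == '*' {
            star = Some(pi); mark = ti; pi += 1; // remember where to backtrack to
        } else if pi < p.len() && p[pi] == t[ti] {
            pi += 1; ti += 1;
        } else if let Some(s) = star {
            pi = s + 1; mark += 1; ti = mark; // let the last '*' absorb one more char
        } else {
            return false;
        }
    }
    p[pi..].iter().all(|&c| c == '*')
}

/// Operators that would let an allowed prefix carry a second command.
const CONTROL: [&str; 8] = [";", "&", "|", "`", "$(", ">", "<", "\n"];

/// Decide one command-execution tool call. Anything not granted is denied.
pub fn check(g: &Grants, cmd: &str) -> Decision {
    let cmd = cmd.trim();
    if cmd.is_empty() || CONTROL.iter().any(|op| cmd.contains(*op)) {
        return Decision::Deny("empty or contains a shell control operator");
    }
    if g.deny.iter().any(|p| glob(p, cmd)) {
        return Decision::Deny("matched a deny pattern");
    }
    if g.allow.iter().any(|p| glob(p, cmd)) {
        return Decision::Allow;
    }
    Decision::Deny("no matching grant")
}

fn main() {
    let g = Grants { allow: vec!["git *", "cargo test*"], deny: vec!["git push*"] };
    for cmd in ["git status", "git push origin main", "git status && rm -rf build", "rm -rf /"] {
        println!("{:30} -> {:?}", cmd, check(&g, cmd)); // constructed sample commands
    }
}
```

Without the control-operator check, the constructed input `git status && rm -rf build` would match the allow pattern `git *` and the second command would run under the first one's grant.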

Testing

just test            # runs all crates' tests in parallel via mprocs

Seal uses a dual-target testing strategy for the agent crate:

  • Native tests (cargo test -p seal-agent): The agent logic (ReAct loop, message parsing, system prompt building, tool dispatch) is tested natively using a HostInterface trait with mock implementations. This gives fast iteration, standard cargo test workflow, and debugger support — none of which are available when targeting wasm32-wasip3 (no test harness exists for the Wasm component model).

  • Wasm integration tests (cargo test -p seal-daemon): The compiled Wasm component is loaded into Wasmtime with mock LLM backends, tested end-to-end over gRPC. These verify the full stack: WIT interface binding, sandbox enforcement, signature verification, session persistence, and the CLI↔daemon protocol.

Crate         What it covers
seal-agent    ReAct loop, orphan repair, message shape, system prompt
seal-cli      TUI state, embark wizard, paste/mask, toml editor
seal-crypto   Ed25519 sign/verify, keystore edge cases
seal-proto    gRPC wire format, RPC client helpers
seal-policy   Manifest parsing, grant synthesis, command pattern, policy trait
seal-raft     Multi-agent list/create views
seal-daemon   Sandbox decisions, RPC e2e, SSE parser, storage
seal-tui      Renderer, selection, clipboard, permission prompt
seal-utils    I/O primitives, credential lookup, path resolve

Plus #[ignore]-gated live tests that hit real provider APIs — run with cargo test -- --ignored after setting the relevant *_API_KEY. Exercise the real OS keychain backend separately (pops a permission prompt on first run):

just test-keychain

Project Structure

crates/
  seal-cli/                CLI binary (TUI, embark/init wizard, daemon mgmt, signing)
  seal-daemon/             Wasmtime host, LLM backends, sandbox, gRPC server
  seal-agent/              Wasm component (no_std ReAct loop)
  seal-tui/                Shared TUI primitives (renderer, selection, markdown)
  seal-proto/              gRPC wire format (CLI ↔ daemon RPC client + types)
  seal-policy/             Manifest types, grant synthesis, capabilities, policy trait
  seal-crypto/             Ed25519 signing, pluggable key backend
  seal-daemon-supervisor/  Daemon lifecycle helpers (start/stop/status)
  seal-utils/              Paths, I/O, credentials, guarded futures
  seal-raft/               Multi-agent session manager
  seal-dashboard/          Live daemon dashboard
wit/                       WIT interface definitions (daemon ↔ agent boundary)
proto/                     Protobuf schema (CLI ↔ daemon gRPC)
docs/                      Architecture docs, system prompt research

Architecture

See docs/ARCHITECTURE.md for the full design — WIT schema, gRPC schema, security model, and component interactions.

Community

  • Discord: discord.gg/cKx7NUzsyc for real-time chat, questions, and announcements.
  • GitHub Issues — bug reports and feature requests.
  • GitHub Discussions — design discussion, Q&A, ideas.

Contributing

See CONTRIBUTING.md. All contributors must sign a CLA. The repo uses Graphite for stacked PRs and the merge queue — the contributing guide walks through the one-time setup.

License

Seal is dual-licensed:

  • AGPL-3.0-only — see LICENSE. Free to use, modify, and distribute under AGPL terms.
  • Commercial license — available for organizations that don't want to comply with AGPL's network-copyleft terms. Contact licensing@sealedsecurity.com.

Plumbing crates: permissive carve-out

Two crates are licensed permissively (MIT OR Apache-2.0) instead of AGPL:

  • seal-proto — the gRPC wire protocol the CLI, TUI, and daemon speak.
  • seal-utils — path math, atomic I/O, async-spawn helpers, filesystem wrappers.

See LICENSE-MIT and LICENSE-APACHE for the permissive-license texts.

About

The agent that lets your security team sleep at night.
