Talks to you (planned)
Telegram, Signal, and its own email account.
Kastellan reads your mail, searches the web, runs code, and remembers what matters — and it cannot reach anything you didn’t explicitly allow. Every tool runs in its own kernel sandbox. Every plan is reviewed before a single tool fires.
A castellan is the officer a lord entrusts to hold a stronghold: full authority within the walls, none to act beyond them.
$ cargo install kastellan-core
# v0.1.0 on crates.io
One OS process and one kernel jail per tool — bubblewrap, Landlock, and seccomp on Linux; Seatbelt on macOS. A compromised tool reaches its own short allowlist. Never the next tool’s. Never the core.
Every plan the agent forms is reviewed before any tool runs — against five constitutional constraints that no user, admin, or configuration change can override.
Web search and page fetch, host-allowlisted; a sandboxed browser is next.
Python in a no-network scratch jail.
Postgres memory with semantic, lexical, and graph recall.
Distils successful runs into reusable skills — gated on your approval.
An append-only audit log of every action, enforced by the database itself.
Phase 0 — Sandboxed core (done) · Phase 1 — Memory & agent loop (done) · Phase 3 — Web egress (in progress) · Channels · python-exec · frontier gate (planned)
Rust, security review, docs, red-teaming — contributions welcome.