Every question, answered
Honest answers about cost, security, the Anthropic dependency, models, and how Urfael proves what it did. Still stuck? Ask on GitHub.
Is this just a wrapper around Claude?
The brain is the Claude you already pay for, reached through the claude CLI you are already signed into. Urfael is everything around that brain a wrapper is not: a tamper-evident ledger of every action, an ed25519 seal over it, a read-only sandbox for untrusted messages, a credential-deny boundary, nineteen hardened chat channels, voice in and out, proactive active recall over your own notes, a multi-agent Council, and a security benchmark you can run in one command. The model is rented. The sovereignty, the memory, and the safety are yours, on your machine, under MIT.
What does it cost to run?
By default, your existing Claude subscription, flat-rate. There is no Urfael account and no server you rent from us. You can also point it at any of 30 providers (you pay their per-token rate) or at a local model on your own GPU, where it costs you only electricity. We do not see your traffic; there is nothing to see. On the subscription path, see the next answer about Anthropic's terms.
Does Urfael depend on Anthropic, and what if their terms change?
Urfael is not built, endorsed, or operated by Anthropic, and running it on a flat-rate Claude subscription depends on Anthropic's consumer terms, which we do not control. We say so plainly. It is not a single point of failure: the same Urfael, with the same security guarantees, also runs on any of 30 providers through a documented proxy, or on a local model on your own GPU, with one config line. So if those terms ever change, your cost model changes, not the product.
Is it actually secure, or is that just a word?
It is a command: npm run security. It boots the real daemon and dashboard and attacks them the way self-hosted agents were attacked in 2026, then prints a pass-or-fail table. The latest run resists 10 of 10 real-world attack classes across 95 of 95 checks. You do not take our word for it. You run it.
Is Urfael an alternative to OpenClaw or Hermes Agent?
Yes, and an honest one. OpenClaw and Hermes Agent optimize for channel count and model breadth, and they are genuinely good at it. Urfael optimizes for what matters when a machine lives on your desk and acts for you: the smallest blast radius, a flat bill, local voice, and not overstating what it does. Where the others default to optional sandboxes and an inbound surface, Urfael opens no network port, allowlists every sender before the brain sees a token, and runs remote turns read-only by default. It ships a security benchmark you run yourself (10/10 attack classes, 95/95 checks) and a tamper-evident ledger so it can prove what it did. Every win and every gap is laid out in the same table in the full comparison.
What is the most secure self-hosted AI agent?
Security is something you should be able to verify, not a word you read. Urfael was built blast-radius-first: no inbound network port (a 0600 unix socket only), fail-closed allowlists on every channel, read-only sandboxed remote turns, and autonomous work confined to throwaway containers with no secrets mounted. The proof is a command, npm run security, which boots the real daemon and runs the actual attacks that compromised other self-hosted agents in 2026, landing on 10/10 attack classes and 95/95 checks. Run it yourself rather than take anyone's word for it.
A prompt injection got other agents to leak secrets. Why not this one?
Because the containment is structural, not a clever prompt. Remote and untrusted turns run a read-only profile: read and search your notes, no shell, no write, and critically no network-egress tool. The vault also denies the agent reading your credential stores outright, a hard boundary that holds even in Full mode. So an injected "read a secret and send it somewhere" has nothing to read and nowhere to send.
So is there any mode where an injection could leak something?
Yes, and we will not hide it. The default Fortress posture has no egress, so untrusted content cannot exfiltrate at all. If you deliberately enable Full mode the agent can fetch the web, which means a successful injection could exfiltrate notes you have given it, though never your credentials, because the credential-deny boundary still holds. Run Full mode only in a VM, a container, or a throwaway account. The benchmark, the docs, and this answer all say the same thing on purpose.
Why is there no inbound port? Doesn't that limit it?
It is the whole point. The brain listens on a 0600 unix socket only, never a TCP port. The topology is one-way: Urfael reaches out (to your Claude login, to chat APIs it polls); nothing reaches in. There is no gateway to expose, no token to leak over a socket, no DM endpoint to spray. The agent gateways that got owned in 2026, reported in the tens of thousands, were owned because they were reachable. This one is not.
Can I use a model other than Claude?
Yes. Claude is native through your subscription, the one path billed to you with no per-token meter. Every other provider (OpenAI, Gemini, Llama, Mistral, DeepSeek, Groq, Ollama, LM Studio, NVIDIA NIM, OpenRouter, Bedrock, Vertex, Azure) runs through a documented Anthropic-compatible proxy such as claude-code-router or LiteLLM, with the same sandbox harness enforcing the boundaries. You can also switch models mid-conversation by just saying so: switch to opus.
Can it run fully offline, with nothing leaving my machine?
Yes. Point it at a local model (Ollama or NVIDIA NIM) and use the local voice model, and nothing leaves the machine. See the Local-GPU guide. You trade some capability for total air-gap; that is your call to make, not ours.
Can it prove what it actually did?
That is the trust suite, and it is real. Every action lands in a hash-chained Ledger of Record, so tampering is detectable. An ed25519 Sovereign Seal signs the chain head, so you can prove the record's authorship and integrity at a moment in time (it proves the record is authentic, not that every claim inside is true; we are precise about that).
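How a hash chain plus a signed head makes tampering detectable, as an added example that is not Urfael's own code or ledger format: the entry layout, function names, and sample actions are assumptions made for illustration. It shows why the seal matters: a rewritten ledger can be internally consistent and still fail against the sealed head.

```javascript
// Added example, not Urfael's code: entry layout and names are assumptions.
const crypto = require('node:crypto');
const GENESIS = '0'.repeat(64);
const entryHash = (e) => crypto.createHash('sha256')
  .update(JSON.stringify([e.seq, e.prev, e.action])).digest('hex');

// Each entry commits to the previous hash, so an edit breaks every later link.
function append(ledger, action) {
  const prev = ledger.length ? ledger[ledger.length - 1].hash : GENESIS;
  const e = { seq: ledger.length, prev, action };
  e.hash = entryHash(e);
  ledger.push(e);
  return e.hash;
}

// Recompute from genesis; returns the head hash, or null where the chain breaks.
function verifyChain(ledger) {
  let prev = GENESIS;
  for (const [i, e] of ledger.entries()) {
    if (e.seq !== i || e.prev !== prev || entryHash(e) !== e.hash) return null;
    prev = e.hash;
  }
  return prev;
}

// The seal signs head hash + time: one ed25519 signature covers the whole chain.
function seal(ledger, privateKey, at) {
  const head = verifyChain(ledger);
  if (head === null) throw new Error('refusing to seal a broken chain');
  const sig = crypto.sign(null, Buffer.from(`${head}|${at}`), privateKey);
  return { head, at, sig: sig.toString('base64') };
}

function verifySeal(ledger, s, publicKey) {
  if (verifyChain(ledger) !== s.head) return false;
  return crypto.verify(null, Buffer.from(`${s.head}|${s.at}`), publicKey,
    Buffer.from(s.sig, 'base64'));
}

// Constructed sample: seal three actions, then check a consistently rewritten copy.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const ledger = [], forged = [];
  ['read notes/todo.md', 'search invoices', 'reply to owner'].forEach((a) => append(ledger, a));
  const s = seal(ledger, privateKey, '2026-01-01T00:00:00Z');
  ['read notes/todo.md', 'search passwords', 'reply to owner'].forEach((a) => append(forged, a));
  return { intact: verifySeal(ledger, s, publicKey),
    forgedChainOk: verifyChain(forged) !== null,
    forgedSealOk: verifySeal(forged, s, publicKey) };
}
```

The seal is only as trustworthy as the private key's storage and the copy of the sealed head kept outside the machine being audited.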
urfael why pickaxes the provenance of any lesson it learned. And urfael forget writes a tombstone for provable, consented deletion.
How mature is this, honestly?
macOS on Apple Silicon or Intel is the primary, best-tested target. Linux runs the full stack but has far less mileage. The Matrix, Signal and WhatsApp bridges are code-complete and reviewed, with their parsing and allowlist logic unit-tested, but not yet battle-hardened against live accounts. Real-world scale is small, because this is a personal tool and we say so. There are 533 unit tests, an end-to-end harness against a live daemon, and adversarial security regressions frozen from real findings. What only time and users add is the one thing we cannot fake.
What is the Council?
A multi-agent orchestration you can watch. Urfael decomposes a hard question, dispatches read-only sandboxed workers to gather what each needs, then synthesizes one answer. The workers cannot write, cannot run a shell, and cannot reach the network; they read and report. You see the whole thing happen rather than trusting a black box.
Is this affiliated with Anthropic?
No. Urfael is an independent, open-source project under the MIT license. It runs on your Claude subscription but is not built, endorsed, or operated by Anthropic. The Urfael name and the Uruz mark are an original character drawn from the public-domain Elder Futhark.