Endo is an object-capability runtime for JavaScript built on Hardened JavaScript (SES). It provides a daemon that manages confined guest programs communicating through a durable message system. Guests receive only the capabilities explicitly granted to them by the host -- they cannot reach ambient authority like the filesystem, network, or environment. All state is persisted through a formula store, so the daemon and its guests survive restarts. Capabilities are named via pet names in per-agent directories, and all inter-agent communication flows through a typed mail system (send, request, define, form).
Llamadrome is an LLM agent that runs as a confined Endo guest. It receives messages from the host, sends them to an LLM backend (Anthropic or Ollama), and proposes code for sandboxed evaluation via tool calls. The host reviews each proposal and decides which capabilities to grant. Recent work on the llm-long-running-tasks branch adds:
- Conversation persistence -- LLM conversation history survives daemon restarts via
storeValueon the guest's own directory - Multi-step chaining --
store_resultandchain_evaltools let the LLM save intermediate values and compose multi-step computations - Task threading -- messages can be grouped by thread ID for visibility (
endo inbox --thread,endo threads) - Async approval recovery -- if the daemon restarts while a
define_codeorrequest_evaluationis pending host approval, the agent resumes the pending tool call on startup
The key security property: the LLM proposes code with named capability slots, but the host decides what fills those slots. The LLM never handles raw credentials or unrestricted references.
IronClaw is NEAR AI's Rust-based agent framework that sandboxes tools and channels in WebAssembly components. Each tool runs in a WASM sandbox with a WIT-defined interface specifying exactly which host capabilities it can access (http-request, workspace-read, tool-invoke, secret-exists). The framework provides multi-channel support (Discord, Telegram, Matrix, GitHub, web), persistent workspace storage, a heartbeat/self-repair system, credential injection with leak detection, prompt injection defense, and token cost estimation. Tools and channels are compiled as WASM components and loaded at runtime.
| Concern | IronClaw (NEAR) | Endo/Llamadrome |
|---|---|---|
| Sandbox model | WASM components (wasmtime) | SES Compartments (Hardened JS) |
| Capability control | WIT-defined host imports (tool can only call what host exposes) | Object-capability discipline (E(powers).method(), least-authority guest) |
| Tool interface | wit/tool.wit: execute(input) -> result + schema() + description() |
M.interface() guards + makeExo() |
| Persistence | Workspace files (workspace-read/write in WIT) | Formula store (storeValue, formulateMarshalValue) |
| Credential handling | Host-side injection via secret-exists + environment vars, leak detection scanner |
Endo pet names + confinement (guest never sees raw secrets, only capabilities) |
| Multi-step chaining | Tool invocation from within tools (tool-invoke host import) |
chain_eval + store_result tools |
| Liveness | Heartbeat system with self-repair/restart | Durable promises + resumePending() after daemon restart |
| Channel model | Multi-channel (Discord, Telegram, Matrix, web) via channel.wit |
Endo mail system (followMessages, send, threads) |
IronClaw's WASM tool components could be loaded as Endo guest modules. The WIT execute(input) -> result contract maps cleanly to an Endo exo with a single execute method. The host imports (http-request, workspace-read, tool-invoke) map to Endo capabilities that the host endows. This would give IronClaw tools Endo's durable persistence and capability confinement for free.
IronClaw has a leak detection scanner that checks LLM outputs for credential patterns. Endo's approach is more fundamental: the guest never has the credential at all. It has a pet name that resolves to a capability. If Llamadrome proposes code via define_code, the host decides which capabilities to bind -- the LLM never sees raw secrets. IronClaw could adopt this pattern: instead of injecting credentials into the WASM sandbox environment, expose them as opaque capability handles that can only be used (not read).
IronClaw has a mature multi-channel system (Discord, Telegram, Matrix, web, GitHub) with proper on-start/on-poll/on-respond/on-shutdown lifecycle hooks. Llamadrome currently only communicates through Endo's mail system. IronClaw's channel WASM components could be adapted as Endo "bridge" guests that relay messages between external channels and the Endo mail system. Each channel would be a confined guest with only the capabilities it needs (e.g., a Discord channel guest gets send to the LLM agent but nothing else).
IronClaw has estimation/ (token counting, cost estimation) and evaluation/ modules. These could inform Llamadrome's tool calling decisions -- before proposing a large define_code, estimate the token cost and whether the conversation will fit in context. This is especially relevant for the conversation persistence we just built: knowing when to summarize/trim the saved conversation.
IronClaw has FTS + vector search via Reciprocal Rank Fusion in its workspace. Endo's directory is currently flat pet-name lookup. For agents managing many stored results (via store_result), a search capability would help the LLM find relevant prior results without knowing exact pet names. This could be an Endo guest module that indexes the directory.
IronClaw has safety/ with prompt injection detection and content filtering. Llamadrome currently trusts the system prompt to guide the LLM. IronClaw's safety checks could be added as a pre-filter on Llamadrome's processMessage -- scan incoming user content for injection attempts before passing to the Anthropic API, and scan LLM responses before executing tool calls.
The deepest synthesis is philosophical: both projects implement capability-based security for AI agents, just at different layers. IronClaw uses WASM as the isolation boundary with WIT as the capability contract. Endo uses SES Compartments with object-capability discipline. A combined system could offer defense-in-depth: SES confinement at the JavaScript layer (Endo) wrapping WASM confinement at the compute layer (IronClaw), with Endo's durable formula store providing persistence that IronClaw's workspace system currently handles with plain files.
The most practical near-term integration would be IronClaw's channel components as Endo bridge guests -- this immediately gives Llamadrome access to Discord/Telegram/Matrix without building those integrations from scratch, while keeping Endo's security model intact.